vcsjones
diff --git a/‎AuthenticodeLint/AuthenticodeLint.csproj‎
Lines changed: 4 additions & 0 deletions b/‎AuthenticodeLint/AuthenticodeLint.csproj‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎AuthenticodeLint/CertificatePaddingExtractor.cs‎
Lines changed: 54 additions & 0 deletions b/‎AuthenticodeLint/CertificatePaddingExtractor.cs‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎AuthenticodeLint/CheckEngine.cs‎
Lines changed: 2 additions & 1 deletion b/‎AuthenticodeLint/CheckEngine.cs‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎AuthenticodeLint/Interop/Pe.cs‎
Lines changed: 133 additions & 0 deletions b/‎AuthenticodeLint/Interop/Pe.cs‎
Lines changed: 133 additions & 0 deletions
@@ -53,17 +53,20 @@
     <Reference Include="System.Xml" />
   </ItemGroup>
   <ItemGroup>
+    <Compile Include="CertificatePaddingExtractor.cs" />
     <Compile Include="CheckEngine.cs" />
     <Compile Include="CommandLineParser.cs" />
     <Compile Include="ConfigurationValidator.cs" />
     <Compile Include="Interop\CertStoreSafeHandle.cs" />
     <Compile Include="Interop\Crypt32.cs" />
     <Compile Include="Interop\CryptMsgSafeHandle.cs" />
     <Compile Include="Interop\LocalBufferSafeHandle.cs" />
+    <Compile Include="Interop\Pe.cs" />
     <Compile Include="Interop\Wintrust.cs" />
     <Compile Include="IRuleResultCollector.cs" />
     <Compile Include="KnownGuids.cs" />
     <Compile Include="KnownOids.cs" />
+    <Compile Include="PE\PortableExecutable.cs" />
     <Compile Include="PublisherInformation.cs" />
     <Compile Include="Rfc3161Signature.cs" />
     <Compile Include="Rules\IAuthenticodeRule.cs" />
@@ -78,6 +81,7 @@
     <Compile Include="Rules\SigningCertificateDigestAlgorithmRule.cs" />
     <Compile Include="Rules\TimestampedRule.cs" />
     <Compile Include="Rules\TrustedSignatureRule.cs" />
+    <Compile Include="Rules\WinCertificatePaddingRule.cs" />
     <Compile Include="Signature.cs" />
     <Compile Include="SignatureExtractor.cs" />
     <Compile Include="Graph.cs" />
 
@@ -0,0 +1,54 @@
+using AuthenticodeLint.PE;
+using System;
+using System.IO;
+using System.Security.Cryptography.Pkcs;
+
+namespace AuthenticodeLint
+{
+    public static class CertificatePaddingExtractor
+    {
+        public static byte[] ExtractPadding(string filePath)
+        {
+            using (var file = new PortableExecutable(filePath))
+            {
+                var dosHeader = file.GetDosHeader();
+                var peHeader = file.GetPEHeader(dosHeader);
+                var signatureLocation = peHeader.DataDirectories[ImageDataDirectoryEntry.IMAGE_DIRECTORY_ENTRY_SECURITY];
+                using (var signatureData = file.ReadDataDirectory(signatureLocation))
+                {
+                    using (var reader = new BinaryReader(signatureData))
+                    {
+                        var winCertLength = reader.ReadUInt32();
+                        var winCertRevision = reader.ReadUInt16();
+                        var winCertType = reader.ReadUInt16();
+                        if (winCertRevision != 0x200 && winCertRevision != 0x100)
+                        {
+                            return null;
+                        }
+                        if (winCertType != 0x0002)
+                        {
+                            return null;
+                        }
+                        using (var memoryStream = new MemoryStream())
+                        {
+                            int read;
+                            var buffer = new byte[0x1000];
+                            while ((read = reader.Read(buffer, 0, buffer.Length)) > 0)
+                            {
+                                memoryStream.Write(buffer, 0, read);
+                            }
+                            var winCertificate = memoryStream.ToArray();
+                            var signer = new SignedCms();
+                            signer.Decode(winCertificate);
+                            var roundTrip = signer.Encode();
+                            var sizeDifference = winCertificate.Length - roundTrip.Length;
+                            var difference = new byte[sizeDifference];
+                            Buffer.BlockCopy(winCertificate, roundTrip.Length, difference, 0, difference.Length);
+                            return difference;
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
@@ -23,7 +23,8 @@ public IReadOnlyList<IAuthenticodeRule> GetRules()
                 new PublisherInformationPresentRule(),
                 new PublisherInformationUrlHttpsRule(),
                 new SigningCertificateDigestAlgorithmRule(),
-                new TrustedSignatureRule()
+                new TrustedSignatureRule(),
+                new WinCertificatePaddingRule()
             };
         }
 
 
@@ -0,0 +1,133 @@
+using System.Runtime.InteropServices;
+
+namespace AuthenticodeLint.Interop
+{
+    [type: StructLayout(LayoutKind.Sequential, Pack = 4)]
+    internal struct IMAGE_DOS_HEADER
+    {
+        public ushort e_magic;
+        public ushort e_cblp;
+        public ushort e_cp;
+        public ushort e_crlc;
+        public ushort e_cparhdr;
+        public ushort e_minalloc;
+        public ushort e_maxalloc;
+        public ushort e_ss;
+        public ushort e_sp;
+        public ushort e_csum;
+        public ushort e_ip;
+        public ushort e_cs;
+        public ushort e_lfarlc;
+        public ushort e_ovno;
+        public unsafe fixed ushort e_res[4];
+        public ushort e_oemid;
+        public ushort e_oeminfo;
+        public unsafe fixed ushort e_res2[10];
+        public int e_lfanew;
+    }
+
+    [type: StructLayout(LayoutKind.Sequential, Size = 20, Pack = 4)]
+    internal struct IMAGE_FILE_HEADER
+    {
+        public ushort Machine;
+        public ushort NumberOfSections;
+        public uint TimeDateStamp;
+        public uint PointerToSymbolTable;
+        public uint NumberOfSymbols;
+        public ushort SizeOfOptionalHeader;
+        public ushort Characteristics;
+    }
+
+    [type: StructLayout(LayoutKind.Sequential, Pack = 4)]
+    internal struct IMAGE_OPTIONAL_HEADER32
+    {
+        public ushort Magic;
+        public byte MajorLinkerVersion;
+        public byte MinorLinkerVersion;
+        public uint SizeOfCode;
+        public uint SizeOfInitializedData;
+        public uint SizeOfUninitializedData;
+        public uint AddressOfEntryPoint;
+        public uint BaseOfCode;
+        public uint BaseOfData;
+        public uint ImageBase;
+        public uint SectionAlignment;
+        public uint FileAlignment;
+        public ushort MajorOperatingSystemVersion;
+        public ushort MinorOperatingSystemVersion;
+        public ushort MajorImageVersion;
+        public ushort MinorImageVersion;
+        public ushort MajorSubsystemVersion;
+        public ushort MinorSubsystemVersion;
+        public uint Win32VersionValue;
+        public uint SizeOfImage;
+        public uint SizeOfHeaders;
+        public uint CheckSum;
+        public ushort Subsystem;
+        public ushort DllCharacteristics;
+        public uint SizeOfStackReserve;
+        public uint SizeOfStackCommit;
+        public uint SizeOfHeapReserve;
+        public uint SizeOfHeapCommit;
+        public uint LoaderFlags;
+        public uint NumberOfRvaAndSizes;
+        //Remove data directory.
+    }
+
+    [type: StructLayout(LayoutKind.Sequential, Pack = 4)]
+    internal struct IMAGE_OPTIONAL_HEADER64
+    {
+        public ushort Magic;
+        public byte MajorLinkerVersion;
+        public byte MinorLinkerVersion;
+        public uint SizeOfCode;
+        public uint SizeOfInitializedData;
+        public uint SizeOfUninitializedData;
+        public uint AddressOfEntryPoint;
+        public uint BaseOfCode;
+        public ulong ImageBase;
+        public uint SectionAlignment;
+        public uint FileAlignment;
+        public ushort MajorOperatingSystemVersion;
+        public ushort MinorOperatingSystemVersion;
+        public ushort MajorImageVersion;
+        public ushort MinorImageVersion;
+        public ushort MajorSubsystemVersion;
+        public ushort MinorSubsystemVersion;
+        public uint Win32VersionValue;
+        public uint SizeOfImage;
+        public uint SizeOfHeaders;
+        public uint CheckSum;
+        public ushort Subsystem;
+        public ushort DllCharacteristics;
+        public ulong SizeOfStackReserve;
+        public ulong SizeOfStackCommit;
+        public ulong SizeOfHeapReserve;
+        public ulong SizeOfHeapCommit;
+        public uint LoaderFlags;
+        public uint NumberOfRvaAndSizes;
+        //Remove data directory.
+    }
+
+    [type: StructLayout(LayoutKind.Sequential, Pack = 4)]
+    public struct IMAGE_DATA_DIRECTORY
+    {
+        public uint VirtualAddress;
+        public uint Size;
+    }
+
+    [type: StructLayout(LayoutKind.Sequential, Pack = 4)]
+    public struct IMAGE_SECTION_HEADER
+    {
+        public unsafe fixed byte Name[8];
+        public uint PhysicalAddressOrVirtualSize;
+        public uint VirtualAddress;
+        public uint SizeOfRawData;
+        public uint PointerToRawData;
+        public uint PointerToRelocations;
+        public uint PointerToLinenumbers;
+        public ushort NumberOfRelocations;
+        public ushort NumberOfLinenumbers;
+        public uint Characteristics;
+    }
+}
Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,8 @@ public IReadOnlyList<IAuthenticodeRule> GetRules()`
`23`	`23`	`new PublisherInformationPresentRule(),`
`24`	`24`	`new PublisherInformationUrlHttpsRule(),`
`25`	`25`	`new SigningCertificateDigestAlgorithmRule(),`
`26`		`- new TrustedSignatureRule()`
	`26`	`+ new TrustedSignatureRule(),`
	`27`	`+ new WinCertificatePaddingRule()`
`27`	`28`	`};`
`28`	`29`	`}`
`29`	`30`