Basic support for information extraction.

vcsjones · vcsjones · commit 2a7f05545d25 · 2016-05-05T16:23:44.000-04:00
diff --git a/AuthenticodeLint/AuthenticodeLint.csproj b/AuthenticodeLint/AuthenticodeLint.csproj
@@ -57,6 +57,7 @@
     <Compile Include="CheckEngine.cs" />
     <Compile Include="CommandLineParser.cs" />
     <Compile Include="ConfigurationValidator.cs" />
+    <Compile Include="Extraction.cs" />
     <Compile Include="GraphBuilders.cs" />
     <Compile Include="Interop\CertStoreSafeHandle.cs" />
     <Compile Include="Interop\Crypt32.cs" />
@@ -89,6 +90,7 @@
     <Compile Include="Signature.cs" />
     <Compile Include="SignatureExtractor.cs" />
     <Compile Include="Graph.cs" />
+    <Compile Include="SignatureHasher.cs" />
     <Compile Include="SignerInfoExtensions.cs" />
     <Compile Include="StdOutRuleResultCollector.cs" />
     <Compile Include="VerboseSignatureTextWriter.cs" />
diff --git a/AuthenticodeLint/CheckEngine.cs b/AuthenticodeLint/CheckEngine.cs
@@ -65,6 +65,10 @@ public RuleEngineResult RunAllRules(string file, Graph<Signature> signatures, Li
                 }
                 collectors.ForEach(c => c.CollectResult(rule, result, verboseWriter.Messages));
             }
+            if (configuration.ExtractPath != null)
+            {
+                Extraction.ExtractToDisk(file, configuration, signatures);
+            }
             collectors.ForEach(c => c.CompleteSet());
             return engineResult;
         }
diff --git a/AuthenticodeLint/ConfigurationValidator.cs b/AuthenticodeLint/ConfigurationValidator.cs
@@ -12,15 +12,17 @@ public class CheckConfiguration
         public HashSet<int> SuppressErrorIDs { get; }
         public bool Verbose { get; }
         public RevocationChecking RevocationMode {get;}
+        public string ExtractPath { get; }
 
-        public CheckConfiguration(IReadOnlyList<string> inputPaths, string reportPath, bool quiet, HashSet<int> suppressErrorIDs, bool verbose, RevocationChecking revocationMode)
+        public CheckConfiguration(IReadOnlyList<string> inputPaths, string reportPath, bool quiet, HashSet<int> suppressErrorIDs, bool verbose, RevocationChecking revocationMode, string extract)
         {
             InputPaths = inputPaths;
             ReportPath = reportPath;
             Quiet = quiet;
             SuppressErrorIDs = suppressErrorIDs;
             Verbose = verbose;
             RevocationMode = revocationMode;
+            ExtractPath = extract;
         }
     }
 
@@ -52,6 +54,13 @@ public static bool ValidateAndPrint(CheckConfiguration configuration, TextWriter
                     success = false;
                 }
             }
+            if (configuration.ExtractPath != null)
+            {
+                if (!Directory.Exists(configuration.ExtractPath))
+                {
+                    printer.WriteLine($"Directory {configuration.ExtractPath} does not exist.");
+                }
+            }
             return success;
         }
     }
diff --git a/AuthenticodeLint/Extraction.cs b/AuthenticodeLint/Extraction.cs
@@ -0,0 +1,57 @@
+﻿using AuthenticodeLint.Interop;
+using System.IO;
+using System.Security.Cryptography.X509Certificates;
+using System.Text;
+
+namespace AuthenticodeLint
+{
+    public class Extraction
+    {
+        public static void ExtractToDisk(string file, CheckConfiguration configuration, Graph<Signature> signatureGraph)
+        {
+            var fileDirectory = Path.Combine(configuration.ExtractPath, Path.GetFileName(file));
+            if (Directory.Exists(fileDirectory))
+            {
+                Directory.Delete(fileDirectory, true);
+            }
+            Directory.CreateDirectory(fileDirectory);
+            var signatures = signatureGraph.VisitAll();
+            foreach(var signature in signatures)
+            {
+                var signatureHash = HashHelpers.GetHashForSignature(signature.SignerInfo);
+                var signatureDirectory = Path.Combine(fileDirectory, signatureHash);
+                var certificateDirectory = Path.Combine(signatureDirectory, "Certificates");
+                if (!Directory.Exists(certificateDirectory))
+                {
+                    Directory.CreateDirectory(certificateDirectory);
+                }
+                foreach(var certificate in signature.AdditionalCertificates)
+                {
+                    var thumbprint = certificate.Thumbprint;
+                    var serialized = SerializeCertificate(certificate);
+                    if (serialized != null)
+                    {
+                        File.WriteAllText(Path.Combine(certificateDirectory, thumbprint + ".cer"), serialized);
+                    }
+                }
+            }
+        }
+
+        private static string SerializeCertificate(X509Certificate2 certificate)
+        {
+            string base64Certificate = null;
+            var binaryCertificate = certificate.Export(X509ContentType.Cert);
+
+            uint size = 0;
+            if (Crypt32.CryptBinaryToString(binaryCertificate, (uint)binaryCertificate.Length, CryptBinaryToStringFlags.CRYPT_STRING_BASE64HEADER, null, ref size))
+            {
+                var builder = new StringBuilder((int)size);
+                if (Crypt32.CryptBinaryToString(binaryCertificate, (uint)binaryCertificate.Length, CryptBinaryToStringFlags.CRYPT_STRING_BASE64HEADER, builder, ref size))
+                {
+                    base64Certificate = builder.ToString();
+                }
+            }
+            return base64Certificate; 
+        }
+    }
+}
diff --git a/AuthenticodeLint/Interop/Crypt32.cs b/AuthenticodeLint/Interop/Crypt32.cs
@@ -1,5 +1,6 @@
 ﻿using System;
 using System.Runtime.InteropServices;
+using System.Text;
 
 namespace AuthenticodeLint.Interop
 {
@@ -121,6 +122,36 @@ public static unsafe extern bool CryptMsgGetParam
             [param: In] void* pvData,
             [param: In, Out, MarshalAs(UnmanagedType.U4)] ref uint pcbData
         );
+
+        [method: DllImport("crypt32.dll", CallingConvention = CallingConvention.Winapi, EntryPoint = "CryptBinaryToString", SetLastError = true)]
+        [return: MarshalAs(UnmanagedType.Bool)]
+        public static unsafe extern bool CryptBinaryToString
+        (
+            [param: In] byte[] pbBinary,
+            [param: In, MarshalAs(UnmanagedType.U4)] uint cbBinary,
+            [param: In, MarshalAs(UnmanagedType.U4)] CryptBinaryToStringFlags dwFlags,
+            [param: In, Out] StringBuilder pszString,
+            [param: In, Out] ref uint pcchString
+        );
+    }
+
+    internal enum CryptBinaryToStringFlags : uint
+    {
+        CRYPT_STRING_BASE64HEADER = 0x00000000,
+        CRYPT_STRING_BASE64 = 0x00000001,
+        CRYPT_STRING_BINARY = 0x00000002,
+        CRYPT_STRING_BASE64REQUESTHEADER = 0x00000003,
+        CRYPT_STRING_HEX = 0x00000004,
+        CRYPT_STRING_HEXASCII = 0x00000005,
+        CRYPT_STRING_BASE64X509CRLHEADER = 0x00000009,
+        CRYPT_STRING_HEXADDR = 0x0000000a,
+        CRYPT_STRING_HEXASCIIADDR = 0x0000000b,
+        CRYPT_STRING_HEXRAW = 0x0000000c,
+        CRYPT_STRING_STRICT = 0x20000000,
+
+        CRYPT_STRING_NOCRLF = 0x40000000,
+        CRYPT_STRING_NOCR = 0x80000000,
+
     }
 
     internal enum CryptQueryObjectType : uint
diff --git a/AuthenticodeLint/Program.cs b/AuthenticodeLint/Program.cs
@@ -24,6 +24,7 @@ static int Main(string[] args)
             bool quiet = false;
             bool verbose = false;
             string report = null;
+            string extract = null;
             var revocation = RevocationChecking.None;
             foreach(var parameter in parsedCommandLine)
             {
@@ -89,10 +90,15 @@ static int Main(string[] args)
                     }
                     verbose = true;
                 }
+
                 else if (parameter.Name == "report")
                 {
                     report = parameter.Value;
                 }
+                else if (parameter.Name == "extract")
+                {
+                    extract = parameter.Value;
+                }
                 else if (parameter.Name == "revocation")
                 {
                     if (string.IsNullOrWhiteSpace(parameter.Value))
@@ -117,7 +123,7 @@ static int Main(string[] args)
                 Console.Error.WriteLine("Input is expected. See -help for usage.");
                 return ExitCodes.InvalidInputOrConfig;
             }
-            var configuration = new CheckConfiguration(inputs, report, quiet, suppress, verbose, revocation);
+            var configuration = new CheckConfiguration(inputs, report, quiet, suppress, verbose, revocation, extract);
 
             if (!ConfigurationValidator.ValidateAndPrint(configuration, Console.Error))
             {
@@ -162,6 +168,7 @@ Checks the Authenticode signature of your binaries.
     -report:        A path to produce an XML file as a report. Optional.
     -verbose:       Show verbose output. Cannot be combined with -quiet.
     -revocation:    Specify how revocation checking is done. Valid values are none, offline, online. None is the default.
+    -extract:       Extracts all signature information to the specified directory.
 
 Exit codes:
 
diff --git a/AuthenticodeLint/Rules/NoUnknownCertificatesRule.cs b/AuthenticodeLint/Rules/NoUnknownCertificatesRule.cs
@@ -5,6 +5,7 @@
 using System.Runtime.InteropServices;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
+using System.Text;
 
 namespace AuthenticodeLint.Rules
 {
@@ -20,11 +21,11 @@ public RuleResult Validate(Graph<Signature> graph, SignatureLogger verboseWriter
         {
             var result = RuleResult.Pass;
             var signatures = graph.VisitAll();
-            foreach(var signature in signatures)
+            foreach (var signature in signatures)
             {
                 var allEmbeddedCertificates = signature.AdditionalCertificates.Cast<X509Certificate2>().ToList();
                 var certificatesRequiringEliminiation = new HashSet<X509Certificate2>(allEmbeddedCertificates, new CertificateThumbprintComparer());
-                foreach(var certificate in allEmbeddedCertificates)
+                foreach (var certificate in allEmbeddedCertificates)
                 {
                     if (!certificatesRequiringEliminiation.Contains(certificate))
                     {
@@ -38,15 +39,15 @@ public RuleResult Validate(Graph<Signature> graph, SignatureLogger verboseWriter
                         chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
                         //All we care is that we can even find an authority.
                         chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags & ~X509VerificationFlags.AllowUnknownCertificateAuthority;
-                        if(chain.Build(certificate))
+                        if (chain.Build(certificate))
                         {
                             certificatesRequiringEliminiation.ExceptWith(chain.ChainElements.Cast<X509ChainElement>().Select(c => c.Certificate));
                         }
                     }
                 }
                 if (certificatesRequiringEliminiation.Count > 0)
                 {
-                    foreach(var certificate in certificatesRequiringEliminiation)
+                    foreach (var certificate in certificatesRequiringEliminiation)
                     {
                         verboseWriter.LogSignatureMessage(signature.SignerInfo, $"Signature contained untrusted certificate \"{certificate.Subject}\" ({certificate.Thumbprint}).");
                     }
diff --git a/AuthenticodeLint/SignatureHasher.cs b/AuthenticodeLint/SignatureHasher.cs
@@ -0,0 +1,24 @@
+﻿using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Cryptography.Pkcs;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace AuthenticodeLint
+{
+    public static class HashHelpers
+    {
+        public static string GetHashForSignature(SignerInfo signature)
+        {
+            var digest = signature.SignatureDigest();
+            var digestString = digest.Aggregate(new StringBuilder(), (acc, b) => acc.AppendFormat("{0:x2}", b)).ToString();
+            return digestString;
+        }
+
+        public static string HexEncode(byte[] data)
+        {
+            return data.Aggregate(new StringBuilder(), (acc, b) => acc.AppendFormat("{0:x2}", b)).ToString();
+        }
+    }
+}
diff --git a/AuthenticodeLint/VerboseSignatureTextWriter.cs b/AuthenticodeLint/VerboseSignatureTextWriter.cs
@@ -13,8 +13,7 @@ public class MemorySignatureLogger : SignatureLogger
 
         public override void LogSignatureMessage(SignerInfo signature, string message)
         {
-            var digest = signature.SignatureDigest();
-            var digestString = digest.Aggregate(new StringBuilder(), (acc, b) => acc.AppendFormat("{0:x2}", b)).ToString();
+            var digestString = HashHelpers.GetHashForSignature(signature);
             Messages.Add($"Signature {digestString}: {message}");
         }
     }
diff --git a/AuthenticodeLintTests/Rules/PublisherInformationPresentRuleTests.cs b/AuthenticodeLintTests/Rules/PublisherInformationPresentRuleTests.cs
@@ -7,7 +7,7 @@ namespace AuthenticodeLintTests.Rules
 {
     public class PublisherInformationPresentRuleTests
     {
-        private static CheckConfiguration Configuration => new CheckConfiguration(new List<string>(), null, false, new HashSet<int>(), false, RevocationChecking.None);
+        private static CheckConfiguration Configuration => new CheckConfiguration(new List<string>(), null, false, new HashSet<int>(), false, RevocationChecking.None, null);
 
         private static Graph<Signature> GetGraphForFile(string file)
         {
diff --git a/AuthenticodeLintTests/Rules/TimestampedRuleTests.cs b/AuthenticodeLintTests/Rules/TimestampedRuleTests.cs
@@ -7,7 +7,7 @@ namespace AuthenticodeLintTests.Rules
 {
     public class TimestampedRuleTests
     {
-        private static CheckConfiguration Configuration => new CheckConfiguration(new List<string>(), null, false, new HashSet<int>(), false, RevocationChecking.None);
+        private static CheckConfiguration Configuration => new CheckConfiguration(new List<string>(), null, false, new HashSet<int>(), false, RevocationChecking.None, null);
 
         private static Graph<Signature> GetGraphForFile(string file)
         {
diff --git a/AuthenticodeLintTests/Rules/WinCertificatePaddingRuleTests.cs b/AuthenticodeLintTests/Rules/WinCertificatePaddingRuleTests.cs
@@ -8,7 +8,7 @@ namespace AuthenticodeLintTests.Rules
 {
     public class WinCertificatePaddingRuleTests
     {
-        private static CheckConfiguration Configuration => new CheckConfiguration(new List<string>(), null, false, new HashSet<int>(), false, RevocationChecking.None);
+        private static CheckConfiguration Configuration => new CheckConfiguration(new List<string>(), null, false, new HashSet<int>(), false, RevocationChecking.None, null);
 
         [Fact]
         public void PaddedExecutableShouldFail()

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,10 @@ public RuleEngineResult RunAllRules(string file, Graph<Signature> signatures, Li`
`65`	`65`	`}`
`66`	`66`	`collectors.ForEach(c => c.CollectResult(rule, result, verboseWriter.Messages));`
`67`	`67`	`}`
	`68`	`+ if (configuration.ExtractPath != null)`
	`69`	`+ {`
	`70`	`+ Extraction.ExtractToDisk(file, configuration, signatures);`
	`71`	`+ }`
`68`	`72`	`collectors.ForEach(c => c.CompleteSet());`
`69`	`73`	`return engineResult;`
`70`	`74`	`}`
Original file line number	Diff line number	Diff line change
`@@ -12,15 +12,17 @@ public class CheckConfiguration`
`12`	`12`	`public HashSet<int> SuppressErrorIDs { get; }`
`13`	`13`	`public bool Verbose { get; }`
`14`	`14`	`public RevocationChecking RevocationMode {get;}`
	`15`	`+ public string ExtractPath { get; }`
`15`	`16`
`16`		`- public CheckConfiguration(IReadOnlyList<string> inputPaths, string reportPath, bool quiet, HashSet<int> suppressErrorIDs, bool verbose, RevocationChecking revocationMode)`
	`17`	`+ public CheckConfiguration(IReadOnlyList<string> inputPaths, string reportPath, bool quiet, HashSet<int> suppressErrorIDs, bool verbose, RevocationChecking revocationMode, string extract)`
`17`	`18`	`{`
`18`	`19`	`InputPaths = inputPaths;`
`19`	`20`	`ReportPath = reportPath;`
`20`	`21`	`Quiet = quiet;`
`21`	`22`	`SuppressErrorIDs = suppressErrorIDs;`
`22`	`23`	`Verbose = verbose;`
`23`	`24`	`RevocationMode = revocationMode;`
	`25`	`+ ExtractPath = extract;`
`24`	`26`	`}`
`25`	`27`	`}`
`26`	`28`
`@@ -52,6 +54,13 @@ public static bool ValidateAndPrint(CheckConfiguration configuration, TextWriter`
`52`	`54`	`success = false;`
`53`	`55`	`}`
`54`	`56`	`}`
	`57`	`+ if (configuration.ExtractPath != null)`
	`58`	`+ {`
	`59`	`+ if (!Directory.Exists(configuration.ExtractPath))`
	`60`	`+ {`
	`61`	`+ printer.WriteLine($"Directory {configuration.ExtractPath} does not exist.");`
	`62`	`+ }`
	`63`	`+ }`
`55`	`64`	`return success;`
`56`	`65`	`}`
`57`	`66`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ static int Main(string[] args)`
`24`	`24`	`bool quiet = false;`
`25`	`25`	`bool verbose = false;`
`26`	`26`	`string report = null;`
	`27`	`+ string extract = null;`
`27`	`28`	`var revocation = RevocationChecking.None;`
`28`	`29`	`foreach(var parameter in parsedCommandLine)`
`29`	`30`	`{`
`@@ -89,10 +90,15 @@ static int Main(string[] args)`
`89`	`90`	`}`
`90`	`91`	`verbose = true;`
`91`	`92`	`}`
	`93`	`+`
`92`	`94`	`else if (parameter.Name == "report")`
`93`	`95`	`{`
`94`	`96`	`report = parameter.Value;`
`95`	`97`	`}`
	`98`	`+ else if (parameter.Name == "extract")`
	`99`	`+ {`
	`100`	`+ extract = parameter.Value;`
	`101`	`+ }`
`96`	`102`	`else if (parameter.Name == "revocation")`
`97`	`103`	`{`
`98`	`104`	`if (string.IsNullOrWhiteSpace(parameter.Value))`
`@@ -117,7 +123,7 @@ static int Main(string[] args)`
`117`	`123`	`Console.Error.WriteLine("Input is expected. See -help for usage.");`
`118`	`124`	`return ExitCodes.InvalidInputOrConfig;`
`119`	`125`	`}`
`120`		`- var configuration = new CheckConfiguration(inputs, report, quiet, suppress, verbose, revocation);`
	`126`	`+ var configuration = new CheckConfiguration(inputs, report, quiet, suppress, verbose, revocation, extract);`
`121`	`127`
`122`	`128`	`if (!ConfigurationValidator.ValidateAndPrint(configuration, Console.Error))`
`123`	`129`	`{`
`@@ -162,6 +168,7 @@ Checks the Authenticode signature of your binaries.`
`162`	`168`	`-report: A path to produce an XML file as a report. Optional.`
`163`	`169`	`-verbose: Show verbose output. Cannot be combined with -quiet.`
`164`	`170`	`-revocation: Specify how revocation checking is done. Valid values are none, offline, online. None is the default.`
	`171`	`+ -extract: Extracts all signature information to the specified directory.`
`165`	`172`
`166`	`173`	`Exit codes:`
`167`	`174`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`using System.Runtime.InteropServices;`
`6`	`6`	`using System.Security.Cryptography;`
`7`	`7`	`using System.Security.Cryptography.X509Certificates;`
	`8`	`+using System.Text;`
`8`	`9`
`9`	`10`	`namespace AuthenticodeLint.Rules`
`10`	`11`	`{`
`@@ -20,11 +21,11 @@ public RuleResult Validate(Graph<Signature> graph, SignatureLogger verboseWriter`
`20`	`21`	`{`
`21`	`22`	`var result = RuleResult.Pass;`
`22`	`23`	`var signatures = graph.VisitAll();`
`23`		`- foreach(var signature in signatures)`
	`24`	`+ foreach (var signature in signatures)`
`24`	`25`	`{`
`25`	`26`	`var allEmbeddedCertificates = signature.AdditionalCertificates.Cast<X509Certificate2>().ToList();`
`26`	`27`	`var certificatesRequiringEliminiation = new HashSet<X509Certificate2>(allEmbeddedCertificates, new CertificateThumbprintComparer());`
`27`		`- foreach(var certificate in allEmbeddedCertificates)`
	`28`	`+ foreach (var certificate in allEmbeddedCertificates)`
`28`	`29`	`{`
`29`	`30`	`if (!certificatesRequiringEliminiation.Contains(certificate))`
`30`	`31`	`{`
`@@ -38,15 +39,15 @@ public RuleResult Validate(Graph<Signature> graph, SignatureLogger verboseWriter`
`38`	`39`	`chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;`
`39`	`40`	`//All we care is that we can even find an authority.`
`40`	`41`	`chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags & ~X509VerificationFlags.AllowUnknownCertificateAuthority;`
`41`		`- if(chain.Build(certificate))`
	`42`	`+ if (chain.Build(certificate))`
`42`	`43`	`{`
`43`	`44`	`certificatesRequiringEliminiation.ExceptWith(chain.ChainElements.Cast<X509ChainElement>().Select(c => c.Certificate));`
`44`	`45`	`}`
`45`	`46`	`}`
`46`	`47`	`}`
`47`	`48`	`if (certificatesRequiringEliminiation.Count > 0)`
`48`	`49`	`{`
`49`		`- foreach(var certificate in certificatesRequiringEliminiation)`
	`50`	`+ foreach (var certificate in certificatesRequiringEliminiation)`
`50`	`51`	`{`
`51`	`52`	`verboseWriter.LogSignatureMessage(signature.SignerInfo, $"Signature contained untrusted certificate \"{certificate.Subject}\" ({certificate.Thumbprint}).");`
`52`	`53`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,8 +13,7 @@ public class MemorySignatureLogger : SignatureLogger`
`13`	`13`
`14`	`14`	`public override void LogSignatureMessage(SignerInfo signature, string message)`
`15`	`15`	`{`
`16`		`- var digest = signature.SignatureDigest();`
`17`		`- var digestString = digest.Aggregate(new StringBuilder(), (acc, b) => acc.AppendFormat("{0:x2}", b)).ToString();`
	`16`	`+ var digestString = HashHelpers.GetHashForSignature(signature);`
`18`	`17`	`Messages.Add($"Signature {digestString}: {message}");`
`19`	`18`	`}`
`20`	`19`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ namespace AuthenticodeLintTests.Rules`
`7`	`7`	`{`
`8`	`8`	`public class PublisherInformationPresentRuleTests`
`9`	`9`	`{`
`10`		`- private static CheckConfiguration Configuration => new CheckConfiguration(new List<string>(), null, false, new HashSet<int>(), false, RevocationChecking.None);`
	`10`	`+ private static CheckConfiguration Configuration => new CheckConfiguration(new List<string>(), null, false, new HashSet<int>(), false, RevocationChecking.None, null);`
`11`	`11`
`12`	`12`	`private static Graph<Signature> GetGraphForFile(string file)`
`13`	`13`	`{`