[manape] Fixed an issue related to empty entries in VS_VERSION_INFO r…

…esources. [plugin_authenticode] Fixed the name of an impersonated company not being displayed properly. [plugin_authenticode (windows)] Improved error handling when the PE is locked by another process.
JusticeRage · May 3, 2020 · e662e19 · e662e19
1 parent e156274
commit e662e19
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 5 deletions.
diff --git a/manape/resources.cpp b/manape/resources.cpp
@@ -570,6 +570,24 @@ DECLSPEC pversion_info Resource::interpret_as()
 			res.reset();
 			goto END;
 		}
+
+		// Ignore empty entries
+		if (current_structure->ValueLength == 0)
+		{
+			padding = 16 - ftell(f) % 16;
+			if (padding != 16) {
+				fseek(f, padding, SEEK_CUR);  // Realign on a 16-byte boundray. I'm not 100% sure it's what's needed here.
+			}
+			bytes_read = ftell(f) - bytes_read;
+			if (bytes_read < bytes_remaining) {  // Padding in the last entry isn't included in the length.
+				bytes_remaining -= bytes_read;
+			}
+			else {
+				bytes_remaining = 0;
+			}
+			continue;
+		}
+
 		std::string value;
 		// If the string is null, there won't even be a null terminator.
 		if (ftell(f) - bytes_read < current_structure->Length) {
@@ -590,7 +608,7 @@ DECLSPEC pversion_info Resource::interpret_as()
 		auto p = boost::make_shared<string_pair>(current_structure->Key, value);
 		res->StringTable.push_back(p);
 
-		// The next structure is 4byte aligned.
+		// The next structure is 4-byte aligned.
 		padding = ftell(f) % 4;
 		if (padding)
 		{

diff --git a/plugins/plugin_authenticode/commons.cpp b/plugins/plugin_authenticode/commons.cpp
@@ -67,7 +67,7 @@ void check_version_info(const mana::PE& pe, pResult res)
 			}
 			else
 			{
-				ss << "The PE pretends to be from " << *(m->at(0)->get_found_strings().begin())
+				ss << "The PE pretends to be from " << (*(m->at(0)->get_found_strings().begin()))->get_str()
 				   << " but is not signed!";
 				res->add_information(ss.str());
 			}

diff --git a/plugins/plugin_authenticode/plugin_authenticode.cpp b/plugins/plugin_authenticode/plugin_authenticode.cpp
@@ -480,10 +480,11 @@ void do_winverifytrust(GUID& guid, WINTRUST_DATA& data, pResult res)
 		res->set_level(SUSPICIOUS);
 		res->set_summary("The PE's certificate has expired.");
 		break;
+	case CRYPT_E_FILE_ERROR:
+		PRINT_ERROR << "[plugin_authenticode] Windows' API could not open the target PE. It's possible another process is currently manipulating it." << std::endl;
+		break;
 	default:
-		std::stringstream ss;
-		ss << "Unknown error encountered while reading the signature (0x" << std::hex << retval << ").";
-		res->set_summary(ss.str());
+		PRINT_ERROR << "[plugin_authenticode] Unknown error encountered while reading the signature (0x" << std::hex << retval << ")." << std::endl;
 		break;
 	}
 }