
Authenticode verification support for Windows (similar to the 'signature' table on macOS) #3716

Merged
merged 9 commits into from Oct 14, 2017

5 participants
@alessandrogario
Contributor

alessandrogario commented Sep 21, 2017

Goal

This PR aims to add Authenticode verification support to osquery in a similar way to the 'signature' virtual table that has been implemented for macOS.

Changes

I have defined a signature virtual table for Windows, containing the following columns: path, original_program_name (from the publisher), serial_number, issuer_name, subject_name, result.

The following are the possible values for the result column:

  • missing: Missing signature.
  • invalid: An invalid signature, caused by missing or broken files.
  • untrusted: A signature that could not be validated.
  • distrusted: A valid signature, explicitly distrusted by the user.
  • valid: A valid signature which is not explicitly trusted by the user.
  • trusted: A valid signature, trusted by the user.

Examples

Verifying the authenticode signature for running executables

SELECT process.pid, process.path, authenticode.result
FROM processes as process
LEFT JOIN signature AS authenticode
ON process.path = authenticode.path;
...
| 5124 | C:\Windows\system32\winlogon.exe    | missing |
| 2476 | C:\Windows\system32\dwm.exe         | missing |
| 2744 | C:\Windows\system32\fontdrvhost.exe | trusted |
| 6372 | c:\windows\system32\sihost.exe      | missing |
| 7152 | c:\windows\system32\svchost.exe     | trusted |
| 80   | c:\windows\system32\svchost.exe     | trusted |
| 6748 | c:\windows\system32\taskhostw.exe   | trusted |
...

Listing unsigned/untrusted processes listening for connections

SELECT port_info.pid, port_info.family, port_info.protocol, port_info.port, port_info.address,
       process.name, process.path,
       authenticode.result AS authenticode
FROM listening_ports AS port_info
LEFT JOIN processes AS process ON port_info.pid = process.pid
LEFT JOIN signature AS authenticode ON process.path = authenticode.path
WHERE authenticode <> 'trusted';

+------+--------+----------+-------+---------+-------------+------------------------------------+--------------+
| pid  | family | protocol | port  | address | name        | path                               | authenticode |
+------+--------+----------+-------+---------+-------------+------------------------------------+--------------+
| 6588 | 2      | 6        | 80    | 0.0.0.0 | hfs.exe     | C:\Program Files (x86)\HFS\hfs.exe | missing      |
| 1724 | 2      | 6        | 49667 | 0.0.0.0 | spoolsv.exe | C:\Windows\System32\spoolsv.exe    | missing      |
| 1724 | 23     | 6        | 49667 | ::      | spoolsv.exe | C:\Windows\System32\spoolsv.exe    | missing      |
+------+--------+----------+-------+---------+-------------+------------------------------------+--------------+
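A small triage helper for the listening-ports query above and for the result states listed in the summary (and repeated in the Sep 28 comment), added here as an illustration; it is not code from the pull request or from osquery. It folds `osqueryi --json` rows (a constructed sample, embedded inline) into one finding per process, merging the IPv4/IPv6 duplicates the join produces, and ranks them by result state. The SEVERITY ordering, the `unknown` label for an empty result, and the sample rows are assumptions of this example.

```python
import json

# Constructed sample in the shape osqueryi --json emits for the listening-ports
# query above (every value is a string); it is not output from the pull request.
# The last row carries an empty result, which is how osquery renders a NULL from
# the LEFT JOIN: the query's "<> 'trusted'" filter drops such rows (NULL compares
# as unknown in SQLite), a variant using "IS NOT 'trusted'" keeps them.
SAMPLE_JSON = json.dumps([
    {"pid": "6588", "family": "2", "protocol": "6", "port": "80", "address": "0.0.0.0",
     "name": "hfs.exe", "path": "C:\\Program Files (x86)\\HFS\\hfs.exe", "authenticode": "missing"},
    {"pid": "1724", "family": "2", "protocol": "6", "port": "49667", "address": "0.0.0.0",
     "name": "spoolsv.exe", "path": "C:\\Windows\\System32\\spoolsv.exe", "authenticode": "missing"},
    {"pid": "1724", "family": "23", "protocol": "6", "port": "49667", "address": "::",
     "name": "spoolsv.exe", "path": "c:\\windows\\system32\\spoolsv.exe", "authenticode": "missing"},
    {"pid": "4242", "family": "2", "protocol": "6", "port": "8443", "address": "0.0.0.0",
     "name": "agent.exe", "path": "C:\\Tools\\agent.exe", "authenticode": "valid"},
    {"pid": "9001", "family": "2", "protocol": "17", "port": "5353", "address": "0.0.0.0",
     "name": "gone.exe", "path": "", "authenticode": ""},
])

# Ranking of the table's result states, worst first (assumed ordering). "unknown"
# is this example's own label for an empty result: the join found no signature
# row, so the check never happened, which ranks above a confirmed "missing".
SEVERITY = {"unknown": 6, "missing": 5, "invalid": 4, "untrusted": 3,
            "distrusted": 2, "valid": 1, "trusted": 0}

def triage(rows_json):
    """Fold listener rows into one finding per (pid, path), worst state first.

    A process bound on both IPv4 and IPv6 appears twice in the join (spoolsv.exe
    above), so rows are merged by pid and case-insensitive path and the listening
    endpoints are collected into a sorted list.
    """
    findings = {}
    for row in json.loads(rows_json):
        key = (row["pid"], row["path"].lower())
        finding = findings.setdefault(key, {
            "pid": row["pid"], "name": row["name"], "path": row["path"],
            "state": row["authenticode"] or "unknown", "endpoints": set()})
        finding["endpoints"].add((row["family"], row["protocol"], row["address"], row["port"]))
    # sorted() is stable, so equal states keep the order osquery returned them in
    ranked = sorted(findings.values(), key=lambda f: SEVERITY.get(f["state"], 6), reverse=True)
    for finding in ranked:
        finding["endpoints"] = sorted(finding["endpoints"])
    return ranked

def needs_review(finding):
    """Only 'trusted' and 'valid' signatures pass; every other state is escalated."""
    return finding["state"] not in ("trusted", "valid")

if __name__ == "__main__":
    for f in triage(SAMPLE_JSON):
        flag = "REVIEW" if needs_review(f) else "ok"
        print(f"{flag:6} {f['state']:8} pid={f['pid']:>5} {f['name']:12} {len(f['endpoints'])} listener(s)")
```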
facebook-github-bot commented Sep 21, 2017

@alessandrogario has updated the pull request. View: changes

facebook-github-bot commented Sep 21, 2017

@alessandrogario has updated the pull request. View: changes

@theopolis

I'd recommend creating an authenticode or signature table for Windows.

Contributor

alessandrogario commented Sep 24, 2017

@theopolis sure! I'm still writing the utilities I need, as I also want to be able to list signature information like signer name etc. Once it's done, I'll create the new table; how would you like it to work? Should it just list the running executables?

Contributor

theopolis commented Sep 25, 2017

how would you like it to work? Should it just list the running executables?

Check out the signature table for macOS, if you don't mind, mimic the user experience for that.

facebook-github-bot commented Sep 28, 2017

@alessandrogario has updated the pull request.

Contributor

alessandrogario commented Sep 28, 2017

I have defined a 'signature' virtual table for Windows; it only sports two columns for now, but I plan on adding more. I'm using a more verbose field instead of the 'signed' boolean used in the macOS implementation.

The following are the possible states:

  • missing: Missing signature.
  • invalid: An invalid signature, caused by missing or broken files.
  • untrusted: A signature that could not be validated.
  • distrusted: A valid signature, explicitly distrusted by the user.
  • valid: A valid signature which is not explicitly trusted by the user.
  • trusted: A valid signature, trusted by the user.

EDIT: I should probably put this information in the summary!

@muffins

A couple of smaller nits and a question about the << operator definition, not sure if that'll fly as it seems risky to define it in such a high scope for something used by so many places in the code base.

Otherwise super excited for this table to land!

facebook-github-bot commented Sep 29, 2017

@alessandrogario has updated the pull request. View: changes

@alessandrogario alessandrogario changed the title from [WIP] Authenticode verification support for the 'processes' table on Windows to [WIP] Authenticode verification support for Windows (similar to the 'signature' table on macOS) Sep 29, 2017

facebook-github-bot commented Sep 30, 2017

@alessandrogario has updated the pull request. View: changes

facebook-github-bot commented Sep 30, 2017

@alessandrogario has updated the pull request. View: changes

facebook-github-bot commented Sep 30, 2017

@alessandrogario has updated the pull request. View: changes

facebook-github-bot commented Sep 30, 2017

@alessandrogario has updated the pull request. View: changes

@alessandrogario alessandrogario changed the title from [WIP] Authenticode verification support for Windows (similar to the 'signature' table on macOS) to Authenticode verification support for Windows (similar to the 'signature' table on macOS) Sep 30, 2017

facebook-github-bot commented Sep 30, 2017

@alessandrogario has updated the pull request.

@theopolis

I'll defer to @muffins but a quick note, some of the VLOGs seem a bit generic.

@muffins muffins dismissed their stale review Oct 4, 2017

Dismissing as my review is dated. Will review again after the changes requested by @theopolis are addressed.

facebook-github-bot commented Oct 5, 2017

@alessandrogario has updated the pull request.

facebook-github-bot commented Oct 5, 2017

@alessandrogario has updated the pull request. View: changes

Contributor

theopolis commented Oct 10, 2017

ok to test

Collaborator

osqueryer commented Oct 10, 2017

🙅 The commit 50f6de6 (Job results: 2631) failed the code audit or documentation test.

Collaborator

osqueryer commented Oct 10, 2017

👎 The commit 50f6de6 (Job results: 5988) failed one or more tests (Linux).

Collaborator

osqueryer commented Oct 10, 2017

👎 The commit 50f6de6 (Job results: 5989) failed one or more tests (Linux).

Collaborator

osqueryer commented Oct 10, 2017

👎 The commit 2e99777 (Job results: 5991) failed one or more tests (Linux).

facebook-github-bot commented Oct 13, 2017

@alessandrogario has updated the pull request.

Collaborator

osqueryer commented Oct 13, 2017

🙅 The commit 6e5b348 (Job results: 2647) failed the code audit or documentation test.

Collaborator

osqueryer commented Oct 13, 2017

👎 The commit 6e5b348 (Job results: 6006) failed one or more tests (Linux).

Collaborator

osqueryer commented Oct 13, 2017

👎 The commit 6e5b348 (Job results: 923) failed one or more tests (FreeBSD).

Collaborator

osqueryer commented Oct 13, 2017

👎 The commit 6e5b348 (Job results: 6007) failed one or more tests (Linux).

Collaborator

osqueryer commented Oct 13, 2017

👎 The commit 6e5b348 (Job results: 924) failed one or more tests (FreeBSD).

facebook-github-bot commented Oct 13, 2017

@alessandrogario has updated the pull request.

Collaborator

osqueryer commented Oct 13, 2017

👎 The commit 087f1fb (Job results: 925) failed one or more tests (FreeBSD).

Collaborator

osqueryer commented Oct 13, 2017

👎 The commit 087f1fb (Job results: 926) failed one or more tests (FreeBSD).

@theopolis theopolis added approved and removed ready for review labels Oct 14, 2017

Contributor

theopolis commented Oct 14, 2017

LGTM, @muffins I'll let you have the final look and merge when you're ready.

Contributor

muffins commented Oct 14, 2017

LGTM

@muffins muffins merged commit e888f3e into facebook:master Oct 14, 2017

4 of 5 checks passed

FreeBSD Build finished.
Code Audit Build finished.
Linux Build finished.
Windows Build finished.
macOS/OS X Build finished.

uptycs-nishant pushed a commit to uptycs-nishant/osquery that referenced this pull request Oct 28, 2017
