
Inaccurate Authenticode hash calculations #6

Closed
HotCakeX opened this issue Feb 21, 2024 · 7 comments
Labels: bug (Something isn't working)

Comments

@HotCakeX

Hi,
The Authenticode hashes are not calculated properly for all files. For example, I found this file where AuthHashCalc calculates the wrong hashes but my module calculates the right ones. The reason I know this is because I scanned the file with the built-in ConfigCI cmdlets to generate a WDAC policy using Hash level and there I can see the correct Authenticode and Page hashes of the file.

[image: cmdlet code]

[image]

[image]
@hfiref0x (Owner)

Hello,

Where can this file be downloaded?

@HotCakeX (Author)

@hfiref0x

I put it in this zip

ShadowExplorer-0.9-setup.exe.zip

@hfiref0x (Owner) commented Feb 22, 2024

Your report is valid.

Microsoft calculates the Authenticode hash for a file with padding added to the end of the file if necessary.

In this particular file's case, since an overlay with an odd size is present, it triggered exactly that situation.

Which means the entire VirusTotal/Sysinformer and several other tools/services calculate Authenticode in the wrong way too.

@hfiref0x hfiref0x added the bug Something isn't working label Feb 22, 2024
@HotCakeX (Author)

Thanks for the explanation. What if you used wintrust.dll for hash calculations? This way, if MS changes hashing algorithms (by adding SHA3 support and so on) or the way some file hashes are calculated, your tool will automatically be compatible too.

There are files that can't even be hashed, like the uninstall.exe in the OBS software; for those files, the flat hashes are calculated in WDAC policies.

hfiref0x added a commit that referenced this issue Feb 23, 2024
Address issue #6 (padding for file hash is missing)
@hfiref0x (Owner)

I cannot use all the fancy new Windows APIs because I need this to work on machines with Windows versions that MS officially dropped. If MS introduces a new hashing algo, then I will add it.

I've prepared a preliminary fix for the issue; can you check it out?

As for the OBS uninstaller, I can tell that this particular file contains a corrupted PE structure. It doesn't affect the Windows loader, however, as it doesn't do deep, all-kinds-of file structure validation, for multiple reasons.

Probably this is the result of the NSIS developers' mad skills. NSIS is an ancient installation system that should not be used at all in 2024, as it seems to produce inaccurate PE binaries.

[image: OBS]

@HotCakeX (Author)

Thanks, the hashes are accurate now ^^
I don't have a way to verify SHA2-384 and 512 hashes yet, though.

I wonder why VirusTotal and others were affected; they weren't all using your tool, were they?

Oh, I'm surprised popular software such as OBS uses such old stuff.

@hfiref0x (Owner) commented Feb 23, 2024

Well, this is a Microsoft creation. Anything good they always keep closed (except this: https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx). The overall Authenticode calculation algorithm is known and mostly relies on primitive PE format parsing plus widely known hashing algorithms for the actual signature calculation. Since it is nowhere clearly specified, everybody understands it as best they can.
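The calculation hfiref0x outlines here, together with the end-of-file padding from the Feb 22 comment, as an added worked example; this is not code from AuthHashCalc, from the ConfigCI cmdlets, or from either participant. It follows the Authenticode_PE.docx steps (hash the headers while skipping the CheckSum field and the certificate-table data-directory entry, then the sections sorted by PointerToRawData, then any trailing data that is not the certificate table) and finally appends zero padding. The amount of padding is an assumption: the issue only says Microsoft pads when necessary, so the example pads the file (minus the certificate table) to an 8-byte boundary, the alignment the attribute certificate table itself requires. `build_sample_pe` constructs a minimal unsigned PE32+ image in memory, so every input here is synthetic and the digests printed are not those of ShadowExplorer or any real file.

```python
"""Authenticode PE digest with end-of-file padding (added example, not AuthHashCalc code)."""
import hashlib
import struct

FILE_ALIGNMENT = 0x200
PAD_ALIGNMENT = 8  # ASSUMPTION: Microsoft pads the hashed file to a multiple of 8 bytes


def build_sample_pe(overlay: bytes) -> bytes:
    """Construct a minimal, unsigned PE32+ image: headers, one section, then an overlay."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 240  # PE32+ optional header including 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    std = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0x200, 0, 0, 0x1000, 0x1000)
    # Windows-specific fields; 0xCAFEBABE is the CheckSum, which the digest must skip.
    win = struct.pack("<QIIHHHHHHIIIIHHQQQQII",
                      0x140000000, 0x1000, FILE_ALIGNMENT,
                      6, 0, 0, 0, 6, 0, 0,
                      0x2000, FILE_ALIGNMENT, 0xCAFEBABE, 3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = b"\0" * 128  # all 16 data directories empty: no certificate table (unsigned file)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, FILE_ALIGNMENT,
                                        FILE_ALIGNMENT, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + std + win + dirs + sect).ljust(FILE_ALIGNMENT, b"\0")
    section_data = bytes(range(256)) * 2  # 0x200 bytes of constructed section content
    return headers + section_data + overlay


def hashed_regions(data: bytes, pad: bool = True) -> list:
    """Return, in order, the byte ranges that feed the Authenticode digest."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    checksum_off = opt + 64                       # IMAGE_OPTIONAL_HEADER.CheckSum
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    cert_dir = opt + (112 if magic == 0x20B else 96) + 4 * 8  # data directory #4
    _cert_file_off, cert_size = struct.unpack_from("<II", data, cert_dir)

    # 1. Headers, skipping CheckSum (4 bytes) and the certificate directory entry (8 bytes).
    regions = [data[:checksum_off],
               data[checksum_off + 4:cert_dir],
               data[cert_dir + 8:size_of_headers]]
    hashed = size_of_headers

    # 2. Section raw data, sorted by PointerToRawData (file order, not header order).
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        regions.append(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    # 3. Overlay: everything after the sections except the certificate table itself.
    extra = len(data) - cert_size - hashed
    if extra > 0:
        regions.append(data[hashed:hashed + extra])

    # 4. Padding (assumed): bring the unsigned file length to an 8-byte boundary.
    if pad:
        unsigned_end = len(data) - cert_size
        if unsigned_end % PAD_ALIGNMENT:
            regions.append(b"\0" * (PAD_ALIGNMENT - unsigned_end % PAD_ALIGNMENT))
    return regions


def authenticode_hash(data: bytes, algorithm: str = "sha256", pad: bool = True) -> str:
    """Hex digest of the Authenticode-relevant bytes, with or without the padding step."""
    h = hashlib.new(algorithm)
    for region in hashed_regions(data, pad):
        h.update(region)
    return h.hexdigest()


if __name__ == "__main__":
    image = build_sample_pe(b"odd-sized overlay")  # constructed 17-byte overlay, like the report
    print("with padding   :", authenticode_hash(image, pad=True))
    print("without padding:", authenticode_hash(image, pad=False))
```

With the 17-byte overlay the two digests differ; with a 16-byte overlay they agree, which is why the mismatch only surfaced on files whose trailing data breaks 8-byte alignment. To check the padded value against Windows on a real unsigned file, compare it with the hash the ConfigCI cmdlets emit for a Hash-level rule, as the original report did.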

@hfiref0x hfiref0x self-assigned this Feb 24, 2024