experiment : VerifyFileSignatureBuildIn
2024-06-28 20:03:23
在开源工程中找到一段校验PE文件签名的代码, 因为以前的工程没有用到过PE文件签名校验, 拿来做个实验.
这段代码比MS给的签名验证的Demo好,对MS程序和第三方程序做了区分.
/// @file srcVerifyFileSignature.cpp
/// @brief 测试 校验文件内建签名#include "stdafx.h"
#include <windows.h>
#include <Wintrust.h>
#include <Mscat.h>
#include <SoftPub.h>
#include <tchar.h>
#include <Strsafe.h>#pragma comment(lib, "Wintrust.lib")/// 被测试校验签名的PE文件全路径/// 有签名的系统程序, 校验签名通过
#define G_FILE_TOBE_VERIFY_SIGN L"C:\\Windows\\System32\\notepad.exe"/// 没有加签名的第三方程序, 校验签名失败
// #define G_FILE_TOBE_VERIFY_SIGN L"d:\\LsTemp\\srcVerifyFileSignature_X64.exe"/// 第三方程序带签名, 从360目录里找了个软件管家的PE文件
// #define G_FILE_TOBE_VERIFY_SIGN L"d:\\LsTemp\\SoftManager.exe"/// @fn VerifyFileSignatureBuildIn
/// @brief 调用MS接口, 校验文件内建签名是否正确
/// @param wchar_t * pFilePathName, 被校验的文件全路径名称
/// @return BOOL
/// @retval TRUE
/// 校验成功
/// @retval 其他
/// 校验失败
BOOL VerifyFileSignatureBuildIn(wchar_t * pFilePathName);int _tmain(int argc, _TCHAR* argv[])
{BOOL bRc = TRUE;bRc = VerifyFileSignatureBuildIn(G_FILE_TOBE_VERIFY_SIGN);_tprintf(L"%s : VerifyFileSignatureBuildIn(%s)\r\n",bRc ? L"TRUE" : L"FALSE",G_FILE_TOBE_VERIFY_SIGN);/// run result/**x86和x64程序也可以调用此接口校验目标程序已经测试了X86版PE输出校验X64版目标程序的情况TRUE : VerifyFileSignatureBuildIn(C:\Windows\System32\notepad.exe)/// 带签名的非MS程序TRUE : VerifyFileSignatureBuildIn(d:\LsTemp\SoftManager.exe)/// 对于没有签名的程序, 校验的结果是FALSEFALSE : VerifyFileSignatureBuildIn(d:\LsTemp\srcVerifyFileSignature_X64.exe)/// @todo 没有测试有签名的程序被篡改的情况*/_tprintf(L"END, press any key to quit\r\n");getwchar();return 0;
}BOOL VerifyFileSignatureBuildIn(wchar_t * pFilePathName)
{BOOL bRc = FALSE;HANDLE hFile = INVALID_HANDLE_VALUE;HCATADMIN hCatAdmin = NULL;GUID GuidAction = WINTRUST_ACTION_GENERIC_VERIFY_V2;long lRc = NULL;WINTRUST_DATA wd = {0};WINTRUST_FILE_INFO wfi = {0};WINTRUST_CATALOG_INFO wci = {0};CATALOG_INFO ci = {0};HCATINFO hCatInfo = NULL;BYTE * pbHash = NULL; ///< 容纳Hash值DWORD dwLenHash = 0;DWORD dwIndex = 0;DWORD dwPosCur = 0;wchar_t * pcwszMemberTag = NULL; ///< wfi.pcwszMemberTagif (!CryptCATAdminAcquireContext(&hCatAdmin, NULL, 0))return FALSE;hFile = CreateFileW(pFilePathName,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,0,NULL );if (INVALID_HANDLE_VALUE == hFile){bRc = FALSE;goto END_VerifyFileSignatureBuildIn;}/// 得到返回的hash值缓冲区大小bRc = CryptCATAdminCalcHashFromFileHandle(hFile, &dwLenHash, pbHash, 0);if (!bRc){bRc = FALSE;goto END_VerifyFileSignatureBuildIn;}/// 构造字节型的HASH值缓冲区pbHash = new BYTE[dwLenHash + 1];if (NULL == pbHash){bRc = FALSE;goto END_VerifyFileSignatureBuildIn;}::ZeroMemory(pbHash, dwLenHash + 1);/// 计算文件HASH值bRc = CryptCATAdminCalcHashFromFileHandle(hFile, &dwLenHash, pbHash, 0);if (!bRc){bRc = FALSE;goto END_VerifyFileSignatureBuildIn;}/// 从HASH值中枚举目录/// @note 这个目录(Catalog)的含义?/// 经测试, MS签名的程序都可以按照目录找到/// 那目录的含义就是带MS签名的HASH本地库/// MS在本地已经存储了该系统文件的HASH值hCatInfo = CryptCATAdminEnumCatalogFromHash(hCatAdmin,pbHash,dwLenHash,0,NULL);/// vs2010 WinVerifyTrust 例子中, 给出的签名校验方式/// 是按照文件方式 WTD_CHOICE_FILE 方式来校验签名的/// 如果将被校验的文件, 分为MS签名和非MS签名, 可能会提高效率if (NULL == hCatInfo){/// 按照文件来校验HASH/// 未加签名的程序会进这里/// 第三方程序(非MS出品)加签名, 也会进这里wfi.cbStruct = sizeof(WINTRUST_FILE_INFO);wfi.pcwszFilePath = pFilePathName;wfi.hFile = NULL;wfi.pgKnownSubject = NULL;wd.cbStruct = sizeof(WINTRUST_DATA);wd.dwUnionChoice = WTD_CHOICE_FILE;wd.pFile = &wfi;wd.dwUIChoice = WTD_UI_NONE;wd.fdwRevocationChecks = WTD_REVOKE_NONE;wd.dwStateAction = WTD_STATEACTION_IGNORE;wd.dwProvFlags = WTD_SAFER_FLAG;wd.hWVTStateData = NULL;wd.pwszURLReference = NULL;}else{/// 按照目录来校验签名/// 已经签名未篡改的PE文件会到这里/// 在文件中能找到计算出的HASH值CryptCATCatalogInfoFromContext(hCatInfo, &ci, 0);wci.cbStruct = sizeof(WINTRUST_CATALOG_INFO);wci.pcwszCatalogFilePath = ci.wszCatalogFile;wci.pcwszMemberFilePath = pFilePathName;/// 一个字节的HASH值 => 2个wchar_t的HASH字符串/// e.g. 0x11 => L"11"/// 缓冲区尾部留2个L'\0'的位置, 留一个L'\0'会报错的pcwszMemberTag = new wchar_t[(dwLenHash + 1) * 2];if (NULL == pcwszMemberTag){bRc = FALSE;goto END_VerifyFileSignatureBuildIn;}::ZeroMemory(pcwszMemberTag, sizeof(wchar_t) * (dwLenHash + 1) * 2);for (dwIndex = 0; dwIndex < dwLenHash; dwIndex++, dwPosCur += sizeof(wchar_t)){swprintf_s( &pcwszMemberTag[dwIndex * 2],sizeof(wchar_t) * 2, L"%02X", pbHash[dwIndex]);}wci.pcwszMemberTag = pcwszMemberTag;wd.cbStruct = sizeof(WINTRUST_DATA);wd.dwUnionChoice = WTD_CHOICE_CATALOG;wd.pCatalog = &wci;wd.dwUIChoice = WTD_UI_NONE;wd.fdwRevocationChecks = WTD_STATEACTION_VERIFY;wd.dwProvFlags = 0;wd.hWVTStateData = NULL;wd.pwszURLReference = NULL;}/**Note The return value is a LONG, not an HRESULT as previously documented. Do not use HRESULT macros such as SUCCEEDED to determine whether the function succeeded. Instead, check the return value for equality to zero.TRUST_E_SUBJECT_NOT_TRUSTED The subject failed the specified verification action. Most trust providers return a more detailed error code that describes the reason for the failure.TRUST_E_PROVIDER_UNKNOWN The trust provider is not recognized on this system.TRUST_E_ACTION_UNKNOWN The trust provider does not support the specified action.TRUST_E_SUBJECT_FORM_UNKNOWN The trust provider does not support the form specified for the subject.*/lRc = WinVerifyTrust(NULL, &GuidAction, &wd);bRc = (0 == lRc);END_VerifyFileSignatureBuildIn:if (NULL != hCatInfo)CryptCATAdminReleaseCatalogContext(hCatAdmin, hCatInfo, 0);if (NULL != hCatAdmin)CryptCATAdminReleaseContext(hCatAdmin, 0);if ((NULL != hFile)&& (INVALID_HANDLE_VALUE != hFile)){CloseHandle(hFile);hFile = INVALID_HANDLE_VALUE;}if (NULL != pbHash){delete []pbHash;pbHash = NULL;}if (NULL != pcwszMemberTag){delete []pcwszMemberTag;pcwszMemberTag = NULL;}return bRc;
}
experiment : VerifyFileSignatureBuildIn相关推荐
- 【深度学习入门到精通系列】什么是消融实验(Ablation experiment)
什么是消融实验(Ablation experiment)? 笔者第一次见到消融实验(Ablation experiment)这个概念是在论文<Faster R-CNN>中. 消融实验类似于 ...
- 【Paper】An Experiment Comparing Double Exponential Smoothing and Kalman Filter-Based Predict
算法 Paper DES (Double Exponential Smoothing) 算法 Kalman-Filter Algorithm KF EKF Exponentially Weighted ...
- 上海理工大学第二届“联想杯”全国程序设计邀请赛 - Experiment Class(几何+三分套三分)
题目链接:点击查看 题目大意:在二维平面的第一象限中给出两条射线代表河流,再给出起点和终点,问从起点出发,至少经过两条河各一次后到达终点的最短路 题目分析:如果只有一条河的话就是初中数学的经典问题了, ...
- CodeForces Manthan 2011 D. Optical Experiment(动态规划)
题目大意 这题建议大家先看看原题是怎么描述的,在看看我讲的中文题面,本来我打算直接翻译的,但是考虑到文字太多,还是算了 原题链接:D. Optical Experiment 我描述的中文题意: 题意化 ...
- 学术词汇 | Ablation Test or Ablation Experiment
点击上方,选择星标或置顶,每天给你送干货! 阅读大概需要1.2分钟 跟随小博主,每天进步一丢丢 在看论文中经常会出现一些词 Ablation Test 或者 Ablation Experiment,一 ...
- 20162314 Experiment 3 - Sorting and Searching
Experiment report of Besti course:<Program Design & Data Structures> Class: 1623 Student N ...
- 因果倒置的实验名称是“延迟实验”(Wheeler's delayed choice experiment)
Wheeler's delayed choice experiment 转载于:https://www.cnblogs.com/pootow/archive/2009/10/25/1589639.ht ...
- Overlapping Experiment Infrastructure: More, Better, Faster Experimentation
原文链接: Overlapping Experiment Infrastructure: More, Better, Faster Experimentation - Diane Tang, Ashi ...
- Overlapping Experiment Infrastructure,重叠(分层)实验架构。
重叠实验设施:更多.更好.更快地实验 1. 序言 2. 相关工作成果[略] 3. 背景 4. 重叠实验基础设施 5. 工具与流程 5.1 工具 5.2 实验设计与样本量 5.2.1 样本量 5.2.2 ...
最新文章
- 转:PHP Liunx 服务安全防范方案
- win10 应用程序 快捷启动
- php函数计算加法,JavaScript_javascript实现一个数值加法函数,废话不多说,直接奉上代码 JS - phpStudy...
- 用SQL语句添加删除修改字段_常用SQL
- 15分钟从零开始搭建支持10w+用户的生产环境(三)
- wordpress房产信息网_Realia v3.1.2 wordpress房地产模板 租房网站模板
- 《spring-boot学习》-07-spring data jpa
- 1019 数字黑洞 (20)
- 英文标题大写格式化 在线网站
- java工程师英文简历_软件工程师英文简历
- 【游戏测试】游戏兼容性测试(通用方案)
- anaconda配置清华镜像源
- coturn mysql_Coturn / turnserver:错误437:不匹配的分配:错误的事务ID(WebRTC)
- Android监听消息(二)——电话及短信监听
- 【网络安全】文件上传漏洞 详解
- 读书:每天做一个情绪稳定的成年人!
- Haoop之hbase高可用集群的 安装与使用
- 教育:构造主义和机能主义
- css实现图片翻转动画
- JS 点击每个图片弹出对话框