├── .gitignore
├── 3rd Party
├── ManagedMD.dll
└── ManagedMDNew2014.dll
├── BinAudit.sln
├── LICENSE
├── README
├── README.md
└── WinBinAudit
├── CertificateSupport.cs
├── Properties
├── AssemblyInfo.cs
├── Resources.Designer.cs
└── Resources.resx
├── Resources
└── BannedAPIs.txt
├── WinBinAudit.csproj
├── WinBinAuditv1Checks.cs
├── WinBinAuditv1PE.cs
├── WinBinAuditv1SecurityInfo.cs
└── v5.cs
/.gitignore:
--------------------------------------------------------------------------------
1 | #######################
2 | # Visual Studio files #
3 | #######################
4 | *.suo
5 | *.user
6 | *.sdf
7 | ipch/
8 |
9 | ##################
10 | # Compiled files #
11 | ##################
12 | bin/
13 | obj/
14 | Release/
15 | Debug/
16 | uploads/
17 | *.dll
18 | *.exe
19 | *.pdb
20 | *.obj
21 | *.log
22 | *.tlog
23 | *.htm
24 | *.pch
25 |
26 | #####################
27 | # OS-specific files #
28 | #####################
29 | .DS_Store
30 | .DS_Store?
31 | ._*
32 | .Spotlight-V100
33 | .Trashes
34 | Icon?
35 | ehthumbs.db
36 | Thumbs.db
37 |
--------------------------------------------------------------------------------
/3rd Party/ManagedMD.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/olliencc/WinBinaryAudit/6f738c0e5dcf1e4ab73be9fe3bc124b35078ad48/3rd Party/ManagedMD.dll
--------------------------------------------------------------------------------
/3rd Party/ManagedMDNew2014.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/olliencc/WinBinaryAudit/6f738c0e5dcf1e4ab73be9fe3bc124b35078ad48/3rd Party/ManagedMDNew2014.dll
--------------------------------------------------------------------------------
/BinAudit.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.31101.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WinBinAudit", "WinBinAudit\WinBinAudit.csproj", "{45B53C8D-6C83-4650-9AD2-720A6F9407F3}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {45B53C8D-6C83-4650-9AD2-720A6F9407F3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {45B53C8D-6C83-4650-9AD2-720A6F9407F3}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {45B53C8D-6C83-4650-9AD2-720A6F9407F3}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {45B53C8D-6C83-4650-9AD2-720A6F9407F3}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | EndGlobal
23 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU AFFERO GENERAL PUBLIC LICENSE
2 | Version 3, 19 November 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU Affero General Public License is a free, copyleft license for
11 | software and other kinds of works, specifically designed to ensure
12 | cooperation with the community in the case of network server software.
13 |
14 | The licenses for most software and other practical works are designed
15 | to take away your freedom to share and change the works. By contrast,
16 | our General Public Licenses are intended to guarantee your freedom to
17 | share and change all versions of a program--to make sure it remains free
18 | software for all its users.
19 |
20 | When we speak of free software, we are referring to freedom, not
21 | price. Our General Public Licenses are designed to make sure that you
22 | have the freedom to distribute copies of free software (and charge for
23 | them if you wish), that you receive source code or can get it if you
24 | want it, that you can change the software or use pieces of it in new
25 | free programs, and that you know you can do these things.
26 |
27 | Developers that use our General Public Licenses protect your rights
28 | with two steps: (1) assert copyright on the software, and (2) offer
29 | you this License which gives you legal permission to copy, distribute
30 | and/or modify the software.
31 |
32 | A secondary benefit of defending all users' freedom is that
33 | improvements made in alternate versions of the program, if they
34 | receive widespread use, become available for other developers to
35 | incorporate. Many developers of free software are heartened and
36 | encouraged by the resulting cooperation. However, in the case of
37 | software used on network servers, this result may fail to come about.
38 | The GNU General Public License permits making a modified version and
39 | letting the public access it on a server without ever releasing its
40 | source code to the public.
41 |
42 | The GNU Affero General Public License is designed specifically to
43 | ensure that, in such cases, the modified source code becomes available
44 | to the community. It requires the operator of a network server to
45 | provide the source code of the modified version running there to the
46 | users of that server. Therefore, public use of a modified version, on
47 | a publicly accessible server, gives the public access to the source
48 | code of the modified version.
49 |
50 | An older license, called the Affero General Public License and
51 | published by Affero, was designed to accomplish similar goals. This is
52 | a different license, not a version of the Affero GPL, but Affero has
53 | released a new version of the Affero GPL which permits relicensing under
54 | this license.
55 |
56 | The precise terms and conditions for copying, distribution and
57 | modification follow.
58 |
59 | TERMS AND CONDITIONS
60 |
61 | 0. Definitions.
62 |
63 | "This License" refers to version 3 of the GNU Affero General Public License.
64 |
65 | "Copyright" also means copyright-like laws that apply to other kinds of
66 | works, such as semiconductor masks.
67 |
68 | "The Program" refers to any copyrightable work licensed under this
69 | License. Each licensee is addressed as "you". "Licensees" and
70 | "recipients" may be individuals or organizations.
71 |
72 | To "modify" a work means to copy from or adapt all or part of the work
73 | in a fashion requiring copyright permission, other than the making of an
74 | exact copy. The resulting work is called a "modified version" of the
75 | earlier work or a work "based on" the earlier work.
76 |
77 | A "covered work" means either the unmodified Program or a work based
78 | on the Program.
79 |
80 | To "propagate" a work means to do anything with it that, without
81 | permission, would make you directly or secondarily liable for
82 | infringement under applicable copyright law, except executing it on a
83 | computer or modifying a private copy. Propagation includes copying,
84 | distribution (with or without modification), making available to the
85 | public, and in some countries other activities as well.
86 |
87 | To "convey" a work means any kind of propagation that enables other
88 | parties to make or receive copies. Mere interaction with a user through
89 | a computer network, with no transfer of a copy, is not conveying.
90 |
91 | An interactive user interface displays "Appropriate Legal Notices"
92 | to the extent that it includes a convenient and prominently visible
93 | feature that (1) displays an appropriate copyright notice, and (2)
94 | tells the user that there is no warranty for the work (except to the
95 | extent that warranties are provided), that licensees may convey the
96 | work under this License, and how to view a copy of this License. If
97 | the interface presents a list of user commands or options, such as a
98 | menu, a prominent item in the list meets this criterion.
99 |
100 | 1. Source Code.
101 |
102 | The "source code" for a work means the preferred form of the work
103 | for making modifications to it. "Object code" means any non-source
104 | form of a work.
105 |
106 | A "Standard Interface" means an interface that either is an official
107 | standard defined by a recognized standards body, or, in the case of
108 | interfaces specified for a particular programming language, one that
109 | is widely used among developers working in that language.
110 |
111 | The "System Libraries" of an executable work include anything, other
112 | than the work as a whole, that (a) is included in the normal form of
113 | packaging a Major Component, but which is not part of that Major
114 | Component, and (b) serves only to enable use of the work with that
115 | Major Component, or to implement a Standard Interface for which an
116 | implementation is available to the public in source code form. A
117 | "Major Component", in this context, means a major essential component
118 | (kernel, window system, and so on) of the specific operating system
119 | (if any) on which the executable work runs, or a compiler used to
120 | produce the work, or an object code interpreter used to run it.
121 |
122 | The "Corresponding Source" for a work in object code form means all
123 | the source code needed to generate, install, and (for an executable
124 | work) run the object code and to modify the work, including scripts to
125 | control those activities. However, it does not include the work's
126 | System Libraries, or general-purpose tools or generally available free
127 | programs which are used unmodified in performing those activities but
128 | which are not part of the work. For example, Corresponding Source
129 | includes interface definition files associated with source files for
130 | the work, and the source code for shared libraries and dynamically
131 | linked subprograms that the work is specifically designed to require,
132 | such as by intimate data communication or control flow between those
133 | subprograms and other parts of the work.
134 |
135 | The Corresponding Source need not include anything that users
136 | can regenerate automatically from other parts of the Corresponding
137 | Source.
138 |
139 | The Corresponding Source for a work in source code form is that
140 | same work.
141 |
142 | 2. Basic Permissions.
143 |
144 | All rights granted under this License are granted for the term of
145 | copyright on the Program, and are irrevocable provided the stated
146 | conditions are met. This License explicitly affirms your unlimited
147 | permission to run the unmodified Program. The output from running a
148 | covered work is covered by this License only if the output, given its
149 | content, constitutes a covered work. This License acknowledges your
150 | rights of fair use or other equivalent, as provided by copyright law.
151 |
152 | You may make, run and propagate covered works that you do not
153 | convey, without conditions so long as your license otherwise remains
154 | in force. You may convey covered works to others for the sole purpose
155 | of having them make modifications exclusively for you, or provide you
156 | with facilities for running those works, provided that you comply with
157 | the terms of this License in conveying all material for which you do
158 | not control copyright. Those thus making or running the covered works
159 | for you must do so exclusively on your behalf, under your direction
160 | and control, on terms that prohibit them from making any copies of
161 | your copyrighted material outside their relationship with you.
162 |
163 | Conveying under any other circumstances is permitted solely under
164 | the conditions stated below. Sublicensing is not allowed; section 10
165 | makes it unnecessary.
166 |
167 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
168 |
169 | No covered work shall be deemed part of an effective technological
170 | measure under any applicable law fulfilling obligations under article
171 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
172 | similar laws prohibiting or restricting circumvention of such
173 | measures.
174 |
175 | When you convey a covered work, you waive any legal power to forbid
176 | circumvention of technological measures to the extent such circumvention
177 | is effected by exercising rights under this License with respect to
178 | the covered work, and you disclaim any intention to limit operation or
179 | modification of the work as a means of enforcing, against the work's
180 | users, your or third parties' legal rights to forbid circumvention of
181 | technological measures.
182 |
183 | 4. Conveying Verbatim Copies.
184 |
185 | You may convey verbatim copies of the Program's source code as you
186 | receive it, in any medium, provided that you conspicuously and
187 | appropriately publish on each copy an appropriate copyright notice;
188 | keep intact all notices stating that this License and any
189 | non-permissive terms added in accord with section 7 apply to the code;
190 | keep intact all notices of the absence of any warranty; and give all
191 | recipients a copy of this License along with the Program.
192 |
193 | You may charge any price or no price for each copy that you convey,
194 | and you may offer support or warranty protection for a fee.
195 |
196 | 5. Conveying Modified Source Versions.
197 |
198 | You may convey a work based on the Program, or the modifications to
199 | produce it from the Program, in the form of source code under the
200 | terms of section 4, provided that you also meet all of these conditions:
201 |
202 | a) The work must carry prominent notices stating that you modified
203 | it, and giving a relevant date.
204 |
205 | b) The work must carry prominent notices stating that it is
206 | released under this License and any conditions added under section
207 | 7. This requirement modifies the requirement in section 4 to
208 | "keep intact all notices".
209 |
210 | c) You must license the entire work, as a whole, under this
211 | License to anyone who comes into possession of a copy. This
212 | License will therefore apply, along with any applicable section 7
213 | additional terms, to the whole of the work, and all its parts,
214 | regardless of how they are packaged. This License gives no
215 | permission to license the work in any other way, but it does not
216 | invalidate such permission if you have separately received it.
217 |
218 | d) If the work has interactive user interfaces, each must display
219 | Appropriate Legal Notices; however, if the Program has interactive
220 | interfaces that do not display Appropriate Legal Notices, your
221 | work need not make them do so.
222 |
223 | A compilation of a covered work with other separate and independent
224 | works, which are not by their nature extensions of the covered work,
225 | and which are not combined with it such as to form a larger program,
226 | in or on a volume of a storage or distribution medium, is called an
227 | "aggregate" if the compilation and its resulting copyright are not
228 | used to limit the access or legal rights of the compilation's users
229 | beyond what the individual works permit. Inclusion of a covered work
230 | in an aggregate does not cause this License to apply to the other
231 | parts of the aggregate.
232 |
233 | 6. Conveying Non-Source Forms.
234 |
235 | You may convey a covered work in object code form under the terms
236 | of sections 4 and 5, provided that you also convey the
237 | machine-readable Corresponding Source under the terms of this License,
238 | in one of these ways:
239 |
240 | a) Convey the object code in, or embodied in, a physical product
241 | (including a physical distribution medium), accompanied by the
242 | Corresponding Source fixed on a durable physical medium
243 | customarily used for software interchange.
244 |
245 | b) Convey the object code in, or embodied in, a physical product
246 | (including a physical distribution medium), accompanied by a
247 | written offer, valid for at least three years and valid for as
248 | long as you offer spare parts or customer support for that product
249 | model, to give anyone who possesses the object code either (1) a
250 | copy of the Corresponding Source for all the software in the
251 | product that is covered by this License, on a durable physical
252 | medium customarily used for software interchange, for a price no
253 | more than your reasonable cost of physically performing this
254 | conveying of source, or (2) access to copy the
255 | Corresponding Source from a network server at no charge.
256 |
257 | c) Convey individual copies of the object code with a copy of the
258 | written offer to provide the Corresponding Source. This
259 | alternative is allowed only occasionally and noncommercially, and
260 | only if you received the object code with such an offer, in accord
261 | with subsection 6b.
262 |
263 | d) Convey the object code by offering access from a designated
264 | place (gratis or for a charge), and offer equivalent access to the
265 | Corresponding Source in the same way through the same place at no
266 | further charge. You need not require recipients to copy the
267 | Corresponding Source along with the object code. If the place to
268 | copy the object code is a network server, the Corresponding Source
269 | may be on a different server (operated by you or a third party)
270 | that supports equivalent copying facilities, provided you maintain
271 | clear directions next to the object code saying where to find the
272 | Corresponding Source. Regardless of what server hosts the
273 | Corresponding Source, you remain obligated to ensure that it is
274 | available for as long as needed to satisfy these requirements.
275 |
276 | e) Convey the object code using peer-to-peer transmission, provided
277 | you inform other peers where the object code and Corresponding
278 | Source of the work are being offered to the general public at no
279 | charge under subsection 6d.
280 |
281 | A separable portion of the object code, whose source code is excluded
282 | from the Corresponding Source as a System Library, need not be
283 | included in conveying the object code work.
284 |
285 | A "User Product" is either (1) a "consumer product", which means any
286 | tangible personal property which is normally used for personal, family,
287 | or household purposes, or (2) anything designed or sold for incorporation
288 | into a dwelling. In determining whether a product is a consumer product,
289 | doubtful cases shall be resolved in favor of coverage. For a particular
290 | product received by a particular user, "normally used" refers to a
291 | typical or common use of that class of product, regardless of the status
292 | of the particular user or of the way in which the particular user
293 | actually uses, or expects or is expected to use, the product. A product
294 | is a consumer product regardless of whether the product has substantial
295 | commercial, industrial or non-consumer uses, unless such uses represent
296 | the only significant mode of use of the product.
297 |
298 | "Installation Information" for a User Product means any methods,
299 | procedures, authorization keys, or other information required to install
300 | and execute modified versions of a covered work in that User Product from
301 | a modified version of its Corresponding Source. The information must
302 | suffice to ensure that the continued functioning of the modified object
303 | code is in no case prevented or interfered with solely because
304 | modification has been made.
305 |
306 | If you convey an object code work under this section in, or with, or
307 | specifically for use in, a User Product, and the conveying occurs as
308 | part of a transaction in which the right of possession and use of the
309 | User Product is transferred to the recipient in perpetuity or for a
310 | fixed term (regardless of how the transaction is characterized), the
311 | Corresponding Source conveyed under this section must be accompanied
312 | by the Installation Information. But this requirement does not apply
313 | if neither you nor any third party retains the ability to install
314 | modified object code on the User Product (for example, the work has
315 | been installed in ROM).
316 |
317 | The requirement to provide Installation Information does not include a
318 | requirement to continue to provide support service, warranty, or updates
319 | for a work that has been modified or installed by the recipient, or for
320 | the User Product in which it has been modified or installed. Access to a
321 | network may be denied when the modification itself materially and
322 | adversely affects the operation of the network or violates the rules and
323 | protocols for communication across the network.
324 |
325 | Corresponding Source conveyed, and Installation Information provided,
326 | in accord with this section must be in a format that is publicly
327 | documented (and with an implementation available to the public in
328 | source code form), and must require no special password or key for
329 | unpacking, reading or copying.
330 |
331 | 7. Additional Terms.
332 |
333 | "Additional permissions" are terms that supplement the terms of this
334 | License by making exceptions from one or more of its conditions.
335 | Additional permissions that are applicable to the entire Program shall
336 | be treated as though they were included in this License, to the extent
337 | that they are valid under applicable law. If additional permissions
338 | apply only to part of the Program, that part may be used separately
339 | under those permissions, but the entire Program remains governed by
340 | this License without regard to the additional permissions.
341 |
342 | When you convey a copy of a covered work, you may at your option
343 | remove any additional permissions from that copy, or from any part of
344 | it. (Additional permissions may be written to require their own
345 | removal in certain cases when you modify the work.) You may place
346 | additional permissions on material, added by you to a covered work,
347 | for which you have or can give appropriate copyright permission.
348 |
349 | Notwithstanding any other provision of this License, for material you
350 | add to a covered work, you may (if authorized by the copyright holders of
351 | that material) supplement the terms of this License with terms:
352 |
353 | a) Disclaiming warranty or limiting liability differently from the
354 | terms of sections 15 and 16 of this License; or
355 |
356 | b) Requiring preservation of specified reasonable legal notices or
357 | author attributions in that material or in the Appropriate Legal
358 | Notices displayed by works containing it; or
359 |
360 | c) Prohibiting misrepresentation of the origin of that material, or
361 | requiring that modified versions of such material be marked in
362 | reasonable ways as different from the original version; or
363 |
364 | d) Limiting the use for publicity purposes of names of licensors or
365 | authors of the material; or
366 |
367 | e) Declining to grant rights under trademark law for use of some
368 | trade names, trademarks, or service marks; or
369 |
370 | f) Requiring indemnification of licensors and authors of that
371 | material by anyone who conveys the material (or modified versions of
372 | it) with contractual assumptions of liability to the recipient, for
373 | any liability that these contractual assumptions directly impose on
374 | those licensors and authors.
375 |
376 | All other non-permissive additional terms are considered "further
377 | restrictions" within the meaning of section 10. If the Program as you
378 | received it, or any part of it, contains a notice stating that it is
379 | governed by this License along with a term that is a further
380 | restriction, you may remove that term. If a license document contains
381 | a further restriction but permits relicensing or conveying under this
382 | License, you may add to a covered work material governed by the terms
383 | of that license document, provided that the further restriction does
384 | not survive such relicensing or conveying.
385 |
386 | If you add terms to a covered work in accord with this section, you
387 | must place, in the relevant source files, a statement of the
388 | additional terms that apply to those files, or a notice indicating
389 | where to find the applicable terms.
390 |
391 | Additional terms, permissive or non-permissive, may be stated in the
392 | form of a separately written license, or stated as exceptions;
393 | the above requirements apply either way.
394 |
395 | 8. Termination.
396 |
397 | You may not propagate or modify a covered work except as expressly
398 | provided under this License. Any attempt otherwise to propagate or
399 | modify it is void, and will automatically terminate your rights under
400 | this License (including any patent licenses granted under the third
401 | paragraph of section 11).
402 |
403 | However, if you cease all violation of this License, then your
404 | license from a particular copyright holder is reinstated (a)
405 | provisionally, unless and until the copyright holder explicitly and
406 | finally terminates your license, and (b) permanently, if the copyright
407 | holder fails to notify you of the violation by some reasonable means
408 | prior to 60 days after the cessation.
409 |
410 | Moreover, your license from a particular copyright holder is
411 | reinstated permanently if the copyright holder notifies you of the
412 | violation by some reasonable means, this is the first time you have
413 | received notice of violation of this License (for any work) from that
414 | copyright holder, and you cure the violation prior to 30 days after
415 | your receipt of the notice.
416 |
417 | Termination of your rights under this section does not terminate the
418 | licenses of parties who have received copies or rights from you under
419 | this License. If your rights have been terminated and not permanently
420 | reinstated, you do not qualify to receive new licenses for the same
421 | material under section 10.
422 |
423 | 9. Acceptance Not Required for Having Copies.
424 |
425 | You are not required to accept this License in order to receive or
426 | run a copy of the Program. Ancillary propagation of a covered work
427 | occurring solely as a consequence of using peer-to-peer transmission
428 | to receive a copy likewise does not require acceptance. However,
429 | nothing other than this License grants you permission to propagate or
430 | modify any covered work. These actions infringe copyright if you do
431 | not accept this License. Therefore, by modifying or propagating a
432 | covered work, you indicate your acceptance of this License to do so.
433 |
434 | 10. Automatic Licensing of Downstream Recipients.
435 |
436 | Each time you convey a covered work, the recipient automatically
437 | receives a license from the original licensors, to run, modify and
438 | propagate that work, subject to this License. You are not responsible
439 | for enforcing compliance by third parties with this License.
440 |
441 | An "entity transaction" is a transaction transferring control of an
442 | organization, or substantially all assets of one, or subdividing an
443 | organization, or merging organizations. If propagation of a covered
444 | work results from an entity transaction, each party to that
445 | transaction who receives a copy of the work also receives whatever
446 | licenses to the work the party's predecessor in interest had or could
447 | give under the previous paragraph, plus a right to possession of the
448 | Corresponding Source of the work from the predecessor in interest, if
449 | the predecessor has it or can get it with reasonable efforts.
450 |
451 | You may not impose any further restrictions on the exercise of the
452 | rights granted or affirmed under this License. For example, you may
453 | not impose a license fee, royalty, or other charge for exercise of
454 | rights granted under this License, and you may not initiate litigation
455 | (including a cross-claim or counterclaim in a lawsuit) alleging that
456 | any patent claim is infringed by making, using, selling, offering for
457 | sale, or importing the Program or any portion of it.
458 |
459 | 11. Patents.
460 |
461 | A "contributor" is a copyright holder who authorizes use under this
462 | License of the Program or a work on which the Program is based. The
463 | work thus licensed is called the contributor's "contributor version".
464 |
465 | A contributor's "essential patent claims" are all patent claims
466 | owned or controlled by the contributor, whether already acquired or
467 | hereafter acquired, that would be infringed by some manner, permitted
468 | by this License, of making, using, or selling its contributor version,
469 | but do not include claims that would be infringed only as a
470 | consequence of further modification of the contributor version. For
471 | purposes of this definition, "control" includes the right to grant
472 | patent sublicenses in a manner consistent with the requirements of
473 | this License.
474 |
475 | Each contributor grants you a non-exclusive, worldwide, royalty-free
476 | patent license under the contributor's essential patent claims, to
477 | make, use, sell, offer for sale, import and otherwise run, modify and
478 | propagate the contents of its contributor version.
479 |
480 | In the following three paragraphs, a "patent license" is any express
481 | agreement or commitment, however denominated, not to enforce a patent
482 | (such as an express permission to practice a patent or covenant not to
483 | sue for patent infringement). To "grant" such a patent license to a
484 | party means to make such an agreement or commitment not to enforce a
485 | patent against the party.
486 |
487 | If you convey a covered work, knowingly relying on a patent license,
488 | and the Corresponding Source of the work is not available for anyone
489 | to copy, free of charge and under the terms of this License, through a
490 | publicly available network server or other readily accessible means,
491 | then you must either (1) cause the Corresponding Source to be so
492 | available, or (2) arrange to deprive yourself of the benefit of the
493 | patent license for this particular work, or (3) arrange, in a manner
494 | consistent with the requirements of this License, to extend the patent
495 | license to downstream recipients. "Knowingly relying" means you have
496 | actual knowledge that, but for the patent license, your conveying the
497 | covered work in a country, or your recipient's use of the covered work
498 | in a country, would infringe one or more identifiable patents in that
499 | country that you have reason to believe are valid.
500 |
501 | If, pursuant to or in connection with a single transaction or
502 | arrangement, you convey, or propagate by procuring conveyance of, a
503 | covered work, and grant a patent license to some of the parties
504 | receiving the covered work authorizing them to use, propagate, modify
505 | or convey a specific copy of the covered work, then the patent license
506 | you grant is automatically extended to all recipients of the covered
507 | work and works based on it.
508 |
509 | A patent license is "discriminatory" if it does not include within
510 | the scope of its coverage, prohibits the exercise of, or is
511 | conditioned on the non-exercise of one or more of the rights that are
512 | specifically granted under this License. You may not convey a covered
513 | work if you are a party to an arrangement with a third party that is
514 | in the business of distributing software, under which you make payment
515 | to the third party based on the extent of your activity of conveying
516 | the work, and under which the third party grants, to any of the
517 | parties who would receive the covered work from you, a discriminatory
518 | patent license (a) in connection with copies of the covered work
519 | conveyed by you (or copies made from those copies), or (b) primarily
520 | for and in connection with specific products or compilations that
521 | contain the covered work, unless you entered into that arrangement,
522 | or that patent license was granted, prior to 28 March 2007.
523 |
524 | Nothing in this License shall be construed as excluding or limiting
525 | any implied license or other defenses to infringement that may
526 | otherwise be available to you under applicable patent law.
527 |
528 | 12. No Surrender of Others' Freedom.
529 |
530 | If conditions are imposed on you (whether by court order, agreement or
531 | otherwise) that contradict the conditions of this License, they do not
532 | excuse you from the conditions of this License. If you cannot convey a
533 | covered work so as to satisfy simultaneously your obligations under this
534 | License and any other pertinent obligations, then as a consequence you may
535 | not convey it at all. For example, if you agree to terms that obligate you
536 | to collect a royalty for further conveying from those to whom you convey
537 | the Program, the only way you could satisfy both those terms and this
538 | License would be to refrain entirely from conveying the Program.
539 |
540 | 13. Remote Network Interaction; Use with the GNU General Public License.
541 |
542 | Notwithstanding any other provision of this License, if you modify the
543 | Program, your modified version must prominently offer all users
544 | interacting with it remotely through a computer network (if your version
545 | supports such interaction) an opportunity to receive the Corresponding
546 | Source of your version by providing access to the Corresponding Source
547 | from a network server at no charge, through some standard or customary
548 | means of facilitating copying of software. This Corresponding Source
549 | shall include the Corresponding Source for any work covered by version 3
550 | of the GNU General Public License that is incorporated pursuant to the
551 | following paragraph.
552 |
553 | Notwithstanding any other provision of this License, you have
554 | permission to link or combine any covered work with a work licensed
555 | under version 3 of the GNU General Public License into a single
556 | combined work, and to convey the resulting work. The terms of this
557 | License will continue to apply to the part which is the covered work,
558 | but the work with which it is combined will remain governed by version
559 | 3 of the GNU General Public License.
560 |
561 | 14. Revised Versions of this License.
562 |
563 | The Free Software Foundation may publish revised and/or new versions of
564 | the GNU Affero General Public License from time to time. Such new versions
565 | will be similar in spirit to the present version, but may differ in detail to
566 | address new problems or concerns.
567 |
568 | Each version is given a distinguishing version number. If the
569 | Program specifies that a certain numbered version of the GNU Affero General
570 | Public License "or any later version" applies to it, you have the
571 | option of following the terms and conditions either of that numbered
572 | version or of any later version published by the Free Software
573 | Foundation. If the Program does not specify a version number of the
574 | GNU Affero General Public License, you may choose any version ever published
575 | by the Free Software Foundation.
576 |
577 | If the Program specifies that a proxy can decide which future
578 | versions of the GNU Affero General Public License can be used, that proxy's
579 | public statement of acceptance of a version permanently authorizes you
580 | to choose that version for the Program.
581 |
582 | Later license versions may give you additional or different
583 | permissions. However, no additional obligations are imposed on any
584 | author or copyright holder as a result of your choosing to follow a
585 | later version.
586 |
587 | 15. Disclaimer of Warranty.
588 |
589 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
590 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
591 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
592 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
593 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
594 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
595 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
596 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
597 |
598 | 16. Limitation of Liability.
599 |
600 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
601 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
602 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
603 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
604 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
605 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
606 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
607 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
608 | SUCH DAMAGES.
609 |
610 | 17. Interpretation of Sections 15 and 16.
611 |
612 | If the disclaimer of warranty and limitation of liability provided
613 | above cannot be given local legal effect according to their terms,
614 | reviewing courts shall apply local law that most closely approximates
615 | an absolute waiver of all civil liability in connection with the
616 | Program, unless a warranty or assumption of liability accompanies a
617 | copy of the Program in return for a fee.
618 |
619 | END OF TERMS AND CONDITIONS
620 |
621 | How to Apply These Terms to Your New Programs
622 |
623 | If you develop a new program, and you want it to be of the greatest
624 | possible use to the public, the best way to achieve this is to make it
625 | free software which everyone can redistribute and change under these terms.
626 |
627 | To do so, attach the following notices to the program. It is safest
628 | to attach them to the start of each source file to most effectively
629 | state the exclusion of warranty; and each file should have at least
630 | the "copyright" line and a pointer to where the full notice is found.
631 |
632 |
633 | Copyright (C)
634 |
635 | This program is free software: you can redistribute it and/or modify
636 | it under the terms of the GNU Affero General Public License as published by
637 | the Free Software Foundation, either version 3 of the License, or
638 | (at your option) any later version.
639 |
640 | This program is distributed in the hope that it will be useful,
641 | but WITHOUT ANY WARRANTY; without even the implied warranty of
642 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
643 | GNU Affero General Public License for more details.
644 |
645 | You should have received a copy of the GNU Affero General Public License
646 | along with this program. If not, see .
647 |
648 | Also add information on how to contact you by electronic and paper mail.
649 |
650 | If your software can interact with users remotely through a computer
651 | network, you should also make sure that it provides a way for users to
652 | get its source. For example, if your program is a web application, its
653 | interface could display a "Source" link that leads users to an archive
654 | of the code. There are many ways you could offer source, and different
655 | solutions will be better for different programs; see section 13 for the
656 | specific requirements.
657 |
658 | You should also get your employer (if you work as a programmer) or school,
659 | if any, to sign a "copyright disclaimer" for the program, if necessary.
660 | For more information on this, and how to apply and follow the GNU AGPL, see
661 | .
--------------------------------------------------------------------------------
/README:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/olliencc/WinBinaryAudit/6f738c0e5dcf1e4ab73be9fe3bc124b35078ad48/README
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # WinBinaryAudit .NET library
2 |
3 | This is a .NET library for assessing the security properties of PE/COFF files.
4 |
5 | Over the years it has had many names including:
6 | * GSAudit at Symantec - used in Blackhat DC 2007 presentation
7 | * ExeAudit at RIM/BlackBerry - internal
8 | * RECX Binary Assurance for Windows - http://www.recx.co.uk/products/exeaudit.php
9 | * Windows Binary Analyzer at NCC Group - https://labs.nccgroup.com/NCCGroupWindowsBinaryAnalyzer/
10 |
11 | 5 versions later, still the same concept. This is the core .NET library now known as WinBinaryAudit.
12 |
--------------------------------------------------------------------------------
/WinBinAudit/CertificateSupport.cs:
--------------------------------------------------------------------------------
1 | //
2 | // Based in part on http://www.jensign.com/JavaScience/dotnet/DecodeCertKey/source/DecodeCertKey.txt
3 | //
4 | using System;
5 | using System.IO;
6 | using System.Text;
7 | using System.Security;
8 | using System.Security.Cryptography;
9 | using System.Security.Cryptography.X509Certificates;
10 | using System.Runtime.InteropServices;
11 |
12 | namespace JavaScience
13 | {
14 |
15 | //--- P/Invoke CryptoAPI wrapper classes -----
16 | public class Win32
17 | {
18 |
19 | [DllImport("crypt32.dll")]
20 | public static extern bool CryptDecodeObject(
21 | uint CertEncodingType,
22 | uint lpszStructType,
23 | byte[] pbEncoded,
24 | uint cbEncoded,
25 | uint flags,
26 | [In, Out] byte[] pvStructInfo,
27 | ref uint cbStructInfo);
28 |
29 |
30 | [DllImport("crypt32.dll", SetLastError = true)]
31 | public static extern IntPtr CertFindCertificateInStore(
32 | IntPtr hCertStore,
33 | uint dwCertEncodingType,
34 | uint dwFindFlags,
35 | uint dwFindType,
36 | [In, MarshalAs(UnmanagedType.LPWStr)]String pszFindString,
37 | IntPtr pPrevCertCntxt);
38 |
39 | [DllImport("crypt32.dll", SetLastError = true)]
40 | public static extern bool CertFreeCertificateContext(
41 | IntPtr hCertStore);
42 |
43 |
44 | [DllImport("crypt32.dll", CharSet = CharSet.Auto, SetLastError = true)] //overloaded
45 | public static extern IntPtr CertOpenStore(
46 | [MarshalAs(UnmanagedType.LPStr)] String storeProvider,
47 | uint dwMsgAndCertEncodingType,
48 | IntPtr hCryptProv,
49 | uint dwFlags,
50 | String cchNameString);
51 |
52 |
53 | [DllImport("crypt32.dll", SetLastError = true)]
54 | public static extern bool CertCloseStore(
55 | IntPtr hCertStore,
56 | uint dwFlags);
57 |
58 | }
59 |
60 |
61 | [StructLayout(LayoutKind.Sequential)]
62 | public struct PUBKEYBLOBHEADERS
63 | {
64 | public byte bType; //BLOBHEADER
65 | public byte bVersion; //BLOBHEADER
66 | public short reserved; //BLOBHEADER
67 | public uint aiKeyAlg; //BLOBHEADER
68 | public uint magic; //RSAPUBKEY
69 | public uint bitlen; //RSAPUBKEY
70 | public uint pubexp; //RSAPUBKEY
71 | }
72 |
73 |
74 | public class EncryptTo
75 | {
76 |
77 | const uint CERT_SYSTEM_STORE_CURRENT_USER = 0x00010000;
78 | const uint CERT_STORE_READONLY_FLAG = 0x00008000;
79 | const uint CERT_STORE_OPEN_EXISTING_FLAG = 0x00004000;
80 | const uint CERT_FIND_SUBJECT_STR = 0x00080007;
81 | const uint X509_ASN_ENCODING = 0x00000001;
82 | const uint PKCS_7_ASN_ENCODING = 0x00010000;
83 | const uint RSA_CSP_PUBLICKEYBLOB = 19;
84 | const int AT_KEYEXCHANGE = 1; //keyspec values
85 | const int AT_SIGNATURE = 2;
86 | static uint ENCODING_TYPE = PKCS_7_ASN_ENCODING | X509_ASN_ENCODING;
87 |
88 | //private X509Certificate recipcert;
89 | private byte[] certkeymodulus;
90 | private byte[] certkeyexponent;
91 | private uint certkeysize;
92 | private bool verbose = false;
93 |
94 |
95 |
96 | //--- Search for first matching certificate in CryptoAPI cert stores ---
97 | private X509Certificate GetRecipientStoreCert(String searchstr)
98 | {
99 | X509Certificate cert = null;
100 | IntPtr hSysStore = IntPtr.Zero;
101 | IntPtr hCertCntxt = IntPtr.Zero;
102 | string[] searchstores = { "ADDRESSBOOK", "MY" };
103 |
104 | uint openflags = CERT_SYSTEM_STORE_CURRENT_USER |
105 | CERT_STORE_READONLY_FLAG |
106 | CERT_STORE_OPEN_EXISTING_FLAG;
107 |
108 | foreach (String store in searchstores)
109 | {
110 | hSysStore = Win32.CertOpenStore("System", ENCODING_TYPE, IntPtr.Zero, openflags, store);
111 | if (hSysStore == IntPtr.Zero)
112 | {
113 | Console.WriteLine("Failed to open system store {0}", store);
114 | continue;
115 | }
116 | hCertCntxt = Win32.CertFindCertificateInStore(
117 | hSysStore,
118 | ENCODING_TYPE,
119 | 0,
120 | CERT_FIND_SUBJECT_STR,
121 | searchstr,
122 | IntPtr.Zero);
123 |
124 | if (hCertCntxt != IntPtr.Zero)
125 | { //use certcontext from managed code
126 | cert = new X509Certificate(hCertCntxt);
127 | Console.WriteLine("\nFound certificate in {0} store with SubjectName string \"{1}\"", store, searchstr);
128 | Console.WriteLine("SubjectName:\t{0}", cert.Subject);
129 | break;
130 | }
131 | } // end foreach
132 |
133 | //------- Clean Up -----------
134 | if (hCertCntxt != IntPtr.Zero)
135 | Win32.CertFreeCertificateContext(hCertCntxt);
136 | if (hSysStore != IntPtr.Zero)
137 | Win32.CertCloseStore(hSysStore, 0);
138 | return cert;
139 | }
140 |
141 |
142 |
143 | //--- Get X509Certificate from binary DER or b64 cert file ---
144 | //--- try reading as binary DER first; if error, try b64 ---
145 | private X509Certificate GetRecipientFileCert(String certfile)
146 | {
147 | X509Certificate cert = null;
148 | try
149 | {
150 | cert = X509Certificate.CreateFromCertFile(certfile);
151 | }
152 | catch (System.Security.Cryptography.CryptographicException)
153 | {
154 | StreamReader sr = File.OpenText(certfile);
155 | String filestr = sr.ReadToEnd();
156 | sr.Close();
157 | StringBuilder sb = new StringBuilder(filestr);
158 | sb.Replace("-----BEGIN CERTIFICATE-----", "");
159 | sb.Replace("-----END CERTIFICATE-----", "");
160 | //Decode
161 | try
162 | { //see if the file is a valid Base64 encoded cert
163 | byte[] certBytes = Convert.FromBase64String(sb.ToString());
164 | cert = new X509Certificate(certBytes);
165 | }
166 | catch (System.FormatException)
167 | {
168 | Console.WriteLine("Not valid binary DER or b64 X509 certificate");
169 | }
170 | catch (System.Security.Cryptography.CryptographicException)
171 | {
172 | Console.WriteLine("Not valid binary DER or b64 X509 certificate");
173 | }
174 | }
175 | if (cert != null)
176 | {
177 | Console.WriteLine("{0} is a valid certificate file", certfile);
178 | Console.WriteLine("SubjectName:\t{0}", cert.Subject);
179 | }
180 | return cert;
181 | }
182 |
183 |
184 | public uint GetCertPublicKeySize(X509Certificate cert)
185 | {
186 | byte[] publickeyblob;
187 | byte[] encodedpubkey = cert.GetPublicKey(); //asn.1 encoded public key
188 |
189 | uint blobbytes = 0;
190 | if (verbose)
191 | {
192 | Console.WriteLine();
193 | showBytes("Encoded publickey", encodedpubkey);
194 | Console.WriteLine();
195 | }
196 | if (Win32.CryptDecodeObject(ENCODING_TYPE, RSA_CSP_PUBLICKEYBLOB, encodedpubkey, (uint)encodedpubkey.Length, 0, null, ref blobbytes))
197 | {
198 | publickeyblob = new byte[blobbytes];
199 | if (Win32.CryptDecodeObject(ENCODING_TYPE, RSA_CSP_PUBLICKEYBLOB, encodedpubkey, (uint)encodedpubkey.Length, 0, publickeyblob, ref blobbytes))
200 | if (verbose)
201 | showBytes("CryptoAPI publickeyblob", publickeyblob);
202 | }
203 | else
204 | {
205 | Console.WriteLine("Couldn't decode publickeyblob from certificate publickey");
206 | return 0;
207 | }
208 |
209 | PUBKEYBLOBHEADERS pkheaders = new PUBKEYBLOBHEADERS();
210 | int headerslength = Marshal.SizeOf(pkheaders);
211 | IntPtr buffer = Marshal.AllocHGlobal(headerslength);
212 | Marshal.Copy(publickeyblob, 0, buffer, headerslength);
213 | pkheaders = (PUBKEYBLOBHEADERS)Marshal.PtrToStructure(buffer, typeof(PUBKEYBLOBHEADERS));
214 | Marshal.FreeHGlobal(buffer);
215 |
216 | if (verbose)
217 | {
218 | Console.WriteLine("\n ---- PUBLICKEYBLOB headers ------");
219 | Console.WriteLine(" btype {0}", pkheaders.bType);
220 | Console.WriteLine(" bversion {0}", pkheaders.bVersion);
221 | Console.WriteLine(" reserved {0}", pkheaders.reserved);
222 | Console.WriteLine(" aiKeyAlg 0x{0:x8}", pkheaders.aiKeyAlg);
223 | String magicstring = (new ASCIIEncoding()).GetString(BitConverter.GetBytes(pkheaders.magic));
224 | Console.WriteLine(" magic 0x{0:x8} '{1}'", pkheaders.magic, magicstring);
225 | Console.WriteLine(" bitlen {0}", pkheaders.bitlen);
226 | Console.WriteLine(" pubexp {0}", pkheaders.pubexp);
227 | Console.WriteLine(" --------------------------------");
228 | }
229 | //----- Get public key size in bits -------------
230 | this.certkeysize = pkheaders.bitlen;
231 |
232 | return this.certkeysize;
233 |
234 | }
235 |
236 | //----- decode public key and extract modulus and exponent ----
237 | private bool GetCertPublicKey(X509Certificate cert)
238 | {
239 | byte[] publickeyblob;
240 | byte[] encodedpubkey = cert.GetPublicKey(); //asn.1 encoded public key
241 |
242 | uint blobbytes = 0;
243 | if (verbose)
244 | {
245 | Console.WriteLine();
246 | showBytes("Encoded publickey", encodedpubkey);
247 | Console.WriteLine();
248 | }
249 | if (Win32.CryptDecodeObject(ENCODING_TYPE, RSA_CSP_PUBLICKEYBLOB, encodedpubkey, (uint)encodedpubkey.Length, 0, null, ref blobbytes))
250 | {
251 | publickeyblob = new byte[blobbytes];
252 | if (Win32.CryptDecodeObject(ENCODING_TYPE, RSA_CSP_PUBLICKEYBLOB, encodedpubkey, (uint)encodedpubkey.Length, 0, publickeyblob, ref blobbytes))
253 | if (verbose)
254 | showBytes("CryptoAPI publickeyblob", publickeyblob);
255 | }
256 | else
257 | {
258 | Console.WriteLine("Couldn't decode publickeyblob from certificate publickey");
259 | return false;
260 | }
261 |
262 | PUBKEYBLOBHEADERS pkheaders = new PUBKEYBLOBHEADERS();
263 | int headerslength = Marshal.SizeOf(pkheaders);
264 | IntPtr buffer = Marshal.AllocHGlobal(headerslength);
265 | Marshal.Copy(publickeyblob, 0, buffer, headerslength);
266 | pkheaders = (PUBKEYBLOBHEADERS)Marshal.PtrToStructure(buffer, typeof(PUBKEYBLOBHEADERS));
267 | Marshal.FreeHGlobal(buffer);
268 |
269 | if (verbose)
270 | {
271 | Console.WriteLine("\n ---- PUBLICKEYBLOB headers ------");
272 | Console.WriteLine(" btype {0}", pkheaders.bType);
273 | Console.WriteLine(" bversion {0}", pkheaders.bVersion);
274 | Console.WriteLine(" reserved {0}", pkheaders.reserved);
275 | Console.WriteLine(" aiKeyAlg 0x{0:x8}", pkheaders.aiKeyAlg);
276 | String magicstring = (new ASCIIEncoding()).GetString(BitConverter.GetBytes(pkheaders.magic));
277 | Console.WriteLine(" magic 0x{0:x8} '{1}'", pkheaders.magic, magicstring);
278 | Console.WriteLine(" bitlen {0}", pkheaders.bitlen);
279 | Console.WriteLine(" pubexp {0}", pkheaders.pubexp);
280 | Console.WriteLine(" --------------------------------");
281 | }
282 | //----- Get public key size in bits -------------
283 | this.certkeysize = pkheaders.bitlen;
284 |
285 | //----- Get public exponent -------------
286 | byte[] exponent = BitConverter.GetBytes(pkheaders.pubexp); //little-endian ordered
287 | Array.Reverse(exponent); //convert to big-endian order
288 | this.certkeyexponent = exponent;
289 | if (verbose)
290 | showBytes("\nPublic key exponent (big-endian order):", exponent);
291 |
292 | //----- Get modulus -------------
293 | int modulusbytes = (int)pkheaders.bitlen / 8;
294 | byte[] modulus = new byte[modulusbytes];
295 | try
296 | {
297 | Array.Copy(publickeyblob, headerslength, modulus, 0, modulusbytes);
298 | Array.Reverse(modulus); //convert from little to big-endian ordering.
299 | this.certkeymodulus = modulus;
300 | if (verbose)
301 | showBytes("\nPublic key modulus (big-endian order):", modulus);
302 | }
303 | catch (Exception)
304 | {
305 | Console.WriteLine("Problem getting modulus from publickeyblob");
306 | return false;
307 | }
308 | return true;
309 | }
310 |
311 |
312 | //--- Encrypt the content file and encrypt the key and IV for exchange ---
313 | private bool TripleDESEncrypt(String content, String encContent, String encKeyfile, String encIVfile)
314 | {
315 | FileStream fin = new FileStream(content, FileMode.Open, FileAccess.Read);
316 | FileStream fout = new FileStream(encContent, FileMode.OpenOrCreate, FileAccess.Write);
317 |
318 | byte[] buff = new byte[1000]; //encryption buffer.
319 | int lenread;
320 |
321 | byte[] encdata;
322 |
323 | try
324 | {
325 | TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider();
326 | CryptoStream encStream = new CryptoStream(fout, tdes.CreateEncryptor(), CryptoStreamMode.Write);
327 |
328 | Console.WriteLine("\nEncrypting content ... ");
329 |
330 | //do the encryption ...
331 | while ((lenread = fin.Read(buff, 0, 1000)) > 0)
332 | encStream.Write(buff, 0, lenread);
333 | encStream.Close();
334 |
335 | //--- Encrypt the 3DES key and IV to output files ---
336 | //----- bug in FCL 1.0 which changes passes array; therefore pass in copy only --------
337 | Console.WriteLine("Encrypting 3DES Key and IV ... ");
338 | encdata = DoRSAEncrypt(tdes.Key, (byte[])certkeymodulus.Clone(), (byte[])certkeyexponent.Clone());
339 | if (encdata == null)
340 | return false;
341 | this.PutFileBytes(encKeyfile, encdata, encdata.Length);
342 | encdata = DoRSAEncrypt(tdes.IV, (byte[])certkeymodulus.Clone(), (byte[])certkeyexponent.Clone());
343 | if (encdata == null)
344 | return false;
345 | this.PutFileBytes(encIVfile, encdata, encdata.Length);
346 | return true;
347 | }
348 | catch (Exception)
349 | {
350 | return false;
351 | }
352 | }
353 |
354 |
355 |
356 | private byte[] DoRSAEncrypt(byte[] keydata, byte[] modulus, byte[] exponent)
357 | {
358 | if (keydata == null || modulus == null || exponent == null)
359 | return null;
360 | byte[] protectedkey = null;
361 | try
362 | {
363 | //Initialize RSAKeyInfo with public parameters
364 | RSAParameters RSAKeyInfo = new RSAParameters();
365 | RSAKeyInfo.Modulus = modulus;
366 | RSAKeyInfo.Exponent = exponent;
367 |
368 | //Initialize RSACryptoServiceProvider
369 | RSACryptoServiceProvider oRSA = new RSACryptoServiceProvider();
370 | oRSA.ImportParameters(RSAKeyInfo);
371 | protectedkey = oRSA.Encrypt(keydata, false);
372 | }
373 |
374 | catch (CryptographicException)
375 | {
376 | return null;
377 | }
378 | return protectedkey;
379 | }
380 |
381 |
382 |
383 | private static void usage()
384 | {
385 | Console.WriteLine("\nUsage:\nEncryptTo.exe [ContentFile] [outFile] [outKeyfile] [outIVfile]");
386 | }
387 |
388 |
389 | private void PutFileBytes(String outfile, byte[] data, int bytes)
390 | {
391 | FileStream fs = null;
392 | if (bytes > data.Length)
393 | {
394 | Console.WriteLine("Too many bytes");
395 | return;
396 | }
397 | try
398 | {
399 | fs = new FileStream(outfile, FileMode.Create);
400 | fs.Write(data, 0, bytes);
401 | }
402 | catch (Exception e)
403 | {
404 | Console.WriteLine(e.Message);
405 | }
406 | finally
407 | {
408 | fs.Close();
409 | }
410 | }
411 |
412 |
413 | private static void showBytes(String info, byte[] data)
414 | {
415 | Console.WriteLine("{0} [{1} bytes]", info, data.Length);
416 | for (int i = 1; i <= data.Length; i++)
417 | {
418 | Console.Write("{0:X2} ", data[i - 1]);
419 | if (i % 16 == 0)
420 | Console.WriteLine();
421 | }
422 | Console.WriteLine();
423 | }
424 |
425 | }
426 | }
--------------------------------------------------------------------------------
/WinBinAudit/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("WinBinAudit")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("WinBinAudit")]
13 | [assembly: AssemblyCopyright("Copyright © 2014")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("2f8d919f-9ff5-4b6f-932e-4ad2b4cdcfa5")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/WinBinAudit/Properties/Resources.Designer.cs:
--------------------------------------------------------------------------------
1 | //------------------------------------------------------------------------------
2 | //
3 | // This code was generated by a tool.
4 | // Runtime Version:4.0.30319.34014
5 | //
6 | // Changes to this file may cause incorrect behavior and will be lost if
7 | // the code is regenerated.
8 | //
9 | //------------------------------------------------------------------------------
10 |
11 | namespace WinBinAudit.Properties {
12 | using System;
13 |
14 |
15 | ///
16 | /// A strongly-typed resource class, for looking up localized strings, etc.
17 | ///
18 | // This class was auto-generated by the StronglyTypedResourceBuilder
19 | // class via a tool like ResGen or Visual Studio.
20 | // To add or remove a member, edit your .ResX file then rerun ResGen
21 | // with the /str option, or rebuild your VS project.
22 | [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0")]
23 | [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
24 | [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
25 | internal class Resources {
26 |
27 | private static global::System.Resources.ResourceManager resourceMan;
28 |
29 | private static global::System.Globalization.CultureInfo resourceCulture;
30 |
31 | [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
32 | internal Resources() {
33 | }
34 |
35 | ///
36 | /// Returns the cached ResourceManager instance used by this class.
37 | ///
38 | [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
39 | internal static global::System.Resources.ResourceManager ResourceManager {
40 | get {
41 | if (object.ReferenceEquals(resourceMan, null)) {
42 | global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("WinBinAudit.Properties.Resources", typeof(Resources).Assembly);
43 | resourceMan = temp;
44 | }
45 | return resourceMan;
46 | }
47 | }
48 |
49 | ///
50 | /// Overrides the current thread's CurrentUICulture property for all
51 | /// resource lookups using this strongly typed resource class.
52 | ///
53 | [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
54 | internal static global::System.Globalization.CultureInfo Culture {
55 | get {
56 | return resourceCulture;
57 | }
58 | set {
59 | resourceCulture = value;
60 | }
61 | }
62 |
63 | ///
64 | /// Looks up a localized string similar to strcpy
65 | ///wcscpy
66 | ///_tcscpy
67 | ///_mbscpy
68 | ///StrCpy
69 | ///StrCpyA
70 | ///StrCpyW
71 | ///lstrcpy
72 | ///lstrcpyA
73 | ///lstrcpyW
74 | ///strcpyA
75 | ///strcpyW
76 | ///_tccpy
77 | ///_mbccpy
78 | ///strcat
79 | ///wcscat
80 | ///_tcscat
81 | ///_mbscat
82 | ///StrCat
83 | ///StrCatA
84 | ///StrCatW
85 | ///lstrcat
86 | ///lstrcatA
87 | ///lstrcatW
88 | ///StrCatBuffW
89 | ///StrCatBuff
90 | ///StrCatBuffA
91 | ///StrCatChainW
92 | ///strcatA
93 | ///strcatW
94 | ///_tccat
95 | ///_mbccatwnsprintf
96 | ///wnsprintfA
97 | ///wnsprintfW
98 | ///sprintfW
99 | ///sprintfA
100 | ///wsprintf
101 | ///wsprintfW
102 | ///wsprintfA
103 | ///sprintf
104 | ///swprintf
105 | ///_stprintf
106 | ///_snwprintf
107 | ///_snprintf
108 | ///_sntprintf
109 | ///nsprintf
110 | ///wvsprintf
111 | ///wvsprintfA
112 | ///wvsprintfW
113 | ///vsprintf
114 | ///_vstpri [rest of string was truncated]";.
115 | ///
116 | internal static string BannedAPIs {
117 | get {
118 | return ResourceManager.GetString("BannedAPIs", resourceCulture);
119 | }
120 | }
121 | }
122 | }
123 |
--------------------------------------------------------------------------------
/WinBinAudit/Properties/Resources.resx:
--------------------------------------------------------------------------------
1 |
2 |
3 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 |
105 |
106 |
107 |
108 |
109 | text/microsoft-resx
110 |
111 |
112 | 2.0
113 |
114 |
115 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
116 |
117 |
118 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
119 |
120 |
121 |
122 | ..\Resources\BannedAPIs.txt;System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089;Windows-1252
123 |
124 |
--------------------------------------------------------------------------------
/WinBinAudit/Resources/BannedAPIs.txt:
--------------------------------------------------------------------------------
1 | strcpy
2 | wcscpy
3 | _tcscpy
4 | _mbscpy
5 | StrCpy
6 | StrCpyA
7 | StrCpyW
8 | lstrcpy
9 | lstrcpyA
10 | lstrcpyW
11 | strcpyA
12 | strcpyW
13 | _tccpy
14 | _mbccpy
15 | strcat
16 | wcscat
17 | _tcscat
18 | _mbscat
19 | StrCat
20 | StrCatA
21 | StrCatW
22 | lstrcat
23 | lstrcatA
24 | lstrcatW
25 | StrCatBuffW
26 | StrCatBuff
27 | StrCatBuffA
28 | StrCatChainW
29 | strcatA
30 | strcatW
31 | _tccat
32 | _mbccatwnsprintf
33 | wnsprintfA
34 | wnsprintfW
35 | sprintfW
36 | sprintfA
37 | wsprintf
38 | wsprintfW
39 | wsprintfA
40 | sprintf
41 | swprintf
42 | _stprintf
43 | _snwprintf
44 | _snprintf
45 | _sntprintf
46 | nsprintf
47 | wvsprintf
48 | wvsprintfA
49 | wvsprintfW
50 | vsprintf
51 | _vstprintf
52 | vswprintf
53 | _vsnprintf
54 | _vsnwprintf
55 | _vsntprintf
56 | wvnsprintf
57 | wvnsprintfA
58 | wvnsprintfW
59 | strncpy
60 | wcsncpy
61 | _tcsncpy
62 | _mbsncpy
63 | _mbsnbcpy
64 | StrCpyN
65 | StrCpyNA
66 | StrCpyNW
67 | StrNCpy
68 | strcpynA
69 | StrNCpyA
70 | StrNCpyW
71 | lstrcpyn
72 | lstrcpynA
73 | lstrcpynW
74 | _fstrncpy
75 | strncat
76 | wcsncat
77 | _tcsncat
78 | _mbsncat
79 | _mbsnbcat
80 | StrCatN
81 | StrCatNA
82 | StrCatNW
83 | StrNCat
84 | StrNCatA
85 | StrNCatW
86 | lstrncat
87 | lstrcatnA
88 | lstrcatnW
89 | lstrcatn
90 | _fstrncat
91 | strtok
92 | _tcstok
93 | wcstok
94 | _mbstok
95 | Makepath
96 | _tmakepath
97 | _makepath
98 | _wmakepath
99 | _splitpath
100 | _tsplitpath
101 | _wsplitpath
102 | scanf
103 | wscanf
104 | _tscanf
105 | sscanf
106 | swscanf
107 | _stscanf
108 | snscanf
109 | snwscanf
110 | _sntscanf
111 | _itoa
112 | _itow
113 | _i64toa
114 | _i64tow
115 | _ui64toa
116 | _ui64tot
117 | _ui64tow
118 | _ultoa
119 | _ultot
120 | _ultow
121 | gets
122 | _getts
123 | _gettws
124 | IsBadWritePtr
125 | IsBadHugeWritePtr
126 | IsBadReadPtr
127 | IsBadHugeReadPtr
128 | IsBadCodePtr
129 | IsBadStringPtr
130 | CharToOem
131 | CharToOemA
132 | CharToOemW
133 | OemToChar
134 | OemToCharA
135 | OemToCharW
136 | CharToOemBuffA
137 | CharToOemBuffW
138 | alloca
139 | _alloca
140 | strlen
141 | wcslen
142 | _mbslen
143 | _mbstrlen
144 | StrLen
145 | lstrlen
--------------------------------------------------------------------------------
/WinBinAudit/WinBinAudit.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {45B53C8D-6C83-4650-9AD2-720A6F9407F3}
8 | Library
9 | Properties
10 | WinBinAudit
11 | WinBinAudit
12 | v4.5
13 | 512
14 |
15 |
16 | true
17 | full
18 | false
19 | bin\Debug\
20 | DEBUG;TRACE
21 | prompt
22 | 4
23 |
24 |
25 | pdbonly
26 | true
27 | bin\Release\
28 | TRACE
29 | prompt
30 | 4
31 |
32 |
33 |
34 | False
35 | ..\3rd Party\ManagedMD.dll
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 | True
51 | True
52 | Resources.resx
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 | ResXFileCodeGenerator
63 | Resources.Designer.cs
64 |
65 |
66 |
67 |
68 |
69 |
70 |
77 |
--------------------------------------------------------------------------------
/WinBinAudit/WinBinAuditv1Checks.cs:
--------------------------------------------------------------------------------
1 | /*
2 | Released as open source by NCC Group Plc - http://www.nccgroup.com/
3 |
4 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
5 |
6 | http://www.github.com/olliencc/WinBinaryAudit/
7 |
8 | Released under AGPL see LICENSE for more information
9 | */
10 |
11 | using System;
12 | using System.Collections.Generic;
13 | using System.Text;
14 | using System.IO;
15 | using System.Windows.Forms;
16 | using ManagedMD;
17 | using ManagedMD.Utils;
18 | using WinBinAuditv1PE;
19 | using System.Runtime.InteropServices;
20 | using System.Security.Cryptography.X509Certificates;
21 |
22 | namespace WinBinAuditv1
23 | {
24 | class WinBinAuditv1PEChecks
25 | {
26 |
27 | [DllImport("kernel32.dll", SetLastError = true)]
28 | static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);
29 | [DllImport("kernel32.dll")]
30 | static extern IntPtr FindResource(IntPtr hModule, int lpID, int lpType);
31 | [DllImport("kernel32.dll", SetLastError = true)]
32 | static extern IntPtr LoadResource(IntPtr hModule, IntPtr hResInfo);
33 | [DllImport("kernel32.dll", SetLastError = true)]
34 | static extern uint SizeofResource(IntPtr hModule, IntPtr hResInfo);
35 | [DllImport("User32.dll")]
36 | static extern int LoadString(IntPtr hInstance, int uID, StringBuilder lpBuffer, int nBufferMax);
37 | [DllImport("kernel32.dll", SetLastError = true)]
38 | internal static extern IntPtr LockResource(IntPtr hResData);
39 |
40 | ///
41 | /// Check for DEP Support
42 | ///
43 | ///
44 | ///
45 | public bool NX(PEProp binInfo)
46 | {
47 | try
48 | {
49 | ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader;
50 | if (optionalHeader != null)
51 | {
52 | ushort field = (ushort)optionalHeader.GetField(ImageOptionalHeader.Fields.DllCharacteristics);
53 | if ((field & 0x100) != 0)
54 | {
55 | return true;
56 | }
57 | }
58 | else
59 | {
60 | return false;
61 | }
62 | }
63 | catch (Exception)
64 | {
65 | return false;
66 | }
67 | return false;
68 | }
69 |
70 | ///
71 | /// SafeSEH Check
72 | ///
73 | ///
74 | ///
75 | public bool SafeSEH(PEProp binInfo)
76 | {
77 | try
78 | {
79 | ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader;
80 | if (optionalHeader != null)
81 | {
82 | ushort field = (ushort)binInfo.PE.OptionalHeader.GetField(ImageOptionalHeader.Fields.DllCharacteristics);
83 | if ((field & 0x400) != 0)
84 | {
85 | return false;
86 | }
87 | SafePointer rva = (SafePointer)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.VirtualAddress);
88 | if (rva.Address == 0)
89 | {
90 | return false;
91 | }
92 | uint DirSize = (uint)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.Size);
93 | ImageLoadConfigDirectory32 directory = new ImageLoadConfigDirectory32(binInfo.PE.RVA2VA(rva));
94 | int FieldSize = (int)directory.GetField(ImageLoadConfigDirectory32.Fields.Size);
95 | if (FieldSize < 0x48)
96 | {
97 | return false;
98 | }
99 | uint SEHTable = (uint)directory.GetField(ImageLoadConfigDirectory32.Fields.SEHandlerTable);
100 | uint SEHTableCount = (uint)directory.GetField(ImageLoadConfigDirectory32.Fields.SEHandlerCount);
101 | if ((SEHTable != 0) && (SEHTableCount != 0))
102 | {
103 | return true;
104 | }
105 | if (SEHTable == 0)
106 | {
107 | return false;
108 | }
109 | if (SEHTableCount == 0)
110 | {
111 | return false;
112 | }
113 | }
114 | else
115 | {
116 | return false;
117 | }
118 | }
119 | catch (Exception)
120 | {
121 | return false;
122 | }
123 | return false;
124 | }
125 |
126 | ///
127 | /// Check for No SEH
128 | ///
129 | ///
130 | ///
131 | public bool NoSEH(PEProp binInfo)
132 | {
133 | try
134 | {
135 | ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader;
136 | if (optionalHeader != null)
137 | {
138 | ushort field = (ushort)binInfo.PE.OptionalHeader.GetField(ImageOptionalHeader.Fields.DllCharacteristics);
139 | if ((field & 0x400) != 0)
140 | {
141 | return true;
142 | }
143 | }
144 | }
145 | catch (Exception)
146 | {
147 | return false;
148 | }
149 | return false;
150 | }
151 |
152 | ///
153 | /// Is the file a DLL
154 | ///
155 | ///
156 | ///
157 | public bool IsDLL(PEProp binInfo)
158 | {
159 | // IMAGE_FILE_DLL
160 |
161 | try
162 | {
163 | ushort field = (ushort)binInfo.PE.FileHeader.GetField(ImageFileHeader.Fields.Characteristics);
164 | if (( field & 0x2000) != 0)
165 | {
166 | return true;
167 | }
168 | }
169 | catch (Exception)
170 | {
171 | return false;
172 | }
173 | return false;
174 | }
175 |
176 | ///
177 | /// MS12-001 Vulnerability Check
178 | ///
179 | ///
180 | ///
181 | ///
182 | public bool MS12001(PEProp binInfo){
183 | try
184 | {
185 | ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader;
186 | if (optionalHeader != null)
187 | {
188 | SafePointer rva = (SafePointer)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.VirtualAddress);
189 | if (rva.Address == 0)
190 | {
191 | return false;
192 | }
193 | uint DirSize = (uint)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.Size);
194 |
195 | // This used to be != 64
196 | // http://blogs.technet.com/b/srd/archive/2012/01/10/more-information-on-the-impact-of-ms12-001.aspx
197 | if (DirSize == 0x48)
198 | {
199 | return true;
200 | }
201 |
202 | /*
203 | ImageLoadConfigDirectory32 directory = new ImageLoadConfigDirectory32(binInfo.PE.RVA2VA(rva));
204 | int FieldSize = (int)directory.GetField(ImageLoadConfigDirectory32.Fields.Size);
205 | if (FieldSize != 64)
206 | {
207 | return true;
208 | }
209 | */
210 | }
211 | else
212 | {
213 | return false;
214 | }
215 | }
216 | catch (Exception)
217 | {
218 | return false;
219 | }
220 | return false;
221 | }
222 |
223 | ///
224 | /// Size extraction related to MS12-001 size check
225 | ///
226 | ///
227 | ///
228 | public int MS12001Sz(PEProp binInfo){
229 | try
230 | {
231 | ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader;
232 | if (optionalHeader != null)
233 | {
234 | SafePointer rva = (SafePointer)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.VirtualAddress);
235 | if (rva.Address == 0)
236 | {
237 | return 0;
238 | }
239 | uint DirSize = (uint)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.Size);
240 |
241 | ImageLoadConfigDirectory32 directory = new ImageLoadConfigDirectory32(binInfo.PE.RVA2VA(rva));
242 | int FieldSize = (int)directory.GetField(ImageLoadConfigDirectory32.Fields.Size);
243 | return FieldSize;
244 | }
245 | else
246 | {
247 | return 0;
248 | }
249 | }
250 | catch (Exception)
251 | {
252 | return 0;
253 | }
254 | //return 0;
255 | }
256 |
257 | ///
258 | /// Second size extraction for MS12-001 test
259 | ///
260 | ///
261 | ///
262 | public uint MS12001SzTwo(PEProp binInfo)
263 | {
264 | try
265 | {
266 | ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader;
267 | if (optionalHeader != null)
268 | {
269 | SafePointer rva = (SafePointer)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.VirtualAddress);
270 | if (rva.Address == 0)
271 | {
272 | return 0;
273 | }
274 |
275 | uint DirSize = (uint)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.Size);
276 |
277 | return DirSize;
278 | }
279 | else
280 | {
281 | return 0;
282 | }
283 | }
284 | catch (Exception)
285 | {
286 | return 0;
287 | }
288 | //return 0;
289 | }
290 |
291 |
292 | ///
293 | /// Is this an AppContainer binary
294 | ///
295 | ///
296 | ///
297 | public bool AppContainer(PEProp binInfo)
298 | {
299 | try
300 | {
301 | ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader;
302 | if (optionalHeader != null)
303 | {
304 | ushort Field = (ushort)optionalHeader.GetField(ImageOptionalHeader.Fields.DllCharacteristics);
305 | if ((Field & 0x1000) != 0)
306 | {
307 | return true;
308 | }
309 |
310 | }
311 | else
312 | {
313 | return false;
314 | }
315 | }
316 | catch (Exception)
317 | {
318 | return false;
319 | }
320 |
321 | return false;
322 |
323 | }
324 |
325 | ///
326 | /// Is this an AppContainer binary
327 | ///
328 | ///
329 | ///
330 | public bool ControlFlowGuard(PEProp binInfo)
331 | {
332 | try
333 | {
334 | ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader;
335 | if (optionalHeader != null)
336 | {
337 | ushort Field = (ushort)optionalHeader.GetField(ImageOptionalHeader.Fields.DllCharacteristics);
338 | if ((Field & 0x4000) != 0)
339 | {
340 | return true;
341 | }
342 |
343 | }
344 | else
345 | {
346 | return false;
347 | }
348 | }
349 | catch (Exception)
350 | {
351 | return false;
352 | }
353 |
354 | return false;
355 |
356 | }
357 |
358 | ///
359 | /// Does it support ASLR
360 | ///
361 | ///
362 | ///
363 | public bool ASLR(PEProp binInfo)
364 | {
365 |
366 | try
367 | {
368 | ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader;
369 | if (optionalHeader != null)
370 | {
371 | ushort field = (ushort) optionalHeader.GetField(ImageOptionalHeader.Fields.DllCharacteristics);
372 | if ((field & 0x40) != 0)
373 | {
374 | return true;
375 | }
376 | }
377 | else
378 | {
379 | return false;
380 | }
381 | }
382 | catch (Exception)
383 | {
384 | return false;
385 | }
386 |
387 | return false;
388 | }
389 |
390 |
391 | ///
392 | /// Is there a shared and writeable section
393 | ///
394 | ///
395 | ///
396 | public bool InsecureSection(PEProp binInfo)
397 | {
398 | bool bFailed = false;
399 |
400 | try
401 | {
402 | ImageSectionHeader[] sectionHeaders = binInfo.PE.SectionHeaders;
403 | if (sectionHeaders != null)
404 | {
405 | foreach (ImageSectionHeader header in sectionHeaders)
406 | {
407 | uint field = (uint)header.GetField(ImageSectionHeader.Fields.Characteristics);
408 | if ((field & 0x90000000) == 0x90000000)
409 | {
410 | bFailed = true;
411 | }
412 | }
413 |
414 | if (bFailed == true)
415 | {
416 | return true;
417 | }
418 |
419 | return false;
420 | }
421 | }
422 | catch (Exception)
423 | {
424 | return false;
425 | }
426 | return true;
427 |
428 | }
429 |
430 | // .NET Strong Name
431 | public bool DotNetStrongName(PEProp binInfo)
432 | {
433 | try
434 | {
435 | Assembly assembly = new Assembly(binInfo.Path);
436 | byte[] publicKey = assembly.PublicKey;
437 | if ((publicKey != null) && (publicKey.Length > 0))
438 | {
439 | return true;
440 | }
441 | }
442 | catch (Exception)
443 | {
444 | return false;
445 | }
446 |
447 | return false;
448 | }
449 |
450 | // .NET Allow Partially Trusted Callers
451 | public bool DotNetAllowPartialTrustCallers(PEProp binInfo)
452 | {
453 | try
454 | {
455 | Assembly assembly = new Assembly(binInfo.Path);
456 | CustomAttribute[] customAttributes = assembly.CustomAttributes;
457 | if (customAttributes == null)
458 | {
459 | return false;
460 | }
461 | foreach (CustomAttribute attribute in customAttributes)
462 | {
463 | if (attribute.TypeCtor.Type.Name == "AllowPartiallyTrustedCallersAttribute")
464 | {
465 | return true;
466 | }
467 | }
468 | }
469 | catch (Exception)
470 | {
471 | return false;
472 | }
473 |
474 | return false;
475 | }
476 |
477 | public string DotNetVer(PEProp binInfo)
478 | {
479 | bool bMaj = false;
480 | bool bMin = false;
481 | string strMaj = null;
482 | string strMin = null ;
483 |
484 | COMPEFile comPE = new COMPEFile(binInfo.PE);
485 | ImageCor20Header cor20Hdr = comPE.Cor20Header;
486 | Header.FieldInfo fieldInfo = new Header.FieldInfo();
487 | object fieldValue = new object();
488 |
489 | for(int intCount = 0;intCount < cor20Hdr.NumberOfFields; intCount++){
490 | fieldInfo = cor20Hdr.GetFieldInfo(intCount);
491 | if (fieldInfo.Name.ToString() == "MajorRuntimeVersion")
492 | {
493 | bMaj = true;
494 | fieldValue = cor20Hdr.GetField(intCount);
495 |
496 | strMaj = fieldValue.ToString();
497 | } else if (fieldInfo.Name.ToString() == "MinorRuntimeVersion"){
498 | bMin = true;
499 | fieldValue = cor20Hdr.GetField(intCount);
500 |
501 | strMin = fieldValue.ToString();
502 | }
503 | }
504 |
505 | StringBuilder strFinal = new System.Text.StringBuilder();
506 |
507 | if (bMaj == true && bMin == true)
508 | {
509 | strFinal.Append(strMaj.ToString());
510 | strFinal.Append(".");
511 | strFinal.Append(strMin.ToString());
512 | }
513 | else
514 | {
515 | strFinal.Append("Error");
516 | }
517 |
518 | return strFinal.ToString();
519 | }
520 |
521 | public bool VirtualAlloc(PEProp binInfo, SecurityInfo SecInfo)
522 | {
523 |
524 | foreach (string strImport in SecInfo.Imports)
525 | {
526 |
527 | if (strImport.ToString() == "VirtualAlloc") return true;
528 | }
529 |
530 | return false;
531 | }
532 |
533 | public uint CodeSize(PEProp binInfo){
534 | uint szSize = 0;
535 |
536 | ImageSectionHeader[] sectionHeaders = binInfo.PE.SectionHeaders;
537 | if (sectionHeaders != null)
538 | {
539 | foreach (ImageSectionHeader header in sectionHeaders)
540 | {
541 | uint field = (uint)header.GetField(ImageSectionHeader.Fields.Characteristics);
542 | if ((field & 0x20000000) != 0)
543 | {
544 | szSize += (uint)header.GetField(ImageSectionHeader.Fields.SizeOfRawData);
545 | }
546 | }
547 |
548 | }
549 |
550 | return szSize;
551 | }
552 |
553 | ///
554 | /// SetDllDirectory, SetDefaultDllDirectories, AddDllDirectory
555 | ///
556 | ///
557 | ///
558 | ///
559 | public bool DLLPlanting(PEProp binInfo, SecurityInfo SecInfo)
560 | {
561 |
562 | if (DoesImport(binInfo, "SetDLLDirectory", false, SecInfo) || DoesImport(binInfo, "SetDefaultDllDirectories", false, SecInfo) || DoesImport(binInfo, "AddDllDirectory", false, SecInfo))
563 | {
564 | if (DoesImport(binInfo, "SetDLLDirectory", false, SecInfo)){
565 | SecInfo.DLLPlantReason = SecInfo.DLLPlantReason + "Imports SetDLLDirectory ";
566 | }
567 |
568 | if (DoesImport(binInfo, "SetDefaultDllDirectories", false, SecInfo)){
569 | SecInfo.DLLPlantReason = SecInfo.DLLPlantReason + "Imports SetDefaultDllDirectories ";
570 | }
571 |
572 | if (DoesImport(binInfo, "AddDllDirectory", false, SecInfo)){
573 | SecInfo.DLLPlantReason = SecInfo.DLLPlantReason + "Imports AddDllDirectory ";
574 | }
575 | return true;
576 | }
577 |
578 | if (DoesImportviaLoadLibrary(binInfo, "SetDLLDirectory", SecInfo) || DoesImportviaLoadLibrary(binInfo, "SetDefaultDllDirectories", SecInfo) || DoesImportviaLoadLibrary(binInfo, "AddDllDirectory", SecInfo))
579 | {
580 |
581 | if (DoesImport(binInfo, "SetDLLDirectory", false, SecInfo))
582 | {
583 | SecInfo.DLLPlantReason = SecInfo.DLLPlantReason + "Imports via LoadLibrary SetDLLDirectory ";
584 | }
585 |
586 | if (DoesImport(binInfo, "SetDefaultDllDirectories", false, SecInfo))
587 | {
588 | SecInfo.DLLPlantReason = SecInfo.DLLPlantReason + "Imports via LoadLibrary SetDefaultDllDirectories ";
589 | }
590 |
591 | if (DoesImport(binInfo, "AddDllDirectory", false, SecInfo))
592 | {
593 | SecInfo.DLLPlantReason = SecInfo.DLLPlantReason + "Imports via LoadLibrary AddDllDirectory ";
594 | }
595 | return true;
596 | }
597 |
598 | return false;
599 | }
600 |
601 | public string DLLPlantingReason(PEProp binInfo, SecurityInfo SecInfo)
602 | {
603 | string strDLLPlantReason = "";
604 |
605 | if (DoesImport(binInfo, "SetDLLDirectory", false, SecInfo) || DoesImport(binInfo, "SetDefaultDllDirectories", false, SecInfo) || DoesImport(binInfo, "AddDllDirectory", false, SecInfo))
606 | {
607 | if (DoesImport(binInfo, "SetDLLDirectory", false, SecInfo))
608 | {
609 | strDLLPlantReason = strDLLPlantReason + "Imports SetDLLDirectory ";
610 | }
611 |
612 | if (DoesImport(binInfo, "SetDefaultDllDirectories", false, SecInfo))
613 | {
614 | strDLLPlantReason = strDLLPlantReason + "Imports SetDefaultDllDirectories ";
615 | }
616 |
617 | if (DoesImport(binInfo, "AddDllDirectory", false, SecInfo))
618 | {
619 | strDLLPlantReason = strDLLPlantReason + "Imports AddDllDirectory ";
620 | }
621 |
622 | }
623 |
624 | if (DoesImportviaLoadLibrary(binInfo, "SetDLLDirectory", SecInfo) || DoesImportviaLoadLibrary(binInfo, "SetDefaultDllDirectories", SecInfo) || DoesImportviaLoadLibrary(binInfo, "AddDllDirectory", SecInfo))
625 | {
626 |
627 | if (DoesImportviaLoadLibrary(binInfo, "SetDLLDirectory", SecInfo))
628 | {
629 | strDLLPlantReason = strDLLPlantReason + "Imports via LoadLibrary SetDLLDirectory ";
630 | }
631 |
632 | if (DoesImportviaLoadLibrary(binInfo, "SetDefaultDllDirectories", SecInfo))
633 | {
634 | strDLLPlantReason = strDLLPlantReason + "Imports via LoadLibrary SetDefaultDllDirectories ";
635 | }
636 |
637 | if (DoesImportviaLoadLibrary(binInfo, "AddDllDirectory", SecInfo))
638 | {
639 | strDLLPlantReason = strDLLPlantReason + "Imports via LoadLibrary AddDllDirectory ";
640 | }
641 |
642 | }
643 |
644 |
645 | return strDLLPlantReason;
646 | }
647 | ///
648 | /// Checks if the the string is in the list of imports
649 | ///
650 | ///
651 | ///
652 | ///
653 | public bool DoesImport(PEProp binInfo, string strTheOne, bool bExact, SecurityInfo SecInfo)
654 | {
655 |
656 | foreach (string strImport in SecInfo.Imports)
657 | {
658 |
659 | if (bExact == true)
660 | {
661 | if (strImport.ToString().Equals(strTheOne)) return true;
662 | }
663 | else
664 | {
665 | if (strImport.ToString().Contains(strTheOne)) return true;
666 | }
667 | }
668 |
669 | return false;
670 | }
671 |
672 | public bool DoesImportviaLoadLibrary(PEProp binInfo, string strTheOne, SecurityInfo SecInfo)
673 | {
674 | if (DoesImport(binInfo, strTheOne, true, SecInfo)) return true;
675 |
676 | if (DoesImport(binInfo, "LoadLibrary", false, SecInfo) && DoesImport(binInfo, "GetProcAddress", false, SecInfo))
677 | {
678 | System.IO.FileStream fsStream = new System.IO.FileStream(binInfo.Path, System.IO.FileMode.Open, System.IO.FileAccess.Read);
679 | System.IO.BinaryReader brReader = new System.IO.BinaryReader(fsStream);
680 | Byte[] strWorkBuff = brReader.ReadBytes((Int32)fsStream.Length);
681 | long lngSize = brReader.BaseStream.Length;
682 | long lngCnt = 0;
683 | long lngInnerCnt = 0;
684 | brReader.Close();
685 | fsStream.Close();
686 |
687 | for (lngCnt = 0; lngCnt < lngSize; lngCnt++)
688 | {
689 | for (lngInnerCnt = 0; lngInnerCnt < strTheOne.Length; lngInnerCnt++)
690 | {
691 | if (strWorkBuff[lngCnt + lngInnerCnt].CompareTo(Convert.ToByte(strTheOne[(int)lngInnerCnt])) == 0) break;
692 | }
693 | if (lngInnerCnt == strTheOne.Length)
694 | {
695 | return true;
696 | }
697 | }
698 | }
699 |
700 | return false;
701 | }
702 |
703 |
704 | public bool LoadLibrary(PEProp binInfo, SecurityInfo SecInfo)
705 | {
706 | if (DoesImport(binInfo, "LoadLibrary", false, SecInfo)) return true;
707 |
708 | return false;
709 | }
710 |
711 |
712 | ///
713 | /// Checks if the binary / uses HeapSetInformation
714 | ///
715 | ///
716 | ///
717 | public bool HeapSetInfo(PEProp binInfo, SecurityInfo SecInfo)
718 | {
719 | return DoesImportviaLoadLibrary(binInfo, "HeapSetInformation", SecInfo);
720 | }
721 |
722 | public bool SetDEPPolicy(PEProp binInfo, SecurityInfo SecInfo)
723 | {
724 | return DoesImportviaLoadLibrary(binInfo, "SetProcessDEPPolicy", SecInfo);
725 | }
726 |
727 | public bool EncodePointer(PEProp binInfo, SecurityInfo SecInfo)
728 | {
729 | return DoesImportviaLoadLibrary(binInfo, "EncodePointer", SecInfo);
730 | }
731 |
732 | public bool ProcessHeapExec(PEProp binInfo)
733 | {
734 |
735 | try
736 | {
737 | ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader;
738 | if (optionalHeader != null)
739 | {
740 | ushort field = (ushort)binInfo.PE.OptionalHeader.GetField(ImageOptionalHeader.Fields.DllCharacteristics);
741 | if ((field & 0x400) != 0)
742 | {
743 | return false;
744 | }
745 | SafePointer rva = (SafePointer)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.VirtualAddress);
746 | if (rva.Address == 0)
747 | {
748 | return false;
749 | }
750 | uint DirSize = (uint)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.Size);
751 | ImageLoadConfigDirectory32 directory = new ImageLoadConfigDirectory32(binInfo.PE.RVA2VA(rva));
752 | int FieldSize = (int)directory.GetField(ImageLoadConfigDirectory32.Fields.Size);
753 | if (FieldSize < 0x48)
754 | {
755 | return false;
756 | }
757 | uint ProcHeapFlags = (uint)directory.GetField(ImageLoadConfigDirectory32.Fields.ProcessHeapFlags);
758 |
759 | if ((field & 0x00040000) != 0)
760 | {
761 | return true;
762 | }
763 | }
764 | else
765 | {
766 | return false;
767 | }
768 | }
769 | catch (Exception)
770 | {
771 | return false;
772 | }
773 |
774 | return false;
775 | }
776 |
777 | public bool ForceInt(PEProp binInfo)
778 | {
779 | try
780 | {
781 | ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader;
782 | if (optionalHeader != null)
783 | {
784 | ushort field = (ushort)optionalHeader.GetField(ImageOptionalHeader.Fields.DllCharacteristics);
785 | if ((field & 0x0080) != 0)
786 | {
787 | return true;
788 | }
789 |
790 | }
791 | else
792 | {
793 | return false;
794 | }
795 | }
796 | catch (Exception)
797 | {
798 | return false;
799 | }
800 | return false;
801 | }
802 |
803 | public string UACUIAccess(PEProp binInfo)
804 | {
805 | IntPtr hMod = LoadLibraryEx(binInfo.Path, IntPtr.Zero, 0x2);
806 | if(hMod != null){
807 | IntPtr hRes = FindResource(hMod, 1, 24);
808 | if (hRes != null)
809 | {
810 | uint intSize = SizeofResource(hMod, hRes);
811 | if (intSize > 0)
812 | {
813 | IntPtr ptrRes = LoadResource(hMod, hRes);
814 | if (ptrRes != null)
815 | {
816 | IntPtr strMani = LockResource(ptrRes);
817 |
818 | if (strMani != null)
819 | {
820 | string strManifest = System.Runtime.InteropServices.Marshal.PtrToStringAnsi(strMani);
821 | if (strManifest != null)
822 | {
823 | //Console.WriteLine(strManifest.ToString());
824 | if (strManifest.Contains("uiAccess=\"false\"") == true)
825 | {
826 | return "False";
827 | }
828 | else if (strManifest.Contains("uiAccess=\"true\"") == true)
829 | {
830 | return "True";
831 | }
832 | else if (strManifest.Contains("uiAcces") == true)
833 | {
834 | return "Present";
835 | }
836 | else
837 | {
838 | return "Error";
839 | }
840 | }
841 | else
842 | {
843 | return "Null";
844 | }
845 | }
846 | }
847 | }
848 | }
849 | }
850 |
851 | return "Not found";
852 | }
853 |
854 | public string UACIntLevel(PEProp binInfo)
855 | {
856 | IntPtr hMod = LoadLibraryEx(binInfo.Path, IntPtr.Zero, 0x2);
857 | if (hMod != null)
858 | {
859 | IntPtr hRes = FindResource(hMod, 1, 24);
860 | if (hRes != null)
861 | {
862 | uint intSize = SizeofResource(hMod, hRes);
863 | if (intSize > 0)
864 | {
865 | IntPtr ptrRes = LoadResource(hMod, hRes);
866 | if (ptrRes != null)
867 | {
868 | IntPtr strMani = LockResource(ptrRes);
869 |
870 | if (strMani != null)
871 | {
872 | string strManifest = System.Runtime.InteropServices.Marshal.PtrToStringAnsi(strMani);
873 | //Console.WriteLine(strManifest.ToString());
874 | if (strManifest != null)
875 | {
876 | if (strManifest.Contains("level=\"requireAdministrator\"") == true)
877 | {
878 | return "Administrator";
879 | }
880 | else if (strManifest.Contains("level=\"highestAvailable\"") == true)
881 | {
882 | return "Highest";
883 | }
884 | else if (strManifest.Contains("level=\"asInvoker\"") == true)
885 | {
886 | return "Invoker";
887 | }
888 | else if (strManifest.Contains("requestedExecutionLevel") == true)
889 | {
890 | return "Present";
891 | }
892 | else
893 | {
894 | return "Error";
895 | }
896 | }
897 | else
898 | {
899 | return "Null";
900 | }
901 | }
902 | }
903 | }
904 | }
905 | }
906 |
907 | return "Not found";
908 | }
909 |
910 | public bool GetManifest(PEProp binInfo, SecurityInfo secInfo)
911 | {
912 | IntPtr hMod = LoadLibraryEx(binInfo.Path, IntPtr.Zero, 0x2);
913 | if (hMod != null)
914 | {
915 | IntPtr hRes = FindResource(hMod, 1, 24);
916 | if (hRes != null)
917 | {
918 | uint intSize = SizeofResource(hMod, hRes);
919 | if (intSize > 0)
920 | {
921 | IntPtr ptrRes = LoadResource(hMod, hRes);
922 | if (ptrRes != null)
923 | {
924 | IntPtr strMani = LockResource(ptrRes);
925 |
926 | if (strMani != null)
927 | {
928 | string strManifest = System.Runtime.InteropServices.Marshal.PtrToStringAnsi(strMani);
929 |
930 | int intIdx = strManifest.IndexOf("¿");
931 | if (intIdx != 0)
932 | {
933 | secInfo.Manifest = strManifest.Substring(intIdx + 1);
934 | }
935 | else
936 | {
937 | secInfo.Manifest = strManifest;
938 | }
939 | return true;
940 | }
941 |
942 | }
943 | }
944 | }
945 | }
946 |
947 | return false;
948 | }
949 |
950 | public bool GS1Check(PEProp binInfo)
951 | {
952 |
953 | try
954 | {
955 | ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader;
956 | if (optionalHeader != null)
957 | {
958 | ushort field = (ushort)binInfo.PE.OptionalHeader.GetField(ImageOptionalHeader.Fields.DllCharacteristics);
959 | if ((field & 0x400) != 0)
960 | {
961 | return false;
962 | }
963 | SafePointer rva = (SafePointer)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.VirtualAddress);
964 | if (rva.Address == 0)
965 | {
966 | return false;
967 | }
968 | uint DirSize = (uint)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.Size);
969 | ImageLoadConfigDirectory32 directory = new ImageLoadConfigDirectory32(binInfo.PE.RVA2VA(rva));
970 | int FieldSize = (int)directory.GetField(ImageLoadConfigDirectory32.Fields.Size);
971 | if (FieldSize < 0x48)
972 | {
973 | return false;
974 | }
975 | uint GSCookieLoc = (uint)directory.GetField(ImageLoadConfigDirectory32.Fields.SecurityCookie);
976 |
977 | if (GSCookieLoc != 0)
978 | {
979 | return true;
980 | }
981 | }
982 | else
983 | {
984 | return false;
985 | }
986 | }
987 | catch (Exception)
988 | {
989 | return false;
990 | }
991 |
992 | return false;
993 | }
994 |
995 | public long GSCookieHunter(byte[] strWorkBuff, long lngFileSize, byte[] strGSAddr)
996 | {
997 | long lngCnt=0;
998 | long lngNumofRefs=0;
999 | long lngStart=0;
1000 | long lngFinish=0;
1001 |
1002 | lngStart=0;
1003 | lngFinish=lngFileSize-5;
1004 |
1005 | try
1006 | {
1007 | for (lngCnt = lngStart; lngCnt <= lngFinish; lngCnt++)
1008 | {
1009 | if ((strWorkBuff[lngCnt] == 0xA1) && (strWorkBuff[lngCnt + 1] == strGSAddr[0]) && (strWorkBuff[lngCnt + 2] == strGSAddr[1]) && (strWorkBuff[lngCnt + 3] == strGSAddr[2]) && (strWorkBuff[lngCnt + 4] == strGSAddr[3]))
1010 | {
1011 | lngNumofRefs++;
1012 | }
1013 | }
1014 | }
1015 | catch
1016 | {
1017 |
1018 | }
1019 |
1020 | return lngNumofRefs;
1021 | }
1022 |
1023 | public bool GSCheck64(PEProp binInfo)
1024 | {
1025 | long lngCnt;
1026 | System.IO.FileStream fsStream = new System.IO.FileStream(binInfo.Path, System.IO.FileMode.Open, System.IO.FileAccess.Read);
1027 | System.IO.BinaryReader brReader = new System.IO.BinaryReader(fsStream);
1028 | Byte[] strWorkBuff = brReader.ReadBytes((Int32)fsStream.Length);
1029 | long lngSize = brReader.BaseStream.Length;
1030 | brReader.Close();
1031 | fsStream.Close();
1032 |
1033 | try
1034 | {
1035 | for (lngCnt = 0; lngCnt < lngSize; lngCnt++)
1036 | {
1037 | if ( // epilogue
1038 | strWorkBuff[lngCnt] == 0x75 && strWorkBuff[lngCnt + 1] == 0x11 &&
1039 | strWorkBuff[lngCnt + 2] == 0x48 && strWorkBuff[lngCnt + 3] == 0xc1 &&
1040 | strWorkBuff[lngCnt + 4] == 0xc1 && strWorkBuff[lngCnt + 5] == 0x10 &&
1041 | strWorkBuff[lngCnt + 6] == 0x66 && strWorkBuff[lngCnt + 7] == 0xf7 &&
1042 | strWorkBuff[lngCnt + 8] == 0xc1 && strWorkBuff[lngCnt + 9] == 0xff &&
1043 | strWorkBuff[lngCnt + 10] == 0xff && strWorkBuff[lngCnt + 11] == 0x75 &&
1044 | strWorkBuff[lngCnt + 12] == 0x02 && strWorkBuff[lngCnt + 13] == 0xf3 &&
1045 | strWorkBuff[lngCnt + 14] == 0xc3
1046 | )
1047 | {
1048 | return true;
1049 |
1050 | //0 1 2 3 4 5 6
1051 | //48 8D 0D XX XX XX XX lea rcx,[GS_ContextRecord (13FC630F0h)]
1052 | //7 8 9 10 11 12
1053 | //FF 15 XX XX XX XX call qword ptr [__imp_RtlCaptureContext (13FC62028h)]
1054 | //13 14 15 16 17 18 19
1055 | //48/4C 8B XX XX XX XX XX mov rax,qword ptr [GS_ContextRecord+0F8h (13FC631E8h)]
1056 | //20 21 22 23 24
1057 | //48/4C XX XX XX XX
1058 | //25 26 27
1059 | //45 33 C0
1060 |
1061 | }
1062 | else if ( // __report_gs_failure - well part of
1063 | strWorkBuff[lngCnt] == 0x48 && strWorkBuff[lngCnt + 1] == 0x8D &&
1064 | strWorkBuff[lngCnt + 2] == 0x0D && strWorkBuff[lngCnt + 7] == 0xFF &&
1065 | strWorkBuff[lngCnt + 8] == 0x15 &&
1066 | (strWorkBuff[lngCnt + 13] == 0x48 || strWorkBuff[lngCnt + 13] == 0x4C) &&
1067 | strWorkBuff[lngCnt + 14] == 0x8B &&
1068 | (strWorkBuff[lngCnt + 20] == 0x48 || strWorkBuff[lngCnt + 20] == 0x4C) &&
1069 | strWorkBuff[lngCnt + 25] == 0x45 && strWorkBuff[lngCnt + 26] == 0x33 &&
1070 | strWorkBuff[lngCnt + 27] == 0xC0
1071 | )
1072 | {
1073 | return true;
1074 | /*
1075 | 1 2 3 4 5 6
1076 | FF 15 XX XX XX XX
1077 | 7 8 9 10 11
1078 | 4C 8B 5C 24 38
1079 | 12 13 14
1080 | 4C 33 DB
1081 | 15 16 17 18 19 20 21 22 23 24
1082 | 48 B8 FF FF FF FF FF FF 00 00
1083 | 25 26 27
1084 | 4C 23 D8
1085 | 28 29 30 31 32 33 34 35 36 37
1086 | 48 B8 33 A2 DF 2D 99 2B 00 00
1087 | */
1088 |
1089 |
1090 | }
1091 | else if ( // ___security_init_cookie - part of
1092 | strWorkBuff[lngCnt] == 0xFF && strWorkBuff[lngCnt + 1] == 0x15 &&
1093 | strWorkBuff[lngCnt + 6] == 0x4C && strWorkBuff[lngCnt + 7] == 0x8B &&
1094 | strWorkBuff[lngCnt + 8] == 0x5C && strWorkBuff[lngCnt + 9] == 0x24 &&
1095 | strWorkBuff[lngCnt + 10] == 0x38 && strWorkBuff[lngCnt + 11] == 0x4C &&
1096 | strWorkBuff[lngCnt + 12] == 0x33 && strWorkBuff[lngCnt + 13] == 0xDB &&
1097 | strWorkBuff[lngCnt + 14] == 0x48 && strWorkBuff[lngCnt + 15] == 0xB8 &&
1098 | strWorkBuff[lngCnt + 16] == 0xFF && strWorkBuff[lngCnt + 17] == 0xFF &&
1099 | strWorkBuff[lngCnt + 18] == 0xFF && strWorkBuff[lngCnt + 19] == 0xFF &&
1100 | strWorkBuff[lngCnt + 20] == 0xFF && strWorkBuff[lngCnt + 21] == 0xFF &&
1101 | strWorkBuff[lngCnt + 22] == 0x00 && strWorkBuff[lngCnt + 23] == 0x00 &&
1102 | strWorkBuff[lngCnt + 24] == 0x4C && strWorkBuff[lngCnt + 25] == 0x23 &&
1103 | strWorkBuff[lngCnt + 26] == 0xD8 && strWorkBuff[lngCnt + 27] == 0x48 &&
1104 | strWorkBuff[lngCnt + 28] == 0xB8 && strWorkBuff[lngCnt + 29] == 0x33 &&
1105 | strWorkBuff[lngCnt + 30] == 0xA2 && strWorkBuff[lngCnt + 31] == 0xDF &&
1106 | strWorkBuff[lngCnt + 32] == 0x2D && strWorkBuff[lngCnt + 33] == 0x99 &&
1107 | strWorkBuff[lngCnt + 34] == 0x2B && strWorkBuff[lngCnt + 35] == 0x00 &&
1108 | strWorkBuff[lngCnt + 36] == 0x00
1109 |
1110 | )
1111 | {
1112 | return true;
1113 | } else if ( // ___security_init_cookie - part of
1114 | strWorkBuff[lngCnt] == 0x48 && strWorkBuff[lngCnt + 1] == 0xBA &&
1115 | strWorkBuff[lngCnt + 2] == 0xFF && strWorkBuff[lngCnt + 3] == 0xFF &&
1116 | strWorkBuff[lngCnt + 4] == 0xFF && strWorkBuff[lngCnt + 5] == 0xFF &&
1117 | strWorkBuff[lngCnt + 6] == 0xFF && strWorkBuff[lngCnt + 7] == 0xFF &&
1118 | strWorkBuff[lngCnt + 8] == 0x00 && strWorkBuff[lngCnt + 9] == 0x00 &&
1119 | strWorkBuff[lngCnt + 10] == 0x48 && strWorkBuff[lngCnt + 11] == 0x33 &&
1120 | strWorkBuff[lngCnt + 12] == 0xC1 && strWorkBuff[lngCnt + 13] == 0x48 &&
1121 | strWorkBuff[lngCnt + 14] == 0x23 && strWorkBuff[lngCnt + 15] == 0xC2 &&
1122 | strWorkBuff[lngCnt + 16] == 0x48 && strWorkBuff[lngCnt + 17] == 0x89 &&
1123 | strWorkBuff[lngCnt + 18] == 0x01
1124 | )
1125 | {
1126 | return true;
1127 | }
1128 | }
1129 | }
1130 | catch
1131 | {
1132 | return false;
1133 | }
1134 | return false;
1135 | }
1136 |
1137 | public int GS2Check32(PEProp binInfo)
1138 | {
1139 |
1140 | //Console.WriteLine("G32Check32 - " + binInfo.Path);
1141 | long lngCnt;
1142 | int intGS=0;
1143 | int intGSFound=0;
1144 | int intGS03=0;
1145 | int intGS0508=0;
1146 | System.IO.FileStream fsStream = new System.IO.FileStream(binInfo.Path, System.IO.FileMode.Open, System.IO.FileAccess.Read);
1147 | System.IO.BinaryReader brReader = new System.IO.BinaryReader(fsStream);
1148 | Byte[] strWorkBuff = brReader.ReadBytes((Int32)fsStream.Length);
1149 | long lngSize = brReader.BaseStream.Length;
1150 | brReader.Close();
1151 | fsStream.Close();
1152 |
1153 | //OllieCantCode:
1154 |
1155 | try
1156 | {
1157 | for (lngCnt = 0; lngCnt < lngSize; lngCnt++)
1158 | {
1159 | // VS2003 /GS check
1160 |
1161 | // PUSH 0000008h
1162 | if (strWorkBuff[lngCnt] == 0x6A)
1163 | {
1164 | if (strWorkBuff[lngCnt + 1] == 0x08)
1165 | {
1166 | // skip PUSH ????????
1167 | // skip call ????????
1168 | // AND DWORD PTR [ebp-04h],000000h
1169 | if (strWorkBuff[lngCnt + 12] == 0x83)
1170 | {
1171 | if (strWorkBuff[lngCnt + 13] == 0x65)
1172 | {
1173 | if (strWorkBuff[lngCnt + 14] == 0xFC)
1174 | {
1175 | if (strWorkBuff[lngCnt + 15] == 0x00)
1176 | {
1177 | // PUSH 00000000h
1178 | if (strWorkBuff[lngCnt + 16] == 0x6A)
1179 | {
1180 | if (strWorkBuff[lngCnt + 17] == 0x00)
1181 | {
1182 | // PUSH 00000001h
1183 | if (strWorkBuff[lngCnt + 18] == 0x6A)
1184 | {
1185 | if (strWorkBuff[lngCnt + 19] == 0x01)
1186 | {
1187 | // skip CALL ???????? // this is to MSVCR71.dll!__security_error_handler
1188 | if (strWorkBuff[lngCnt + 25] == 0x59)
1189 | {
1190 | if (strWorkBuff[lngCnt + 26] == 0x59)
1191 | {
1192 | // skip JMP ??
1193 | // XOR EAX,EAX
1194 | if (strWorkBuff[lngCnt + 29] == 0x33)
1195 | {
1196 | if (strWorkBuff[lngCnt + 30] == 0xC0)
1197 | {
1198 | // INC EAX
1199 | if (strWorkBuff[lngCnt + 31] == 0x40)
1200 | {
1201 | // RETN
1202 | if (strWorkBuff[lngCnt + 32] == 0xC3)
1203 | {
1204 | intGS = 1;
1205 | intGS03 = 1;
1206 | //break;
1207 | }
1208 | }
1209 | }
1210 | }
1211 | }
1212 | }
1213 | }
1214 | }
1215 | }
1216 | }
1217 | }
1218 | }
1219 | }
1220 | }
1221 | }
1222 | }
1223 |
1224 | // VS 2005 __security_check_cookie stub check
1225 | // CMP ECX, ?????
1226 | if (strWorkBuff[lngCnt] == 0x3B)
1227 | {
1228 | if (strWorkBuff[lngCnt + 1] == 0x0D)
1229 | {
1230 | // skip the CMP ECX, ??????
1231 | // but copy the address in
1232 |
1233 | // TODO
1234 | // memcpy(strGSAddr, &strWorkBuff[lngCnt + 2], 4);
1235 |
1236 | // JNZ ??
1237 | if (strWorkBuff[lngCnt + 6] == 0x75)
1238 | {
1239 | // TEST ECX,FFFF0000h
1240 | if (strWorkBuff[lngCnt + 8] == 0xF7)
1241 | {
1242 | if (strWorkBuff[lngCnt + 9] == 0xC1)
1243 | {
1244 | if (strWorkBuff[lngCnt + 10] == 0x00)
1245 | {
1246 | if (strWorkBuff[lngCnt + 11] == 0x00)
1247 | {
1248 | if (strWorkBuff[lngCnt + 12] == 0xFF)
1249 | {
1250 | if (strWorkBuff[lngCnt + 13] == 0xFF)
1251 | {
1252 | // JNZ ??
1253 | if (strWorkBuff[lngCnt + 14] == 0x75)
1254 | {
1255 | // RET
1256 | if (strWorkBuff[lngCnt + 16] == 0xC3)
1257 | {
1258 | intGS = 4;
1259 | intGS0508 = 1;
1260 | //break;
1261 | }
1262 | else if (strWorkBuff[lngCnt + 16] == 0xF3)
1263 | {
1264 | if (strWorkBuff[lngCnt + 17] == 0xC3)
1265 | {
1266 | intGS = 6;
1267 | intGS0508 = 1;
1268 | //break;
1269 | }
1270 | }
1271 | }
1272 | }
1273 | }
1274 | }
1275 | }
1276 | }
1277 |
1278 | // REP RETN
1279 | }
1280 | else if (strWorkBuff[lngCnt + 8] == 0xF3)
1281 | {
1282 | if (strWorkBuff[lngCnt + 9] == 0xC3)
1283 | {
1284 | // JMP ??????
1285 | if (strWorkBuff[lngCnt + 10] == 0xE9)
1286 | {
1287 | intGS = 3;
1288 | intGS0508 = 1;
1289 | //break;
1290 | // ???
1291 | }
1292 | else
1293 | {
1294 | intGS = 7;
1295 | intGS0508 = 1;
1296 | //break;
1297 | }
1298 | }
1299 | }
1300 | // JMP ????????
1301 | }
1302 | else if (strWorkBuff[lngCnt + 6] == 0x0F)
1303 | {
1304 | // TEST ECX,FFFF0000h
1305 | if (strWorkBuff[lngCnt + 12] == 0xF7)
1306 | {
1307 | if (strWorkBuff[lngCnt + 13] == 0xC1)
1308 | {
1309 | if (strWorkBuff[lngCnt + 14] == 0x00)
1310 | {
1311 | if (strWorkBuff[lngCnt + 15] == 0x00)
1312 | {
1313 | if (strWorkBuff[lngCnt + 16] == 0xFF)
1314 | {
1315 | if (strWorkBuff[lngCnt + 17] == 0xFF)
1316 | {
1317 | // JNZ ????????
1318 | if (strWorkBuff[lngCnt + 18] == 0x0F)
1319 | {
1320 | intGS = 5;
1321 | intGS0508 = 1;
1322 | //break;
1323 | }
1324 | }
1325 | }
1326 | }
1327 | }
1328 | }
1329 | // REP RETN
1330 | }
1331 | else if (strWorkBuff[lngCnt + 12] == 0xF3)
1332 | {
1333 | if (strWorkBuff[lngCnt + 13] == 0xC3)
1334 | {
1335 | // JMP ??????
1336 | if (strWorkBuff[lngCnt + 14] == 0xE9)
1337 | {
1338 | intGS = 3;
1339 | intGS0508 = 1;
1340 | //break;
1341 | // NOP
1342 | }
1343 | else
1344 | {
1345 | intGS = 7;
1346 | intGS0508 = 1;
1347 | //break;
1348 | }
1349 | }
1350 | // JMP
1351 | }
1352 | else if (strWorkBuff[lngCnt + 12] == 0xE9)
1353 | {
1354 | intGS = 8;
1355 | intGS0508 = 1;
1356 | //break;
1357 | }
1358 |
1359 | }
1360 | }
1361 | }
1362 |
1363 | // VS 2005 GSDriverEntry stub check
1364 | // MOV EDI, EDI
1365 | if (strWorkBuff[lngCnt] == 0x8B)
1366 | {
1367 | if (strWorkBuff[lngCnt + 1] == 0xFF)
1368 | {
1369 | // PUSH EBP
1370 | if (strWorkBuff[lngCnt + 2] == 0x55)
1371 | {
1372 | // MOV EBP, ESP
1373 | if (strWorkBuff[lngCnt + 3] == 0x8B)
1374 | {
1375 | if (strWorkBuff[lngCnt + 4] == 0xEC)
1376 | {
1377 | // MOV EAX, __security_cookie
1378 | if (strWorkBuff[lngCnt + 5] == 0xA1)
1379 | {
1380 | // TODO
1381 | //memcpy(strGSAddr, &strWorkBuff[lngCnt + 6], 4);
1382 |
1383 | // TEST EAX, EAX
1384 | if (strWorkBuff[lngCnt + 10] == 0x85)
1385 | {
1386 | if (strWorkBuff[lngCnt + 11] == 0xC0)
1387 | {
1388 | // MOV EAX, XXXXXXXX
1389 | if (strWorkBuff[lngCnt + 12] == 0xB9)
1390 | {
1391 | // JZ ??
1392 | if (strWorkBuff[lngCnt + 17] == 0x74)
1393 | {
1394 | // CMP EAX, ECX
1395 | if (strWorkBuff[lngCnt + 19] == 0x3B)
1396 | {
1397 | if (strWorkBuff[lngCnt + 20] == 0xC1)
1398 | {
1399 | // JNZ ??
1400 | if (strWorkBuff[lngCnt + 21] == 0x75)
1401 | {
1402 | intGS = 9;
1403 | intGS0508 = 1;
1404 | //break;
1405 | }
1406 | }
1407 | }
1408 | }
1409 | }
1410 | }
1411 | }
1412 | }
1413 | }
1414 | }
1415 | }
1416 | }
1417 | }
1418 | }
1419 |
1420 | /*
1421 | if(intGS==8){
1422 | lngTmp=0;
1423 | //lngTmp=GSCookieHunter(strWorkBuff,lngSize,fff);
1424 | if(lngTmp==0){
1425 | intGS=0;
1426 | long lngStart=lngCnt+12;
1427 | if(lngStart<=lngSize){
1428 | goto OllieCantCode;
1429 | }
1430 | }
1431 | }*/
1432 |
1433 | }
1434 | catch
1435 | {
1436 | return 0;
1437 | }
1438 |
1439 | if(intGS03==1 || intGS0508==1){
1440 | intGSFound=1;
1441 | } else if(intGS03==1 && intGS0508==1) {
1442 | intGSFound=9;
1443 | }
1444 |
1445 | return intGS;
1446 | }
1447 |
1448 | public bool GS3Check(PEProp binInfo, SecurityInfo SecInfo)
1449 | {
1450 |
1451 | foreach (string strImport in SecInfo.Imports)
1452 | {
1453 |
1454 | if (strImport.ToString() == "_crt_debugger_hook") return true;
1455 | }
1456 |
1457 | return false;
1458 | }
1459 |
1460 | public List MSCompilerVers(PEProp binInfo)
1461 | {
1462 | BinaryReader binReader = new BinaryReader(File.OpenRead(binInfo.Path));
1463 | UInt32[] arraryDWORDs = new UInt32[1024];
1464 | int intCount=0;
1465 | int intPos = 0;
1466 | bool bFound = false;
1467 | UInt32 XORKey = 0;
1468 | List lstCompilers = new List();
1469 |
1470 | try
1471 | {
1472 | if (binReader != null)
1473 | {
1474 | // Find the XOR key
1475 | while (intCount < 1024 && intPos < binReader.BaseStream.Length)
1476 | {
1477 | arraryDWORDs[intCount] = binReader.ReadUInt32();
1478 | if (arraryDWORDs[intCount] == 0x68636952)
1479 | {
1480 | bFound = true;
1481 | //Console.WriteLine("1 - "+ intCount.ToString());
1482 | break;
1483 | }
1484 | intPos += sizeof(UInt32);
1485 | intCount++;
1486 | }
1487 |
1488 | // Extract the XOR key
1489 | if (bFound == true)
1490 | {
1491 | XORKey = binReader.ReadUInt32();
1492 | intPos += sizeof(UInt32);
1493 |
1494 | // Now find the start of the version numbers
1495 | int intCount2 = 0;
1496 | int intPos2 = 0;
1497 | bool bFound2 = false;
1498 | UInt32 intTemp = 0;
1499 | binReader.BaseStream.Seek(0, SeekOrigin.Begin);
1500 | while (intCount2 < intCount && intPos < binReader.BaseStream.Length)
1501 | {
1502 | intTemp = binReader.ReadUInt32();
1503 | intTemp ^= XORKey;
1504 | //Console.WriteLine(intCount2.ToString());
1505 |
1506 | if (intTemp == 0x536E6144)
1507 | {
1508 | //Console.WriteLine("2 - " + intCount2.ToString());
1509 | bFound2 = true;
1510 | break;
1511 | }
1512 |
1513 | intPos2 += sizeof(UInt32);
1514 | intCount2++;
1515 |
1516 | }
1517 |
1518 | if (bFound2)
1519 | {
1520 | // Now work from the start of the block until the end
1521 | // and decode
1522 | binReader.BaseStream.Seek(intPos2, SeekOrigin.Begin);
1523 |
1524 |
1525 | int intPos3 = intPos2;
1526 | while (intPos3 < (intPos - 8))
1527 | {
1528 | //Console.WriteLine(intPos3.ToString());
1529 | UInt32 intVer = binReader.ReadUInt32();
1530 | UInt32 intTimes = binReader.ReadUInt32();
1531 | intPos3 += (sizeof(UInt32) * 2);
1532 | intVer ^= XORKey;
1533 | intTimes ^= XORKey;
1534 |
1535 | intTemp ^= XORKey;
1536 |
1537 | if ((intVer != 0x536E6144) && ((intVer != 0)))
1538 | {
1539 | UInt32 intVerFin = 0;
1540 | UInt32 intID = 0;
1541 |
1542 | intID = intVer >> 16;
1543 | intVerFin = intVer & 0xFFFF;
1544 |
1545 |
1546 | //Console.WriteLine("[] " + intVerFin.ToString() + " - " + intID.ToString() + " - " + intTimes.ToString());
1547 | if (intVerFin >= 8034 && intVerFin <= 8966)
1548 | {
1549 | lstCompilers.Add("VS6 " + intVerFin + " - " + intTimes + " times/objects");
1550 | }
1551 | else if (intVerFin >= 9466 && intVerFin <= 9528)
1552 | {
1553 | lstCompilers.Add("VS2002 " + intVerFin + " - " + intTimes + " times/objects");
1554 | }
1555 | else if (intVerFin == 3077)
1556 | {
1557 | lstCompilers.Add("VS2003 " + intVerFin + " - " + intTimes + " times/objects");
1558 | }
1559 | else if (intVerFin == 4035)
1560 | {
1561 | lstCompilers.Add("VS2003 " + intVerFin + " - " + intTimes + " times/objects");
1562 | }
1563 | else if (intVerFin == 50727)
1564 | {
1565 | lstCompilers.Add("VS2005 SP1 " + intVerFin + " - " + intTimes + " times/objects");
1566 | }
1567 | else if (intVerFin == 21022)
1568 | {
1569 | lstCompilers.Add("VS2008 " + intVerFin + " - " + intTimes + " times/objects");
1570 | }
1571 | else if (intVerFin == 30729)
1572 | {
1573 | lstCompilers.Add("VS2008 SP1 " + intVerFin + " - " + intTimes + " times/objects");
1574 | }
1575 | else if (intVerFin == 30319)
1576 | {
1577 | lstCompilers.Add("VS2010 " + intVerFin + " - " + intTimes + " times/objects");
1578 | }
1579 | else if (intVerFin == 40219)
1580 | {
1581 | lstCompilers.Add("VS2013 " + intVerFin + " - " + intTimes + " times/objects");
1582 | }
1583 | else
1584 | {
1585 | lstCompilers.Add("Unknown " + intVerFin + " - " + intTimes + " times/objects");
1586 | }
1587 |
1588 |
1589 | }
1590 | }
1591 |
1592 | binReader.Close();
1593 | return lstCompilers;
1594 | }
1595 |
1596 | }
1597 |
1598 | }
1599 | binReader.Close();
1600 | }
1601 | catch
1602 | {
1603 | lstCompilers.Add("Error");
1604 | return lstCompilers;
1605 | }
1606 |
1607 | lstCompilers.Add("N/A");
1608 | return lstCompilers;
1609 | }
1610 |
1611 | public int MSBannedAPIs(SecurityInfo secInfo, string [] strImports)
1612 | {
1613 |
1614 | StringBuilder strAPIBuild = new StringBuilder();
1615 | string strRes = WinBinAudit.Properties.Resources.BannedAPIs;
1616 | int intBannedCount = 0;
1617 | StringReader srBannedAPIs = null;
1618 |
1619 | srBannedAPIs = new StringReader(strRes);
1620 |
1621 |
1622 | string strLine = srBannedAPIs.ReadLine();
1623 | while (strLine != null)
1624 | {
1625 | System.Diagnostics.Debug.WriteLine("[banned API] " + strLine);
1626 | foreach (string strImport in strImports)
1627 | {
1628 | if(strImport.ToString().Equals(strLine.ToString())){
1629 | strAPIBuild.AppendLine(strImport);
1630 | intBannedCount++;
1631 | }
1632 | }
1633 |
1634 | strLine = srBannedAPIs.ReadLine();
1635 | }
1636 |
1637 | if (intBannedCount == 0)
1638 | {
1639 | strAPIBuild.Append("N/A");
1640 | }
1641 |
1642 | secInfo.MSSDLCBannedList = strAPIBuild.ToString();
1643 | return intBannedCount;
1644 | }
1645 |
1646 | public void GetFileSize(SecurityInfo secInfo, PEProp binInfo){
1647 | secInfo.FileSize = binInfo.Length;
1648 | }
1649 |
1650 | public void SigDetails(SecurityInfo secInfo, PEProp binInfo)
1651 | {
1652 |
1653 | X509Certificate xcert = null;
1654 | X509Certificate2 xcert2 = null;
1655 |
1656 | try {
1657 |
1658 | secInfo.SigName = "N/A";
1659 | secInfo.SigAlgo = "N/A";
1660 | secInfo.SigIssuer = "N/A";
1661 |
1662 | xcert = X509Certificate.CreateFromSignedFile(binInfo.Path);
1663 | xcert2 = new X509Certificate2(xcert);
1664 | secInfo.SigName = xcert.Subject;
1665 | secInfo.SigAlgo = xcert.GetKeyAlgorithm();
1666 |
1667 | JavaScience.EncryptTo eToo = new JavaScience.EncryptTo();
1668 |
1669 |
1670 | // show never happen
1671 | if (xcert2.HasPrivateKey == true) MessageBox.Show(binInfo.Path + " includes a private key!", "Private key found", MessageBoxButtons.OK, MessageBoxIcon.Hand);
1672 |
1673 | if(secInfo.SigAlgo.Equals("1.2.840.113549.1.1.1")){
1674 | secInfo.SigAlgo = xcert2.SignatureAlgorithm.FriendlyName + " / RSA " + eToo.GetCertPublicKeySize(xcert);
1675 | } else if (secInfo.SigAlgo.Equals("2.5.8.1.1")){
1676 | secInfo.SigAlgo = xcert2.SignatureAlgorithm.FriendlyName + " / RSA " + eToo.GetCertPublicKeySize(xcert);
1677 | } else if (secInfo.SigAlgo.Equals("1.2.840.10040.4.1")){
1678 | secInfo.SigAlgo = xcert2.SignatureAlgorithm.FriendlyName + " / DSA " + eToo.GetCertPublicKeySize(xcert);
1679 | } else if (secInfo.SigAlgo.Equals("1.2.840.10046.2.1")){
1680 | secInfo.SigAlgo = xcert2.SignatureAlgorithm.FriendlyName + " / DH " + eToo.GetCertPublicKeySize(xcert);
1681 | } else if (secInfo.SigAlgo.Equals("1.3.6.1.4.1.3029.1.2.1")){
1682 | secInfo.SigAlgo = xcert2.SignatureAlgorithm.FriendlyName + " / ElGamal " + eToo.GetCertPublicKeySize(xcert);
1683 | } else if (secInfo.SigAlgo.Equals("1.3.6.1.4.1.25258.1.1")){
1684 | secInfo.SigAlgo = xcert2.SignatureAlgorithm.FriendlyName + " / NR " + eToo.GetCertPublicKeySize(xcert);
1685 | } else if (secInfo.SigAlgo.Equals("1.3.6.1.4.1.25258.1.2")){
1686 | secInfo.SigAlgo = xcert2.SignatureAlgorithm.FriendlyName + " / ECDSA " + eToo.GetCertPublicKeySize(xcert);
1687 | } else if (secInfo.SigAlgo.Equals("1.2.643.2.2.19")){
1688 | secInfo.SigAlgo = xcert2.SignatureAlgorithm.FriendlyName + " / GOST-34.10 " + eToo.GetCertPublicKeySize(xcert);
1689 | }
1690 |
1691 |
1692 | secInfo.SigIssuer = xcert.Issuer;
1693 |
1694 | }
1695 | catch (Exception e)
1696 | {
1697 | if(secInfo.SigName.Equals("") == true) secInfo.SigName = "N/A";
1698 | if(secInfo.SigAlgo.Equals("") == true) secInfo.SigAlgo = "N/A";
1699 | if(secInfo.SigIssuer.Equals("") == true) secInfo.SigIssuer = "N/A";
1700 | secInfo.Error = "Signature details error " + e.Message;
1701 | }
1702 | }
1703 |
1704 | public bool HighEntropy(SecurityInfo secInfo, PEProp binInfo)
1705 | {
1706 |
1707 | // Compiler version must be 17
1708 |
1709 | PEFile pE = binInfo.PE;
1710 | ImageOptionalHeader optionalHeader = pE.OptionalHeader;
1711 | ushort num = (ushort)optionalHeader.GetField(ImageOptionalHeader.Fields.DllCharacteristics);
1712 | bool flag = (num & 32) != 0;
1713 | ImageFileHeader fileHeader = pE.FileHeader;
1714 | ushort num2 = (ushort)fileHeader.GetField(ImageFileHeader.Fields.Characteristics);
1715 | bool flag2 = (num2 & 32) != 0;
1716 | if (flag)
1717 | {
1718 | return false;
1719 | }
1720 | if (flag && flag2)
1721 | {
1722 | return true;
1723 | }
1724 | return false;
1725 | }
1726 |
1727 | }
1728 |
1729 | }
1730 |
--------------------------------------------------------------------------------
/WinBinAudit/WinBinAuditv1PE.cs:
--------------------------------------------------------------------------------
1 | /*
2 | Released as open source by NCC Group Plc - http://www.nccgroup.com/
3 |
4 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
5 |
6 | http://www.github.com/olliencc/WinBinaryAudit/
7 |
8 | Released under AGPL see LICENSE for more information
9 | */
10 |
11 | using System;
12 | using System.Collections.Generic;
13 | using System.Text;
14 | using ManagedMD;
15 | using ManagedMD.Utils;
16 | using System.Diagnostics;
17 | using System.Security.Cryptography;
18 | using System.IO;
19 | using WinBinAuditv1;
20 | using System.Collections;
21 | using System.Drawing;
22 |
23 | namespace WinBinAuditv1PE
24 | {
25 | class PEProp
26 | {
27 | private string strPath;
28 |
29 | public PEProp(string path)
30 | {
31 | this.strPath = path;
32 | }
33 |
34 | public string Vendor
35 | {
36 | get
37 | {
38 | FileVersionInfo vendorInfo = FileVersionInfo.GetVersionInfo(System.IO.Path.GetFullPath(this.Path));
39 | return vendorInfo.CompanyName;
40 | }
41 |
42 | }
43 |
44 | public string Version
45 | {
46 | get
47 | {
48 | FileVersionInfo vendorInfo = FileVersionInfo.GetVersionInfo(System.IO.Path.GetFullPath(this.Path));
49 | return vendorInfo.FileVersion;
50 | }
51 |
52 | }
53 |
54 | public bool Kernel
55 | {
56 | get
57 | {
58 | if (this.PE.IsPEFile)
59 | {
60 | if (this.PE.OptionalHeader == null)
61 | {
62 | return false;
63 | }
64 | foreach (string str in this.PE.Imports)
65 | {
66 | if ((str.StartsWith("ntoskrnl.exe", StringComparison.InvariantCultureIgnoreCase) || str.StartsWith("hal.dll", StringComparison.InvariantCultureIgnoreCase)) || (str.StartsWith("scsiport.sys", StringComparison.InvariantCultureIgnoreCase) || str.StartsWith("win32k.sys", StringComparison.InvariantCultureIgnoreCase)))
67 | {
68 | return true;
69 | }
70 | }
71 | }
72 | return false;
73 | }
74 | }
75 |
76 | public bool ManagedP
77 | {
78 | get
79 | {
80 | COMPEFile file = new COMPEFile(this.PE);
81 | if (file.Cor20Header == null)
82 | {
83 | return false;
84 | }
85 | uint field = (uint)file.Cor20Header.GetField(ImageCor20Header.Fields.Flags);
86 |
87 | return ((field & 1) == 1);
88 | }
89 |
90 | }
91 | public bool Managed
92 | {
93 | get
94 | {
95 | try
96 | {
97 | COMPEFile file = new COMPEFile(this.PE);
98 | if (file.Cor20Header != null)
99 | {
100 | return true;
101 | }
102 | }
103 | catch (Exception)
104 | {
105 | return false;
106 | }
107 | return false;
108 | }
109 | }
110 |
111 | public bool SkipValidation
112 | {
113 | get
114 | {
115 |
116 | Assembly assembly = new Assembly(new Module(new COMPEFile(this.PE)));
117 |
118 | DeclaredSecurityAction[] declSecurity = assembly.DeclSecurity;
119 |
120 | foreach(DeclaredSecurityAction declSec in declSecurity){
121 |
122 | string strXML = declSec.GetXml(assembly.Module);
123 | if (strXML.Contains("SkipVerification"))
124 | {
125 | return true;
126 | }
127 | }
128 |
129 | return false;
130 | }
131 | }
132 |
133 | public bool AllManaged
134 | {
135 | get
136 | {
137 | COMPEFile file = new COMPEFile(this.PE);
138 | if (file.Cor20Header == null)
139 | {
140 | return false;
141 | }
142 | uint field = (uint)file.Cor20Header.GetField(ImageCor20Header.Fields.Flags);
143 |
144 | return ((field & 1) == 1);
145 | }
146 | }
147 |
148 |
149 | public long Length
150 | {
151 | get
152 | {
153 | FileInfo info = new FileInfo(this.Path);
154 | return info.Length;
155 | }
156 | }
157 |
158 | public Version LinkerVersion
159 | {
160 | get
161 | {
162 | ImageOptionalHeader optionalHeader = this.PE.OptionalHeader;
163 | if (optionalHeader != null)
164 | {
165 | byte field = (byte)optionalHeader.GetField(ImageOptionalHeader.Fields.MajorLinkerVersion);
166 | return new Version(field, (byte)optionalHeader.GetField(ImageOptionalHeader.Fields.MinorLinkerVersion));
167 | }
168 | return null;
169 | }
170 | }
171 |
172 | public MachineType Machine
173 | {
174 |
175 | get
176 | {
177 | ImageFileHeader fileHeader = this.PE.FileHeader;
178 | if (fileHeader != null)
179 | {
180 | ushort field = (ushort)fileHeader.GetField(ImageFileHeader.Fields.Machine);
181 | return (MachineType)field;
182 | }
183 | return MachineType.UNKNOWN;
184 | }
185 | }
186 |
187 | public string Path
188 | {
189 | get
190 | {
191 | return this.strPath;
192 | }
193 | }
194 |
195 | public PEFile PE
196 | {
197 | get
198 | {
199 | PEFile target;
200 | target = new PEFile(this.Path);
201 | return target;
202 | }
203 | }
204 |
205 | public string SHA1Hash
206 | {
207 | get
208 | {
209 | byte[] buffer = new byte[0x1000];
210 | SHA1 sha = SHA1.Create();
211 | using (FileStream stream = new FileStream(this.Path, FileMode.Open, FileAccess.Read))
212 | {
213 | int inputCount = -1;
214 | do
215 | {
216 | inputCount = stream.Read(buffer, 0, buffer.Length);
217 | sha.TransformBlock(buffer, 0, inputCount, buffer, 0);
218 | }
219 |
220 | while (inputCount > 0);
221 | sha.TransformFinalBlock(buffer, 0, inputCount);
222 | }
223 |
224 | return BitConverter.ToString(sha.Hash).Replace("-", "");
225 | }
226 | }
227 |
228 | public string MD5Hash
229 | {
230 | get
231 | {
232 |
233 | byte[] buffer = new byte[0x1000];
234 | System.Security.Cryptography.MD5CryptoServiceProvider oMD5Hasher = new System.Security.Cryptography.MD5CryptoServiceProvider();
235 |
236 | using (FileStream stream = new FileStream(this.Path, FileMode.Open, FileAccess.Read))
237 | {
238 | int inputCount = -1;
239 | do
240 | {
241 | inputCount = stream.Read(buffer, 0, buffer.Length);
242 | oMD5Hasher.TransformBlock(buffer, 0, inputCount, buffer, 0);
243 | }
244 | while (inputCount > 0);
245 |
246 | oMD5Hasher.TransformFinalBlock(buffer, 0, inputCount);
247 | }
248 |
249 | return BitConverter.ToString(oMD5Hasher.Hash).Replace("-", "");
250 | }
251 | }
252 |
253 |
254 | public Icon Fileicon
255 | {
256 | get
257 | {
258 | return Icon.ExtractAssociatedIcon(this.strPath);
259 | }
260 | }
261 |
262 |
263 | public bool DelayLoadImports(PEFile OpenPE)
264 | {
265 | try
266 | {
267 | if (this.m_asImports == null)
268 | {
269 | if (((OpenPE.DirectoryEntries == null) || (OpenPE.DirectoryEntries.Length < 13)) || (OpenPE.DirectoryEntries[ImageOptionalHeader.IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT] == null))
270 | {
271 | return false;
272 | }
273 |
274 | uint DirSize = (uint)OpenPE.DirectoryEntries[ImageOptionalHeader.IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].GetField(ImageDataDirectory.Fields.Size);
275 | if (DirSize == 0) return false;
276 | }
277 |
278 | return true;
279 | }
280 | catch
281 | {
282 | return false;
283 | }
284 | }
285 |
286 | private string[] m_delayImports;
287 |
288 | public string[] DelayLoadImportFunctionsGet(PEFile OpenPE, string strFilename)
289 | {
290 | ArrayList list = new ArrayList();
291 | try
292 | {
293 |
294 |
295 |
296 | if (this.m_delayImports == null)
297 | {
298 | if (((OpenPE.DirectoryEntries == null) || (OpenPE.DirectoryEntries.Length < 13)) || (OpenPE.DirectoryEntries[ImageOptionalHeader.IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT] == null))
299 | {
300 | return null;
301 | }
302 |
303 | uint DirSize = (uint)OpenPE.DirectoryEntries[ImageOptionalHeader.IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].GetField(ImageDataDirectory.Fields.Size);
304 | if (DirSize == 0) return null;
305 | }
306 |
307 |
308 | // This gets RVA of the delay import table
309 | SafePointer rva = (SafePointer)OpenPE.DirectoryEntries[ImageOptionalHeader.IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].GetField(ImageDataDirectory.Fields.VirtualAddress);
310 | if (rva.Address == 0)
311 | {
312 | return null;
313 | }
314 |
315 | // Covert the address to the VA
316 | rva = OpenPE.RVA2VA(rva);
317 |
318 |
319 | while (((((uint)rva) != 0) && (((uint)(rva + 4)) != 0))) // IDT
320 | {
321 | uint uAttr = (uint)(OpenPE.RVA2VA(rva));
322 |
323 | SafePointer rva2 = new SafePointer();
324 | rva2.Address = (int)((uint)(rva + 4)); // address of the name
325 |
326 | SafePointer rva3 = new SafePointer();
327 | rva3.Address = (int)((uint)(rva + 8)); // address of HMODULE
328 |
329 | SafePointer rva4 = new SafePointer();
330 | rva4.Address = (int)((uint)(rva + 12)); // RVA of the IAT
331 |
332 | SafePointer rva5 = new SafePointer();
333 | rva5.Address = (int)((uint)(rva + 16)); // RVA of the Hint table
334 |
335 | // Seek and get the DLL name
336 | rva2 = OpenPE.RVA2VA(rva2);
337 | byte[] dataArray = new byte[1024];
338 | using (FileStream fileStream = new FileStream(strFilename, FileMode.Open, FileAccess.Read))
339 | {
340 | fileStream.Seek(rva2.Address, SeekOrigin.Begin);
341 | for (int i = 0; i < fileStream.Length; i++)
342 | {
343 | dataArray[i] = (byte)fileStream.ReadByte();
344 | if (dataArray[i] == 0x00) break;
345 | }
346 | }
347 |
348 | //Console.WriteLine(System.Text.Encoding.Default.GetString(dataArray));
349 | list.Add(System.Text.Encoding.Default.GetString(dataArray));
350 |
351 | /*
352 | rva4 = OpenPE.RVA2VA(rva4);
353 | int intIncr = 0;
354 | if (PE.Is64Bit) intIncr = 64;
355 | else intIncr = 32;
356 | int intCount = 0;
357 | using(FileStream fileStream = new FileStream(strFilename, FileMode.Open, FileAccess.Read))
358 | {
359 | fileStream.Seek(rva4.Address, SeekOrigin.Begin);
360 | for(int i = 0; i < fileStream.Length; i+=intIncr){
361 | Console.Write(".");
362 | fileStream.Read(dataArray, 0, intIncr);
363 | if (dataArray[0] == 0x00 && dataArray[1] == 0x00 && dataArray[2] == 0x00 && dataArray[3] == 0x00 && dataArray[4] == 0x00) break;
364 | else intCount++;
365 |
366 | }
367 | }
368 | */
369 | //Console.WriteLine("[!]" + intCount.ToString());
370 | /*
371 | uint field2 = 0;
372 | while(
373 | while(((uint)(field2)) != 0u)
374 | {
375 |
376 | if (OpenPE.Is64Bit == false)
377 | {
378 | try
379 | {
380 | if (((int)((uint)(field2)) & 0x80000000) == 0x80000000) // ordinal
381 | {
382 | Console.WriteLine("Ordinal");
383 | }
384 | else
385 | {
386 | Console.WriteLine("Not Ordinal");
387 | }
388 |
389 | }
390 | catch (SystemException exception)
391 | {
392 | throw (exception);
393 | }
394 |
395 | field2 += 4; // 32bit ILT
396 | }
397 | else
398 | {
399 | try
400 | {
401 | if (((int)((uint)(field2+4)) & 0x80000000) == 0x80000000) // ordinal
402 | {
403 | Console.WriteLine("Ordinal");
404 | }
405 | else
406 | {
407 | Console.WriteLine("NOT Ordinal");
408 | }
409 |
410 | }
411 | catch (SystemException exception)
412 | {
413 | throw (exception);
414 | }
415 |
416 | field2 += 8; // 64bit ILT
417 | }
418 | }
419 |
420 | field += 20; // IDT
421 | }
422 |
423 |
424 |
425 | */
426 | rva += 32; // IDT
427 | }
428 |
429 | }
430 | catch
431 | {
432 | return null;
433 |
434 |
435 | }
436 |
437 | list.Sort();
438 | this.m_delayImports = (string[])list.ToArray(typeof(string));
439 | return this.m_delayImports;
440 | }
441 |
442 | private string[] m_asImports;
443 |
444 |
445 | public string[] ImportFunctionsGet(PEFile OpenPE)
446 | {
447 |
448 | if (this.m_asImports == null){
449 | if (((OpenPE.DirectoryEntries == null) || ( OpenPE.DirectoryEntries.Length < 1)) || (OpenPE.DirectoryEntries[1] == null)){
450 | return null;
451 | }
452 | }
453 |
454 |
455 | ImageDataDirectory directory = OpenPE.DirectoryEntries[1];
456 | SafePointer field = (SafePointer)directory.GetField(ImageDataDirectory.Fields.VirtualAddress);
457 | ArrayList list = new ArrayList();
458 |
459 |
460 | if (field.Address != 0)
461 | {
462 |
463 | field = OpenPE.RVA2VA(field);
464 |
465 | while ( ((((uint)field) != 0) && (((uint)(field + 12)) != 0))) // IDT
466 | {
467 | SafePointer rva = field;
468 | rva.Address = (int)((uint)(field + 12)); // name of DLL
469 | string str = (string)OpenPE.RVA2VA(rva);
470 |
471 | /*
472 | * Ollie
473 | */
474 | SafePointer rva2 = field;
475 | rva2.Address = (int)((uint)(field)); // ILT RVA
476 |
477 | SafePointer field2;
478 | field2 = OpenPE.RVA2VA(rva2); // get the ILT RVA pointed too address
479 |
480 |
481 | while(((uint)(field2)) != 0u)
482 | {
483 |
484 | if (OpenPE.Is64Bit == false)
485 | {
486 | try
487 | {
488 | SafePointer rva3 = field2;
489 |
490 | if (((int)((uint)(field2)) & 0x80000000) == 0x80000000) // ordinal
491 | {
492 | //Console.WriteLine("Ordinal");
493 | //list.Add(str + " - Ordinal " + Convert.ToInt16((int)((uint)(field2))) );
494 | }
495 | else
496 | {
497 | rva3.Address = (int)((uint)(field2));
498 |
499 | string str2 = (string)(OpenPE.RVA2VA(rva3) + 2);
500 |
501 | //Console.WriteLine(str2.ToString());
502 | if (list.Contains(str2) == false)
503 | {
504 | //list.Add(str2 + "(" + str +")");
505 | list.Add(str2);
506 | }
507 | }
508 |
509 | }
510 | catch (SystemException exception)
511 | {
512 | throw (exception);
513 | }
514 |
515 | field2 += 4; // 32bit ILT
516 | }
517 | else
518 | {
519 | try
520 | {
521 | SafePointer rva3 = field2;
522 |
523 | if (((int)((uint)(field2+4)) & 0x80000000) == 0x80000000) // ordinal
524 | {
525 | //Console.WriteLine("Ordinal");
526 | //list.Add(str + " - Ordinal " + Convert.ToInt16((int)((uint)(field2))) );
527 | }
528 | else
529 | {
530 | rva3.Address = (int)((uint)(field2));
531 |
532 | string str2 = (string)(OpenPE.RVA2VA(rva3) + 2);
533 |
534 | //Console.WriteLine(str2.ToString());
535 | if (list.Contains(str2) == false)
536 | {
537 | //list.Add(str + " - " + str2);
538 | //list.Add(str2 + "(" + str + ")");
539 | list.Add(str2);
540 | }
541 | }
542 |
543 | }
544 | catch (SystemException exception)
545 | {
546 | throw (exception);
547 | }
548 |
549 | field2 += 8; // 64bit ILT
550 | }
551 | }
552 |
553 | field += 20; // IDT
554 |
555 | }
556 |
557 | }
558 |
559 | list.Sort();
560 | this.m_asImports = (string[])list.ToArray(typeof(string));
561 |
562 | return this.m_asImports;
563 | }
564 |
565 | }
566 |
567 |
568 | public enum MachineType
569 | {
570 | ALPHA = 0x184,
571 | ALPHA64 = 0x284,
572 | AM33 = 0x1d3,
573 | AMD64 = 0x8664,
574 | ARM = 0x1c0,
575 | AXP64 = 0x284,
576 | CEE = 0xc0ee,
577 | CEF = 0xcef,
578 | EBC = 0xebc,
579 | I386 = 0x14c,
580 | I860 = 0x14d,
581 | IA64 = 0x200,
582 | M32R = 0x9041,
583 | MIPS16 = 0x266,
584 | MIPSFPU = 870,
585 | MIPSFPU16 = 0x466,
586 | POWERPC = 0x1f0,
587 | POWERPCFP = 0x1f1,
588 | R10000 = 360,
589 | R3000 = 0x162,
590 | R4000 = 0x166,
591 | SH3 = 0x1a2,
592 | SH3DSP = 0x1a3,
593 | SH3E = 420,
594 | SH4 = 0x1a6,
595 | SH5 = 0x1a8,
596 | THUMB = 450,
597 | TRICORE = 0x520,
598 | UNKNOWN = 0,
599 | WCEMIPSV2 = 0x169
600 | }
601 |
602 | }
603 |
--------------------------------------------------------------------------------
/WinBinAudit/WinBinAuditv1SecurityInfo.cs:
--------------------------------------------------------------------------------
1 |
2 | /*
3 | Released as open source by NCC Group Plc - http://www.nccgroup.com/
4 |
5 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
6 |
7 | http://www.github.com/olliencc/WinBinaryAudit/
8 |
9 | Released under AGPL see LICENSE for more information
10 | */
11 |
12 | using System;
13 | using System.Collections.Generic;
14 | using System.Text;
15 | using System.Drawing;
16 |
17 |
18 | namespace WinBinAuditv1
19 | {
20 | public class SecurityInfo
21 | {
22 | public string FileName;
23 | public bool IsPE;
24 | public bool IsKernel;
25 | public bool Success;
26 | public string Type;
27 | public string Is32or64bit;
28 | public List CompilerVer;
29 | public string LinkerVer;
30 | public string Platform;
31 | public bool NoSEH;
32 | public bool SafeSEH;
33 | public bool DEP;
34 | public bool ASLR;
35 | public bool GS1;
36 | public bool DLLPlanting;
37 | public string DLLPlantReason;
38 | public int GS1Which;
39 | public int GS2;
40 | public string UACUIAccess;
41 | public string UACIntegrityLvl;
42 | public bool HeapSetInformation;
43 | public bool LoadLibrary;
44 | public bool SetDEPPolicy;
45 | public bool EncodePointer;
46 | public bool VirtualAlloc;
47 | public bool ProcessHeapExec;
48 | public bool InsecureSection;
49 | public bool ForceInt;
50 | public bool DotNet;
51 | public string DotNetVer;
52 | public bool DotNetFullyManaged;
53 | public bool DotNetStrongName;
54 | public bool DotNetAllowPartialTrustCallers;
55 | public bool DotNetSkipValidation;
56 | public int MSSDLCBannedCount;
57 | public string MSSDLCBannedList;
58 | public string Error;
59 | public string Manifest;
60 | public string[] Imports;
61 | public string MD5;
62 | public string SHA1;
63 | public string SHA2;
64 | public string Vendor;
65 | public string SigName;
66 | public string SigAlgo;
67 | public string SigIssuer;
68 | public Icon BinIcon;
69 | public long FileSize;
70 | public bool AppContainer;
71 | public bool MS12001;
72 | public int MS12001Sz;
73 | public uint MS12001SzTwo;
74 | public uint CodeSz;
75 | public bool isDLL;
76 | public string[] DelayImports;
77 | public bool bDelayLoaded;
78 | public string Version;
79 | public bool HighEntropy;
80 | public bool CFG;
81 |
82 | public SecurityInfo()
83 | {
84 | this.FileName = null;
85 | this.IsPE = false;
86 | this.IsKernel = false;
87 | this.Success = false;
88 | this.Type = null;
89 | this.Is32or64bit = null;
90 | this.CompilerVer = null;
91 | this.LinkerVer = null;
92 | this.Platform = null;
93 | this.NoSEH = false;
94 | this.SafeSEH = false;
95 | this.DEP = false;
96 | this.ASLR = false;
97 | this.GS1 = false;
98 | this.GS1Which = 0;
99 | this.GS2 = 0;
100 | this.UACUIAccess = null;
101 | this.UACIntegrityLvl = null;
102 | this.HeapSetInformation = false;
103 | this.SetDEPPolicy = false;
104 | this.VirtualAlloc = false;
105 | this.EncodePointer = false;
106 | this.ProcessHeapExec = false;
107 | this.InsecureSection = false;
108 | this.ForceInt = false;
109 | this.DotNet = false;
110 | this.DotNetVer = null;
111 | this.DotNetFullyManaged = false;
112 | this.DotNetStrongName = false;
113 | this.DotNetAllowPartialTrustCallers = false;
114 | this.DotNetSkipValidation = false;
115 | this.MSSDLCBannedCount = 0;
116 | this.MSSDLCBannedList = null;
117 | this.Error = null;
118 | this.Manifest = null;
119 | this.Imports = null;
120 | this.MD5 = null;
121 | this.SHA1 = null;
122 | this.SHA2 = null;
123 | this.Vendor = null;
124 | this.SigName = null;
125 | this.SigAlgo = null;
126 | this.SigIssuer = null;
127 | this.LoadLibrary = false;
128 | this.DLLPlanting = false;
129 | this.DLLPlantReason = null;
130 | this.FileSize = 0;
131 | this.AppContainer = false;
132 | this.MS12001 = false;
133 | this.MS12001Sz = 0;
134 | this.MS12001SzTwo = 0;
135 | this.CodeSz = 0;
136 | this.isDLL = false;
137 | this.DelayImports = null;
138 | this.bDelayLoaded = false;
139 | this.Version = null;
140 | this.HighEntropy = false;
141 | this.CFG = false;
142 | }
143 | }
144 | }
145 |
--------------------------------------------------------------------------------
/WinBinAudit/v5.cs:
--------------------------------------------------------------------------------
1 | /*
2 | Released as open source by NCC Group Plc - http://www.nccgroup.com/
3 |
4 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
5 |
6 | http://www.github.com/olliencc/WinBinaryAudit/
7 |
8 | Released under AGPL see LICENSE for more information
9 | */
10 |
11 |
12 | using System;
13 | using System.Collections.Generic;
14 | using System.Linq;
15 | using System.Text;
16 | using System.Threading.Tasks;
17 | using ManagedMD;
18 | using WinBinAuditv1;
19 | using WinBinAuditv1PE;
20 |
21 | namespace WinBinAudit
22 | {
23 | public class v5
24 | {
25 |
26 | public PEFile OpenPE;
27 | public WinBinAuditv1.SecurityInfo SecInfo;
28 | private PEProp OpenPEBI;
29 |
30 | ///
31 | /// Constructor
32 | ///
33 | public v5()
34 | {
35 |
36 |
37 | }
38 |
39 | ///
40 | /// Processes a file results are in the SecInfo object of file
41 | ///
42 | /// Full path to file to analyze
43 | public void ProcessFile(string strFile)
44 | {
45 |
46 | SecInfo = new WinBinAuditv1.SecurityInfo();
47 |
48 | try
49 | {
50 | this.OpenPE = new PEFile(strFile);
51 | this.OpenPEBI = new PEProp(strFile);
52 | WinBinAuditv1PEChecks PEChecks = new WinBinAuditv1PEChecks();
53 |
54 | SecInfo.MD5 = this.OpenPEBI.MD5Hash.ToString();
55 | SecInfo.SHA1 = this.OpenPEBI.SHA1Hash.ToString();
56 |
57 |
58 | //
59 | if (OpenPEBI.PE.IsPEFile == true)
60 | {
61 | SecInfo.Type = "PE";
62 | SecInfo.IsPE = true;
63 | SecInfo.Platform = OpenPEBI.Machine.ToString();
64 | if (SecInfo.Platform.Contains("UNKNOWN") == true) return;
65 | try
66 | {
67 | SecInfo.LinkerVer = OpenPEBI.LinkerVersion.ToString();
68 | }
69 | catch (Exception)
70 | {
71 | SecInfo.LinkerVer = "UNKNOWN";
72 | }
73 | }
74 | else
75 | {
76 | SecInfo.IsPE = false;
77 | return;
78 | }
79 |
80 | if (OpenPEBI.PE.Is64Bit == true)
81 | {
82 | SecInfo.Is32or64bit = "64";
83 | StringBuilder sbType = new StringBuilder();
84 | sbType.Append("PE+");
85 | SecInfo.Type = sbType.ToString();
86 | }
87 | else
88 | {
89 | SecInfo.Is32or64bit = "32";
90 | StringBuilder sbType = new StringBuilder();
91 | sbType.Append("PE");
92 | SecInfo.Type = sbType.ToString();
93 | }
94 |
95 | if (OpenPEBI.Kernel == true)
96 | {
97 | SecInfo.IsKernel = true;
98 | }
99 | else
100 | {
101 | SecInfo.IsKernel = false;
102 |
103 | if (PEChecks.IsDLL(this.OpenPEBI))
104 | {
105 | SecInfo.isDLL = true;
106 | }
107 | else
108 | {
109 | SecInfo.isDLL = false;
110 | }
111 |
112 | if (PEChecks.GetManifest(this.OpenPEBI, SecInfo))
113 | {
114 | string UACLvl = PEChecks.UACIntLevel(this.OpenPEBI);
115 | SecInfo.UACIntegrityLvl = UACLvl;
116 | string UACUI = PEChecks.UACUIAccess(this.OpenPEBI);
117 | SecInfo.UACUIAccess = UACUI;
118 | }
119 |
120 | if (OpenPEBI.Managed == true)
121 | {
122 | SecInfo.DotNet = true;
123 | if (OpenPEBI.ManagedP)
124 | {
125 | SecInfo.DotNetFullyManaged = true;
126 | }
127 | else
128 | {
129 | SecInfo.DotNetFullyManaged = false;
130 | }
131 |
132 | try
133 | {
134 | if (OpenPEBI.SkipValidation)
135 | {
136 | SecInfo.DotNetSkipValidation = true;
137 | }
138 | else
139 | {
140 | SecInfo.DotNetSkipValidation = false;
141 | }
142 | }
143 | catch (Exception)
144 | {
145 | SecInfo.DotNetSkipValidation = false;
146 | }
147 |
148 | if (PEChecks.DotNetStrongName(this.OpenPEBI) == true)
149 | {
150 | SecInfo.DotNetStrongName = true;
151 | }
152 |
153 | if (PEChecks.DotNetAllowPartialTrustCallers(this.OpenPEBI) == true)
154 | {
155 | SecInfo.DotNetAllowPartialTrustCallers = true;
156 | }
157 |
158 | SecInfo.DotNetVer = PEChecks.DotNetVer(this.OpenPEBI).ToString();
159 | if (SecInfo.DotNetVer.ToString() == "")
160 | {
161 | SecInfo.DotNetVer = new StringBuilder("Unknown").ToString();
162 | }
163 |
164 | if (PEChecks.NoSEH(this.OpenPEBI) == true)
165 | {
166 | SecInfo.NoSEH = true;
167 | }
168 | else if (PEChecks.SafeSEH(this.OpenPEBI) == true)
169 | {
170 | SecInfo.SafeSEH = true;
171 | }
172 |
173 |
174 | }
175 | else
176 | {
177 | SecInfo.Imports = OpenPEBI.ImportFunctionsGet(OpenPE);
178 | SecInfo.bDelayLoaded = OpenPEBI.DelayLoadImports(OpenPE);
179 | if (SecInfo.bDelayLoaded)
180 | {
181 | SecInfo.DelayImports = OpenPEBI.DelayLoadImportFunctionsGet(OpenPE, strFile);
182 | }
183 |
184 | if (SecInfo.Imports != null)
185 | {
186 | // FIX
187 | SecInfo.MSSDLCBannedCount = PEChecks.MSBannedAPIs(SecInfo, SecInfo.Imports);
188 | }
189 |
190 |
191 | if (PEChecks.NX(this.OpenPEBI) == true)
192 | {
193 | SecInfo.DEP = true;
194 | }
195 |
196 |
197 | if (PEChecks.NoSEH(this.OpenPEBI) == true)
198 | {
199 |
200 | SecInfo.NoSEH = true;
201 | }
202 | else if (PEChecks.SafeSEH(this.OpenPEBI) == true)
203 | {
204 | SecInfo.SafeSEH = true;
205 | }
206 |
207 |
208 | if (PEChecks.AppContainer(this.OpenPEBI) == true)
209 | {
210 | SecInfo.AppContainer = true;
211 | }
212 |
213 | if(PEChecks.ControlFlowGuard(this.OpenPEBI) == true)
214 | {
215 | SecInfo.CFG = true;
216 | }
217 |
218 | if (PEChecks.MS12001(this.OpenPEBI) == true)
219 | {
220 | SecInfo.MS12001 = true;
221 | }
222 |
223 |
224 | SecInfo.MS12001Sz = PEChecks.MS12001Sz(this.OpenPEBI);
225 | SecInfo.MS12001SzTwo = PEChecks.MS12001SzTwo(this.OpenPEBI);
226 |
227 | SecInfo.CodeSz = PEChecks.CodeSize(this.OpenPEBI);
228 |
229 | if (PEChecks.ASLR(this.OpenPEBI) == true)
230 | {
231 | SecInfo.ASLR = true;
232 | }
233 |
234 |
235 | if (PEChecks.InsecureSection(this.OpenPEBI) == true)
236 | {
237 | SecInfo.InsecureSection = true;
238 | }
239 |
240 |
241 | if (PEChecks.HeapSetInfo(this.OpenPEBI, SecInfo) == true)
242 | {
243 | SecInfo.HeapSetInformation = true;
244 | }
245 |
246 |
247 | if (PEChecks.LoadLibrary(this.OpenPEBI, SecInfo) == true)
248 | {
249 | SecInfo.LoadLibrary = true;
250 | }
251 |
252 |
253 | if (PEChecks.DLLPlanting(this.OpenPEBI, SecInfo) == true)
254 | {
255 | SecInfo.DLLPlanting = true;
256 | SecInfo.DLLPlantReason = PEChecks.DLLPlantingReason(this.OpenPEBI, this.SecInfo);
257 | }
258 |
259 |
260 | if (PEChecks.VirtualAlloc(this.OpenPEBI, SecInfo) == true)
261 | {
262 | SecInfo.VirtualAlloc = true;
263 | }
264 |
265 |
266 |
267 | if (PEChecks.EncodePointer(this.OpenPEBI, SecInfo) == true)
268 | {
269 | SecInfo.EncodePointer = true;
270 | }
271 |
272 |
273 | if (PEChecks.SetDEPPolicy(this.OpenPEBI, SecInfo) == true)
274 | {
275 | SecInfo.SetDEPPolicy = true;
276 | }
277 |
278 |
279 | if (PEChecks.ForceInt(this.OpenPEBI) == true)
280 | {
281 | SecInfo.ForceInt = true;
282 | }
283 |
284 |
285 | if (PEChecks.ProcessHeapExec(this.OpenPEBI) == true)
286 | {
287 | SecInfo.ProcessHeapExec = true;
288 | }
289 |
290 |
291 | if (this.OpenPE.Is64Bit == false)
292 | {
293 | if (PEChecks.GS1Check(this.OpenPEBI) == true)
294 | {
295 | SecInfo.GS1 = true;
296 | SecInfo.GS1Which = 1;
297 | }
298 | else
299 | {
300 | }
301 |
302 | if (PEChecks.GS3Check(this.OpenPEBI, SecInfo) == true)
303 | {
304 | SecInfo.GS1 = true;
305 | if (SecInfo.GS1Which == 1)
306 | {
307 | SecInfo.GS1Which = 3;
308 | }
309 | else
310 | {
311 | SecInfo.GS1Which = 2;
312 | }
313 | }
314 |
315 | }
316 |
317 | if (this.OpenPE.Is64Bit == false)
318 | {
319 | int intGS2 = PEChecks.GS2Check32(this.OpenPEBI);
320 | if (intGS2 > 0)
321 | {
322 | SecInfo.GS2 = intGS2;
323 | }
324 |
325 | }
326 | else
327 | {
328 | bool bGS = PEChecks.GSCheck64(this.OpenPEBI);
329 | SecInfo.GS1 = bGS;
330 | }
331 |
332 | SecInfo.CompilerVer = PEChecks.MSCompilerVers(this.OpenPEBI);
333 |
334 | }
335 |
336 | // From file properties
337 | try
338 | {
339 | SecInfo.Vendor = OpenPEBI.Vendor.ToString();
340 | }
341 | catch (Exception)
342 | {
343 | SecInfo.Vendor = "N/A";
344 |
345 | }
346 |
347 |
348 | // From file properties
349 | try
350 | {
351 | SecInfo.Version = OpenPEBI.Version.ToString();
352 | }
353 | catch (Exception)
354 | {
355 | SecInfo.Version = "N/A";
356 |
357 | }
358 |
359 | // Digital Signature
360 | PEChecks.SigDetails(SecInfo, this.OpenPEBI);
361 |
362 | // File size
363 | PEChecks.GetFileSize(SecInfo, this.OpenPEBI);
364 |
365 |
366 | if (this.OpenPE.Is64Bit == true)
367 | {
368 | SecInfo.HighEntropy = PEChecks.HighEntropy(SecInfo,this.OpenPEBI);
369 | }
370 | SecInfo.Success = true;
371 |
372 | }
373 | }
374 | catch (System.Threading.ThreadAbortException)
375 | {
376 |
377 | }
378 | catch (Exception exception)
379 | {
380 |
381 | SecInfo.Success = false;
382 | StringBuilder strErrorLocal = new StringBuilder();
383 | DateTime current = DateTime.Now;
384 | strErrorLocal.Append("Couldn't process " + strFile + " - " + exception.ToString());
385 | SecInfo.Error = strErrorLocal.ToString();
386 |
387 | try
388 | {
389 | SecInfo.Vendor = OpenPEBI.Vendor.ToString();
390 | }
391 | catch (Exception)
392 | {
393 | SecInfo.Vendor = "N/A";
394 |
395 | }
396 |
397 | }
398 | }
399 | }
400 | }
401 |
--------------------------------------------------------------------------------