分类: WINDOWS

2009-07-01 09:13:42

意思就是说该程序是安全的,有微软的数字证书为证,通常情况下杀毒软件、ANTIROOTKIT工具等是不会对这样的文件下手的。这里不讨论怎么绕过,只看在我们自己写的程序里如何加上这样一个功能。
   我目前找到的方法就2个(都贡献了,不藏着的):
一、用360的。
    360有一个DLL文件,其中一个功能是对文件进行签名的验证,而这个DLL本身又经过了微软签名,爽。360verify.dll,里面有3个导出函数
CheckFileTrustA
CheckFileTrustW
Validate360ResourceSignA
   从名字来看,前2个是我们需要的,分别对应ASCII和UNICODE的文件路径。
不知道函数的调用方式、调用参数、返回值等等。
OD载入,加载地址10001000, EntryPoint:1060
直接跳到10001060,
简单跟踪后还原出的函数原型如下:
代码:
BOOL CheckFileTrustA(TCHAR *FileName);
测试关键代码如下:
代码:
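/*
 * Resolve CheckFileTrustA from 360verify.dll and run it over every path given
 * on the command line. DllModule, CheckFileTrustA (of type pCheckFileTrustA),
 * ret, i, argc and argv are declared by the surrounding code, as in the
 * original snippet.
 */
/* NOTE(review): a bare DLL name goes through the loader's search order; load
 * it by full path once its location is known. */
DllModule = LoadLibrary("360verify.dll");
if (DllModule == NULL)
{
    printf("LoadLibrary 360verify.dll error! %lu\n", (unsigned long)GetLastError());
    ExitProcess(1);   /* failure must not exit with a success status */
}
CheckFileTrustA = (pCheckFileTrustA)GetProcAddress(DllModule, "CheckFileTrustA");
if (CheckFileTrustA == NULL)
{
    /* Calling a NULL function pointer would crash; report and stop instead. */
    printf("GetProcAddress CheckFileTrustA error! %lu\n", (unsigned long)GetLastError());
    FreeLibrary(DllModule);
    ExitProcess(1);
}
for (i = 1; i < argc; i++)
{
    /* argv[i]: the index was lost from the original listing's markup. */
    ret = CheckFileTrustA(argv[i]);
    if (ret)
    {
        printf("%s OK!\n", argv[i]);
    }
    else
    {
        printf("%s Sorry!\n", argv[i]);
    }
}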
FreeLibrary(DllModule);
二、我们自己写验证的过程。
   在这里(原文链接已丢失)找到一篇
过程代码都有了,只是有的函数和数据结构没有,补充如下(头文件部分):

//filename:MicrosoftVerify.h
/*
 * Local re-declarations of the wintrust.h / wincrypt.h / mscat.h types,
 * function-pointer slots and constants that MicrosoftVerify.c needs, for a
 * toolchain whose SDK does not ship them. The layouts appear to be copied
 * from the Windows SDK (note the SDK's own "JEFFJEFF" remark below); they
 * must match what wintrust.dll expects field for field, since the DLL only
 * sees cbStruct and raw memory. Prefer the real SDK headers when available.
 */
#ifndef _MICROSOFTVERIFY_H_
#define _MICROSOFTVERIFY_H_
#include "windows.h"
/* Subject of a WinVerifyTrust call when dwUnionChoice == WTD_CHOICE_FILE. */
typedef struct WINTRUST_FILE_INFO_
{
    DWORD   cbStruct;
    LPCWSTR pcwszFilePath;
    HANDLE  hFile;
    GUID*   pgKnownSubject;
} WINTRUST_FILE_INFO, *PWINTRUST_FILE_INFO;

/* Length-prefixed byte buffer; one layout under the many CryptoAPI blob names. */
typedef struct _CRYPTOAPI_BLOB {
    DWORD   cbData;
    BYTE    *pbData;
} CRYPT_INTEGER_BLOB, *PCRYPT_INTEGER_BLOB,
  CRYPT_UINT_BLOB, *PCRYPT_UINT_BLOB,
  CRYPT_OBJID_BLOB, *PCRYPT_OBJID_BLOB,
  CERT_NAME_BLOB, *PCERT_NAME_BLOB,
  CERT_RDN_VALUE_BLOB, *PCERT_RDN_VALUE_BLOB,
  CERT_BLOB, *PCERT_BLOB,
  CRL_BLOB, *PCRL_BLOB,
  DATA_BLOB, *PDATA_BLOB,                   // JEFFJEFF temporary (too generic)
  CRYPT_DATA_BLOB, *PCRYPT_DATA_BLOB,
  CRYPT_HASH_BLOB, *PCRYPT_HASH_BLOB,
  CRYPT_DIGEST_BLOB, *PCRYPT_DIGEST_BLOB,
  CRYPT_DER_BLOB, *PCRYPT_DER_BLOB,
  CRYPT_ATTR_BLOB, *PCRYPT_ATTR_BLOB;

/* Certificate trust list (CTL) building blocks, used only through CTL_CONTEXT below. */
typedef struct _CTL_USAGE {
    DWORD               cUsageIdentifier;
    LPSTR               *rgpszUsageIdentifier;      // array of pszObjId
} CTL_USAGE, *PCTL_USAGE,
  CERT_ENHKEY_USAGE, *PCERT_ENHKEY_USAGE;
typedef struct _CRYPT_ALGORITHM_IDENTIFIER {
    LPSTR               pszObjId;
    CRYPT_OBJID_BLOB    Parameters;
} CRYPT_ALGORITHM_IDENTIFIER, *PCRYPT_ALGORITHM_IDENTIFIER;
typedef struct _CRYPT_ATTRIBUTE {
    LPSTR               pszObjId;
    DWORD               cValue;
    PCRYPT_ATTR_BLOB    rgValue;
} CRYPT_ATTRIBUTE, *PCRYPT_ATTRIBUTE;
typedef struct _CTL_ENTRY {
    CRYPT_DATA_BLOB     SubjectIdentifier;          // For example, its hash
    DWORD               cAttribute;
    PCRYPT_ATTRIBUTE    rgAttribute;                // OPTIONAL
} CTL_ENTRY, *PCTL_ENTRY;
typedef struct _CERT_EXTENSION {
    LPSTR               pszObjId;
    BOOL                fCritical;
    CRYPT_OBJID_BLOB    Value;
} CERT_EXTENSION, *PCERT_EXTENSION;
typedef struct _CTL_INFO {
    DWORD                       dwVersion;
    CTL_USAGE                   SubjectUsage;
    CRYPT_DATA_BLOB             ListIdentifier;     // OPTIONAL
    CRYPT_INTEGER_BLOB          SequenceNumber;     // OPTIONAL
    FILETIME                    ThisUpdate;
    FILETIME                    NextUpdate;         // OPTIONAL
    CRYPT_ALGORITHM_IDENTIFIER  SubjectAlgorithm;
    DWORD                       cCTLEntry;
    PCTL_ENTRY                  rgCTLEntry;         // OPTIONAL
    DWORD                       cExtension;
    PCERT_EXTENSION             rgExtension;        // OPTIONAL
} CTL_INFO, *PCTL_INFO;
/* Opaque handles; only stored and passed through in this code. */
typedef void *HCERTSTORE;
typedef void *HCRYPTMSG;
typedef struct _CTL_CONTEXT {
    DWORD                   dwMsgAndCertEncodingType;
    BYTE                    *pbCtlEncoded;
    DWORD                   cbCtlEncoded;
    PCTL_INFO               pCtlInfo;
    HCERTSTORE              hCertStore;
    HCRYPTMSG               hCryptMsg;
    BYTE                    *pbCtlContent;
    DWORD                   cbCtlContent;
} CTL_CONTEXT, *PCTL_CONTEXT;
typedef const CTL_CONTEXT *PCCTL_CONTEXT;
/* Subject of a WinVerifyTrust call when dwUnionChoice == WTD_CHOICE_CATALOG:
 * the catalog file plus the member (identified by path/handle and by the
 * hex-encoded hash in pcwszMemberTag) that the catalog is expected to list. */
typedef struct WINTRUST_CATALOG_INFO_
{
    DWORD         cbStruct;
    DWORD         dwCatalogVersion;
    LPCWSTR       pcwszCatalogFilePath;
    LPCWSTR       pcwszMemberTag;
    LPCWSTR       pcwszMemberFilePath;
    HANDLE        hMemberFile;
    BYTE*         pbCalculatedFileHash;
    DWORD         cbCalculatedFileHash;
PCCTL_CONTEXT pcCatalogContext;
} WINTRUST_CATALOG_INFO, *PWINTRUST_CATALOG_INFO;
/* Remaining WinVerifyTrust subject kinds (blob, signer, certificate); declared
 * so the union in WINTRUST_DATA has the SDK's shape, unused by MicrosoftVerify.c. */
typedef struct WINTRUST_BLOB_INFO_
{
    DWORD   cbStruct;
    GUID    gSubject;
    LPCWSTR pcwszDisplayName;
    DWORD   cbMemObject;
    BYTE*   pbMemObject;
    DWORD   cbMemSignedMsg;
    BYTE*   pbMemSignedMsg;
} WINTRUST_BLOB_INFO, *PWINTRUST_BLOB_INFO;
typedef struct _CRYPT_ATTRIBUTES {
    IN DWORD                cAttr;
    IN PCRYPT_ATTRIBUTE     rgAttr;
} CRYPT_ATTRIBUTES, *PCRYPT_ATTRIBUTES;
typedef struct _CMSG_SIGNER_INFO {
    DWORD                       dwVersion;
    CERT_NAME_BLOB              Issuer;
    CRYPT_INTEGER_BLOB          SerialNumber;
    CRYPT_ALGORITHM_IDENTIFIER  HashAlgorithm;
    CRYPT_ALGORITHM_IDENTIFIER  HashEncryptionAlgorithm;
    CRYPT_DATA_BLOB             EncryptedHash;
    CRYPT_ATTRIBUTES            AuthAttrs;
    CRYPT_ATTRIBUTES            UnauthAttrs;
} CMSG_SIGNER_INFO, *PCMSG_SIGNER_INFO;
typedef struct WINTRUST_SGNR_INFO_
{
    DWORD             cbStruct;
    LPCWSTR           pcwszDisplayName;
    CMSG_SIGNER_INFO* psSignerInfo;
    DWORD             chStores;
    HCERTSTORE*       pahStores;
} WINTRUST_SGNR_INFO, *PWINTRUST_SGNR_INFO;
typedef struct _CRYPT_BIT_BLOB {
    DWORD   cbData;
    BYTE    *pbData;
    DWORD   cUnusedBits;
} CRYPT_BIT_BLOB, *PCRYPT_BIT_BLOB;
typedef struct _CERT_PUBLIC_KEY_INFO {
    CRYPT_ALGORITHM_IDENTIFIER    Algorithm;
    CRYPT_BIT_BLOB                PublicKey;
} CERT_PUBLIC_KEY_INFO, *PCERT_PUBLIC_KEY_INFO;
typedef struct _CERT_INFO {
    DWORD                       dwVersion;
    CRYPT_INTEGER_BLOB          SerialNumber;
    CRYPT_ALGORITHM_IDENTIFIER  SignatureAlgorithm;
    CERT_NAME_BLOB              Issuer;
    FILETIME                    NotBefore;
    FILETIME                    NotAfter;
    CERT_NAME_BLOB              Subject;
    CERT_PUBLIC_KEY_INFO        SubjectPublicKeyInfo;
    CRYPT_BIT_BLOB              IssuerUniqueId;
    CRYPT_BIT_BLOB              SubjectUniqueId;
    DWORD                       cExtension;
    PCERT_EXTENSION             rgExtension;
} CERT_INFO, *PCERT_INFO;
typedef struct _CERT_CONTEXT {
    DWORD                   dwCertEncodingType;
    BYTE                    *pbCertEncoded;
    DWORD                   cbCertEncoded;
    PCERT_INFO              pCertInfo;
    HCERTSTORE              hCertStore;
} CERT_CONTEXT, *PCERT_CONTEXT;
typedef struct WINTRUST_CERT_INFO_
{
    DWORD         cbStruct;
    LPCWSTR       pcwszDisplayName;
    CERT_CONTEXT* psCertContext;
    DWORD         chStores;
    HCERTSTORE*   pahStores;
    DWORD         dwFlags;
    FILETIME*     psftVerifyAsOf;
} WINTRUST_CERT_INFO, *PWINTRUST_CERT_INFO;
/* Top-level argument of WinVerifyTrust. dwUnionChoice selects which union
 * member is valid; the WTD_* values below document each DWORD field. */
typedef struct _WINTRUST_DATA
{
    DWORD  cbStruct;
    LPVOID pPolicyCallbackData;
    LPVOID pSIPClientData;
    DWORD  dwUIChoice;
    DWORD  fdwRevocationChecks;
    DWORD  dwUnionChoice;
    /* NOTE: DUMMYUNIONNAME is a real member name here, not the SDK's
     * empty macro for anonymous unions; MicrosoftVerify.c writes
     * wd.DUMMYUNIONNAME.pFile / .pCatalog. */
    union
    {
        struct WINTRUST_FILE_INFO_*    pFile;
        struct WINTRUST_CATALOG_INFO_* pCatalog;
        struct WINTRUST_BLOB_INFO_*    pBlob;
        struct WINTRUST_SGNR_INFO_*    pSgnr;
        struct WINTRUST_CERT_INFO_*    pCert;
    } DUMMYUNIONNAME;
    DWORD  dwStateAction;
    HANDLE hWVTStateData;
    WCHAR* pwszURLReference;
    DWORD  dwProvFlags;
    DWORD  dwUIContext;
} WINTRUST_DATA, *PWINTRUST_DATA;
/* Output of CryptCATCatalogInfoFromContext: the path of the matching catalog. */
typedef struct CATALOG_INFO_
{
    DWORD cbStruct;
    WCHAR wszCatalogFile[MAX_PATH];
} CATALOG_INFO;
typedef HANDLE HCATADMIN;
typedef HANDLE HCATINFO;
// Function pointer definitions (original comment was mis-encoded). They are
// filled in at run time by InitFunc() in MicrosoftVerify.c via GetProcAddress
// on wintrust.dll, so the program links without a wintrust import library.
// NOTE(review): these are definitions, not 'extern' declarations; including
// this header from more than one translation unit yields duplicate symbols.
BOOL (WINAPI *CryptCATAdminAcquireContext)(HCATADMIN*,const GUID*,DWORD);
BOOL (WINAPI *CryptCATAdminReleaseContext)(HCATADMIN,DWORD);
BOOL (WINAPI *CryptCATAdminCalcHashFromFileHandle)(HANDLE,DWORD*,BYTE*,DWORD);
HCATINFO  (WINAPI *CryptCATAdminEnumCatalogFromHash)(HCATADMIN,BYTE*,DWORD,DWORD,HCATINFO*);
BOOL (WINAPI *CryptCATAdminReleaseCatalogContext)(HCATADMIN,HCATINFO,DWORD);
BOOL (WINAPI *CryptCATCatalogInfoFromContext)(HCATINFO,CATALOG_INFO*,DWORD);
/* WinVerifyTrust itself, resolved from the export named "WinVerifyTrust";
 * presumably suffixed with X to avoid clashing with an SDK prototype. */
LONG (WINAPI *WinVerifyTrustX)( HWND hwnd,GUID *ActionID,LPVOID  ActionData);
/* dwUIChoice */
#define WTD_UI_ALL                1
#define WTD_UI_NONE               2
#define WTD_UI_NOBAD              3
#define WTD_UI_NOGOOD             4
/* fdwRevocationChecks */
#define WTD_REVOKE_NONE           0
#define WTD_REVOKE_WHOLECHAIN     1
/* dwUnionChoice */
#define WTD_CHOICE_FILE           1
#define WTD_CHOICE_CATALOG        2
#define WTD_CHOICE_BLOB           3
#define WTD_CHOICE_SIGNER         4
#define WTD_CHOICE_CERT           5
/* dwStateAction (note: not valid for fdwRevocationChecks) */
#define WTD_STATEACTION_IGNORE           0
#define WTD_STATEACTION_VERIFY           1
#define WTD_STATEACTION_CLOSE            2
#define WTD_STATEACTION_AUTO_CACHE       3
#define WTD_STATEACTION_AUTO_CACHE_FLUSH 4
/* dwProvFlags */
#define WTD_SAFER_FLAG                          0x00000100
/* Action GUID selecting WinVerifyTrust's generic Authenticode verification policy. */
#define WINTRUST_ACTION_GENERIC_VERIFY_V2 \
    { 0xaac56b,   0xcd44, 0x11d0, { 0x8c,0xc2,0x00,0xc0,0x4f,0xc2,0x95,0xee }}
#endif


#include
#include
#include
#include "MicrosoftVerify.h"
//filename:MicrosoftVerify.c
// Code from the article referenced above (link not preserved).
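/*
 * CheckFileTrust - verify that lpFileName carries a trusted Authenticode
 * signature, either through an installed signed catalog (.cat) or embedded
 * in the file itself.
 *
 * The file is hashed with CryptCATAdminCalcHashFromFileHandle. If a catalog
 * containing that hash is installed, WinVerifyTrust is run against the
 * catalog entry; otherwise it is run against the file's embedded signature.
 *
 * lpFileName : path of the file to verify (wide string; NULL returns FALSE).
 * Returns    : TRUE only when WinVerifyTrust returns ERROR_SUCCESS for the
 *              chosen verification; FALSE on any failure or missing signature.
 *
 * Requires InitFunc() to have resolved the wintrust.dll entry points. The
 * file handle is kept open until verification has finished and is handed to
 * WinVerifyTrust, so the bytes that were hashed are the bytes that get
 * verified rather than whatever a second open of the path would find.
 * Every acquired resource is released on every return path (the original
 * carried a 2007.4.10 note about a memory leak here).
 */
BOOL CheckFileTrust( LPCWSTR lpFileName )
{
    BOOL bRet = FALSE;
    WINTRUST_DATA wd = { 0 };
    WINTRUST_FILE_INFO wfi = { 0 };
    WINTRUST_CATALOG_INFO wci = { 0 };
    CATALOG_INFO ci = { 0 };
    HCATADMIN hCatAdmin = NULL;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HCATINFO hCatInfo = NULL;
    GUID action = WINTRUST_ACTION_GENERIC_VERIFY_V2;
    LONG lStatus;
    BYTE byHash[100];
    DWORD dwCnt = sizeof( byHash );   /* in: capacity of byHash, out: hash length */
    DWORD dw;
    LPWSTR pszMemberTag = NULL;

    if ( NULL == lpFileName )
    {
        return FALSE;
    }

    /* Two hex digits per hash byte plus the terminating NUL. */
    pszMemberTag = (LPWSTR)malloc( sizeof(WCHAR) * (dwCnt * 2 + 1) );
    if ( NULL == pszMemberTag )
    {
        return FALSE;
    }

    if ( !CryptCATAdminAcquireContext( &hCatAdmin, NULL, 0 ) )
    {
        hCatAdmin = NULL;
        goto cleanup;
    }

    hFile = CreateFileW( lpFileName, GENERIC_READ, FILE_SHARE_READ,
        NULL, OPEN_EXISTING, 0, NULL );
    if ( INVALID_HANDLE_VALUE == hFile )
    {
        goto cleanup;
    }

    /* Hash the whole file (SHA-1, 160 bits, on the systems this was written
     * for). On failure dwCnt may hold the size a larger buffer would need; in
     * that case skip the catalog lookup instead of reading past byHash and
     * writing past pszMemberTag. */
    if ( !CryptCATAdminCalcHashFromFileHandle( hFile, &dwCnt, byHash, 0 )
         || dwCnt > sizeof( byHash ) )
    {
        dwCnt = 0;
    }

    if ( dwCnt > 0 )
    {
        /* Catalog member tags are the upper-case hex encoding of the hash,
         * e.g. byte 0x8c -> L"8C". wsprintfW NUL-terminates each write, so
         * the final iteration terminates the whole string. */
        for ( dw = 0; dw < dwCnt; ++dw )
        {
            wsprintfW( &pszMemberTag[dw * 2], L"%02X", byHash[dw] );
        }
        hCatInfo = CryptCATAdminEnumCatalogFromHash( hCatAdmin, byHash, dwCnt, 0, NULL );
    }

    /* Fields common to both verification modes. */
    wd.cbStruct         = sizeof( WINTRUST_DATA );
    wd.dwUIChoice       = WTD_UI_NONE;
    wd.dwStateAction    = WTD_STATEACTION_IGNORE;
    wd.hWVTStateData    = NULL;
    wd.pwszURLReference = NULL;

    if ( NULL == hCatInfo )
    {
        /* No installed catalog lists this hash: verify the embedded signature. */
        wfi.cbStruct       = sizeof( WINTRUST_FILE_INFO );
        wfi.pcwszFilePath  = lpFileName;
        wfi.hFile          = hFile;   /* the handle we hashed, not a re-open by path */
        wfi.pgKnownSubject = NULL;
        wd.dwUnionChoice        = WTD_CHOICE_FILE;
        wd.DUMMYUNIONNAME.pFile = &wfi;
        wd.fdwRevocationChecks  = WTD_REVOKE_NONE;
        wd.dwProvFlags          = WTD_SAFER_FLAG;
    }
    else
    {
        if ( !CryptCATCatalogInfoFromContext( hCatInfo, &ci, 0 ) )
        {
            goto cleanup;   /* no catalog path -> nothing trustworthy to verify against */
        }
        wci.cbStruct             = sizeof( WINTRUST_CATALOG_INFO );
        wci.pcwszCatalogFilePath = ci.wszCatalogFile;
        wci.pcwszMemberFilePath  = lpFileName;
        wci.hMemberFile          = hFile;
        wci.pcwszMemberTag       = pszMemberTag;
        wd.dwUnionChoice           = WTD_CHOICE_CATALOG;
        wd.DUMMYUNIONNAME.pCatalog = &wci;
        /* The original wrote WTD_STATEACTION_VERIFY into this field, which is
         * a dwStateAction value; numerically it equals WTD_REVOKE_WHOLECHAIN,
         * so whole-chain revocation checking is what actually ran and is kept
         * here under its proper name. */
        wd.fdwRevocationChecks     = WTD_REVOKE_WHOLECHAIN;
        wd.dwProvFlags             = 0;
    }

    lStatus = WinVerifyTrustX( NULL, &action, &wd );
    /* WinVerifyTrust returns 0 on success and an error code otherwise. */
    bRet = ( ERROR_SUCCESS == lStatus );

cleanup:
    if ( NULL != hCatInfo )
    {
        CryptCATAdminReleaseCatalogContext( hCatAdmin, hCatInfo, 0 );
    }
    if ( NULL != hCatAdmin )
    {
        CryptCATAdminReleaseContext( hCatAdmin, 0 );
    }
    if ( INVALID_HANDLE_VALUE != hFile )
    {
        CloseHandle( hFile );
    }
    free( pszMemberTag );
    return bRet;
}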
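/*
 * ResolveEntry - GetProcAddress wrapper that names the missing export when
 * lookup fails. Returns the address or NULL.
 */
static FARPROC ResolveEntry( HMODULE hModule, const char *pszName )
{
    FARPROC pfn = GetProcAddress( hModule, pszName );
    if ( NULL == pfn )
    {
        printf( "GetProcAddress %s error! %lu\n", pszName, (unsigned long)GetLastError() );
    }
    return pfn;
}

/*
 * InitFunc - load wintrust.dll and resolve the CryptCATAdmin* / WinVerifyTrust
 * entry points into the file-scope function pointers from MicrosoftVerify.h.
 *
 * Returns TRUE when every entry point was found. On any failure a message is
 * printed, the module is unloaded, the pointers are reset to NULL and FALSE
 * is returned. On success the module stays loaded for the life of the
 * process because the resolved pointers refer into it.
 *
 * The DLL is loaded by its full path under the system directory rather than
 * by bare name, so the loader's search order cannot pick up a same-named
 * file from the application or current directory. The C++-only
 * "(FARPROC &)x = ..." reference casts of the original are replaced by plain
 * function-pointer casts so the file is valid C.
 */
BOOL InitFunc()
{
    static const char szDll[] = "\\wintrust.dll";
    char szPath[MAX_PATH];
    UINT cchSysDir;
    HMODULE dllHandle = NULL;

    /* GetSystemDirectoryA returns the length without the NUL, or the size
     * needed (with NUL) when the buffer is too small; both cases fall into
     * the bound check below. sizeof(szDll) already counts szDll's NUL. */
    cchSysDir = GetSystemDirectoryA( szPath, sizeof( szPath ) );
    if ( 0 == cchSysDir || cchSysDir + sizeof( szDll ) > sizeof( szPath ) )
    {
        printf( "GetSystemDirectory error!%lu\n", (unsigned long)GetLastError() );
        return FALSE;
    }
    lstrcatA( szPath, szDll );

    dllHandle = LoadLibraryA( szPath );
    if ( NULL == dllHandle )
    {
        printf( "LoadLibrary wintrust.dll error!%lu\n", (unsigned long)GetLastError() );
        return FALSE;
    }

    CryptCATAdminAcquireContext = (BOOL (WINAPI *)(HCATADMIN*, const GUID*, DWORD))
        ResolveEntry( dllHandle, "CryptCATAdminAcquireContext" );
    CryptCATAdminReleaseContext = (BOOL (WINAPI *)(HCATADMIN, DWORD))
        ResolveEntry( dllHandle, "CryptCATAdminReleaseContext" );
    CryptCATAdminCalcHashFromFileHandle = (BOOL (WINAPI *)(HANDLE, DWORD*, BYTE*, DWORD))
        ResolveEntry( dllHandle, "CryptCATAdminCalcHashFromFileHandle" );
    CryptCATAdminEnumCatalogFromHash = (HCATINFO (WINAPI *)(HCATADMIN, BYTE*, DWORD, DWORD, HCATINFO*))
        ResolveEntry( dllHandle, "CryptCATAdminEnumCatalogFromHash" );
    CryptCATAdminReleaseCatalogContext = (BOOL (WINAPI *)(HCATADMIN, HCATINFO, DWORD))
        ResolveEntry( dllHandle, "CryptCATAdminReleaseCatalogContext" );
    CryptCATCatalogInfoFromContext = (BOOL (WINAPI *)(HCATINFO, CATALOG_INFO*, DWORD))
        ResolveEntry( dllHandle, "CryptCATCatalogInfoFromContext" );
    WinVerifyTrustX = (LONG (WINAPI *)(HWND, GUID*, LPVOID))
        ResolveEntry( dllHandle, "WinVerifyTrust" );

    if ( NULL == CryptCATAdminAcquireContext
      || NULL == CryptCATAdminReleaseContext
      || NULL == CryptCATAdminCalcHashFromFileHandle
      || NULL == CryptCATAdminEnumCatalogFromHash
      || NULL == CryptCATAdminReleaseCatalogContext
      || NULL == CryptCATCatalogInfoFromContext
      || NULL == WinVerifyTrustX )
    {
        /* Do not leave pointers into an unloaded module behind. */
        CryptCATAdminAcquireContext         = NULL;
        CryptCATAdminReleaseContext         = NULL;
        CryptCATAdminCalcHashFromFileHandle = NULL;
        CryptCATAdminEnumCatalogFromHash    = NULL;
        CryptCATAdminReleaseCatalogContext  = NULL;
        CryptCATCatalogInfoFromContext      = NULL;
        WinVerifyTrustX                     = NULL;
        FreeLibrary( dllHandle );
        return FALSE;
    }
    return TRUE;
}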
// Test driver
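/*
 * main - verify one file and report the result.
 *
 * The file is argv[1] when given (converted from the ANSI command line to the
 * wide path CheckFileTrust expects), otherwise the original hard-coded
 * C:\111.exe.
 *
 * Exit status: 0 when the file is trusted, 1 when it is not, 2 when the
 * wintrust entry points could not be resolved or the argument is unusable
 * (the original returned 0 in every case, hiding failures from callers).
 */
int main(int argc,char **argv)
{
    WCHAR wszPath[MAX_PATH];
    LPCWSTR lpFileName = L"C:\\111.exe";
    BOOL ret;

    if (!InitFunc())
    {
        printf("%s %d error!",__FILE__,__LINE__);
        return 2;
    }
    if (argc > 1)
    {
        /* A narrow main() receives ANSI argv; widen it, bounded by wszPath. */
        if (0 == MultiByteToWideChar(CP_ACP, 0, argv[1], -1, wszPath,
                                     sizeof(wszPath) / sizeof(wszPath[0])))
        {
            printf("Bad path argument! %lu\n", (unsigned long)GetLastError());
            return 2;
        }
        lpFileName = wszPath;
    }
    ret = CheckFileTrust(lpFileName);
    if (ret)
    {
        printf("OK!\n");
        return 0;
    }
    printf("Sorry!\n");
    return 1;
}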