Beispiel #1
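def _printable_field(value):
    """Return ``str(value)`` with each non-printable character replaced by ``?``.

    Every string shown by ``print_signature`` is read out of the file being
    inspected, so it can carry terminal control sequences. Neutralising them
    keeps an untrusted sample from rewriting the analyst's terminal output.
    """
    return "".join(ch if ch.isprintable() else "?" for ch in str(value))


def print_signature(binary):
    """Print the signature metadata embedded in ``binary``.

    This is a display routine only. It dumps what the signature blob claims
    (versions, algorithm OIDs, certificates, signer info) and performs no
    verification: the digest is not recomputed, the certificate chain is not
    built and nothing is checked against a trust store. Do not read the
    output as proof that the file is authentically signed.

    Args:
        binary: parsed binary exposing ``has_signature`` and ``signature``.

    Returns:
        None. Nothing is printed when ``binary.has_signature`` is false.
    """
    if not binary.has_signature:
        return

    format_str = "{:<33} {:<30}"
    format_dec = "{:<33} {:<30d}"

    def _stamp(fields):
        # The first three items are the date, the remaining ones the time.
        return "-".join(map(str, fields[:3])) + " " + ":".join(map(str, fields[3:]))

    signature = binary.signature
    print("== Signature ==")
    print(format_dec.format("Version:", signature.version))
    print(format_str.format("Digest Algorithm:", oid_to_string(signature.digest_algorithm)))
    print("")

    print("-- Content Info --")
    content_info = signature.content_info
    print(format_str.format("Content Type:", oid_to_string(content_info.content_type)))
    print(format_str.format("Type:", oid_to_string(content_info.type)))
    print(format_str.format("Digest Algorithm:", oid_to_string(content_info.digest_algorithm)))
    print("")

    print("-- Certificates --")
    for crt in signature.certificates:
        sn_str = ":".join("{:02x}".format(octet) for octet in crt.serial_number)
        print(format_dec.format("Version:", crt.version))
        print(format_str.format("Serial Number:", sn_str))
        print(format_str.format("Signature Algorithm:", oid_to_string(crt.signature_algorithm)))
        print(format_str.format("Valid from:", _stamp(crt.valid_from)))
        print(format_str.format("Valid to:", _stamp(crt.valid_to)))
        # Issuer and subject are free text chosen by whoever built the
        # certificate; escape them before they reach the terminal.
        print(format_str.format("Issuer:", _printable_field(crt.issuer)))
        print(format_str.format("Subject:", _printable_field(crt.subject)))
        print("")

    print("-- Signer Info --")
    signer_info = signature.signer_info
    issuer_str = " ".join(
        oid_to_string(pair[0]) + " = " + pair[1] for pair in signer_info.issuer[0]
    )
    attributes = signer_info.authenticated_attributes
    print(format_dec.format("Version:", signer_info.version))
    print(format_str.format("Issuer:", _printable_field(issuer_str)))
    print(format_str.format("Digest Algorithm:", oid_to_string(signer_info.digest_algorithm)))
    print(format_str.format("Signature algorithm:", oid_to_string(signer_info.signature_algorithm)))
    # The name used to be passed through .encode('utf-8'); on Python 3 that
    # yields bytes, and bytes reject a width spec such as "{:<30}" with a
    # TypeError. Format it as text instead.
    print(format_str.format("Program name:", _printable_field(attributes.program_name)))
    print(format_str.format("Url:", _printable_field(attributes.more_info)))
    print("")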
Beispiel #2
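def _cert_text(value):
    """Return ``str(value)`` with each non-printable character replaced by ``?``.

    Issuer and subject come from the sample under analysis and may contain
    terminal control sequences; they are neutralised before printing.
    """
    return "".join(ch if ch.isprintable() else "?" for ch in str(value))


def _cert_stamp(fields):
    """Render a date/time field sequence as ``Y-M-D h:m:s`` for display."""
    return "-".join(map(str, fields[:3])) + " " + ":".join(map(str, fields[3:]))


def _cert_moment(fields):
    """Build a naive datetime from the first six fields, or None if malformed."""
    try:
        return datetime.datetime(*fields[:6])
    except (TypeError, ValueError):
        return None


def get(malware, csv):
    """Print the certificates embedded in a sample and record a signed flag.

    The "Valid certificate" / "Invalid certificate" label reflects ONLY
    whether the current time lies inside the certificate's validity period.
    No chain is built, no trust store is consulted, revocation is not
    checked and the signature over the file is not verified, so a "Valid"
    line is not evidence that the sample is authentically signed. The CSV
    flag likewise records only that a signature blob is present.

    Args:
        malware: path of the file to parse with ``lief.parse``.
        csv: object with a ``write`` method; receives ``"1,"`` when the file
            carries a signature and ``"0,"`` otherwise.
    """
    print((colors.WHITE +
           "\n------------------------------- {0:^13}{1:3}".format(
               "CERTIFICATE", " -------------------------------") +
           colors.DEFAULT))
    binary = lief.parse(malware)
    format_str = "{:<33} {:<30}"
    format_dec = "{:<33} {:<30d}"

    # lief.parse returns None for input it cannot parse, and not every
    # binary type exposes has_signature. Both cases are reported as unsigned
    # so the CSV row still gets its column instead of the run crashing.
    signed = bool(getattr(binary, "has_signature", False))

    if signed:
        # One snapshot so every certificate is judged against the same
        # instant. X.509 validity times are expressed in UTC, so compare in
        # UTC (assumes LIEF exposes the fields unconverted; confirm).
        now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)

        for cert in binary.signature.certificates:
            # Compare with full date and time: truncating to the date marks
            # a certificate as expired for the whole of its last day.
            not_before = _cert_moment(cert.valid_from)
            not_after = _cert_moment(cert.valid_to)
            in_window = (not_before is not None and not_after is not None
                         and not_before <= now <= not_after)

            sn_str = ":".join(["{:02x}".format(e) for e in cert.serial_number])

            if in_window:
                print((colors.GREEN + "[" + '\u2713' + "]" + colors.DEFAULT +
                       " Valid certificate"))
            else:
                # Also reached when the validity fields cannot be parsed.
                print((colors.RED + "[X]" + colors.DEFAULT +
                       " Invalid certificate"))

            print((format_dec.format(
                colors.WHITE + "Version:" + colors.DEFAULT, cert.version)))
            print((format_str.format(
                colors.WHITE + "Serial Number:" + colors.DEFAULT, sn_str)))
            print((format_str.format(
                colors.WHITE + "Signature Algorithm:" + colors.DEFAULT,
                oid_to_string(cert.signature_algorithm))))
            print((format_str.format(
                colors.WHITE + "Valid from:" + colors.DEFAULT,
                _cert_stamp(cert.valid_from))))
            print((format_str.format(
                colors.WHITE + "Valid to:" + colors.DEFAULT,
                _cert_stamp(cert.valid_to))))
            print((format_str.format(
                colors.WHITE + "Issuer:" + colors.DEFAULT,
                _cert_text(cert.issuer))))
            print((format_str.format(
                colors.WHITE + "Subject:" + colors.DEFAULT,
                _cert_text(cert.subject))))
            print('\n')

        csv.write("1,")
    else:
        print((colors.RED + "[X]" + colors.DEFAULT + " None"))
        csv.write("0,")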