def test_0d8c_valid(self):
    """The sample stored under its 64-hex-digit name verifies with defaults.

    The test passes when ``SignedPEFile.verify()`` returns without raising.
    """
    sample_path = (
        root_dir / "test_data" /
        "0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198"
    )
    with open(str(sample_path), "rb") as sample:
        signed_pe = SignedPEFile(sample)
        signed_pe.verify()
def test_software_update(self):
    """Check SoftwareUpdate.exe end to end: hash, blob count, signature.

    First pins the SHA-1 Authenticode hash of the sample, then checks that
    the file exposes a single SignedData blob and that both the blob and
    the file as a whole verify without raising.
    """
    sample_path = root_dir / "test_data" / "SoftwareUpdate.exe"
    with open(str(sample_path), "rb") as sample:
        hasher = AuthenticodeFingerprinter(sample)
        hasher.add_authenticode_hashers(hashlib.sha1)
        digests = hasher.hash()

        # Sanity check that the authenticode hash is still correct; a
        # mismatch means the fixture or the hashing code has changed.
        sha1_hex = binascii.hexlify(digests['sha1']).decode('ascii')
        self.assertEqual(sha1_hex,
                         '978b90ace99c764841d2dd17d278fac4149962a3')

        # The same open handle is handed on to the signature parser.
        signed_pe = SignedPEFile(sample)

        # Enumerating the blobs must not raise.
        blobs = list(signed_pe.signed_datas)
        # A binary signed several times (e.g. by different entities) holds
        # one complete SignedData blob per signature. This sample has one.
        self.assertEqual(len(blobs), 1)
        only_blob = blobs[0]

        # The bytes left over after the SignedData structure must be a
        # single NUL byte for this sample.
        self.assertEqual(only_blob._rest_data, b'\0')

        only_blob.verify()

        # Verifying through the file object should work as well.
        signed_pe.verify()
def test_pciide(self):
    """pciide.sys carries exactly one SignedData blob, and it verifies."""
    driver_path = root_dir / "test_data" / "pciide.sys"
    with open(str(driver_path), "rb") as stream:
        signed_pe = SignedPEFile(stream)

        blobs = list(signed_pe.signed_datas)
        self.assertEqual(len(blobs), 1)

        # Check the blob on its own first, then the file as a whole.
        only_blob = blobs[0]
        only_blob.verify()
        signed_pe.verify()
def test_3a7de393a36ca8911cd0842a9a25b058_valid_different_contenttype(
        self):
    """A sample whose content type is not ``Data`` still verifies.

    The sample uses content type 1.2.840.113549.1.9.16.1.4 (id-ct-TSTInfo,
    the RFC 3161 timestamp-token type) where ``Data`` is usually found.
    """
    sample_path = root_dir / "test_data" / "3a7de393a36ca8911cd0842a9a25b058"
    with open(str(sample_path), "rb") as sample:
        signed_pe = SignedPEFile(sample)
        signed_pe.verify()
def test_0d8c_valid(self):
    """The 0d8c... sample verifies against the no-CTL trust store.

    NOTE(review): judging by its name, ``TRUSTED_CERTIFICATE_STORE_NO_CTL``
    is a trust store without certificate-trust-list checks -- confirm where
    the constant is defined.
    NOTE(review): a test with this same name appears elsewhere on this
    page. If both live in one TestCase, the later definition replaces the
    earlier one and only one of them runs.
    """
    sample_path = (
        root_dir / "test_data" /
        "0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198"
    )
    with open(str(sample_path), "rb") as sample:
        signed_pe = SignedPEFile(sample)
        signed_pe.verify(
            trusted_certificate_store=TRUSTED_CERTIFICATE_STORE_NO_CTL)
def test_jameslth_revoked(self):
    """The 'jameslth' sample is rejected when revocation is enforced.

    The signing certificate of this sample is revoked, so ``verify()`` must
    raise ``VerificationError`` when called with fetching allowed and the
    revocation mode set to 'hard-fail'.
    """
    # NOTE(review): 'allow_fetching': True presumably lets the validator
    # retrieve revocation data over the network, so this test likely needs
    # outbound access. Under 'hard-fail' an unreachable responder may raise
    # VerificationError too, and the test would then pass without proving
    # that the revocation was seen -- confirm against the library docs.
    strict_context = {
        'allow_fetching': True,
        'revocation_mode': 'hard-fail'
    }
    with open(str(root_dir / "test_data" / "jameslth"), "rb") as sample:
        signed_pe = SignedPEFile(sample)
        with self.assertRaises(VerificationError):
            signed_pe.verify(verification_context_kwargs=strict_context)
def test_sw_reporter(self):
    """A signature that uses SHA256 hashes verifies.

    software_reporter_tool.exe must expose one SignedData blob, and both
    the blob and the file must verify without raising.
    """
    tool_path = root_dir / "test_data" / "software_reporter_tool.exe"
    with open(str(tool_path), "rb") as stream:
        signed_pe = SignedPEFile(stream)

        blobs = list(signed_pe.signed_datas)
        self.assertEqual(len(blobs), 1)

        # Check the blob on its own first, then the file as a whole.
        only_blob = blobs[0]
        only_blob.verify()
        signed_pe.verify()
def test_19e8_valid_within_period(self):
    """The 19e8... sample verifies when checked at a pinned point in time.

    Verification runs with the context timestamp fixed to 2013-01-01 UTC
    instead of the current time.
    """
    # NOTE(review): the test name suggests the certificate chain is only
    # valid within a period that includes this date -- confirm on the sample.
    pinned_moment = datetime.datetime(2013, 1, 1,
                                      tzinfo=datetime.timezone.utc)
    sample_path = (
        root_dir / "test_data" /
        "19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8.ViR"
    )
    with open(str(sample_path), "rb") as sample:
        signed_pe = SignedPEFile(sample)
        signed_pe.verify(
            verification_context_kwargs={'timestamp': pinned_moment})
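def main():
    """Verify the signed PE file named by ``sys.argv[1]`` and print its signers.

    For every SignedData blob in the file this prints the signer's program
    name followed by each certificate in the blob. Errors are reported on
    stdout and are not propagated.

    Returns:
        ``{}`` when ``verify()`` fails with anything other than
        ``AuthenticodeVerificationError``; ``None`` in every other case.
    """
    data_file = sys.argv[1]
    try:
        with open(data_file, 'rb') as objf:
            pefile = SignedPEFile(objf)
            try:
                pefile.verify()
            except AuthenticodeVerificationError:
                # NOTE(review): this branch does not return, so the listing
                # below still runs. The program name and certificates printed
                # after this message come from a signature that failed
                # verification and must not be read as trusted.
                print("could not verify cert")
            except Exception as error:
                print("error with verify")
                # str(error) rather than error.message: Python 3 exceptions
                # have no .message attribute, so the old form raised
                # AttributeError from inside this handler.
                print(error.__class__.__name__ + ": " + str(error))
                return {}

            for signed_data in pefile.signed_datas:
                print(signed_data.signer_info.program_name)
                for cert in signed_data.certificates:
                    print(cert)
    except Exception as error:
        print("Gen error")
        print(error.__class__.__name__ + ": " + str(error))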
def test_jameslth_valid_when_revocation_not_checked(self):
    """The 'jameslth' sample verifies when ``verify()`` gets no arguments.

    This pins the default behaviour: the call is expected not to raise for
    this sample even though its certificate is revoked. Callers that need
    revoked signers rejected cannot rely on the defaults shown here.
    """
    # this certificate is revoked
    sample_path = root_dir / "test_data" / "jameslth"
    with open(str(sample_path), "rb") as sample:
        signed_pe = SignedPEFile(sample)
        signed_pe.verify()
def test_solwarwinds_valid_countersignature_rfc3161(self):
    """SolarWinds.exe, with an RFC 3161 countersignature, verifies."""
    # The sample includes a countersignature of type 1.3.6.1.4.1.311.3.3.1
    # (the Microsoft OID for RFC 3161 timestamp countersignatures).
    sample_path = root_dir / "test_data" / "SolarWinds.exe"
    with open(str(sample_path), "rb") as sample:
        signed_pe = SignedPEFile(sample)
        signed_pe.verify()
def test_zonealarm_rfc3161_different_hash_and_digest_algorithms(self):
    """An RFC 3161 sample with distinct hash and digest algorithms verifies.

    zonealarm.exe must pass ``verify()`` without raising.
    """
    sample_path = root_dir / "test_data" / "zonealarm.exe"
    with open(str(sample_path), "rb") as sample:
        signed_pe = SignedPEFile(sample)
        signed_pe.verify()
def test_whois_valid_countersignature_rfc3161(self):
    """whois.exe, with a 1.3.6.1.4.1.311.3.3.1 countersignature, verifies.

    That OID is the Microsoft identifier for an RFC 3161 timestamp
    countersignature.
    """
    sample_path = root_dir / "test_data" / "whois.exe"
    with open(str(sample_path), "rb") as sample:
        signed_pe = SignedPEFile(sample)
        signed_pe.verify()