import ctypes
import struct
import windows
from collections import namedtuple
from windows import winproxy
import windows.generated_def as gdef
from windows.generated_def.winstructs import *
# From: um/SoftPub.h
WINTRUST_ACTION_GENERIC_VERIFY_V2 = gdef.IID.from_string("00AAC56B-CD44-11d0-8CC2-00C04FC295EE")
DRIVER_ACTION_VERIFY = gdef.IID.from_string("F750E6C3-38EE-11d1-85E5-00C04FC295EE")
wintrust_know_return_value = [
TRUST_E_PROVIDER_UNKNOWN,
TRUST_E_ACTION_UNKNOWN,
TRUST_E_SUBJECT_FORM_UNKNOWN,
DIGSIG_E_ENCODE,
TRUST_E_SUBJECT_NOT_TRUSTED,
TRUST_E_BAD_DIGEST,
DIGSIG_E_DECODE,
DIGSIG_E_EXTENSIBILITY,
PERSIST_E_SIZEDEFINITE,
DIGSIG_E_CRYPTO,
PERSIST_E_SIZEINDEFINITE,
PERSIST_E_NOTSELFSIZING,
TRUST_E_NOSIGNATURE,
CERT_E_EXPIRED,
CERT_E_VALIDITYPERIODNESTING,
CERT_E_PURPOSE,
CERT_E_ISSUERCHAINING,
CERT_E_MALFORMED,
CERT_E_UNTRUSTEDROOT,
CERT_E_CHAINING,
TRUST_E_FAIL,
CERT_E_REVOKED,
CERT_E_UNTRUSTEDTESTROOT,
CERT_E_REVOCATION_FAILURE,
CERT_E_CN_NO_MATCH,
CERT_E_WRONG_USAGE,
TRUST_E_EXPLICIT_DISTRUST,
CERT_E_UNTRUSTEDCA,
CERT_E_INVALID_POLICY,
CERT_E_INVALID_NAME,
CRYPT_E_FILE_ERROR,
]
wintrust_return_value_mapper = gdef.FlagMapper(*wintrust_know_return_value)
[docs]def check_signature(filename):
"""Check if ``filename`` embeds a valid signature.
:return: :class:`int`: ``0`` if ``filename`` have a valid signature else the error
"""
file_data = WINTRUST_FILE_INFO()
file_data.cbStruct = ctypes.sizeof(WINTRUST_FILE_INFO)
file_data.pcwszFilePath = filename
file_data.hFile = None
file_data.pgKnownSubject = None
WVTPolicyGUID = WINTRUST_ACTION_GENERIC_VERIFY_V2
win_trust_data = WINTRUST_DATA()
win_trust_data.cbStruct = ctypes.sizeof(WINTRUST_DATA)
win_trust_data.pPolicyCallbackData = None
win_trust_data.pSIPClientData = None
win_trust_data.dwUIChoice = WTD_UI_NONE
# win_trust_data.fdwRevocationChecks = WTD_REVOKE_NONE
win_trust_data.fdwRevocationChecks = WTD_REVOKE_WHOLECHAIN
win_trust_data.dwUnionChoice = WTD_CHOICE_FILE
win_trust_data.dwStateAction = WTD_STATEACTION_VERIFY
win_trust_data.hWVTStateData = None
win_trust_data.pwszURLReference = None
win_trust_data.dwUIContext = 0
#win_trust_data.dwProvFlags = 0x1000 + 0x10 + 0x800
win_trust_data.tmp_union.pFile = ctypes.pointer(file_data)
x = winproxy.WinVerifyTrust(None, ctypes.byref(WVTPolicyGUID), ctypes.byref(win_trust_data))
win_trust_data.dwStateAction = WTD_STATEACTION_CLOSE
winproxy.WinVerifyTrust(None, ctypes.byref(WVTPolicyGUID), ctypes.byref(win_trust_data))
return wintrust_return_value_mapper[x & 0xffffffff]
def get_catalog_for_filename(filename):
ctx = HCATADMIN()
winproxy.CryptCATAdminAcquireContext(ctypes.byref(ctx), DRIVER_ACTION_VERIFY, 0)
hash = get_file_hash(filename)
if hash is None:
return None
t = winproxy.CryptCATAdminEnumCatalogFromHash(ctx, hash, len(hash), 0, None)
if t is None:
return None
tname = get_catalog_name_from_handle(t)
while t is not None:
t = winproxy.CryptCATAdminEnumCatalogFromHash(ctx, hash, len(hash), 0, ctypes.byref(HCATINFO(t)))
# Todo: how to handle multiple catalog ?
winproxy.CryptCATAdminReleaseCatalogContext(ctx, t, 0)
winproxy.CryptCATAdminReleaseContext(ctx, 0)
return tname
def get_file_hash(filename):
f = open(filename, "rb")
handle = windows.utils.get_handle_from_file(f)
size = DWORD(0)
x = winproxy.CryptCATAdminCalcHashFromFileHandle(handle, ctypes.byref(size), None, 0)
buffer = (BYTE * size.value)()
try:
x = winproxy.CryptCATAdminCalcHashFromFileHandle(handle, ctypes.byref(size), buffer, 0)
except WindowsError as e:
if e.winerror == 1006:
# CryptCATAdminCalcHashFromFileHandle: [Error 1006]
# The volume for a file has been externally altered so that the opened file is no longer valid.
# (returned for empty file)
return None
raise
return buffer
def get_file_hash2(filename): #POC: name/API will change/disapear
f = open(filename, "rb")
handle = windows.utils.get_handle_from_file(f)
cathand = HANDLE()
h = winproxy.CryptCATAdminAcquireContext2(cathand, None, "SHA256", None, 0)
print(cathand)
size = DWORD(0)
x = winproxy.CryptCATAdminCalcHashFromFileHandle2(cathand, handle, ctypes.byref(size), None, 0)
buffer = (BYTE * size.value)()
try:
x = winproxy.CryptCATAdminCalcHashFromFileHandle2(cathand, handle, ctypes.byref(size), buffer, 0)
except WindowsError as e:
if e.winerror == 1006:
# CryptCATAdminCalcHashFromFileHandle: [Error 1006]
# The volume for a file has been externally altered so that the opened file is no longer valid.
# (returned for empty file)
return None
raise
return buffer
def get_catalog_name_from_handle(handle):
cat_info = CATALOG_INFO()
cat_info.cbStruct = ctypes.sizeof(cat_info)
winproxy.CryptCATCatalogInfoFromContext(handle, ctypes.byref(cat_info), 0)
return cat_info.wszCatalogFile
SignatureData = namedtuple("SignatureData", ["signed", "catalog", "catalogsigned", "additionalinfo"])
"""Signature information for ``FILENAME``:
* ``signed``: True if ``FILENAME`` embeds a valide signature
* ``catalog``: The filename of the catalog ``FILENAME`` is part of (if any)
* ``catalogsigned``: True if ``catalog`` embeds a valide signature
* ``additionalinfo``: The return error of ``check_signature(FILENAME)``
``additionalinfo`` is useful to know if ``FILENAME`` signature was rejected for an invalid root / expired cert.
"""
[docs]def is_signed(filename):
"""Check if ``filename`` is signed:
* File embeds a valid signature
* File is part of a signed catalog file
:return: :class:`bool`
"""
check_sign = check_signature(filename)
if check_sign == 0:
return True
catalog = get_catalog_for_filename(filename)
if catalog is None:
return False
catalogsigned = not bool(check_signature(catalog))
return catalogsigned