private bool Validate32BitImage(BinaryAnalyzerContext context)
        {
            PEBinary    target       = context.PEBinary();
            PEHeader    peHeader     = target.PE.PEHeaders.PEHeader;
            SafePointer sp           = new SafePointer(target.PE.ImageBytes, peHeader.LoadConfigTableDirectory.RelativeVirtualAddress);
            SafePointer loadConfigVA = target.PE.RVA2VA(sp);
            ImageLoadConfigDirectory32 loadConfig = new ImageLoadConfigDirectory32(peHeader, loadConfigVA);

            UInt32 cookieVA    = (UInt32)loadConfig.GetField(ImageLoadConfigDirectory32.Fields.SecurityCookie);
            UInt32 baseAddress = (UInt32)peHeader.ImageBase;

            // we need to find the offset in the file based on the cookie's VA
            UInt32        sectionSize, sectionVA = 0;
            SectionHeader ish = new SectionHeader();
            bool          foundCookieSection = false;

            foreach (SectionHeader t in target.PE.PEHeaders.SectionHeaders)
            {
                sectionVA   = (UInt32)t.VirtualAddress + baseAddress;
                sectionSize = (UInt32)t.VirtualSize;
                if ((cookieVA >= sectionVA) &&
                    (cookieVA < sectionVA + sectionSize))
                {
                    ish = t;
                    foundCookieSection = true;
                    break;
                }
            }

            if (!foundCookieSection)
            {
                LogCouldNotLocateCookie(context);
                return(false);
            }

            UInt64      fileCookieOffset = (cookieVA - baseAddress) - (sectionVA - baseAddress) + (UInt32)ish.PointerToRawData;
            SafePointer fileCookiePtr    = loadConfigVA;

            fileCookiePtr.Address = (int)fileCookieOffset;

            SafePointer boundsCheck = fileCookiePtr + 4;

            if (!CookieOffsetValid(context, boundsCheck))
            {
                return(false);
            }

            UInt32 cookie = BitConverter.ToUInt32(fileCookiePtr.GetBytes(4), 0);

            if (!StackProtectionUtilities.DefaultCookiesX86.Contains(cookie) && target.PE.Machine == Machine.I386)
            {
                LogFailure(context, cookie.ToString("x"));
                return(false);
            }

            return(true);
        }
Ejemplo n.º 2
0
        private bool EnablesControlFlowGuard(BinaryAnalyzerContext context)
        {
            PEHeader peHeader = context.PE.PEHeaders.PEHeader;

            if (((uint)peHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_CONTROLFLOWGUARD) == 0)
            {
                return(false);
            }

            SafePointer loadConfigRVA = new SafePointer(context.PE.ImageBytes, peHeader.LoadConfigTableDirectory.RelativeVirtualAddress);

            if (loadConfigRVA.Address == 0)
            {
                return(false);
            }

            SafePointer loadConfigVA = context.PE.RVA2VA(loadConfigRVA);

            if (context.PE.Is64Bit)
            {
                ImageLoadConfigDirectory64 loadConfig = new ImageLoadConfigDirectory64(peHeader, loadConfigVA);

                Int32  imageDirectorySize          = (Int32)loadConfig.GetField(ImageLoadConfigDirectory32.Fields.Size);
                UInt64 guardCFCheckFunctionPointer = (UInt64)loadConfig.GetField(ImageLoadConfigDirectory64.Fields.GuardCFCheckFunctionPointer);
                UInt64 guardCFFunctionTable        = (UInt64)loadConfig.GetField(ImageLoadConfigDirectory64.Fields.GuardCFFunctionTable);
                UInt32 guardFlags = (UInt32)loadConfig.GetField(ImageLoadConfigDirectory64.Fields.GuardFlags);

                if (imageDirectorySize >= IMAGE_LOAD_CONFIG_MINIMUM_SIZE_64 &&
                    guardCFCheckFunctionPointer != 0 &&
                    guardCFFunctionTable != 0 &&
                    (guardFlags & IMAGE_GUARD_CF_CHECKS) == IMAGE_GUARD_CF_CHECKS)
                {
                    return(true);
                }
            }
            else
            {
                ImageLoadConfigDirectory32 loadConfig = new ImageLoadConfigDirectory32(peHeader, loadConfigVA);

                Int32  imageDirectorySize          = (Int32)loadConfig.GetField(ImageLoadConfigDirectory32.Fields.Size);
                UInt32 guardCFCheckFunctionPointer = (UInt32)loadConfig.GetField(ImageLoadConfigDirectory32.Fields.GuardCFCheckFunctionPointer);
                UInt32 guardCFFunctionTable        = (UInt32)loadConfig.GetField(ImageLoadConfigDirectory32.Fields.GuardCFFunctionTable);
                UInt32 guardFlags = (UInt32)loadConfig.GetField(ImageLoadConfigDirectory32.Fields.GuardFlags);

                if (imageDirectorySize >= IMAGE_LOAD_CONFIG_MINIMUM_SIZE_32 &&
                    guardCFCheckFunctionPointer != 0 &&
                    guardCFFunctionTable != 0 &&
                    (guardFlags & IMAGE_GUARD_CF_CHECKS) == IMAGE_GUARD_CF_CHECKS)
                {
                    return(true);
                }
            }

            return(false);
        }
Ejemplo n.º 3
0
        public override void Analyze(BinaryAnalyzerContext context)
        {
            PEHeader peHeader = context.PE.PEHeaders.PEHeader;

            /* IMAGE_DLLCHARACTERISTICS_NO_SEH */
            if ((peHeader.DllCharacteristics & DllCharacteristics.NoSeh) == DllCharacteristics.NoSeh)
            {
                // '{0}' is an x86 binary that does not use SEH, making it an invalid
                // target for exploits that attempt to replace SEH jump targets with
                // attacker-controlled shellcode.
                context.Logger.Log(this,
                                   RuleUtilities.BuildResult(ResultKind.Pass, context, null,
                                                             nameof(RuleResources.BA2018_Pass_NoSEH)));
                return;
            }

            // This will not raise false positives for non-C and C++ code, because the above
            // check for IMAGE_DLLCHARACTERISTICS_NO_SEH excludes things that don't actually
            // handle SEH exceptions like .NET ngen'd code.
            if (peHeader.LoadConfigTableDirectory.RelativeVirtualAddress == 0)
            {
                // '{0}' is an x86 binary which does not contain a load configuration table,
                // indicating that it does not enable the SafeSEH mitigation. SafeSEH makes
                // it more difficult to exploit memory corruption vulnerabilities that can
                // overwrite SEH control blocks on the stack, by verifying that the location
                // to which a thrown SEH exception would jump is indeed defined as an
                // exception handler in the source program (and not shellcode). To resolve
                // this issue, supply the /SafeSEH flag on the linker command line. Note
                // that you will need to configure your build system to supply this flag for
                // x86 builds only, as the /SafeSEH flag is invalid when linking for ARM and x64.
                context.Logger.Log(this,
                                   RuleUtilities.BuildResult(ResultKind.Error, context, null,
                                                             nameof(RuleResources.BA2018_Fail),
                                                             RuleResources.BA2018_Fail_NoLoadConfigurationTable));
                return;
            }

            SafePointer sp           = new SafePointer(context.PE.ImageBytes, peHeader.LoadConfigTableDirectory.RelativeVirtualAddress);
            SafePointer loadConfigVA = context.PE.RVA2VA(sp);
            ImageLoadConfigDirectory32 loadConfig = new ImageLoadConfigDirectory32(peHeader, loadConfigVA);

            Int32 seHandlerSize = (Int32)loadConfig.GetField(ImageLoadConfigDirectory32.Fields.Size);

            if (seHandlerSize < 72)
            {
                // contains an unexpectedly small load configuration table {size 0}
                string seHandlerSizeText = String.Format(RuleResources.BA2018_Fail_LoadConfigurationIsTooSmall, seHandlerSize.ToString());

                context.Logger.Log(this,
                                   RuleUtilities.BuildResult(ResultKind.Error, context, null,
                                                             nameof(RuleResources.BA2018_Fail),
                                                             RuleResources.BA2018_Fail_LoadConfigurationIsTooSmall,
                                                             seHandlerSizeText));
                return;
            }

            UInt32 seHandlerTable = (UInt32)loadConfig.GetField(ImageLoadConfigDirectory32.Fields.SEHandlerTable);
            UInt32 seHandlerCount = (UInt32)loadConfig.GetField(ImageLoadConfigDirectory32.Fields.SEHandlerCount);

            if (seHandlerTable == 0 || seHandlerCount == 0)
            {
                string failureKind = null;
                if (seHandlerTable == 0)
                {
                    // has an empty SE handler table in the load configuration table
                    failureKind = RuleResources.BA2018_Fail_EmptySEHandlerTable;
                }
                else if (seHandlerCount == 0)
                {
                    // has zero SE handlers in the load configuration table
                    failureKind = RuleResources.BA2018_Fail_NoSEHandlers;
                }

                // '{0}' is an x86 binary which {1}, indicating that it does not enable the SafeSEH
                // mitigation. SafeSEH makes it more difficult to exploit memory corruption
                // vulnerabilities that can overwrite SEH control blocks on the stack, by verifying
                // that the location to which a thrown SEH exception would jump is indeed defined
                // as an exception handler in the source program (and not shellcode). To resolve
                // this issue, supply the /SafeSEH flag on the linker command line. Note that you
                // will need to configure your build system to supply this flag for x86 builds only,
                // as the /SafeSEH flag is invalid when linking for ARM and x64.
                context.Logger.Log(this,
                                   RuleUtilities.BuildResult(ResultKind.Error, context, null,
                                                             nameof(RuleResources.BA2018_Fail),
                                                             failureKind));
                return;
            }

            // ''{0}' is an x86 binary that enables SafeSEH, a mitigation that verifies SEH exception
            // jump targets are defined as exception handlers in the program (and not shellcode).
            context.Logger.Log(this,
                               RuleUtilities.BuildResult(ResultKind.Pass, context, null,
                                                         nameof(RuleResources.BA2018_Pass)));
        }
Ejemplo n.º 4
0
        public bool GS1Check(PEProp binInfo)
        {
            try
            {
                ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader;
                if (optionalHeader != null)
                {
                    ushort field = (ushort)binInfo.PE.OptionalHeader.GetField(ImageOptionalHeader.Fields.DllCharacteristics);
                    if ((field & 0x400) != 0)
                    {
                        return false;
                    }
                    SafePointer rva = (SafePointer)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.VirtualAddress);
                    if (rva.Address == 0)
                    {
                        return false;
                    }
                    uint DirSize = (uint)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.Size);
                    ImageLoadConfigDirectory32 directory = new ImageLoadConfigDirectory32(binInfo.PE.RVA2VA(rva));
                    int FieldSize = (int)directory.GetField(ImageLoadConfigDirectory32.Fields.Size);
                    if (FieldSize < 0x48)
                    {
                        return false;
                    }
                    uint GSCookieLoc = (uint)directory.GetField(ImageLoadConfigDirectory32.Fields.SecurityCookie);

                    if (GSCookieLoc != 0)
                    {
                        return true;
                    }
                }
                else
                {
                    return false;
                }
            }
            catch (Exception)
            {
                return false;
            }

            return false;
        }
Ejemplo n.º 5
0
 /// <summary>
 /// SafeSEH Check
 /// </summary>
 /// <param name="binInfo"></param>
 /// <returns></returns>
 public bool SafeSEH(PEProp binInfo)
 {
     try
     {
         ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader;
         if (optionalHeader != null)
         {
             ushort field = (ushort)binInfo.PE.OptionalHeader.GetField(ImageOptionalHeader.Fields.DllCharacteristics);
             if ((field & 0x400) != 0)
             {
                 return false;
             }
             SafePointer rva = (SafePointer)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.VirtualAddress);
             if (rva.Address == 0)
             {
                 return false;
             }
             uint DirSize = (uint)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.Size);
             ImageLoadConfigDirectory32 directory = new ImageLoadConfigDirectory32(binInfo.PE.RVA2VA(rva));
             int FieldSize = (int)directory.GetField(ImageLoadConfigDirectory32.Fields.Size);
             if (FieldSize < 0x48)
             {
                 return false;
             }
             uint SEHTable = (uint)directory.GetField(ImageLoadConfigDirectory32.Fields.SEHandlerTable);
             uint SEHTableCount = (uint)directory.GetField(ImageLoadConfigDirectory32.Fields.SEHandlerCount);
             if ((SEHTable != 0) && (SEHTableCount != 0))
             {
                 return true;
             }
             if (SEHTable == 0)
             {
                 return false;
             }
             if (SEHTableCount == 0)
             {
                 return false;
             }
         }
         else
         {
             return false;
         }
     }
     catch (Exception)
     {
         return false;
     }
     return false;
 }
Ejemplo n.º 6
0
        /// <summary>
        /// Size extraction related to MS12-001 size check
        /// </summary>
        /// <param name="binInfo"></param>
        /// <returns></returns>
        public int MS12001Sz(PEProp binInfo)
        {
            try
            {
                ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader;
                if (optionalHeader != null)
                {
                    SafePointer rva = (SafePointer)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.VirtualAddress);
                    if (rva.Address == 0)
                    {
                        return 0;
                    }
                    uint DirSize = (uint)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.Size);

                    ImageLoadConfigDirectory32 directory = new ImageLoadConfigDirectory32(binInfo.PE.RVA2VA(rva));
                    int FieldSize = (int)directory.GetField(ImageLoadConfigDirectory32.Fields.Size);
                    return FieldSize;
                }
                else
                {
                    return 0;
                }
            }
            catch (Exception)
            {
                return 0;
            }
            //return 0;
        }
        private bool Validate32BitImage(BinaryAnalyzerContext context)
        {
            PEHeader    peHeader     = context.PE.PEHeaders.PEHeader;
            SafePointer sp           = new SafePointer(context.PE.ImageBytes, peHeader.LoadConfigTableDirectory.RelativeVirtualAddress);
            SafePointer loadConfigVA = context.PE.RVA2VA(sp);
            ImageLoadConfigDirectory32 loadConfig = new ImageLoadConfigDirectory32(peHeader, loadConfigVA);

            UInt32 cookieVA    = (UInt32)loadConfig.GetField(ImageLoadConfigDirectory32.Fields.SecurityCookie);
            UInt32 baseAddress = (UInt32)peHeader.ImageBase;

            // we need to find the offset in the file based on the cookie's VA
            UInt32        sectionSize, sectionVA = 0;
            SectionHeader ish = new SectionHeader();
            bool          foundCookieSection = false;

            foreach (SectionHeader t in context.PE.PEHeaders.SectionHeaders)
            {
                sectionVA   = (UInt32)t.VirtualAddress + baseAddress;
                sectionSize = (UInt32)t.VirtualSize;
                if ((cookieVA >= sectionVA) &&
                    (cookieVA < sectionVA + sectionSize))
                {
                    ish = t;
                    foundCookieSection = true;
                    break;
                }
            }

            if (!foundCookieSection)
            {
                // '{0}' is a C or C++binary that enables the stack protection feature but the security cookie could not be located. The binary may be corrupted.
                context.Logger.Log(MessageKind.Fail, context,
                                   RuleUtilities.BuildMessage(context,
                                                              RulesResources.DoNotModifyStackProtectionCookie_CouldNotLocateCookie_Fail));
                return(false);
            }

            UInt64      fileCookieOffset = (cookieVA - baseAddress) - (sectionVA - baseAddress) + (UInt32)ish.PointerToRawData;
            SafePointer fileCookiePtr    = loadConfigVA;

            fileCookiePtr.Address = (int)fileCookieOffset;
            UInt32 cookie = BitConverter.ToUInt32(fileCookiePtr.GetBytes(8), 0);

            if (!StackProtectionUtilities.DefaultCookiesX86.Contains(cookie) && context.PE.Machine == Machine.I386)
            {
                // '{0}' is a C or C++ binary that interferes with the stack protector. The
                // stack protector (/GS) is a security feature of the compiler which makes
                // it more difficult to exploit stack buffer overflow memory corruption
                // vulnerabilities. The stack protector relies on a random number, called
                // the "security cookie", to detect these buffer overflows. This 'cookie'
                // is statically linked with your binary from a Visual C++ library in the
                // form of the symbol __security_cookie. On recent Windows versions, the
                // loader looks for the magic statically linked value of this cookie, and
                // initializes the cookie with a far better source of entropy -- the system's
                // secure random number generator -- rather than the limited random number
                // generator available early in the C runtime startup code. When this symbol
                // is not the default value, the additional entropy is not injected by the
                // operating system, reducing the effectiveness of the stack protector. To
                // resolve this issue, ensure that your code does not reference or create a
                // symbol named __security_cookie or __security_cookie_complement. NOTE:
                // the modified cookie value detected was: {1}
                context.Logger.Log(MessageKind.Fail, context,
                                   RuleUtilities.BuildMessage(context,
                                                              RulesResources.DoNotModifyStackProtectionCookie_Fail, cookie.ToString("x")));
                return(false);
            }

            return(true);
        }