Improving NDR packing for some easy to fix corner cases

Author: hakril

windows/rpc/ndr.py

@@ -266,6 +266,11 @@ def unpack(self, stream):
         rawguid = stream.partial_unpack("16s")[0]
         return gdef.IID.from_buffer_copy(rawguid)
 
+    @classmethod
+    def get_alignment(self):
+        return 1
+
+
 class NdrContextHandle(object):
     @classmethod
     def pack(cls, data):
@@ -278,6 +283,11 @@ def unpack(self, stream):
         attributes, rawguid = stream.partial_unpack("<I16s")
         return gdef.IID.from_buffer_copy(rawguid)
 
+    @classmethod
+    def get_alignment(self):
+        return 4
+
+
 
 class NdrStructure(object):
     """a NDR structure that tries to respect the rules of pointer packing, this class should be subclassed with
@@ -298,15 +308,19 @@ def pack(cls, data):
         res_size = 0
         pointed = []
         outstream = NdrWriteStream()
+        pointed_to_pack = []
+        # pointedoutstream = NdrWriteStream()
         for i, (member, memberdata) in enumerate(zip(cls.MEMBERS, data)):
             if hasattr(member, "pack_in_struct"):
                 x, y = member.pack_in_struct(memberdata, i)
-                outstream.align(member.get_alignment())
+                assert len(x) == 4, "Pointer should be size 4"
+                # Write the pointer
+                outstream.align(4)
                 outstream.write(x)
-                # res.append(x)
-                # res_size += len(x)
                 if y is not None:
-                    pointed.append(y)
+                    # Store the info to the pointed to pack
+                    pointed_to_pack.append((member.subcls.get_alignment(), y))
+                    # pointedoutstream.write(y)
             elif hasattr(member, "pack_conformant"):
                 size, data = member.pack_conformant(memberdata)
                 outstream.align(member.get_alignment())
@@ -318,7 +332,11 @@ def pack(cls, data):
                 packed_member = member.pack(memberdata)
                 outstream.align(member.get_alignment())
                 outstream.write(packed_member)
-        return dword_pad(b"".join(conformant_size)) + outstream.get_data() + dword_pad(b"".join(pointed))
+        # Pack the pointed to the stream
+        for alignement, pointed_data in pointed_to_pack:
+            outstream.align(alignement)
+            outstream.write(pointed_data)
+        return dword_pad(b"".join(conformant_size)) + outstream.get_data()
 
     @classmethod
     def unpack(cls, stream):

windows/wintrust.py

@@ -66,7 +66,8 @@ def check_signature(filename):
     win_trust_data.pPolicyCallbackData = None
     win_trust_data.pSIPClientData = None
     win_trust_data.dwUIChoice = WTD_UI_NONE
-    win_trust_data.fdwRevocationChecks = WTD_REVOKE_NONE
+    # win_trust_data.fdwRevocationChecks = WTD_REVOKE_NONE
+    win_trust_data.fdwRevocationChecks = WTD_REVOKE_WHOLECHAIN
     win_trust_data.dwUnionChoice = WTD_CHOICE_FILE
     win_trust_data.dwStateAction = WTD_STATEACTION_VERIFY
     win_trust_data.hWVTStateData = None
@@ -119,6 +120,28 @@ def get_file_hash(filename):
         raise
     return buffer
 
+def get_file_hash2(filename): #POC: name/API will change/disapear
+    f = open(filename, "rb")
+    handle = windows.utils.get_handle_from_file(f)
+
+    cathand = HANDLE()
+    h = winproxy.CryptCATAdminAcquireContext2(cathand, None, "SHA256", None, 0)
+    print(cathand)
+
+    size = DWORD(0)
+    x = winproxy.CryptCATAdminCalcHashFromFileHandle2(cathand, handle, ctypes.byref(size), None, 0)
+    buffer = (BYTE * size.value)()
+    try:
+        x = winproxy.CryptCATAdminCalcHashFromFileHandle2(cathand, handle, ctypes.byref(size), buffer, 0)
+    except WindowsError as e:
+        if e.winerror == 1006:
+            # CryptCATAdminCalcHashFromFileHandle: [Error 1006]
+            # The volume for a file has been externally altered so that the opened file is no longer valid.
+            # (returned for empty file)
+            return None
+        raise
+    return buffer
+
 
 def get_catalog_name_from_handle(handle):
     cat_info = CATALOG_INFO()