Better Codedirectory Parsing and Added Requirements(_Code) Parsing

[abpolym]

The current CodeDirectory Parsing is not sufficient.

I used freely accessible information from the opensourced source code:

• http://www.opensource.apple.com/source/Security/Security-55179.13/libsecurity_codesigning/lib/codedirectory.h (SpecialSlots)
• http://www.opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/sys/codesign.h (CodeDirectory Structure, Magic Numbers)
• http://www.opensource.apple.com/source/security_systemkeychain/security_systemkeychain-55119/src/cs_dump.cpp
• http://www.opensource.apple.com/source/security_systemkeychain/security_systemkeychain-39457/src/codesign.cpp
  Tested on OS X

You have to modify the Parser, though.

My current Parser Version looks like this:

[...]
        if sig['type'] == MachOEntity.CODE_DIRECTORY:
            print "        [-] Length: %s" % sig['length']
            print "        [-] Version: %s" % sig['version']
            print "        [+] nSpecialSlots: %s" % sig['nSpecialSlots']
            for (slotname, hash) in sig['specialSlots']:
                print "          [-] %s: %s" % (slotname, hash)
            print "        [+] nCodeSlots: %s" % sig['nCodeSlots']
            for (slotname, hash) in sig['codeSlots']:
                print "          [-] %s: %s" % (slotname, hash)
            print "        [-] Identifier: %s" % sig['identifier']
            print "        [-] Hash type: %s" % sig['hashtype']
            print "        [-] Hash: %s" % sig['hash']
[...]

Edit: I've also implemented requirements parsing.

Source Code:

• https://opensource.apple.com/source/libsecurity_codesigning/libsecurity_codesigning-55032/lib/requirement.h
• http://opensource.apple.com/source/libsecurity_codesigning/libsecurity_codesigning-55032/lib/reqreader.cpp
• https://opensource.apple.com/source/libsecurity_codesigning/libsecurity_codesigning-55032/lib/reqdumper.cpp

The Parser Version thus looks like this:

        if sig['type'] == MachOEntity.REQUIREMENT_SET:
            print "        [+] nRequirements"
            for r in sig['requirements']:
                for e in r['requirement']:
                    print "          [-] %s => %s" % (r['type'], e['expr'])

The Requirements Parsing still needs a lot of boundary checks and some parsing for the OP_CERTGENERIC and OP_CERTPOLICY is missing (and breaks the parsing if it is encountered)

Match expressions also don't seem to work right now.

[mgoffin]

I'll try to get to checking this out when I can :) When you say you had to modify the Parser, which parser are you referring to? Is that something you have to do on top of accepting these changes to make stuff work?

[abpolym]

What I mean is this script - you have to edit this file if you want to display the information that can be extracted using the new Parser methods. I mixed up some terminology here. The stuff I implemented works so far, however it still has some flaws (mentioned above) that I or someone else has to fix or have a look into. I can try to add it in the coming days, but I got a lot of other workload that I have to finish first.

[mgoffin]

Sorry this took ages to get back to. I can run this and I do get some output. But it errors out and in the log it says Error running service: 'ver'. Any ideas?

[abpolym]

@mgoffin Can you give me the/an example MACH-O file, in which this error occurs, for me to reproduce?

[mgoffin]

I believe i used /bin/ls