/* Copyright 2018-2021 Intel Corporation Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ /*xjslint node: true */ /*xjslint plusplus: true */ /*xjslint maxlen: 256 */ /*jshint node: true */ /*jshint strict: false */ /*jshint esversion: 6 */ "use strict"; const exeJavaScriptGuid = 'B996015880544A19B7F7E9BE44914C18'; const exeMeshPolicyGuid = 'B996015880544A19B7F7E9BE44914C19'; const exeNullPolicyGuid = 'B996015880544A19B7F7E9BE44914C20'; // Changes a Windows Executable to add JavaScript inside of it. // This method will write to destination stream and close it. // // options = { // platform: 'win32' or 'linux', // sourceFileName: 'pathToBinary', // destinationStream: 'outputStream' // js: 'jsContent', // peinfo {} // Optional, if PE header already parsed place it here. // } // module.exports.streamExeWithJavaScript = function (options) { // Check all inputs if (!options.platform) { throw ('platform not specified'); } if (!options.destinationStream) { throw ('destination stream was not specified'); } if (!options.sourceFileName) { throw ('source file not specified'); } if (!options.js) { throw ('js content not specified'); } // If a Windows binary, parse it if not already parsed if ((options.platform == 'win32') && (!options.peinfo)) { options.peinfo = module.exports.parseWindowsExecutable(options.sourceFileName); } // If unsigned Windows or Linux, we merge at the end with the GUID and no padding. if ((options.platform == 'win32' && options.peinfo.CertificateTableAddress == 0) || options.platform != 'win32') { // This is not a signed binary, so we can just send over the EXE then the MSH options.destinationStream.sourceStream = require('fs').createReadStream(options.sourceFileName, { flags: 'r' }); options.destinationStream.sourceStream.options = options; options.destinationStream.sourceStream.on('end', function () { // Once the binary is streamed, write the msh + length + guid in that order. this.options.destinationStream.write(this.options.js); // JS content var sz = Buffer.alloc(4); sz.writeUInt32BE(this.options.js.length, 0); this.options.destinationStream.write(sz); // Length in small endian this.options.destinationStream.end(Buffer.from(exeJavaScriptGuid, 'hex')); // GUID }); // Pipe the entire source binary without ending the stream. options.destinationStream.sourceStream.pipe(options.destinationStream, { end: false }); } else { throw ('js content not specified'); } }; // Changes a Windows Executable to add the MSH inside of it. // This method will write to destination stream and close it. // // options = { // platform: 'win32' or 'linux', // sourceFileName: 'pathToBinary', // destinationStream: 'outputStream' // msh: 'mshContent', // randomPolicy: true, // Set is the MSH contains random data // peinfo {} // Optional, if PE header already parsed place it here. // } // module.exports.streamExeWithMeshPolicy = function (options) { // Check all inputs if (!options.platform) { throw ('platform not specified'); } if (!options.destinationStream) { throw ('destination stream was not specified'); } if (!options.sourceFileName) { throw ('source file not specified'); } if (!options.msh) { throw ('msh content not specified'); } options.mshbuf = Buffer.from(options.msh, 'utf8'); // If a Windows binary, parse it if not already parsed if ((options.platform == 'win32') && (!options.peinfo)) { options.peinfo = module.exports.parseWindowsExecutable(options.sourceFileName); } // If unsigned Windows or Linux, we merge at the end with the GUID and no padding. if ((options.platform == 'win32' && options.peinfo.CertificateTableAddress == 0) || options.platform != 'win32') { // This is not a signed binary, so we can just send over the EXE then the MSH options.destinationStream.sourceStream = require('fs').createReadStream(options.sourceFileName, { flags: 'r' }); options.destinationStream.sourceStream.options = options; options.destinationStream.sourceStream.on('end', function () { // Once the binary is streamed, write the msh + length + guid in that order. this.options.destinationStream.write(this.options.mshbuf); // MSH var sz = Buffer.alloc(4); sz.writeUInt32BE(this.options.mshbuf.length, 0); this.options.destinationStream.write(sz); // Length in small endian this.options.destinationStream.end(Buffer.from((this.options.randomPolicy === true) ? exeNullPolicyGuid : exeMeshPolicyGuid, 'hex')); // Guid }); // Pipe the entire source binary without ending the stream. options.destinationStream.sourceStream.pipe(options.destinationStream, { end: false }); } else if (options.platform == 'win32' && options.peinfo.CertificateTableAddress != 0) { // Read up to the certificate table size and stream that out options.destinationStream.sourceStream = require('fs').createReadStream(options.sourceFileName, { flags: 'r', start: 0, end: options.peinfo.CertificateTableSizePos - 1 }); options.destinationStream.sourceStream.mshPadding = (8 - ((options.peinfo.certificateDwLength + options.mshbuf.length + 20) % 8)) % 8; // Compute the padding with quad-align options.destinationStream.sourceStream.CertificateTableSize = (options.peinfo.CertificateTableSize + options.mshbuf.length + 20 + options.destinationStream.sourceStream.mshPadding); // Add to the certificate table size options.destinationStream.sourceStream.certificateDwLength = (options.peinfo.certificateDwLength + options.mshbuf.length + 20 + options.destinationStream.sourceStream.mshPadding); // Add to the certificate size options.destinationStream.sourceStream.options = options; options.destinationStream.sourceStream.on('end', function () { // We sent up to the CertificateTableSize, now we need to send the updated certificate table size var sz = Buffer.alloc(4); sz.writeUInt32LE(this.CertificateTableSize, 0); this.options.destinationStream.write(sz); // New cert table size // Stream everything up to the start of the certificate table entry var source2 = require('fs').createReadStream(options.sourceFileName, { flags: 'r', start: this.options.peinfo.CertificateTableSizePos + 4, end: this.options.peinfo.CertificateTableAddress - 1 }); source2.options = this.options; source2.mshPadding = this.mshPadding; source2.certificateDwLength = this.certificateDwLength; source2.on('end', function () { // We've sent up to the Certificate DWLength, which we need to update var sz = Buffer.alloc(4); sz.writeUInt32LE(this.certificateDwLength, 0); this.options.destinationStream.write(sz); // New certificate length // Stream the entire binary until the end var source3 = require('fs').createReadStream(options.sourceFileName, { flags: 'r', start: this.options.peinfo.CertificateTableAddress + 4 }); source3.options = this.options; source3.mshPadding = this.mshPadding; source3.on('end', function () { // We've sent the entire binary... Now send: Padding + MSH + MSHLength + GUID if (this.mshPadding > 0) { this.options.destinationStream.write(Buffer.alloc(this.mshPadding)); } // Padding this.options.destinationStream.write(this.options.mshbuf); // MSH content var sz = Buffer.alloc(4); sz.writeUInt32BE(this.options.mshbuf.length, 0); this.options.destinationStream.write(sz); // MSH Length, small-endian this.options.destinationStream.end(Buffer.from((this.options.randomPolicy === true) ? exeNullPolicyGuid : exeMeshPolicyGuid, 'hex')); // Guid }); source3.pipe(this.options.destinationStream, { end: false }); this.options.sourceStream = source3; }); source2.pipe(this.options.destinationStream, { end: false }); this.options.destinationStream.sourceStream = source2; }); options.destinationStream.sourceStream.pipe(options.destinationStream, { end: false }); } }; // Return information about this executable // This works only on Windows binaries module.exports.parseWindowsExecutable = function (exePath) { var retVal = {}; var fs = require('fs'); var fd = fs.openSync(exePath, 'r'); var bytesRead; var dosHeader = Buffer.alloc(64); var ntHeader = Buffer.alloc(24); var optHeader; var numRVA; // Read the DOS header bytesRead = fs.readSync(fd, dosHeader, 0, 64, 0); if (dosHeader.readUInt16LE(0).toString(16).toUpperCase() != '5A4D') { throw ('unrecognized binary format'); } // Read the NT header bytesRead = fs.readSync(fd, ntHeader, 0, ntHeader.length, dosHeader.readUInt32LE(60)); if (ntHeader.slice(0, 4).toString('hex') != '50450000') { throw ('not a PE file'); } switch (ntHeader.readUInt16LE(4).toString(16)) { case '14c': // 32 bit retVal.format = 'x86'; break; case '8664': // 64 bit retVal.format = 'x64'; break; default: // Unknown retVal.format = undefined; break; } retVal.optionalHeaderSize = ntHeader.readUInt16LE(20); retVal.optionalHeaderSizeAddress = dosHeader.readUInt32LE(60) + 20; // Read the optional header optHeader = Buffer.alloc(ntHeader.readUInt16LE(20)); bytesRead = fs.readSync(fd, optHeader, 0, optHeader.length, dosHeader.readUInt32LE(60) + 24); retVal.CheckSumPos = dosHeader.readUInt32LE(60) + 24 + 64; retVal.SizeOfCode = optHeader.readUInt32LE(4); retVal.SizeOfInitializedData = optHeader.readUInt32LE(8); retVal.SizeOfUnInitializedData = optHeader.readUInt32LE(12); switch (optHeader.readUInt16LE(0).toString(16).toUpperCase()) { case '10B': // 32 bit binary numRVA = optHeader.readUInt32LE(92); retVal.CertificateTableAddress = optHeader.readUInt32LE(128); retVal.CertificateTableSize = optHeader.readUInt32LE(132); retVal.CertificateTableSizePos = dosHeader.readUInt32LE(60) + 24 + 132; retVal.rvaStartAddress = dosHeader.readUInt32LE(60) + 24 + 96; break; case '20B': // 64 bit binary numRVA = optHeader.readUInt32LE(108); retVal.CertificateTableAddress = optHeader.readUInt32LE(144); retVal.CertificateTableSize = optHeader.readUInt32LE(148); retVal.CertificateTableSizePos = dosHeader.readUInt32LE(60) + 24 + 148; retVal.rvaStartAddress = dosHeader.readUInt32LE(60) + 24 + 112; break; default: throw ('Unknown Value found for Optional Magic: ' + ntHeader.readUInt16LE(24).toString(16).toUpperCase()); } retVal.rvaCount = numRVA; if (retVal.CertificateTableAddress) { // Read the authenticode certificate, only one cert (only the first entry) var hdr = Buffer.alloc(8); fs.readSync(fd, hdr, 0, hdr.length, retVal.CertificateTableAddress); retVal.certificate = Buffer.alloc(hdr.readUInt32LE(0)); fs.readSync(fd, retVal.certificate, 0, retVal.certificate.length, retVal.CertificateTableAddress + hdr.length); retVal.certificate = retVal.certificate.toString('base64'); retVal.certificateDwLength = hdr.readUInt32LE(0); } fs.closeSync(fd); return (retVal); }; // // Hash a executable file. Works on both Windows and Linux. // On Windows, will hash so that signature or .msh addition will not change the hash. Adding a .js on un-signed executable will change the hash. // // options = { // sourcePath: Executable Path // targetStream: Hashing Stream // platform: Optional. Same value as process.platform ('win32' | 'linux' | 'darwin') // } // module.exports.hashExecutableFile = function (options) { if (!options.sourcePath || !options.targetStream) { throw ('Please specify sourcePath and targetStream'); } var fs = require('fs'); // If not specified, try to determine platform type if (!options.platform) { try { // If we can parse the executable, we know it's windows. options.peinfo = module.exports.parseWindowsExecutable(options.sourcePath); options.platform = 'win32'; } catch (e) { options.platform = 'other'; } } // Setup initial state options.state = { endIndex: 0, checkSumIndex: 0, tableIndex: 0, stats: fs.statSync(options.sourcePath) }; if (options.platform == 'win32') { if (options.peinfo.CertificateTableAddress != 0) { options.state.endIndex = options.peinfo.CertificateTableAddress; } options.state.tableIndex = options.peinfo.CertificateTableSizePos - 4; options.state.checkSumIndex = options.peinfo.CheckSumPos; } if (options.state.endIndex == 0) { // We just need to check for Embedded MSH file var fd = fs.openSync(options.sourcePath, 'r'); var guid = Buffer.alloc(16); var bytesRead; bytesRead = fs.readSync(fd, guid, 0, guid.length, options.state.stats.size - 16); if (guid.toString('hex') == exeMeshPolicyGuid) { bytesRead = fs.readSync(fd, guid, 0, 4, options.state.stats.size - 20); options.state.endIndex = options.state.stats.size - 20 - guid.readUInt32LE(0); } else { options.state.endIndex = options.state.stats.size; } fs.closeSync(fd); } // Linux does not have a checksum if (options.state.checkSumIndex != 0) { // Windows options.state.source = fs.createReadStream(options.sourcePath, { flags: 'r', start: 0, end: options.state.checkSumIndex - 1 }); options.state.source.on('end', function () { options.targetStream.write(Buffer.alloc(4)); var source = fs.createReadStream(options.sourcePath, { flags: 'r', start: options.state.checkSumIndex + 4, end: options.state.tableIndex - 1 }); source.on('end', function () { options.targetStream.write(Buffer.alloc(8)); var source = fs.createReadStream(options.sourcePath, { flags: 'r', start: options.state.tableIndex + 8, end: options.state.endIndex - 1 }); options.state.source = source; options.state.source.pipe(options.targetStream); }); options.state.source = source; options.state.source.pipe(options.targetStream, { end: false }); }); options.state.source.pipe(options.targetStream, { end: false }); } else { // Linux options.state.source = fs.createReadStream(options.sourcePath, { flags: 'r', start: 0, end: options.state.endIndex - 1 }); options.state.source.pipe(options.targetStream); } };