
feature 6401: authenticode table with catalog file info #6677

Merged: 4 commits, Oct 1, 2020

Conversation

farfella
Contributor

Fix for #6401. The Authenticode table will now show signature information for files which are not themselves signed, but whose hashes are in a signed system catalog file.

Member

@theopolis theopolis left a comment


I'm not familiar with Windows or these APIs. Is there an example local test run that demonstrates this is working?

@@ -125,6 +126,49 @@ void generateRow(Row& row, const SignatureInformation& signature_info) {
}
}

bool getCatalogPathForFilePath(const std::wstring path,
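Review bot: the new `getCatalogPathForFilePath` signature takes `const std::wstring path` by value, which copies the wide string on every call; pass it as `const std::wstring& path`, matching the `const SignatureInformation& signature_info` parameter visible in the hunk header. A short doc comment on what a `false` return means (no catalog contains the file's hash versus a failed API call) would also help, since the code populating the authenticode row needs to tell an unsigned file from a lookup error.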
Member


I think this should be passed by const reference too.

Contributor Author


Sure, updated. Compiler will optimize these cases. Modern compilers have made me lazy. :)

@theopolis theopolis merged commit ecc5403 into osquery:master Oct 1, 2020
@theopolis
Member

Thanks a ton!

@farfella
Contributor Author

farfella commented Oct 1, 2020

Sure thing. For some reason, I didn't receive a notification for your first comment. To answer that specific question: if you query for notepad.exe, you'll now see the catalog signature information. For example,

osquery> select * from authenticode where path='c:\windows\system32\notepad.exe';
+---------------------------------+-----------------------+----------------------------------------+---------------------------------------+-------------------+---------+
| path                            | original_program_name | serial_number                          | issuer_name                           | subject_name      | result  |
+---------------------------------+-----------------------+----------------------------------------+---------------------------------------+-------------------+---------+
| c:\windows\system32\notepad.exe |                       | 330000026551ae1bbd005cbfbd000000000265 | Microsoft Windows Production PCA 2011 | Microsoft Windows | trusted |
+---------------------------------+-----------------------+----------------------------------------+---------------------------------------+-------------------+---------+

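As an added cross-check (not code from this PR or from osquery), the same file can be inspected from PowerShell, where Get-AuthenticodeSignature reports SignatureType 'Catalog' for a file whose hash is only present in a signed catalog rather than in the PE itself; the directory and filter parameters are assumptions for illustration, and the directory sweep goes beyond the single-file query above.

```powershell
# Added example, not osquery's own code. Compares what the authenticode table
# reports with Windows' own catalog-aware signature check.
# Assumed inputs: a directory to sweep and a filename filter.
param(
    [string]$Directory = 'C:\Windows\System32',
    [string]$Filter = '*.exe'
)

function Get-SignatureSummary {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        SignatureType = $sig.SignatureType   # Authenticode (embedded), Catalog, Unknown
        IsOSBinary    = $sig.IsOSBinary
        Subject       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Serial        = if ($sig.SignerCertificate) { $sig.SignerCertificate.SerialNumber } else { '' }
    }
}

# Single file, matching the query in the thread: expect Status Valid and
# SignatureType Catalog, since notepad.exe carries no embedded signature.
Get-SignatureSummary -Path (Join-Path $Directory 'notepad.exe') | Format-List

# Whole directory: anything that is neither embedded- nor catalog-signed, or whose
# hash no longer matches its signature, is worth a closer look.
$results = Get-ChildItem -Path $Directory -Filter $Filter -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SignatureSummary -Path $_.FullName }

$results | Group-Object SignatureType, Status | Select-Object Count, Name | Format-Table -AutoSize
$results | Where-Object { $_.Status -ne 'Valid' } | Format-Table Path, Status, SignatureType -AutoSize
```

Serial is the signer certificate's serial number as .NET formats it (hex; its case may differ from osquery's serial_number column), which lets the two outputs be matched per file.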
@farfella farfella deleted the feature-6401 branch October 1, 2020 01:11
aikuchin pushed a commit to aikuchin/osquery that referenced this pull request Jul 11, 2023