exeHandler_8js_source.html

/*

Copyright 2018-2022 Intel Corporation


Licensed under the Apache License, Version 2.0 (the "License");

you may not use this file except in compliance with the License.

You may obtain a copy of the License at


    http://www.apache.org/licenses/LICENSE-2.0


Unless required by applicable law or agreed to in writing, software

distributed under the License is distributed on an "AS IS" BASIS,

WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

See the License for the specific language governing permissions and

limitations under the License.

*/


/*xjslint node: true */

/*xjslint plusplus: true */

/*xjslint maxlen: 256 */

/*jshint node: true */

/*jshint strict: false */

/*jshint esversion: 6 */

"use strict";


const exeJavaScriptGuid = 'B996015880544A19B7F7E9BE44914C18';

const exeMeshPolicyGuid = 'B996015880544A19B7F7E9BE44914C19';

const exeNullPolicyGuid = 'B996015880544A19B7F7E9BE44914C20';


// Changes a Windows Executable to add JavaScript inside of it.

// This method will write to destination stream and close it.

//

// options = {

//   platform: 'win32' or 'linux',

//   sourceFileName: 'pathToBinary',

//   destinationStream: 'outputStream'

//   js: 'jsContent',

//   peinfo {} // Optional, if PE header already parsed place it here.

// }

//

module.exports.streamExeWithJavaScript = function (options) {

    // Check all inputs

    if (!options.platform) { throw ('platform not specified'); }

    if (!options.destinationStream) { throw ('destination stream was not specified'); }

    if (!options.sourceFileName) { throw ('source file not specified'); }

    if (!options.js) { throw ('js content not specified'); }


    // If a Windows binary, parse it if not already parsed

    if ((options.platform == 'win32') && (!options.peinfo)) { options.peinfo = module.exports.parseWindowsExecutable(options.sourceFileName); }


    // If unsigned Windows or Linux, we merge at the end with the GUID and no padding.

    if (((options.platform == 'win32') && (options.peinfo.CertificateTableAddress == 0)) || (options.platform != 'win32')) {

        // This is not a signed binary, so we can just send over the EXE then the MSH

        options.destinationStream.sourceStream = require('fs').createReadStream(options.sourceFileName, { flags: 'r' });

        options.destinationStream.sourceStream.options = options;

        options.destinationStream.sourceStream.on('end', function () {

            // Once the binary is streamed, write the msh + length + guid in that order.

            this.options.destinationStream.write(this.options.js); // JS content

            var sz = Buffer.alloc(4);

            sz.writeUInt32BE(this.options.js.length, 0);

            this.options.destinationStream.write(sz); // Length in small endian

            this.options.destinationStream.end(Buffer.from(exeJavaScriptGuid, 'hex')); // GUID

        });

        // Pipe the entire source binary without ending the stream.

        options.destinationStream.sourceStream.pipe(options.destinationStream, { end: false });

    } else {

        throw ('streamExeWithJavaScript(): Cannot stream JavaScript with signed executable.');

    }

};


// Changes a Windows Executable to add the MSH inside of it.

// This method will write to destination stream and close it.

//

// options = {

//   platform: 'win32' or 'linux',

//   sourceFileName: 'pathToBinary',

//   destinationStream: 'outputStream'

//   msh: 'mshContent',

//   randomPolicy: true, // Set is the MSH contains random data

//   peinfo {} // Optional, if PE header already parsed place it here.

// }

//

module.exports.streamExeWithMeshPolicy = function (options) {

    // Check all inputs

    if (!options.platform) { throw ('platform not specified'); }

    if (!options.destinationStream) { throw ('destination stream was not specified'); }

    if (!options.sourceFileName) { throw ('source file not specified'); }

    if (!options.msh) { throw ('msh content not specified'); }

    options.mshbuf = Buffer.from(options.msh, 'utf8');


    // If a Windows binary, parse it if not already parsed

    if ((options.platform == 'win32') && (!options.peinfo)) { options.peinfo = module.exports.parseWindowsExecutable(options.sourceFileName); }


    // If unsigned Windows or Linux, we merge at the end with the GUID and no padding.

    if ((options.platform == 'win32' && options.peinfo.CertificateTableAddress == 0) || options.platform != 'win32') {

        // This is not a signed binary, so we can just send over the EXE then the MSH

        options.destinationStream.sourceStream = require('fs').createReadStream(options.sourceFileName, { flags: 'r' });

        options.destinationStream.sourceStream.options = options;

        options.destinationStream.sourceStream.on('end', function () {

            // Once the binary is streamed, write the msh + length + guid in that order.

            this.options.destinationStream.write(this.options.mshbuf); // MSH

            var sz = Buffer.alloc(4);

            sz.writeUInt32BE(this.options.mshbuf.length, 0);

            this.options.destinationStream.write(sz); // Length in small endian

            this.options.destinationStream.end(Buffer.from((this.options.randomPolicy === true) ? exeNullPolicyGuid : exeMeshPolicyGuid, 'hex'));  // Guid

        });

        // Pipe the entire source binary without ending the stream.

        options.destinationStream.sourceStream.pipe(options.destinationStream, { end: false });

    } else if (options.platform == 'win32' && options.peinfo.CertificateTableAddress != 0) {

        // Read up to the certificate table size and stream that out

        options.destinationStream.sourceStream = require('fs').createReadStream(options.sourceFileName, { flags: 'r', start: 0, end: options.peinfo.CertificateTableSizePos - 1 });

        options.destinationStream.sourceStream.mshPadding = (8 - ((options.peinfo.certificateDwLength + options.mshbuf.length + 20) % 8)) % 8; // Compute the padding with quad-align

        options.destinationStream.sourceStream.CertificateTableSize = (options.peinfo.CertificateTableSize + options.mshbuf.length + 20 + options.destinationStream.sourceStream.mshPadding); // Add to the certificate table size

        options.destinationStream.sourceStream.certificateDwLength = (options.peinfo.certificateDwLength + options.mshbuf.length + 20 + options.destinationStream.sourceStream.mshPadding); // Add to the certificate size

        options.destinationStream.sourceStream.options = options;


        options.destinationStream.sourceStream.on('end', function () {

            // We sent up to the CertificateTableSize, now we need to send the updated certificate table size

            var sz = Buffer.alloc(4);

            sz.writeUInt32LE(this.CertificateTableSize, 0);

            this.options.destinationStream.write(sz); // New cert table size


            // Stream everything up to the start of the certificate table entry

            var source2 = require('fs').createReadStream(options.sourceFileName, { flags: 'r', start: this.options.peinfo.CertificateTableSizePos + 4, end: this.options.peinfo.CertificateTableAddress - 1 });

            source2.options = this.options;

            source2.mshPadding = this.mshPadding;

            source2.certificateDwLength = this.certificateDwLength;

            source2.on('end', function () {

                // We've sent up to the Certificate DWLength, which we need to update

                var sz = Buffer.alloc(4);

                sz.writeUInt32LE(this.certificateDwLength, 0);

                this.options.destinationStream.write(sz); // New certificate length


                // Stream the entire binary until the end

                var source3 = require('fs').createReadStream(options.sourceFileName, { flags: 'r', start: this.options.peinfo.CertificateTableAddress + 4 });

                source3.options = this.options;

                source3.mshPadding = this.mshPadding;

                source3.on('end', function () {

                    // We've sent the entire binary... Now send: Padding + MSH + MSHLength + GUID

                    if (this.mshPadding > 0) { this.options.destinationStream.write(Buffer.alloc(this.mshPadding)); } // Padding

                    this.options.destinationStream.write(this.options.mshbuf); // MSH content

                    var sz = Buffer.alloc(4);

                    sz.writeUInt32BE(this.options.mshbuf.length, 0);

                    this.options.destinationStream.write(sz); // MSH Length, small-endian

                    this.options.destinationStream.end(Buffer.from((this.options.randomPolicy === true) ? exeNullPolicyGuid : exeMeshPolicyGuid, 'hex')); // Guid

                });

                source3.pipe(this.options.destinationStream, { end: false });

                this.options.sourceStream = source3;

            });

            source2.pipe(this.options.destinationStream, { end: false });

            this.options.destinationStream.sourceStream = source2;

        });

        options.destinationStream.sourceStream.pipe(options.destinationStream, { end: false });

    }

};


// Return information about this executable

// This works only on Windows binaries

module.exports.parseWindowsExecutable = function (exePath) {

    var retVal = {};

    var fs = require('fs');

    var fd = fs.openSync(exePath, 'r');

    var bytesRead;

    var dosHeader = Buffer.alloc(64);

    var ntHeader = Buffer.alloc(24);

    var optHeader;

    var numRVA;


    // Read the DOS header

    bytesRead = fs.readSync(fd, dosHeader, 0, 64, 0);

    if (dosHeader.readUInt16LE(0).toString(16).toUpperCase() != '5A4D') { throw ('unrecognized binary format'); }


    // Read the NT header

    bytesRead = fs.readSync(fd, ntHeader, 0, ntHeader.length, dosHeader.readUInt32LE(60));

    if (ntHeader.slice(0, 4).toString('hex') != '50450000') {

        throw ('not a PE file');

    }

    switch (ntHeader.readUInt16LE(4).toString(16)) {

        case '14c': // 32 bit

            retVal.format = 'x86';

            break;

        case '8664': // 64 bit

            retVal.format = 'x64';

            break;

        default: // Unknown

            retVal.format = undefined;

            break;

    }


    retVal.optionalHeaderSize = ntHeader.readUInt16LE(20);

    retVal.optionalHeaderSizeAddress = dosHeader.readUInt32LE(60) + 20;


    // Read the optional header

    optHeader = Buffer.alloc(ntHeader.readUInt16LE(20));

    bytesRead = fs.readSync(fd, optHeader, 0, optHeader.length, dosHeader.readUInt32LE(60) + 24);


    retVal.CheckSumPos = dosHeader.readUInt32LE(60) + 24 + 64;

    retVal.SizeOfCode = optHeader.readUInt32LE(4);

    retVal.SizeOfInitializedData = optHeader.readUInt32LE(8);

    retVal.SizeOfUnInitializedData = optHeader.readUInt32LE(12);


    switch (optHeader.readUInt16LE(0).toString(16).toUpperCase()) {

        case '10B': // 32 bit binary

            numRVA = optHeader.readUInt32LE(92);

            retVal.CertificateTableAddress = optHeader.readUInt32LE(128);

            retVal.CertificateTableSize = optHeader.readUInt32LE(132);

            retVal.CertificateTableSizePos = dosHeader.readUInt32LE(60) + 24 + 132;

            retVal.rvaStartAddress = dosHeader.readUInt32LE(60) + 24 + 96;

            break;

        case '20B': // 64 bit binary

            numRVA = optHeader.readUInt32LE(108);

            retVal.CertificateTableAddress = optHeader.readUInt32LE(144);

            retVal.CertificateTableSize = optHeader.readUInt32LE(148);

            retVal.CertificateTableSizePos = dosHeader.readUInt32LE(60) + 24 + 148;

            retVal.rvaStartAddress = dosHeader.readUInt32LE(60) + 24 + 112;

            break;

        default:

            throw ('Unknown Value found for Optional Magic: ' + ntHeader.readUInt16LE(24).toString(16).toUpperCase());

    }

    retVal.rvaCount = numRVA;


    if (retVal.CertificateTableAddress) {

        // Read the authenticode certificate, only one cert (only the first entry)

        var hdr = Buffer.alloc(8);

        fs.readSync(fd, hdr, 0, hdr.length, retVal.CertificateTableAddress);

        retVal.certificate = Buffer.alloc(hdr.readUInt32LE(0));

        fs.readSync(fd, retVal.certificate, 0, retVal.certificate.length, retVal.CertificateTableAddress + hdr.length);

        retVal.certificate = retVal.certificate.toString('base64');

        retVal.certificateDwLength = hdr.readUInt32LE(0);

    }

    fs.closeSync(fd);

    return (retVal);

};


//

// Hash a executable file. Works on both Windows and Linux.

// On Windows, will hash so that signature or .msh addition will not change the hash. Adding a .js on un-signed executable will change the hash.

//

// options = {

//   sourcePath: <string> Executable Path

//   targetStream: <stream.writeable> Hashing Stream

//   platform: <string> Optional. Same value as process.platform ('win32' | 'linux' | 'darwin')

// }

//

module.exports.hashExecutableFile = function (options) {

    if (!options.sourcePath || !options.targetStream) { throw ('Please specify sourcePath and targetStream'); }

    var fs = require('fs');


    // If not specified, try to determine platform type

    if (!options.platform) {

        try {

            // If we can parse the executable, we know it's windows.

            options.peinfo = module.exports.parseWindowsExecutable(options.sourcePath);

            options.platform = 'win32';

        } catch (e) {

            options.platform = 'other';

        }

    }


    // Setup initial state

    options.state = { endIndex: 0, checkSumIndex: 0, tableIndex: 0, stats: fs.statSync(options.sourcePath) };


    if (options.platform == 'win32') {

        if (options.peinfo.CertificateTableAddress != 0) { options.state.endIndex = options.peinfo.CertificateTableAddress; }

        options.state.tableIndex = options.peinfo.CertificateTableSizePos - 4;

        options.state.checkSumIndex = options.peinfo.CheckSumPos;

    }


    if (options.state.endIndex == 0) {

        // We just need to check for Embedded MSH file

        var fd = fs.openSync(options.sourcePath, 'r');

        var guid = Buffer.alloc(16);

        var bytesRead;


        bytesRead = fs.readSync(fd, guid, 0, guid.length, options.state.stats.size - 16);

        if (guid.toString('hex') == exeMeshPolicyGuid) {

            bytesRead = fs.readSync(fd, guid, 0, 4, options.state.stats.size - 20);

            options.state.endIndex = options.state.stats.size - 20 - guid.readUInt32LE(0);

        } else {

            options.state.endIndex = options.state.stats.size;

        }

        fs.closeSync(fd);

    }


    // Linux does not have a checksum

    if (options.state.checkSumIndex != 0) {

        // Windows

        options.state.source = fs.createReadStream(options.sourcePath, { flags: 'r', start: 0, end: options.state.checkSumIndex - 1 });

        options.state.source.on('end', function () {

            options.targetStream.write(Buffer.alloc(4));

            var source = fs.createReadStream(options.sourcePath, { flags: 'r', start: options.state.checkSumIndex + 4, end: options.state.tableIndex - 1 });

            source.on('end', function () {

                options.targetStream.write(Buffer.alloc(8));

                var source = fs.createReadStream(options.sourcePath, { flags: 'r', start: options.state.tableIndex + 8, end: options.state.endIndex - 1 });

                options.state.source = source;

                options.state.source.pipe(options.targetStream);

            });

            options.state.source = source;

            options.state.source.pipe(options.targetStream, { end: false });

        });

        options.state.source.pipe(options.targetStream, { end: false });

    } else {

        // Linux

        options.state.source = fs.createReadStream(options.sourcePath, { flags: 'r', start: 0, end: options.state.endIndex - 1 });

        options.state.source.pipe(options.targetStream);

    }

};