Add second prodid hash for PhGetMappedImageProdIdHeader

dmex · dmex · commit 7b624d1b334f · 2021-02-03T11:14:15.000+11:00
diff --git a/phlib/include/mapimg.h b/phlib/include/mapimg.h
@@ -93,7 +93,8 @@ PhMappedImageRvaToSection(
     );
 
 PHLIBAPI
-_Success_(return != NULL)
+_Must_inspect_result_
+_Ret_maybenull_
 PVOID
 NTAPI
 PhMappedImageRvaToVa(
@@ -103,7 +104,8 @@ PhMappedImageRvaToVa(
     );
 
 PHLIBAPI
-_Success_(return != NULL)
+_Must_inspect_result_
+_Ret_maybenull_
 PVOID
 NTAPI
 PhMappedImageVaToVa(
@@ -534,6 +536,7 @@ typedef struct _PH_MAPPED_IMAGE_PRODID
     //WCHAR Key[PH_PTR_STR_LEN_1];
     BOOLEAN Valid;
     PPH_STRING Key;
+    PPH_STRING RawHash;
     PPH_STRING Hash;
     ULONG NumberOfEntries;
     PPH_MAPPED_IMAGE_PRODID_ENTRY ProdIdEntries;
diff --git a/phlib/mapimg.c b/phlib/mapimg.c
@@ -335,7 +335,6 @@ PIMAGE_SECTION_HEADER PhMappedImageRvaToSection(
     return NULL;
 }
 
-_Success_(return != NULL)
 PVOID PhMappedImageRvaToVa(
     _In_ PPH_MAPPED_IMAGE MappedImage,
     _In_ ULONG Rva,
@@ -358,7 +357,6 @@ PVOID PhMappedImageRvaToVa(
         ));
 }
 
-_Success_(return != NULL)
 PVOID PhMappedImageVaToVa(
     _In_ PPH_MAPPED_IMAGE MappedImage,
     _In_ ULONG Va,
@@ -2343,7 +2341,8 @@ NTSTATUS PhGetMappedImageProdIdHeader(
 
     if (richStartSignature == ProdIdTagStart && richEndSignature == ProdIdTagEnd)
     {
-        PPH_STRING hashString = NULL;
+        PPH_STRING hashRawContentString = NULL;
+        PPH_STRING hashContentString = NULL;
         ULONG currentCount = 0;
         PBYTE currentAddress;
         PBYTE currentEnd;
@@ -2362,17 +2361,69 @@ NTSTATUS PhGetMappedImageProdIdHeader(
 
             if (PhFinalHash(&hashContext, hash, 16, NULL))
             {
-                hashString = PhBufferToHexString(hash, 16);
+                hashRawContentString = PhBufferToHexString(hash, 16);
             }
         }
         __except (EXCEPTION_EXECUTE_HANDLER)
         {
             return GetExceptionCode();
         }
 
-        if (PhIsNullOrEmptyString(hashString))
+        if (PhIsNullOrEmptyString(hashRawContentString))
             return STATUS_FAIL_CHECK;
-        
+
+        // VT creates a different hash based on the decrypted header while other tools
+        // (including this one) create the hash based on the raw header. So create a second hash
+        // from the decrypted header so we can show and search both hashes (dmex)
+        {
+            PVOID richHeaderContentEnd;
+            ULONG richHeaderContentLength;
+            PULONG richHeaderContentBuffer;
+            PULONG richHeaderContentOffset;
+            PH_HASH_CONTEXT hashContext;
+            UCHAR hash[32];
+
+            // Recalculate the length needed for the hash since VT doesn't include the remaining entry.
+            richHeaderContentEnd = PTR_ADD_OFFSET(MappedImage->ViewBase, richHeaderEndOffset);
+            richHeaderContentLength = PtrToUlong(PTR_SUB_OFFSET(richHeaderContentEnd, richHeaderStart));
+
+            // We already probed above so this isn't really needed but probe again just to be sure.
+            __try
+            {
+                PhpMappedImageProbe(MappedImage, richHeaderStart, richHeaderContentLength);
+            }
+            __except (EXCEPTION_EXECUTE_HANDLER)
+            {
+                return GetExceptionCode();
+            }
+
+            richHeaderContentBuffer = PhAllocateZero(richHeaderContentLength);
+            memcpy(richHeaderContentBuffer, richHeaderStart, richHeaderContentLength);
+
+            // Walk the buffer and decrypt the entire thing.
+            for (
+                richHeaderContentOffset = richHeaderContentBuffer;
+                richHeaderContentOffset < (PULONG)PTR_ADD_OFFSET(richHeaderContentBuffer, richHeaderContentLength);
+                richHeaderContentOffset++
+                )
+            {
+                *richHeaderContentOffset ^= richHeaderKey;
+            }
+
+            PhInitializeHash(&hashContext, Md5HashAlgorithm);
+            PhUpdateHash(&hashContext, richHeaderContentBuffer, richHeaderContentLength);
+
+            if (PhFinalHash(&hashContext, hash, 16, NULL))
+            {
+                hashContentString = PhBufferToHexString(hash, 16);
+            }
+
+            PhFree(richHeaderContentBuffer);
+        }
+
+        if (PhIsNullOrEmptyString(hashContentString))
+            return STATUS_FAIL_CHECK;
+
         // Do a scan to determine how many entries there are.
         for (offset = currentAddress; offset < currentEnd; offset += sizeof(PRODITEM))
         {
@@ -2466,7 +2517,8 @@ NTSTATUS PhGetMappedImageProdIdHeader(
         //PhPrintPointer(ProdIdHeader->Key, UlongToPtr(richHeaderKey));
         ProdIdHeader->Valid = richHeaderKey == richHeaderValue;
         ProdIdHeader->Key = PhFormatString(L"%lx", richHeaderKey);
-        ProdIdHeader->Hash = hashString;
+        ProdIdHeader->RawHash = hashRawContentString;
+        ProdIdHeader->Hash = hashContentString;
         ProdIdHeader->NumberOfEntries = currentCount;
         ProdIdHeader->ProdIdEntries = PhFinalArrayItems(&richHeaderEntryArray);
 
