Avoid certutil for downloading certificates

[rabbitstack]

Hi,

I'm so happy I've found this package/library! Great work. I'm planning to sunset the PE introspection functionality I've initially built into Fibratus in favour of your package. I was glancing at the code and noticed you rely on certutil to fetch the certificates you later use for validation. Since certutil is frequently abused by threats actors for nefarious purposes, I'm wondering if there is a way to download the certificates by interacting with some specific Windows API?

[ayoubfaouzi]

Hello @rabbitstack

Thanks a lot for your feedback. I myself used fibratus some time ago, I remember it was python, did you re-write in go ? :)

The certificate validation is indeed tricky, we can't rely on the Windows API because we need the library to work on other platforms as well. That's already dealt with, now I just need to find an alternative to certutil to grab fresh certificates.

[rabbitstack]

Hi @LordNoteworthy,

Correct, it was Python, but I rewrote/redesigned from scratch in Go, a couple of years ago. There is still possibility to run the Python code (filaments) via CPython bindings.

What other platforms could be subject to PE parsing and wouldn't allow Windows API interaction? It would be great if you could ditch certutil.

Sorry I have to hijack this issue, but I got another question. Are you planning to incorporate any features that could enable detecting PE tampering and possibly detecting different process injection techniques? Tools like PESieve can do this.

Thanks

[ayoubfaouzi]

Correct, it was Python, but I rewrote/redesigned from scratch in Go, a couple of years ago. There is still possibility to run the Python code (filaments) via CPython bindings.

All right, I see, good job !

What other platforms could be subject to PE parsing and wouldn't allow Windows API interaction?

Mainly Linux and OSX. Some folks will be running this pkg on linux containers or something alike. I will keep this issue open ti find a workaround for certutil.

Are you planning to incorporate any features that could enable detecting PE tampering and possibly detecting different process injection techniques? Tools like PESieve can do this.

If it is something that we can do statically, I will be happy to do so. Tools like PESieve are more dynamic analysis tools, so I am doing this sort of detection in saferwall sandbox, though it is not yet completed.

[rabbitstack]

Mainly Linux and OSX. Some folks will be running this pkg on linux containers or something alike

It crystallized after you mentioned pe underpins the Saferwall service which would obviously make it runnable on non-Windows machines.

If it is something that we can do statically, I will be happy to do so. Tools like PESieve are more dynamic analysis tools, so I am doing this sort of detection in saferwall sandbox, though it is not yet completed.

PESieve essentially compares on-disk with in-memory PE structures and determines all sort of heuristics, so, I think dynamic analysis may be inevitable.

Thank you for your answers!