# capa rule: matches a function that references a Windows CryptoAPI RSA public
# key, either as the raw PUBLICKEYBLOB header bytes or as the RSAPUBKEY
# magic + bitlen pair loaded as one immediate constant.
rule:
  meta:
    name: reference public RSA key
    namespace: data-manipulation/encryption/rsa
    # NOTE(review): no author entries appear in this copy of the rule.
    authors:
    scope: function
    mbc:
      - Cryptography::Encryption Key [C0028]
    references:
      - https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-publickeystruc
      - https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-rsapubkey
    examples:
      - b7b5e1253710d8927cbe07d52d2d2e10:0x417DF0
  features:
    # Any one of the features below is sufficient for a match.
    - or:
      # Layout of a CryptoAPI public key blob: a BLOBHEADER immediately
      # followed by an RSAPUBKEY. All multi-byte fields are little-endian.
      #
      # typedef struct _PUBLICKEYSTRUC {
      #   BYTE   bType;
      #   BYTE   bVersion;
      #   WORD   reserved;
      #   ALG_ID aiKeyAlg;
      # } BLOBHEADER, PUBLICKEYSTRUC;
      #
      # typedef struct _RSAPUBKEY {
      #   DWORD magic;
      #   DWORD bitlen;
      #   DWORD pubexp;
      # } RSAPUBKEY;
      #
      # Blob header plus the RSAPUBKEY magic. bitlen is not part of this
      # pattern, so it is independent of the modulus size.
      - bytes: 06 02 00 00 00 A4 00 00 52 53 41 31
      #        ^^ bType = PUBLICKEYBLOB
      #           ^^ bVersion = CUR_BLOB_VERSION
      #              ^^ ^^ reserved
      #                    ^^ ^^ ^^ ^^ aiKeyAlg = CALG_RSA_KEYX
      #                                ^^ ^^ ^^ ^^ magic = RSA1 for public keys
      # NOTE(review): aiKeyAlg is pinned to CALG_RSA_KEYX (00 A4 00 00). A public
      # key blob for a signature key carries CALG_RSA_SIGN (00 24 00 00) and would
      # not match this bytes feature - confirm whether that is intended.
      #
      # The magic and bitlen fields can also appear as a single 64-bit immediate
      # when the structure is built in code rather than stored as data:
      #  mov     rax, 80031415352h
      #  ... 52 53 41 31 00 08 00 00
      #                  ^^ ^^ ^^ ^^ bitlen (bits in modulus) = 2048
      # Only the three modulus sizes listed below are covered in this form;
      # other bit lengths are matched by the bytes feature alone.
      - number: 0x040031415352 = RSA1 bitlen 1024
      - number: 0x080031415352 = RSA1 bitlen 2048
      - number: 0x100031415352 = RSA1 bitlen 4096