1 个不稳定版本

0.1.0	2020年4月24日

#33 in #pe

Apache-2.0

12KB
117 代码行数

sigtransplant

将有效的代码签名从Portable Executable (PE) 二进制文件转移到另一个未签名的二进制文件。

这是一个简单的工具，用于测试可能仅验证有效代码证书签名的实现，但不验证附加到二进制文件的有效性。

安装

cargo install sigtransplant

构建/安装

git clone https://github.com/etke/sigtransplant
cd sigtransplant
cargo build --release
cargo install --path .

用法

Usage: sigtransplant <signed input> <unsigned input> <output>

示例

sigtransplant C:\\Windows\\System32\\ntdll.dll target.exe modified.exe
writing modified PE binary...
wrote 674304 bytes to modified.exe
appending certificate table...
wrote 26200 bytes to modified.exe

Get-AuthenticodeSignature -FilePath .\modified.exe


    Directory: C:\Users\etke\


SignerCertificate                         Status                                 Path
-----------------                         ------                                 ----
2FCC77934AAC546397EEE37C391229C9031DD785  HashMismatch                           modified.exe

signtool.exe verify /v .\modified.exe

Verifying: .\modified.exe

Signature Index: 0 (Primary Signature)
Hash of file (sha256): 9CDAE679AFDE1E14DAB23F5CA5FF818AF502F7C2D2CD5F17945C810363EEA4D0

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority 2010
    Issued by: Microsoft Root Certificate Authority 2010
    Expires:   Sat Jun 23 15:04:01 2035
    SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5

        Issued to: Microsoft Windows Production PCA 2011
        Issued by: Microsoft Root Certificate Authority 2010
        Expires:   Mon Oct 19 11:51:42 2026
        SHA1 hash: 580A6F4CC4E4B669B9EBDC1B2B3E087B80D0678D

            Issued to: Microsoft Windows
            Issued by: Microsoft Windows Production PCA 2011
            Expires:   Fri Jan 22 12:26:53 2021
            SHA1 hash: 2FCC77934AAC546397EEE37C391229C9031DD785

The signature is timestamped: Wed Apr 08 18:10:08 2020
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority 2010
    Issued by: Microsoft Root Certificate Authority 2010
    Expires:   Sat Jun 23 15:04:01 2035
    SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5

        Issued to: Microsoft Time-Stamp PCA 2010
        Issued by: Microsoft Root Certificate Authority 2010
        Expires:   Tue Jul 01 14:46:55 2025
        SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA 2010
            Expires:   Thu Feb 11 14:40:43 2021
            SHA1 hash: 50EC03FC971BA4A54C5E9176561EFB33254D9BD9

SignTool Error: WinVerifyTrust returned error: 0x80096010
        The digital signature of the object did not verify.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

参考文献

Authenticode 验证漏洞模式 https://blog.devsecurity.eu/en/blog/Authenticode-verification-vulnerability-pattern-CreateFromSignedFile
将 Authenticode 签名应用于未签名代码 http://www.exploit-monday.com/2017/08/application-of-authenticode-signatures.html
SigPirate https://github.com/xorrior/Random-CSharpTools/tree/master/SigPirate/SigPirate
SigThief https://github.com/secretsquirrel/SigThief

依赖项

~2MB
~49K SLoC