├── README.md
├── generate.py
├── samples
│   ├── cmd
│   │   ├── 330.exe
│   │   ├── 331.exe
│   │   ├── 408.exe
│   │   ├── README.md
│   │   └── cmd.exe
│   ├── msbuild_x86
│   │   ├── 216.exe
│   │   ├── 217.exe
│   │   ├── 218.exe
│   │   ├── 219.exe
│   │   ├── MSBuild.exe
│   │   └── README.md
│   └── regsvr32
│       ├── 320.exe
│       ├── 321.exe
│       ├── 322.exe
│       ├── 323.exe
│       ├── 400.exe
│       ├── README.md
│       └── regsvr32.exe
├── signcheck.bat
└── signtool.exe

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Generate Windows Signed Binary With a Different Hash

The idea was to bypass endpoint solutions that block known "malicious" signed applications such as "regsvr32.exe" by their file hash. I wanted to find a way to get a validly signed file with a different hash.

# The Analysis

Using `signtool verify /v /a cmd.exe` (`/a` lets signtool try every verification method, including catalog signatures, and `/v` prints the details):

```
C:\signcheck>signtool verify /a /v cmd.exe

Verifying: cmd.exe
File is signed in catalog: C:\windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-
00C04FC295EE}\Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7
601.17514.cat
Hash of file (sha1): 7EB22CBAA74B208DF433C70C06A99280036A52F3

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 19:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072
```

Based on that output I assumed that "Hash of file" was the SHA1 of cmd.exe (7EB22CBAA74B208DF433C70C06A99280036A52F3).

A further check showed that the SHA1 of the cmd.exe file bytes is something else:

```
$ sha1sum.exe cmd.exe
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8 *cmd.exe
```

Interesting: the same file, two different hashes.

# Generating Test Files

At this point I suspected that the signature may not include all sections of the file. (That is in fact how Authenticode works: the "Hash of file" signtool prints is the Authenticode hash of the PE image, which by specification leaves out the CheckSum field of the optional header, the Certificate Table entry of the data directory and the attribute certificate table itself, so it is not a hash of the raw file bytes.)

I wrote a simple Python script to generate test files: one copy of the input per byte offset, with that single byte XORed with 0xde.
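The suspicion above can be checked directly rather than by brute force. The following Python 3 example is added here and is not part of the repository: it implements the PE image hashing procedure from Microsoft's Authenticode PE signature format (headers minus the CheckSum field and the Certificate Table directory entry, then the sections in file order, then any overlay minus the certificate table), builds a small constructed PE32+ image (not a real Windows binary and carrying no real signature) and shows that XORing a byte in either skipped field changes the raw SHA1 but not the Authenticode SHA1, while a byte inside a section changes both. The 0xde mask is the one used by the author's generate.py below; the function names, the `build_pe` layout and the section contents are assumptions of the example.

```python
"""Authenticode PE image hash versus raw file hash, on a constructed PE32+ image."""
import hashlib
import struct

FILE_ALIGN = 0x200
CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def pe_layout(data):
    """Locate the two header fields Authenticode skips, plus what is needed to
    walk the rest of the file. Returns (checksum_off, certdir_off,
    size_of_headers, [(PointerToRawData, SizeOfRawData), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    datadir = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 vs PE32+
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    for i in range(nsections):
        entry = opt + opt_size + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        sections.append((raw_ptr, raw_size))
    return opt + 64, datadir + 8 * CERT_DIR_INDEX, size_of_headers, sections


def authenticode_hash(data, algo="sha1"):
    """PE image hash per the Authenticode spec: headers without CheckSum and
    the Certificate Table entry, sections sorted by file offset, then trailing
    data minus the attribute certificate table (assumed to be last in the file)."""
    checksum_off, certdir_off, size_of_headers, sections = pe_layout(data)
    cert_size = struct.unpack_from("<II", data, certdir_off)[1]
    h = hashlib.new(algo)
    h.update(data[:checksum_off])                      # headers up to CheckSum
    h.update(data[checksum_off + 4:certdir_off])       # skip the 4-byte CheckSum
    h.update(data[certdir_off + 8:size_of_headers])    # skip the 8-byte cert entry
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    if len(data) > hashed:
        extra = len(data) - (cert_size + hashed)
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()


def build_pe(section_data, checksum=0, cert_blob=b""):
    """Constructed minimal PE32+ image (assumption: not a real Windows binary):
    DOS header, PE headers, one section, optional opaque 'certificate table'."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    size_of_headers = FILE_ALIGN
    raw_size = -(-len(section_data) // FILE_ALIGN) * FILE_ALIGN
    cert_off = size_of_headers + raw_size if cert_blob else 0
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, raw_size, 0, 0, 0x1000, 0x1000)
    opt += struct.pack("<QIIHHHHHHIIII", 0x140000000, 0x1000, FILE_ALIGN,
                       6, 0, 0, 0, 6, 0, 0, 0x2000, size_of_headers, checksum)
    opt += struct.pack("<HHQQQQII", 3, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    for idx in range(16):  # 16 data directories, only the cert entry is set
        va, size = (cert_off, len(cert_blob)) if idx == CERT_DIR_INDEX else (0, 0)
        opt += struct.pack("<II", va, size)
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, raw_size, size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(size_of_headers, b"\0")
    return headers + section_data.ljust(raw_size, b"\0") + cert_blob


def flip_byte(data, offset, mask=0xDE):
    """Same mutation as generate.py: one byte XORed with 0xde."""
    out = bytearray(data)
    out[offset] ^= mask
    return bytes(out)


def compare(data, offset):
    """Does flipping the byte at offset change (raw sha1, Authenticode sha1)?"""
    mutated = flip_byte(data, offset)
    return (hashlib.sha1(mutated).hexdigest() != hashlib.sha1(data).hexdigest(),
            authenticode_hash(mutated) != authenticode_hash(data))


if __name__ == "__main__":
    pe = build_pe(b"\xc3" * 32)  # constructed section content
    checksum_off, certdir_off, _, _ = pe_layout(pe)
    for name, off in (("CheckSum", checksum_off), ("CertTable entry", certdir_off), ("section byte", 0x200)):
        print(name, off, "raw changed=%s, authenticode changed=%s" % compare(pe, off))
```

Run it as a script to print the three comparisons. On a real file, `pe_layout(open(path, "rb").read())` returns the offsets that generate.py otherwise has to find by brute force, and `authenticode_hash` can be compared with signtool's "Hash of file" line. The trailing-data rule follows the specification's assumption that the certificate table is the last thing in the file; files with data after it are outside what this example handles.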
```
import sys

# Read the input file as raw bytes.
orig = open(sys.argv[1], "rb").read()

# Write one copy per byte offset, named after the offset (0.exe, 1.exe, ...),
# with only that byte XORed with 0xde.
i = 0
while i < len(orig):
    current = bytearray(orig)
    current[i] ^= 0xde
    path = "%d.exe" % i

    open(path, "wb").write(bytes(current))
    i += 1

print("done")
```

Running `python generate.py cmd.exe` then produced one file per byte of cmd.exe, more than 300 GB of new files in total.

# Final Step

Each generated file now has to be verified to see whether it still passes the signature check.

A simple batch file does that. It only covers the first 10,000 offsets, which is more than enough for the PE headers, and prints a line for every file signtool accepts (signtool's exit code is 0 only on success):

```
FOR /L %%A IN (0,1,10000) DO (
    signtool verify /v /a %%A.exe && echo %%A.exe PASSED
)
```

The binary 330.exe passed the signature check even though its byte at offset 330 was modified, so the file differs from the original:

```
C:\signcheck>signtool verify /a /v 330.exe

Verifying: 330.exe
File is signed in catalog: C:\windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-
00C04FC295EE}\Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7
601.17514.cat
Hash of file (sha1): 7EB22CBAA74B208DF433C70C06A99280036A52F3
```

```
$ sha1sum.exe 330.exe
4c05efb9d67291febe44f8c661db55a1ec06bc41 *330.exe

$ sha1sum cmd.exe
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8 *cmd.exe
```

# cmd.exe

The following bytes can be modified without breaking the signature:
`330, 331, 408 - 412`

# regsvr32.exe

The following bytes can be modified without breaking the signature:
`320 - 323, 400 - 407`

# msbuild.exe (x86)

The following bytes can be modified without breaking the signature:
`216 - 219`

These offsets are consistent with the two header fields the Authenticode hash skips: the 4-byte CheckSum in the optional header and the 8-byte Certificate Table entry in the data directory (their file offsets depend on each binary's e_lfanew and on whether it is PE32 or PE32+, which is why they differ per file). Because the Authenticode hash is unchanged, this only defeats controls that match on the raw file hash; anything that keys on the Authenticode hash, the catalog, or the signer sees the same binary as before.

--------------------------------------------------------------------------------
/generate.py:
--------------------------------------------------------------------------------
import sys

# Read the input file as raw bytes.
orig = open(sys.argv[1], "rb").read()

# Write one copy per byte offset, named after the offset (0.exe, 1.exe, ...),
# with only that byte XORed with 0xde.
i = 0
while i < len(orig):
    current = bytearray(orig)
    current[i] ^= 0xde
    path = "%d.exe" % i

    open(path, "wb").write(bytes(current))
    i += 1

print("done")

--------------------------------------------------------------------------------
/samples/cmd/330.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mr-Un1k0d3r/Windows-SignedBinary/b2edbdb4e9bce0cf8430c43836fe816e60764edf/samples/cmd/330.exe

--------------------------------------------------------------------------------
/samples/cmd/331.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mr-Un1k0d3r/Windows-SignedBinary/b2edbdb4e9bce0cf8430c43836fe816e60764edf/samples/cmd/331.exe

--------------------------------------------------------------------------------
/samples/cmd/408.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mr-Un1k0d3r/Windows-SignedBinary/b2edbdb4e9bce0cf8430c43836fe816e60764edf/samples/cmd/408.exe

--------------------------------------------------------------------------------
/samples/cmd/README.md:
--------------------------------------------------------------------------------
* cmd.exe is the original file, sha1 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
* 330.exe is the modified version, sha1 4c05efb9d67291febe44f8c661db55a1ec06bc41
* 331.exe is the modified version, sha1 077feb78393d6c5273d324a2ae3afe052a959b61
* 408.exe is the modified version, sha1 e7cd55463e9cf41dedc0a7da5de46f52bc8073c8

--------------------------------------------------------------------------------
/samples/cmd/cmd.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mr-Un1k0d3r/Windows-SignedBinary/b2edbdb4e9bce0cf8430c43836fe816e60764edf/samples/cmd/cmd.exe

--------------------------------------------------------------------------------
/samples/msbuild_x86/216.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mr-Un1k0d3r/Windows-SignedBinary/b2edbdb4e9bce0cf8430c43836fe816e60764edf/samples/msbuild_x86/216.exe

--------------------------------------------------------------------------------
/samples/msbuild_x86/217.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mr-Un1k0d3r/Windows-SignedBinary/b2edbdb4e9bce0cf8430c43836fe816e60764edf/samples/msbuild_x86/217.exe

--------------------------------------------------------------------------------
/samples/msbuild_x86/218.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mr-Un1k0d3r/Windows-SignedBinary/b2edbdb4e9bce0cf8430c43836fe816e60764edf/samples/msbuild_x86/218.exe

--------------------------------------------------------------------------------
/samples/msbuild_x86/219.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mr-Un1k0d3r/Windows-SignedBinary/b2edbdb4e9bce0cf8430c43836fe816e60764edf/samples/msbuild_x86/219.exe

--------------------------------------------------------------------------------
/samples/msbuild_x86/MSBuild.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mr-Un1k0d3r/Windows-SignedBinary/b2edbdb4e9bce0cf8430c43836fe816e60764edf/samples/msbuild_x86/MSBuild.exe

--------------------------------------------------------------------------------
/samples/msbuild_x86/README.md:
--------------------------------------------------------------------------------
* MSBuild.exe is the original file, sha1 abcae05ee61ee6292003aabd8c80583fa49edda2
* 216.exe is the modified version, sha1 291bf758a2286b7bcbf96f0107392e25ad7a9848
* 217.exe is the modified version, sha1 d6e5ced02d5a05126224d1e0b3ab55a082c1a53a
* 218.exe is the modified version, sha1 753f4a5fd9e0f1f7e09890ebfc569fd083615b38
* 219.exe is the modified version, sha1 d0486aded78f09057527c209b6c7470abcafcc40

--------------------------------------------------------------------------------
/samples/regsvr32/320.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mr-Un1k0d3r/Windows-SignedBinary/b2edbdb4e9bce0cf8430c43836fe816e60764edf/samples/regsvr32/320.exe

--------------------------------------------------------------------------------
/samples/regsvr32/321.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mr-Un1k0d3r/Windows-SignedBinary/b2edbdb4e9bce0cf8430c43836fe816e60764edf/samples/regsvr32/321.exe

--------------------------------------------------------------------------------
/samples/regsvr32/322.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mr-Un1k0d3r/Windows-SignedBinary/b2edbdb4e9bce0cf8430c43836fe816e60764edf/samples/regsvr32/322.exe

--------------------------------------------------------------------------------
/samples/regsvr32/323.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mr-Un1k0d3r/Windows-SignedBinary/b2edbdb4e9bce0cf8430c43836fe816e60764edf/samples/regsvr32/323.exe

--------------------------------------------------------------------------------
/samples/regsvr32/400.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mr-Un1k0d3r/Windows-SignedBinary/b2edbdb4e9bce0cf8430c43836fe816e60764edf/samples/regsvr32/400.exe

--------------------------------------------------------------------------------
/samples/regsvr32/README.md:
--------------------------------------------------------------------------------
* 20b1845c856a1e38ed5f88534602c2e01409f1d1 320.exe
* 2c3c713f05f9fad6ad87e3e5b0a3ee16016e9116 321.exe
* 6aeed91ab7f44aff076105d9c087a1a8c238ade6 322.exe
* 515801533a1adfe6bca450ebfd42963c81aa9246 323.exe
* 516d5570d906c4df8c662a11732bdd59fc43f9ce 400.exe
* 645c424974fbe5fe7a04cac73f1c23c96e1570b8 regsvr32.exe (original file)

--------------------------------------------------------------------------------
/samples/regsvr32/regsvr32.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mr-Un1k0d3r/Windows-SignedBinary/b2edbdb4e9bce0cf8430c43836fe816e60764edf/samples/regsvr32/regsvr32.exe

--------------------------------------------------------------------------------
/signcheck.bat:
--------------------------------------------------------------------------------
REM Verify every generated file (0.exe, 1.exe, ...); signtool exits with 0 only
REM when the file still matches its (catalog) signature, so only those are echoed.
FOR /L %%A IN (0,1,10000) DO (
    signtool verify /v /a %%A.exe && echo %%A.exe PASSED
)

--------------------------------------------------------------------------------
/signtool.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mr-Un1k0d3r/Windows-SignedBinary/b2edbdb4e9bce0cf8430c43836fe816e60764edf/signtool.exe
--------------------------------------------------------------------------------