SigFlip: patching Authenticode-signed PE files without invalidating/breaking the existing signature
SigFlip is a tool for patching Authenticode-signed PE files (exe, dll, sys, etc.) in a way that does not affect or break the existing Authenticode signature. In other words, you can change a PE file's checksum/hash by embedding data (e.g. shellcode) without breaking the file's signature, integrity checks, or functionality.
SigInject encrypts and injects shellcode into a PE file's [WIN_CERTIFICATE] certificate table. The encryption key is printed out for use with a basic BOF/C/C# loader (SigLoader). SigInject saves the changes to a modified copy of the PE file and keeps its signature and certificate validity intact.
SigLoader is a basic loader that takes the path of a PE file modified by SigInject and the decryption key as parameters, then extracts and decrypts the embedded shellcode for use with a shellcode injection method of your choice.
SigFlip checks whether the PE hash was successfully changed, and also checks for, and exits gracefully on, endpoints that are hardened against this common misconfiguration (see the "Details" section).
Quick note: SigFlip, SigInject, and SigLoader are available as BOF scripts and as .NET assemblies. The only difference is that, in the .NET artifacts, SigInject's functionality is implemented as part of SigFlip (the -i option), should you choose those instead of the BOFs.
It is mainly useful for persistence, lateral movement, or code/command execution, and can help with:
- Application whitelisting bypasses: changing a PE file's hash (e.g. msbuild.exe) without breaking the signature.
- Bypassing EDRs that rely on specific LOLBIN hashes to detect malicious code/command execution.
- Loading signed drivers under a different hash, which might help circumvent EDRs that watch for commonly abused vulnerable signed drivers using a predefined list of hashes.
- Embedding encrypted shellcode in a signed PE file and using a stager of your preference (SigLoader) to parse, decrypt, load, and execute it.
- Endpoint security vendors tend to classify signed PE files as benign most of the time; embedding unsigned code (shellcode, etc.) in a signed PE file makes it a little harder to detect/flag.
- Bypassing endpoint security products that rely mainly on the default WinVerifyTrust behaviour for signature validation.
- Improving OPSEC and challenging defenders who rely solely on typical signature verification utilities such as signtool, sigcheck, or Get-AuthenticodeSignature to validate the Authenticode signature of PE files.
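Added example (not part of the SigFlip project): the defender-side check that the signature verifiers listed above do not perform by default, flagging a WIN_CERTIFICATE entry whose dwLength covers more than the DER-encoded PKCS#7 SignedData plus its alignment padding. It assumes the caller has already carved the security directory blob (IMAGE_DIRECTORY_ENTRY_SECURITY) out of the PE; the two sample tables are constructed in-line rather than taken from real binaries.

```python
import struct

# WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType (little-endian)
WIN_CERT_HEADER = struct.Struct("<IHH")
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def der_total_length(buf):
    """Total encoded size (tag + length octets + content) of the DER SEQUENCE
    at buf[0]; a PKCS#7 SignedData blob always starts with such a SEQUENCE."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("expected DER SEQUENCE (PKCS#7 SignedData)")
    first = buf[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def check_cert_table(table):
    """Walk every WIN_CERTIFICATE entry in a security-directory blob and report
    the bytes between the end of the DER signature and dwLength.  Signing tools
    put at most 7 zero bytes there (8-byte alignment); anything else is data
    that the signature does not cover but that default verification tolerates."""
    findings, off, idx = [], 0, 0
    while off + WIN_CERT_HEADER.size <= len(table):
        dw_len, _rev, ctype = WIN_CERT_HEADER.unpack_from(table, off)
        if dw_len < WIN_CERT_HEADER.size or off + dw_len > len(table):
            raise ValueError(f"entry {idx}: dwLength {dw_len} out of range")
        body = table[off + WIN_CERT_HEADER.size:off + dw_len]
        # Non-PKCS#7 entry types are not parsed here: treat the whole body as unverified.
        der_len = der_total_length(body) if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA else 0
        trailing = body[der_len:]
        findings.append({"entry": idx, "dwLength": dw_len, "der_len": der_len,
                         "trailing": len(trailing),
                         "suspicious": len(trailing) > 7 or any(trailing)})
        off += (dw_len + 7) & ~7              # entries are 8-byte aligned
        idx += 1
    return findings

# Constructed sample data standing in for a real PKCS#7 blob: a 7-byte DER SEQUENCE.
FAKE_SIGNED_DATA = b"\x30\x05\x02\x03\x01\x02\x03"
def build_entry(signed_data, extra=b""):
    """Build one WIN_CERTIFICATE entry, zero-padded to 8 bytes like signtool output."""
    body = signed_data + extra
    entry = WIN_CERT_HEADER.pack(WIN_CERT_HEADER.size + len(body), 0x0200,
                                 WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    return entry + b"\x00" * (-len(entry) % 8)
CLEAN_TABLE = build_entry(FAKE_SIGNED_DATA)                 # untouched signature
TAMPERED_TABLE = build_entry(FAKE_SIGNED_DATA, b"X" * 16)   # 16 foreign bytes appended
```

Running `check_cert_table` over each table shows the clean entry with zero trailing bytes and the tampered one with 16 non-zero bytes flagged as suspicious; on a real file the same check is what the certificate-padding hardening enforces at verification time.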
Copyright (c) 2021 Mohamed El Azaar