My data in your signed code

Presented at ToorCamp 2022, July 16, 2022, 1 p.m. (20 minutes).

Could a signed Windows executable be modified, but still have a valid signature? Everyone told me "no", so I built a set of tools that does exactly that. Lets talk Authenticode, PE/COFF and a trivial Microsoft limitation that allows one to inject data without breaking signatures or triggering Defender and EDR warnings. Then, see what you can do with that "feature". 3 min - Background on Microsoft Authenticode - why it's there, how it works, peculiarities and limitations. Previous research of making undetectable changes. 2 min - My discovery - attaching new self-signed signatures does not invalidate the existing signatures, keeps Microsoft happy. 2 min - How to pack new custom signatures chock-full of your data 1 min - How to have your code extract that data from the new signatures at run-time. 5 min - Demo - walk through a specific use case: An installer exe is injected with unique registration keys generated per each installation. It uses this technique to self-register at install time without requiring any user interactions or triggering Windows alerts. 5 min - Limitations. Ideas for other uses (signed execs as data mules, code exec from inside custom signatures) 2 min - Q&A

Presenters:

  • Alex Ivkin
    Alex Ivkin leads a security solutions group at Eclypsium, a US security startup. His focus is on researching secure deployments of (in)secure software, including container orchestration, application security, and firmware security. Alex has two decades of itsec experience, delivered security trainings, holds MS in Computer Science, co-authored security certifications and climbs mountains in his spare time.

Links:

Similar Presentations: