Comments on: Update: Disitool V0.3 http://blog.didierstevens.com/2009/06/07/update-disitool-v0-3/ (blog 'DidierStevens) Wed, 08 Feb 2012 19:23:01 +0000 hourly 1 http://wordpress.com/ By: Didier Stevens http://blog.didierstevens.com/2009/06/07/update-disitool-v0-3/#comment-35085 Mon, 08 Jun 2009 20:06:50 +0000 http://blog.didierstevens.com/?p=1497#comment-35085 Correct John, it doesn’t get executed. The digital signature doesn’t even get loaded in memory when the program is executed.

As to detecting it, that’s correct, the SHA1 hash for the Authenticode signature doesn’t change. But the SHA1 hash of the complete file changes, of course.

]]> By: John McCash http://blog.didierstevens.com/2009/06/07/update-disitool-v0-3/#comment-35084 Mon, 08 Jun 2009 19:54:22 +0000 http://blog.didierstevens.com/?p=1497#comment-35084 Didier,
Data added this way won’t actually be executed, will it? Though I gotta admit, this would make a dandy way for an attacker to hide tools. They could build a whole filesystem out of a few K of space at the end of a lot of these files, and most people would never know it was there. With proper redundancy management, you could probably even run through a patch cycle where a bunch of them got replaced, and the evil code would be unaffected.
John

]]>