Didier Stevens

Sunday 7 June 2009

Update: Disitool V0.3

Filed under: My Software, Update — Didier Stevens @ 23:15

Last January, I got a little challenge from @hdmoore via my Twitter account: add data to a signed executable without invalidating the Authenticode signature. I updated my Digital signature tool, but I realize now I had only announced the update on Twitter, not on my blog.

The trick is to increase the size field of the PE data directory entry that points to the digital signature, and to inject the extra data right after the signature. The Authenticode validation algorithm then ignores the extra data, because it treats it as part of the signature. Use Disitool’s new inject command:

disitool.py inject ms-patch.exe data.bin ms-patch-data.exe

The Authenticode signature of ms-patch.exe will remain valid in ms-patch-data.exe, provided that the length of the injected data (file data.bin) is a multiple of 8.

You can use the paddata option to make the injected data size a multiple of 8 if it isn’t:

disitool.py inject --paddata ms-patch.exe data.bin ms-patch-data.exe
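From the defender's side, the telltale of this trick is that the security data directory claims more bytes than the WIN_CERTIFICATE entries inside it actually account for. The script below is an added example written for this post, not Disitool's own code: it parses the PE headers with nothing but struct, walks the certificate table, and reports the slack (bytes inside the directory that no well-formed Authenticode entry covers) as well as any overlay after the table. Because no signed binary ships with this page, it also constructs a minimal placeholder PE32 (a dummy certificate blob, not a real PKCS#7 signature) so the check can be run offline; passing a real file path on the command line audits that file instead.

```python
"""Audit a PE file's Attribute Certificate Table for bytes that no
WIN_CERTIFICATE entry accounts for (the slack the inject trick relies on)."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # the only certificate type Authenticode uses


def security_directory(pe: bytes):
    """Return (file_offset, size) of the certificate table, or (0, 0) if unsigned."""
    if pe[:2] != b'MZ':
        raise ValueError('missing MZ header')
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from('<H', pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from('<H', pe, opt)[0]
    # Data directories start at offset 96 (PE32) or 112 (PE32+) of the optional header.
    dd = {0x10B: 96, 0x20B: 112}.get(magic)
    if dd is None:
        raise ValueError(f'unknown optional header magic {magic:#x}')
    entry = opt + dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional:
        return 0, 0
    # Unlike the other directories, this entry holds a raw file offset, not an RVA.
    return struct.unpack_from('<II', pe, entry)


def audit_certificate_table(pe: bytes) -> dict:
    """Walk the WIN_CERTIFICATE entries and report bytes they do not cover."""
    offset, size = security_directory(pe)
    if size == 0:
        return {'signed': False, 'entries': 0, 'slack': 0, 'overlay': 0}
    end = min(offset + size, len(pe))       # tolerate a truncated file
    pos, entries = offset, 0
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from('<IHH', pe, pos)
        # Anything that is not a well-formed Authenticode entry ends the walk;
        # whatever remains inside the directory is slack.
        if length < 8 or pos + length > end or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            break
        entries += 1
        pos += (length + 7) & ~7            # entries are rounded up to 8-byte boundaries
    return {
        'signed': True,
        'entries': entries,
        'slack': end - pos,                 # inside the directory, outside every entry
        'overlay': max(0, len(pe) - (offset + size)),  # after the table; never covered by the hash
    }


def build_sample_pe(injected: bytes = b'') -> bytes:
    """Construct a minimal, non-runnable PE32 image with a placeholder certificate
    table (constructed test data, not a real signature). 'injected' is appended
    inside the directory, mirroring what the inject command does."""
    cert_blob = b'\x30\x82\x00\x10' + b'X' * 16                 # stand-in for PKCS#7 DER
    win_cert = struct.pack('<IHH', 8 + len(cert_blob), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
    win_cert += b'\0' * (-len(win_cert) % 8)                    # pad the entry to 8 bytes
    table = win_cert + injected
    header = bytearray(312)                 # DOS(64) + PE sig(4) + COFF(20) + optional(224)
    header[0:2] = b'MZ'
    struct.pack_into('<I', header, 0x3C, 64)                    # e_lfanew
    header[64:68] = b'PE\0\0'
    # Machine=i386, 0 sections, SizeOfOptionalHeader=224 (PE32 with 16 directories).
    struct.pack_into('<HHIIIHH', header, 68, 0x14C, 0, 0, 0, 0, 224, 0x0102)
    struct.pack_into('<H', header, 88, 0x10B)                   # PE32 magic
    struct.pack_into('<II', header, 88 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     len(header), len(table))                   # directory size covers the extra bytes
    return bytes(header) + table


if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], 'rb') as f:
            print(audit_certificate_table(f.read()))
    else:
        print('clean   :', audit_certificate_table(build_sample_pe()))
        print('injected:', audit_certificate_table(build_sample_pe(b'A' * 24)))
```

On the clean sample the single entry consumes the whole directory and slack is 0; after 24 bytes are appended and the directory enlarged, the walk still finds exactly one valid entry and reports 24 bytes of slack, which is the condition to alert on. A non-zero slack is not proof of tampering on its own (some signing tools leave a little padding), but a large or non-zero-filled slack in a file whose signature still verifies is exactly the pattern described above, and a whole-file hash, as noted in the comments, will differ from the vendor's either way.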

Disitool can be downloaded here.

3 Comments »

  1. Didier,
    Data added this way won’t actually be executed, will it? Though I gotta admit, this would make a dandy way for an attacker to hide tools. They could build a whole filesystem out of a few K of space at the end of a lot of these files, and most people would never know it was there. With proper redundancy management, you could probably even run through a patch cycle where a bunch of them got replaced, and the evil code would be unaffected.
    John

    Comment by John McCash — Monday 8 June 2009 @ 19:54

  2. Correct John, it doesn’t get executed. The digital signature doesn’t even get loaded in memory when the program is executed.

    As to detecting it, that’s correct, the SHA1 hash for the Authenticode signature doesn’t change. But the SHA1 hash of the complete file changes, of course.

    Comment by Didier Stevens — Monday 8 June 2009 @ 20:06

  3. […] I decided to post the full dump of this signature. I extracted the signature from WuSetupV.exe with my digital signature tool and produced 2 dumps with […]

    Pingback by Flame Authenticode Dumps (KB2718704) « Didier Stevens — Wednesday 6 June 2012 @ 9:37

