Certificate Bypass: Hiding and Executing Malware from a Digitally Signed Executable

  • Published 11 Sep 2024
  • by Tom Nipravsky
    Malware developers are constantly looking for new ways to evade the detection and prevention capabilities of security solutions. In recent years we have seen many different tools, such as packers and new encryption techniques, that help malware hide its malicious code. If a security solution cannot unpack the compressed or encrypted malicious content (or at least unpack it dynamically), it will not be able to identify that it is facing malware. To further complicate the matter, we present a new technique for hiding malware (encrypted or unencrypted) inside a digitally signed file, while the file keeps its valid certificate, and executing it from memory using a benign executable that acts as a reflective EXE loader, written from scratch.

    Our research demonstrates our Certificate Bypass tool and the Reflective EXE Loader. During the presentation we focus on the research we conducted on the PE file structure. We take a closer look at the certificate table and how data can be injected into the table without damaging the certificate itself: the file still looks like, and is treated as, a validly signed file. We then examine the tool we wrote to execute PE files from memory without writing them to disk, covering the relevant fields in the PE structure and the steps required to run a PE file directly from memory without any file on disk. Finally, we conclude with a live demonstration showing how we bypass security solutions based on the way they look at the certificate table.
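    The property the talk exploits is that the Authenticode hash of a PE image deliberately excludes the CheckSum field, the Security data-directory entry and the Attribute Certificate Table itself, so bytes added to that table leave the signature valid. The defender-side check below, an added example that is not code from the talk or from its Certificate Bypass tool, turns that into a detection: it locates the certificate table, walks the WIN_CERTIFICATE entries (the layout from the PE/COFF specification) and compares how much of each entry the DER-encoded PKCS#7 SignedData blob actually occupies with what the entry declares. The sample tables, the "payload" bytes and the header stub used by `pe_stub_with_table` are constructed stand-ins, not real signatures or a loadable binary.

```python
"""
Defender-side check for data hidden in a PE file's Attribute Certificate Table.

Added example, not code from the talk or its tooling. The Authenticode hash
covers the image except the CheckSum field, the Security data-directory entry
and the certificate table, so bytes placed in that table keep the signature
valid; this script looks for bytes in the table that the PKCS#7 blob does not
account for.
"""
import struct

WIN_CERT_HEADER = struct.Struct("<IHH")  # dwLength, wRevision, wCertificateType
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200
SECURITY_DIRECTORY_INDEX = 4


def extract_certificate_table(pe: bytes) -> bytes:
    """Return the raw certificate table (may be empty). The Security directory's
    VirtualAddress is a file offset, unlike every other data directory."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                      # skip signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + {0x10B: 96, 0x20B: 112}[magic]    # PE32 / PE32+ data-directory start
    off, size = struct.unpack_from("<II", pe, dd + 8 * SECURITY_DIRECTORY_INDEX)
    return pe[off:off + size] if size else b""


def der_total_length(buf: bytes) -> int:
    """Total encoded size (tag + length + value) of the DER element at buf[0]."""
    if len(buf) < 2 or buf[0] != 0x30:           # PKCS#7 ContentInfo is a SEQUENCE
        raise ValueError("blob does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                             # short-form length
        return 2 + first
    n = first & 0x7F                             # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def scan_certificate_table(table: bytes) -> list:
    """Walk the WIN_CERTIFICATE entries and report, per entry, the declared size,
    the size the PKCS#7 blob uses, and the slack that follows it."""
    findings, off = [], 0
    while off < len(table):
        if len(table) - off < WIN_CERT_HEADER.size:
            findings.append({"offset": off, "error": "truncated header"})
            break
        length, rev, ctype = WIN_CERT_HEADER.unpack_from(table, off)
        if length < WIN_CERT_HEADER.size:        # also stops a zero-length loop
            findings.append({"offset": off, "error": "bogus dwLength"})
            break
        body = table[off + WIN_CERT_HEADER.size:off + length]
        entry = {"offset": off, "declared_length": length, "revision": rev, "type": ctype}
        if ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            entry["error"] = "unexpected certificate type"
        else:
            try:
                used = der_total_length(body)
            except ValueError as exc:
                entry["error"], used = str(exc), 0
            slack = body[used:]
            entry.update(pkcs7_length=used, slack_length=len(slack),
                         slack_nonzero=any(slack))
        findings.append(entry)
        off += (length + 7) & ~7                 # entries are 8-byte aligned
    return findings


def table_is_suspicious(table: bytes) -> bool:
    """Zero padding of up to 7 bytes is normal alignment; anything else deserves a look."""
    return any("error" in f or f["slack_nonzero"] or f["slack_length"] > 7
               for f in scan_certificate_table(table))


# --- constructed samples: stand-ins, not a real signature or a real binary ---
def _entry(body: bytes) -> bytes:
    raw = WIN_CERT_HEADER.pack(WIN_CERT_HEADER.size + len(body),
                               WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    return raw + b"\x00" * (-len(raw) % 8)


FAKE_PKCS7 = b"\x30\x82\x00\x14" + bytes(range(1, 21))   # SEQUENCE of 20 bytes, 24 total
CLEAN_TABLE = _entry(FAKE_PKCS7)
TAMPERED_TABLE = _entry(FAKE_PKCS7 + b"CONSTRUCTED PAYLOAD BYTES")


def pe_stub_with_table(table: bytes) -> bytes:
    """Minimal PE32+ header stub (not loadable) whose Security directory points at table."""
    hdr = bytearray(0x100)
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x58, 0x20B)                      # PE32+ magic
    struct.pack_into("<II", hdr, 0x58 + 112 + 32, len(hdr), len(table))
    return bytes(hdr) + table


if __name__ == "__main__":
    for name, tbl in (("clean", CLEAN_TABLE), ("tampered", TAMPERED_TABLE)):
        print(name, table_is_suspicious(tbl), scan_certificate_table(tbl))
```

    On a real file, pass the bytes of the file to `extract_certificate_table` and the result to `table_is_suspicious`. The check covers bytes appended after the PKCS#7 blob or stored in extra entries; it does not inspect the inside of the SignedData structure, where unauthenticated fields can also carry data, so it complements rather than replaces a proper signature verification.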

Comments • 7

  • @VikasMusic
    @VikasMusic 8 years ago +8

    So, you put your code in a signed executable's metadata, and then run an UNSIGNED loader to execute the code from the metadata? okay....

    • @TheM4v3r1cX
      @TheM4v3r1cX 8 years ago +1

      No, it's the other way around. You can execute the code in a normal PE like any other executable since it's signed. BUT from these signed executables you can create an unsigned loader for more stuff.

    • @VikasMusic
      @VikasMusic 8 years ago

      Nah, he explains it about 17 minutes in: You put the payload you want to execute in the metadata, and then you have to run a loader to run it, because normal executables don't execute the metadata.

  • @kevinjohnson4442
    @kevinjohnson4442 8 years ago

    How the fuck do you store code within a file without changing its hash!? Oh, that's how you store code within a file without changing its hash.

    • @younesmohssen8158
      @younesmohssen8158 2 years ago

      I still don’t really get it. Is it because the payload is only getting executed from memory?