So I understand that Microsoft digitally signs most of its core executables and you can use tools like Process Explorer to verify if a process is indeed signed by Microsoft. So my question is this:
Is there any way to alter a file, replace it with the valid one but still be able to somehow digitally sign it to avoid detection?
5 Responses
As far as I know, you'd have to get a hold of the private key MS uses to sign their executables. And should that ever happen, you could be sure they'd invalidate it, pronto. You could spoof a signature claiming to be MS, but you'd have to manage to install your own certificate authority on the target's machine. Still, even that would only fool someone reading the cert (not any of the built-in checks).
Makes sense. In either case it sounds like it would be more trouble than it's worth; a different route would be more suitable. Thanks for the response.
That's basically the point of certs, just like HTTPS.
The certificates are stored as hashes. NSA has used hash collisions of legitimate Microsoft certificates to digitally sign malicious executables.
OTW: Hmm, so essentially the idea is to have some certs, hash them and use the one that matches. Similar to rainbow tables then, makes sense. Thanks for the reply and for always helping out this forum.
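A defender-side check that follows from the two replies above (the locally installed CA scenario and the weak-hash certificate scenario). This is an added example, not code from the thread: it verifies the Authenticode signature, pins the chain's root to thumbprints you trust so a CA dropped into the local store does not pass, and flags any issued certificate in the chain signed under MD5 or SHA-1. The root thumbprint list is a placeholder to fill in from a known-good machine.

```powershell
# Added example, not from the thread. Save as Check-Signature.ps1 and run:
#   .\Check-Signature.ps1 -Path C:\Windows\System32\notepad.exe
param(
    [Parameter(Mandatory)] [string] $Path,
    # PLACEHOLDER: replace with the SHA-1 thumbprints of the Microsoft root
    # certificates you actually trust, read from a known-good machine.
    [string[]] $TrustedRootThumbprints = @('<MICROSOFT-ROOT-THUMBPRINT-PLACEHOLDER>')
)

# Certificate signature algorithms considered collision-prone.
$weakAlgorithms = @('md5RSA', 'sha1RSA')

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    # Covers NotSigned, HashMismatch (file altered after signing) and NotTrusted.
    Write-Output "FAIL: $Path - $($sig.Status): $($sig.StatusMessage)"
    return
}

# Rebuild the chain ourselves so every link can be inspected, not just the leaf.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'Online'
$null = $chain.Build($sig.SignerCertificate)

$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
$root = $elements[-1]

# A rogue CA installed in the local store still yields Status 'Valid',
# so the root must be pinned rather than merely "trusted by this machine".
if ($TrustedRootThumbprints -notcontains $root.Thumbprint) {
    Write-Output "FAIL: chain ends in unpinned root '$($root.Subject)' ($($root.Thumbprint))"
    return
}

# Check issued certificates only; a root's self-signature algorithm is irrelevant.
$issued = if ($elements.Count -gt 1) { $elements[0..($elements.Count - 2)] } else { @() }
$weak = $issued | Where-Object { $weakAlgorithms -contains $_.SignatureAlgorithm.FriendlyName }
if ($weak) {
    Write-Output "FAIL: weak digest in chain: $(($weak | ForEach-Object { $_.Subject }) -join '; ')"
    return
}

Write-Output "PASS: $Path signed by '$($sig.SignerCertificate.Subject)', root '$($root.Subject)'"
```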