Forum Thread: Is It Possible to Digitally Sign an Altered Microsoft Executable?

So I understand that Microsoft digitally signs most of its core executables and you can use tools like Process Explorer to verify if a process is indeed signed by Microsoft. So my question is this:

Is there any way to alter a file, replace it with the valid one, but still be able to somehow digitally sign it to avoid detection?


5 Responses

As far as I know, you'd have to get hold of the private key MS uses to sign their executables. And should that ever happen, you could be sure they'd invalidate it, pronto. You could spoof a signature claiming to be MS, but you'd have to manage to install your own certificate authority on the target's machine. Still, even that would only fool someone reading the cert (not any of the built-in checks).
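The reply above draws the line a defender cares about: an altered binary fails the hash check, and a signature from a locally installed CA only looks like Microsoft to a human reading the cert. The following PowerShell script is an added example (not code from this thread or from Null Byte) that checks the images of running processes for both cases; `$TrustedRootThumbprints` is a placeholder allowlist you fill with the thumbprints of the Microsoft root CAs you expect, and `Test-ImageSignature` is a name chosen here.

```powershell
# Added example: verify the Authenticode signature of every running process image
# and report anything that is not validly signed under an expected root.
# Placeholder: fill with the thumbprints of the Microsoft root CAs you trust.
$TrustedRootThumbprints = @(
    'PLACEHOLDER-MICROSOFT-ROOT-THUMBPRINT'
)

function Test-ImageSignature {
    param([Parameter(Mandatory)][string]$Path)

    # On Windows 8 and later this also consults catalog signatures, which is how
    # many OS binaries are signed.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'HashMismatch' is the altered-file case from the question: the bytes no
    # longer match the signed hash. 'NotSigned' and 'NotTrusted' are the others
    # worth reporting; anything other than 'Valid' is returned as-is.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path = $Path; Verdict = $sig.Status.ToString(); Signer = $null; Root = $null
        }
    }

    # 'Valid' only means the chain ends in *some* root this machine trusts.
    # Rebuild the chain and compare the root to the allowlist so a rogue CA
    # installed locally does not pass as Microsoft.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; enable if you need revocation
    $null = $chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $verdict = if ($TrustedRootThumbprints -contains $root.Thumbprint) {
        'Valid-KnownRoot'
    } else {
        'Valid-UnexpectedRoot'
    }

    [pscustomobject]@{
        Path    = $Path
        Verdict = $verdict
        Signer  = $sig.SignerCertificate.Subject
        Root    = $root.Subject
    }
}

# Report every image that is not validly signed under an expected root.
Get-Process | Where-Object Path | Select-Object -ExpandProperty Path -Unique |
    ForEach-Object { Test-ImageSignature -Path $_ } |
    Where-Object Verdict -ne 'Valid-KnownRoot' |
    Format-Table -AutoSize
```

Run it from an elevated prompt so the image paths of system processes are readable; an empty table means every process image checked out.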

Makes sense; in either case, it sounds like it would be more trouble than it's worth. A different route would be more suitable. Thanks for the response.

That's basically the point of certs, just like HTTPS.

The certificates are stored as hashes. NSA has used hash collisions of legitimate Microsoft certificates to digitally sign malicious executables.

OTW: Hmm, so essentially the idea is to have some certs, hash them, and use the one that matches. Similar to rainbow tables then, makes sense. Thanks for the reply and for always helping out this forum.
