Malware Binary Signing & Metadata Modification

Malware Binary Signing

Security solutions will still scan a signed executable, but an unsigned binary would have attracted additional scrutiny.

Purchased Certificate

https://www.digicert.com/

The most reliable way is to purchase a code-signing certificate from a trusted vendor.

Self-signed certificate

To create a self-signed certificate, first generate the required PEM files (a private key and a certificate):

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365

Next, bundle the key and certificate into a PFX (PKCS#12) file, which is the format signtool expects:

openssl pkcs12 -inkey key.pem -in cert.pem -export -out sign.pfx

Then install signtool.exe (it is part of the Windows SDK; download it here: https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/) and sign the binary:

signtool sign /f sign.pfx /p <pfx-password> /t http://timestamp.digicert.com /fd sha256 binary.exe

Malware Metadata Modification

The goal is to make the malicious binary appear as ordinary as possible to blue teamers, although this may not directly decrease the likelihood of detection.

Metadata Modification

First, open up Visual Studio and create a new solution.

Right-click the project and select 'Add' > 'New Item'.

Add a new resource file to the project.

Exit the resource viewer, right-click the resource file and select 'Open With' > 'Source Code (Text) Editor'.

Scroll down to the bottom of the file and insert the following contents:

1 VERSIONINFO
 FILEVERSION 112,0,5615,88 // File version separated by commas
 PRODUCTVERSION 1,0,0,0
 FILEFLAGSMASK 0x0L
#ifdef _DEBUG
 FILEFLAGS 0x1L
#else
 FILEFLAGS 0x0L
#endif
 FILEOS 0x0L
 FILETYPE 0x0L
 FILESUBTYPE 0x0L
BEGIN
    BLOCK "StringFileInfo"
    BEGIN
        BLOCK "040904B0"
        BEGIN
            // Modify the values below
            VALUE "CompanyName", "Google LLC."
            VALUE "FileDescription", "Google Chrome"
            VALUE "InternalName", "Chrome"
            VALUE "LegalCopyright", "Copyright 2023 Google LLC."
            VALUE "OriginalFilename", "chrome.exe"
            VALUE "ProductName", "Google Chrome"
            VALUE "ProductVersion", "112.0.5615.86"
        END
    END
    BLOCK "VarFileInfo"
    BEGIN
        VALUE "Translation", 0x409, 1200
    END
END

Finally, build the solution and view the properties of the newly compiled binary.

Binary Icon

First, download the desired .ico file.

Next, place the file in the same location where the .sln file is located.

In the resource file, insert the following lines:

// chrome.ico is the name of the icon from the previous step
IDI_ICON1 ICON "chrome.ico"

Finally, build the solution and the binary should now have an icon.
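From the defensive side, everything this page changes is visible in two places: the Authenticode signature that signtool attaches, and the version resource populated by the VERSIONINFO block. The PowerShell function below is an added example, not part of the original page, that reads both with the built-in Get-AuthenticodeSignature cmdlet and the FileVersionInfo property and flags the combinations the procedures above produce: a signer whose chain does not end in a trusted root (what the openssl self-signed certificate yields unless its root is imported), a self-signed subject, a missing timestamp, a CompanyName string that the signer certificate's subject does not mention, and an OriginalFilename that differs from the name on disk. The file and directory paths are placeholders; the checks are heuristics, so a finding is a reason to look closer rather than a verdict.

```powershell
# Added example (not from the original page): inspect a PE's Authenticode
# signature and version-resource metadata together and report mismatches.
# Assumes Windows PowerShell 5.1 or later; $Path is a placeholder you replace.

function Test-BinaryProvenance {
    param([Parameter(Mandatory)][string]$Path)

    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $info     = (Get-Item -LiteralPath $Path).VersionInfo
    $findings = @()

    # Status is 'Valid' only when the chain terminates in a trusted root.
    # A certificate created with 'openssl req -x509' that was never imported
    # into the Trusted Root store reports 'UnknownError' with an untrusted-root
    # message; a file with no signature at all reports 'NotSigned'.
    switch ($sig.Status) {
        'Valid'     { }
        'NotSigned' { $findings += 'File is not signed' }
        default     { $findings += "Signature not trusted: $($sig.Status) - $($sig.StatusMessage)" }
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate

        # Self-signed certificates have identical subject and issuer DNs.
        if ($cert.Subject -eq $cert.Issuer) {
            $findings += "Signer certificate is self-signed: $($cert.Subject)"
        }

        # A countersignature from a timestamp authority (signtool /t) is expected
        # on production code; its absence is worth noting.
        if (-not $sig.TimeStamperCertificate) {
            $findings += 'Signature is not timestamped'
        }

        # The vendor claimed in VERSIONINFO should appear in the signer's subject.
        # Trailing punctuation is stripped so 'Google LLC.' still matches 'Google LLC'.
        $claimed = ($info.CompanyName -replace '[.,\s]+$', '')
        if ($claimed -and $cert.Subject -notmatch [regex]::Escape($claimed)) {
            $findings += "CompanyName '$($info.CompanyName)' not found in signer subject '$($cert.Subject)'"
        }
    } elseif ($info.CompanyName) {
        $findings += "Unsigned file claims CompanyName '$($info.CompanyName)'"
    }

    # An OriginalFilename that does not match the on-disk name is a common tell
    # (legitimate renames exist, so treat this as a hint, not proof).
    $leaf = Split-Path -Leaf $Path
    if ($info.OriginalFilename -and $info.OriginalFilename -ne $leaf) {
        $findings += "OriginalFilename '$($info.OriginalFilename)' differs from on-disk name '$leaf'"
    }

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        CompanyName     = $info.CompanyName
        ProductName     = $info.ProductName
        FileVersion     = $info.FileVersion
        ProductVersion  = $info.ProductVersion
        Findings        = $findings
    }
}

# Usage (paths are placeholders):
# Test-BinaryProvenance -Path 'C:\samples\binary.exe'
#
# Sweep a directory and keep only files that produced findings:
# Get-ChildItem 'C:\samples' -Filter *.exe -Recurse |
#     ForEach-Object { Test-BinaryProvenance -Path $_.FullName } |
#     Where-Object { $_.Findings.Count -gt 0 }
```

The same chain check from the command line is `signtool verify /pa /v binary.exe`, which prints the full certificate chain and fails for a root that is not trusted; the function above adds the metadata comparison that signtool does not perform.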
