| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269 |
- #!/usr/bin/env python3
- # LICENSE: BSD-3
- # Copyright: Josh Pitts @midnite_runr
- import sys
- import struct
- import shutil
- import io
- from optparse import OptionParser
- def gather_file_info_win(binary):
- """
- Borrowed from BDF...
- I could just skip to certLOC... *shrug*
- """
- flItms = {}
- binary = open(binary, 'rb')
- binary.seek(int('3C', 16))
- flItms['buffer'] = 0
- flItms['JMPtoCodeAddress'] = 0
- flItms['dis_frm_pehdrs_sectble'] = 248
- flItms['pe_header_location'] = struct.unpack('<i', binary.read(4))[0]
- # Start of COFF
- flItms['COFF_Start'] = flItms['pe_header_location'] + 4
- binary.seek(flItms['COFF_Start'])
- flItms['MachineType'] = struct.unpack('<H', binary.read(2))[0]
- binary.seek(flItms['COFF_Start'] + 2, 0)
- flItms['NumberOfSections'] = struct.unpack('<H', binary.read(2))[0]
- flItms['TimeDateStamp'] = struct.unpack('<I', binary.read(4))[0]
- binary.seek(flItms['COFF_Start'] + 16, 0)
- flItms['SizeOfOptionalHeader'] = struct.unpack('<H', binary.read(2))[0]
- flItms['Characteristics'] = struct.unpack('<H', binary.read(2))[0]
- #End of COFF
- flItms['OptionalHeader_start'] = flItms['COFF_Start'] + 20
- #if flItms['SizeOfOptionalHeader']:
- #Begin Standard Fields section of Optional Header
- binary.seek(flItms['OptionalHeader_start'])
- flItms['Magic'] = struct.unpack('<H', binary.read(2))[0]
- flItms['MajorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
- flItms['MinorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
- flItms['SizeOfCode'] = struct.unpack("<I", binary.read(4))[0]
- flItms['SizeOfInitializedData'] = struct.unpack("<I", binary.read(4))[0]
- flItms['SizeOfUninitializedData'] = struct.unpack("<I",
- binary.read(4))[0]
- flItms['AddressOfEntryPoint'] = struct.unpack('<I', binary.read(4))[0]
- flItms['PatchLocation'] = flItms['AddressOfEntryPoint']
- flItms['BaseOfCode'] = struct.unpack('<I', binary.read(4))[0]
- if flItms['Magic'] != 0x20B:
- flItms['BaseOfData'] = struct.unpack('<I', binary.read(4))[0]
- # End Standard Fields section of Optional Header
- # Begin Windows-Specific Fields of Optional Header
- if flItms['Magic'] == 0x20B:
- flItms['ImageBase'] = struct.unpack('<Q', binary.read(8))[0]
- else:
- flItms['ImageBase'] = struct.unpack('<I', binary.read(4))[0]
- flItms['SectionAlignment'] = struct.unpack('<I', binary.read(4))[0]
- flItms['FileAlignment'] = struct.unpack('<I', binary.read(4))[0]
- flItms['MajorOperatingSystemVersion'] = struct.unpack('<H',
- binary.read(2))[0]
- flItms['MinorOperatingSystemVersion'] = struct.unpack('<H',
- binary.read(2))[0]
- flItms['MajorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
- flItms['MinorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
- flItms['MajorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
- flItms['MinorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
- flItms['Win32VersionValue'] = struct.unpack('<I', binary.read(4))[0]
- flItms['SizeOfImageLoc'] = binary.tell()
- flItms['SizeOfImage'] = struct.unpack('<I', binary.read(4))[0]
- flItms['SizeOfHeaders'] = struct.unpack('<I', binary.read(4))[0]
- flItms['CheckSum'] = struct.unpack('<I', binary.read(4))[0]
- flItms['Subsystem'] = struct.unpack('<H', binary.read(2))[0]
- flItms['DllCharacteristics'] = struct.unpack('<H', binary.read(2))[0]
- if flItms['Magic'] == 0x20B:
- flItms['SizeOfStackReserve'] = struct.unpack('<Q', binary.read(8))[0]
- flItms['SizeOfStackCommit'] = struct.unpack('<Q', binary.read(8))[0]
- flItms['SizeOfHeapReserve'] = struct.unpack('<Q', binary.read(8))[0]
- flItms['SizeOfHeapCommit'] = struct.unpack('<Q', binary.read(8))[0]
- else:
- flItms['SizeOfStackReserve'] = struct.unpack('<I', binary.read(4))[0]
- flItms['SizeOfStackCommit'] = struct.unpack('<I', binary.read(4))[0]
- flItms['SizeOfHeapReserve'] = struct.unpack('<I', binary.read(4))[0]
- flItms['SizeOfHeapCommit'] = struct.unpack('<I', binary.read(4))[0]
- flItms['LoaderFlags'] = struct.unpack('<I', binary.read(4))[0] # zero
- flItms['NumberofRvaAndSizes'] = struct.unpack('<I', binary.read(4))[0]
- # End Windows-Specific Fields of Optional Header
- # Begin Data Directories of Optional Header
- flItms['ExportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
- flItms['ExportTableSize'] = struct.unpack('<I', binary.read(4))[0]
- flItms['ImportTableLOCInPEOptHdrs'] = binary.tell()
- #ImportTable SIZE|LOC
- flItms['ImportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
- flItms['ImportTableSize'] = struct.unpack('<I', binary.read(4))[0]
- flItms['ResourceTable'] = struct.unpack('<Q', binary.read(8))[0]
- flItms['ExceptionTable'] = struct.unpack('<Q', binary.read(8))[0]
- flItms['CertTableLOC'] = binary.tell()
- flItms['CertLOC'] = struct.unpack("<I", binary.read(4))[0]
- flItms['CertSize'] = struct.unpack("<I", binary.read(4))[0]
- binary.close()
- return flItms
- def copyCert(exe):
- flItms = gather_file_info_win(exe)
- if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
- # not signed
- print("Input file Not signed!")
- sys.exit(-1)
- with open(exe, 'rb') as f:
- f.seek(flItms['CertLOC'], 0)
- cert = f.read(flItms['CertSize'])
- return cert
- def writeCert(cert, exe, output):
- flItms = gather_file_info_win(exe)
-
- if not output:
- output = output = str(exe) + "_signed"
- shutil.copy2(exe, output)
-
- print("Output file: {0}".format(output))
- with open(exe, 'rb') as g:
- with open(output, 'wb') as f:
- f.write(g.read())
- f.seek(0)
- f.seek(flItms['CertTableLOC'], 0)
- f.write(struct.pack("<I", len(open(exe, 'rb').read())))
- f.write(struct.pack("<I", len(cert)))
- f.seek(0, io.SEEK_END)
- f.write(cert)
- print("Signature appended. \nFIN.")
- def outputCert(exe, output):
- cert = copyCert(exe)
- if not output:
- output = str(exe) + "_sig"
- print("Output file: {0}".format(output))
- open(output, 'wb').write(cert)
- print("Signature ripped. \nFIN.")
- def check_sig(exe):
- flItms = gather_file_info_win(exe)
-
- if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
- # not signed
- print("Inputfile Not signed!")
- else:
- print("Inputfile is signed!")
- def truncate(exe, output):
- flItms = gather_file_info_win(exe)
-
- if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
- # not signed
- print("Inputfile Not signed!")
- sys.exit(-1)
- else:
- print( "Inputfile is signed!")
- if not output:
- output = str(exe) + "_nosig"
- print("Output file: {0}".format(output))
- shutil.copy2(exe, output)
- with open(output, "r+b") as binary:
- print('Overwriting certificate table pointer and truncating binary')
- binary.seek(-flItms['CertSize'], io.SEEK_END)
- binary.truncate()
- binary.seek(flItms['CertTableLOC'], 0)
- binary.write(b"\x00\x00\x00\x00\x00\x00\x00\x00")
- print("Signature removed. \nFIN.")
- def signfile(exe, sigfile, output):
- flItms = gather_file_info_win(exe)
-
- cert = open(sigfile, 'rb').read()
- if not output:
- output = output = str(exe) + "_signed"
- shutil.copy2(exe, output)
-
- print("Output file: {0}".format(output))
-
- with open(exe, 'rb') as g:
- with open(output, 'wb') as f:
- f.write(g.read())
- f.seek(0)
- f.seek(flItms['CertTableLOC'], 0)
- f.write(struct.pack("<I", len(open(exe, 'rb').read())))
- f.write(struct.pack("<I", len(cert)))
- f.seek(0, io.SEEK_END)
- f.write(cert)
- print("Signature appended. \nFIN.")
- if __name__ == "__main__":
- usage = 'usage: %prog [options]'
- print("\n\n!! New Version available now for Dev Tier Sponsors! Sponsor here: https://github.com/sponsors/secretsquirrel\n\n")
- parser = OptionParser()
- parser.add_option("-i", "--file", dest="inputfile",
- help="input file", metavar="FILE")
- parser.add_option('-r', '--rip', dest='ripsig', action='store_true',
- help='rip signature off inputfile')
- parser.add_option('-a', '--add', dest='addsig', action='store_true',
- help='add signautre to targetfile')
- parser.add_option('-o', '--output', dest='outputfile',
- help='output file')
- parser.add_option('-s', '--sig', dest='sigfile',
- help='binary signature from disk')
- parser.add_option('-t', '--target', dest='targetfile',
- help='file to append signature to')
- parser.add_option('-c', '--checksig', dest='checksig', action='store_true',
- help='file to check if signed; does not verify signature')
- parser.add_option('-T', '--truncate', dest="truncate", action='store_true',
- help='truncate signature (i.e. remove sig)')
- (options, args) = parser.parse_args()
-
- # rip signature
- # inputfile and rip to outputfile
- if options.inputfile and options.ripsig:
- print("Ripping signature to file!")
- outputCert(options.inputfile, options.outputfile)
- sys.exit()
- # copy from one to another
- # inputfile and rip to targetfile to outputfile
- if options.inputfile and options.targetfile:
- cert = copyCert(options.inputfile)
- writeCert(cert, options.targetfile, options.outputfile)
- sys.exit()
- # check signature
- # inputfile
- if options.inputfile and options.checksig:
- check_sig(options.inputfile)
- sys.exit()
- # add sig to target file
- if options.targetfile and options.sigfile:
- signfile(options.targetfile, options.sigfile, options.outputfile)
- sys.exit()
-
- # truncate
- if options.inputfile and options.truncate:
- truncate(options.inputfile, options.outputfile)
- sys.exit()
- parser.print_help()
- parser.error("You must do something!")
|
