SigThief - Stealing Signatures and Making One Invalid Signature at a Time

  •        80

I've noticed during testing against Anti-Virus over the years that each is different and each prioritize PE signatures differently, whether the signature is valid or not. There are some Anti-Virus vendors that give priority to certain certificate authorities without checking that the signature is actually valid, and there are those that just check to see that the certTable is populated with some value. It's a mess. So I'm releasing this tool to let you quickly do your testing and feel free to report it to vendors or not.

https://github.com/secretsquirrel/SigThief

Tags
Implementation
License
Platform

   




Related Projects

Manalyze - A static analyzer for PE executables.

  •    C++

My work on Manalyze started when my antivirus tried to quarantine my malware sample collection for the thirtieth time. It is also born from my increasing frustration with AV products which make decisions without ever explaining why they deem a file malicious. Obviously, most people are better off having an antivirus decide what's best for them. But it seemed to me that expert users (i.e. malware analysts) could use a tool which would analyze a PE executable, provide as many data as possible, and leave the final call to them. If you want to see some sample reports generated by the tool, feel free to try out the web service I created for it: manalyzer.org.

SpookFlare - Loader, dropper generator with multiple features for bypassing client-side and network-side countermeasures

  •    Python

SpookFlare has a different perspective to bypass security measures and it gives you the opportunity to bypass the endpoint countermeasures at the client-side detection and network-side detection. SpookFlare is a loader/dropper generator for Meterpreter, Empire, Koadic etc. SpookFlare has obfuscation, encoding, run-time code compilation and character substitution features. So you can bypass the countermeasures of the target systems like a boss until they "learn" the technique and behavior of SpookFlare payloads. Special thanks to the following projects and contributors.

ClamWin Free Antivirus

  •    C++

Looking for free Open Source Antivirus for Windows? Download ClamWin Free Antivirus and get free virus scanning and free virus definition updates. Free Antivirus software for Windows, using the well-respected ClamAV scanning engine. Includes virus scanner, scheduler, virus database updates, context menu integration to MS Windows Explorer and Add-in to MS Outlook. Also features easy setup program.

Moon Secure Antivirus

  •    Delphi

Moon Secure Antivirus aims to be the best Free Antivirus for Windows under GPL license. It offers multiple scan engines, Net shield, Firewall, On access, on Exec scanner and rootkits preventions plus features from Commercial Antivirus applications.


pe-sieve - Scans a given process

  •    C++

PE-sieve is a light-weight tool that helps to detect malware running on the system, as well as to collect the potentially malicious material for further analysis. Recognizes and dumps variety of implants within the scanned process: replaced/injected PEs, shellcodes, hooks, and other in-memory patches. Detects inline hooks, Process Hollowing, Process Doppelgänging, Reflective DLL Injection, etc.

phishing_catcher - Phishing catcher using Certstream

  •    Python

Catching malicious phishing domain names using certstream SSL certificates live stream. The script should work fine using Python2 or Python3.

sharkey - Sharkey is a service for managing certificates for use by OpenSSH

  •    Go

Sharkey is a service for managing certificates for use by OpenSSH.Sharkey has a client component and a server component. The server is responsible for issuing signed host certificates, the client is responsible for installing host certificates on machines. Sharkey builds on the trust relationships of your existing X.509 PKI to manage trusted SSH certificates. Existing X.509 certificates can be minted into SSH certificates, so you don't have to maintain two separate PKI hierarchies.

Haze Anti-Virus

  •    CSharp

Haze Anti-Virus is a anti virus written in native C++, it uses signatures and heuristics scanning. This antivirus is aimed at providing all users with a secure computer enviroment, by making it as simple to use but still packs even more features than other complex antivirus so...

HERCULES - HERCULES is a special payload generator that can bypass antivirus softwares.

  •    Go

HERCULES is a customizable payload generator that can bypass antivirus software. WARNING: Don't change the location of the HERCULES folder.

python-certifi - (Python Distribution) A carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts

  •    Python

Certifi is a carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. It has been extracted from the Requests project. Browsers and certificate authorities have concluded that 1024-bit keys are unacceptably weak for certificates, particularly root certificates. For this reason, Mozilla has removed any weak (i.e. 1024-bit key) certificate from its bundle, replacing it with an equivalent strong (i.e. 2048-bit or greater key) certificate from the same CA. Because Mozilla removed these certificates from its bundle, certifi removed them as well.

habu - Python Network Hacking Toolkit

  •    Python

I'm developing Habu to teach (and learn) some concepts about Python and Network Hacking. These are basic functions that help with some tasks for Ethical Hacking and Penetration Testing.

yapep

  •    

yaPEp: Yet another PE Parser yaPEp is a Portable Executable (PE) parsing tool written in C to dump and display PE related information such as exports, imports, debug information, and other PE header information.

Registry Editor PE

  •    

Registry Editor PE is a plugin for Bart's PE Builder which allows for easy editing of remote registry hives and user profiles. A user booting from a Bart's PE CD can easily make changes to the Windows registry without having to boot into Windows.

gonzales-pe - CSS parser with support of preprocessors

  •    Javascript

Gonzales PE is a CSS parser which plays nicely with preprocessors. Currently those are supported: SCSS, Sass, LESS. Try out Gonzales PE online: Gonzales PE Playground. The different type of tree nodes can be found in docs/node-types.md.

Amber - Reflective PE packer.

  •    Assembly

amber is a reflective PE packer for bypassing security products and mitigations. It can pack regularly compiled PE files into reflective payloads that can load and execute itself like a shellcode. It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products and application white-listing mitigations. If you want to learn more about the packing methodology used inside amber check out below. For more detail about usage, installation and how to decrease detection rate check out WIKI. Developed By Ege Balcı from INVICTUS/PRODAFT.

mkcert - A simple zero-config tool to make locally trusted development certificates with any names you'd like

  •    Go

mkcert is a simple tool for making locally-trusted development certificates. It requires no configuration. Using certificates from real certificate authorities (CAs) for development can be dangerous or impossible (for hosts like localhost or 127.0.0.1), but self-signed certificates cause trust errors. Managing your own CA is the best solution, but usually involves arcane commands, specialized knowledge and manual steps.

WebTst

  •    Perl

WebTst is a perl/Apache Web development test infrastructure.Implements a proxy which records testers actions (http, https),replaying them during testing.Supports digital certificates,concurrency testing,pre-built tests,test suites for regression testing.

OWASP-Xenotix-XSS-Exploit-Framework - OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework

  •    Python

OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1500+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes highly offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

PSAttack - A portable console aimed at making pentesting with PowerShell a little easier.

  •    CSharp

A portable console aimed at making pentesting with PowerShell a little easier. PS>Attack combines some of the best projects in the infosec powershell community into a self contained custom PowerShell console. It's designed to make it easy to use PowerShell offensively and to evade antivirus and Incident Response teams. It does this with in a couple of ways.