已经签名的PE文件原则来说不再修改的,但总有需求要添加些数据在PE文件中,为了更文件分发等。经研究发现,签名的PE文件也是可以修改或追加数据的,当然追加的数据只能是纯数据,比如相关配置信息,或安装包的附加数据等。
我们先来看一下签名文件的格式及数据校验范围,此图引用自Microsoft的关于PE文件签名的文档[REF1]:
其中灰色部分是不进行签名校验的数据,但这三部分只有第三个区域才有追加数据的可能,因为第一部分是4个字节,是PE文件自有的校验数据,有兴趣的同学可以参阅 REF2;第二部分是PE文件头的数据目录,其结构是固定的8个字节(前4字节为偏移,后4字节为长度)。第三部分是签名数据部分,经有限观察,长度在3K字节左右。
实际实用中,最后“Remaining content”这部分并存在,签名数据就已经在文件尾了,所以这就给我们在签名数据中(亦是文件尾)加入我们自定义数据的可能。
下面不妨做个实验,以Intel显卡驱动igdkmd64.sys为例:
签名信息如下:
然后我们添加16个字符至文件尾:
检查下文件长度,从3,828,152变为3,828,168:
此时右键打开文件属性就会发现签名信息认证没有了:
之后,我们还要修改数据目录,以增大签名数据区的大小。用PE Tool 1.0.0.5打开igdkmd64.sys,查看数据目录部分:
所以我们只需要将文件偏移0x000001d0处的目录项中的长度从0x29B8改成029C8即可,即增加了16字节。修改好再来看文件属性,此时签名项的tab又出现了,即说明通过了Windows的签名检测:
不妨再用Windows签名工具检验一次,以确保签名数据的有效:
自此足以说明签过名的文件是可以修改的,当然只能做有限修改。对应用层PE程序,以上的修改便已足够,但对驱动程序来说,还要做一件事情,就是更新PE文件头的校验和。相关工具可以参见[REF2]中的工具,也可以通过我写了小程序[REF3]做校验和计算。
将新计算出的校验和 0x003A7A63更新至文件偏移0x180处即可,然后就可以用新文件替换掉老的,重启系统即可以加载新修改后的驱动了。
参考资料: REF1: Windows Authenticode Portable Executable Signature Format, Version 1.0 — March 21, 2008 http://www.microsoft.com/whdc/winlogo/drvsign/Authenticode_PE.mspx REF2: An Analysis of the Windows PE Checksum Algorithm by Jeffrey Walton http://www.codeproject.com/Articles/19326/An-Analysis-of-the-Windows-PE-Checksum-Algorithm REF3: PECheckSum: http://dynox.cn/soft/PECheckSum.zip
Just downloaded the soxo66app. Seems pretty slick! Hopefully it pays out better than my last punt. Wish me luck, lads!
Just had a spin on 70bet12. Not too shabby, not too shabby at all! Might give it another go later.
The w388app works great on my phone. Easy to navigate and place bets quickly. A must-have if you’re always on the move. Download the app here: w388app
I’ve been using kq net 9 from Ketqua04.info, it’s pretty decent for quick lotto updates. Super easy to find what I need fast. Have a look: kq net 9
Ketqua04.info is a decent site for checking lottery results. Quick and easy to use! Give it a try: https://ketqua04
I like Ketqua04.info, it’s pretty good for keeping up with the lotto. UI is clean and easy to grasp. Check them out: https://ketqua04
Heard W88 is running some ‘khuyến mãi w88’! Anyone know what the deals are? Need to check that out! khuyến mãi w88
Just saw an ad for adsbet88. Anyone using them? What’s the lowdown? adsbet88
Yo, I’ve been checking out ph33 and it seems legit. Anyone else had a good experience there? Looking for some real reviews before I dive in!
$175/day for posting photos on Instagram ! No other social media can bring as much engagement to your brand’s name as Instagram can. That’s why many businesses nowadays hopped on the bandwagon and are trying their best to be active on it. And that’s where they started needing ordinary folks like you and me to manage posting photos and videos of their products on their Instagram pages. You can find more info here: http://social-media-jobs.advertising4you.co.uk