Binary Properties and Code Signing
Most legitimate binaries have some sort of properties attached to them. As we can see with ntdll.dll, this binary has many properties that make it look legitimate:
But with a freshly compiled binary, we see this:
We see a lot of empty fields, which can be flagged as suspicious. Filling in these fields makes our binary look more legitimate and more likely to pass under the radar.
To fill out the empty fields, we can use Resource Hacker.
To do this, click the File tab and open the executable whose empty fields we want to fill in:
Then import the binary you want to clone the module details from by clicking here and selecting that binary:
Then tick the Version Info box:
You should now see something like this. You can modify the descriptions and values to fit whatever you are doing, but for now we are just going to stick with this:
After that, we can click the save button to save our file.
Let's then check out the properties of our modified PE file:
Tada! We have now filled in the binary properties of our executable.
The next issue I want to discuss is code signing. Some AV engines may flag unsigned binaries as suspicious, because most legitimate binaries in Windows 10 are already code-signed.
We can see that our PE file does not have a code-signing tab in its properties:
But binaries like ntdll.dll have one:
To sign a binary, we will need a certificate authority and a code-signing certificate.
Let's first make the self-signed CA:
makecert -r -pe -n "CN=Malwr CA" -ss CA -sr CurrentUser -a sha256 -cy authority -sky signature -sv MalwrCA.pvk MalwrCA.cer
Then make the self-signed cert:
makecert -pe -n "CN=Malwr Cert" -a sha256 -cy end -sky signature -ic MalwrCA.cer -iv MalwrCA.pvk -sv MalwrCert.pvk MalwrCert.cer
Convert it to PFX:
pvk2pfx -pvk MalwrCert.pvk -spc MalwrCert.cer -pfx MalwrCert.pfx
And then sign our binary with it:
signtool sign /v /f MalwrCert.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll <executable>
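As an added defender-side check (not part of the original post), the PowerShell function below looks at the same two traits the text discusses, an empty version resource and a missing or untrusted signature, and adds the tell-tale of cloned metadata: version info that names one publisher while the certificate names another. It assumes Windows PowerShell 5.1 or later; `.\sample.exe` is a placeholder path.

```powershell
# Added example, not from the original post: a defender-side triage check for the
# two traits discussed above (empty version resource, untrusted or absent signature)
# plus the tell-tale of cloned metadata: version info that names one publisher
# while the certificate names another. Requires Windows PowerShell 5.1+.
function Test-PeProvenance {
    param([Parameter(Mandatory)][string]$Path)

    $ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $findings = @()

    # 1. The "freshly compiled" look: no CompanyName or FileDescription at all.
    if ([string]::IsNullOrWhiteSpace($ver.CompanyName) -and
        [string]::IsNullOrWhiteSpace($ver.FileDescription)) {
        $findings += 'Version resource has no CompanyName/FileDescription'
    }

    # 2. Signature check. A certificate issued by a self-signed CA that is not in
    #    the machine's Trusted Root store does not produce 'Valid'; typical results
    #    are NotSigned, or UnknownError with a "terminated in a root certificate
    #    which is not trusted" message. Any non-Valid status is worth a look.
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status $($sig.Status): $($sig.StatusMessage)"
    }

    # 3. Cloned metadata: compare the signer's O= attribute with CompanyName.
    #    (Heuristic: splitting the subject on commas ignores escaped commas.)
    if ($sig.SignerCertificate -and -not [string]::IsNullOrWhiteSpace($ver.CompanyName)) {
        $org = ($sig.SignerCertificate.Subject -split ',\s*' |
                Where-Object { $_ -like 'O=*' } | Select-Object -First 1) -replace '^O=', ''
        if (-not $org -or $org.Trim('"') -ne $ver.CompanyName.Trim()) {
            $findings += "Signer organisation '$org' does not match CompanyName '$($ver.CompanyName)'"
        }
    }

    [pscustomobject]@{
        Path            = $Path
        CompanyName     = $ver.CompanyName
        FileDescription = $ver.FileDescription
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Findings        = $findings
    }
}

# Compare a Windows binary with a locally built one (placeholder path).
Test-PeProvenance -Path "$env:SystemRoot\System32\ntdll.dll"
Test-PeProvenance -Path '.\sample.exe'
```

A binary signed with the self-signed "Malwr Cert" from the steps above will show a non-Valid status here, and if its version resource was cloned from a Microsoft binary the missing O= attribute will also trigger the publisher mismatch finding.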