Posted by / 30-Dec-2019 06:56


Both Windows 8 (x32) and Windows 7 (x64) booted fine without complaints.

I realize the method is probably most interesting as a steganographic solution, but in the download there also exists a signed executable (AutoIt) to show what can be done with that. But it is still somewhat disturbing that malware and stuff can be added to signed executables. Actually it is possible to modify the code sections as well without invalidating the signature.

While doing some trickery, I ran into this weird thing, and thought it would be worth sharing.

One would expect that an executable that is signed with a digital certificate, should be impossible to tamper with without invalidating the certificate. Actually, when thinking about it, it may not be surprising given the design of Portable Executables.

For instance, it may be possible to spread data around with chunks inside several files too. Is there something wrong with how Windows evaluates the digital certificates in executables? The new version also supports compression, encryption and timestamp manipulation.

In addition, a separate program is included to extract the hidden data.

VMplayer.exe (signed by VMware) with the video embedded almost doubled its size, kept a valid signature and still worked perfectly. So far all examples have shown that a certified file stays trustworthy. Just as an example, one could have a "signed" app like this: it would "remain verified" no matter what you store in it.

@Wonko: I just noticed that the issue was described back in 2009 (and I did not know about that one until now).

The theoretical max size of "garbage" is 0xFFFFFFFF - size of original certificate. In the blog post there also is a C++ source for a PoC.

On this case you wrecked the binary code portion, however I suspect that one can add the code as an extra data section that does not disturb normal functioning.

I'll see if I can hide a movie inside the kernel..

Yep, hiding a movie (3,1 MB in this case) was very successful. If one can actually make use of the added code, then I agree that it is a design flaw.

Reuse the same signed executable with any compiled au3 attached (i.e. turn it into a completely different program), while keeping a valid signature.

@Wonko It does not matter what executable it is, as it is a design issue and works on all executables I think.
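A defender-side check for the kind of "garbage" the thread describes, added here as an example (not code from the poster or from the linked blog post): it walks the PE security directory, measures the bytes inside each WIN_CERTIFICATE entry that lie beyond the embedded PKCS#7 DER blob, and reports any bytes after the table. The sample input is a constructed PE32 stub with a fake certificate entry, not a real signed binary.

```python
import struct

def der_length(blob: bytes) -> int:
    """Total length (tag + length field + content) of the leading DER SEQUENCE."""
    if not blob or blob[0] != 0x30:
        raise ValueError("certificate does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def certificate_slack(data: bytes) -> dict:
    """Bytes in the certificate table not covered by the PKCS#7 blob, and bytes
    after the table. Authenticode leaves both regions out of the hash, so they
    can change without invalidating the signature; large values deserve a look."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt_off = pe_off + 4 + 20                                # skip COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dir_off = opt_off + (96 if magic == 0x10B else 112)     # PE32 vs PE32+
    sec_off, sec_size = struct.unpack_from("<II", data, dir_off + 4 * 8)  # SECURITY = entry 4
    if sec_size == 0:
        return {"signed": False, "entries": 0, "slack": 0, "trailing": 0}
    slack, entries, pos, end = 0, 0, sec_off, sec_off + sec_size
    while pos + 8 <= end:
        length, _rev, _ctype = struct.unpack_from("<IHH", data, pos)
        body = data[pos + 8:pos + length]
        slack += len(body) - der_length(body)
        entries += 1
        pos += (length + 7) & ~7                             # entries are 8-byte aligned
    return {"signed": True, "entries": entries, "slack": slack, "trailing": len(data) - end}

def build_sample() -> bytes:
    """Constructed PE32 stub: valid headers, no code, one WIN_CERTIFICATE entry
    holding a fake 260-byte DER blob plus 44 bytes of slack, and 16 bytes after."""
    der = b"\x30\x82\x01\x00" + bytes(256)                   # SEQUENCE of length 256
    entry = struct.pack("<IHH", 8 + len(der) + 44, 0x0200, 0x0002) + der + b"S" * 44
    sec_off = 0x200
    dirs = [(0, 0)] * 16
    dirs[4] = (sec_off, len(entry))
    opt = struct.pack("<H", 0x10B) + bytes(94) + b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt
    return hdr.ljust(sec_off, b"\0") + entry + b"T" * 16

if __name__ == "__main__":
    print(certificate_slack(build_sample()))
```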


It now better detects file permission issues and if needed uses and to solve it before modification.

One thought on “invalidating”

  1. Please bear in mind, however, that the HTML5 version of the page has severely limited functionality (suboptimal video quality and the possibility of delayed streaming).