12 comments

[ 2.5 ms ] story [ 40.3 ms ] thread
On Windows this will require stripping a digital signature off the target exe file. Microsoft did a good job conditioning people into not running stuff that is not signed, so BDF'd binaries are really no good for online distribution. Thought I guess this may work with users who run all and everything they download from the Internet.
> Microsoft did a good job conditioning people into not running stuff that is not signed

Maybe this changed with Windows 8, but till Windows 7, Microsoft did a good job conditioning people to completely ignore the signature.

Or at least the status of the signature, whether it is trusted or not. Is there a further escalation if there is no signature at all I'm not aware of?

If not, there was a great article describing how much work was needed to get the small green checkmark by getting a signature as trusted, and how this did not have any benefit at all (because of styling and design of the dialogue, and UAC asking anyway for confirmation). Of course I don't find that now, but I'm pretty sure it was on HN some time ago, maybe you saw it (probably before Windows 8).

Windows 8 is much more persistent in warning you when running unsigned binaries. And IE under Windows 8 flat-out refuses to let you run unsigned binaries.

Getting binaries signed isn't that hard either.

Author here, I strip digital signature by default. Plus not everyone signs their windows binaries. Only Microsoft really. Plus I put BDF + mitmproxy together to patch binaries via MITM: https://github.com/secretsquirrel/BDFProxy
> Plus not everyone signs their windows binaries. Only Microsoft really.

Hahaha... no, not really. Pretty much every commercial app is signed, even if it's a freeware. Otherwise you get promptly hell-banned by MS's own SmartFilter and flagged as suspicious by every antivirus.

Hahaha, yea. OK, Apps coming from the Windows App Store are signed (same thing with apple). But I've been doing this research for a while and most windows application are NOT signed (even non-appstore commmercial software). AVs included, oh and sourceforge (they use NSIS, not certificates), that's freeware right? And AVs don't flag if you aren't signed, only if you have a bad signature, maybe (McAfee doesn't care). Plus I think you are meaning SmartScreen Filter, not SmartFilter; this doesn't stop malicious software, it only stops software that does have a bad signature, and warns when it's not commonly downloaded software (https://twitter.com/midnite_runr/status/451738775300087808/p...), so even if it was signed like the picture IE says "I don't know George, wtf". When Jimmy McKittenButts want's his catScreenSaver.exe he's going to get it, SmartSceen Filter be damned. The _only_ thing that stops this is whitelisting (Applocker) and a smart user. Here's a sample from BDF, patched with a reverse shell and still works normally: https://www.virustotal.com/en/file/a31ed901abcacd61a09a84157...

Edit: more sarcasm

(comment deleted)
(comment deleted)
Well, personally, I think it's cool because it's python, open source, easily extensible and supports 64 bit and 32 bit ELFs and PEs. I looked for such a tool before and they are not that abundant afaik (especially for ELF).
Sorry to delete my comment after you replied, but I realized it contributed essentially nothing and is not the type of comment I like to see on these posts. I think this is a cool tool as well.