Unsigned / Fake Digital Signatures

  • Description: Digital signatures are cryptographic mechanisms used to verify the authenticity and integrity of files. Legitimate software vendors sign their executables (.exe) and libraries (.dll) with code-signing certificates issued by trusted Certificate Authorities (CAs). This confirms the publisher's identity and ensures the file hasn't been tampered with since signing. Bypassers may attempt to leverage or mimic signatures to evade security checks or make malicious files appear legitimate.

  • Evasion Techniques:

    • Using Stolen Certificates: Attackers acquire legitimate code-signing certificates illicitly (e.g., through company breaches) and use them to sign malware, making it appear trusted initially.

    • Creating Fake/Self-Signed Certificates: Generating signatures using certificates they created themselves or that are issued by untrusted/fake CAs. Operating systems and validation tools will not trust these signatures.

    • Modifying Signed Files: Tampering with the content of a legitimately signed file (e.g., via hex editing) will invalidate the existing signature. Signature verification tools will detect this alteration.

    • Version Info Spoofing: Compiling malware with version information copied from legitimate software to make its properties look convincing, even if it's unsigned or uses a fake signature.

  • Why Cheaters Use It: To try and bypass automated SS tools or manual checks that might whitelist signed files or primarily flag unsigned files. A (fake) signature might lend an initial appearance of legitimacy.

  • Detection: The key is not just checking if a signature exists, but verifying its validity and trustworthiness.

    • Signature Verification Tools: Use tools that perform proper Authenticode signature validation against the system's trusted root CAs. This includes:

      • PowerShell: Get-AuthenticodeSignature C:\path\to\file.exe cmdlet. Check the Status property (should be Valid for trusted signatures). Statuses like NotSigned, HashMismatch (tampered after signing), or UnknownError/UntrustedRoot indicate issues.

      • BACA's Signature Checker Script: This PowerShell script (mentioned previously) automates checking multiple files and clearly reports the status (Valid, NotSigned, HashMismatch, NotTrusted).

      • Spokwn's Paths-Parser: This tool integrates signature checks (Authenticode and Catalog) alongside other analyses like generics and replacement checks, providing a comprehensive status report for lists of files. It specifically notes known signed cheats like Slinky and Vape.

      • Manual Check (File Properties): Right-click file -> Properties -> Digital Signatures tab. Select the signature and click "Details". Check the "Digital Signature Information" status (should say "This digital signature is OK") and view the certificate details (check the issuer and certificate path).

    • Focus on "NotSigned" and Errors: During screenshares, pay closest attention to files reported as NotSigned or having signature errors (HashMismatch, UntrustedRoot, UnknownError) by verification tools, especially executables or DLLs found in suspicious locations or via execution artifacts. While not all unsigned files are malicious, unsigned code loaded by or interacting with the game is highly suspect.

PreviousProcess HollowingNextEnvironment and Hardware Bypasses

Last updated