Learn, hack!

Hacking and security documentation: slides, papers, video and audio recordings. All in high-quality, daily updated, avoiding security crap documents. Spreading hacking knowledge, for free, enjoy. Follow on .

Injecting custom payload into signed Windows executables

Igor Glücksmann
REcon 2012
Indexed on
Aug 22, 2014
File name
File size
3.7 MB

A valid signature of a PE executable file doesn't always guarantee that the file hasn't been tampered with. The talk will explain the problem, show the vulnerable targets as well as their possible modifications, and discuss available fixes. Digital signing of executable modules has become a de facto standard in mainstream software products on Microsoft Windows. A file's digital signature confirms that the file has really been created by the signer and its content has not been tampered with by any third party. The signature implies a certain level of trust - if you trust the company that created the file, you trust the file itself. However, we discovered a way to modify certain classes of signed executables while keeping their digital signatures valid. It means that we can take a trusted signed application and inject our own payload that gets executed or installed when this application is run; this modified executable is still correctly signed by the original signer. We have reported this vulnerability to Microsoft (CVE-2012-0151) and they have released a fix in April 2012. However, since the issue is not just a bug in Windows code, but also a design feature combined with bugs in third-party applications, the fix does not cover 100% of possible cases. In my talk, I would like to present the technical aspects of the problem. I will describe how a signed executable can be modified, what the suitable/vulnerable candidates are, and what the released hotfix actually does. I will offer some advice for software developers on how to avoid creating applications which are vulnerable to this type of attack.

About us

Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.


Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.


To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.

Flattr this Click here to lend your support to: Keep live SecDocs for an year and make a donation at www.pledgie.com !