Skip to content
/ metatwin Public

The project is designed as a file resource cloner. Metadata, including digital signature, is extracted from one file and injected into another.

327 stars 67 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

threatexpress/metatwin

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
src
src
 
 
.gitignore
.gitignore
 
 
metatwin.ps1
metatwin.ps1
 
 
readme.md
readme.md
 
 

Repository files navigation

META TWIN

=================================================================
 ___ ___    ___ ______   ____      ______  __    __  ____  ____
|   |   |  /  _]      | /    |    |      ||  |__|  ||    ||    \
| _   _ | /  [_|      ||  o  |    |      ||  |  |  | |  | |  _  |
|  \_/  ||    _]_|  |_||     | -- |_|  |_||  |  |  | |  | |  |  |
|   |   ||   [_  |  |  |  _  | --   |  |  |        | |  | |  |  |
|   |   ||     | |  |  |  |  |      |  |   \      /  |  | |  |  |
|___|___||_____| |__|  |__|__|      |__|    \_/\_/  |____||__|__|
=================================================================
Author: @joevest
=================================================================

The project is designed as a file resource cloner. Metadata, including digital signature, is extracted from one file and injected into another. Note: Signatures are copied, but no longer valid.

This project is based on a technique I've used for a few years. This has been updated and modified to include copying digital signatures.

Thanks @subtee for the tweet that encouraged this project to be updated and published !!

A blog post on this topic can be found at threatexpress.com

Resources

Note: SigThief and Resource Hacker may not detect valid metadata or digital signature. This project may switch to a different tool set, but for now, be aware of potential limitations.

Install

  • Clone this project
  • Download and unzip Resource Hacker to .\src\resource_hacker\ResourceHacker.exe
  • Enjoy...

Description

A version of this project has existed for several years to help a binary blend into a target environment by modifying it's metadata. A binary's metadata can be replaced with the metadata of a source. This includes values such as Product Name, Product Version, File Version, Copyright, etc. In addition to standard metadata, sigthief is now used to copy a digital signature.

Usage

SYNOPSIS
    MetaTwin copies metadata and AuthentiCode signature from one file and injects into another.

SYNTAX
    Invoke-MetaTwin [-Source] <Object> [-Target] <Object> [-Sign] 

    Source     Source binary containing metadata and signature
    
    Target     Target binary that will be updated

    Sign       Optional setting that will add the source's digital signature

Example

c:> powershell -ep bypass
PS> Import-Module c:\tools\metatwin.ps1
PS> cd c:\tools\metatwin\
PS> Invoke-MetaTwin -Source c:\windows\system32\netcfgx.dll -Target .\beacon.exe -Sign

About

The project is designed as a file resource cloner. Metadata, including digital signature, is extracted from one file and injected into another.

Resources

Readme
Activity
Custom properties

Stars

327 stars

Watchers

13 watching

Forks

67 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

Languages