Accenture
diff --git a/‎CHANGELOG.md
Lines changed: 4 additions & 0 deletions b/‎CHANGELOG.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎Codecepticon/Codecepticon.csproj
Lines changed: 3 additions & 2 deletions b/‎Codecepticon/Codecepticon.csproj
Lines changed: 3 additions & 2 deletions
diff --git a/‎Codecepticon/Help/Sign.txt
Lines changed: 5 additions & 3 deletions b/‎Codecepticon/Help/Sign.txt
Lines changed: 5 additions & 3 deletions
diff --git a/‎Codecepticon/Modules/CommandLineData.cs
Lines changed: 2 additions & 1 deletion b/‎Codecepticon/Modules/CommandLineData.cs
Lines changed: 2 additions & 1 deletion
diff --git a/‎Codecepticon/Modules/Sign/CommandLine/SignCommandLine.cs
Lines changed: 9 additions & 5 deletions b/‎Codecepticon/Modules/Sign/CommandLine/SignCommandLine.cs
Lines changed: 9 additions & 5 deletions
diff --git a/‎Codecepticon/Modules/Sign/CommandLine/ValidateCommandLine.cs
Lines changed: 20 additions & 8 deletions b/‎Codecepticon/Modules/Sign/CommandLine/ValidateCommandLine.cs
Lines changed: 20 additions & 8 deletions
diff --git a/‎Codecepticon/Modules/Sign/MsSign/ISigningTool.cs
Lines changed: 42 additions & 0 deletions b/‎Codecepticon/Modules/Sign/MsSign/ISigningTool.cs
Lines changed: 42 additions & 0 deletions
@@ -1,5 +1,9 @@
 # Codecepticon Changelog
 
+## v1.2.0
+
+* `[Update]` Removed the `signtool.exe` dependency and are now natively signing executables. The code was taken & customised from https://github.com/Danielku15/SigningServer, under MIT License - original author is Danielku15.
+
 ## v1.1.0
 
 * `[New]` Module: Implement the `sign` module, to enable creating self-signed certificates and using any given certificate to sign an executable. This functionality is using `signtool.exe`.
 
@@ -4,18 +4,19 @@
     <OutputType>Exe</OutputType>
     <TargetFramework>net472</TargetFramework>
     <SatelliteResourceLanguages>none</SatelliteResourceLanguages>
-    <PlatformTarget>x86</PlatformTarget>
+    <PlatformTarget>x64</PlatformTarget>
     <Platforms>AnyCPU;x86;x64</Platforms>
 	<LangVersion>9.0</LangVersion>
 	<PackageId>Codecepticon</PackageId>
 	<Title>Codecepticon</Title>
-	<Version>1.1.0</Version>
+	<Version>1.2.0</Version>
 	<Authors>Pavel Tsakalidis</Authors>
 	<Company>Accenture Security</Company>
 	<Product>Codecepticon</Product>
 	<Description>Offensive Security Code Obfuscator</Description>
 	<PackageProjectUrl>https://github.com/Accenture/Codecepticon</PackageProjectUrl>
 	<AssemblyVersion></AssemblyVersion>
+	<AllowUnsafeBlocks>True</AllowUnsafeBlocks>
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
 
@@ -16,6 +16,8 @@ Usage: Codecepticon.exe --module sign [OPTIONS]...
 --overwrite                     When used with '--action cert' this will indicate whether to rewrite the target file
                                 if it already exists.
 --password                      Password for the pfx file (either to save or load, depending on the --action)
---signtool                      Only used with '--action sign' to indicate the location of signtool.exe on the system.
-                                If this argument is not passed, Codecepticon will try to find it automatically.
---path [executable]             Location of the executable file to be signed.
+--path [executable]             Location of the executable file to be signed.
+--algorithm                     When used with '--action sign', this argument will specify the signature algorithm.
+                                This can be one of: MD5, SHA1, SHA256, SHA384, SHA512.
+--timestamp                     When used with '--action sign', this is where the Timestamp Server is specified.
+                                For example 'http://timestamp.sectigo.com' or 'http://timestamp.digicert.com'.
@@ -155,7 +155,8 @@ public struct SignNewCertificate
         public struct SignSettings
         {
             public SignNewCertificate NewCertificate;
-            public string SignTool;
+            public string TimestampServer;
+            public string SignatureAlgorithm;
         }
 
         public struct RenameGeneratorStruct
 
@@ -21,7 +21,8 @@ public SignCommandLine(string[] args) : base(args)
                 { "password", "" },
                 { "pfx-file", "" },
                 { "overwrite", "switch" },
-                { "signtool", "" }
+                { "algorithm", "" },
+                { "timestamp", "" }
             };
             MergeArguments();
         }
@@ -67,19 +68,22 @@ protected override bool Parse(Dictionary<string, string> arguments)
                         }
                         break;
                     case "password":
-                        CommandLineData.Sign.NewCertificate.Password= argument.Value;
+                        CommandLineData.Sign.NewCertificate.Password = argument.Value;
                         break;
                     case "pfx-file":
-                        CommandLineData.Sign.NewCertificate.PfxFile= argument.Value;
+                        CommandLineData.Sign.NewCertificate.PfxFile = argument.Value;
                         break;
                     case "overwrite":
                         if (argument.Value.ToLower() != "false")
                         {
                             CommandLineData.Sign.NewCertificate.Overwrite = (argument.Value.Length > 0);
                         }
                         break;
-                    case "signtool":
-                        CommandLineData.Sign.SignTool = argument.Value;
+                    case "algorithm":
+                        CommandLineData.Sign.SignatureAlgorithm = argument.Value.ToUpper();
+                        break;
+                    case "timestamp":
+                        CommandLineData.Sign.TimestampServer = argument.Value;
                         break;
                 }
             }
 
@@ -133,23 +133,29 @@ protected bool ValidateParameters()
                         return false;
                     }
 
-                    if (String.IsNullOrEmpty(CommandLineData.Sign.SignTool))
+                    // Validate the PFX Password.
+                    if (!certificateManager.CheckPfxPassword(CommandLineData.Sign.NewCertificate.PfxFile, CommandLineData.Sign.NewCertificate.Password))
                     {
-                        Logger.Info("SignTool path is empty - will try to find signtool.exe");
+                        Logger.Error("Invalid PFX file password");
+                        return false;
                     }
-                    else if (!File.Exists(CommandLineData.Sign.SignTool))
+
+                    if (String.IsNullOrEmpty(CommandLineData.Sign.SignatureAlgorithm))
                     {
-                        Logger.Error("Path for signtool.exe does not exist: " + CommandLineData.Sign.SignTool);
+                        Logger.Error("Signature Algorithm not set");
                         return false;
                     }
-
-                    // Validate the PFX Password.
-                    if (!certificateManager.CheckPfxPassword(CommandLineData.Sign.NewCertificate.PfxFile, CommandLineData.Sign.NewCertificate.Password))
+                    else if (!IsValidSignatureAlgorithm(CommandLineData.Sign.SignatureAlgorithm))
                     {
-                        Logger.Error("Invalid PFX file password");
+                        Logger.Error("Invalid signature algorithm selected");
                         return false;
                     }
 
+                    if (String.IsNullOrEmpty(CommandLineData.Sign.TimestampServer))
+                    {
+                        CommandLineData.Sign.TimestampServer = ""; // Make sure it's not null.
+                    }
+
                     break;
                 default:
                     Logger.Error("Invalid action: " + CommandLineData.Global.Action.ToString());
@@ -158,6 +164,12 @@ protected bool ValidateParameters()
             return true;
         }
 
+        protected bool IsValidSignatureAlgorithm(string algorithm)
+        {
+            List<string> validAlgorithms = new() { "MD5", "SHA1", "SHA256", "SHA384", "SHA512" };
+            return validAlgorithms.Contains(algorithm);
+        }
+
         protected string FixDN(string dn)
         {
             // BouncyCastle does not recognise S=XXX within an X509Name, and it has to be in the form of ST=XXX.
 
@@ -0,0 +1,42 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Codecepticon.Modules.Sign.MsSign
+{
+    public interface ISigningTool
+    {
+        /// <summary>
+        /// Gets the name of the format the signing tool offers to sign.
+        /// </summary>
+        string FormatName { get; }
+
+        /// <summary>
+        /// Gets the list of hash algorithms supported by this signing tool.
+        /// </summary>
+        IReadOnlyList<string> SupportedHashAlgorithms { get; }
+
+        /// <summary>
+        /// Performs the signing of the given file through the request.
+        /// Might throw any exceptions describing the error during signing.
+        /// </summary>
+        /// <param name="signFileRequest">The request describing what to sign.</param>
+        /// <param name="cancellationToken">A token to support cancellation.</param>
+        /// <returns>The result of the signing operation.</returns>
+        SignFileResponse SignFile(SignFileRequest signFileRequest);
+
+        /// <summary>
+        /// Checks whether the given file is signed.
+        /// </summary>
+        /// <param name="inputFileName">The path to the file on disk.</param>
+        /// <param name="cancellationToken">A token to support cancellation.</param>
+        /// <returns>true if the file is considered signed, otherwise false.</returns>
+        /// <remarks>
+        /// Some tools might only do a very basic check and not a full validation on whether
+        /// all aspects of the signing are in place and valid.
+        /// </remarks>
+        bool IsFileSigned(string inputFileName);
+    }
+}
Original file line number	Diff line number	Diff line change
`@@ -155,7 +155,8 @@ public struct SignNewCertificate`
`155`	`155`	`public struct SignSettings`
`156`	`156`	`{`
`157`	`157`	`public SignNewCertificate NewCertificate;`
`158`		`- public string SignTool;`
	`158`	`+ public string TimestampServer;`
	`159`	`+ public string SignatureAlgorithm;`
`159`	`160`	`}`
`160`	`161`
`161`	`162`	`public struct RenameGeneratorStruct`
Original file line number	Diff line number	Diff line change
`@@ -133,23 +133,29 @@ protected bool ValidateParameters()`
`133`	`133`	`return false;`
`134`	`134`	`}`
`135`	`135`
`136`		`- if (String.IsNullOrEmpty(CommandLineData.Sign.SignTool))`
	`136`	`+ // Validate the PFX Password.`
	`137`	`+ if (!certificateManager.CheckPfxPassword(CommandLineData.Sign.NewCertificate.PfxFile, CommandLineData.Sign.NewCertificate.Password))`
`137`	`138`	`{`
`138`		`- Logger.Info("SignTool path is empty - will try to find signtool.exe");`
	`139`	`+ Logger.Error("Invalid PFX file password");`
	`140`	`+ return false;`
`139`	`141`	`}`
`140`		`- else if (!File.Exists(CommandLineData.Sign.SignTool))`
	`142`	`+`
	`143`	`+ if (String.IsNullOrEmpty(CommandLineData.Sign.SignatureAlgorithm))`
`141`	`144`	`{`
`142`		`- Logger.Error("Path for signtool.exe does not exist: " + CommandLineData.Sign.SignTool);`
	`145`	`+ Logger.Error("Signature Algorithm not set");`
`143`	`146`	`return false;`
`144`	`147`	`}`
`145`		`-`
`146`		`- // Validate the PFX Password.`
`147`		`- if (!certificateManager.CheckPfxPassword(CommandLineData.Sign.NewCertificate.PfxFile, CommandLineData.Sign.NewCertificate.Password))`
	`148`	`+ else if (!IsValidSignatureAlgorithm(CommandLineData.Sign.SignatureAlgorithm))`
`148`	`149`	`{`
`149`		`- Logger.Error("Invalid PFX file password");`
	`150`	`+ Logger.Error("Invalid signature algorithm selected");`
`150`	`151`	`return false;`
`151`	`152`	`}`
`152`	`153`
	`154`	`+ if (String.IsNullOrEmpty(CommandLineData.Sign.TimestampServer))`
	`155`	`+ {`
	`156`	`+ CommandLineData.Sign.TimestampServer = ""; // Make sure it's not null.`
	`157`	`+ }`
	`158`	`+`
`153`	`159`	`break;`
`154`	`160`	`default:`
`155`	`161`	`Logger.Error("Invalid action: " + CommandLineData.Global.Action.ToString());`
`@@ -158,6 +164,12 @@ protected bool ValidateParameters()`
`158`	`164`	`return true;`
`159`	`165`	`}`
`160`	`166`
	`167`	`+ protected bool IsValidSignatureAlgorithm(string algorithm)`
	`168`	`+ {`
	`169`	`+ List<string> validAlgorithms = new() { "MD5", "SHA1", "SHA256", "SHA384", "SHA512" };`
	`170`	`+ return validAlgorithms.Contains(algorithm);`
	`171`	`+ }`
	`172`	`+`
`161`	`173`	`protected string FixDN(string dn)`
`162`	`174`	`{`
`163`	`175`	`// BouncyCastle does not recognise S=XXX within an X509Name, and it has to be in the form of ST=XXX.`