# Leaked Code Certificates

Simple `SignTool.exe` wrapper script that abuses few leaked code signing certificates.

## Available certificates

| # |     name     | description                                                                            |
|---|--------------|----------------------------------------------------------------------------------------|
| 1 |  hangil2024  | Already revoked but valid until Nov, 2024. Leaked Hangil IT Co., Ltd signed by Sectigo |
| 2 |   izex2015   | IZEX certificate disclosed in Github tdevuser/MalwFinder, expired in 2015.             |
| 3 | mediatek2017 | (+) MediaTek Code Signing Certificate, may lower detection rate                        |
| 4 |   msi2021    | (+) MoneyMessage - MSI Leaked 2021 Code Signing certificate, revoked.                  |
| 5 |   msi2024    | (+) MoneyMessage - MSI Leaked 2024 Code Signing certificate, revoked.                  |
| 6 | netgear2014  | NetGear Inc. 2014 Code Signing Certificate                                             |
| 7 | netgear2017  | (+) NetGear Inc. 2017 Code Signing Certificate, may lower detection rate               |
| 8 |  nvidia2014  | (+) NVIDIA certificate that expired in 2014, may lower detection rate (+)              |
| 9 |  nvidia2018  | NVIDIA certificate that expired in 2018                                                |

## Parameters

- `-Infile` - input file to be signed.
- `-Outfile` - output signed file.
- `-Leaked` - name of the leaked certificate to abuse.

## Usage

```
PS> . .\SignMyPayload.ps1
PS> Sign-Payload -Infile evil.exe -Outfile signed-evil.exe -Leaked msi2024
```