This guide provides a step-by-step process to create a Certificate Authority (CA), generate a Code-Signing Certificate, and sign executables to enhance their legitimacy.
Run the following command to generate a Root Certificate Authority:
makecert -r -pe -n "CN=Malwr CA" -ss CA -sr CurrentUser -a sha256 -cy authority -sky signature -sv MalwrCA.pvk MalwrCA.cer
OR
& "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\MakeCert.exe" -r -pe -n "CN=Malwr CA" -ss CA -sr CurrentUser -a sha256 -cy authority -sky signature -sv MalwrCA.pvk MalwrCA.cer
Add the generated Root Certificate to the certificate store:
certutil -user -addstore Root MalwrCA.cer
Use the following command to create a Code-Signing Certificate:
makecert -pe -n "CN=Malwr Cert" -a sha256 -cy end -sky signature -ic MalwrCA.cer -iv MalwrCA.pvk -sv MalwrCert.pvk MalwrCert.cer
OR
& "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\MakeCert.exe" -pe -n "CN=Malwr Cert" -a sha256 -cy end -sky signature -ic MalwrCA.cer -iv MalwrCA.pvk -sv MalwrCert.pvk MalwrCert.cer
Convert the generated private key and certificate into PFX format:
pvk2pfx -pvk MalwrCert.pvk -spc MalwrCert.cer -pfx MalwrCert.pfx
OR
& "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\pvk2pfx.exe" -pvk MalwrCert.pvk -spc MalwrCert.cer -pfx MalwrCert.pfx
Use signtool to sign your binary:
signtool sign /v /f MalwrCert.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll malware1.exe
OR
& "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /v /f MalwrCert.pfx /fd SHA256 /t http://timestamp.digicert.com malware1.exe
Ensure the executable has been signed correctly:
signtool verify /pa /v malware1.exe
By following these steps, you can generate certificates and sign binaries to enhance their trustworthiness and reduce detection rates by antivirus engines.
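
A signature produced this way validates only on a machine where the self-made root has been added to a Root store, which gives defenders something concrete to check. The PowerShell below is an added example, not part of the original guide: it lists roots trusted for the current user only and flags signed files whose chain ends in one of them (the function names Get-UserOnlyRoot and Test-SignatureRoot are hypothetical).

```powershell
# Added example: defender-side check, not part of the original guide.
# Function names (Get-UserOnlyRoot, Test-SignatureRoot) are hypothetical.

function Get-UserOnlyRoot {
    # Cert:\CurrentUser\Root is a merged view that also shows machine-wide roots,
    # so anything absent from LocalMachine\Root was added for this user only
    # (which is what "certutil -user -addstore Root" does).
    $machine = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })
    Get-ChildItem Cert:\CurrentUser\Root |
        Where-Object { $machine -notcontains $_.Thumbprint }
}

function Test-SignatureRoot {
    param([Parameter(Mandatory)][string]$Path)

    $userOnly = @(Get-UserOnlyRoot | ForEach-Object { $_.Thumbprint })
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [pscustomobject]@{
        Path = $Path; Status = $sig.Status; Signer = $null
        Root = $null; RootThumbprint = $null; UserOnlyRoot = $false
    }
    if (-not $sig.SignerCertificate) { return $result }   # unsigned file

    # Rebuild the trust path to see which root the signature depends on.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'          # offline; trust path only
    [void]$chain.Build($sig.SignerCertificate)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $result.Signer = $sig.SignerCertificate.Subject
    $result.Root = $top.Subject
    $result.RootThumbprint = $top.Thumbprint
    # Status can be 'Valid' on this machine while the root is trusted nowhere else.
    $result.UserOnlyRoot = $userOnly -contains $top.Thumbprint
    $result
}

# Usage: review every user-only root, then check signed binaries in a folder.
Get-UserOnlyRoot | Select-Object Subject, Thumbprint, NotBefore
Get-ChildItem -Path . -Filter *.exe |
    ForEach-Object { Test-SignatureRoot -Path $_.FullName } |
    Where-Object UserOnlyRoot
```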