Forensics Tools

Meta Twin – File Resource Cloner

The project is designed as a file resource cloner. Metadata, including the digital signature, is extracted from one file and injected into another. Note: The signature is added, but not valid.

 

=================================================================
 ___ ___    ___ ______   ____      ______  __    __  ____  ____
|   |   |  /  _]      | /    |    |      ||  |__|  ||    ||    \
| _   _ | /  [_|      ||  o  |    |      ||  |  |  | |  | |  _  |
|  \_/  ||    _]_|  |_||     | -- |_|  |_||  |  |  | |  | |  |  |
|   |   ||   [_  |  |  |  _  | --   |  |  |        | |  | |  |  |
|   |   ||     | |  |  |  |  |      |  |   \      /  |  | |  |  |
|___|___||_____| |__|  |__|__|      |__|    \_/\_/  |____||__|__|
=================================================================
Author: @joevest
=================================================================

 

Resources

Note: SigThief and Resource Hacker may not detect valid metadata or a valid digital signature. This project may switch to a different tool set, but for now, be aware of these potential limitations.

 

Install

 

Description

A version of this project has existed for several years to help a binary blend into a target environment by modifying its metadata. A binary's metadata can be replaced with the metadata of a source. This includes values such as Product Name, Product Version, File Version, Copyright, etc. In addition to standard metadata, SigThief is used to add the digital signature.

 

Usage

SYNOPSIS - Invoke-MetaTwin copies metadata from one file and injects it into another.

SYNTAX
    Invoke-MetaTwin [-Source] <Object> [-Target] <Object> [-Sign] 

    Source     Source binary containing metadata and signature
    Target     Target binary that will be updated
    Sign       Optional setting that will add the source's digital signature   

 

Example

c:> powershell -ep bypass
PS> Import-Module .\metatwin.ps1
PS> Invoke-MetaTwin -Source c:\windows\system32\netcfgx.dll -Target .\beacon.exe -Sign
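
From the defender's side, the two artifacts this page describes (a copied signature that is not valid, and version metadata taken from another file) can be checked with built-in PowerShell cmdlets. The following is an added example, not part of MetaTwin or the original post; the function name `Find-ClonedMetadata` and the sample path are hypothetical.

```powershell
# Added example: defensive check, not part of MetaTwin.
# Find-ClonedMetadata is a hypothetical name chosen for this illustration.
function Find-ClonedMetadata {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,        # directory to scan
        [string[]]$Include = @('*.exe', '*.dll')
    )

    Get-ChildItem -Path $Path -Include $Include -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file    = $_
        $sig     = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $vi      = $file.VersionInfo
        $reasons = @()

        # A signer certificate is embedded, but the signature does not verify
        # for this file (for example, Status = HashMismatch).
        if ($sig.SignerCertificate -and $sig.Status -ne 'Valid') {
            $reasons += "signature present but status is $($sig.Status)"
        }

        # The version resource names a different original file than the one on disk.
        # Renamed legitimate files also trigger this, so treat it as a hint.
        if ($vi.OriginalFilename) {
            $claimed = [IO.Path]::GetFileNameWithoutExtension($vi.OriginalFilename)
            if ($claimed -and $claimed -ne $file.BaseName) {
                $reasons += "OriginalFilename '$($vi.OriginalFilename)' differs from '$($file.Name)'"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path      = $file.FullName
                Company   = $vi.CompanyName
                Product   = $vi.ProductName
                SigStatus = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                Reasons   = $reasons -join '; '
            }
        }
    }
}

# Constructed usage: review a directory before trusting the binaries in it.
# Find-ClonedMetadata -Path 'C:\Temp\review' | Format-List
```

A file that reports a well-known vendor in `Company` and `Signer` while `SigStatus` is anything other than `Valid` deserves a closer look, since the vendor's real binaries verify cleanly.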

Download Meta Twin

About the author

Mazen Elzanaty
