Goversioninfo
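Goversioninfo is a Windows PE file tool for reading and embedding version information resources in binary files. It enables payload obfuscation by making malware appear as legitimate software with spoofed version strings, company names, and file descriptions. The version resource is unauthenticated metadata: Windows displays whatever strings the file carries, so these fields prove nothing about origin on their own, and only a valid Authenticode signature ties a file to a publisher.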
Installation
# Install via Go (current Go toolchains install commands with `go install`)
go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@latest
# Download precompiled binary
wget https://github.com/josephspurrier/goversioninfo/releases/download/v0.3/goversioninfo-windows-amd64.exe
# Build from source
git clone https://github.com/josephspurrier/goversioninfo
cd goversioninfo
go build -o goversioninfo.exe ./cmd/goversioninfo
Reading Version Information
Extract from Legitimate Binaries
# Read version info
goversioninfo.exe -n payload.exe
# Verbose output
goversioninfo.exe -n payload.exe -v
# Output formats
goversioninfo.exe -n legitimate.exe -j version.json
goversioninfo.exe -n legitimate.exe -x version.xml
goversioninfo.exe -n explorer.exe > explorer_version.txt
Version Information Components
| Component | Purpose | Example |
|---|---|---|
| FileVersion | Binary file version | 10.0.19041.1586 |
| ProductVersion | Product version number | 10.0.19041.1586 |
| CompanyName | Company attribution | Microsoft Corporation |
| FileDescription | File purpose | Windows Update |
| ProductName | Product name | Windows 10 |
| InternalName | Internal module name | update |
| OriginalFilename | Expected filename | explorer.exe |
| LegalCopyright | Copyright notice | © Microsoft Corporation |
Creating Version JSON
{
"FixedFileInfo": {
"FileVersion": "10.0.19041.1586",
"ProductVersion": "10.0.19041.1586",
"FileDateMS": 2234128384,
"FileDateLS": 67305472,
"FileOS": 4,
"FileType": 1,
"FileSubType": 0
},
"StringFileInfo": {
"ProductName": "Microsoft Windows",
"CompanyName": "Microsoft Corporation",
"FileDescription": "Windows Update",
"FileVersion": "10.0.19041.1586",
"InternalName": "update.exe",
"LegalCopyright": "© Microsoft Corporation",
"OriginalFilename": "explorer.exe",
"ProductVersion": "10.0.19041.1586"
},
"VarFileInfo": {
"Translation": 1033
}
}
Embedding Version Information
Apply Version Info to Payload
# Add version information from another binary
goversioninfo.exe -n legitimate.exe > version.json
# Apply to payload
goversioninfo.exe \
--config version.json \
malware.exe
# Or with individual parameters
goversioninfo.exe \
-product-version "10.0.19041.1" \
-file-version "10.0.19041.1" \
-product-name "Windows Update" \
-company-name "Microsoft Corporation" \
-file-description "Windows Update Service" \
payload.exe
Spoofing Legitimate Software
Mimic Windows System Files
# Appear as explorer.exe
goversioninfo.exe \
--config explorer_version.json \
-original-filename "explorer.exe" \
malware.exe
# Appear as svchost.exe
goversioninfo.exe \
-product-name "Service Host Process" \
-company-name "Microsoft Corporation" \
-file-description "Service Host Process" \
-original-filename "svchost.exe" \
-product-version "10.0.19041.1586" \
malware.exe
# Appear as SearchIndexer.exe
goversioninfo.exe \
-product-name "Windows Search" \
-company-name "Microsoft Corporation" \
-file-description "Windows Search Indexer" \
-original-filename "SearchIndexer.exe" \
malware.exe
Mimic Third-Party Software
# Adobe Reader
goversioninfo.exe \
-product-name "Adobe Acrobat Reader DC" \
-company-name "Adobe Inc." \
-file-description "Adobe Acrobat Reader DC" \
-product-version "2021.007.20091" \
malware.exe
# Google Chrome
goversioninfo.exe \
-product-name "Google Chrome" \
-company-name "Google LLC" \
-file-description "Google Chrome" \
-file-version "89.0.4389.90" \
malware.exe
# Microsoft Office
goversioninfo.exe \
-product-name "Microsoft Office 2019" \
-company-name "Microsoft Corporation" \
-file-description "Microsoft Word Document" \
-original-filename "WINWORD.EXE" \
malware.exe
Icon and Manifest Embedding
Icon Manipulation
# Extract icon from legitimate binary
goversioninfo.exe -n legitimate.exe --extract-icon output.ico
# Apply icon to payload
goversioninfo.exe \
--icon legitimate.ico \
malware.exe
# Use Windows Defender icon
goversioninfo.exe \
--icon "C:\\Program Files\\Windows Defender\\MpCmdRun.exe" \
malware.exe
Manifest Embedding
# Extract manifest
goversioninfo.exe -n legitimate.exe --extract-manifest output.xml
# Embed manifest
goversioninfo.exe \
--manifest legitimate.xml \
malware.exe
# Admin manifest (triggers UAC)
goversioninfo.exe \
--manifest admin-manifest.xml \
malware.exe
Timestamp Spoofing
File Date Manipulation
# Extract file dates from legitimate binary
FILEDATE_MS=$(goversioninfo.exe -n C:\\Windows\\System32\\explorer.exe | grep FileDateMS)
FILEDATE_LS=$(goversioninfo.exe -n C:\\Windows\\System32\\explorer.exe | grep FileDateLS)
# Apply matching timestamps
goversioninfo.exe \
--file-date-ms "$FILEDATE_MS" \
--file-date-ls "$FILEDATE_LS" \
malware.exe
# Match Windows Update timestamp
goversioninfo.exe \
--file-date-ms 2234128384 \
--file-date-ls 67305472 \
malware.exe
Batch Processing
Process Multiple Payloads
#!/bin/bash
# Apply version info to multiple payloads
LEGITIMATE="explorer.exe"
PAYLOAD_DIR="payloads"
# Extract version once
goversioninfo.exe -n "$LEGITIMATE" -j version.json
# Apply to all payloads
for payload in "$PAYLOAD_DIR"/*.exe; do
echo "[*] Processing $payload"
goversioninfo.exe --config version.json "$payload"
done
PowerShell Automation
# PowerShell script for batch version spoofing
$legitimate = "C:\Windows\System32\explorer.exe"
$payloadDir = ".\payloads"
# Extract version info
& goversioninfo.exe -n $legitimate -j version.json
# Apply to all payloads
Get-ChildItem "$payloadDir\*.exe" | ForEach-Object {
Write-Host "Processing $($_.Name)"
& goversioninfo.exe --config version.json $_.FullName
}
Detection Evasion Strategies
Blend with System Binaries
# Give the payload the same version strings as svchost.exe
goversioninfo.exe \
-product-name "Service Host Process" \
-company-name "Microsoft Corporation" \
-file-description "Service Host Process" \
-original-filename "svchost.exe" \
-product-version "10.0.19041.1586" \
payload.exe
# Result appears identical in the Properties dialog; signature verification and file hash still differ
System32 Placement
# Copy to System32 with spoofed properties
copy payload.exe C:\Windows\System32\update.exe
# Apply matching version info
goversioninfo.exe \
-product-name "Windows Update" \
-company-name "Microsoft Corporation" \
C:\Windows\System32\update.exe
Verification & Testing
Verify Applied Information
# Check applied version info
goversioninfo.exe -n payload.exe
# Properties dialog verification
# Right-click payload.exe → Properties → Details
# Should show spoofed information
# File command
file payload.exe
# Sigcheck (Sysinternals)
sigcheck.exe payload.exe
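Seen from the detection side, the version strings only matter when compared against facts the file cannot set for itself: signature status, on-disk name and location. The Python below is an added example, not part of the original page or of goversioninfo; the record layout, the `EXPECTED_SIGNER` and `SYSTEM_HOME` tables and both sample records are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumption: substring expected in the verified signer name for each claimed company.
EXPECTED_SIGNER = {"microsoft corporation": "microsoft", "adobe inc.": "adobe",
                   "google llc": "google"}
# Assumption: directory each system binary named on this page normally lives in.
SYSTEM_HOME = {"explorer.exe": r"c:\windows", "svchost.exe": r"c:\windows\system32",
               "searchindexer.exe": r"c:\windows\system32"}

def norm(name):
    """Lower-case a resource name; drop the .mui suffix localized resources carry."""
    n = (name or "").strip().lower()
    return n[:-4] if n.endswith(".mui") else n

def masquerade_findings(rec):
    """Return the reasons a file's version strings disagree with verifiable facts."""
    path = PureWindowsPath(rec["path"])
    vi = rec.get("version_info", {})
    original, internal = norm(vi.get("OriginalFilename")), norm(vi.get("InternalName"))
    findings = []
    want = EXPECTED_SIGNER.get(norm(vi.get("CompanyName")))
    signer = (rec.get("signer") or "").lower()
    if want and not (rec.get("signature_valid") and want in signer):
        findings.append("publisher-claim-unverified")
    if original and original != path.name.lower():
        findings.append("original-filename-mismatch")
    if original and internal and PureWindowsPath(internal).stem != PureWindowsPath(original).stem:
        findings.append("internal-name-mismatch")
    home = SYSTEM_HOME.get(original)
    if home and str(path.parent).lower() != home:
        findings.append("system-name-outside-home")
    return findings

# Constructed records: what an inventory job might collect per file.
GENUINE = {"path": r"C:\Windows\explorer.exe", "signature_valid": True,
           "signer": "Microsoft Windows",
           "version_info": {"CompanyName": "Microsoft Corporation",
                            "InternalName": "explorer",
                            "OriginalFilename": "EXPLORER.EXE.MUI"}}
# Strings copied from the page's version JSON, at the page's System32 path.
SPOOFED = {"path": r"C:\Windows\System32\update.exe", "signature_valid": False,
           "signer": None,
           "version_info": {"CompanyName": "Microsoft Corporation",
                            "InternalName": "update.exe",
                            "OriginalFilename": "explorer.exe"}}

if __name__ == "__main__":
    for rec in (GENUINE, SPOOFED):
        print(rec["path"], masquerade_findings(rec) or "consistent")
```

The `.mui` normalization keeps genuine Windows binaries, whose version strings can come from a localized resource file, from being flagged as filename mismatches.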
Code Signing Integration
Digital Signatures
# Check if payload passes signature checks
signtool verify /pa payload.exe
# Sign with certificate (requires valid cert)
signtool sign /f cert.pfx payload.exe
# Sign with timestamp
signtool sign /f cert.pfx /t http://timestamp.server payload.exe
Multi-Language Support
Language Variants
# Add language version
goversioninfo.exe \
-language 0 \
-product-name "Windows 10" \
payload.exe
# Language codes
# 0 = English (US)
# 1 = English (UK)
# 7 = German
# 13 = French
# 16 = Italian
# 34 = Spanish
Advanced Techniques
Resource Section Analysis
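# List section headers (resources live in the .rsrc section)
objdump -h payload.exe
# View version resource strings (stored as UTF-16LE, so search 16-bit little-endian text)
strings -e l payload.exe | grep -i microsoft
# Check the section table
readpe --sections payload.exe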
Combined Obfuscation
# Apply version info + icon + manifest
goversioninfo.exe \
--config explorer_version.json \
--icon explorer.ico \
--manifest explorer.xml \
-original-filename "explorer.exe" \
malware.exe
# Result: matches explorer.exe in the Properties dialog; signature verification and file hash still differ
Best Practices
- Extract legitimate binary version info for accuracy
- Match timestamps to system binaries
- Test modified payloads for functionality
- Combine with code signing for maximum effect
- Use meaningful company and product names
- Include appropriate copyright notices
- Test with file verification tools
- Document all modifications
Last updated: 2026-03-30