
Deleting a digital signature of a PE file

For signing PE files (exe, dll, sys and others) the signtool.exe utility is used in most cases, but which utility should be used when a digital signature needs to be removed from a file? Officially there is no such utility. You can only sign or re-sign (put your signature on top of the existing one), but not delete it. What do you do if you need to patch a file in a hex or PE editor and do not want to leave it with a signature that is now knowingly broken?

What is it for

This article describes a method of removing a digital signature by hand that is simple enough for anyone who has used a hex editor at least once in their life to follow.


For this we need the following tools:
1. A hex editor. I prefer WinHex.
2. A utility to correct the checksum of the PE file: ModifyPE.
3. A hex calculator; the one built into the system is enough.


As an example, we will delete the digital signature from the installer of DiskCryptor, an excellent free and open-source program for encrypting disk partitions (the target was chosen at random). This example will also show that deleting a digital signature does not affect the operation of a PE file in any way.
Open dcrypt_setup.exe in a hex editor and search for the 4-byte sequence 50450000h (in the text view it appears as PE followed by two zero bytes). This signature identifies the file as PE format and immediately follows the MS-DOS header. In this case the signature begins at offset 100h:

The next thing that must be fixed after the digital signature is removed is the checksum of the file. It is located 58h bytes after the PE signature, that is, at 100h + 58h = 158h. The current checksum (a dword, that is, 4 bytes) of this file is 9F36Ch (the bytes are stored little-endian, so they appear reversed):

The next two values relate directly to the digital signature. If both are zero, there is no signature. The first is located 40h bytes after the start of the checksum, or 98h bytes after the PE signature: 100h + 98h = 198h:

This 4-byte value is the file offset at which the digital signature begins. Here it is 8E438h:

The second value, also 4 bytes, immediately follows the first:

It is the size of the digital signature, in this case 1500h, or 5376 bytes. So the signature ends at offset 8E438h + 1500h = 8F938h. As a rule the digital signature runs to the end of the file; let us check:

Everything matches, so this block can be safely removed, after which the last byte of the file will be at 8E437h:

Only a little remains: zero out the offset and size fields of the digital signature:

And correct the checksum with the ModifyPE utility:


Done! The installation package is now exactly as it was before signing, byte for byte.
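The same header walk in code, as an added example that is not part of the original post: it locates the CheckSum field and the Security Directory entry described above, performs the "signature runs to end of file" check, and recomputes the PE checksum that ModifyPE writes. It goes slightly beyond the walkthrough by also handling PE32+ images, whose DataDirectory starts 10h bytes later (so the signature entry is at PE+A8h rather than PE+98h). The sample image built by build_sample_pe32 is a constructed, hypothetical header layout for the demo, not DiskCryptor's installer.

```python
import struct
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Security (Authenticode) entry of the DataDirectory

def parse_pe(data: bytes) -> dict:
    """Locate the fields the walkthrough edits: CheckSum and the Security Directory."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew -> 'PE\0\0'
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    opt = pe + 0x18                                          # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (0x60 if magic == 0x10B else 0x70)            # DataDirectory: PE32 at 0x60, PE32+ at 0x70
    sec = dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY            # = PE+0x98 (PE32) or PE+0xA8 (PE32+)
    sig_off, sig_size = struct.unpack_from("<II", data, sec)
    return {
        "pe_offset": pe,
        "checksum_offset": pe + 0x58,                        # CheckSum sits 0x40 into the optional header
        "checksum": struct.unpack_from("<I", data, pe + 0x58)[0],
        "sig_offset": sig_off, "sig_size": sig_size,
        "signed": sig_off != 0 and sig_size != 0,
        "sig_at_eof": sig_off + sig_size == len(data),       # the check the article does by hand
    }

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE checksum as ModifyPE recomputes it: 16-bit one's-complement sum plus file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_offset:                             # the CheckSum field itself counts as zero
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def build_sample_pe32(signed: bool) -> bytes:
    """Constructed PE32 header layout (hypothetical, not a runnable program) for the demo."""
    dos = bytearray(0x40); dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)  # i386, no sections, PE32 opt hdr
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)   # Magic = PE32
    body = b"\xAA" * 0x100                                   # stand-in for the image body
    sig = b"\xBB" * 0x80 if signed else b""                  # stand-in for the signature block
    if signed:                                               # point the Security Directory at it
        struct.pack_into("<II", opt, 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x40 + 4 + 20 + 0xE0 + len(body), len(sig))
    image = bytearray(bytes(dos) + b"PE\0\0" + coff + opt + body + sig)
    struct.pack_into("<I", image, 0x40 + 0x58, pe_checksum(image, 0x40 + 0x58))  # store a valid checksum
    return bytes(image)
```

For a real file, pass its bytes to parse_pe and compare pe_checksum(data, info["checksum_offset"]) with info["checksum"]; a mismatch after editing is exactly what ModifyPE fixes.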

PS Do not judge too harshly, this is my first time; the quality will improve in future. Constructive criticism is welcome.

PPS The author of this post is systracer, a new Habr user, who asked me to publish his text. Pluses should go to him; leave the minuses to me.

Source: https://habr.com/ru/post/104333/
