Didier Stevens

Disitool

Disitool is a small Python program to manipulate the embedded digital signatures (Authenticode signatures) of PE files.

  • delete a signature: disitool.py delete signed-file unsigned-file
  • copy a signature: disitool.py copy signed-source-file unsigned-file signed-file
  • extract a signature: disitool.py extract signed-file signature
  • add a signature: disitool.py add signature unsigned-file signed-file
  • inject data after the authenticode signature: disitool.py inject [--paddata] signed-source-file data-file signed-destination-file

It is not a tool to digitally sign executables; use signtool for that. When you add a signature to a file, or copy one over from another file, the resulting signature will not be valid: an Authenticode signature covers a hash of the specific file it was computed over, so it only verifies on that file.

disitool uses pefile; you'll need to install it first. Since V0.2 (which uses pefile's checksum methods), disitool also updates the PE header checksum after it changes the signature; V0.3 added the inject command.
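The following is an added example, not disitool's or pefile's code, and it is written for Python 3 (disitool itself targets Python 2). It re-implements with only the standard library what the delete, extract, add and inject commands do to a PE file, so the structures involved are visible: the security data directory entry (index 4, whose "VirtualAddress" field is a raw file offset), the WIN_CERTIFICATE block it points at, and the optional-header checksum that V0.2 started updating. The image from build_sample_pe() and the FAKE_CERT blob are constructed for the demo; every function here only moves bytes, and none of them can produce a signature that verifies, which is the add/copy caveat above in code form.

```python
"""Authenticode signature-table manipulation on PE files, standard library only.
Added example, not disitool's own code: it re-implements the idea behind the delete /
extract / add / inject commands without pefile so the PE structures involved are visible.
build_sample_pe() and FAKE_CERT are constructed for the demo and do not verify."""
import struct

SECURITY_DIR_INDEX = 4                      # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0200, 0x0002
FAKE_CERT = struct.pack("<IHH", 40, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\x30\x82" + b"\0" * 30  # constructed stand-in for a PKCS#7 blob

def _header_offsets(data):
    """(offset of OptionalHeader.CheckSum, offset of the security data-directory entry)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: no PE signature")
    opt = e_lfanew + 24                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    pe32 = magic == 0x10B                   # PE32+ has wider ImageBase/stack/heap fields, shifting these
    n_dirs_off, dir_base = (opt + 92, opt + 96) if pe32 else (opt + 108, opt + 112)
    if struct.unpack_from("<I", data, n_dirs_off)[0] <= SECURITY_DIR_INDEX:
        raise ValueError("optional header has no security directory entry")
    return opt + 64, dir_base + 8 * SECURITY_DIR_INDEX   # CheckSum sits at +64 in both formats

def pe_checksum(data):
    """CheckSum as imagehlp/pefile compute it: fold every dword except the field itself to 16 bits, add the length."""
    skip, total = _header_offsets(data)[0] & ~3, 0
    for i, (dword,) in enumerate(struct.iter_unpack("<I", data + b"\0" * (-len(data) % 4))):
        if i * 4 != skip:
            total += dword
            if total >= 1 << 32:
                total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)

def _with_checksum(data):
    out = bytearray(data)
    struct.pack_into("<I", out, _header_offsets(data)[0], pe_checksum(data))
    return bytes(out)

def checksum_ok(data):
    return struct.unpack_from("<I", data, _header_offsets(data)[0])[0] == pe_checksum(data)

def security_directory(data):
    """(file offset, size) of the certificate table, (0, 0) when unsigned; this 'VirtualAddress' is not an RVA."""
    return struct.unpack_from("<II", data, _header_offsets(data)[1])

def extract_signature(data):
    """The raw WIN_CERTIFICATE block (what `extract` writes): header + PKCS#7 SignedData, not an X.509 .cer."""
    off, size = security_directory(data)
    if size == 0 or off + size > len(data):
        raise ValueError("no intact Authenticode signature in this file")
    return data[off:off + size]

def delete_signature(data):
    """Cut the certificate table off the file tail and clear the directory entry."""
    off, size = security_directory(data)
    if size == 0:
        return data
    if off + size != len(data):
        raise ValueError("certificate table is not the file tail; refusing to truncate")
    out = bytearray(data[:off])
    struct.pack_into("<II", out, _header_offsets(data)[1], 0, 0)
    return _with_checksum(bytes(out))

def add_signature(data, cert_block):
    """Append a WIN_CERTIFICATE block, 8-byte aligned. Only moves bytes: it will not verify on this file."""
    if security_directory(data)[1]:
        raise ValueError("file is already signed; delete that signature first")
    out = bytearray(data) + b"\0" * (-len(data) % 8)
    start = len(out)
    out += cert_block + b"\0" * (-len(cert_block) % 8)
    struct.pack_into("<II", out, _header_offsets(data)[1], start, len(out) - start)
    return _with_checksum(bytes(out))

def inject_data(data, payload, pad=True):
    """Append payload inside the certificate table. The Authenticode hash excludes that table (and the
    CheckSum and security-directory fields), so the signature bytes still match; `pad` is this example's
    own switch for the 8-byte alignment WIN_CERTIFICATE entries require."""
    off, size = security_directory(data)
    if size == 0 or off + size != len(data):
        raise ValueError("inject needs a signed file whose certificate table is the file tail")
    block = payload + (b"\0" * (-len(payload) % 8) if pad else b"")
    out = bytearray(data) + block
    struct.pack_into("<I", out, off, struct.unpack_from("<I", data, off)[0] + len(block))  # dwLength
    struct.pack_into("<II", out, _header_offsets(data)[1], off, size + len(block))
    return _with_checksum(bytes(out))

def build_sample_pe(cert_block=b""):
    """Constructed minimal PE32 image: 0x200 bytes of headers, one .text section of RET instructions."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)      # i386, 1 section, EXE
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                             # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)          # ImageBase, Section-/FileAlignment
    struct.pack_into("<IIIHH", opt, 56, 0x2000, 0x200, 0, 3, 0)         # SizeOfImage, SizeOfHeaders, CheckSum, Subsystem, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    text = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + text
    image = headers + b"\0" * (0x200 - len(headers)) + b"\xC3" * 0x200
    return add_signature(image, cert_block) if cert_block else image
```

Use mirrors the commands on the page: delete_signature(open(path, "rb").read()) gives the bytes `disitool.py delete` would write, extract_signature gives the block `extract` writes (a WIN_CERTIFICATE header around PKCS#7 SignedData, which is why it does not open as a .cer), and inject_data does what `inject` is described as doing (its pad argument is this example's name for alignment padding, not a claim about what --paddata does). Two deliberate refusals: delete and inject stop when the certificate table is not the tail of the file, because cutting or growing it in the middle would corrupt whatever follows, and add_signature stops when a table is already present. Whatever you produce, the verdict that counts is `signtool verify /pa`.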

Download:

disitool_v0_3.zip (https)

MD5: 08D1CA036DC905D8E42AB3016A1B7821

SHA256: AEF923F49E53C7C2194058F34A73B293D21448DEB7E2112819FC1B3B450347B8

36 Comments

  1. [...] latest version of pefile has extra methods to handle the checksum of the PE header. My new disitool version uses these methods to correct the checksum when the signature is changed by [...]

    Pingback by Update: Disitool V0.2 « Didier Stevens — Tuesday 15 April 2008 @ 8:25

  2. [...] add data to a signed executable without invalidating the Authenticode signature. I updated my Digital signature tool, but I realize now I had only announced the update on Twitter, not on my [...]

    Pingback by Update: Disitool V0.3 « Didier Stevens — Sunday 7 June 2009 @ 23:16

  3. Do you have any suggestions for how to troubleshoot this tool or enable debugging in Python? I was able to get disitool.py functional for a short time but now it seems to execute but does not create the destination unsigned executable. Unfortunately I am not familiar with Python & PEfile, but I believe I have it installed correctly.

    Thanks!

    Comment by Chris — Thursday 15 April 2010 @ 13:09

  4. Forget it, I figured it out. It would be nice if it could optionally provide some output if the process was successful.

    Comment by Chris — Thursday 15 April 2010 @ 14:57

  5. With Python 2.6.5, the latest version of pefile and 0.3 of disitool, the signature is properly removed from my executables in both Windows 7 64-bit and XP 32-bit environments. However, it also appears to significantly truncate the executable, such that a 10,311kb file is reduced to an 808kb file. I have tried several different instances of this executable and the issue occurs with all instances on all OSes (XP & Windows 7). Any idea how to troubleshoot this issue?

    Thanks

    Comment by Chris — Thursday 15 April 2010 @ 16:20

  6. @Chris Could I get a copy of your executable to test?

    Comment by Didier Stevens — Monday 26 April 2010 @ 9:09

  7. Hello,

    Is it possible to use Disitool to delete the digital signature from an .msi file?

    Comment by Ambrozy — Saturday 22 May 2010 @ 23:31

  8. @Ambrozy Disitool works on PE files; .msi files use another format. The .msi file format can be compared to a database format; I would guess that if you find an .msi file editor, you could delete the signature.

    Comment by Didier Stevens — Monday 24 May 2010 @ 8:04

  9. Hello Didier,

    Can your tool be used to make a Java .jar file be digested with another RSA-SHA1 output? I mean, I have no access to the original .jar, but I have a .jad that comes with MIDlet-Certificate-1-1 and MIDlet-Jar-RSA-SHA1, and I have my own .jar that needs to have the same MIDlet-Jar-RSA-SHA1 to be authenticated with that certificate.
    The problem is that I am in a secured environment that needs signed applications only, but I cannot sign them.

    Comment by Ricardo Schmidt — Monday 7 February 2011 @ 14:50

  10. @Ricardo No, my tool is for Authenticode-signed PE files only.

    Comment by Didier Stevens — Monday 7 February 2011 @ 15:29

  11. Hi, I am new to Python and am unsure as to where to place the exe file I am working on and the syntax used to recreate the exe without the digital signature. Could you advise?

    Many Thanks

    Andy

    Comment by Andrew Eustance — Friday 16 December 2011 @ 9:23

  12. @Andrew Did you get to run the program? Go to the command line and type disitool.py. What output do you get?

    Comment by Didier Stevens — Friday 16 December 2011 @ 9:37

  13. Hi,
    the response I got back was
    Traceback (most recent call last):
      File "", line 1, in
        disitool.py
    NameError: name 'disitool' is not defined
    I am running the software on a Windows 7 32 bit laptop, Python v2.7.2 has been installed and the ‘pefile’ module was loaded in the gui from the file menu. Then the Disitool module was loaded and ran in the same manner. All the files have been added to the C:\Python27\Lib folder.
    Andy

    Comment by Andrew Eustance — Friday 16 December 2011 @ 9:47

  14. @Andrew Did you run that from cmd.exe? Start cmd.exe from the start menu, CD to the directory where you downloaded disitool.py, and type disitool.py.

    Comment by Didier Stevens — Friday 16 December 2011 @ 9:50

  15. Hi,
    I have placed the disitool.py file on C:, ran the command disitool.py from the command prompt, and the disitool.py usage with the command options and a list of commands that can be run follows.

    Andy

    Comment by Andrew Eustance — Friday 16 December 2011 @ 9:54

  16. @Andrew OK, so the program executes correctly. Say you want to remove the digital signature from c:\test.exe. Then you issue this command: disitool.py delete test.exe test2.exe
    File test.exe will remain untouched, and test2.exe is a new file without the signature.

    Comment by Didier Stevens — Friday 16 December 2011 @ 9:58

  17. Hi,
    I ran the command and it came back with the following error

    pefile.PEFormatError: 'Unable to read the DOS Header, possibly a truncated file.'

    Can you advise

    Andy

    Comment by Andrew Eustance — Friday 16 December 2011 @ 10:05

  18. @Andrew That means that your test.exe is not a valid executable, pefile can’t read the header. You’ll need to obtain a valid copy.

    Comment by Didier Stevens — Friday 16 December 2011 @ 10:08

  19. I don't have any idea about Python programs... I need to remove a digital signature from an exe file... please help me with how to use Disitool, and will it serve my purpose?

    Comment by Anonymous — Friday 10 May 2013 @ 7:46

  20. @Anonymous I can't tell you if you don't explain what your purpose is.

    Comment by Didier Stevens — Friday 10 May 2013 @ 22:52

  21. Hi,

    I was wondering what license this program is released under? BSD would be awesome!

    Comment by Anonymous — Tuesday 2 July 2013 @ 15:07

  22. @Anonymous It’s Public Domain.

    Comment by Didier Stevens — Tuesday 2 July 2013 @ 18:39

  23. […] be added in the data directory that contains the signature, without invalidating the signature. My Disitool can do […]

    Pingback by A Bit More Than A Signature | Didier Stevens — Tuesday 13 August 2013 @ 19:07

  24. […] 2009 I added a command to my Disitool to inject data “into” an Authenticode signature without invalidating […]

    Pingback by MS13-098: Fixing Authenticode | Didier Stevens — Wednesday 11 December 2013 @ 23:17

  25. Hi Didier,

    this does not work anymore, does it?
    You write in another blog entry that the padding will not work anymore sometime in 2014. It seems to have stopped working some time ago already (maybe at the start of 2014, I can't really tell when).
    Can you confirm this? I am using Win 7.

    signtool verify /pa main.exe
    Successfully verified: main.exe

    signtool verify /pa thefile.withpadding.exe
    SignTool Error: No signature found.
    Number of errors: 1

    Comment by paramaru — Monday 13 January 2014 @ 8:55

  26. @paramaru The tool still works, but the padding will invalidate the signature starting June 2014.

    What you are experiencing is probably something else. What did you add to the signature?

    Comment by Didier Stevens — Tuesday 14 January 2014 @ 1:52

  27. I have this working just fine on CentOS with Python 2.6.6.
    However, I had trouble on Windows. It turns out my Windows machine is running Python 3.3.4, and pefile does not support Python 3. You can, however, get a port of it for Python 3 (although it seems I am unable to post the link).

    Comment by Adam Thompson — Tuesday 18 February 2014 @ 9:15

  28. @Adam Python 2 and Python 3 are different. Most of my programs, like this one, are developed for Python 2 and are not tested with Python 3.

    Comment by Didier Stevens — Wednesday 19 February 2014 @ 6:44

  29. […] As it turns out OSCE only accepts signed binaries, which is a good approach to handle updates that are delivered over untrusted channels (handling TLS certificates in a corporate environment can be tricky…). To overcome this problem I first looked for unsigned PE files in the OSCE installation using the disitool script of Didier Stevens: […]

    Pingback by Trend Micro OfficeScan – A chain of bugs | Silent Signal Techblog — Friday 6 June 2014 @ 10:01

  30. […] It seems OSCE only accepts signed binaries, which is a good approach when updates are delivered over untrusted channels (handling TLS certificates in a corporate environment is very tricky…). To solve this problem I used Didier Stevens' disitool script to look for unsigned PE files in the OSCE installation: […]

    Pingback by 趋势OfficeScan系列产品漏洞分析 (Vulnerability analysis of the Trend Micro OfficeScan product line) - FreeBuf.COM — Thursday 14 August 2014 @ 4:55

  31. […] It seems OSCE only accepts signed binaries, which is a good approach when updates are delivered over untrusted channels (handling TLS certificates in a corporate environment is very tricky…). To solve this problem I used Didier Stevens' disitool script to look for unsigned PE files in the OSCE installation: […]

    Pingback by 趋势OfficeScan系列产品漏洞分析 (Vulnerability analysis of the Trend Micro OfficeScan product line) | BugSec — Friday 15 August 2014 @ 2:48

  32. HI Didier,

    I followed below steps:

    [1] Download disitool_v0_3.zip and unzipped it to get disitool.py
    [2] Downloaded Python from http://09c8d0b2229f813c1b93-c95ac804525aac4b6dba79b00b39d1d3.r79.cf1.rackcdn.com/Anaconda-2.0.1-Windows-x86_64.exe and installed it
    [3] Downloaded PEFile(pefile-1.2.10-63.zip) from https://code.google.com/p/pefile/downloads/list/ and unzipped it
    [4] Installed PEFile by following below steps:
    (a) Change directory to unzipped folder and install the pefile
    (b) cd pefile-1.2.10-114
    (c) python setup.py install
    [5] Go to the folder where disitool.py is and run below command: python disitool.py extract setup.exe setup.cer
    [6] It creates setup.cer

    My issue: When I open .cer file it says ‘This file is invalid for use as the following: Security certificate’. Why this issue? How to open this file then?

    Thanks.

    Comment by Jitendra Bhati — Thursday 21 August 2014 @ 15:08

  33. @Jitendra That’s normal. disitool does not extract certificates, it extracts the signature block.

    Comment by Didier Stevens — Thursday 21 August 2014 @ 19:11

  34. Thanks Didier. How can I use this signature block to verify digital signature?

    Comment by Jitendra Bhati — Friday 22 August 2014 @ 2:30

  35. @Jitendra I know of no tool that can do that. Verifying a signature implies that you also check the file that was signed, so I don't see what you want to do here.

    Comment by Didier Stevens — Saturday 23 August 2014 @ 12:25

  36. […] in the malware (PE). To extract and verify the signature it is always possible to resort to Didier Stevens' disitool or other tools such as SignTool released by […]

    Pingback by Malware PE Firmati Digitalmente (Digitally Signed PE Malware) | Gianni Amato — Monday 25 August 2014 @ 15:14

