Didier Stevens

Disitool

Disitool is a small Python program to manipulate embedded digital signatures.

  • delete a signature: disitool.py delete signed-file unsigned-file
  • copy a signature: disitool.py copy signed-source-file unsigned-file signed-file
  • extract a signature: disitool.py extract signed-file signature
  • add a signature: disitool.py add signature unsigned-file signed-file
  • inject data after the authenticode signature: disitool.py inject [--paddata] signed-source-file data-file signed-destination-file

It is not a tool to digitally sign executables, use signtool for this. When you add or copy a signature from one file to another file, the signature will not be valid.

disitool uses pefile, you’ll need to install this first. This new version (V0.2) will update the PE header checksum.

Download:

disitool_v0_3.zip (https)

MD5: 08D1CA036DC905D8E42AB3016A1B7821

SHA256: AEF923F49E53C7C2194058F34A73B293D21448DEB7E2112819FC1B3B450347B8

8 Comments »

  1. [...] latest version of pefile has extra methods to handle the checksum of the PE header. My new disitool version uses these methods to correct the checksum when the signature is changed by [...]

    Pingback by Update: Disitool V0.2 « Didier Stevens — Tuesday 15 April 2008 @ 8:25

  2. [...] add data to a signed executable without invalidating the Authenticode signature. I updated my Digital signature tool, but I realize now I had only announced the update on Twitter, not on my [...]

    Pingback by Update: Disitool V0.3 « Didier Stevens — Sunday 7 June 2009 @ 23:16

  3. Do you have any suggestions for how to troubleshoot this tool or enable debugging in Python? I was able to get disitool.py functional for a short time but now it seems to execute but does not create the destination unsigned executable. Unfortunately I am not familiar with Python & PEfile, but I believe I have it installed correctly.

    Thanks!

    Comment by Chris — Thursday 15 April 2010 @ 13:09

  4. Forget it, I figured it out. It would be nice if it could optionally provide some output if the process was successful.

    Comment by Chris — Thursday 15 April 2010 @ 14:57

  5. With Python 2.6.5, the latest version of pefile and 0.3 of disitool the signature is properly removed from my executables in both Windows 64 64bit and XP 32bit environments. However, it also appears to significantly truncate the executable such that a 10,311kb file is reduced to an 808kb file. I have tried several different instances of this executable and the issue occurs will all instances on all OSes (XP & Windows 7). Any idea how to troubleshoot this issue?

    Thanks

    Comment by Chris — Thursday 15 April 2010 @ 16:20

  6. @Chris Could I get a copy of your executable to test?

    Comment by Didier Stevens — Monday 26 April 2010 @ 9:09

  7. Hello,

    Is it possible to use Disitool to delete digital signature from msi file ??

    Comment by Ambrozy — Saturday 22 May 2010 @ 23:31

  8. @Ambrozy Disitool works on PE files, .msi files use another format. The .msi file format can be compared to a database format, I would guess that if you find a .msi file editor, you could delete the signature.

    Comment by Didier Stevens — Monday 24 May 2010 @ 8:04


RSS feed for comments on this post. TrackBack URI

Leave a comment

Blog at WordPress.com.