Didier Stevens

Disitool

Disitool is a small Python program to manipulate embedded digital signatures.

  • delete a signature: disitool.py delete signed-file unsigned-file
  • copy a signature: disitool.py copy signed-source-file unsigned-file signed-file
  • extract a signature: disitool.py extract signed-file signature
  • add a signature: disitool.py add signature unsigned-file signed-file
  • inject data after the authenticode signature: disitool.py inject [--paddata] signed-source-file data-file signed-destination-file

It is not a tool to digitally sign executables; use signtool for that. When you add or copy a signature from one file to another file, the signature will not be valid.

disitool uses pefile; you’ll need to install it first.
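
An added example (not disitool's code, and using only the standard library rather than pefile) of where the signature handled by these commands lives: it reads the PE certificate-table directory entry and the WIN_CERTIFICATE header, then reports the bytes that follow the DER-encoded signature, which is where injected data would sit. The function names, the single-entry assumption, the 7-byte padding heuristic and the file built by `build_sample` are constructed for illustration.

```python
import struct

SECURITY_DIR = 4  # data-directory index of the Certificate Table

def security_directory(pe: bytes):
    """Return (file_offset, size) of the certificate table of a PE image."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                          # PE signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+
    # This entry holds a file offset, not an RVA like the other directories.
    return struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)

def der_total_length(blob: bytes) -> int:
    """Size of the outermost DER element: tag, length field and content."""
    if blob[1] < 0x80:                           # short-form length
        return 2 + blob[1]
    n = blob[1] & 0x7F                           # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def signature_slack(pe: bytes) -> bytes:
    """Bytes of the certificate table that lie after the DER signature."""
    offset, size = security_directory(pe)
    if offset == 0 or size < 8:
        raise ValueError("no embedded signature")
    table = pe[offset:offset + size]
    (dw_length,) = struct.unpack_from("<I", table, 0)   # WIN_CERTIFICATE.dwLength
    der = table[8:dw_length]                     # bCertificate (PKCS#7 SignedData)
    return der[der_total_length(der):] + table[dw_length:]

def has_extra_data(pe: bytes) -> bool:
    """Heuristic: alignment padding is at most 7 bytes, expected to be zero."""
    slack = signature_slack(pe)
    return len(slack) > 7 or any(slack)

def build_sample(extra: bytes = b"") -> bytes:
    """Constructed PE32 skeleton; a 5-byte DER SEQUENCE stands in for PKCS#7."""
    body = b"\x30\x03\x02\x01\x01" + extra
    entry = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    entry += b"\0" * (-len(entry) % 8)           # entries are 8-byte aligned
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64)
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0")
    dirs = bytearray(128)                        # 16 directories of 8 bytes
    struct.pack_into("<II", dirs, 8 * SECURITY_DIR, 312, len(entry))
    return dos + b"PE\0\0" + bytes(20) + opt + bytes(dirs) + entry
```

On a real file, pass the file's bytes to `has_extra_data`; the bytes from the returned offset and size are the signature block, not a certificate file.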

Download:
disitool_v0_4.zip (https)
MD5: 3A41D8805340716913FAECE7C79B10A7
SHA256: 51EBFB0759FEEA69FFFB643659FD74DC5043338719A91CE36E427D175196661A

45 Comments »

  1. […] latest version of pefile has extra methods to handle the checksum of the PE header. My new disitool version uses these methods to correct the checksum when the signature is changed by […]

    Pingback by Update: Disitool V0.2 « Didier Stevens — Tuesday 15 April 2008 @ 8:25

  2. […] add data to a signed executable without invalidating the Authenticode signature. I updated my Digital signature tool, but I realize now I had only announced the update on Twitter, not on my […]

    Pingback by Update: Disitool V0.3 « Didier Stevens — Sunday 7 June 2009 @ 23:16

  3. Do you have any suggestions for how to troubleshoot this tool or enable debugging in Python? I was able to get disitool.py functional for a short time but now it seems to execute but does not create the destination unsigned executable. Unfortunately I am not familiar with Python & PEfile, but I believe I have it installed correctly.

    Thanks!

    Comment by Chris — Thursday 15 April 2010 @ 13:09

  4. Forget it, I figured it out. It would be nice if it could optionally provide some output if the process was successful.

    Comment by Chris — Thursday 15 April 2010 @ 14:57

  5. With Python 2.6.5, the latest version of pefile and 0.3 of disitool the signature is properly removed from my executables in both Windows 64 64bit and XP 32bit environments. However, it also appears to significantly truncate the executable such that a 10,311kb file is reduced to an 808kb file. I have tried several different instances of this executable and the issue occurs with all instances on all OSes (XP & Windows 7). Any idea how to troubleshoot this issue?

    Thanks

    Comment by Chris — Thursday 15 April 2010 @ 16:20

  6. @Chris Could I get a copy of your executable to test?

    Comment by Didier Stevens — Monday 26 April 2010 @ 9:09

  7. Hello,

    Is it possible to use Disitool to delete the digital signature from an msi file?

    Comment by Ambrozy — Saturday 22 May 2010 @ 23:31

  8. @Ambrozy Disitool works on PE files, .msi files use another format. The .msi file format can be compared to a database format, I would guess that if you find a .msi file editor, you could delete the signature.

    Comment by Didier Stevens — Monday 24 May 2010 @ 8:04

  9. Hello Didier,

    Can your tool be used to make a java .jar file be digested with other RSA-SHA1 output? I mean, I have no access to original .jar, but I have .jad that comes with MIDlet-Certificate-1-1 and MIDlet-Jar-RSA-SHA1, and I have my own .jar that needs to have the same MIDlet-Jar-RSA-SHA1 to be authenticated with that certificate.
    The problem is that I am in a secured environment that needs signed applications only, but I cannot sign them.

    Comment by Ricardo Schmidt — Monday 7 February 2011 @ 14:50

  10. @Ricardo No, my tool is for AuthentiCode signed PE files only.

    Comment by Didier Stevens — Monday 7 February 2011 @ 15:29

  11. Hi, I am new to Python and am unsure as to where to place the exe file I am working on and the syntax used to recreate the exe without the digital signature. Could you advise?

    Many Thanks

    Andy

    Comment by Andrew Eustance — Friday 16 December 2011 @ 9:23

  12. @Andrew Did you get to run the program? Go to the command line and type disitool.py. What output do you get?

    Comment by Didier Stevens — Friday 16 December 2011 @ 9:37

  13. Hi,
    the response I got back was
    Traceback (most recent call last):
    File “”, line 1, in
    disitool.py
    NameError: name ‘disitool’ is not defined
    I am running the software on a Windows 7 32 bit laptop, Python v2.7.2 has been installed and the ‘pefile’ module was loaded in the gui from the file menu. Then the Disitool module was loaded and ran in the same manner. All the files have been added to the C:\Python27\Lib folder.
    Andy

    Comment by Andrew Eustance — Friday 16 December 2011 @ 9:47

  14. @Andrew Did you run that from cmd.exe? Start cmd.exe from the start menu, CD to the directory where you downloaded disitool.py, and type disitool.py.

    Comment by Didier Stevens — Friday 16 December 2011 @ 9:50

  15. Hi,
    I have placed the disitool.py file on C:, ran the command disitool.py from the command prompt with the disitool.py usage command options and a list of commands that can be run follows.

    Andy

    Comment by Andrew Eustance — Friday 16 December 2011 @ 9:54

  16. @Andrew OK, so the program executes correctly. Say you want to remove the digital signature from c:\test.exe. Then you issue this command: disitool.py delete test.exe test2.exe
    File test.exe will remain untouched, and test2.exe is a new file without the signature.

    Comment by Didier Stevens — Friday 16 December 2011 @ 9:58

  17. Hi,
    I ran the command and it came back with the following error

    pefile.PEFormatError: ‘Unable to read the DOS Header, possibly a truncated file.

    Can you advise

    Andy

    Comment by Andrew Eustance — Friday 16 December 2011 @ 10:05

  18. @Andrew That means that your test.exe is not a valid executable, pefile can’t read the header. You’ll need to obtain a valid copy.

    Comment by Didier Stevens — Friday 16 December 2011 @ 10:08

  19. I don’t have any idea about Python programs… I need to remove a digital signature from an exe file… please help me how to use Disitool and will it serve my purpose?

    Comment by Anonymous — Friday 10 May 2013 @ 7:46

  20. @Anonymous I can’t tell you if you don’t explain what your purpose is?

    Comment by Didier Stevens — Friday 10 May 2013 @ 22:52

  21. Hi,

    I was wondering what license this program is released under? BSD would be awesome!

    Comment by Anonymous — Tuesday 2 July 2013 @ 15:07

  22. @Anonymous It’s Public Domain.

    Comment by Didier Stevens — Tuesday 2 July 2013 @ 18:39

  23. […] be added in the data directory that contains the signature, without invalidating the signature. My Disitool can do […]

    Pingback by A Bit More Than A Signature | Didier Stevens — Tuesday 13 August 2013 @ 19:07

  24. […] 2009 I added a command to my Disitool to inject data “into” an Authenticode signature without invalidating […]

    Pingback by MS13-098: Fixing Authenticode | Didier Stevens — Wednesday 11 December 2013 @ 23:17

  25. Hi Didier,

    this does not work anymore, does it?
    You write in another blog entry that the padding will not work anymore sometime in 2014. It seems to have stopped working some time ago already (maybe at the start of 2014, I can’t really tell when).
    Can you confirm this? I am using Win 7.

    signtool verify /pa main.exe
    Successfully verified: main.exe

    signtool verify /pa thefile.withpadding.exe
    SignTool Error: No signature found.
    Number of errors: 1

    Comment by paramaru — Monday 13 January 2014 @ 8:55

  26. @paramaru The tool still works, but the padding will invalidate the signature starting June 2014.

    What you are experiencing is probably something else. What did you add to the signature?

    Comment by Didier Stevens — Tuesday 14 January 2014 @ 1:52

  27. I have this working just fine on CentOS with Python 2.6.6.
    However, I had trouble on Windows. It turns out my Windows machine is running Python 3.3.4, and pefile does not support Python 3. You can, however, get a port of it for Python 3 (although it seems I am unable to post the link).

    Comment by Adam Thompson — Tuesday 18 February 2014 @ 9:15

  28. Python 2 and Python 3 are different. Most of my programs, like this one, are developed for Python 2 and are not tested with Python 3.

    Comment by Didier Stevens — Wednesday 19 February 2014 @ 6:44

  29. […] As it turns out OSCE only accept signed binaries, that is a good approach to handle updates which are delivered over untrusted channels (handling TLS certificates in corporate environment can be tricky…). To overcome this problem I first looked for unsigned PE files in the OCSE installation using the disitool script of Didier Stevens: […]

    Pingback by Trend Micro OfficeScan – A chain of bugs | Silent Signal Techblog — Friday 6 June 2014 @ 10:01

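  30. […] It seems OSCE only accepts signed binaries, which is a good approach when updates are delivered over untrusted channels (handling TLS certificates in a corporate environment is very tricky...). To solve this problem, I used Didier Stevens's disitool script to look for PE files that were unsigned during the OCSE installation: […]

    Pingback by Trend Micro OfficeScan product line vulnerability analysis - FreeBuf.COM — Thursday 14 August 2014 @ 4:55

  31. […] It seems OSCE only accepts signed binaries, which is a good approach when updates are delivered over untrusted channels (handling TLS certificates in a corporate environment is very tricky...). To solve this problem, I used Didier Stevens's disitool script to look for PE files that were unsigned during the OCSE installation: […]

    Pingback by Trend Micro OfficeScan product line vulnerability analysis | BugSec — Friday 15 August 2014 @ 2:48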

  32. Hi Didier,

    I followed below steps:

    [1] Download disitool_v0_3.zip and unzipped it to get disitool.py
    [2] Downloaded Python from http://09c8d0b2229f813c1b93-c95ac804525aac4b6dba79b00b39d1d3.r79.cf1.rackcdn.com/Anaconda-2.0.1-Windows-x86_64.exe and installed it
    [3] Downloaded PEFile(pefile-1.2.10-63.zip) from https://code.google.com/p/pefile/downloads/list/ and unzipped it
    [4] Installed PEFile by following below steps:
    (a) Change directory to unzipped folder and install the pefile
    (b) cd pefile-1.2.10-114
    (c) python setup.py install
    [5] Go to the folder where disitool.py is and run below command: python disitool.py extract setup.exe setup.cer
    [6] It creates setup.cer

    My issue: When I open .cer file it says ‘This file is invalid for use as the following: Security certificate’. Why this issue? How to open this file then?

    Thanks.

    Comment by Jitendra Bhati — Thursday 21 August 2014 @ 15:08

  33. @Jitendra That’s normal. disitool does not extract certificates, it extracts the signature block.

    Comment by Didier Stevens — Thursday 21 August 2014 @ 19:11

  34. Thanks Didier. How can I use this signature block to verify digital signature?

    Comment by Jitendra Bhati — Friday 22 August 2014 @ 2:30

  35. @Jitendra I know of no tool that can do that. Verifying a signature implies that you also check the file that was signed, so I don’t see what you want to do here.

    Comment by Didier Stevens — Saturday 23 August 2014 @ 12:25

  36. […] in the malware (PE). To extract and verify the signature, it is always possible to use Didier Stevens's disitool or other tools such as SignTool released by […]

    Pingback by Digitally Signed PE Malware | Gianni Amato — Monday 25 August 2014 @ 15:14

  37. […] To manipulate (delete, copy, extract, add or inject) embedded digital signatures found on DLL or EXE files on Windows, we can use a Python utility called Disitool. […]

    Pingback by Windows: Remove Digital Signature From DLL / EXE Files - Digital Internals — Saturday 14 February 2015 @ 8:07

  38. […] Scan: Yara, ClamAV, TrID, ExifTool, virustotal-submit, Disitool […]

    Pingback by REMnux: Linux distribution specialized in malware analysis | Skydeep — Thursday 20 August 2015 @ 1:50

  39. Hi Didier,
    I just tried it and got an exception thrown from pefile. I suspect pefile has changed over the years since your link here points to code.google.com and it redirects to GitHub presently. So, I am pretty sure I have a much much later version of pefile and perhaps it is incompatible with Disitool? By any chance, can you share the old pefile and its dependencies? BTW I attempted to extract the signature of procexp.exe as a test on my remnux.
    Traceback (most recent call last):
    File “disitool.py”, line 258, in
    Main()
    File “disitool.py”, line 241, in Main
    ExtractDigitalSignature(args[1], args[2])
    File “disitool.py”, line 123, in ExtractDigitalSignature
    pe = pefile.PE(SignedFile)
    File “C:\Users\ganesh\Downloads\disitool_v0_3\pefile.py”, line 1742, in __init__
    self.__parse__(name, data, fast_load)
    File “C:\Users\ganesh\Downloads\disitool_v0_3\pefile.py”, line 2099, in __parse__
    self.parse_data_directories()
    File “C:\Users\ganesh\Downloads\disitool_v0_3\pefile.py”, line 2438, in parse_data_directories
    value = entry[1](dir_entry.VirtualAddress, dir_entry.Size)
    File “C:\Users\ganesh\Downloads\disitool_v0_3\pefile.py”, line 3071, in parse_resources_directory
    self.parse_version_information(rt_version_struct)
    File “C:\Users\ganesh\Downloads\disitool_v0_3\pefile.py”, line 3363, in parse_version_information
    max_length = string_struct.ValueLength )
    File “C:\Users\ganesh\Downloads\disitool_v0_3\pefile.py”, line 4344, in get_string_u_at_rva
    s = u”.join(map(chr, uchrs))
    UnicodeDecodeError: ‘ascii’ codec can’t decode byte 0xa9 in position 0: ordinal not in range(128)
    Thanks in advance.

    Comment by Ganesh — Monday 2 January 2017 @ 22:35

  40. Hi Didier,
    Yesterday I left a comment re disitool throwing an exception with the latest pefile from GitHub. I just wanted to write an update to my comment from yesterday. I found an older pefile.py in the remnux image that was available in the same folder where pyew.py was found. I copied this old pefile.py and tried your disitool successfully with this older pefile. So, my issue is resolved now.
    Thanks!

    Comment by Ganesh — Tuesday 3 January 2017 @ 20:10

  41. […] problem I first looked for unsigned PE files in the OCSE installation using the disitool script of Didier Stevens: $ Find. -iname ‘* .exe’ -exec eco {} ; python ~ / herramientas / disitool.py extracto […]

    Pingback by Trend Micro Office Scan, some of its chains of bugs. - Carlos Crudo — Wednesday 4 January 2017 @ 17:36

  42. […] Scan Disitool disitool.py Manipulate digital signatures of Windows executables remnux-didier (APT) https://blog.didierstevens.com/programs/disitool/ Examine File Properties and Contents: Scan ExifTool exiftool Extract file properties […]

    Pingback by Remnux-A tool for reverse engineering Malware – Infohub — Saturday 8 April 2017 @ 22:40

  43. Hi
    I’m French. Your Python program is very interesting. I looked at your code. Do you think it’s possible to carry it as a cpp under Visual studio?
    I don’t agree with the line below
    <>

    Thanks

    Comment by Jean — Wednesday 3 June 2020 @ 6:40

  44. Yes, you could convert this to most programming languages.
    I see no line below.

    Comment by Didier Stevens — Friday 5 June 2020 @ 7:51

  45. […] This is a Python 3 update for my disitool. […]

    Pingback by Update: disitool.py Version 0.4 | Didier Stevens — Sunday 29 November 2020 @ 6:03

