I cannot find any specific information about how is code signing implemented in Windows (specifically PE executables). I only find a lot of tutorials on how to sign an app but this is not what I want. I'm looking for low-level details.
I'm writing an article about security and data integrity and can't find any information whether a signed code could possibly be "unsigned" by malware.
Thanks.
Yes, the signature can be removed easily. The point of the signature is to prove authenticity of the software. The signature is not intended to be used for protection of code.
Windows PE code signing is properly named "Microsoft Authenticode" and doing google search for Authenticode will give you plenty of information about internal structure. But I think I've answered your real question above.