Codesign an executable and allow the modification of some bytes
I use signtool.exe to codesign a Windows executable.
Which options of this tool can be used to define that a few bytes should be omitted from the hash calculation, and thus allowing that a digitally signed executable can have 8 or 16 bytes modified later?
This technique has been used by Mozilla (their .exe installer is different for each download, but has the same digital signature), see How can a .exe be modified and still keep a valid digital signature?.
The WinAPI function ImageGetDigestStream has an option DigestLevel to exclude resource information from the hash computation, but how to use this option when actually with signtool.exe or a similar tool?
This is explained by Didier Stevens in an article here: It's in the signature and he also provides a tool "disitool" to manipulate the signature.
Here are the steps to sign a file using Authenticode, and to append some data to it without breaking the signature:
A) Create a code siging certificate (you'll be required to enter passwords):
MakeCert /n "CN=MyOrg" /r /h 0 /eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" /sv MyOrg.pvk MyOrg.cer
note: 1.3.6.1.5.5.7.3.3 is szOID_PKIX_KP_CODE_SIGNING and 1.3.6.1.4.1.311.10.3.13 is szOID_KP_LIFETIME_SIGNING. This will create a private key file and a certificate file.
B) Add certificate to store (needs admin rights, could be a different store):
Certutil -addStore TrustedPeople MyOrg.cer
C) Create a Pfx file to sign:
Pvk2Pfx /pvk MyOrg.pvk /pi [Password goes here] /spc MyOrg.cer /pfx MyOrg.pfx
D) Sign your file:
SignTool.exe sign /fd SHA256 /v /a /f MyOrg.pfx /p [Password goes here] MyFile.exe
At this point MyFile.exe is signed using Authenticode:
E) Create some data.txt file. I've created one that just contains the "[Kilroy was here!]" text.
F) Now run disitool:
python.exe disitool.py inject --paddata MyFile.exe data.txt MyFile2.exe
And here is the result, MyFile2.exe is still valid without resigning the file:
While you can see data.txt's content added to its end:
From the original file's end:
In my answer here How to read altered certificate data using WinApi?, I explain how to read the extra data using the Windows API.
- what is the easiest way to read and process serial data for windows 32-bit systems?
- How to make SendMessage unblocking?
- unresolved external symbol IID_IADs?
- GetRawInputDeviceInfo with RIDI_DEVICENAME returns invalid memory
- Strange characters instead national letters using Unicode in WinAPI
- Delphi notification when a file gets updated
- Can I keep the handle open for the whole program lifetime
- Both MoveWindow and SetWindowPos result in incorrect window position/size
- WM_HOTKEY Message Not Triggering Window Resize in WinMain Message Loop
- Programmatically changing the "presentation display mode"
- Where to find the win32api module for Python?
- Convert bytes from "OpenSavePidlMRU" into "ITEMIDLIST"
- Decrypting a p7m file using CNG
- Win32 API convert ID3D11Texture2D to cv::Mat
- Error while trying to use OpenGL
- AlphaBlend generating incorrect colors
- Positioning a Dialog in Win32 C++
- What's the actual page size for a 32-bit process running on WOW64?
- pass arguments with ShellExecute to Powershell with admin
- Copy PIL/PILLOW Image to Windows Clipboard
- How do I draw characters without corresponding cmap through the system API?
- Instead throwing BSOD nothing happend after clicking button
- Do Windows apps support SIGINT for user-defined signal handlers?
- Issue Creating a Tooltip in VBA
- Can Video For Windows (VFW) allow multiple video streams in one file?
- Which Win32 API is responsible for Multiple Display support in Eclipse SWT
- How can change language keyboard layout in Windows (c++)
- Can I use IFileOperation with virtual files (IStream)?
- How to programatically restore a recycle bin item
- Handles for certain programs are not properly detached when launched using the CreateProcess function in Windows