How to Modify Signed Executables Using Unsigntool

Digital signatures let Windows and security tooling confirm that an executable comes from a named publisher and has not changed since it was signed. Reverse engineers, security researchers and developers nonetheless often need to modify such files for debugging or analysis. Any edit to a signed binary invalidates its Authenticode signature: the file hash embedded in the signature no longer matches, so every verifier reports the signature as invalid. Windows does not refuse to run ordinary user-mode programs on that basis by default, but kernel-mode drivers and machines with code-integrity policies such as WDAC or AppLocker will not load the file, and endpoint security products treat a signature that fails verification as a tampering indicator.
Unsigntool is a utility that strips the digital signature from an executable cleanly. With the signature removed you can modify the binary and, if your environment requires it, re-sign it with your own test certificate.

Why Remove a Digital Signature?
Modifying a signed executable directly leaves behind a signature whose embedded hash no longer matches the file, so verifiers report it as invalid rather than merely unsigned. Stripping the signature first has several advantages:

Avoids an invalid-signature verdict: A file whose signature fails verification is a louder tampering signal to security tooling than a plainly unsigned file, and some parsers cope poorly with a certificate table that no longer agrees with the rest of the binary.

Enables clean editing: With the certificate table gone the file is an ordinary unsigned PE, so hex editors and patching tools can change code, resources and even the end of the file without leaving stale signature metadata behind.

Facilitates re-signing: It provides a clean slate for a self-signed test certificate in a local lab.

Prerequisites and Requirements
Before you begin, ensure you have the necessary tools installed on your workstation:
Unsigntool: Download the compiled binary or build it from its open-source repository.
Hex Editor or PE Editor: HxD or CFF Explorer to edit the executable, and a viewer such as PEview to inspect the headers before and after.
Command Prompt or PowerShell: Run with standard or administrative privileges depending on file locations.
Target File: A signed Portable Executable (PE) file, such as an .exe or .dll.

Step 1: Verify the Original Signature
Before stripping the signature, confirm that the target executable is actually signed. Right-click the file in Windows Explorer, select Properties and look for the Digital Signatures tab. The PowerShell cmdlet Get-AuthenticodeSignature gives the same answer on the command line and is more precise: its Status field distinguishes Valid, NotSigned and HashMismatch, the last of which means the file carries a signature that no longer matches its contents.
If the tab exists and lists a signer, the file is signed and eligible for processing.

Step 2: Strip the Signature Using Unsigntool
Unsigntool is a command-line tool. It locates the security directory entry in the PE optional header (IMAGE_DIRECTORY_ENTRY_SECURITY, index 4 of the data directory), which holds the file offset and size of the WIN_CERTIFICATE table containing the PKCS#7 signature, and zeroes those fields so nothing points at the signature any more. A clean strip also removes the now-unreferenced certificate table itself, which normally sits at the very end of the file.
Open your terminal and navigate to the directory containing unsigntool.exe, then run:

unsigntool.exe -i input_file.exe -o output_file.exe

-i: Specifies the original signed input executable.
-o: Specifies the name of the new, unsigned output file.
(Note: Some versions of the tool modify the file in place if you do not specify an output argument. Always create a backup copy of your original file first.)
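The same operation written out in Python so the mechanism in this step is visible: locate the security directory entry, zero it, drop the trailing certificate table and refresh the optional-header CheckSum (the Authenticode hash excludes that field, so stripping does not break the signature through it, but the old value no longer matches the shortened file). This is an added example and not Unsigntool's code; the header-only PE it builds, the placeholder PKCS#7 bytes and every function name are constructed for illustration, and the checksum step is something the page does not claim Unsigntool performs.

```python
"""Strip an Authenticode certificate table from a PE file by hand (added example)."""
import struct
import sys

SECURITY_DIR_INDEX = 4              # IMAGE_DIRECTORY_ENTRY_SECURITY
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _optional_header(data: bytes) -> tuple[int, int]:
    """Return (file offset of the optional header, its magic) after checking MZ/PE markers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20     # 4-byte PE\0\0 + 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    return opt_hdr, magic


def security_directory(data: bytes) -> tuple[int, int, int]:
    """Return (entry offset, certificate table file offset, certificate table size).
    Unlike other directories this entry holds a raw file offset, not an RVA."""
    opt_hdr, magic = _optional_header(data)
    count_off, dir_off = (92, 96) if magic == PE32_MAGIC else (108, 112)
    if struct.unpack_from("<I", data, opt_hdr + count_off)[0] <= SECURITY_DIR_INDEX:
        return 0, 0, 0              # no security entry at all, so nothing to strip
    entry = opt_hdr + dir_off + 8 * SECURITY_DIR_INDEX
    off, size = struct.unpack_from("<II", data, entry)
    return entry, off, size


def is_signed(data: bytes) -> bool:
    """True when the entry points at a non-empty certificate table that lies inside the file."""
    _, off, size = security_directory(data)
    return off != 0 and size != 0 and off + size <= len(data)


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """Optional-header CheckSum: fold the file as 32-bit words into 16 bits, skipping the
    CheckSum field itself, then add the file length (the same arithmetic pefile uses)."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def strip_signature(data: bytes) -> bytes:
    """Zero the security entry, drop a trailing certificate table, and refresh CheckSum."""
    if not is_signed(data):
        return bytes(data)
    entry, off, size = security_directory(data)
    out = bytearray(data)
    struct.pack_into("<II", out, entry, 0, 0)
    # The WIN_CERTIFICATE table normally ends the file; only then is truncation safe.
    # If anything follows it (an overlay), the table stays behind as unreferenced bytes.
    if off + size == len(out):
        del out[off:]
    opt_hdr, _ = _optional_header(bytes(out))
    checksum_off = opt_hdr + 64     # CheckSum sits at +64 in both PE32 and PE32+
    struct.pack_into("<I", out, checksum_off, pe_checksum(bytes(out), checksum_off))
    return bytes(out)


def build_fake_signed_pe(cert_blob: bytes) -> bytes:
    """Constructed sample: a header-only PE32+ (not loadable) with one WIN_CERTIFICATE appended."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ").ljust(e_lfanew, b"\0")
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)           # 328 bytes, 8-byte aligned
    # WIN_CERTIFICATE header: dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS#7)
    body = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    table = body + b"\0" * (-len(body) % 8)                        # entries are 8-byte aligned
    image = bytearray(headers + table)
    entry = e_lfanew + 24 + 112 + 8 * SECURITY_DIR_INDEX
    struct.pack_into("<II", image, entry, len(headers), len(table))
    return bytes(image)


if __name__ == "__main__":          # usage: strip_authenticode.py signed.exe unsigned.exe
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    if not is_signed(data):
        sys.exit("no certificate table present; nothing to strip")
    with open(sys.argv[2], "wb") as f:
        f.write(strip_signature(data))
```

Run as a script it takes a signed input path and an output path; build_fake_signed_pe exists only so the functions can be exercised without a real binary. Note that is_signed also requires the table to lie inside the file, so a security entry that points past end-of-file (a truncated download, for instance) is reported as unsigned rather than treated as a valid signature.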
Check the Properties of the new output file: the Digital Signatures tab should now be missing entirely.

Step 3: Modify the Executable
With the signature removed, you can modify the binary's code or resources without leaving a stale, now-invalid signature block behind.
Open output_file.exe in your hex editor or reverse engineering framework (such as Ghidra or IDA Pro).
Apply your required patches, string changes, or configuration edits, then save the file.

Step 4: Re-Signing the Executable (Optional)
If your testing environment enforces code signing (kernel-mode drivers on 64-bit Windows, or user-mode code-integrity policies such as WDAC or AppLocker), you must re-sign the modified binary with a test certificate and make the test machine trust it. For drivers that additionally means enabling test-signing mode with bcdedit /set testsigning on, which Windows advertises with a Test Mode watermark on the desktop.
You can use SignTool from the Windows SDK to apply a new signature:

signtool sign /f MyTestCertificate.pfx /p CertificatePassword /fd SHA256 output_file.exe

/f: Specifies the path to your test certificate file (.pfx), which must contain the private key.
/p: Specifies the password for the certificate file.
/fd: Names the file-digest algorithm; current SignTool releases require it, and SHA256 is the standard choice.

The /a switch, which tells SignTool to pick the best available certificate automatically, is redundant when /f already names the certificate.
Once signed, the modified executable will pass signature checks only on machines that trust your test certificate, which means installing it in the Trusted Root Certification Authorities and Trusted Publishers stores on the test system. Everywhere else it still shows as untrusted, which is exactly what a test certificate is for.

Conclusion and Security Warning
Using Unsigntool simplifies the pipeline for binary analysis and local software testing by neatly cleaning up PE headers. However, remember that modifying third-party binaries bypasses developer protections and should only be performed in secure, isolated sandbox environments for legitimate research, debugging, or educational purposes.