by huy2n 4322 days ago
Inside the Authenticode signature, there is an area for unauthenticated attributes (e.g., if you timestamped your executable, the timestamp (PKCS#9) is stored as an unauthenticated attribute, http://blogs.technet.com/b/srd/archive/2013/12/10/ms13-098-u...). These attributes are not verified by Windows Authenticode when the executable is run. So if you can add a new unauthenticated attribute into the signature, you can make any change we want to that attribute without invalidating the signature.

In order to inject an unauthenticated attribute to the signature, you may want to use osslsigncode for signing (instead of MS signtool).
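
A defender-side check for the point made in the comment above, as an added example that is not part of the original comment: it walks a DER-encoded PKCS#7 SignerInfo and reports unauthenticated attribute types outside an allowlist of timestamp and nested-signature OIDs. The sample bytes are constructed and simplified (not a real signature), the function names are hypothetical, and the allowlist is an assumption to tune for your environment.

```python
# Added example: flag unexpected unauthenticated attributes in a PKCS#7 SignerInfo.
KNOWN = {  # attribute types normally found in the unauthenticated set (assumed allowlist)
    "1.2.840.113549.1.9.6": "PKCS#9 countersignature (timestamp)",
    "1.3.6.1.4.1.311.3.3.1": "RFC 3161 timestamp token",
    "1.3.6.1.4.1.311.2.4.1": "nested signature",
}

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (single-byte tags only)."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long-form length: low 7 bits give the byte count
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + n]
        i += n

def oid_str(v):
    """Decode DER OID content bytes to dotted notation."""
    arcs, acc = [], 0
    for b in v:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def unexpected_unauth_attrs(signer_info):
    """Return attribute OIDs in the [1] unauthenticated set that are not in KNOWN."""
    ((_, body),) = tlvs(signer_info)  # outer SignerInfo SEQUENCE
    found = []
    for tag, val in tlvs(body):
        if tag == 0xA1:  # [1] IMPLICIT unauthenticatedAttributes
            found += [oid_str(next(tlvs(item))[1]) for _, item in tlvs(val)]
    return [oid for oid in found if oid not in KNOWN]

def der(tag, *parts):
    """Minimal DER encoder, used only to build the constructed samples below."""
    body = b"".join(parts)
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def attr(oid_hex, value):
    """Build one Attribute: SEQUENCE { OID, SET { OCTET STRING value } }."""
    return der(0x30, der(0x06, bytes.fromhex(oid_hex)), der(0x31, der(0x04, value)))

# Constructed SignerInfo stubs; 2.999.1 sits under the OID arc reserved for examples.
STUB = der(0x02, b"\x01") + der(0x30) * 3 + der(0x04, b"\x00" * 4)
CLEAN = der(0x30, STUB, der(0xA1, attr("2b060104018237030301", b"ts")))
SUSPECT = der(0x30, STUB, der(0xA1, attr("2b060104018237030301", b"ts"), attr("883701", b"\x00" * 200)))
```

In practice the SignerInfo bytes would come from the PKCS#7 blob in the PE certificate table; extracting that blob is outside this sketch.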