I don't understand at the moment how countersigning works.
I'm wondering whether it is possible to manipulate a file and re-sign it with the original key, including a faked countersignature?
I'm using e.g.:
signtool.exe sign /f "mycert.pfx" /t "http://timestamp.verisign.com/scripts/timstamp.dll" /v "MyApp.exe"
This gives me a signed application with a countersignature. But how does that work? Does the "timestamp" server simply sign the current timestamp? If I understand correctly, that would allow a replay attack, so that I could sign a file in the past.
How is the countersignature protected?
In your particular case it's not countersigning at all. The Authenticode timestamp is included as an attribute in the PKCS#7 packet of the original signature. It's the signature (its digest) that is timestamped. The server signs the digest and the time value with its certificate.
Consequently there's no room (or sense) for a replay attack: if you change the data, you will get a different timestamp packet, and if you want to replace an older timestamp of the same data with a new timestamp, you can just re-sign and re-timestamp the data instead of playing with timestamps.
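To make the binding described in the answer concrete, here is a worked model of the exchange in Go. It is an added example, not code from the question or the answer and not Microsoft's or signtool's implementation: Ed25519 and a simple digest||time byte layout stand in for the real PKCS#7/RFC 3161 structures, the keys are derived from fixed seeds and the "file" contents are constructed. It shows why a timestamp token obtained for one signature cannot be replayed onto a re-signed, modified file, and why the asserted time cannot be edited after the fact.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// TimestampToken is a simplified model of what the timestamp server returns:
// the digest of the signature it was asked to timestamp, the time it asserts,
// and its own signature over both. (Assumed layout for this example; real
// Authenticode tokens are PKCS#7 / RFC 3161 structures.)
type TimestampToken struct {
	SigDigest [32]byte
	Time      int64 // Unix seconds asserted by the timestamp server
	TSASig    []byte
}

// publisherSign models the publisher signing a file: the signature covers the
// SHA-256 digest of the file contents.
func publisherSign(priv ed25519.PrivateKey, fileData []byte) []byte {
	fileDigest := sha256.Sum256(fileData)
	return ed25519.Sign(priv, fileDigest[:])
}

// tsaBytesToSign is what the timestamp server actually signs: the digest of the
// publisher's signature concatenated with the big-endian time value.
func tsaBytesToSign(sigDigest [32]byte, t int64) []byte {
	var tb [8]byte
	binary.BigEndian.PutUint64(tb[:], uint64(t))
	return append(append([]byte{}, sigDigest[:]...), tb[:]...)
}

// tsaTimestamp models the timestamp server: it never sees the file, only the
// digest of the signature, and signs that digest together with its own clock.
func tsaTimestamp(tsaPriv ed25519.PrivateKey, publisherSig []byte, now int64) TimestampToken {
	d := sha256.Sum256(publisherSig)
	return TimestampToken{SigDigest: d, Time: now, TSASig: ed25519.Sign(tsaPriv, tsaBytesToSign(d, now))}
}

// verifyTimestamp checks that the token is bound to this exact signature and
// that the server's signature over digest||time is intact.
func verifyTimestamp(tsaPub ed25519.PublicKey, publisherSig []byte, tok TimestampToken) bool {
	d := sha256.Sum256(publisherSig)
	if !bytes.Equal(d[:], tok.SigDigest[:]) {
		return false // token was issued for a different signature
	}
	return ed25519.Verify(tsaPub, tsaBytesToSign(d, tok.Time), tok.TSASig)
}

// verifySigned checks the publisher's signature over the file, then the
// timestamp over that signature.
func verifySigned(pubPub, tsaPub ed25519.PublicKey, fileData, sig []byte, tok TimestampToken) bool {
	fileDigest := sha256.Sum256(fileData)
	if !ed25519.Verify(pubPub, fileDigest[:], sig) {
		return false
	}
	return verifyTimestamp(tsaPub, sig, tok)
}

// Demo returns whether (1) a genuine signed+timestamped file verifies,
// (2) an old token replayed onto a re-signed modified file verifies,
// (3) a fresh token whose time field was edited backwards verifies.
func Demo() (genuine, replayed, backdated bool) {
	// Constructed deterministic keys for the example only (not real keys).
	pubPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	tsaPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	pubPub := pubPriv.Public().(ed25519.PublicKey)
	tsaPub := tsaPriv.Public().(ed25519.PublicKey)

	original := []byte("MyApp.exe v1.0 (constructed stand-in for a binary)")
	signedAt := time.Date(2012, 1, 1, 12, 0, 0, 0, time.UTC).Unix()

	sig := publisherSign(pubPriv, original)
	tok := tsaTimestamp(tsaPriv, sig, signedAt)
	genuine = verifySigned(pubPub, tsaPub, original, sig, tok)

	// Attack 1: modify the file, re-sign with the publisher's key, reuse the
	// old token. The new signature has a different digest, so the old token
	// does not bind to it.
	modified := []byte("MyApp.exe v1.0 + injected payload (constructed)")
	sig2 := publisherSign(pubPriv, modified)
	replayed = verifySigned(pubPub, tsaPub, modified, sig2, tok)

	// Attack 2: obtain a fresh token for the new signature, then edit its time
	// to look old. The server signed digest||time, so the edit breaks TSASig.
	tok2 := tsaTimestamp(tsaPriv, sig2, time.Now().Unix())
	tok2.Time = signedAt
	backdated = verifySigned(pubPub, tsaPub, modified, sig2, tok2)
	return
}

func main() {
	g, r, b := Demo()
	fmt.Printf("genuine=%v replayedToken=%v backdatedTime=%v\n", g, r, b)
}
```

The only way to get a token that verifies is to ask the timestamp server for one, and the server puts its own clock in it; the attacker controls the file and (in the scenario from the question) the publisher's key, but not the server's key, so "signing a file in the past" is exactly what the construction rules out.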