Checksum in PE files

Recently I have been studying the structure of PE files. Every time I read the document I gain new insights, which shows that there are still many things I do not understand deeply.

Today I ran an experiment on the checksum and confirmed that, at the application layer, CreateProcess does not verify the checksum of an EXE when the system loads the program, and LoadLibrary does not verify the checksum of a DLL. According to the document, these do not have to be checked, so this is not a problem. What remains is to confirm that the checksum is checked when a driver is loaded. The following is the CheckSum entry from PECOFF v8 (offset 64/64, size 4): the image file checksum. The algorithm for computing the checksum is incorporated into imagehlp.dll. The following are checked for validity at load time: all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.

As for the checksum algorithm, Microsoft does not disclose it. Of course, it is not difficult to recover it from the checksum API functions.

The following code is from the Internet; its original source can no longer be found. It calculates the checksum correctly.

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

// Build as 32-bit with MSVC: the __asm block is x86 inline assembly.
int main(int argc, char* argv[])
{
    if (argc < 2) {
        printf("usage %s c:\\myfile.exe\n", argv[0]);
        system("pause");
        return 0;
    }
    // Write access is needed: CheckSum is zeroed in the mapped file and restored afterwards.
    HANDLE hFile = CreateFileA(argv[1], GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("Open File Failed!\n");
        system("pause");
        return 0;
    }
    HANDLE hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, 0, 0);
    if (hFileMapping == NULL) {
        printf("Create Mapping File Failed!\n");
        CloseHandle(hFile);
        return 0;
    }
    LPVOID lpBase = MapViewOfFile(hFileMapping, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
    if (lpBase == NULL) {
        printf("Failed to Map the File!\n");
        CloseHandle(hFileMapping);
        CloseHandle(hFile);
        return 0;   // do not fall through with a NULL mapping
    }
    PIMAGE_DOS_HEADER dosH = (PIMAGE_DOS_HEADER)lpBase;
    if (dosH->e_magic == 0x5a4d) {          // "MZ"
        DWORD off = dosH->e_lfanew;
        PIMAGE_NT_HEADERS ntH = (PIMAGE_NT_HEADERS)((PBYTE)dosH + off);
        if (ntH->Signature == 0x4550) {     // "PE\0\0"
            printf("It's a PE File.\n");
            DWORD checksum = ntH->OptionalHeader.CheckSum;
            printf("CheckSum is : 0x%08X\n", checksum);
            ntH->OptionalHeader.CheckSum = 0;   // the field counts as zero in the sum
            DWORD fileSize = GetFileSize(hFile, 0);
            DWORD checksum2 = 0;
            __asm {
                pushad
                xor eax, eax
                mov ebx, fileSize
                mov ecx, ebx
                push ecx
                shr ecx, 1              ; number of 16-bit words
                mov esi, lpBase
                clc
            cal_checksum:
                adc ax, word ptr [esi]  ; add the word plus the previous carry
                inc esi
                inc esi
                loop cal_checksum
                adc ax, 0               ; fold in the last carry
                pop ecx
                test ecx, 1             ; odd file size: one byte is left
                jz __end
                xor edi, edi
                movzx di, byte ptr [esi]
                clc
                add ax, di
                adc ax, 0               ; fold in the carry from the trailing byte
            __end:
                add eax, ebx            ; add the file size
                mov checksum2, eax
                popad
            }
            printf("My CheckSum is : 0x%08X\n", checksum2);
            ntH->OptionalHeader.CheckSum = checksum;    // restore the stored value
        }
    }
    UnmapViewOfFile(lpBase);
    CloseHandle(hFileMapping);
    CloseHandle(hFile);
    system("pause");
    return 0;
}
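The same word-sum-plus-file-size calculation in portable C, as an added example (not the code from the Internet above and not Microsoft's implementation): it works on a byte buffer, treats the four CheckSum bytes as zero instead of overwriting them in the file, and bounds-checks the headers before reading them. The names `pe_checksum` and `sample_checksum` and the constructed sample buffer are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian reads that make no alignment assumptions. */
static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }

/* Computes the checksum of a PE image held in memory and reads the stored one.
   Returns 0 on success, -1 if the buffer is not a PE image. */
int pe_checksum(const uint8_t *img, size_t len, uint32_t *stored, uint32_t *computed)
{
    size_t nt, field, i;
    uint32_t sum = 0;

    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;          /* "MZ" */
    nt = rd32(img + 0x3C);                                     /* e_lfanew */
    if (nt > len || len - nt < 92 || rd32(img + nt) != 0x4550) return -1;
    field = nt + 4 + 20 + 64;   /* PE signature + file header + offset 64 */
    *stored = rd32(img + field);

    for (i = 0; i < len; i += 2) {
        uint32_t lo = img[i], hi = (i + 1 < len) ? img[i + 1] : 0; /* pad odd tail */
        if (i >= field && i < field + 4) lo = 0;               /* CheckSum counts as 0 */
        if (i + 1 >= field && i + 1 < field + 4) hi = 0;
        sum += lo | hi << 8;
        sum = (sum & 0xFFFF) + (sum >> 16);                    /* end-around carry */
    }
    *computed = sum + (uint32_t)len;                           /* add the file size */
    return 0;
}

/* Constructed sample: a zero-filled buffer holding only the fields the routine
   reads, a nonzero last byte, and `stored` written into the CheckSum field. */
uint32_t sample_checksum(size_t len, uint32_t stored)
{
    static uint8_t buf[512];
    uint32_t got = 0, sum = 0;
    if (len < 0x100 || len > sizeof buf) return 0;
    memset(buf, 0, sizeof buf);
    memcpy(buf, "MZ", 2);
    buf[0x3C] = 0x80;                       /* e_lfanew = 0x80 */
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0xD8] = (uint8_t)stored;            /* CheckSum field at 0x80 + 88 */
    buf[0xD9] = (uint8_t)(stored >> 8);
    buf[0xDA] = (uint8_t)(stored >> 16);
    buf[0xDB] = (uint8_t)(stored >> 24);
    buf[len - 1] = 0x7F;
    return pe_checksum(buf, len, &got, &sum) == 0 && got == stored ? sum : 0;
}
```

A caller compares `*stored` with `*computed`; a mismatch means the image was modified after the checksum was written, or the field was never filled in.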

