Checksum in PE files

Source: Internet
Author: User

Recently I have been studying the structure of PE files. Every time I read the document I gain new insights, which shows that there are many things I still do not understand deeply.

Today, I did an experiment on the checksum and confirmed that at the application layer, when the system loads a program, CreateProcess does not verify the checksum of the EXE, and LoadLibrary does not validate the DLL. According to the document, these do not have to be checked, so there is no problem. Another thing to confirm is that the checksum is checked during driver loading.

The following is an excerpt from PECOFF-v8 on the CheckSum field (offset 64/64, size 4): the image file checksum. The algorithm for computing the checksum is incorporated into imagehlp.dll. The following are checked for validation at load time: all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.

As for the checksum algorithm, it is not disclosed by Microsoft. Of course, it is not difficult to obtain it from the checksum API functions.

The following code is from the Internet (its original source cannot be found); it calculates the checksum correctly.

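#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/* Builds with MSVC for 32-bit x86 only: the checksum loop uses inline __asm. */
int main(int argc, char* argv[])
{
    if (argc < 2)
    {
        printf("usage %s c:\\myfile.exe\n", argv[0]);
        system("pause");
        return 0;
    }

    /* Write access is needed because CheckSum is zeroed in the mapped view
       while the sum is taken, and restored afterwards. */
    HANDLE hFile = CreateFileA(argv[1], GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ,
                               NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf("Open File Failed!\n");
        system("pause");
        return 0;
    }

    HANDLE hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, 0, 0);
    if (hFileMapping == NULL)
    {
        printf("Create Mapping File Failed!\n");
        CloseHandle(hFile);
        return 0;
    }

    LPVOID lpBase = MapViewOfFile(hFileMapping, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
    if (lpBase == NULL)
    {
        printf("Failed to Map the File!\n");
        CloseHandle(hFileMapping);
        CloseHandle(hFile);
        return 0;   /* do not fall through and dereference a NULL view */
    }

    PIMAGE_DOS_HEADER dosH = (PIMAGE_DOS_HEADER)lpBase;
    if (dosH->e_magic == 0x5a4d)                    /* "MZ" */
    {
        DWORD off = dosH->e_lfanew;
        PIMAGE_NT_HEADERS ntH = (PIMAGE_NT_HEADERS)((PBYTE)dosH + off);
        if (ntH->Signature == 0x4550)               /* "PE\0\0" */
        {
            printf("It's a PE File.\n");
            DWORD checksum = ntH->OptionalHeader.CheckSum;
            printf("CheckSum is : 0x%08lX\n", checksum);

            /* The stored checksum must count as zero while summing. */
            ntH->OptionalHeader.CheckSum = 0;
            DWORD fileSize = GetFileSize(hFile, NULL);
            DWORD checksum2 = 0;
            __asm
            {
                pushad
                xor eax, eax
                mov ebx, fileSize
                mov ecx, ebx
                push ecx
                shr ecx, 1              // number of 16-bit words
                mov esi, lpBase
                clc
            cal_checksum:
                adc ax, word ptr [esi]  // add word plus carry from the previous add
                inc esi                 // inc and loop leave CF untouched
                inc esi
                loop cal_checksum
                adc ax, 0               // fold in the last carry
                pop ecx
                test ecx, 1             // odd file size: one byte left over
                jz __end
                xor edi, edi
                movzx di, byte ptr [esi]
                clc
                add ax, di
                adc ax, 0               // fold the carry from the trailing byte
            __end:
                add eax, ebx            // checksum = 16-bit sum + file size
                mov checksum2, eax
                popad
            }
            printf("My CheckSum is : 0x%08lX\n", checksum2);

            /* Put the original value back so the file is left unchanged. */
            ntH->OptionalHeader.CheckSum = checksum;
        }
    }

    UnmapViewOfFile(lpBase);
    CloseHandle(hFileMapping);
    CloseHandle(hFile);
    system("pause");
    return 0;
}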
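A portable C version of the same calculation, added here as an example and not taken from the original page or from Microsoft: it works on a read-only buffer, bounds-checks e_lfanew, and reads the CheckSum field as zero instead of temporarily overwriting it. The function names and the 257-byte sample are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Little-endian accessors: no struct casts, so no alignment assumptions. */
static uint32_t rd(const uint8_t *p, int n)
{ uint32_t v = 0; while (n--) v = (v << 8) | p[n]; return v; }
static void wr32(uint8_t *p, uint32_t v)
{ for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* File offset of OptionalHeader.CheckSum, or 0 if buf is not a PE image. */
size_t pe_checksum_offset(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || rd(buf, 2) != 0x5A4D) return 0;       /* "MZ" */
    size_t nt = rd(buf + 0x3C, 4);                           /* e_lfanew */
    if (nt >= len || len - nt < 4 + 20 + 64 + 4) return 0;   /* truncated */
    if (rd(buf + nt, 4) != 0x4550) return 0;                 /* "PE\0\0" */
    return nt + 4 + 20 + 64;   /* signature + file header + field offset 64 */
}

/* 16-bit sum with end-around carry over the whole file, CheckSum field read
   as zero, plus the file length: the same result as the assembly loop. */
uint32_t pe_checksum(const uint8_t *buf, size_t len, size_t field)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) {
        uint32_t b = (i >= field && i < field + 4) ? 0 : buf[i];
        sum += (i & 1) ? b << 8 : b;          /* odd index = high byte */
        sum = (sum & 0xFFFF) + (sum >> 16);   /* fold the carry (adc) */
    }
    return sum + (uint32_t)len;
}

/* 1 = stored CheckSum matches, 0 = mismatch, -1 = not a PE image. */
int pe_checksum_ok(const uint8_t *buf, size_t len)
{
    size_t f = pe_checksum_offset(buf, len);
    return f ? rd(buf + f, 4) == pe_checksum(buf, len, f) : -1;
}

/* Constructed 257-byte sample (headers plus filler, not a loadable image). */
size_t make_sample(uint8_t *img)              /* img must hold 257 bytes */
{
    for (size_t i = 0; i < 257; i++) img[i] = (uint8_t)(i * 7);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x80); wr32(img + 0x80, 0x4550);
    size_t f = pe_checksum_offset(img, 257);
    wr32(img + f, pe_checksum(img, 257, f));  /* stamp a correct value */
    return f;
}
```

Calling pe_checksum_ok on the sample returns 1; changing any byte outside the CheckSum field makes it return 0, which is the comparison a load-time validator performs.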
