Win32 PE, ImageHlp, and Checksum (CRC)
- From: Jeffrey Walton <noloader@xxxxxxxxx>
- Date: Thu, 21 Jun 2007 12:21:44 -0700
Hi All,
To cut to the Chase: What is the Algorithm that Microsoft uses for the
PE checksum?
I'm researching shortcomings of the Windows Checksum in the Header.
Using ImageHlp I can extract the embedded checksum and have the file's
checksum recalculated.
I've used IDA Pro to perform a static listing: CheckSumMappedFile()
from ImageHlp.dll eventually calls _ChkSum@12. So the function is
there.
I've also noticed that Microsoft only uses the low order 24 bits of the
DWORD, so I suspect one of two things:
* CRC-24 or variant
* CRC-32 with some sort of truncation
I'm also aware most bets are off with .NET when using Certificates to
verify the image's integrity.
Any Ideas,
Jeff
Jeffrey Walton
So far, I've looked at:
* Microsoft PE Executable Format
* Debugging Applications, 1st Ed (John Robbins)
* Debugging Applications, 3rd Ed (John Robbins)
* MSJ Under the Hood by Matt Pietrek
* An In-Depth Look into the Win32 Portable Executable File Format, Part 1
* An In-Depth Look into the Win32 Portable Executable File Format, Part 2
* What Goes On Inside Windows 2000: Solving the Mysteries of the Loader
* Undocumented DOS (Personal Library)
* Undocumented Windows 2000 Secrets (Personal Library)
* Web Grep
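Added example, not part of the original post and not Microsoft's code: a portable C sketch of the extract-and-recompute check the post performs through ImageHlp. It assumes the algorithm that open-source PE tools reimplement (16-bit word sum with end-around carry, the CheckSum field counted as zero, plus the file length); the function names and the 512-byte sample buffer are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
/* Read a little-endian 32-bit value. */
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* File offset of OptionalHeader.CheckSum, or 0 if the buffer is not a PE image. */
size_t pe_checksum_offset(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    size_t nt = rd32(img + 0x3C);                 /* e_lfanew */
    if (nt > len || len - nt < 92 || memcmp(img + nt, "PE\0\0", 4)) return 0;
    return nt + 4 + 20 + 64;   /* signature + file header + field offset */
}
/* Byte i of the image, with the 4 CheckSum bytes and padding read as zero. */
static uint32_t byte_at(const uint8_t *img, size_t len, size_t f, size_t i) {
    return (i >= len || (i >= f && i < f + 4)) ? 0 : img[i];
}
/* Assumed algorithm: folded 16-bit word sum plus file length. */
uint32_t pe_checksum(const uint8_t *img, size_t len, size_t f) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2) {
        sum += byte_at(img, len, f, i) | (byte_at(img, len, f, i + 1) << 8);
        sum = (sum & 0xFFFF) + (sum >> 16);       /* end-around carry */
    }
    return sum + (uint32_t)len;
}
/* 1 if the stored value matches the recomputed one, 0 if not, -1 if not a PE. */
int pe_checksum_ok(const uint8_t *img, size_t len) {
    size_t f = pe_checksum_offset(img, len);
    if (!f) return -1;
    return rd32(img + f) == pe_checksum(img, len, f);
}
/* Constructed 512-byte sample (headers only, not loadable), checksum stored. */
size_t make_sample(uint8_t *buf) {
    size_t len = 512;
    for (size_t i = 0; i < len; i++) buf[i] = (uint8_t)(i * 7 + 3);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x80; buf[0x3D] = buf[0x3E] = buf[0x3F] = 0;
    memcpy(buf + 0x80, "PE\0\0", 4);
    size_t f = pe_checksum_offset(buf, len);
    uint32_t c = pe_checksum(buf, len, f);
    for (int k = 0; k < 4; k++) buf[f + k] = (uint8_t)(c >> (8 * k));
    return len;
}
int main(void) {
    uint8_t img[512];
    size_t len = make_sample(img);
    printf("intact image: %d\n", pe_checksum_ok(img, len));
    img[0x100] ^= 1;                              /* simulate one corrupted bit */
    printf("after 1-bit change: %d\n", pe_checksum_ok(img, len));
    return 0;
}
```

An additive sum like this catches accidental corruption only; decisions about whether an image was deliberately modified belong to signature verification, not to this field.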