Re: Win32 PE, ImageHlp, and Checksum (CRC)

Hi All,

I broke down and fired up WinDbg. I posted the results to the Crypto++
newsgroup since I was approaching it as a CRC.

Jeff

http://groups.google.com/group/cryptopp-users/browse_thread/thread/73386ab6b2f2f0d8

On Jun 21, 3:21 pm, Jeffrey Walton <noloa...@xxxxxxxxx> wrote:
Hi All,

To cut to the chase: what is the algorithm that Microsoft uses for the
PE checksum?

I'm researching shortcomings of the Windows Checksum in the Header.
Using ImageHlp I can extract the embedded checksum and have the file's
checksum recalculated.

I've used IDA Pro to perform a static listing: CheckSumMappedFile()
from ImageHlp.dll eventually calls _ChkSum@12. So the function is
there.

I've also noticed that Microsoft only uses the low order 24 bits of the
DWORD, so I suspect one of two things:

* CRC-24 or variant
* CRC-32 with some sort of truncation

I'm also aware most bets are off with .NET when using certificates to
verify the image's integrity.

Any Ideas,
Jeff
Jeffrey Walton

So far, I've looked at:
* Microsoft PE Executable Format
* Debugging Applications, 1st Ed (John Robbins)
* Debugging Applications, 3rd Ed (John Robbins)
* MSJ Under the Hood by Matt Pietrek
* An In-Depth Look into the Win32 Portable Executable File Format, Part 1
* An In-Depth Look into the Win32 Portable Executable File Format, Part 2
* What Goes On Inside Windows 2000: Solving the Mysteries of the Loader
* Undocumented DOS (Personal Library)
* Undocumented Windows 2000 Secrets (Personal Library)
* Web Grep
