Generating CheckSum for AMD64

PabloMack:
I have written a working assembler and library manager targeting AMD64. I am currently writing a linker. The PE specification I am using says the following for the CheckSum field that is in the Optional Header that makes up part of the target EXE file:

"The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL. The following are checked for validation at load time: all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process."

I noticed that there is a file called PellesC/Lib/Win64/imagehlp.lib in the Pelles C installation. Is this library capable of doing this function? If so, how would it be used?

Thanks.

TimoVJL:
See An Analysis of the Windows PE Checksum Algorithm

EDIT: MS old ChkSum function:
--- Code: ---
USHORT ChkSum(ULONG PartialSum, PUSHORT Source, ULONG Length)
{
    while (Length--)
    {
        PartialSum += *Source++;
        PartialSum = (PartialSum >> 16) + (PartialSum & 0xffff);
    }
    return (USHORT)(((PartialSum >> 16) + PartialSum) & 0xffff);
}
--- End code ---
Length is ( filesize / 2 ).

To help optimizer:

--- Code: ---
USHORT ChkSum1(ULONG ulPartialSum, PUSHORT pSource, ULONG nLength)
{
    do
    {
        if ((nLength))
            ulPartialSum += *pSource++;
        /* fold the carry back in; the last pass (nLength == 0) adds nothing and only folds */
        ulPartialSum = (ulPartialSum >> 16) + (ulPartialSum & 0xffff);
    } while (nLength--);
    return (USHORT)ulPartialSum;
}
--- End code ---

PabloMack:
Interesting. The PEChecksum.exe program might be able to assist. But it would be a manual operation which will require me to run the windowed program every time I do a new build. The article says that the book "The Art Of Computer Virus Research And Defense" contains the complete algorithm but it costs $36 on Amazon. It seems that may be the only way I am going to make my linker able to generate an EXE without having to do that extra manual step.

The source code for PECheckSum is C++ (not C) so it can't be used with Pelles C. Perhaps it can be used with the OpenWatcom tool chain that I've been using since it also supports C++ but it is only 32-bit so I don't know if it could work on 64-bit executables. My linker is written in C (not C++) so I'm not sure what I want to do. The source code only shows how to call the DLL which is where all the action happens.

frankie:
Start reading the imagehlp.h functions reference on MSDN.
Then read carefully MapFileAndCheckSum() and CheckSumMappedFile().
You may prefer the second, so after mapping your exe, and after getting the checksum through CheckSumMappedFile(), you can patch it by adding the checksum.

PabloMack:
The following web page seems to explain the algorithm while the link above
just talks about using some test programs.

http://bytepointer.com/resources/microsoft_pe_checksum_algo_distilled.htm

I see above that TimoVJL edited his post and it shows similar information.
But the complete algorithm seems to add the length after the partial is done.

Thanks to you both.
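
The complete algorithm discussed in this thread (16-bit sum with end-around carry, the CheckSum field itself counted as zero, file length added last), as an added example that is not part of any post above and is not the imagehlp source. The function names and the 256-byte sample image are constructed for illustration, and zero-padding an odd trailing byte is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rd32(const uint8_t *p)   /* little-endian read, no alignment assumptions */
{ return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Offset of OptionalHeader.CheckSum, or 0 if the buffer is not a plausible PE image.
   The field sits 64 bytes into the optional header for both PE32 and PE32+. */
size_t pe_checksum_offset(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe = rd32(img + 0x3C);                 /* e_lfanew */
    if (pe > len || len - pe < 0x5C) return 0;      /* signature(4) + file header(20) + 64 + 4 */
    if (rd32(img + pe) != 0x00004550) return 0;     /* "PE\0\0" */
    return (size_t)pe + 0x58;
}

/* Checksum of the whole file with the four CheckSum bytes at offset cs read as zero. */
uint32_t pe_checksum(const uint8_t *img, size_t len, size_t cs)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2) {
        uint32_t lo = (i >= cs && i < cs + 4) ? 0 : img[i];
        /* an odd trailing byte is padded with zero (assumption of this sketch) */
        uint32_t hi = (i + 1 >= len || (i + 1 >= cs && i + 1 < cs + 4)) ? 0 : img[i + 1];
        sum += lo | hi << 8;
        sum = (sum >> 16) + (sum & 0xFFFF);         /* end-around carry */
    }
    sum = (sum >> 16) + (sum & 0xFFFF);
    return sum + (uint32_t)len;                     /* file length is added last */
}

/* Constructed sample: headers only, with a stale value left in the CheckSum field. */
uint32_t sample_checksum(void)
{
    uint8_t img[0x100] = {0};
    img[0] = 'M'; img[1] = 'Z'; img[0x10] = 0xFF; img[0x11] = 0xFF;
    img[0x3C] = 0x80; memcpy(img + 0x80, "PE\0\0", 4);
    memcpy(img + 0xD8, "\xEF\xBE\xAD\xDE", 4);      /* stale checksum, must be ignored */
    size_t cs = pe_checksum_offset(img, sizeof img);
    return cs ? pe_checksum(img, sizeof img, cs) : 0;
}

int main(void)
{
    printf("checksum = 0x%08X\n", (unsigned)sample_checksum());
    return 0;
}
```

A linker would write the returned value little-endian at the offset reported by `pe_checksum_offset()` once the rest of the image is final.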
