I have a "Hello World" console app compiled with Flat Assembler. The size of the executable is 2048 bytes and the checksum is 0x3797.
Question:
Not really changing the opcode, just inserting different input.Length
(length of null-terminated text string in data section)
push 0xfffffff5 // -11 (STD_OUTPUT_HANDLE)
call DWORD PTR ds:0x40304c // .idata [GetStdHandle]
push 0x0
push 0x401014
push [input.Length]
push 0x401000 // .data
push eax
call DWORD PTR ds:0x403050 // .idata [WriteConsole]
push 0x0
call DWORD PTR ds:0x0403048 // .idata [ExitProcess]
For example, it still runs even if I change the checksum to 0x995A or 0x5A99.
I use ImageHlp.dll to compute the checksum as summarized in this post.
The PE checksum is documented here. It is just a field as part of the PE file format and is considered optional for normal user-mode applications. The linker usually defaults the field to zero, at least when building from Microsoft Visual C++. Windows ignores the field in most applications and you are free to make modifications to the binary without updating this value.
The exception is that the checksum needs to match for drivers and critical system processes. Per the link provided, for "all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process", you need a checksum that matches; otherwise Windows will fail to load the module.
Side note: Windows requires that drivers have an embedded code-signing certificate in addition to a matching checksum in order for that module to load in versions of Windows AFTER XP (i.e. Vista and up). For more information, see the Authenticode specification.
You can calculate and store the correct checksum in your PE file (many tools will do this for you too), and you may choose to write the logic to verify this value at runtime should you want a rudimentary integrity check against executable modification, but this is optional. A more robust integrity check is accessible through the WinTrust APIs, should you want to embed a code-signing certificate at the end of the PE file (see Authenticode link above).
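The rudimentary integrity check mentioned in the answer, as an added example (not code from the original post or from ImageHlp): it reimplements the commonly used PE checksum algorithm in Python and runs it over a constructed 256-byte header stub, showing that editing one byte leaves the stored value stale. The function names and the sample bytes are assumptions made for the illustration.

```python
import struct

def checksum_offset(data):
    """File offset of OptionalHeader.CheckSum (the same in PE32 and PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    off = e_lfanew + 4 + 20 + 64   # PE signature + COFF header + 64 into optional header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or off + 4 > len(data):
        raise ValueError("missing or truncated PE header")
    return off

def compute_checksum(data):
    """16-bit end-around-carry sum, CheckSum field counted as zero, plus file length."""
    off = checksum_offset(data)
    buf = bytearray(data[:off]) + bytes(4) + data[off + 4:]
    if len(buf) % 2:
        buf.append(0)              # pad a trailing odd byte
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    return (total + len(data)) & 0xFFFFFFFF

def stamp(data):
    """Return a copy of the image with the computed checksum stored in the header."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_offset(data), compute_checksum(data))
    return bytes(out)

def verify(data):
    """Return (stored, computed, match) for the image."""
    stored = struct.unpack_from("<I", data, checksum_offset(data))[0]
    computed = compute_checksum(data)
    return stored, computed, stored == computed

def build_sample():
    """Constructed 256-byte header stub for the demo; not a loadable executable."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    img[0xC0:0xCC] = b"Hello World\0"         # stands in for the .data string
    return bytes(img)

if __name__ == "__main__":
    good = stamp(build_sample())
    patched = good[:0xC0] + b"h" + good[0xC1:]   # edit one byte, keep the old checksum
    print(verify(good), verify(patched))
```

Because the sum is an additive 16-bit checksum, it catches accidental or careless edits only; compensating changes elsewhere in the file can keep the value unchanged, which is why the answer points to Authenticode for a robust check.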