PE files may contain several checksums which are useful to detect manipulation. While some of them are well-known, others might be surprising.

The Optional Header checksum is always present, but certainly the least useful. The reason is that Microsoft files built in recent years don't have valid checksums in their Optional Header anymore. However, if you happen to find a file with a valid checksum and one without, the valid one is probably the original. I was made aware that Microsoft files created within the last few years generally use the /BREPRO flag for the linker. That flag is used to create so-called reproducible builds, which means that different builds based on the same source will have the same hash for the resulting binary. To accomplish this, PE-related timestamps and the Optional Header checksum are replaced with a fixed value. This leads not only to unusable timestamps but also to an invalid Optional Header checksum.

The /BREPRO flag adds an entry to the debug section with the debug type IMAGE_DEBUG_TYPE_REPRO (0x16), and this entry in turn contains a SHA-256 hash value. As there is no documentation or name for this hash yet, it will henceforth be referred to as the repro hash. For all files that were created with /BREPRO, manipulations can be detected by checking the validity of the repro hash value. I am not aware of any tool that can validate the repro hash at present, but I am going to add this validity check as a feature to PortexAnalyzer for the upcoming release.

The checksum of the certificate is only present if the file was signed. The algorithm is described in more detail by [link]. This checksum is called authentihash and is shown on VirusTotal. Invalid checksums lead to an invalid signature.
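To make the "valid or not" test for the Optional Header checksum concrete, here is an added example (my own code, not PortexAnalyzer's) that recomputes the checksum the way the linker does and compares it with the stored field; the sample image is a constructed header skeleton, not a real executable, and the only assumption is the standard layout (e_lfanew at 0x3C, CheckSum at offset 64 of the optional header).

```python
import struct

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Sum all little-endian 32-bit words with the CheckSum field zeroed,
    carry-fold to 16 bits, then add the file length (CheckSumMappedFile-style)."""
    buf = bytearray(data) + b"\0" * (-len(data) % 4)
    buf[checksum_offset:checksum_offset + 4] = b"\0\0\0\0"  # exclude the field itself
    total = 0
    for off in range(0, len(buf), 4):
        total += struct.unpack_from("<I", buf, off)[0]
        if total > 0xFFFFFFFF:                               # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF

def checksum_field_offset(data: bytes) -> int:
    """e_lfanew -> 'PE\\0\\0' -> 20-byte file header -> CheckSum at offset 64
    of the optional header (same for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64

def verify_checksum(data: bytes):
    """Return (stored, computed, valid); a mismatch means modified after linking or a placeholder."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return stored, computed, stored == computed

def build_sample_image(checksum: int = 0) -> bytes:
    """Constructed PE32+ header skeleton (not a runnable executable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 64, checksum)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + b"\x90" * 32

def demo():
    image = bytearray(build_sample_image())
    off = checksum_field_offset(image)
    struct.pack_into("<I", image, off, pe_checksum(image, off))  # stamp like the linker
    valid_before = verify_checksum(bytes(image))[2]
    image[-1] ^= 0xFF                                        # simulated manipulation
    return valid_before, verify_checksum(bytes(image))[2]
```

On a real file, read the whole image into `bytes` and call `verify_checksum`; a /BREPRO-built binary will show a stored value that does not match the recomputed one even when untouched, which is exactly why the page recommends the repro hash for those files.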