Gotcha
Using the FOR /R command, I thought I would casually see how many files on my system have zero or incorrect checksums...
@ECHO OFF
REM Log goes next to this script, with the script's own name and a .log extension
SET LOG=%~dpn0.log
REM Redirection fragment: append stdout and stderr to the log
SET TO_LOG=^>^> "%LOG%" 2^>^&1
SET MFACS=%USERPROFILE%\Documents\MapFileAndCheckSum\mfacs32.exe
:Recurse
REM Walk the whole system drive and run mfacs32 on every PE file type of interest
FOR /R %SystemDrive%\ %%f IN (*.exe *.dll *.ocx *.cpl *.scr *.ax) DO (
    ECHO %%f %TO_LOG%
    "%MFACS%" "%%f" %TO_LOG%
)
GOTO :EOF
As it turns out, they number in the thousands. Non-zero invalid checksums were significantly less numerous than zero checksums, but still surprisingly frequent, including many signed binaries.
So, it's not a very good sign of badness all by itself. Even so, I found that PE checksums might still be able to tell you one or two interesting things about a binary and the (type of) person who built it:
- 0x00000000 - That this is not a "release" version of the binary, or that the developer uses the command line or some other non-Visual Studio build system, and has omitted the /RELEASE linker flag, causing link.exe to omit the computation and insertion of the PE checksum. So perhaps your coder is a command line-oriented person?
- Mismatch - That the binary has been modified after it was compiled, or perhaps that a toolchain other than Microsoft's was used to create the binary.
There might be other conclusions that could be drawn as well. In any case, the source code for the utility, which is really just a command-line wrapper for the Imagehlp!MapFileAndCheckSum function, can be had here:
https://github.com/strictlymike/mfacs
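As an added example (not the mfacs utility's own code), the following Python reimplements the arithmetic MapFileAndCheckSum performs and gives the same zero / match / mismatch verdict the batch loop above logs per file. The 160-byte header in build_sample is constructed for the demonstration and is not a loadable executable.

```python
import struct


def checksum_field_offset(data: bytes) -> int:
    # e_lfanew (at 0x3C) -> 'PE\0\0' signature (4 bytes) -> COFF file header (20 bytes)
    # -> IMAGE_OPTIONAL_HEADER, whose CheckSum field is at offset 64 in both PE32 and PE32+.
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def compute_pe_checksum(data: bytes) -> int:
    # Same arithmetic as Imagehlp!MapFileAndCheckSum: sum the file as little-endian
    # 32-bit words (skipping the CheckSum field itself), fold carries back in,
    # reduce to 16 bits, then add the unpadded file size.
    skip = checksum_field_offset(data) & ~3      # the field is dword-aligned in practice
    padded = data + b"\0" * (-len(data) % 4)     # zero-pad a trailing partial word
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        (word,) = struct.unpack_from("<I", padded, off)
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def classify(data: bytes) -> str:
    # 'zero': the linker never filled the field (e.g. link.exe without /RELEASE);
    # 'mismatch': bytes changed after linking, or a toolchain that computes it differently.
    (stored,) = struct.unpack_from("<I", data, checksum_field_offset(data))
    if stored == 0:
        return "zero"
    return "match" if stored == compute_pe_checksum(data) else "mismatch"


def build_sample(stored: int) -> bytes:
    # Constructed 160-byte stub carrying only the fields read above; not a loadable PE.
    buf = bytearray(160)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)      # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 88, stored)   # IMAGE_OPTIONAL_HEADER.CheckSum
    return bytes(buf)
```

Calling classify(open(path, "rb").read()) on a real binary gives the verdict for that file; because the CheckSum field is excluded from the sum, writing the computed value back into the header always yields "match".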