When included in a certificate, the image digest must exclude certain fields in the PE image, such as the Checksum and the Certificate Table entry in the Optional Header Data Directories. This is because the act of adding a certificate changes these fields and would cause a different hash value to be calculated.

The Win32 ImageGetDigestStream function provides a data stream from a target PE file to feed to hash functions. This data stream remains consistent when certificates are added to or removed from a PE file. Based on the parameters that are passed to ImageGetDigestStream, other data from the PE image can be omitted from the hash computation. The ImageGetDigestStream function is documented at, which shows that it accepts a bitfield indicating optional file sections to include: the import data, the debug symbols, and the resource section (which is used for things like embedded image files and other large binary blobs). The executable image (code and static data) is always included.

Beyond all of that, there is some padding between sections of the file, and at the end of the file, that is not used in the digest. It is conventionally zero (NULL) bytes, but it can be changed as long as the total file length doesn't change.
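The exclusion rule above, as an added example (not code from the original page, and not a reimplementation of ImageGetDigestStream): the two header fields and the appended certificate data are skipped, so the digest is the same before and after a certificate is attached. Assumptions: all function names are hypothetical, the PE stub and certificate blob are constructed, and every other file byte is hashed linearly, so the optional-section flags and padding handling are not modelled.

```python
import hashlib
import struct

def field_offsets(pe):
    """File offsets of CheckSum and the Certificate Table directory entry."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                      # skip signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+ data directories
    return opt + 64, dirs + 4 * 8                # CheckSum, directory index 4

def excluded_ranges(pe):
    """(offset, length) spans left out of the image digest."""
    checksum, entry = field_offsets(pe)
    cert_off, cert_len = struct.unpack_from("<II", pe, entry)
    spans = [(checksum, 4), (entry, 8)]
    if cert_len:                                 # entry holds a file offset, not an RVA
        spans.append((cert_off, cert_len))
    return sorted(spans)

def image_digest(pe):
    """SHA-256 over every byte outside the excluded spans (simplified)."""
    h, pos = hashlib.sha256(), 0
    for off, length in excluded_ranges(pe):
        h.update(pe[pos:off])
        pos = off + length
    h.update(pe[pos:])
    return h.hexdigest()

def build_sample():
    """Constructed PE32 stub: headers plus 0x100 bytes standing in for code."""
    pe = bytearray(0x200)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)       # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x98, 0x10B)      # optional header magic (PE32)
    return pe + b"\x90" * 0x100

def attach_certificate(pe, blob):
    """Append a constructed certificate blob and update both excluded fields."""
    out = bytearray(pe)
    checksum, entry = field_offsets(out)
    struct.pack_into("<II", out, entry, len(out), len(blob))
    struct.pack_into("<I", out, checksum, 0xDEADBEEF)  # constructed, not a real checksum
    return bytes(out + blob)
```

Flipping any byte outside the excluded spans, such as one in the stand-in code region, changes the digest, which is the property a verifier relies on.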