STATUS_INVALID_IMAGE_HASH (0xc0000428) on valid PE files

-2

I tried loading the DLL file "bcryptprimitives.dll" (which in my case, originally sits under "C:\Windows\syswow64\bcryptprimitives.dll") from another location, with this snippet of code:

LoadLibraryW(L"<altered path>\\bcryptprimitives.dll");

However, right after executing this line of code I get the following error:

enter image description here

C:\Program Files (x86)\Notepad++\bcryptprimitives.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. Error status 0xc0000428.

I searched the 0xc0000428 NTSTATUS in the following dictionary: https://msdn.microsoft.com/en-us/library/cc704588.aspx and apparently this status means STATUS_INVALID_IMAGE_HASH.

The error at first makes sense, because I changed the "LoaderFlags" field in the image PE header from 0x00000000 to 0x00000001 (which doesn't need to affect anything because this field is deprecated), but even though I changed the field, I fixed the PE checksum.

enter image description here

As you can see: enter image description here

However, LoadLibrary still refuses to load the DLL. Diving deep into ntdll reveals that the error is returned from kernel:

enter image description here

It makes me think that the DLL is somehow signed and the kernel checks whether the DLL was altered. So to my point, how can I load this DLL from another location anyway and remove the sign check?

c
windows
winapi
assembly
internals
asked on Stack Overflow Jul 14, 2016 by Aviv

2 Answers

5

If a DLL is signed, then by changing a single byte in the file will invalidate the signature. It appears you are doing exactly that by modifying PE header.

This blog post might be of interest to for deeper insight how this technology works:

Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.

answered on Stack Overflow Jul 14, 2016 by Brandon
1

Found a quick solution:

DWORD dwIndex = 0;

hFile = CreateFileW(L"C:\\Program Files (x86)\\Notepad++\\bcryptprimitives.dll", FILE_READ_DATA | FILE_WRITE_DATA, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

while (ImageRemoveCertificate(hFile, dwIndex))
{
    ++dwIndex;
}

LoadLibraryW(L"C:\\Program Files (x86)\\Notepad++\\bcryptprimitives.dll");

It is working like a charm :)

This is how the API works:

    1. Calculate the offset of the end of the last section.
    1. Remove all the data following that section.
    1. Remove the security data directory.
    1. Shrink the image.
    1. Calculate an updated checksum of the PE.
answered on Stack Overflow Jul 14, 2016 by Aviv • edited Jul 14, 2016 by Aviv

User contributions licensed under CC BY-SA 3.0