# Can anyone define the Windows PE Checksum Algorithm?

6

I would like to implement this in C#

I have looked here: http://www.codeproject.com/KB/cpp/PEChecksum.aspx

And am aware of the ImageHlp.dll MapFileAndCheckSum function.

However, for various reasons, I would like to implement this myself.

The best I have found is here: http://forum.sysinternals.com/optional-header-checksum-calculation_topic24214.html

But, I don't understand the explanation. Can anyone clarify how the checksum is calculated?

Thanks!

Update

I from the code example, I do not understand what this means, and how to translate it into C#

``````sum -= sum < low 16 bits of CheckSum in file // 16-bit borrow
sum -= low 16 bits of CheckSum in file
sum -= sum < high 16 bits of CheckSum in file
sum -= high 16 bits of CheckSum in file
``````

Update #2

Thanks, came across some Python code that does similar too here

``````    def generate_checksum(self):

# This will make sure that the data representing the PE image
# is updated with any changes that might have been made by
# assigning values to header fields as those are not automatically
# updated upon assignment.
#
self.__data__ = self.write()

# Get the offset to the CheckSum field in the OptionalHeader
#
checksum_offset = self.OPTIONAL_HEADER.__file_offset__ + 0x40 # 64

checksum = 0

#
remainder = len(self.__data__) % 4
data = self.__data__ + ( '\0' * ((4-remainder) * ( remainder != 0 )) )

for i in range( len( data ) / 4 ):

# Skip the checksum field
#
if i == checksum_offset / 4:
continue

dword = struct.unpack('I', data[ i*4 : i*4+4 ])[0]
checksum = (checksum & 0xffffffff) + dword + (checksum>>32)
if checksum > 2**32:
checksum = (checksum & 0xffffffff) + (checksum >> 32)

checksum = (checksum & 0xffff) + (checksum >> 16)
checksum = (checksum) + (checksum >> 16)
checksum = checksum & 0xffff

# The length is the one of the original data, not the padded one
#
return checksum + len(self.__data__)
``````

However, it's still not working for me - here is my conversion of this code:

``````using System;
using System.IO;

namespace CheckSumTest
{
class Program
{
static void Main(string[] args)
{

var PEStart = BitConverter.ToInt32(data, 0x3c);
var PECoffStart = PEStart + 4;
var PEOptionalStart = PECoffStart + 20;
var PECheckSum = PEOptionalStart + 64;
var checkSumInFile = BitConverter.ToInt32(data, PECheckSum);
Console.WriteLine(string.Format("{0:x}", checkSumInFile));

long checksum = 0;

var remainder = data.Length % 4;
if (remainder > 0)
{
Array.Resize(ref data, data.Length + (4 - remainder));
}

var top = Math.Pow(2, 32);

for (int i = 0; i < data.Length / 4; i++)
{
if (i == PECheckSum / 4)
{
continue;
}
var dword = BitConverter.ToInt32(data, i * 4);
checksum = (checksum & 0xffffffff) + dword + (checksum >> 32);
if (checksum > top)
{
checksum = (checksum & 0xffffffff) + (checksum >> 32);
}
}

checksum = (checksum & 0xffff) + (checksum >> 16);
checksum = (checksum) + (checksum >> 16);
checksum = checksum & 0xffff;

checksum += (uint)data.Length;
Console.WriteLine(string.Format("{0:x}", checksum));

}
}
}
``````

Can anyone tell me where I'm being stupid?

c#
algorithm
checksum
portable-executable
asked on Stack Overflow Jun 21, 2011 by Kram • edited Jun 21, 2011 by Kram

5

Ok, finally got it working ok... my problem was that I was using ints not uints!!! So, this code works (assuming data is 4-byte aligned, otherwise you'll have to pad it out a little) - and PECheckSum is the position of the CheckSum value within the PE (which is clearly not used when calculating the checksum!!!!)

``````static uint CalcCheckSum(byte[] data, int PECheckSum)
{
long checksum = 0;
var top = Math.Pow(2, 32);

for (var i = 0; i < data.Length / 4; i++)
{
if (i == PECheckSum / 4)
{
continue;
}
var dword = BitConverter.ToUInt32(data, i * 4);
checksum = (checksum & 0xffffffff) + dword + (checksum >> 32);
if (checksum > top)
{
checksum = (checksum & 0xffffffff) + (checksum >> 32);
}
}

checksum = (checksum & 0xffff) + (checksum >> 16);
checksum = (checksum) + (checksum >> 16);
checksum = checksum & 0xffff;

checksum += (uint)data.Length;
return (uint)checksum;

}
``````
answered on Stack Overflow Jun 22, 2011 by Kram
3

The code in the forum post is not strictly the same as what was noted during the actual disassembly of the Windows PE code. The CodeProject article you reference gives the "fold 32-bit value into 16 bits" as:

``````mov edx,eax    ; EDX = EAX
shr edx,10h    ; EDX = EDX >> 16    EDX is high order
and eax,0FFFFh ; EAX = EAX & 0xFFFF EAX is low order
add eax,edx    ; EAX = EAX + EDX    High Order Folded into Low Order
mov edx,eax    ; EDX = EAX
shr edx,10h    ; EDX = EDX >> 16    EDX is high order
add eax,edx    ; EAX = EAX + EDX    High Order Folded into Low Order
and eax,0FFFFh ; EAX = EAX & 0xFFFF EAX is low order 16 bits
``````

Which you could translate into C# as:

``````// given: uint sum = ...;
uint high = sum >> 16; // take high order from sum
sum &= 0xFFFF;         // clear out high order from sum
sum += high;           // fold high order into low order

high = sum >> 16;      // take the new high order of sum
sum += high;           // fold the new high order into sum
sum &= 0xFFFF;         // mask to 16 bits
``````
answered on Stack Overflow Jun 21, 2011 by user7116
2

Java code below from emmanuel may not work. In my case it hangs and does not complete. I believe this is due to the heavy use of IO in the code: in particular the data.read()'s. This can be swapped with an array as solution. Where the RandomAccessFile fully or incrementally reads the file into a byte array(s).

I attempted this but the calculation was too slow due to the conditional for the checksum offset to skip the checksum header bytes. I would imagine that the OP's C# solution would have a similar problem.

The below code removes this also.

public static long computeChecksum(RandomAccessFile data, int checksumOffset) throws IOException {

``````    ...
byte[] barray = new byte[(int) length];

long i = 0;
long ch1, ch2, ch3, ch4, dword;

while (i < checksumOffset) {

ch1 = ((int) barray[(int) i++]) & 0xff;
...

checksum += dword = ch1 | (ch2 << 8) | (ch3 << 16) | (ch4 << 24);

if (checksum > top) {
checksum = (checksum & 0xffffffffL) + (checksum >> 32);
}
}
i += 4;

while (i < length) {

ch1 = ((int) barray[(int) i++]) & 0xff;
...

checksum += dword = ch1 | (ch2 << 8) | (ch3 << 16) | (ch4 << 24);

if (checksum > top) {
checksum = (checksum & 0xffffffffL) + (checksum >> 32);
}
}

checksum = (checksum & 0xffff) + (checksum >> 16);
checksum = checksum + (checksum >> 16);
checksum = checksum & 0xffff;
checksum += length;

return checksum;
}
``````

I still however think that code was too verbose and clunky so I swapped out the raf with a channel and rewrote the culprit bytes to zero's to eliminate the conditional. This code could still probably do with a cache style buffered read.

``````public static long computeChecksum2(FileChannel ch, int checksumOffset)
throws IOException {

ch.position(0);
long sum = 0;
long top = (long) Math.pow(2, 32);
long length = ch.size();

ByteBuffer buffer = ByteBuffer.wrap(new byte[(int) length]);
buffer.order(ByteOrder.LITTLE_ENDIAN);

buffer.putInt(checksumOffset, 0x0000);

buffer.position(0);
while (buffer.hasRemaining()) {
sum += buffer.getInt() & 0xffffffffL;
if (sum > top) {
sum = (sum & 0xffffffffL) + (sum >> 32);
}
}
sum = (sum & 0xffff) + (sum >> 16);
sum = sum + (sum >> 16);
sum = sum & 0xffff;
sum += length;

return sum;
}
``````
answered on Stack Overflow Dec 16, 2012 by twinj • edited Dec 16, 2012 by twinj
0

I was trying to solve the same issue in Java. Here is Mark's solution translated into Java, using a RandomAccessFile instead of a byte array as input:

``````static long computeChecksum(RandomAccessFile data, long checksumOffset) throws IOException {
long checksum = 0;
long top = (long) Math.pow(2, 32);
long length = data.length();

for (long i = 0; i < length / 4; i++) {
if (i == checksumOffset / 4) {
data.skipBytes(4);
continue;
}

long dword = ch1 + (ch2 << 8) + (ch3 << 16) + (ch4 << 24);

checksum = (checksum & 0xffffffffL) + dword + (checksum >> 32);

if (checksum > top) {
checksum = (checksum & 0xffffffffL) + (checksum >> 32);
}
}

checksum = (checksum & 0xffff) + (checksum >> 16);
checksum = checksum + (checksum >> 16);
checksum = checksum & 0xffff;
checksum += length;

return checksum;
}
``````
answered on Stack Overflow May 14, 2012 by Emmanuel Bourg
0
``````private unsafe static int GetSetPEChecksum(byte[] Array) {
var Value = 0;
var Count = Array.Length;
if(Count >= 64)
fixed (byte* array = Array) {
var Index = 0;
var Coff = *(int*)(array + 60);
if(Coff >= 64 && Count >= Coff + 92) {
*(int*)(array + Coff + 88) = 0;
var Bound = Count >> 1;
if((Count & 1) != 0) Value = array[Count & ~1];
var Short = (ushort*)array;
while(Index < Bound) {
Value += Short[Index++];
Value = (Value & 0xffff) + (Value >> 16);
Value = (Value + (Value >> 16)) & 0xffff;
}
*(int*)(array + Coff + 88) = Value += Count;
}
}
return Value;
}
``````

If you need short unsafe... (Not need use Double and Long integers and not need Array aligning inside algorithm)

answered on Stack Overflow Dec 10, 2016 by (unknown user) • edited Dec 10, 2016 by (unknown user)
0

The Java example is not entirely correct. Following Java implementation corresponds with the result of Microsoft's original implementation from `Imagehlp.MapFileAndCheckSumA`.

It's important that the input bytes are getting masked with `inputByte & 0xff` and the resulting `long` masked again when it's used in the addition term with `currentWord & 0xffffffffL` (consider the L):

``````    long checksum = 0;
final long max = 4294967296L; // 2^32

final int remainder = data.length % 4;
final byte[] paddedData = Arrays.copyOf(data, data.length
+ (remainder > 0 ? 4 - remainder : 0));

for (int i = 0; i <= paddedData.length - 4; i += 4)
{
// skip the checksum field
if (i == this.offsetToOriginalCheckSum)
continue;

// take DWORD into account for computation
final long currentWord = (paddedData[i] & 0xff)
+ ((paddedData[i + 1] & 0xff) << 8)
+ ((paddedData[i + 2] & 0xff) << 16)
+ ((paddedData[i + 3] & 0xff) << 24);

checksum = (checksum & 0xffffffffL) + (currentWord & 0xffffffffL);

if (checksum > max)
checksum = (checksum & 0xffffffffL) + (checksum >> 32);
}

checksum = (checksum & 0xffff) + (checksum >> 16);
checksum = checksum + (checksum >> 16);
checksum = checksum & 0xffff;
checksum += data.length; // must be original data length
``````

In this case, Java is a bit inconvenient.

answered on Stack Overflow Mar 30, 2018 by PAX
0

No one really answered the original question of "Can anyone define the Windows PE Checksum Algorithm?" so I'm going to define it as simply as possible. A lot of the examples given so far are optimizing for unsigned 32-bit integers (aka DWORDs), but if you just want to understand the algorithm itself at its most fundamental, it is simply this:

1. Using an unsigned 16-bit integer (aka a WORD) to store the checksum, add up all of the WORDs of the data except for the 4 bytes of the PE optional header checksum. If the file is not WORD-aligned, then the last byte is a 0x00.

2. Convert the checksum from a WORD to a DWORD and add the size of the file.

The PE checksum algorithm above is effectively the same as the original MS-DOS checksum algorithm. The only differences are the location to skip and replacing the XOR 0xFFFF at the end and adding the size of the file instead.

From my WinPEFile class for PHP, the above algorithm looks like:

``````    \$x = 0;
\$y = strlen(\$data);
\$val = 0;
while (\$x < \$y)
{
// Skip the checksum field location.
if (\$x === \$this->pe_opt_header["checksum_pos"])  \$x += 4;
else
{
\$val += self::GetUInt16(\$data, \$x, \$y);

// In PHP, integers are either signed 32-bit or 64-bit integers.
if (\$val > 0xFFFF)  \$val = (\$val & 0xFFFF) + 1;
}
}