sassoftware / relic

Relic is a service and a tool for adding digital signatures to operating system packages for Linux and Windows
Apache License 2.0
151 stars, 41 forks

Incorrect memory page size computation for PE page hashes algorithm #32

Closed dragon-dreamer closed 1 year ago

dragon-dreamer commented 1 year ago

The software incorrectly computes the page hashes for PE files. It uses the section alignment as a memory page size, which is incorrect. Instead, the real architecture page size should be used: https://devblogs.microsoft.com/oldnewthing/20210510-00/?p=105200.

You can easily confirm this bug if you try to verify the page hashes for the C:\Windows\SysWOW64\kernel32.dll file on Windows 10, which uses a section alignment of 0x10000, but the real page size is 0x1000:

c:\windows\syswow64\kernel32.dll ERROR: page hash mismatch

You should look at the image file header machine field. If it is IA64 (0x200), Alpha AXP (0x184) or Alpha AXP x64 (0x284), then the page size is 8K. Otherwise, the page size is 4K.
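
The rule described in the comment above, as an added Go example that is not part of the original thread and is not relic's own code. The names `PageHashParams` and `SampleHeader` are hypothetical and the header bytes are constructed; the code only selects the page size from the Machine field and reads SectionAlignment for comparison, it does not compute the hashes.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Machine values named in the issue as using 8K pages.
const (
	machineIA64    = 0x200
	machineAlpha   = 0x184
	machineAlpha64 = 0x284
)

// PageHashParams reads the COFF Machine field and the optional header's
// SectionAlignment from a PE image and returns the page size to hash with.
func PageHashParams(img []byte) (pageSize, sectionAlign uint32, err error) {
	if len(img) < 0x40 || img[0] != 'M' || img[1] != 'Z' {
		return 0, 0, errors.New("not an MZ image")
	}
	pe := uint64(binary.LittleEndian.Uint32(img[0x3c:]))
	if pe+60 > uint64(len(img)) || string(img[pe:pe+4]) != "PE\x00\x00" {
		return 0, 0, errors.New("missing or truncated PE header")
	}
	machine := binary.LittleEndian.Uint16(img[pe+4:])
	// SectionAlignment sits 32 bytes into the optional header (PE32 and PE32+).
	sectionAlign = binary.LittleEndian.Uint32(img[pe+24+32:])
	pageSize = 0x1000 // 4K for every other machine type
	switch machine {
	case machineIA64, machineAlpha, machineAlpha64:
		pageSize = 0x2000 // 8K
	}
	return pageSize, sectionAlign, nil
}

// SampleHeader builds a constructed, minimal PE header for the demo.
func SampleHeader(machine uint16, sectionAlign uint32) []byte {
	img := make([]byte, 0x200)
	copy(img, "MZ")
	binary.LittleEndian.PutUint32(img[0x3c:], 0x80)
	copy(img[0x80:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(img[0x84:], machine)
	binary.LittleEndian.PutUint32(img[0x80+24+32:], sectionAlign)
	return img
}

func main() {
	ps, sa, err := PageHashParams(SampleHeader(0x14c, 0x10000))
	fmt.Printf("page=%#x sectionAlignment=%#x err=%v\n", ps, sa, err)
}
```

For the constructed i386 header with a section alignment of 0x10000, the page size returned is 0x1000, which is the mismatch the issue reports.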

mtharp commented 1 year ago

Thanks for finding this, it's fixed in 7.6.0!