
I would like to get the SHA-256 hash for a section which contains code (.text, CODE) in a Portable Executable file, in Delphi.

So far, I've tried to get the start and end address of the section to which the AddressOfEntryPoint points, but if I load the same file several times, I get different start and end addresses.

Can anyone please help me?

This is the code:

    procedure TForm1.Button1Click(Sender: TObject);
    var
      x: TJCLPEImage;
      aoep, cs, ce: cardinal;
      pise: Pimagesectionheader;
      nos: integer;
      i: integer;
    begin
      x := TJCLPEImage.Create();
      x.FileName := edit1.Text;
      aoep := x.OptionalHeader32.AddressOfEntryPoint;
      pise := Pointer(PByte(@(x.LoadedImage.FileHeader.OptionalHeader)) + x.LoadedImage.FileHeader.FileHeader.SizeOfOptionalHeader);

      for i := 0 to x.ImageSectionCount-1 do
      begin
        if (pise.VirtualAddress <= aoep) and (aoep < (pise.VirtualAddress + pise.Misc.VirtualSize)) then
          break;
      end;

      inc(pise);

      cs := DWORD(x.LoadedImage.MappedAddress) + DWORD(pise.PointerToRawData);
      ce := cs + pise.Misc.VirtualSize;

      Label1.caption := 'Code start: ' + Inttostr(cs);
      Label2.caption := 'Code end: ' + inttostr(ce);
    end;

Thank you.

menjaraz

1 Answer

I can't comment on your question yet, so I am trying to reply here, but I'm not sure if I am thinking right about what you are asking.

It seems you want a way to ensure no one changed your file after it was loaded in memory. That's why you want a SHA-256 hash of that section, and probably you need to get that section and then hash it.

I have never used the JCL classes to do that, but I found this unit that may help you. It allows you to edit PE files. It was written in 2007, so you may need to upgrade some code, but I am almost sure you will find the basis for what you want. http://www.coderprofile.com/networks/source-codes/71/portable-executable-file-unit

I could not test it at all, but as far as I tested, the start address did not change here.

To get the SHA-256, you will find many VCL components (or at least ActiveX) to do that. I could advise you to use LIBEAY32.DLL, but that would probably add one more DLL to your application, unless you already use it.

Hope that helps in any way.

EMBarbosa
  • You are welcome. :) Whether it helps you or not, please make some comment about that. How did it help, or what problems did you find? What parts of your intentions did I not get at all? That will guide me to be a better helper, as I am not so good with English. – EMBarbosa Feb 08 '11 at 12:51
  • As for a SHA-256 hash for Delphi, you might consider the pack mentioned here: http://stackoverflow.com/a/1403265/759049. – Pateman Apr 15 '12 at 10:08
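
The approach described in the question, as an added example (not the asker's or the answerer's code): it finds the section containing AddressOfEntryPoint from the headers and hashes that section's bytes at their file offsets (PointerToRawData, SizeOfRawData), which do not depend on where the image happens to be mapped. It assumes Delphi XE8 or later for System.Hash; the program and function names are made up for illustration.

```delphi
program HashEntrySection;
{$APPTYPE CONSOLE}
// Added example, not the asker's code. Assumes Delphi XE8+ (System.Hash).
uses
  System.SysUtils, System.StrUtils, System.Classes, System.Hash, Winapi.Windows;
// SHA-256 (hex) of the on-disk bytes of the section containing AddressOfEntryPoint.
function EntrySectionSha256(const FileName: string): string;
var
  fs: TFileStream;
  dos: TImageDosHeader;
  fh: TImageFileHeader;
  sec: TImageSectionHeader;
  sig, entryRva: DWORD;
  data: TBytes;
  sha: THashSHA2;
  i: Integer;
begin
  fs := TFileStream.Create(FileName, fmOpenRead or fmShareDenyWrite);
  try
    fs.ReadBuffer(dos, SizeOf(dos));
    fs.Position := dos._lfanew;
    fs.ReadBuffer(sig, SizeOf(sig));
    if (dos.e_magic <> IMAGE_DOS_SIGNATURE) or (sig <> IMAGE_NT_SIGNATURE) then
      raise Exception.Create('Not a PE file');
    fs.ReadBuffer(fh, SizeOf(fh));         // stream is now at the optional header
    fs.Position := fs.Position + 16;       // AddressOfEntryPoint (PE32 and PE32+)
    fs.ReadBuffer(entryRva, SizeOf(entryRva));
    fs.Position := fs.Position + fh.SizeOfOptionalHeader - 20;  // section table
    for i := 1 to fh.NumberOfSections do
    begin
      fs.ReadBuffer(sec, SizeOf(sec));     // each read advances to the next header
      if (entryRva < sec.VirtualAddress) or
         (entryRva - sec.VirtualAddress >= sec.Misc.VirtualSize) then Continue;
      // File offsets, not mapped addresses, so the bytes are the same on every run.
      SetLength(data, sec.SizeOfRawData);
      fs.Position := sec.PointerToRawData;
      if Length(data) > 0 then fs.ReadBuffer(data[0], Length(data));  // raises if truncated
      sha := THashSHA2.Create(THashSHA2.TSHA2Version.SHA256);
      sha.Update(data);
      Exit(sha.HashAsString);
    end;
    raise Exception.Create('Entry point is not inside any section');
  finally
    fs.Free;
  end;
end;

begin
  Writeln(EntrySectionSha256(IfThen(ParamCount > 0, ParamStr(1), ParamStr(0))));
end.
```

Run without arguments, the program hashes the code section of its own executable file; pass a path to hash another PE file.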