There is a pretty interesting article over at winprogger.com about the problems connected with IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (set through /integritycheck ever since VS2005) and ERROR_INVALID_IMAGE_HASH (aka Win32 error code 577). Now, I’ve been fighting with this problem for two full days and still haven’t gotten any closer to the solution, it seems.
Microsoft requires some binaries to have this bit set if they are to communicate with certain system components. This is not limited to kernel-mode drivers. In general, I never had trouble with this bit until recently. Having this bit set and using /ph as a parameter to signtool in order to have page hashes enabled is the prerequisite for what I’m doing. However, even though sigcheck (from Sysinternals/TechNet) finds the signature on the file valid, the PE loader disagrees. Brilliant, because now that I have ruled out some other annoying possibilities, the only one left is to dig down into the code with a debugger and disassembler in order to find out what they’re trying to enforce and why all signature-checking tools are quite okay with the file, but the loader is not.
To be continued …
// Oliver (distressed)
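
Added example (not from the original post or from winprogger.com): a small Python check that reads the two PE header fields this post revolves around, the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY bit and the certificate table entry that holds an embedded signature. The function names and the header-only samples produced by `build_sample` are constructed for illustration.

```python
import struct
import sys

FORCE_INTEGRITY = 0x0080  # IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
SECURITY_DIR = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)

def inspect_pe(data):
    """Return the header fields that matter when a loader rejects a signed image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (nt,) = struct.unpack_from("<I", data, 0x3C)         # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 4 + 20                                    # skip signature + COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (checksum,) = struct.unpack_from("<I", data, opt + 64)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dirs = opt + (96 if magic == 0x10B else 112)         # start of data directories
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    cert_off = cert_size = 0
    if ndirs > SECURITY_DIR:                             # file offset, not an RVA
        cert_off, cert_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    return {"pe32plus": magic == 0x20B,
            "force_integrity": bool(dll_chars & FORCE_INTEGRITY),
            "checksum": checksum, "cert_offset": cert_off, "cert_size": cert_size,
            "embedded_signature": cert_size > 0}

def build_sample(magic, dll_chars, cert=(0, 0)):
    """Constructed header-only image for the demo; not a loadable binary."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80)
    dos += bytes(0x80 - len(dos))
    opt = bytearray(224 if magic == 0x10B else 240)
    dirs = 96 if magic == 0x10B else 112
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, dirs - 4, 16)
    struct.pack_into("<II", opt, dirs + 8 * SECURITY_DIR, *cert)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x2022)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_pe(fh.read()))
    else:
        print(inspect_pe(build_sample(0x20B, 0x0080 | 0x0100, (0x4000, 0x1A30))))
        print(inspect_pe(build_sample(0x10B, 0x0100)))
```

Run it with a path argument to inspect a real binary; without one it parses the two constructed headers.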