“The system cannot execute the specified program.”

There is a pretty interesting article over at winprogger.com about the problems connected with IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (set through /integritycheck ever since VS2005) and ERROR_INVALID_IMAGE_HASH (aka Win32 error code 577). Now, I’ve been fighting with this problem for two full days and still haven’t gotten any closer to the solution, it seems.

Microsoft requires some binaries to have this bit set if they are to communicate with certain system components. This is not limited to kernel mode drivers. In general I never had trouble with this bit until recently. Having this bit set and using /ph as a parameter to signtool in order to have page hashes enabled is the prerequisite for what I’m doing. However, even though sigcheck (from Sysinternals/Technet) finds the signature on the file valid, the PE loader disagrees. Brilliant, because now that I have ruled out some annoying other possibilities the only one left is to dig down into the code with debugger and disassembler in order to find out what they’re trying to enforce and why all signature-checking tools are quite okay with the file, but the loader is not.

To be continued … 😕

// Oliver (distressed)

This entry was posted in EN, IT Security, Programming, Reversing, Software and tagged , , , . Bookmark the permalink.

4 Responses to “The system cannot execute the specified program.”

  1. Christian says:

    You should file this as a bug to Mark, maybe you get more information from him then.

  2. Oliver says:

    Russinovich? If so, where? Sysinternals forum or do they have a tracker?

  3. rhett says:

    i meet the same problem, have you resolved this? if you do , please send me an email, thanks

  4. Oliver says:

    Find the followup here 😉

    Hope it helps,

    // Oliver

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.