We help IT Professionals succeed at work.

How to write a runtime checksum algorithm for win32 app?

mhorsley99 asked
I'm developing an application for windows( WindowsXP, Vista ), and would like to create a function to do an integrity checksum. As the application runs, the checksum function will take a start/end address in the instruction memory and ensure that none of the instructions have changed. The trouble I'm having is that the assembly instructions that take address's, such as JMP, have a different address each time the application runs, since windows changes the base address at which the application resides in memory. How can I create a checksum algorithm that works in this environment? Basically, I'm trying to write my own software protection scheme.
static unsigned int addressStart;
static unsigned int addressEnd;
_asm mov eax,GUARD_1_BEGIN
_asm mov ebx,GUARD_1_END
_asm mov addressStart,eax
_asm mov addressEnd,ebx
unsigned int a = addressStart;
unsigned int sum = 0;
while (a <= addressEnd) {
        unsigned rawVal = *(unsigned int*)(a);
        sum += rawVal;
        a += 4;
if ( sum != 0x00127d69) {
        return 0;
} else {
   // it worked!!!

Open in new window

Watch Question

I think through the debug API you can request that a program load but not start.   So you can right then do a code checksum.

By the way, are you checksumming all the called DLL's too?

Senior Software Engineer (Avast)
The base address will be different but the offset will always be the same. Alternatively, if this is a DLL then maybe rebasing it will help you out (you'd have to read up about this for yourself, I am not 100% sure).


The checksums have to be computed every frame, or at least every minute or so. It won't checksum the entire app, just short code segments, maybe a hundred instructions or so. There will be multiple checksums spread throughout the app.


My trouble seems to be that as the checksum algorithm processes each bit of information,
1) it has to know the size of the opcode( which varies ), and
2) if the parameters to that opcode need to be offset by the base address

The code snippet I included worked fine until it processed JMP instructions. The only solution I could think of was to create some sort of table that tells me if the opcode being processed is one that requires an address reference, and if so, somehow "correct" the reference so that the checksum comes out the same everytime the app is run, no matter where in memory.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.