Listen to this Post

Introduction:
Portable Executable (PE) files form the backbone of the Windows operating system, governing how applications load, execute, and interact with system resources. In cybersecurity, verifying the integrity of these binaries is critical to detecting unauthorized modifications, malware injection, or supply chain attacks. The `PE-Integrity-Checker` is a lightweight C-based tool designed to compute and compare cryptographic hashes of PE files, allowing security professionals and system administrators to quickly identify tampered executables.
Learning Objectives:
- Understand the structure of Portable Executable (PE) files and why integrity checking is essential for endpoint security.
- Learn to compile, configure, and execute the PE-Integrity-Checker tool on both Linux and Windows environments.
- Implement automated integrity monitoring workflows to detect unauthorized changes in critical system binaries.
You Should Know:
1. Prerequisites and Tool Compilation
This tool, written in C, requires a C compiler and the OpenSSL library to compute SHA-256 hashes. The following steps guide you through setting up the environment and compiling the source code.
For Linux (Debian/Ubuntu):
sudo apt update sudo apt install build-essential libssl-dev git git clone https://github.com/maximilianfeldthusen/PE-Integrity-Checker.git cd PE-Integrity-Checker gcc -o pe_integrity_checker pe_integrity_checker.c -lssl -lcrypto
For Windows (using MinGW or Visual Studio Developer Command Prompt):
– Install MinGW-w64 and add it to your PATH, or use Visual Studio’s cl.exe.
– Ensure OpenSSL libraries are available (precompiled binaries can be obtained from sources like slproweb.com).
– Compile using:
gcc -o pe_integrity_checker.exe pe_integrity_checker.c -lssl -lcrypto -L"C:\OpenSSL-Win64\lib" -I"C:\OpenSSL-Win64\include"
This command links against OpenSSL’s crypto library, enabling SHA-256 hashing of the PE file content.
2. Basic Usage: Verifying a Single PE File
Once compiled, the tool accepts a file path as an argument. It reads the PE header, parses sections, and computes a hash of the executable’s raw data. If the file has been modified—even by a single byte—the hash will differ from the original.
Linux/Windows Command:
./pe_integrity_checker /path/to/application.exe
The tool outputs a SHA-256 hash. To establish a baseline, run it on a known-good version of the executable and store the hash. Later, re-run the tool and compare results. Any mismatch indicates potential tampering.
3. Automating Integrity Checks with Scripts
For continuous monitoring, integrate the tool into a scheduled script. The example below calculates hashes for critical system executables and logs discrepancies.
Bash Script (Linux):
!/bin/bash
CRITICAL_FILES=("/mnt/c/Windows/System32/notepad.exe" "/mnt/c/Windows/System32/cmd.exe")
BASELINE_FILE="hashes.txt"
for file in "${CRITICAL_FILES[@]}"; do
current_hash=$(./pe_integrity_checker "$file")
expected_hash=$(grep "$file" "$BASELINE_FILE" | awk '{print $2}')
if [ "$current_hash" != "$expected_hash" ]; then
echo "ALERT: $file has been modified!" | logger -t pe_integrity
fi
done
PowerShell Script (Windows):
$criticalPaths = @("C:\Windows\System32\notepad.exe", "C:\Windows\System32\cmd.exe")
$baseline = Import-Csv -Path "C:\baseline.csv"
foreach ($path in $criticalPaths) {
$currentHash = & .\pe_integrity_checker.exe $path
$expectedHash = ($baseline | Where-Object { $_.Path -eq $path }).Hash
if ($currentHash -ne $expectedHash) {
Write-Warning "Integrity violation: $path"
Add alerting logic (email, SIEM, etc.)
}
}
Place these scripts in a cron job (Linux) or Task Scheduler (Windows) to run at regular intervals.
- Understanding the Code: How PE Integrity is Calculated
The tool does not merely hash the entire file; it focuses on the raw data of the PE sections, ignoring areas that may legitimately change (like the checksum or timestamps) depending on implementation. A deeper look at the C code reveals:
– Use of OpenSSL‘s SHA256_Init, SHA256_Update, and `SHA256_Final` functions.
– Parsing of the DOS header and PE signature to locate the section table.
– Iterating through each section header to read the raw data pointer and size, then updating the hash.
For a more robust approach, consider hashing only code sections (.text) and critical data sections while excluding the `.reloc` section if relocation is expected.
- Extending the Tool: Integrating with API Security and Cloud Workloads
In modern environments, PE files are often deployed in cloud instances or containerized Windows workloads. You can extend the tool’s functionality to work with cloud APIs. For instance, use AWS Lambda or Azure Functions to periodically invoke the integrity checker on virtual machine snapshots.
Example: Using AWS Systems Manager to Run the Checker on EC2 Instances
Send command to an EC2 instance running Windows aws ssm send-command --instance-ids "i-12345" --document-name "AWS-RunPowerShellScript" --parameters commands="C:\Tools\pe_integrity_checker.exe C:\Windows\System32\notepad.exe" --output text
The output can be streamed to CloudWatch for alerting. This allows for centralized, scalable integrity monitoring across fleets of Windows servers.
6. Mitigation Strategies When Tampering is Detected
If the integrity checker flags a modification, immediate incident response steps include:
– Isolating the affected host from the network.
– Capturing a memory dump and the modified binary for forensics.
– Restoring from a known-good backup or redeploying from a trusted source.
– Analyzing the change using tools like `sigcheck` from Sysinternals to verify digital signatures and VirusTotal for reputation.
Command to verify digital signature on Windows:
sigcheck.exe -a -n C:\Windows\System32\notepad.exe
If a signed file fails signature validation, it is a strong indicator of compromise.
What Undercode Say:
- Integrity verification is a foundational security control: The `PE-Integrity-Checker` exemplifies how simple, low-level tools can provide critical detection capabilities against file tampering and malware persistence.
- Automation and integration are key to scalability: While the tool itself is basic, combining it with scripts, schedulers, and cloud APIs transforms it into a powerful component of a comprehensive security monitoring strategy.
Prediction:
As software supply chain attacks continue to rise, tools like the PE-Integrity-Checker will evolve into essential components of DevSecOps pipelines. Expect to see tighter integration with CI/CD systems, where build artifacts are automatically hashed and verified before deployment. Furthermore, AI-driven anomaly detection may soon augment such tools, using baseline behavior models to identify not just hash mismatches but also subtle deviations in PE structure that could indicate sophisticated malware. The shift toward zero-trust architectures will demand continuous integrity verification at the endpoint, making lightweight, open-source utilities like this invaluable for both defenders and red teams alike.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Maximilianfeldthusen Github – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


