Fix PE checksums in Windows release #6194
Comments
I wrote a small script which uses the Python `pefile` library:

```python
import sys
import itertools
import pathlib

import pefile

# Check the files given on the command line, or every .pyd/.dll/.exe
# below the current directory when none are given.
files = sys.argv[1:]
if not files:
    p = pathlib.Path('.')
    files = itertools.chain(p.rglob('**/*.pyd'), p.rglob('**/*.dll'), p.rglob('**/*.exe'))

for fn in files:
    pe = pefile.PE(fn)
    # True when the CheckSum stored in the optional header matches the image
    print(f'{pe.verify_checksum()} {fn}')
```

the result:
So it's certainly not only I hope we can use |
The API used to update the resources doesn't save/update the checksum (and from a quick search of the code, it doesn't seem to do so at a later time). According to Microsoft, the checksum validation is performed for "all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process", so maybe it wasn't deemed necessary by Pyinstaller developers. |
I think all we need with `pefile` is:

```python
import pefile

pe = pefile.PE('qutebrowser.exe')
# Recompute the image checksum and store it in the optional header
pe.OPTIONAL_HEADER.CheckSum = pe.generate_checksum()
pe.close()
# Write the patched image back in place
pe.write('qutebrowser.exe')
```

Running that over the 2.0.2 release (64bit standalone) changes the checksum at file offset 0x160 from `00 00 00 00` to `5B AD 44 00`. It results in this file, which I haven't gotten around to cross-checking with another tool or checking at VirusTotal. If you want to give it a look, that'd be much appreciated! |
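As an added example (not code from this thread, from pefile or from qutebrowser), here is the algorithm behind `pe.generate_checksum()` / `pe.verify_checksum()` written out in plain Python, so that the offset 0x160 and the `00 00 00 00` field discussed above can be checked by hand: locate CheckSum through `e_lfanew`, sum the file as 16-bit words with the field itself skipped, and add the file length. The function names are mine, and `constructed_pe()` is a made-up, non-loadable header-only stand-in for a real `.exe`.

```python
import struct

def pe_checksum_offset(data: bytes) -> int:
    """Offset of OptionalHeader.CheckSum: e_lfanew + 4 + 20 + 0x40 (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 0x40

def pe_checksum(data: bytes) -> int:
    """Sum the image as little-endian 16-bit words with end-around carry,
    skipping the 4-byte CheckSum field itself, then add the file length."""
    skip = pe_checksum_offset(data)          # word-aligned in any valid PE
    padded = data + b"\0" * (len(data) % 2)  # pad an odd-length file
    total = 0
    for off in range(0, len(padded), 2):
        if off in (skip, skip + 2):
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)                 # length of the unpadded file

def read_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, pe_checksum_offset(data))[0]

def verify_checksum(data: bytes) -> bool:
    """What pefile's verify_checksum() answers: stored field == computed value."""
    return read_checksum(data) == pe_checksum(data)

def fix_checksum(data: bytes) -> bytes:
    """Return a copy with the field set, as pe.generate_checksum() + pe.write() do."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, pe_checksum_offset(data), pe_checksum(data))
    return bytes(buf)

def constructed_pe() -> bytes:
    """Constructed, non-loadable PE-shaped stand-in: MZ stub, PE signature, COFF header,
    PE32+ optional header with CheckSum = 0 (as PyInstaller leaves it), odd-length body."""
    e_lfanew = 0x80
    mz = bytearray(b"MZ") + bytearray(e_lfanew - 2)
    struct.pack_into("<I", mz, 0x3C, e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    optional = bytearray(0xF0)
    optional[:2] = struct.pack("<H", 0x20B)  # PE32+ magic; CheckSum at 0x40 stays 0
    body = bytes(range(256)) * 3 + b"\x7f"
    return bytes(mz) + coff + bytes(optional) + body
```

Because the field is excluded from the sum, `pe_checksum()` returns the same value before and after patching, so `fix_checksum()` can be re-run on an already patched file without changing it.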
Yes, the checksum is correct! |
And VirusTotal gives 6 detections on updated check (same hash as my previous test). |
I've tried faking a "3.0.0 release" with a new version number and everything, based on the current master. Without the checksum patching, we get 8 false-positives. Much better than expected... 😅 But it includes Microsoft Defender. After the patching, that's down to 6, most notably not including Microsoft Defender anymore. I suppose this fixes #6081 then, at least to the extent that we can do so. I've also reported this to PyInstaller: pyinstaller/pyinstaller#5579 Thanks for getting the ball rolling, I didn't even know that this existed! |
This should help with virus scanner false positives.
See pyinstaller/pyinstaller#5579

Fixes #6081
Fixes #6194

(cherry picked from commit 2b91081)
I've now regenerated and pushed v2.0.2.post1 releases for Windows with the fixed checksum. Now Microsoft does detect it as malware again... Argh. This is all so random. 😢 |
I found out that by adding a PE checksum to `qutebrowser.exe`, the number of false positives for v2.0.2 goes down from 31 to 7. Similarly, v2.0.0 goes down to 6 from 29 and v2.0.1 goes down to 8 from 15.

An open source tool to update the checksum: https://gist.github.com/jay/d662cc9615f3e1ffc75e4ae9485da685

The binary: FixPEChecksum.exe.gz

Maybe this should be forwarded to Pyinstaller, as I think it would benefit more programs with the same issue. AFAIK Pyinstaller does not write a checksum to the executable (it has value 0).

Originally posted by @bitraid in #6081 (comment)