Zero-overhead, header-only C library for runtime memory integrity verification of Windows Portable Executable (PE) images. This library provides hardware-accelerated checksum computation and real-time detection of unauthorized code modifications in non-writable sections.
af_status af_mintegrity_initialize(af_mintegrity_t *integrity, af_byte *image);Initializes the integrity verification context with the specified PE image and computes the baseline checksum of all non-writable sections.
Parameters:
integrity: Pointer to integrity context structureimage: Base address of the PE image
Returns: Status code indicating success (AF_MINTEGRITY_SUCCESS) or failure (AF_MINTEGRITY_INVALID_IMAGE)
af_byte af_mintegrity_compare(af_mintegrity_t *integrity, af_dword *checksum);Performs runtime integrity verification by recomputing checksums and comparing to the baseline.
Parameters:
integrity: Pointer to integrity context structurechecksum: Current checksum value
Returns: Boolean result indicating integrity status (1 = intact, 0 = compromised)
void af_mintegrity_checksum(const af_byte *const data, af_dword length, af_dword *checksum);Computes hardware-accelerated CRC32 checksum over the specified byte array. This function can be overridden by defining AF_MINTEGRITY_CUSTOM_CHECKSUM.
- Microsoft Visual C++
- GCC/Clang: Requires
-mcrc32compilation flag for hardware acceleration
- Windows SDK (for PE structure definitions)
- CPU with SSE4.2 support (for hardware-accelerated checksums)
Available toolchains are msvc, gcc and clang.
examples\compile-example.bat (msvc|gcc|clang) (basic|custom|image-from-peb)- Cross-platform support extensions
- Security enhancement proposals