thanks for updating this

the good news is that this passes the tests, with some interesting coverage

the bad news is that the MR fails on the first real .exe I tested against (only the flags CERT_PE_IMAGE_DIGEST_RESOURCES | CERT_PE_IMAGE_DIGEST_ALL_IMPORT_INFO generate correct information) (for the other flags, the tests show different values for nt header and section blobs; to start with)

I then tested only this flag combination on a greater number of images, and some fail; it seems however they all fail the same way: they fail to report an entire section; didn't investigate the cause further; but this doesn't look too complicated

what I suggest for the next step is to concentrate on this set of flags (it seems you're not too far away from getting it right); and put a FIXME at the start of the function in case the flags don't match that set; then in subsequent commits (could even be a different MR) start implementing the extra flag combinations

(test used mainly prints size + md5 of each blob reported in callback and compares text output on native & builtin)

--
https://gitlab.winehq.org/wine/wine/-/merge_requests/10295#note_134105
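The comparison described in the comment above (size + md5 of each blob reported in the callback, native output against builtin output) can be automated so that a dropped section shows up as a single aligned difference. This is an added example, not code from the review or from Wine; the "size md5" line format, the function names, and the sample blobs are assumptions constructed for illustration.

```python
import hashlib
from difflib import SequenceMatcher

def dump(blobs):
    """Fingerprint each callback blob as 'size md5' (assumed dump format)."""
    return [f"{len(b)} {hashlib.md5(b).hexdigest()}" for b in blobs]

def compare(native, builtin):
    """Align the two dumps and list only the blobs that differ.

    Returns (kind, index, line) tuples; index refers to the dump the
    line came from. Alignment keeps later blobs matched even when one
    blob in the middle is missing, so one lost section is one finding.
    """
    diffs = []
    matcher = SequenceMatcher(a=native, b=builtin, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        if tag in ("delete", "replace"):
            diffs += [("missing-in-builtin", i, line)
                      for i, line in enumerate(native[i1:i2], i1)]
        if tag in ("insert", "replace"):
            diffs += [("extra-in-builtin", j, line)
                      for j, line in enumerate(builtin[j1:j2], j1)]
    return diffs

# Constructed sample: six blobs as a native run might report them.
NATIVE_BLOBS = [
    b"MZ" + b"\x00" * 62,         # DOS header
    b"PE\x00\x00" + b"\x01" * 116,  # NT headers (placeholder bytes)
    b"\x02" * 120,                # section table
    b"\x90" * 512,                # .text
    b"\x03" * 256,                # .rsrc
    b"\x04" * 128,                # .reloc
]
# Constructed failure: the builtin run never reports the .rsrc blob.
BUILTIN_BLOBS = NATIVE_BLOBS[:4] + NATIVE_BLOBS[5:]

if __name__ == "__main__":
    for kind, index, line in compare(dump(NATIVE_BLOBS), dump(BUILTIN_BLOBS)):
        print(f"{kind}: blob #{index}: {line}")
```

MD5 is used here only as a cheap fingerprint for test output, matching what the comment describes, not as a security control.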