use /map: linker flag to avoid running a binary to capture the hash #3133

Open
yoavwizstein wants to merge 5 commits into aws:main from yoavwizstein:linux-windows-cross-rebased
@yoavwizstein

Issues:

Resolves #3021

Description of changes:

I've done some rebasing after @justsmth merged #3013 (it was easier for me that way)

Call-outs:

Point out areas that need special attention or support during the review process. Discuss architecture or design changes.

Testing:

Ran some of the local tests, and they seem to pass! Though I would like to see if CI works, I believe the full testing matrix should pass :)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

Contributor

@justsmth justsmth left a comment

Thanks for this PR! The approach of using the /MAP: linker flag to avoid running a binary during build aligns with how Linux and macOS already work.

The previous capture_hash approach had a nice side-effect: by running fips_empty_main.exe and observing the integrity check fail (with the placeholder hash), it implicitly proved the integrity check machinery was wired up and functional. With the new static-analysis approach, that implicit verification goes away.

To compensate, I've pushed a commit on top of yours that adds FIPS integrity validation to the Windows CI. It does a couple of things:

  1. Extends break-hash.go with PE support -- this existing tool could only corrupt ELF binaries. It now accepts a -map flag and uses the same map file + debug/pe approach your PR adds to inject_hash.go to locate and corrupt the FIPS module in a Windows DLL.

  2. Added a fips_build_and_test subroutine to run_windows_tests.bat -- after the normal build and test pass, it runs a negative test: corrupts crypto.dll via break-hash.go, runs test_fips.exe, and verifies the process aborts. This proves the integrity check actually runs on DLL load and can detect tampering.
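
The map-file lookup and the negative test described in the comment above, reduced to their core as an added example (not code from this PR or from AWS-LC). Assumptions: the symbol names `module_start` and `module_end` are hypothetical, the section raw-data pointers come from a constructed table rather than from `debug/pe`, the image is a constructed zero-filled buffer, and HMAC-SHA-256 with an all-zero key stands in for the real integrity function.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Constructed /MAP excerpt; the symbol names are hypothetical boundary markers.
const sampleMap = ` Address         Publics by Value              Rva+Base               Lib:Object
 0001:00000010       module_start               0000000180001010     bcm.obj
 0001:00000030       module_end                 0000000180001030     bcm.obj`

// fileOffset turns a symbol's section:offset map address into a file offset.
func fileOffset(mapText, name string, rawPtr map[int]int) (int, error) {
	for _, line := range strings.Split(mapText, "\n") {
		var sec, off int
		f := strings.Fields(line)
		if len(f) < 3 || f[1] != name {
			continue
		}
		_, err := fmt.Sscanf(f[0], "%x:%x", &sec, &off)
		if base, ok := rawPtr[sec]; err == nil && ok {
			return base + off, nil
		}
		return 0, fmt.Errorf("cannot resolve %q at %q (parse error: %v)", name, f[0], err)
	}
	return 0, fmt.Errorf("symbol %q not found in map", name)
}

// moduleMAC hashes image[start:end]; HMAC-SHA-256 with a zero key is assumed.
func moduleMAC(image []byte, mapText string, rawPtr map[int]int) ([]byte, error) {
	start, err1 := fileOffset(mapText, "module_start", rawPtr)
	end, err2 := fileOffset(mapText, "module_end", rawPtr)
	if err1 != nil || err2 != nil || start >= end || end > len(image) {
		return nil, fmt.Errorf("cannot bound module [%d,%d): %v, %v", start, end, err1, err2)
	}
	mac := hmac.New(sha256.New, make([]byte, 32))
	mac.Write(image[start:end])
	return mac.Sum(nil), nil
}

func main() {
	sections, image := map[int]int{1: 0x400}, make([]byte, 0x800) // constructed
	want, _ := moduleMAC(image, sampleMap, sections)
	image[0x420] ^= 0xff // one byte inside the measured range changes
	got, _ := moduleMAC(image, sampleMap, sections)
	fmt.Println("tamper detected:", !hmac.Equal(want, got))
}
```

Because the bounds come from static data only, a symbol missing from the map or a range that runs past the end of the file has to be a hard build error, otherwise the injected hash would cover the wrong bytes.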

@codecov-commenter

codecov-commenter commented Apr 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.97%. Comparing base (be77a8a) to head (ff4483b).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3133   +/-   ##
=======================================
  Coverage   77.97%   77.97%           
=======================================
  Files         689      689           
  Lines      122630   122630           
  Branches    17078    17077    -1     
=======================================
+ Hits        95615    95626   +11     
+ Misses      26117    26105   -12     
- Partials      898      899    +1     

@torben-hansen
Contributor

Haven't looked at the full implementation yet. When inspecting some of the failing CI dimensions, removal of capture_hash.go breaks some assumptions about its presence. I tried re-running them just in case, but I think this PR needs a few more changes to compensate/remove those assumptions.

@yoavwizstein
Author

yoavwizstein commented Apr 13, 2026

@justsmth yeah, I've noticed your changes, thanks for helping here!
Once the current round of CI finishes I'll take a look too.

Development

Successfully merging this pull request may close these issues.

Building fips compliant dll on Windows targets from an Ubuntu machine

4 participants