Here is a C utility to calculate the SHA1 hash and the
hash for cat file entries for any file. If the file does not
exist, the utility calculates the SHA1 hash of the string in
both ASCII and UNICODE formats.
Hash values are shown as hex bytes and also in b64 encoded
form.
CatHash:
http://www.jensign.com/hash/cathash.c
Compiled with VS 2005, and digitally signed exe:
http://www.jensign.com/hash/cathash.exe
Sample output:
-------------------------------------------------------
cathash.exe
Enter filename or string to hash: crypt32.dll
File to be hashed: crypt32.dll
SHA1 hash for file 'crypt32.dll' (597504 bytes) is:
Hex: B9 E1 4B 84 A8 D3 9E 98 2D 19 29 06 FC 0C 19 0E DC 1C CC A0
B64: ueFLhKjTnpgtGSkG/AwZDtwczKA=
Cat SHA1 hash for file 'crypt32.dll' (597504 bytes) is:
Hex: A7 41 49 4A F4 FE FF 83 C5 54 90 93 22 C6 43 D0 DB D2 F9 68
B64: p0FJSvT+/4PFVJCTIsZD0NvS+Wg=
---------------------------------------------------------
- Mitch Gallant
MVP Security
OK ..... thanks to a MS contact, here is some useful information on
-----------------
"A C14n pre-processing is done of the files before being hashed,
this removes the variable (per machine) bits of the data
so that the signatures can validate across machines; remember some
bits in the PE header get modified periodically we wouldn't want the
signature to get invalidated.
Ones that are static do not have c14n done against them
which is why some match."
--------------------
So related question to this, is there a tool or api to C14n process a PE
file? Does the resultant data represent a valid (and runnable) PE file?
- Mitch
Post by Mitch Gallant
crypt32.dll file (file version 5.131.2600.2180).
B9E14B84A8D39E982D192906FC0C190EDC1CCCA0
The function CryptCATAdminCalcHashFromFileHandle() however
A741494AF4FEFF83C554909322C643D0DBD2F968
and THIS value is in fact in the NT5.cat catalog.
So what exactly IS hashed by CryptCATAdminCalcHashFromFileHandle()
and used for the cat file tag value?
- Mitch
Post by Alun Jones
Post by Mitch Gallant
Does anyone have any C/C++ samples for CryptCATOpen and
related functions for dealing with cat files?
Is that documentation correct (about there not being import libraries??)
It states that the function has no associated import library .. what about
wintrust.lib?
Any time I look at crypto documentation, I assume that the documentation is
incorrect unless it matches what I see in reality. I suspect that if the
function is exported enough that LoadLibrary / GetProcAddress work, it's
C:\WINDOWS>dumpbin /exports "d:\Program Files\Microsoft Platform
SDK\Lib\WinTrust.Lib" | findstr /i cryptcatopen
Post by Mitch Gallant
When I invoke CryptCATGetMemberInfo on one of the Tag entries
in a cat file (NT5.cat), the function succeeds, but the
CRYPTCATMEMBER.pwszFileName
returns NULL (but most other members are valid).
Why is this?
I'm not sure that the cat files actually contain the file name.
Try using CryptCATEnumerateAttr to see what attributes are actually stored.
Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
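The following is an added example, not code from the thread or from cathash.c. It illustrates the pre-processing the quoted MS contact describes, on the assumption that the variable bits are the ones the Authenticode PE image hash leaves out: the optional header CheckSum, the Certificate Table directory entry, and the attached signature data. All function names are hypothetical, the sample image is constructed, and the file is hashed linearly, which assumes sections are stored contiguously in ascending file offset order.

```python
import hashlib
import struct

def skipped_ranges(data: bytes):
    """Byte ranges left out of the hash (field offsets per the PE/COFF layout)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)           # data directories
    if struct.unpack_from("<I", data, dirs - 4)[0] < 5:    # NumberOfRvaAndSizes
        raise ValueError("no Certificate Table directory entry")
    cert_entry = dirs + 4 * 8                              # directory index 4
    cert_off, cert_size = struct.unpack_from("<II", data, cert_entry)
    ranges = [(opt + 64, opt + 68), (cert_entry, cert_entry + 8)]  # CheckSum, entry
    if cert_off and cert_size:
        ranges.append((cert_off, cert_off + cert_size))    # signature blob itself
    return sorted(ranges)

def normalized_sha1(data: bytes) -> str:
    h, pos = hashlib.sha1(), 0
    for start, end in skipped_ranges(data):                # hash around each range
        h.update(data[pos:start])
        pos = end
    h.update(data[pos:])
    return h.hexdigest().upper()

def flat_sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest().upper()

def build_sample_pe(checksum=0, signature=b"") -> bytes:
    """Constructed minimal PE32 header plus 256 stand-in section bytes."""
    hdr, body, opt = bytearray(0x40 + 24 + 224), b"\x90" * 256, 0x40 + 24
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                # e_lfanew
    struct.pack_into("<H", hdr, opt, 0x10B)                # PE32 magic
    struct.pack_into("<I", hdr, opt + 64, checksum)
    struct.pack_into("<I", hdr, opt + 92, 16)              # NumberOfRvaAndSizes
    if signature:
        struct.pack_into("<II", hdr, opt + 128, len(hdr) + len(body), len(signature))
    return bytes(hdr) + body + signature

if __name__ == "__main__":
    a = build_sample_pe()
    b = build_sample_pe(checksum=0x1234, signature=b"SIG" * 8)
    print(flat_sha1(a) == flat_sha1(b), normalized_sha1(a) == normalized_sha1(b))
```

The two constructed images differ only in the skipped fields, so their flat SHA1 values differ while the normalized hash is the same, which is the behaviour that lets one catalog entry validate a file across machines.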