Whenever you download software from the Internet, every serious vendor provides hashes of the files. These let you verify that the file you downloaded was not corrupted or altered in transit.
A hash also lets you determine whether a malicious program has simply been renamed to whatever name it is hiding behind. Say "evil.exe" is renamed to "whois.exe": because renaming does not change the hash of the file, you can still verify whether the file is what it claims to be. Hashes of many malicious files, as well as perfectly legitimate ones, can be looked up on sites such as VirusTotal.
One popular program for extracting the hash of a file is the built-in "certutil" program; the transcript further down shows it used on the "whois.exe" executable file.
Certutil defaults to SHA1 if no hash type is given, but it can also do MD5.
Hashing is not limited to executable files; it can be done on any file, such as text files, ISO images or any other type.
Below is an example using PowerShell.
PowerShell defaults to SHA256, as you can see below.
You don't have to use "Format-List", but I find that it makes the output more complete than without it, as long paths would otherwise be cropped.
PowerShell supports many algorithms, such as SHA384, SHA512 and others. To get an overview, use the "Get-Help Get-FileHash" PowerShell command.
C:\>certutil -hashfile whois.exe
SHA1 hash of whois.exe:
7c7528ca82e5bc15b6465f06ef6eb64379cfb337
CertUtil: -hashfile command completed successfully.
C:\>certutil -hashfile whois.exe md5
MD5 hash of whois.exe:
b35a03c5745e1f78a7b278e24cae4f2e
CertUtil: -hashfile command completed successfully.
C:\>certutil -hashfile whois.exe sha1
SHA1 hash of whois.exe:
7c7528ca82e5bc15b6465f06ef6eb64379cfb337
CertUtil: -hashfile command completed successfully.
PS C:\> Get-FileHash -algorithm md5 install.log | Format-List
Algorithm : MD5
Hash : E859DE2B87B72437D7CA96CB7BEAA06A
Path : C:\install.log
PS C:\> Get-FileHash -algorithm sha1 install.log | Format-List
Algorithm : SHA1
Hash : D2DED821CE0DFD3D2F13E7D4428F418188913F32
Path : C:\install.log
PS C:\>
PS C:\> Get-FileHash install.log | Format-List
Algorithm : SHA256
Hash : D1F1AF26A4DB61F018C930BAD1724EA7D1E8B73EDC113EF61F09E4AA840E30AC
Path : C:\install.log
PS C:\>
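As an added example (not code from the original post), the following PowerShell script wraps Get-FileHash into the two checks described above: comparing a downloaded file against a vendor-published hash, and spotting a renamed file by its content hash rather than its name. The function names, the sample files and the "known hash" table are constructed for the demonstration.

```powershell
# Added example, not from the original post. Function names, sample files and the
# known-hash table below are constructed for the demonstration.

# Compare a file's hash with a published value. Get-FileHash emits upper-case hex and
# PowerShell's -eq on strings is case-insensitive, so lower-case vendor hashes still match.
function Test-FileIntegrity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash,
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA384', 'SHA512')] [string] $Algorithm = 'SHA256'
    )
    $actual = (Get-FileHash -Path $Path -Algorithm $Algorithm).Hash
    [pscustomobject]@{
        Path      = $Path
        Algorithm = $Algorithm
        Actual    = $actual
        Match     = ($actual -eq $ExpectedHash.Trim())
    }
}

# Hash every file under a directory and report those whose content matches an entry in
# a known-hash table (hash -> label), whatever the file is currently called.
function Find-KnownHash {
    param(
        [Parameter(Mandatory)] [string] $Directory,
        [Parameter(Mandatory)] [hashtable] $Known,
        [string] $Algorithm = 'SHA256'
    )
    Get-ChildItem -Path $Directory -File -Recurse |
        Get-FileHash -Algorithm $Algorithm |
        Where-Object { $Known.ContainsKey($_.Hash) } |
        ForEach-Object { [pscustomobject]@{ Path = $_.Path; Hash = $_.Hash; Label = $Known[$_.Hash] } }
}

# Constructed sample data: one file, a renamed copy of it and a file with different content.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'hashdemo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir 'evil.exe') -Value 'sample content' -NoNewline
Copy-Item (Join-Path $dir 'evil.exe') (Join-Path $dir 'whois.exe')
Set-Content -Path (Join-Path $dir 'other.exe') -Value 'sample content changed' -NoNewline

# Treat the hash of the original as the "published" value (given here in lower case,
# as vendors often publish it); the renamed copy matches it, the changed file does not.
$published = (Get-FileHash (Join-Path $dir 'evil.exe') -Algorithm SHA256).Hash
Test-FileIntegrity -Path (Join-Path $dir 'whois.exe') -ExpectedHash $published.ToLower()
Test-FileIntegrity -Path (Join-Path $dir 'other.exe') -ExpectedHash $published

# Content-based lookup flags both evil.exe and its renamed copy whois.exe.
Find-KnownHash -Directory $dir -Known @{ $published = 'constructed known-hash entry' }
```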