SHA256 of MakeCat in Windows is different than expected SHA256

Time:10-22

Windows has a tool called enter image description here

However, putting the same file through any online or local file SHA256 calculator results in a different hash - 4C5E4407A6056B60089F8406CA75F230988A2528FA84F7965C5BF6ED883FB79A

Any ideas how MakeCat is calculating the hash? I believe internally it calls CryptCATAdminCalcHashFromFileHandle Windows API.

My aim: Calculate this MakeCat-style hash for some files in a Linux environment and store it in a CDF file so I can use it later.

CodePudding user response:

It appears that the hash is from carefully selected portions of files to avoid some inconsistent hashing.

Attributes, optional data, and other potentially machine-specific data are ignored.

Here's the document from 2008 by Microsoft that details the whole structure of Portable Executable (PE) files and how data is stored, signed, and hashed.

(Warning: link directly downloads the Word document from MS servers)

This hashing mechanism has already been implemented in the LIEF Project and hence we can get the same SHA256 hash by doing:

import lief

binary = lief.parse("Optane.dll") # Any file you wish to hash
sha256_hex_string = binary.authentihash_sha256.hex()

This hash will be the same as the one returned by CryptCATAdminCalcHashFromFileHandle2.
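The selective hashing described in the answer above can also be done with only the Python standard library, which shows exactly which bytes are left out of the digest. This is an added example, not code from the answer or from LIEF: it follows the hashing steps of Microsoft's Authenticode PE specification, `authentihash_sha256` and `sample_pe` are hypothetical names, and the sample image is constructed for illustration.

```python
import hashlib
import struct

def authentihash_sha256(data: bytes) -> str:
    """Authenticode-style SHA-256 of a PE image (added example, stdlib only)."""
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", data, pe + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)   # SizeOfOptionalHeader
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    hdr_size, = struct.unpack_from("<I", data, opt + 60)  # SizeOfHeaders
    checksum = opt + 64                                   # offset of CheckSum
    entry = opt + (96 if magic == 0x10B else 112) + 32    # Certificate Table entry
    ndirs, = struct.unpack_from("<I", data, entry - 36)   # NumberOfRvaAndSizes
    if ndirs < 5:
        raise ValueError("no Certificate Table directory entry")
    cert_size, = struct.unpack_from("<I", data, entry + 4)
    h = hashlib.sha256()
    # Headers, minus the 4-byte CheckSum and the 8-byte Certificate Table entry.
    h.update(data[:checksum] + data[checksum + 4:entry] + data[entry + 8:hdr_size])
    sections = []
    for i in range(nsec):                                 # 40-byte section headers
        size, ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
        if size:
            sections.append((ptr, size))
    hashed = hdr_size
    for ptr, size in sorted(sections):                    # in PointerToRawData order
        h.update(data[ptr:ptr + size])
        hashed += size
    # Data after the last section, excluding the appended signature blob.
    h.update(data[hashed:max(hashed, len(data) - cert_size)])
    return h.hexdigest()

def sample_pe(checksum: int = 0, cert: bytes = b"") -> bytes:
    """Constructed PE32+ image: 0x200 bytes of headers, one 0x200-byte section."""
    img = bytearray(0x400)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)               # e_lfanew
    struct.pack_into("<HH", img, 0x44, 0x8664, 1)         # Machine, NumberOfSections
    struct.pack_into("<HHH", img, 0x54, 240, 0, 0x20B)    # opt. header size, flags, magic
    struct.pack_into("<II", img, 0x94, 0x200, checksum)   # SizeOfHeaders, CheckSum
    struct.pack_into("<I", img, 0xC4, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0xE8, 0x400 if cert else 0, len(cert))  # cert entry
    struct.pack_into("<II", img, 0x158, 0x200, 0x200)     # SizeOfRawData, PointerToRawData
    img[0x200:] = bytes(range(256)) * 2                   # section contents
    return bytes(img) + cert
```

Reading a real PE file with `open(path, "rb").read()` and passing the bytes to `authentihash_sha256` gives a digest to compare against the LIEF output.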
