Monday, August 22, 2011

Using Sysinternals sigcheck to verify a file's hash

A file's MD5 or SHA-1 hash is what I usually check to verify a particular file's integrity. Software developers often publish these hashes so that users can determine whether the file has been tampered with.

Among the Sysinternals tools is a file and signature viewer called sigcheck. Here is a short tutorial on how to use sigcheck to get a file's hash.

1. Obtain the file hash from the software developer's website or distribution site.
2. Download sigcheck from Microsoft Sysinternals, or better yet get the whole Sysinternals Suite.
3. Run sigcheck.exe with the -h parameter against the file.

It will show the file version and the file's hashes. Here is an example of sigcheck in action. For this example I used the L0phtCrack password auditing software from http://www.lophtcrack.com. The website offers a download through CNET and an alternative download site. Let's compare the file hashes.

The L0phtCrack website says the file should have these hashes:

MD5 Hash: a2fd2af0b3300fea67e6b836f9ca05f2
SHA1 Hash: 142590a4751fa26919cc902d91aa9c92c8e602fd

Here are the hashes of the executable obtained from the CNET website:

C:\Documents and Settings\machine\My Documents\Downloads>sigcheck -h cnet_lc6setup_v6_0_12a_exe.exe

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Documents and Settings\machine\My Documents\Downloads\cnet_lc6setup_v6_0_12a_exe.exe:

Verified: Signed
Signing date: 5:58 AM 7/19/2011
Publisher: CBS Interactive
Description: CNET Download.com Installer
Product: CNET Download.com Installer
Version: 1.2.3.0
File version: 1.2.3.0
MD5: 5a888686e6b6744afd3e1c19d84a2b10
SHA1: dadee7f3da2ac8e4916d414fcd500ac85d40cb48
SHA256: a5528ab0650d406a2d526c5608fac24404fe07a49ca90bb4bc1c5dfdc5c912f8

Here are the hashes of the file obtained directly from L0phtCrack's site:

C:\Documents and Settings\machine\My Documents\Downloads>sigcheck -h lc6setup_v6.0.12a.exe

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Documents and Settings\machine\My Documents\Downloads\lc6setup_v6.0.12a.exe:
Verified: Unsigned
File date: 3:03 PM 8/23/2011
Publisher: L0pht Holdings, LLC
Description:
Product: L0phtCrack 6
Version: 6.0
File version: 6.0
MD5: a2fd2af0b3300fea67e6b836f9ca05f2
SHA1: 142590a4751fa26919cc902d91aa9c92c8e602fd
SHA256: 786800c069a0aa6db8ca44f9ec9617294ece72d7d0b5154a88ef77d73784d450

It might be a good idea to use the second file in this instance and not trust the file from the CNET download.com website. The sigcheck output also shows why the hashes differ: the CNET file is a CNET Download.com Installer signed by CBS Interactive, not the L0phtCrack installer itself, so its hashes cannot match the ones L0phtCrack publishes. Note that the vendor's own file is reported as Unsigned, so the published hashes are the only thing vouching for it.
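As an added example (not part of the original post), here is a small Python script that parses the two sigcheck -h outputs shown above and compares them with the published hashes; the output excerpts are taken from the runs above, and the hashes_of helper repeats the same three digests with Python's hashlib for when sigcheck is not at hand.

```python
import hashlib
import re

# Hashes published on the L0phtCrack download page (values quoted in the post).
PUBLISHED = {
    "MD5": "a2fd2af0b3300fea67e6b836f9ca05f2",
    "SHA1": "142590a4751fa26919cc902d91aa9c92c8e602fd",
}

# Excerpts of the two `sigcheck -h` runs shown in the post (only the lines
# the check needs are kept).
CNET_OUTPUT = """\
Verified:\tSigned
Publisher:\tCBS Interactive
Description:\tCNET Download.com Installer
MD5:\t5a888686e6b6744afd3e1c19d84a2b10
SHA1:\tdadee7f3da2ac8e4916d414fcd500ac85d40cb48
SHA256:\ta5528ab0650d406a2d526c5608fac24404fe07a49ca90bb4bc1c5dfdc5c912f8
"""
VENDOR_OUTPUT = """\
Verified:\tUnsigned
Publisher:\tL0pht Holdings, LLC
MD5:\ta2fd2af0b3300fea67e6b836f9ca05f2
SHA1:\t142590a4751fa26919cc902d91 aa9c92c8e602fd
SHA256:\t786800c069a0aa6db8ca44f9ec9617294ece72d7d0b5154a88ef77d73784d450
"""

HASH_KEYS = ("MD5", "SHA1", "SHA256")

def parse_sigcheck(output):
    """Turn sigcheck's 'Key: value' lines into a dict.  Hash values are
    lower-cased with all whitespace removed, so a value mangled by copy/paste
    (like the SHA1 with a stray space above) still compares correctly."""
    fields = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key in HASH_KEYS:
            value = re.sub(r"\s+", "", value).lower()
        fields[key] = value
    return fields

def verify(fields, published=PUBLISHED):
    """Return {algo: matched} for every hash the vendor published; an
    algorithm sigcheck did not report counts as a mismatch."""
    return {algo: fields.get(algo) == expected.lower()
            for algo, expected in published.items()}

def hashes_of(data):
    """The same three digests sigcheck -h prints, computed with hashlib."""
    return {algo: hashlib.new(algo.lower(), data).hexdigest() for algo in HASH_KEYS}

if __name__ == "__main__":
    for name, out in (("CNET", CNET_OUTPUT), ("vendor", VENDOR_OUTPUT)):
        f = parse_sigcheck(out)
        print(name, f["Verified"], f["Publisher"], verify(f))
```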

Do you have a better methodology for checking whether a file has been tampered with or contains malware?