An input loop allows specifying consecutive file names or strings. Entering RETURN exits the loop.
SHA1 hash uses CryptoAPI
CryptHashData() and related functions.
SHA1 hash for .cat file uses CryptoAPI CryptCATAdminCalcHashFromFileHandle()
In many cases, particularly with PE files, the actual data hashed for use as the reference tag (file-signature) in a signed .cat file member (e.g. for WFP) is not the entire binary file. C14 normalization of the binary data removes some variable (per machine) bits of the data, if present, so that the file-signatures in .cat files can validate across machines. This normalization is the same procedure used for data hashing in stand-alone Authenticode-signed PE files. This is the hash value returned by CryptCATAdminCalcHashFromFileHandle().
Related to this, the PSDK tool signtool supports .cat file member verification and displays (in verbose mode) the actual .cat file, from a .cat file database, which contains the file-signature (hash) corresponding to the file specified. Signtool is provided in the Windows Server 2003 SP1 Platform SDK (April 2005), .NET 2 SDK and VS 2005.
Sample output for cathash.exe (3 consecutive input items; a PE file, a string, a text file)
Sample output for signtool verify /a /v crypt32.dll
cathash.exe (Compiled VS 2005; signed and timestamped; (91,256 bytes)
In Windows OS that provide File Protection (W2k+), Windows maintains a list of system files that are protected from change. It is easy to enumerate this list using the windows api function SfcGetNextProtectedFile().
Wfplist.cpp is a simple console application that enumerates the list and lists the protected files in an output file wftlist.txt.
wfplist.exe (Compiled VS 2005; signed and timestamped; (74,872 bytes)