CatHash: File, catalog tag and String SHA1 Calculator

CatHash.c is a C console application for Win32 and CryptoAPI. It prompts the user for a file name or a string to hash:
- If the input string matches a valid file name, the file hash is calculated twice: First, the hash of the entire binary file is calculated and displayed in hex and b64 formats. Next, the hash for file-signature tags in .cat files is calculated and displayed.
- If the input string does NOT match a valid file name, the string specified is hashed twice (as ASCII and UNICODE). In this case, the input string is displayed in hex format, followed by the SHA1 hash in hex and b64 formats.

An input loop allows specifying consecutive file names or strings. Entering RETURN exits the loop.

The SHA1 hash uses CryptoAPI CryptHashData() and related functions.
The SHA1 hash for .cat files uses CryptoAPI CryptCATAdminCalcHashFromFileHandle().

In many cases, particularly with PE files, the actual data hashed for use as the reference tag (file-signature) in a signed .cat file member (e.g. for WFP) is not the entire binary file. C14 normalization of the binary data removes some variable (per machine) bits of the data, if present, so that the file-signatures in .cat files can validate across machines. This normalization is the same procedure used for data hashing in stand-alone Authenticode-signed PE files. This is the hash value returned by CryptCATAdminCalcHashFromFileHandle().
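The difference between the two hashes of a PE file can be reproduced without CryptoAPI. The following is an added example in Python, not code from CatHash.c: it assumes the normalization described above is the Authenticode PE digest, which leaves out the CheckSum field, the certificate table directory entry and the certificate table itself, and it hashes the remaining bytes in file order (a linear simplification of the published procedure, which walks sections sorted by raw offset). The function names and the sample buffer are constructed for the illustration.

```python
import base64, hashlib, struct

CERT_DIR = 4  # data directory index of the certificate table

def pe_signature_hash(data: bytes) -> bytes:
    """SHA1 over a PE image, leaving out the fields that signing rewrites."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = pe_off + 24                       # optional header, after the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)     # NumberOfRvaAndSizes
    skips = [(opt + 64, 4)]                 # CheckSum field
    if ndirs > CERT_DIR:
        entry = dirs + 8 * CERT_DIR         # 8-byte (file offset, size) pair
        cert_off, cert_len = struct.unpack_from("<II", data, entry)
        if cert_len and not entry + 8 <= cert_off <= len(data) - cert_len:
            raise ValueError("certificate table outside file")
        skips += [(entry, 8), (cert_off if cert_len else len(data), cert_len)]
    h, pos = hashlib.sha1(), 0
    for off, size in skips:                 # hash everything between the skipped regions
        h.update(data[pos:off])
        pos = off + size
    h.update(data[pos:])
    return h.digest()

def build_sample_pe(body: bytes = b"constructed section bytes") -> bytes:
    buf = bytearray(0x40 + 24 + 96 + 16 * 8)    # constructed PE32-shaped headers, not loadable
    buf[:2], buf[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    struct.pack_into("<H", buf, 0x40 + 24, 0x10B)
    struct.pack_into("<I", buf, 0x40 + 24 + 92, 16)
    return bytes(buf) + body

def attach_blob(pe: bytes, blob: bytes, checksum: int) -> bytes:
    out = bytearray(pe)                     # mimic what signing changes in a PE32 file
    opt = struct.unpack_from("<I", out, 0x3C)[0] + 24
    struct.pack_into("<I", out, opt + 64, checksum)
    struct.pack_into("<II", out, opt + 96 + 8 * CERT_DIR, len(out), len(blob))
    return bytes(out) + blob

if __name__ == "__main__":
    signed = attach_blob(build_sample_pe(), b"\x01" * 64, 0xDEADBEEF)
    d = pe_signature_hash(signed)
    print(hashlib.sha1(signed).hexdigest(), d.hex(), base64.b64encode(d).decode())
```

Run on the constructed buffer, the whole-file SHA1 changes once the blob and checksum are written, while the signature hash stays the same until a byte outside the skipped regions is modified.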

Related to this, the PSDK tool signtool supports .cat file member verification and displays (in verbose mode) the actual .cat file, from a .cat file database, which contains the file-signature (hash) corresponding to the file specified. Signtool is provided in the Windows Server 2003 SP1 Platform SDK (April 2005), .NET 2 SDK and VS 2005.

Sample output for cathash.exe (3 consecutive input items; a PE file, a string, a text file)

Sample output for signtool verify /a /v crypt32.dll

cathash.exe (compiled with VS 2005; signed and timestamped; 91,256 bytes)

Related Information:
In Windows versions that provide File Protection (W2k+), Windows maintains a list of system files that are protected from change. This list is easy to enumerate with the Windows API function SfcGetNextProtectedFile().
Wfplist.cpp is a simple console application that enumerates the list and writes the protected files to an output file, wftlist.txt.

wfplist.exe (compiled with VS 2005; signed and timestamped; 74,872 bytes)