Tupp

Compiled Script Hash Never the Same

8 posts in this topic

I tried searching for this on the forum but didn't find anything.  I have an issue of needing to identify which script was used to create the EXE being used in our environment.  The individual who created it is no longer here and didn't keep EXE names consistent with script names.  I think we do have the script but when I compile it, the hash of the exe is not the same as the one in the environment.  After lots of testing various scripts (I got a folder full of possibilities) I noticed that the hash is never the same, even when I recompile a script whose code has not changed.  I'm assuming unique/random data is being inserted during compile time but I don't know what it is.  Does anyone know?  Is there a way to prevent this so the hash of the compiled exe is the same as long as the code is the same?  I'm using a PowerShell script to get the MD5.  Thanks.

#2 ·  Posted (edited)

That's not random data; the creation time is changed, and maybe the File Version also (when autoincrement is enabled).

So there is no way; you must compile every script and document its hash. Once a script is recompiled you have to update your documentation.

Edited by AutoBert
1 person likes this
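An added example, not part of the thread or any poster's code: a Python sketch that byte-diffs two builds, labels each differing range as PE header `TimeDateStamp`, `CheckSum` or "other", and computes a SHA-256 with those two header fields zeroed. It assumes standard PE header offsets; whether the AutoIt compiler changes anything beyond these fields is not confirmed here, and the `fake_pe` inputs are constructed stand-ins, not real executables.

```python
import hashlib
import struct

def volatile_fields(data):
    # PE header fields that change on every rebuild: name -> (start, end)
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    ts = e_lfanew + 8         # COFF header TimeDateStamp
    ck = e_lfanew + 24 + 64   # optional header CheckSum (same offset in PE32/PE32+)
    return {"TimeDateStamp": (ts, ts + 4), "CheckSum": (ck, ck + 4)}

def diff_ranges(a, b):
    # Contiguous [start, end) ranges where two same-length files differ
    if len(a) != len(b):
        raise ValueError("lengths differ; compare sizes before diffing bytes")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges

def explain(a, b):
    # Label each differing range with the header field containing it, else "other"
    fields = volatile_fields(a)
    return [(s, e, next((n for n, (fs, fe) in fields.items()
                         if fs <= s and e <= fe), "other"))
            for s, e in diff_ranges(a, b)]

def normalized_sha256(data):
    # Hash with the volatile header fields zeroed
    buf = bytearray(data)
    for start, end in volatile_fields(data).values():
        buf[start:end] = bytes(end - start)
    return hashlib.sha256(buf).hexdigest()

def fake_pe(timestamp, body):
    # Constructed 256-byte stand-in for a PE header plus payload (not a real EXE)
    hdr = bytearray(256)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", hdr, 0x48, timestamp)
    return bytes(hdr) + body
```

For real files, pass the bytes from `open(path, "rb").read()`. If `explain` reports any "other" ranges, something besides the two header fields changed (the File Version mentioned above would be one candidate) and the masked hashes will not match.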


#3 ·  Posted (edited)

File hashes only offer a false sense of security. There are programs out there that can inject malicious viruses into programs without changing the hash. I'm not one to really talk about security but I think the route you should take is to get your script digitally signed.

Edited by BetaLeaf

False Positive Reporter - Mass email all anti virus vendors with an attachment of your program for fast and easy whitelisting.

PortableApps.com App Creation Wizard  - A simple GUI-based Wizard for creating PortableApps.

SoundBoard - Play any song or sound you want at the press of a hotkey.

My GitHub Page: https://github.com/BetaLeaf


#5 ·  Posted (edited)

@BetaLeaf: In theory it is possible to make changes that result in the same hash, but by that time I also have a new File Version with a new hash.

The other way, where malware programmers change their files a little to get a new hash, is often used. So AV engines must check the complete file. When FileName, hash, creation date and file length are identical, they know it's this malicious file.

Edited by AutoBert


@AutoBert   I figured creation time would probably be in there and causing (part of) it.
@BetaLeaf   It's not for security purposes, just for validating I had the right script so it could be modified but keep the other stuff the same.
@JohnOne   That sounds fantastic but I have no idea how to do that :)

1 person likes this


I did have a thread on here somewhere, where I was doing virtually the same thing, but in C++, but it was a few years ago, cannot remember what it is called or where it is.

Could be re-written in AutoIt, but would be no small task for a less than advanced user.

Should query yourself as to how important this is to you and if there is another route.


AutoIt Absolute Beginners    Require a serial    Pause Script    Video Tutorials by Morthawt   ipify 

Monkey's are, like, natures humans.


It wouldn't be worth it.  We'll guess at which script or write a new one, depending on the customer's needs.  Thank you everyone for your replies.
