usmiv4o

razorwire hash check for files

5 posts in this topic

#1 ·  Posted

#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.2.4.3
 Author:         usmiv4o

 Script Function:
    AutoIt script to check if files in directory are changed. It is usefull for security contra-inteligense measures.

 Function Name:    LoadTripwireDB()
 Description:      Loads database (text file tripwire.txt) and compare files in /test folder for changes.
                    compares Hash (MD5) checksums. If they are not the same starts Initial()
 Function Name:    Initial()
 Description:      Checks directory and makes index of files and their MD5 checksums in text file (tripwire.txt)

 Function Name:    Hush()
 Description:      Checks file and returns its MD5 checksum.

 Requirement(s):   Windows XP
 Return Value(s):  On Success - Returns true. Files are the same as before.
                   On Failure - return false.

  Example:
 LoadTripwireDB()


#ce ----------------------------------------------------------------------------
#include <Crypt.au3>
#include <File.au3>
#include <Array.au3>


$sDir = @ScriptDir & "\Test"
$sFilePath = @ScriptDir & "\tripwire.txt"

Func Hush(ByRef $sFile)
    $sRead = FileOpen( $sFile)
    $dHash = _Crypt_HashData($sRead, $CALG_MD5) ; Create a hash of the text entered.
    ConsoleWrite("Hash of file " & $sFile & "  is " & $dHash & @CRLF)
EndFunc


    ;ConsoleWrite("Files in Dir are " & $aScriptDir[0] & @CRLF)
    ;$sFilePath = @ScriptDir & "\Examples.txt"
    ;_FileWriteFromArray($sFilePath, $aScriptDir, 1)
    ;_ArrayDisplay($aScriptDir, "1D display")

Func Initial()
    $aScriptDir = _FileListToArray($sDir)
    for $i = 1 To UBound($aScriptDir) - 1
        $dHash = _Crypt_HashData($i, $CALG_MD5)
        ;ConsoleWrite("File " & $aScriptDir[$i] & " is " & $dHash & @CRLF)
        ConsoleWrite($aScriptDir[$i] & ":" & $dHash & @CRLF)
        ;Hush($aScriptDir[$i])

        ;FileWrite

        $hFileOpen = FileOpen($sFilePath, $FO_APPEND)
        If $hFileOpen = -1 Then
            MsgBox($MB_SYSTEMMODAL, "", "An error occurred when reading the file.")
        EndIf
        FileWrite($hFileOpen, $aScriptDir[$i] & ":" & $dHash & @CRLF)
    Next
EndFunc

Func Monitor()
    $aScriptDir = _FileListToArray($sDir)
    for $i = 1 To UBound($aScriptDir) - 1

    Next
EndFunc

Func LoadTripwireDB()
    $comparison_ok = false
    $dArray = _FileListToArray($sDir)       ;directory
    $dArray0 = UBound($dArray) - 1
    $fArray =  FileReadToArray($sFilePath)  ;file
    $fArray0 = UBound($fArray)
    ;_ArrayDisplay($dArray, "files array")
    if $dArray0 = $fArray0 Then     ; are file same as recorded in txt file?
        ;ConsoleWrite("files in monitoring dir: " & $dArray[0] & " = file recorded: " & $fArray0 & @CRLF & $fArray[0]& @CRLF)
        for $i = 1 To UBound($dArray) - 1
            ;ConsoleWrite("i = " & $i & @CRLF)
            $dHash = _Crypt_HashData($i, $CALG_MD5) ;binary
            ;$dHash = BinaryToString($dHash)
            $ffhash = StringSplit( $fArray[$i-1],":")
            $fhash = $ffhash[2]

            ;ConsoleWrite("IsBinary $dHash " & IsBinary($dHash) & @CRLF)

            if  $dHash = $fhash  Then   ;if compared hashes are equal
                ;ConsoleWrite($fhash & ":" & $dHash & " equal" & @CRLF)
                ;ConsoleWrite("File:      " & $fhash & @CRLF & "Directory: " & $dHash & @CRLF & "equal:     yes " & @CRLF)

            Else                        ;if compared hashes are not equal
                ;ConsoleWrite("File:      " & $fhash & @CRLF & "Directory: " & $dHash & @CRLF & "equal:     not " & @CRLF)
                ;MsgBox(0,"hash md5",$fhash & ":" & $dHash & " not equal")
            EndIf

        Next
        ;ConsoleWrite("hashes are equal" & @CRLF)
        $comparison_ok = true
    Else
        ConsoleWrite("number of files in monitoring dir are not same as recorded" & @CRLF)
        ConsoleWrite("directory: " & $dArray[0] &":"& "files: " & UBound($fArray) - 1 & @CRLF)
    EndIf
    Return $comparison_ok
EndFunc

#main
if LoadTripwireDB() = true Then
    ConsoleWrite(" hashes are equal " & @CRLF)
ElseIf  LoadTripwireDB() <> true Then
    ConsoleWrite(" hashes are not equal " & @CRLF)
    ConsoleWrite(" hashes are not equal " & @CRLF)
    Initial()
EndIf

 

tripwire.au3

tripwire.txt


I have nothing to be proud: I am Bulgarian :~But there is no better place than 127.0.0.1Tutorial for newbies

Share this post


Link to post
Share on other sites



#2 ·  Posted

BTW, MD5 is rather weak nowadays, especially for security (anti-malicious) purposes.  SHA2 is way more secure (today and for some time).


This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Share this post


Link to post
Share on other sites

#3 ·  Posted

Hashing is a very good way to check the integrity of a file but something that should be noted is hashing large files will make this slow.

The Hash function hashes the first 524,288 characters (roughly 4mb if my math is correct); doesn't seem like a lot but then it's going to run that string through the actual hashing algorithm. A quicker way would be just to check the Date Modified, Date Created attributes, and size of the file.

Share this post


Link to post
Share on other sites

#4 ·  Posted

32 minutes ago, InunoTaishou said:

A quicker way would be just to check the Date Modified, Date Created attributes, and size of the file.

All these attributes can too easily be tampered with.


This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Share this post


Link to post
Share on other sites

#5 ·  Posted (edited)

20 minutes ago, jchd said:

All these attributes can too easily be tampered with.

Yup, didn't say it was the best way to check integrity, just a quicker way.

Just warning if someone was trying to use this to monitor dozens of files that may be hundreds of mbs each. Since autoit cannot multi thread and create a process to hash each one, hashing each one of them, sequentially, is going to take a while (I tried a long time ago on about 100 files that were a few gbs each and it took, I think, around 40 minutes to do them all, can't remember the exact time since it was so long ago).

Edited by InunoTaishou

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Similar Content

    • Danyfirex
      By Danyfirex
      Hello guys. Here is a small function to create a hash hmac  similar to hash_hmac PHP function.  
      Supported are: SHA512,SHA256,SHA1,SHA384,MD5 and RIPEMD160.
       
      Local $sSecret = "SecretKey" Local $sMessage = "AutoIt Rocks!!!" ConsoleWrite("HMAC-SHA256: " & @TAB & @TAB & _HashHMAC("SHA512", $sMessage, $sSecret) & @CRLF) ConsoleWrite("HMAC-SHA256: " & @TAB & @TAB & _HashHMAC("SHA256", $sMessage, $sSecret) & @CRLF) ConsoleWrite("HMAC-SHA1: " & @TAB & @TAB & _HashHMAC("SHA1", $sMessage, $sSecret) & @CRLF) ConsoleWrite("HMAC-SHA384: " & @TAB & @TAB & _HashHMAC("SHA384", $sMessage, $sSecret) & @CRLF) ConsoleWrite("HMAC-MD5: " & @TAB & @TAB & _HashHMAC("MD5", $sMessage, $sSecret) & @CRLF) ConsoleWrite("HMAC-RIPEMD160: " & @TAB & _HashHMAC("RIPEMD160", $sMessage, $sSecret) & @CRLF) Func _HashHMAC($sAlgorithm, $bData, $bKey, $bRaw_Output = False) Local $oHashHMACErrorHandler = ObjEvent("AutoIt.Error", "_HashHMACErrorHandler") Local $oHMAC = ObjCreate("System.Security.Cryptography.HMAC" & $sAlgorithm) If @error Then SetError(1, 0, "") $oHMAC.key = Binary($bKey) Local $bHash = $oHMAC.ComputeHash_2(Binary($bData)) Return SetError(0, 0, $bRaw_Output ? $bHash : StringLower(StringMid($bHash, 3))) EndFunc ;==>_HashHMAC Func _HashHMACErrorHandler($oError) ;Dummy Error Handler EndFunc ;==>_HashHMACErrorHandler It requires .NET Framework  2.0 or higher.
      Saludos
    • Miliardsto
      By Miliardsto
      Hello. Im trying to make my scripts safe - unnable to decompile. I search for obfuscators and other security methods but the search has come to nothing.
      Then one guy gave that idea below. If I rightly understood this idea lets we talk about example program with this secutiy method.
      Program have two parts, first is only login gui and the second part is the main program Second part (main program) is uploaded on ftp server lets say that on http://xxx/autoit/main_program.au3 So we have the first gui with login, we put correctly login and pass and this is the moment when code from http://xxx/autoit/main_program.au3 will be downloaded and executed Finally main program will be appear This is the similiar way like new games are protected by cracking.
      I have few questions in this moment about this:
      Is something like that even possible to do with the autoit? First part of program (login gui) must have somewhere given that link to download the rest of code - http://xxx/autoit/main_program.au3 to make it execute. As we know this first part of program is easy able to hack and retrieve this web url http://xxx/autoit/main_program.au3 where located is main part of program. Is the way to encrypt or secure it? If only code will be stored in .php we know it cannot be previewed. So it could for example get code from .php file instead of .au3 I know that methods works in other languages (I dont know exactly how) thats becouse I only speculates, maybe something may looks different in these solution? Other way would be compiling second part of code on web server (there are available web autoit servers) maybe this way is possible? Tell me anything U know about this ideas and if its even possible to achieve.
      Thanks for ur any response, advice or thoughts
       

       
       
    • rudi
      By rudi
      Hello.
      I'm too stupid to see my mistake:
      To investigate the internal "dictionary" of TIFF files I'd like to read in the files in binary mode and to check, if there are more than one pages "in" this TIFF.
      Notepad++, "View as Hex" is presenting the first bytes as "49 49 2a 20 08 20 20 20 12" for the TIF attached to this posting
      The "TIFF Header Format" is easy:
      Offset 00h, 2 Byte = Byte Order, "II"=intel, "MM"=motorola. (I = 0x49)
      --> II
      Offset 02h, 2 Byte = Version Nr.
      Offset 04h, 4 Byte = pointer to first IFD entry
      Description of TIFF header: https://www.awaresystems.be/imaging/tiff/faq.html#q3
       

      Howto read and analyse the binary content correctly? This is my messy, not operational code:
       
      $sampleTiff="H:\daten\tif\11\11\111111.TIF" $h=FileOpen($sampleTiff,16) $content=FileRead($h) ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $content = ' & $content & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console FileClose($h) $type=VarGetType($content) ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $type = ' & $type & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console $ToString=BinaryToString($content) ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $ToString = ' & $ToString & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console ConsoleWrite(@CRLF & @CRLF) $content=StringTrimLeft($content,2) ; cut off the leading "0x" ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $content = ' & $content & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console for $i = 1 to 8 step 8 $next=StringMid($content,$i,2) ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $next = ' & $next & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console $Chr=BinaryToString($next) ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $Chr = ' & $Chr & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console ConsoleWrite(@CRLF & "---" & @CRLF) Next Regards, Rudi.
      111111.TIF
    • Dent
      By Dent
      @Blueman @Damein
      Dear all,
      I couldn't find anything that related exactly to what I'm trying to achieve although I did find some examples from the two people I've tagged in which has gotten me so far.
      I understand this topic could be a contentious issue and perhaps that's why there's no threads that I could find that relate directly to it. If the subject is taboo then I'll completely understand it if this thread is deleted.
      I want to write a program that periodically posts the IP address and Geo/GPS location data to me some way e.g. ftp/POST/email - the back-story is below.
      Ok so recently I had a computer stolen from my office, the actual value of the computer is very low as it was 10 years old and just for basic office tasks. Whilst the important files were backed up I never got around to automating this process so I lost a couple of weeks work when it was stolen.
      Anyway, this computer was used mainly by one employee and as I wouldn't be at the office a lot of the time I would use VNC to help when they got stuck with a particular task. As the IP was dynamic I found the dynamic DNS solutions supported by the router not to be very reliable so I wrote a small AutoIt program that called the dynamic DNS update link every 15 minutes, this program was in the Start Menu -> Programs -> Start Up folder and worked fine. This computer was a desktop box with no Wifi so was connected via Ethernet.
      As the accounts on the machine are password protected, whoever ends up with the box is likely to format the HD and put a fresh OS on there so this program is unlikely to run again which is a shame because as it's a desktop box with no Wifi I could use the IP address to give to the Police who could get the users name and address by matching who that IP was assigned to at that time. This is very unlikely to be a coffee shop etc.
      So I'm a lot more security and disaster recovery minded now and have replaced that box with a laptop that the staff member can take home with them each day and it automatically backs up to OneDrive upon log in.
      I've put VNC and the dynamic DNS AutoIt program on there but as this is a laptop with Wifi it's obviously very portable and can be used to get online from more locations.
      What I want to do is create another program that gets the device location as well as the IP and sends it to me every 15 minutes or so. I'd plan to put this program in a Guest account that has no password so if this laptop were ever stolen the next user would actually be able to log in and this program would run. Even better would be for this program to be started as a service so it runs before logging in to an account, just like VNC does. Being a laptop it could be used by a thief or other unauthorised user in a coffee shop etc.
      The solution I have explored so far is have a local .htm file that is opened via AutoIt program which when it has loaded displays the latitude and longitude of the machine, the program then saves this to a file with IP address and date/time stamp and sends it to me somehow (I'll probably implement multiple ways of it notifying me just in case of firewalls). The instance of IE would load minimized and quit after the lat/long is read; as it is such a small page running locally this all happens very quickly so is hard for any user to detect and cancel/intercept.
      My only problem with this implementation is I can't find a way for the page to start the script and obtain the location without user interaction (clicking Allow). I know why this is like this, because it could be used to spy on peoples location so could be open to mis-use.
      So perhaps there is a better way, programmatically within AutoIt using Google Maps API (which I haven't looked into properly yet) to do this where there is no user interaction required?
      There are probably commercial applications to do just this (similar to FindMyiPhone) but I've not investigated the availability of those for Windows and don't see how such a commercial application would be any less open to mis-use so why not create my own little app if possible and avoid the cost.
    • Graeme
      By Graeme
      I was looking for a way to calculate the sha512 value of files downloaded and eventually came across crypt.au3 in my include folder. It looks good but when I looked at the global constants the three values for Sha 2 are commented out. Is there a reason for that or should these be made available?