Jump to content
usmiv4o

razorwire hash check for files

Recommended Posts

usmiv4o
#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.2.4.3
 Author:         usmiv4o

 Script Function:
    AutoIt script to check if files in directory are changed. It is usefull for security contra-inteligense measures.

 Function Name:    LoadTripwireDB()
 Description:      Loads database (text file tripwire.txt) and compare files in /test folder for changes.
                    compares Hash (MD5) checksums. If they are not the same starts Initial()
 Function Name:    Initial()
 Description:      Checks directory and makes index of files and their MD5 checksums in text file (tripwire.txt)

 Function Name:    Hush()
 Description:      Checks file and returns its MD5 checksum.

 Requirement(s):   Windows XP
 Return Value(s):  On Success - Returns true. Files are the same as before.
                   On Failure - return false.

  Example:
 LoadTripwireDB()


#ce ----------------------------------------------------------------------------
#include <Crypt.au3>
#include <File.au3>
#include <Array.au3>


$sDir = @ScriptDir & "\Test"
$sFilePath = @ScriptDir & "\tripwire.txt"

Func Hush(ByRef $sFile)
    $sRead = FileOpen( $sFile)
    $dHash = _Crypt_HashData($sRead, $CALG_MD5) ; Create a hash of the text entered.
    ConsoleWrite("Hash of file " & $sFile & "  is " & $dHash & @CRLF)
EndFunc


    ;ConsoleWrite("Files in Dir are " & $aScriptDir[0] & @CRLF)
    ;$sFilePath = @ScriptDir & "\Examples.txt"
    ;_FileWriteFromArray($sFilePath, $aScriptDir, 1)
    ;_ArrayDisplay($aScriptDir, "1D display")

Func Initial()
    $aScriptDir = _FileListToArray($sDir)
    for $i = 1 To UBound($aScriptDir) - 1
        $dHash = _Crypt_HashData($i, $CALG_MD5)
        ;ConsoleWrite("File " & $aScriptDir[$i] & " is " & $dHash & @CRLF)
        ConsoleWrite($aScriptDir[$i] & ":" & $dHash & @CRLF)
        ;Hush($aScriptDir[$i])

        ;FileWrite

        $hFileOpen = FileOpen($sFilePath, $FO_APPEND)
        If $hFileOpen = -1 Then
            MsgBox($MB_SYSTEMMODAL, "", "An error occurred when reading the file.")
        EndIf
        FileWrite($hFileOpen, $aScriptDir[$i] & ":" & $dHash & @CRLF)
    Next
EndFunc

Func Monitor()
    $aScriptDir = _FileListToArray($sDir)
    for $i = 1 To UBound($aScriptDir) - 1

    Next
EndFunc

Func LoadTripwireDB()
    $comparison_ok = false
    $dArray = _FileListToArray($sDir)       ;directory
    $dArray0 = UBound($dArray) - 1
    $fArray =  FileReadToArray($sFilePath)  ;file
    $fArray0 = UBound($fArray)
    ;_ArrayDisplay($dArray, "files array")
    if $dArray0 = $fArray0 Then     ; are file same as recorded in txt file?
        ;ConsoleWrite("files in monitoring dir: " & $dArray[0] & " = file recorded: " & $fArray0 & @CRLF & $fArray[0]& @CRLF)
        for $i = 1 To UBound($dArray) - 1
            ;ConsoleWrite("i = " & $i & @CRLF)
            $dHash = _Crypt_HashData($i, $CALG_MD5) ;binary
            ;$dHash = BinaryToString($dHash)
            $ffhash = StringSplit( $fArray[$i-1],":")
            $fhash = $ffhash[2]

            ;ConsoleWrite("IsBinary $dHash " & IsBinary($dHash) & @CRLF)

            if  $dHash = $fhash  Then   ;if compared hashes are equal
                ;ConsoleWrite($fhash & ":" & $dHash & " equal" & @CRLF)
                ;ConsoleWrite("File:      " & $fhash & @CRLF & "Directory: " & $dHash & @CRLF & "equal:     yes " & @CRLF)

            Else                        ;if compared hashes are not equal
                ;ConsoleWrite("File:      " & $fhash & @CRLF & "Directory: " & $dHash & @CRLF & "equal:     not " & @CRLF)
                ;MsgBox(0,"hash md5",$fhash & ":" & $dHash & " not equal")
            EndIf

        Next
        ;ConsoleWrite("hashes are equal" & @CRLF)
        $comparison_ok = true
    Else
        ConsoleWrite("number of files in monitoring dir are not same as recorded" & @CRLF)
        ConsoleWrite("directory: " & $dArray[0] &":"& "files: " & UBound($fArray) - 1 & @CRLF)
    EndIf
    Return $comparison_ok
EndFunc

#main
if LoadTripwireDB() = true Then
    ConsoleWrite(" hashes are equal " & @CRLF)
ElseIf  LoadTripwireDB() <> true Then
    ConsoleWrite(" hashes are not equal " & @CRLF)
    ConsoleWrite(" hashes are not equal " & @CRLF)
    Initial()
EndIf

 

tripwire.au3

tripwire.txt


I have nothing to be proud: I am Bulgarian :~But there is no better place than 127.0.0.1Tutorial for newbies

Share this post


Link to post
Share on other sites
jchd

BTW, MD5 is rather weak nowadays, especially for security (anti-malicious) purposes.  SHA2 is way more secure (today and for some time).


This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Share this post


Link to post
Share on other sites
InunoTaishou

Hashing is a very good way to check the integrity of a file but something that should be noted is hashing large files will make this slow.

The Hash function hashes the first 524,288 characters (roughly 4mb if my math is correct); doesn't seem like a lot but then it's going to run that string through the actual hashing algorithm. A quicker way would be just to check the Date Modified, Date Created attributes, and size of the file.

Share this post


Link to post
Share on other sites
jchd
32 minutes ago, InunoTaishou said:

A quicker way would be just to check the Date Modified, Date Created attributes, and size of the file.

All these attributes can too easily be tampered with.


This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Share this post


Link to post
Share on other sites
InunoTaishou
20 minutes ago, jchd said:

All these attributes can too easily be tampered with.

Yup, didn't say it was the best way to check integrity, just a quicker way.

Just warning if someone was trying to use this to monitor dozens of files that may be hundreds of mbs each. Since autoit cannot multi thread and create a process to hash each one, hashing each one of them, sequentially, is going to take a while (I tried a long time ago on about 100 files that were a few gbs each and it took, I think, around 40 minutes to do them all, can't remember the exact time since it was so long ago).

Edited by InunoTaishou

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Similar Content

    • VADemon
      By VADemon
      I've encountered a problem with a single file where I cannot retrieve it's Date-time. So far my code has worked well for over 30 files, but this one is a mystery I cannot debug myself due to insufficient Au3 knowledge.
      In line 11 "_Date_Time_FileTimeToArray" is called and for this particular file it sets the @error to 10. I don't know what that error code means, but it's not set by the _Date functions themselves I think.
      Overall, it could be a problem caused by any of the functions below, how can I properly debug this? / Does anybody know a what's causing this?
      _WinAPI_CreateFile() / _Date_Time_GetFileTime() / _Date_Time_FileTimeToArray()
      Func _SetFileTimes($sFilePath) Local $monthNumber[13] = ["", "January", "February", "March", "April", "May", "Juny", "July", "August", "September", "October", "November", "December"] Local $dayNumber[7] = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"] Local $fHandle = _WinAPI_CreateFile($sFilePath, 2, 2) ; read-only ; may NOT return a valid date for some reason! TODO Local $fTagFILETIME = _Date_Time_GetFileTime($fHandle) _WinAPI_CloseHandle($fHandle) ; This will return an empty array if theres no valid date $fModTime = _Date_Time_FileTimeToArray($fTagFILETIME[2]) ; last Modified if @error <> 10 then Local $year = $fModTime[2] Local $month = $fModTime[0] Local $day = $fModTime[1] Local $hour = $fModTime[3] Local $min = $fModTime[4] Local $sec = $fModTime[5] Local $ms = $fModTime[6] Local $weekday = $fModTime[7] Global $prettyTimestamp = StringFormat("%s, %s %d, %04d %02d:%02d:%02d", $dayNumber[$weekday], $monthNumber[$month], $day, $year, $hour, $min, $sec) Global $uploadDate = StringFormat("%04d-%02d-%02d", $year, $month, $day) $fModTime = _Date_Time_FileTimeToArray(_Date_Time_FileTimeToLocalFileTime($fTagFILETIME[2])) ; last Modified Local $year = $fModTime[2] Local $month = $fModTime[0] Local $day = $fModTime[1] Local $hour = $fModTime[3] Local $min = $fModTime[4] Local $sec = $fModTime[5] Local $ms = $fModTime[6] Local $weekday = $fModTime[7] ; GetUnixTime accounts for Local time, hence feed it local time Global $unixTimestamp = _GetUnixTime($year &"/"& $month &"/"& $day &" "& $hour&":"& $min &":"& $sec) else Global $prettyTimestamp = "N/A" Global $uploadDate = "" Global $unixTimestamp = "N/A" endif endfunc  
      _GetUnixTime returned the year 1601 start date, showing that $fModTime is probably equal 0. (But Why?)
      The file reports these dates in Explorer, it's on local NTFS drive:
      Created: ‎‎Wednesday, ‎31. ‎Januar ‎2018, ‏‎18:55:02
      Modified: ‎Wednesday, ‎10. ‎Januar ‎2018, ‏‎12:39:23
      Accessed: ‎Wednesday, ‎10. ‎Januar ‎2018, ‏‎12:39:23
    • Trisha
      By Trisha
      Hello,
      I Have clicked on save as option to save a file, while doing that I need to rename a file appending with sysdate. I have searched in google find the below one line of code:
      FileMove("C:\somefile.txt", "C:\somefile1.txt"), When I am trying to append with sysdate. It is not happening. Please help me out  with the small issue.
    • Overkill
      By Overkill
      Hi all,
      I am working on a GUI program to update Google's Dynamic DNS (API at https://support.google.com/domains/answer/6147083?authuser=1&hl=en if you scroll to bottom). I am not a programmer by any means - just a sysadmin who has picked up on some things along the way. I am sure that there's better ways to do a lot of things in this script; I'm just going with what I know.
      My challenge right now is that I'd like a better way to store the credentials both in memory as well as in system registry or INI file (not sure which way I want to go for local storage). How should I convert the passwords to a secure string in a manner that can't be easily reversed, yet is still accessible to the script? Is that even an option in AutoIt?
      Can anybody provide me with links to good reference posts, or coding suggestions for how best to achieve this in the script below? I am using the WinHTTP UDF (https://github.com/dragana-r/autoit-winhttp/releases) to make my API calls.
      #include<WinHTTP.au3> #include<GUIConstantsEx.au3> #include<EditConstants.au3> #include<iNet.au3> #include<Array.au3> DIM $aDomainList[1][4] $aDomainList[0][0] = 0 $gMainGUI = GUICreate("Overkill's Google DNS Updater",800,800) $gDomainLabel = GUICtrlCreateLabel("FQDN",21,8) $gDomainInput = GUICtrlCreateInput("",60,5,300) $gUserLabel = GUICtrlCreateLabel("Username",5,36) $gUserInput = GUICtrlCreateInput("",60,32,130,Default,BitOR($GUI_SS_DEFAULT_INPUT,$ES_PASSWORD)) $gPasswordLabel = GUICtrlCreateLabel("Password",6,64) $gPassInput = GUICtrlCreateInput("",60,60,130,Default,BitOR($GUI_SS_DEFAULT_INPUT,$ES_PASSWORD)) $gAddButton = GUICtrlCreateButton("ADD DOMAIN",200,31,160,52) $gCurrentIP = GUICtrlCreateLabel("Current IP: " & _CheckIP(),5,780) $gDomainList = GUICtrlCreateListView("Domain | Resolved IP | Update Status",5,120,600,600) GUISetState(@SW_SHOW,$gMainGUI) while 1 $m = GUIGetMsg() IF $M = $GUI_EVENT_CLOSE then Exit IF $M = $gAddButton Then $sAddDomain = GUICtrlRead($gDomainInput) $sAddUser = GUICtrlRead($gUserInput) $sAddPass = GUICtrlRead($gPassInput) $sResolveIP = _DNSCheck($sAddDomain) ;Google wants you to avoid sending updates when there are no changes If StringCompare($sResolveIP,_CheckIP()) = 0 Then $sStatus = "No change, not sending update" Else $sStatus = _DNSUpdate($sAddDomain,$sAddUser,$sAddPass) EndIf ;Check to make sure all fields are completed before continuing IF StringLen($sAddDomain) = 0 OR StringLen($sAddUser) = 0 OR StringLen($sAddPass) = 0 Then MsgBox(0,"","Please complete all fields") Else ; If the fields all have data, then continue ;Check to see if the entry exists in the array already $iSanity = _ArraySearch($aDomainList,$sAddDomain) IF $iSanity = 0 Then _ArrayAdd($aDomainList,$sAddDomain & "|" & $sAddUser & "|" & $sAddPass ) If @error = 0 Then $aDomainList[0][0] += 1 $aDomainList[$aDomainList[0][0]][3] = GUICtrlCreateListViewItem($sAddDomain & "|" & $sResolveIP & "|" & $sStatus,$gDomainList) Else MsgBox(0,"","Error adding input to list") EndIf Else ; If $iSanity <> 0 ; Update existing info in array and listviewitem $aDomainList[$iSanity][0] = $sAddDomain $aDomainList[$iSanity][1] = $sAddUser $aDomainList[$iSanity][2] = $sAddPass GUICtrlSetData($aDomainList[$iSanity][3],$sAddDomain & "|" & $sResolveIP & "|" & $sStatus) EndIf ; If $iSanity = 0 EndIf ; If StringLen... EndIf ; If $m = $gaddbutton WEnd ;---------------------------------------------------------------------------------------- Func _DNSCheck($sFQDN) $sJSON = _INetGetSource("https://dns.google.com/resolve?name=" & $sFQDN & "&cd=1") ConsoleWrite($sJSON & @CRLF) $sIPAddress = StringRegExpReplace($sJSON,'^.*data": "(.*?)".*?$',"\1") Return $sIPAddress EndFunc ;---------------------------------------------------------------------------------------- Func _DNSUpdate($sFQDN,$sUser,$sPass) Local $sGoogleAPIURI = "https://domains.google.com" Local $hOpen = _WinHttpOpen() Local $hConnect = _WinHttpConnect($hOpen, $sGoogleAPIURI) Local $sHeader = _ 'Authorization: Basic ' & _Base64Encode($sUser & ":" & $sPass) & @CRLF & _ 'Accept: */*' & @CRLF & _ 'User-Agent: AutoITScript/' & @AutoItVersion & @CRLF & _ 'Content-Type: application/x-www-form-urlencoded' Local $aHTTPResponse = _WinHttpSimpleSSLRequest($hConnect, "POST", "/nic/update", Default, "hostname=" & $sFQDN, $sHeader, True, Default, Default, Default, True) _WinHttpCloseHandle($hConnect) _WinHttpCloseHandle($hOpen) If IsArray($aHTTPResponse) Then $sHTTPResponse = "Header:" & @CRLF & $aHTTPResponse[0] & @CRLF & "Data:" & @CRLF & $aHTTPResponse[1] & @CRLF & @CRLF & @CRLF Return $aHTTPResponse[1] Else $sHTTPResponse = "NO REPLY" Return "No reply from " & $sGoogleAPIURI EndIf EndFunc ;---------------------------------------------------------------------------------------- Func _Base64Encode($sData) Local $oXml = ObjCreate("Msxml2.DOMDocument") If Not IsObj($oXml) Then SetError(1, 1, 0) EndIf Local $oElement = $oXml.createElement("b64") If Not IsObj($oElement) Then SetError(2, 2, 0) EndIf $oElement.dataType = "bin.base64" $oElement.nodeTypedValue = Binary($sData) Local $sReturn = $oElement.Text If StringLen($sReturn) = 0 Then SetError(3, 3, 0) EndIf Return $sReturn EndFunc ;---------------------------------------------------------------------------------------- Func _CheckIP() Return _INetGetSource("https://domains.google.com/checkip") EndFunc ;----------------------------------------------------------------------------------------  
    • lewisg
      By lewisg
      Suddenly a RunWait command has stop working after 2 years of no errors, issues, or problems. The code uses RunWait to start Plink.exe, a command-line remote connection tool similar to UNIX ssh. I'm using it to ssh to a linux (Centos) machine, run a Perl script, and redirect the output to a file on a PC running the AutoIt script.  
       
      $FilePath = "C:\AutoIT\LED" $FilePathPlus = $FilePath & "\plink.exe" $Code1 = RunWait(@ComSpec & " /c " & $FilePathPlus & " -ssh -l root -pw ?????? 10.170.4.163 /usr/local/nagios/etc/led.pl > C:\AutoIT\LED\led.txt ", @SW_SHOW) ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : @ComSpec & " /c " & $FilePathPlus & " -ssh -l root -pw ????? 10.170.4.163 /usr/local/nagios/etc/led.pl > C:\AutoIT\LED\led.txt " = ' & @ComSpec & " /c " & $FilePathPlus & " -ssh -l root -pw ?????? 10.170.4.163 /usr/local/nagios/etc/led.pl > C:\AutoIT\LED\led.txt " & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console The ConsoleWrite output when cut-n-pasted into a DOS box produces the expected file so I know it works. I've also tried many variations of the function moving, adding, and changing the " and ' (quote) marks. Also tried it without the @ComSpec macro and other related functions...e.g.  ShellExecuteWait , etc.
      The PC is a Windows 10 64bit and AutoIT is version 3.3.14.2.
      Searching here and Google has not yielded any clues that helped. 
    • Danyfirex
      By Danyfirex
      Hello guys. Here is a small function to create a hash hmac  similar to hash_hmac PHP function.  
      Supported are: SHA512,SHA256,SHA1,SHA384,MD5 and RIPEMD160.
       
      Local $sSecret = "SecretKey" Local $sMessage = "AutoIt Rocks!!!" ConsoleWrite("HMAC-SHA256: " & @TAB & @TAB & _HashHMAC("SHA512", $sMessage, $sSecret) & @CRLF) ConsoleWrite("HMAC-SHA256: " & @TAB & @TAB & _HashHMAC("SHA256", $sMessage, $sSecret) & @CRLF) ConsoleWrite("HMAC-SHA1: " & @TAB & @TAB & _HashHMAC("SHA1", $sMessage, $sSecret) & @CRLF) ConsoleWrite("HMAC-SHA384: " & @TAB & @TAB & _HashHMAC("SHA384", $sMessage, $sSecret) & @CRLF) ConsoleWrite("HMAC-MD5: " & @TAB & @TAB & _HashHMAC("MD5", $sMessage, $sSecret) & @CRLF) ConsoleWrite("HMAC-RIPEMD160: " & @TAB & _HashHMAC("RIPEMD160", $sMessage, $sSecret) & @CRLF) Func _HashHMAC($sAlgorithm, $bData, $bKey, $bRaw_Output = False) Local $oHashHMACErrorHandler = ObjEvent("AutoIt.Error", "_HashHMACErrorHandler") Local $oHMAC = ObjCreate("System.Security.Cryptography.HMAC" & $sAlgorithm) If @error Then SetError(1, 0, "") $oHMAC.key = Binary($bKey) Local $bHash = $oHMAC.ComputeHash_2(Binary($bData)) Return SetError(0, 0, $bRaw_Output ? $bHash : StringLower(StringMid($bHash, 3))) EndFunc ;==>_HashHMAC Func _HashHMACErrorHandler($oError) ;Dummy Error Handler EndFunc ;==>_HashHMACErrorHandler It requires .NET Framework  2.0 or higher.
      Saludos
×