jpeppers91
111 Posts

Pinned topic Get Sha1 of a file located anywhere

‏2014-04-24T14:29:54Z |

Can someone help me with this?  I want to get the sha1 of a certain file on any fixed drive on a machine located in any directory.  I understand it is an intensive search.  For example I want to find abc.exe located on C:\ and return the sha1 value of that file. 

Updated on 2014-04-24T16:07:08Z at 2014-04-24T16:07:08Z by jpeppers91
  • jpeppers91
    111 Posts

    Re: Get Sha1 of a file located anywhere

    ‏2014-04-24T18:39:46Z  

    Anyone?

  • Tim.Rice
    79 Posts

    Re: Get Sha1 of a file located anywhere

    ‏2014-04-24T19:21:24Z  

    I'm not sure I understand what you are asking.

    Are you wanting to generate a SHA1 hash of all files on all of your computers so you can compare them later?  Something like Tripwire?

    Or are you looking for a way to 'query' a remote computer for the SHA1 of a file somewhere on the system?

    Updated on 2014-04-24T19:40:18Z at 2014-04-24T19:40:18Z by Tim.Rice
  • jpeppers91
    111 Posts

    Re: Get Sha1 of a file located anywhere

    ‏2014-04-24T19:26:51Z  
    • Tim.Rice
    • ‏2014-04-24T19:21:24Z

    I'm not sure I understand what you are asking.

    Are you wanting to generate a SHA1 hash of all files on all of your computers so you can compare them later?  Something like Tripwire?

    Or are you looking for a way to 'query' a remote computer for the SHA1 of a file somewhere on the system?

    I want to search any fixed drive on a computer for a file called xyz.exe.  If it finds xyz.exe I want the sha1 of that file.

  • Tim.Rice
    79 Posts

    Re: Get Sha1 of a file located anywhere

    ‏2014-04-24T20:19:11Z  

    I want to search any fixed drive on a computer for a file called xyz.exe.  If it finds xyz.exe I want the sha1 of that file.

    This is a non-trivial question and the IEM/TEM client really isn't suited to answer it.  It can be done with a combination of a Task (to find the files and generate the SHA1) and a Custom Analysis (used to gather the results of the Task).

    I'm using the example of "firefox.exe" since it's what I used when I tested the commands.

    Write a Task to find the file(s) you are interested in.  I used the built-in Win7 FCIV.exe utility to generate the SHA1.  One drawback here is that it generates extra output you might not want.  You could use any other utility of your choice (I'm sure you can find one via GOOGLE that will produce cleaner output).  You would need to DOWNLOAD it in the Task before you used it.

    1. Find the desired file "firefox.exe" ...
      • DIR /S /B C:\firefox.exe > C:\AllFiles.txt
    2. Generate the SHA1 hash for each of the files ...
      • Delete C:\AllSHA1.txt
      • FOR /F "tokens=*" %A in (C:\AllFiles.txt) do FCIV -SHA1 "%A" >> C:\AllSHA1.txt

    Now use an Analysis to pick up the contents of the AllSHA1.txt file if it exists.

    • if (exists file "C:\AllSHA1.txt") then (Lines of file "C:\AllSHA1.txt") ELSE Nothing

    Is this what you were looking for?  If so, be careful what you look for.  When you want to look for a different file, update the Task and re-run it to gather the information on the target file.

  • jpeppers91
    111 Posts

    Re: Get Sha1 of a file located anywhere

    ‏2014-04-25T12:39:49Z  
    • Tim.Rice
    • ‏2014-04-24T20:19:11Z

    This is a non-trivial question and the IEM/TEM client really isn't suited to answer it.  It can be done with a combination of a Task (to find the files and generate the SHA1) and a Custom Analysis (used to gather the results of the Task).

    I'm using the example of "firefox.exe" since it's what I used when I tested the commands.

    Write a Task to find the file(s) you are interested in.  I used the built-in Win7 FCIV.exe utility to generate the SHA1.  One drawback here is that it generates extra output you might not want.  You could use any other utility of your choice (I'm sure you can find one via GOOGLE that will produce cleaner output).  You would need to DOWNLOAD it in the Task before you used it.

    1. Find the desired file "firefox.exe" ...
      • DIR /S /B C:\firefox.exe > C:\AllFiles.txt
    2. Generate the SHA1 hash for each of the files ...
      • Delete C:\AllSHA1.txt
      • FOR /F "tokens=*" %A in (C:\AllFiles.txt) do FCIV -SHA1 "%A" >> C:\AllSHA1.txt

    Now use an Analysis to pick up the contents of the AllSHA1.txt file if it exists.

    • if (exists file "C:\AllSHA1.txt") then (Lines of file "C:\AllSHA1.txt") ELSE Nothing

    Is this what you were looking for?  If so, be careful what you look for.  When you want to look for a different file, update the Task and re-run it to gather the information on the target file.

    I actually found the relevance...

    (pathname of it, sha1 of it) of descendants whose (name of it as lowercase is "xyz.exe") of folders "\" of drives whose (type of it="DRIVE_FIXED")

     

    It gives the output like this..

    C:\xyz.exe, da39a3ee5e6b4b0d3255bfef95601890afd80709

    C:\Program Files (x86)\xyz.exe, da39a3ee5e6b4b0d3255bfef95601890afd80709

    C:\unzip\xyz.exe, da39a3ee5e6b4b0d3255bfef95601890afd80709

    My dilemma now is running it as a task.  I have this task below that I tried to modify to write what it finds to a txt file and later use a property to pull the data, but it fails.  Anyone see what is wrong with my task?

     

    delete __appendfile
    delete procdump_exefiles.bat
    appendfile @echo off

    appendfile del "{pathname of parent folder of regapp "BESClient.exe"}\procdump_exefiles.txt"

    appendfile echo "{"**" & concatenation "**" of (pathname of it, sha1 of it) of descendants whose (name of it as lowercase is "xyz.exe") of folders "\" of drives whose (type of it="DRIVE_FIXED") & "**"}" >> "{pathname of parent folder of regapp "BESClient.exe"}\procdump_exefiles.txt"

    move __appendfile procdump_exefiles.bat

    wait "{pathname of client folder of site "BESSupport"}\RunQuiet.exe" procdump_exefiles.bat 1>NUL 2>NUL

     

  • jpeppers91
    111 Posts

    Re: Get Sha1 of a file located anywhere

    ‏2014-04-25T16:09:24Z  

    I actually found the relevance...

    (pathname of it, sha1 of it) of descendants whose (name of it as lowercase is "xyz.exe") of folders "\" of drives whose (type of it="DRIVE_FIXED")

     

    It gives the output like this..

    C:\xyz.exe, da39a3ee5e6b4b0d3255bfef95601890afd80709

    C:\Program Files (x86)\xyz.exe, da39a3ee5e6b4b0d3255bfef95601890afd80709

    C:\unzip\xyz.exe, da39a3ee5e6b4b0d3255bfef95601890afd80709

    My dilemma now is running it as a task.  I have this task below that I tried to modify to write what it finds to a txt file and later use a property to pull the data, but it fails.  Anyone see what is wrong with my task?

     

    delete __appendfile
    delete procdump_exefiles.bat
    appendfile @echo off

    appendfile del "{pathname of parent folder of regapp "BESClient.exe"}\procdump_exefiles.txt"

    appendfile echo "{"**" & concatenation "**" of (pathname of it, sha1 of it) of descendants whose (name of it as lowercase is "xyz.exe") of folders "\" of drives whose (type of it="DRIVE_FIXED") & "**"}" >> "{pathname of parent folder of regapp "BESClient.exe"}\procdump_exefiles.txt"

    move __appendfile procdump_exefiles.bat

    wait "{pathname of client folder of site "BESSupport"}\RunQuiet.exe" procdump_exefiles.bat 1>NUL 2>NUL

     

    When I run it through the action debugger it says relevance clauses must be surrounded by { and }.  So where I have parentheses do I substitute with curly brackets?

     

    appendfile echo "{"**" & concatenation "**" of (pathname of it, sha1 of it) of descendants whose (name of it as lowercase is "xyz.exe") of folders "\" of drives whose (type of it="DRIVE_FIXED") & "**"}" >> "{pathname of parent folder of regapp "BESClient.exe"}\procdump_exefiles.txt"
     

     

     

  • jpeppers91
    111 Posts

    Re: Get Sha1 of a file located anywhere

    ‏2014-04-25T22:04:01Z  

    When I run it through the action debugger it says relevance clauses must be surrounded by { and }.  So where I have parentheses do I substitute with curly brackets?

     

    appendfile echo "{"**" & concatenation "**" of (pathname of it, sha1 of it) of descendants whose (name of it as lowercase is "xyz.exe") of folders "\" of drives whose (type of it="DRIVE_FIXED") & "**"}" >> "{pathname of parent folder of regapp "BESClient.exe"}\procdump_exefiles.txt"
     

     

     

    Anyone?  I've been at this all day, and I am more confused than when I started.

  • MattPeterson
    69 Posts

    Re: Get Sha1 of a file located anywhere

    ‏2014-04-25T22:19:29Z  

    When I run it through the action debugger it says relevance clauses must be surrounded by { and }.  So where I have parentheses do I substitute with curly brackets?

     

    appendfile echo "{"**" & concatenation "**" of (pathname of it, sha1 of it) of descendants whose (name of it as lowercase is "xyz.exe") of folders "\" of drives whose (type of it="DRIVE_FIXED") & "**"}" >> "{pathname of parent folder of regapp "BESClient.exe"}\procdump_exefiles.txt"
     

     

     

    The expression below will be much more efficient to run:

    concatenation " - " of sha1s of it of (files "abc.txt" of folders "\" of drives whose (type of it="DRIVE_FIXED"))

     

    If you wanted to write out to a file using a task your action line would look like this:

    appendfile {concatenation " - " of sha1s of it  of (files "abc.txt" of folders "\" of drives whose (type of it="DRIVE_FIXED"))}

  • jpeppers91
    111 Posts

    Re: Get Sha1 of a file located anywhere

    ‏2014-04-26T01:36:55Z  

    The expression below will be much more efficient to run:

    concatenation " - " of sha1s of it of (files "abc.txt" of folders "\" of drives whose (type of it="DRIVE_FIXED"))

     

    If you wanted to write out to a file using a task your action line would look like this:

    appendfile {concatenation " - " of sha1s of it  of (files "abc.txt" of folders "\" of drives whose (type of it="DRIVE_FIXED"))}

    That doesn't recurse the folder. That is why I was using descendants of folder..

     

    Somewhere in here I have my escaping all wrong.

     

    appendfile echo "{"**" & concatenation "**" of (pathname of it, sha1 of it) of descendants whose (name of it as lowercase is "xyz.exe") of folders "\" of drives whose (type of it="DRIVE_FIXED") & "**"}" >> "{pathname of parent folder of regapp "BESClient.exe"}\procdump_exefiles.txt"
     

  • jgstew
    410 Posts

    Re: Get Sha1 of a file located anywhere

    ‏2014-04-26T13:39:27Z  

    That doesn't recurse the folder. That is why I was using descendants of folder..

     

    Somewhere in here I have my escaping all wrong.

     

    appendfile echo "{"**" & concatenation "**" of (pathname of it, sha1 of it) of descendants whose (name of it as lowercase is "xyz.exe") of folders "\" of drives whose (type of it="DRIVE_FIXED") & "**"}" >> "{pathname of parent folder of regapp "BESClient.exe"}\procdump_exefiles.txt"
     

    I'm not sure where an escaping or similar issue is, but you are trying to combine an echo and an appendfile, which will not give the result you are looking for.

     

    Try this:

    dos echo "{"**" & concatenation "**" of (pathname of it, sha1 of it) of descendants whose (name of it as lowercase is "xyz.exe") of folders "\" of drives whose (type of it="DRIVE_FIXED") & "**"}" >> "{pathname of parent folder of regapp "BESClient.exe"}\procdump_exefiles.txt"

     

    In general this is not a great idea, especially if the target computer does not have an SSD. Do you really have to search ALL folders, or is it a set of particular folders you want to search that may or may not exist?

     

    Are you trying to do a sort of virus scan? If so, then I would recommend taking a look at this:

    http://bigfix.me/fixlet/details/3721

    I also have an analysis I'm working on to report on the findings of the virus scan. I thought I published it, but I'm having trouble finding it.

     

  • jpeppers91
    111 Posts

    Re: Get Sha1 of a file located anywhere

    ‏2014-04-26T17:44:23Z  
    • jgstew
    • ‏2014-04-26T13:39:27Z

    I'm not sure where an escaping or similar issue is, but you are trying to combine an echo and an appendfile, which will not give the result you are looking for.

     

    Try this:

    dos echo "{"**" & concatenation "**" of (pathname of it, sha1 of it) of descendants whose (name of it as lowercase is "xyz.exe") of folders "\" of drives whose (type of it="DRIVE_FIXED") & "**"}" >> "{pathname of parent folder of regapp "BESClient.exe"}\procdump_exefiles.txt"

     

    In general this is not a great idea, especially if the target computer does not have an SSD. Do you really have to search ALL folders, or is it a set of particular folders you want to search that may or may not exist?

     

    Are you trying to do a sort of virus scan? If so, then I would recommend taking a look at this:

    http://bigfix.me/fixlet/details/3721

    I also have an analysis I'm working on to report on the findings of the virus scan. I thought I published it, but I'm having trouble finding it.

     

    It's not a virus scan; I'm looking for certain executables and they can be anywhere. I have the relevance that finds the files, but when I added the pathname of sha1 of it to the mix it gave me errors. Thanks for your reply but unfortunately that did not work either.

     

    Thanks

  • jpeppers91
    111 Posts

    Re: Get Sha1 of a file located anywhere

    ‏2014-04-28T13:48:14Z  

    It's not a virus scan; I'm looking for certain executables and they can be anywhere. I have the relevance that finds the files, but when I added the pathname of sha1 of it to the mix it gave me errors. Thanks for your reply but unfortunately that did not work either.

     

    Thanks

    I understand this is not ideal but it is necessary in some cases.  I found the relevance after working on it all weekend.  Turns out I needed a semicolon.

     

    pathnames of it ; sha1s of it

     

     

     

    delete __appendfile

    delete rf_exefiles.bat

    appendfile @echo off

    appendfile del "{pathname of parent folder of regapp "BESClient.exe"}\rf_exefiles.txt"

    appendfile echo "{"**" & concatenation "," of (pathnames of it ; sha1s of it) of descendants whose (name of it as lowercase is "jamie.txt") of folders "\" of drives whose (type of it="DRIVE_FIXED") & "**"}" >> "{pathname of parent folder of regapp "BESClient.exe"}\rf_exefiles.txt"

    move __appendfile rf_exefiles.bat

     

  • jgstew
    410 Posts

    Re: Get Sha1 of a file located anywhere

    ‏2014-05-02T02:00:23Z  

    I understand this is not ideal but it is necessary in some cases.  I found the relevance after working on it all weekend.  Turns out I needed a semicolon.

     

    pathnames of it ; sha1s of it

     

     

     

    delete __appendfile

    delete rf_exefiles.bat

    appendfile @echo off

    appendfile del "{pathname of parent folder of regapp "BESClient.exe"}\rf_exefiles.txt"

    appendfile echo "{"**" & concatenation "," of (pathnames of it ; sha1s of it) of descendants whose (name of it as lowercase is "jamie.txt") of folders "\" of drives whose (type of it="DRIVE_FIXED") & "**"}" >> "{pathname of parent folder of regapp "BESClient.exe"}\rf_exefiles.txt"

    move __appendfile rf_exefiles.bat

     

     

    Ah, I missed that. I hate it when it is something like that, it is so hard to track down.

     

    You do not need to do this with a .bat file, you could instead just do this with 2 lines of actionscript:

     

    delete "{pathname of parent folder of regapp "BESClient.exe"}\rf_exefiles.txt"

    dos echo "{"**" & concatenation "," of (pathnames of it ; sha1s of it) of descendants whose (name of it as lowercase is "jamie.txt") of folders "\" of drives whose (type of it="DRIVE_FIXED") & "**"}" >> "{pathname of parent folder of regapp "BESClient.exe"}\rf_exefiles.txt"

     

     

    Instead of "dos" you could also use "waithidden cmd /C" which is preferred, particularly in the case of WinXP:

     

    waithidden cmd /C echo "{"**" & concatenation "," of (pathnames of it ; sha1s of it) of descendants whose (name of it as lowercase is "jamie.txt") of folders "\" of drives whose (type of it="DRIVE_FIXED") & "**"}" >> "{pathname of parent folder of regapp "BESClient.exe"}\rf_exefiles.txt"
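
Added example (not part of the thread and not BigFix code): a standalone Python version of the search the final relevance performs, useful for cross-checking on one machine the pathname/SHA-1 pairs the client reports. The function names and the `roots` parameter are assumptions of this example. The da39a3ee5e6b4b0d3255bfef95601890afd80709 value in the sample output earlier in the thread is the SHA-1 of zero bytes of input, so results with that value are flagged as empty files.

```python
import hashlib
import os
import string
import sys

EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()  # da39a3ee...: hash of a zero-byte file
DRIVE_FIXED = 3  # GetDriveTypeW return value for a fixed disk


def fixed_drive_roots():
    """Roots of fixed drives on Windows; "/" elsewhere (assumption for non-Windows)."""
    if sys.platform != "win32":
        return ["/"]
    import ctypes
    get_type = ctypes.windll.kernel32.GetDriveTypeW
    roots = [f"{letter}:\\" for letter in string.ascii_uppercase]
    return [r for r in roots if get_type(r) == DRIVE_FIXED]


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so large executables are not read into memory at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_and_hash(filename, roots=None):
    """Return sorted (pathname, sha1, note) tuples for every file named `filename`."""
    wanted = filename.lower()  # same case-insensitive match as "name of it as lowercase"
    results = []
    for root in roots if roots is not None else fixed_drive_roots():
        # onerror skips unreadable folders; followlinks=False avoids link loops
        for folder, _dirs, files in os.walk(root, onerror=lambda e: None, followlinks=False):
            for name in files:
                if name.lower() != wanted:
                    continue
                path = os.path.join(folder, name)
                try:
                    value = sha1_of_file(path)
                except OSError as error:  # locked or access-denied file
                    results.append((path, None, f"unreadable: {error.strerror}"))
                    continue
                results.append((path, value, "empty file" if value == EMPTY_SHA1 else ""))
    return sorted(results)


if __name__ == "__main__":
    for path, value, note in find_and_hash(sys.argv[1] if len(sys.argv) > 1 else "xyz.exe"):
        print(f"{path}, {value} {note}".rstrip())
```

As with the relevance, a full walk of every fixed drive is disk-intensive; pass a narrower `roots` list when the candidate folders are known.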