Tupp Posted February 2, 2016
I tried searching for this on the forum but didn't find anything. I have an issue of needing to identify which script was used to create the EXE being used in our environment. The individual who created it is no longer here and didn't keep EXE names consistent with script names. I think we do have the script, but when I compile it, the hash of the EXE is not the same as the one in the environment. After lots of testing various scripts (I got a folder full of possibilities) I noticed that the hash is never the same, even when I recompile a script whose code has not changed. I'm assuming unique/random data is being inserted during compile time but I don't know what it is. Does anyone know? Is there a way to prevent this so the hash of the compiled EXE is the same as long as the code is the same? I'm using a PowerShell script to get the MD5. Thanks.
AutoBert Posted February 2, 2016
That's not random data; the creation time is changed, and maybe the File Version also (when autoincrement is enabled). So there is no way: you must compile every script and document its hash. Once a script is recompiled you have to update your documentation.
Edited February 2, 2016 by AutoBert
EmilyLove Posted February 2, 2016
File hashes only offer a false sense of security. There are programs out there that can inject malicious viruses into programs without changing the hash. I'm not one to really talk about security, but I think the route you should take is to get your script digitally signed.
Edited February 2, 2016 by BetaLeaf
JohnOne Posted February 2, 2016
You could try just hashing the data section of the compiled script, leaving the header, interpreter, and resources out.
Edited February 2, 2016 by JohnOne
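An added example, not code from this thread or from AutoIt: one way to act on the suggestion above is to hash the PE headers, each section, and any data appended after the last section separately, so two builds can be compared region by region. It goes slightly beyond the post by reporting every region rather than one; the function names are hypothetical, the sample images are constructed, and nothing is assumed about where the compiler stores the script.

```python
import hashlib
import struct

def build_sample(timestamp, text=b"script-bytes", rsrc=b"version 1.0.0.1", overlay=b""):
    """Constructed, minimal PE-shaped image (not a loadable EXE) used as demo input."""
    sections = [(b".text", text), (b".rsrc", rsrc)]
    opt = bytes(0xE0)  # zero-filled optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, len(opt), 0x102)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    ptr = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    table, body = b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIII16x", name, len(raw), 0, len(raw), ptr)
        body += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + opt + table + body + overlay

def pe_region_hashes(data):
    """Return {region name: SHA-256 hex} for headers, each section and the overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size
    end = table + 40 * nsec
    # The headers region contains the COFF TimeDateStamp, which changes per build.
    regions = {"headers": data[:end]}
    for i in range(nsec):
        name, _vsize, _vaddr, size, ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        if size:
            regions[name.rstrip(b"\0").decode("latin-1")] = data[ptr:ptr + size]
            end = max(end, ptr + size)
    regions["overlay"] = data[end:]  # bytes appended after the last section
    return {k: hashlib.sha256(v).hexdigest() for k, v in regions.items()}

def differing_regions(a, b):
    """Names of regions whose hashes differ between two images."""
    ha, hb = pe_region_hashes(a), pe_region_hashes(b)
    return sorted(k for k in ha.keys() | hb.keys() if ha.get(k) != hb.get(k))

if __name__ == "__main__":
    # Two constructed builds of the same content, compiled at different times.
    print(differing_regions(build_sample(1454371200), build_sample(1454374800)))
```

Run against two real compiles of the same script, the list of differing regions shows which parts of the file change between builds and which stay stable enough to use as an identifier.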
AutoBert Posted February 2, 2016
@BetaLeaf: In theory it is possible to make changes that result in the same hash, but in that time I also have a new File Version with a new hash. The other way, where malware-proggers change their files a little to get a new hash, is often used. So AV engines must check the complete file. When file name, hash, creation date and file length are identical, they know it's this malicious file.
Edited February 2, 2016 by AutoBert
Tupp (Author) Posted February 2, 2016
@AutoBert I figured creation time would probably be in there and causing (part of) it.
@BetaLeaf It's not for security purposes, just for validating I had the right script so it could be modified but keep the other stuff the same.
@JohnOne That sounds fantastic but I have no idea how to do that.
JohnOne Posted February 2, 2016
I did have a thread on here somewhere, where I was doing virtually the same thing, but in C++. It was a few years ago, and I cannot remember what it is called or where it is. It could be rewritten in AutoIt, but that would be no small task for a less than advanced user. You should query yourself as to how important this is to you and whether there is another route.
Tupp (Author) Posted February 2, 2016
It wouldn't be worth it. We'll guess at which script or write a new one, depending on the customer's needs. Thank you everyone for your replies.