Jump to content

razorwire hash check for files


usmiv4o
 Share

Recommended Posts

#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.2.4.3
 Author:         usmiv4o

 Script Function:
    AutoIt script to check if files in directory are changed. It is usefull for security contra-inteligense measures.

 Function Name:    LoadTripwireDB()
 Description:      Loads database (text file tripwire.txt) and compare files in /test folder for changes.
                    compares Hash (MD5) checksums. If they are not the same starts Initial()
 Function Name:    Initial()
 Description:      Checks directory and makes index of files and their MD5 checksums in text file (tripwire.txt)

 Function Name:    Hush()
 Description:      Checks file and returns its MD5 checksum.

 Requirement(s):   Windows XP
 Return Value(s):  On Success - Returns true. Files are the same as before.
                   On Failure - return false.

  Example:
 LoadTripwireDB()


#ce ----------------------------------------------------------------------------
#include <Crypt.au3>
#include <File.au3>
#include <Array.au3>


$sDir = @ScriptDir & "\Test"
$sFilePath = @ScriptDir & "\tripwire.txt"

Func Hush(ByRef $sFile)
    $sRead = FileOpen( $sFile)
    $dHash = _Crypt_HashData($sRead, $CALG_MD5) ; Create a hash of the text entered.
    ConsoleWrite("Hash of file " & $sFile & "  is " & $dHash & @CRLF)
EndFunc


    ;ConsoleWrite("Files in Dir are " & $aScriptDir[0] & @CRLF)
    ;$sFilePath = @ScriptDir & "\Examples.txt"
    ;_FileWriteFromArray($sFilePath, $aScriptDir, 1)
    ;_ArrayDisplay($aScriptDir, "1D display")

Func Initial()
    $aScriptDir = _FileListToArray($sDir)
    for $i = 1 To UBound($aScriptDir) - 1
        $dHash = _Crypt_HashData($i, $CALG_MD5)
        ;ConsoleWrite("File " & $aScriptDir[$i] & " is " & $dHash & @CRLF)
        ConsoleWrite($aScriptDir[$i] & ":" & $dHash & @CRLF)
        ;Hush($aScriptDir[$i])

        ;FileWrite

        $hFileOpen = FileOpen($sFilePath, $FO_APPEND)
        If $hFileOpen = -1 Then
            MsgBox($MB_SYSTEMMODAL, "", "An error occurred when reading the file.")
        EndIf
        FileWrite($hFileOpen, $aScriptDir[$i] & ":" & $dHash & @CRLF)
    Next
EndFunc

Func Monitor()
    $aScriptDir = _FileListToArray($sDir)
    for $i = 1 To UBound($aScriptDir) - 1

    Next
EndFunc

Func LoadTripwireDB()
    $comparison_ok = false
    $dArray = _FileListToArray($sDir)       ;directory
    $dArray0 = UBound($dArray) - 1
    $fArray =  FileReadToArray($sFilePath)  ;file
    $fArray0 = UBound($fArray)
    ;_ArrayDisplay($dArray, "files array")
    if $dArray0 = $fArray0 Then     ; are file same as recorded in txt file?
        ;ConsoleWrite("files in monitoring dir: " & $dArray[0] & " = file recorded: " & $fArray0 & @CRLF & $fArray[0]& @CRLF)
        for $i = 1 To UBound($dArray) - 1
            ;ConsoleWrite("i = " & $i & @CRLF)
            $dHash = _Crypt_HashData($i, $CALG_MD5) ;binary
            ;$dHash = BinaryToString($dHash)
            $ffhash = StringSplit( $fArray[$i-1],":")
            $fhash = $ffhash[2]

            ;ConsoleWrite("IsBinary $dHash " & IsBinary($dHash) & @CRLF)

            if  $dHash = $fhash  Then   ;if compared hashes are equal
                ;ConsoleWrite($fhash & ":" & $dHash & " equal" & @CRLF)
                ;ConsoleWrite("File:      " & $fhash & @CRLF & "Directory: " & $dHash & @CRLF & "equal:     yes " & @CRLF)

            Else                        ;if compared hashes are not equal
                ;ConsoleWrite("File:      " & $fhash & @CRLF & "Directory: " & $dHash & @CRLF & "equal:     not " & @CRLF)
                ;MsgBox(0,"hash md5",$fhash & ":" & $dHash & " not equal")
            EndIf

        Next
        ;ConsoleWrite("hashes are equal" & @CRLF)
        $comparison_ok = true
    Else
        ConsoleWrite("number of files in monitoring dir are not same as recorded" & @CRLF)
        ConsoleWrite("directory: " & $dArray[0] &":"& "files: " & UBound($fArray) - 1 & @CRLF)
    EndIf
    Return $comparison_ok
EndFunc

#main
if LoadTripwireDB() = true Then
    ConsoleWrite(" hashes are equal " & @CRLF)
ElseIf  LoadTripwireDB() <> true Then
    ConsoleWrite(" hashes are not equal " & @CRLF)
    ConsoleWrite(" hashes are not equal " & @CRLF)
    Initial()
EndIf

 

tripwire.au3

tripwire.txt

I have nothing to be proud: I am Bulgarian :~But there is no better place than 127.0.0.1Tutorial for newbies

Link to comment
Share on other sites

BTW, MD5 is rather weak nowadays, especially for security (anti-malicious) purposes.  SHA2 is way more secure (today and for some time).

This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Link to comment
Share on other sites

Hashing is a very good way to check the integrity of a file but something that should be noted is hashing large files will make this slow.

The Hash function hashes the first 524,288 characters (roughly 4mb if my math is correct); doesn't seem like a lot but then it's going to run that string through the actual hashing algorithm. A quicker way would be just to check the Date Modified, Date Created attributes, and size of the file.

Link to comment
Share on other sites

32 minutes ago, InunoTaishou said:

A quicker way would be just to check the Date Modified, Date Created attributes, and size of the file.

All these attributes can too easily be tampered with.

This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Link to comment
Share on other sites

20 minutes ago, jchd said:

All these attributes can too easily be tampered with.

Yup, didn't say it was the best way to check integrity, just a quicker way.

Just warning if someone was trying to use this to monitor dozens of files that may be hundreds of mbs each. Since autoit cannot multi thread and create a process to hash each one, hashing each one of them, sequentially, is going to take a while (I tried a long time ago on about 100 files that were a few gbs each and it took, I think, around 40 minutes to do them all, can't remember the exact time since it was so long ago).

Edited by InunoTaishou
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...