MD5 values of Windows files: is there a list?

Galdorf

I was looking for a quick way to identify patched system files using MD5 hash checks. Is there any web page with info on hashes of Windows system files, or a program that has them built in and compares the values automatically?

atapi.sys and nvata.sys patch rootkits are very common, but with all the updates that NVIDIA does on their controller files it's hard to get MD5s of all versions.

I was thinking of making a utility to put on my boot CD that compares MD5 hash values and replaces the infected file with a clean one.

On another note, I did find software that monitors files for changes using hashes, security signatures and such, called Tripwire; the open source one only supports Linux and the commercial version supports Windows.
 
Found this one for you, hope it helps, and it's free. The only thing with it is you have to browse and insert the file into the file checksum tool and then compare each file; if you have the time to check each DLL file you can create your own checksum report by copying all of the checksum values into Notepad for future reference to compare. Here's the link: http://www.top4download.com/file-checksum-tool/zqqdcfkt.html
 
There really needs to be a pay app that compares MD5 hashes from WinPE environments to known good values and flags those which are not known and not cryptographically signed by a good publisher. If anyone is interested in writing such an app, I'd love to help out with the project! There's probably some money in it to be sure, but unfortunately my VB coding is a bit rusty these days.
 
So I spent around an hour writing up a batch script which will scan the system directories for files with specific extensions and calculate their MD5 hashes, then compare said hashes to an internal whitelist I generated based on a couple of my other known clean machines and output any erroneous/inconsistent findings to a log file.

Now I'm wondering, however, how many different versions of each system file I ought to worry about. Does anyone know how many different versions of each Microsoft system file one might find on each Windows OS? For instance, has mshtml.dll gone through, say, 3 revisions throughout XP's lifespan, or more like 20?

Just curious... not even sure where I might find such information. :)
 
I had an atapi.sys rootkit over the weekend. It took ages to find it. Most of the rootkit apps missed it.
 
Hey MobileTechie--yeah, the newest of those are strongly polymorphic. This MD5 stuff is truly the way of the future in terms of rootkit detection I think.
 
Any idea where Windows' own sigverif would come into this?

That should be able to check if a driver like atapi.sys is signed or not. I'm assuming the original is signed. That sounds like a simple way of detecting doctored drivers.
 
Hey Mobile,

Yes, I actually originally considered integrating that into my process. My only issue (and it might be mine specifically--you guys might not have this problem) is that I am having trouble getting all of the dependencies to run properly in the VistaPE custom boot environment I have constructed. Namely, Cryptographic Services is proving rather challenging, and if I could get that running, I could simply run the system file checker to verify the critical files anyhow, so...

Here's the page on sigverif's dependencies:

http://msdn.microsoft.com/en-us/library/aa940402(WinEmbedded.5).aspx

So yeah, where I stand is with a script which does not discriminate (it looks at all DLL, SYS, and EXE files) and calculates their hashes for whitelist comparison. I don't know how practical this actually is in the field because of the ubiquity of different device drivers. It would be impossible to catalog everything, and I've yet to find a reliable online service with which I can check the validity of a questionable file via hash from a batch file. I am working on that. If I can get it going, I will release the code to you guys here for your use.

Any ideas on the subject?
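The batch script described two posts up (hash every DLL, SYS and EXE under the system directories, compare against a whitelist built from known-clean machines, log anything inconsistent) and the whitelist comparison restated in this post can both be shown in one small tool. The following is an added example written for this thread, not the poster's batch script or any tool named here. It assumes the suspect volume and the clean reference volumes are mounted as ordinary directories (for instance from a boot CD), skips the WinSxS store as a later post suggests, and keeps a set of hashes per file path so that several legitimate patch levels of the same file (the "how many versions of mshtml.dll" question) can all count as known good. It uses MD5 because that is what the thread is about; `hashlib.sha256` is a drop-in replacement if you prefer a collision-resistant digest.

```python
import hashlib
import os
from pathlib import Path

# File extensions the thread's script looks at (DLL, SYS, EXE).
SCANNED_EXTENSIONS = {".dll", ".sys", ".exe"}

# Directory names to skip while walking. Skipping WinSxS is an assumption
# taken from a later post in this thread, not a recommendation from it.
SKIPPED_DIRS = {"winsxs"}


def file_md5(path, chunk_size=1 << 20):
    """Hex MD5 of a file, read in chunks so large drivers are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Yield (lower-cased relative path, md5) for every scanned file under root."""
    root = Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune skipped directories in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIPPED_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in SCANNED_EXTENSIONS:
                yield p.relative_to(root).as_posix().lower(), file_md5(p)


def build_whitelist(known_clean_roots):
    """Merge several known-clean machines into {relative_path: {md5, ...}}.

    A set per path lets different legitimate versions of one file coexist,
    which is what makes a multi-machine whitelist usable at all.
    """
    whitelist = {}
    for root in known_clean_roots:
        for rel, digest in scan_tree(root):
            whitelist.setdefault(rel, set()).add(digest)
    return whitelist


def compare_to_whitelist(suspect_root, whitelist):
    """Classify each scanned file on the suspect volume.

    'ok'       : path known and hash matches one known-good version
    'mismatch' : path known but hash matches none of them (possibly patched)
    'unknown'  : path never seen on any clean machine (needs manual review)
    """
    result = {"ok": [], "mismatch": [], "unknown": []}
    for rel, digest in scan_tree(suspect_root):
        known = whitelist.get(rel)
        if known is None:
            result["unknown"].append((rel, digest))
        elif digest in known:
            result["ok"].append(rel)
        else:
            result["mismatch"].append((rel, digest, sorted(known)))
    return result


def write_log(findings, log_path):
    """Write the inconsistent findings (mismatches and unknowns) to a log file."""
    with open(log_path, "w") as log:
        for rel, digest, known in findings["mismatch"]:
            log.write(f"MISMATCH {rel} md5={digest} expected one of {','.join(known)}\n")
        for rel, digest in findings["unknown"]:
            log.write(f"UNKNOWN  {rel} md5={digest}\n")


if __name__ == "__main__":
    import sys
    # Usage: hashcheck.py <suspect_root> <clean_root> [<clean_root> ...]
    # e.g. the mounted System32 of the suspect disk against two clean machines' copies.
    suspect, *clean = sys.argv[1:]
    findings = compare_to_whitelist(suspect, build_whitelist(clean))
    write_log(findings, "hashcheck.log")
    print(f"ok={len(findings['ok'])} mismatch={len(findings['mismatch'])} "
          f"unknown={len(findings['unknown'])}")
```

A mismatch on a path the whitelist knows is the interesting signal (a known driver whose bytes differ from every clean copy you have); an unknown path is more often just a device driver the reference machines never had, which is exactly the cataloguing problem the post above raises. Paths are compared case-insensitively because NTFS is.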
 
Apologies for the double post, but I just had another idea as well. Anyone ever seen malware loading from the WinSxS directories? If not, I may provide a mechanism for skipping those altogether when scanning for modified binaries. I don't recall seeing much malware activity from those folders myself, but I thought it'd be safer just to ask everyone else their opinion on the matter.

Thanks!
 
Would something like sigcheck from Sysinternals work? You can check for unsigned files, or does malware hide under digitally signed files as well?
 
AFAIK malware can indeed hide within a digitally signed file, but that particular file must be signed after the file is completed. I suppose it would be possible to patch a system file and then digitally sign it with a bogus certificate to try and evade detection. I'm willing to bet this technique is actually used.

But your suggestion holds merit I think! Sigcheck does seem to work within WinPE and other portable environments even without CryptSvc running in the background. Only problem is I don't believe it is picking up on all of the digitally signed files. This could be a side effect from running it within a remote environment.

I need to do additional investigating I suppose.
 
This thread is a bit old now but I didn't see anyone mention using sfc, which is built into Windows. It doesn't do MD5 verification, but I've used it a few times with success after virus removal.
 