Change Hash of a file for Security-Testing

IT-Security products very often rely on blacklisting based on hash-values of a file. In order to test those products, for example if the products promises to be hash/signature-less, that it can detect all kings of polymorphic threats or some other promise, it can be helpful to be able to change the hash of a file without changing to file too much.

In Windows this can be done using cmd or powershell:

echo "asdasdasd" >> file.exe

Using powershell (4.0 or higher) you can use "Get-FileHash .\file.exe -Algorithm MD5" to check the hash of the file:

Get-FileHash .\file.exe -Algorithm MD5
Get-FileHash .\file.exe -Algorithm SHA1
Get-FileHash .\file.exe -Algorithm SHA256
Get-FileHash .\file.exe -Algorithm SHA384
Get-FileHash .\file.exe -Algorithm SHA512
Most IT-Security products use MD5 hashing for their blacklisting purpose, some use SHA1 or SHA256 hashing.

To change the hash of the file:
PS C:\Users\Flo\Downloads> Get-FileHash .\KeePass-2.40-Setup.exe -Algorithm MD5

Algorithm Hash Path
--------- ---- ----
MD5 351D9EF64047F792AEE0520FFD27A78A C:\Users\...

PS C:\Users\Flo\Downloads> echo "HashAppend" >> .\KeePass-2.40-SetupTestHash.exe
PS C:\Users\Flo\Downloads> Get-FileHash .\KeePass-2.40-SetupTestHash.exe -Algorithm MD5
Algorithm Hash Path
--------- ---- ----MD5 2A41BDF3C7498664998A97DBF6341F75 C:\Users\...
  -> Hash changed, executable still can be opened/used.
at 1 comment:
Subscribe to: Posts (Atom)

Cribl - Change values to lowerCase

Some logs (e.g. Microsoft Azure) sometimes are not fully normalized to all lowercase characters. You can use Cribl to adjust those values by...