Maxstar
November 20, 2023, 3:34pm
1
Hi,
I’m using the following REG script to calculate hash values with a right click on the file. How can I mofify this script to calculate the Base64 hashes for SHA1 and SHA256 as well?
[HKEY_CLASSES_ROOT\*\shell\hash]
"MUIVerb"="Calculate Hash Value"
"SubCommands"=""
[HKEY_CLASSES_ROOT\*\shell\hash\shell\SHA1]
"MUIVerb"="SHA1"
[HKEY_CLASSES_ROOT\*\shell\hash\shell\SHA1\command]
@="powershell -noexit get-filehash -literalpath '%1' -algorithm SHA1 | format-list"
[HKEY_CLASSES_ROOT\*\shell\hash\shell\SHA256]
"MUIVerb"="SHA256"
[HKEY_CLASSES_ROOT\*\shell\hash\shell\SHA256\command]
@="powershell -noexit get-filehash -literalpath '%1' -algorithm SHA256 | format-list"
For example:
Algorithm : SHA256 and Base64
Hash : 6A33947B40670D815B3DC7D1435FB0B432BECA371FD5E05E2E5190AEF337DF9B
Hash b64 : ajOUe0BnDYFbPcfRQ1+wtDK+yjcf1eBeLlGQrvM335s=
Path : C:\Windows\explorer.exe
Olaf
November 20, 2023, 5:19pm
2
Maxstar,
What exactly do you mean by …
?
If I got it right the Base64 represantation of the hash string in your example would be
NgBBADMAMwA5ADQANwBCADQAMAA2ADcAMABEADgAMQA1AEIAMwBEAEMANwBEADEANAAzADUARgBCADAAQgA0ADMAMgBCAEUAQwBBADMANwAxAEYARAA1AEUAMAA1AEUAMgBFADUAMQA5ADAAQQBFAEYAMwAzADcARABGADkAQgA=
Does this help:
?
May I ask what’s the purpose of that requirement? Whatfor do you need that?
EDIT:
$Path = 'C:\Windows\explorer.exe'
[PSCustomObject]@{
Path = $Path
SHA1 = (Get-FileHash -Path $Path -Algorithm SHA1).Hash
SHA256 = (Get-FileHash -Path $Path).Hash
} |
Format-List
The output looks like this:
Path : C:\Windows\explorer.exe
SHA1 : 38013D682C7F81AB01367298BD27FE14A18B005F
SHA256 : DC66E22C929AA80A3265F19E506885A00DFEC3ADAA9A14CD89C3F4E820E4C6DB
Maxstar
November 20, 2023, 5:43pm
3
Hi Olaf,
The purpose of this script is to check hash values of WinSxS payload files to determine the hash value as SHA256 as well as SHA256 Base64 like this example below…
Algorithm : SHA256 and Base64
Hash : 6A33947B40670D815B3DC7D1435FB0B432BECA371FD5E05E2E5190AEF337DF9B
Hash b64 : ajOUe0BnDYFbPcfRQ1+wtDK+yjcf1eBeLlGQrvM335s=
Olaf
November 20, 2023, 5:49pm
4
How did you calculate the Base64 value?
Maxstar
November 20, 2023, 5:57pm
5
To calculate the SHA256 Base64 I use HashTab - Download HashTab - MajorGeeks
What I want is to create is an REG which will show both hash values.
Olaf
November 20, 2023, 6:10pm
6
I just installed HashTab on a test PC but there is no SHA256 Base64 hash!?!
Olaf
November 20, 2023, 6:40pm
7
OK, if you know how to actually calculate the value you’re after you can use this reg key as a blueprint:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\SuperHash]
"MUIVerb"="Super Hash"
[HKEY_CLASSES_ROOT\*\shell\SuperHash\command]
@="powershell -NoLogo -NoProfile -NoExit -Command '%1' | Select-Object -Property @{Name = 'Path'; Expression = {$_}},@{Name = 'SHA1'; Expression = {(Get-FileHash -Path $_ -Algorithm SHA1).Hash}},@{Name = 'SHA256'; Expression = {(Get-FileHash -Path $_).Hash}} | Format-List"
The output looks like this:
Path : C:\Windows\explorer.exe
SHA1 : 38013D682C7F81AB01367298BD27FE14A18B005F
SHA256 : DC66E22C929AA80A3265F19E506885A00DFEC3ADAA9A14CD89C3F4E820E4C6DB
Maxstar
November 21, 2023, 11:45am
8
Thanks…
I found the following at StackOverflow base64 - How to get sha256 hash output as binary data instead of hex using powershell? - Stack Overflow
But I don’t know I can use this example in your blueprint.
$ClearString= "test"
$hasher = [System.Security.Cryptography.HashAlgorithm]::Create('sha256')
$hash = $hasher.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($ClearString))
# $hash is a Byte[] array
# convert to Base64
[Convert]::ToBase64String($hash)
Edit:
I also found this example: sha1 - Powershell SHA-1 and base64 encode - Stack Overflow
Olaf
November 21, 2023, 12:30pm
9
So you’re hashing the hash. What purpuse does that serve?
And what do you do with the hashes and the hash of the hash coded in Base64???
And I’d like to ask again:
@="powershell -NoLogo -NoProfile -NoExit -Command '%1' | Select-Object -Property @{Name = 'Path'; Expression = {$_}},@{Name = 'SHA1'; Expression = {(Get-FileHash -Path $_ -Algorithm SHA1).Hash}},@{Name = 'SHA256'; Expression = {(Get-FileHash -Path $_).Hash}},@{Name='Base64';Expression={[Convert]::ToBase64String(([System.Security.Cryptography.HashAlgorithm]::Create('sha256')).ComputeHash([System.Text.Encoding]::UTF8.GetBytes((Get-FileHash -Path $_).Hash)))}}| Format-List"
Maxstar
November 21, 2023, 12:33pm
10
You’ll need to activate SHA256 Base64 from the settings option, it is not enabled by default.
Maxstar
November 21, 2023, 12:38pm
11
Sometimes the CBS.log will show the default SHA256 value, and sometimes the Base64 variant. Also for the SHA1 values. So I want to create a script (reg file) to calculate both values to check if a payload file is corrupted or not.
Maxstar
November 21, 2023, 1:57pm
13
It shows a SHA256 value in base64 format, but it is not the same hash value when I use HashTab? So apparently something goes wrong with calculating the Base64 hash file for some reason?
For example: the installer of Download HashTab 6.0.0.34
PowerShell result:
Path : C:\Users\Administrator\Desktop\HashTab_v6.0.0.34_Setup.exe
SHA256 : B8FF1DD80F370B137922A9DD2D8B04E16FD4F8681458F92C566E65E2E80724AD
Base64 : WX6U+TEPyNdf33UKQJocfljFruqqGdzYBUTUSSjfGT0=
HashTab result:
B8FF1DD80F370B137922A9DD2D8B04E16FD4F8681458F92C566E65E2E80724AD
uP8d2A83CxN5IqndLYsE4W/U+GgUWPksVm5l4ugHJK0=
Olaf
November 21, 2023, 2:17pm
14
That’s what I meant with …
and
Maxstar
November 21, 2023, 2:41pm
15
That’s the whole point, I don’t know exactly how HashTab is calculating the Base64 value. I see a lot of different options to covert HEX to Base64. So I don’t know how to get the same Base64 hash as showed by HashTab.
https://asecuritysite.com/powershell/enc05
Olaf
November 21, 2023, 3:32pm
16
Try this:
@="powershell -NoLogo -NoProfile -NoExit -Command '%1' | Select-Object -Property @{Name = 'Path'; Expression = {$_}},@{Name = 'SHA1'; Expression = {(Get-FileHash -Path $_ -Algorithm SHA1).Hash}},@{Name = 'SHA256'; Expression = {(Get-FileHash -Path $_).Hash}},@{Name='Base64';Expression={[System.Convert]::ToBase64String(([System.Security.Cryptography.SHA256]::Create()).ComputeHash((Get-Content -Path $_ -Encoding Byte)))}}| Format-List"
Attention !! … it is very slow.
Edit:
Try this as well … it might be faster:
@="powershell -NoLogo -NoProfile -NoExit -Command '%1' | Select-Object -Property @{Name = 'Path'; Expression = {$_}},@{Name = 'SHA1'; Expression = {(Get-FileHash -Path $_ -Algorithm SHA1).Hash}},@{Name = 'SHA256'; Expression = {(Get-FileHash -Path $_).Hash}},@{Name='Base64';Expression={[System.Convert]::ToBase64String(([System.Security.Cryptography.SHA256]::Create()).ComputeHash((Get-Content -Path $_ -Encoding Byte -ReadCount 0)))}}| Format-List"
1 Like
Maxstar
November 21, 2023, 4:01pm
17
Olaf
November 21, 2023, 4:05pm
18
For the record - it is the Base64 encoded SHA256 hash of the byte stream of the file content.
Yet another piece of for me useless information in my brain.
1 Like
