Network Security Focus-Microsoft

Re: MS binary integrity baseline

Subject: Re: MS binary integrity baseline
Date: Thu, 19 Aug 2004 08:45:52 -0600
There are several ways I check the integrity of files in Windows:

1. To verify the digital signatures of drivers, you can use sigverif.exe. This 
tool is meant to verify the HCL signature from Microsoft to verify Windows 
compatibility, but it is useful nonetheless.

2. To verify all files protected by Windows File Protection, you can use sfc 
/scannow (note: look inside sfcfiles.dll to see what it checks).

3. To check the authenticode certificate of signed files, use chktrust (found 
in various resource kits and SDKs).

4. You can also check the NTFS file journal of a file to see if a file has 
changed, if you have the journal enabled for that volume: fsutil usn readdata 
c:\windows\notepad.exe

5. Most hotfix scanners use hashes, file dates, etc. to check file versions and 
are quite good at verifying that the files are authentic.

But there's no built-in method to verify hash signatures of files. You can use 
a tool like fsum (http://www.slavasoft.com/fsum/) to create and verify hashes 
but it isn't easy to directly compare them to the files on the install CD 
because the files on the CD are all compressed. You would have to build a 
baseline system and compare them to that.  

One other note: In Windows XP and 2003 you can use Group Policy to set software 
restriction policies to only run programs that you specify. You can set hash 
rules for the policy so that the file only runs if the MD5 and SHA-1 hashes 
match that in the policy. Setting this up would obviously be time-consuming but 
would probably be worth it when protecting a critical server. 


Hope this helps,
Mark Burnett
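Mark's closing suggestion, building a baseline system and comparing hashes against it, is the part with no built-in tool behind it, so here is an added example of that workflow (my code, not from the post or from any tool it names): it hashes every file under a trusted tree into a manifest, then checks a second tree against that manifest and reports modified, missing and unexpected files. It uses SHA-256 rather than the MD5/SHA-1 pair the 2004 tools worked with; the directory names and file contents are constructed for the demo.

```python
"""Build a file-hash baseline from a trusted tree and verify another tree against it.

Added example: a minimal stand-in for the "build a baseline system and compare"
approach. On a real Windows host the trusted tree would be the freshly built
reference system and the manifest would be stored off-box (or signed).
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB chunks so large binaries don't load whole


def file_digest(path, algorithm="sha256"):
    """Return the hex digest of a file's contents (SHA-256 assumed; MD5/SHA-1 also work)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Map every file under root (relative POSIX path) to its digest."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = file_digest(p, algorithm)
    return baseline


def verify_against_baseline(root, baseline, algorithm="sha256"):
    """Compare the tree at root with a stored baseline.

    Returns three sorted lists: files whose hash differs, files present in the
    baseline but gone, and files on disk that the baseline never recorded.
    """
    current = build_baseline(root, algorithm)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    missing = sorted(k for k in baseline if k not in current)
    unexpected = sorted(k for k in current if k not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: a trusted tree and a production tree that drifted."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "trusted"
        prod = Path(tmp) / "production"
        for d in (trusted, prod):
            (d / "system32").mkdir(parents=True)
            # fake "binaries": placeholder bytes, not real PE files
            (d / "system32" / "notepad.exe").write_bytes(b"MZ notepad v1")
            (d / "system32" / "calc.exe").write_bytes(b"MZ calc v1")

        # drift on the production side: one file altered, one removed, one added
        (prod / "system32" / "notepad.exe").write_bytes(b"MZ notepad v1 + patch")
        (prod / "system32" / "calc.exe").unlink()
        (prod / "system32" / "extra.dll").write_bytes(b"MZ extra")

        baseline = build_baseline(trusted)
        # the manifest is what you would keep (and ideally sign) off the host
        manifest = json.dumps(baseline, indent=1, sort_keys=True)
        return verify_against_baseline(prod, json.loads(manifest))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The same comparison can be done natively with PowerShell's Get-FileHash against a stored CSV of hashes; the point either way is that the manifest comes from a machine you trust and is kept where a compromised host cannot rewrite it, otherwise the check only proves the files match whatever the attacker left behind.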



On Wed, 18 Aug 2004 16:55:06 +0000, Chris Conacher wrote:
Dear List

Is there anything that performs binary integrity checks for Windows
OS such as rpm does for Redhat or apt does for Debian?

I want something that will check Windows binaries against a trusted
source - MS site, install CD, etc so that I can determine integrity
baselines of current production systems before deploying an
integrity checking application.

I would have thought that this would be something Microsoft would
provide, but have not seen anything.

Thanks for any input

Chris
