SigcheckGUI - file information and hashing

#46 Post by webfork »

In my recent post about portability testing, I referenced SigcheckGUI's use in software analysis (mostly hash and VT values, but there's other available info).

While I jumped through a lot of hoops with TP109's collaboration a few years ago to make it work with a detailed spreadsheet analysis, my increasing comfort with the command line got me working on a process that skips the GUI. For flexibility, I went ahead and set this all up inside my existing SigcheckGUI folder.

Setup:
  1. Create a folder “input” under the sigcheckgui folder where I put the files I want to analyze
  2. Run the following command (basically paste this into a .txt file that's renamed with a .bat suffix and then launch)

    sigcheck64.exe -nobanner -h -v -w file_report.txt .\input

Result:

Example output of two sigcheck files (analysis of the 32-bit and 64-bit analysis programs):

C:\Temp\Testing Tools\SigCheckGUI\input\sigcheck.exe:
Verified: Signed
Signing date: 3:45 PM 9/11/2020
Publisher: Microsoft Corporation
Company: Sysinternals - www.sysinternals.com
Description: File version and signature viewer
Product: Sysinternals Sigcheck
Prod version: 2.80
File version: 2.80
MachineType: 32-bit
MD5: 60C97B52BE2D988D8D39430CFB749106
SHA1: F1D5330D467E9F7950509F60B758453A86D7EED4
PESHA1: FB652CC0D7EF87911E93A37083C4EC5B1CBE4857
PE256: 1513648611DFDB6D04309339E814903D6600AA5839637B6C3B91D7B23BC36C0F
SHA256: 5141B3A6558EB65BD9EAA87ABAFF040920F6A0E1F6F1894DF7A14CA1254E99AB
IMP: 1FA91A5B71B4C34C060FC289B51FAAEE
VT detection: 0/76
VT link: https://www.virustotal.com/gui/file/514 ... /detection

C:\Temp\Testing Tools\SigCheckGUI\input\sigcheck64.exe:
Verified: Signed
Signing date: 3:42 PM 9/11/2020
Publisher: Microsoft Corporation
Company: Sysinternals - www.sysinternals.com
Description: File version and signature viewer
Product: Sysinternals Sigcheck
Prod version: 2.80
File version: 2.80
MachineType: 64-bit
MD5: B8CEB67F37D44F4AAA477F7C5CB6A6DB
SHA1: 2B772AAFE711483A2B9C87C277714DE321B570BE
PESHA1: F02FCE9287197086B7592836120B6587E2CB9383
PE256: B575A38362582C766B9B9B8EE8C0F223E0697ABABD6A2D0A610CADCAEDFB6CFC
SHA256: BD841661B5E82840B61F078F3E5B420969A3A8EA1345615C6820B9FE89000038
IMP: 9E056220139688D3D2268604BFB7E4A6
VT detection: 0/76
VT link: https://www.virustotal.com/gui/file/bd8 ... /detection

Why all this detail? I try to keep a "less is more" approach to posting here in forums, but testing often demands more. While most users are going to care first and foremost about the easy VirusTotal link and detection (--/76), there are some other advantages:
  • Determine whether it's 64-bit only
  • Make sure you're testing the latest-and-greatest version
  • Find out if the application is signed, since that type of program will run on more computers (some machines are locked down to only allow signed apps). Note that this one is signed by Microsoft because Sysinternals is a Microsoft company.
  • File verification - while SHA256 is more than adequate, if you only have an MD5 hash program handy (easily the most common), that should be fine. Note that I don't think IMP, PE256 or PESHA1 are in wide use outside of Windows developers.
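
A follow-up to the report step in the post above, added here as an example (it is not part of webfork's post and not Sysinternals code): PowerShell that parses the `-w` text report into one object per file and lists files that are unsigned, have VirusTotal detections, or whose SHA256 on disk no longer matches the report. The function names, the sample paths and the `Unsigned` value in the constructed sample are assumptions.

```powershell
# Added example: parse a Sigcheck text report and list files that need a closer look.
function ConvertFrom-SigcheckReport {
    param([string[]]$Lines)
    $record = $null
    foreach ($line in $Lines) {
        if ($line -match '^(?<path>[A-Za-z]:\\.+):\s*$') {
            # "C:\...\file.exe:" starts the record for the next file
            if ($null -ne $record) { [pscustomobject]$record }
            $record = [ordered]@{ Path = $Matches['path'] }
        }
        elseif ($null -ne $record -and $line -match '^\s*(?<name>[^:]+):\s*(?<value>.*)$') {
            # "Name: value" line; only the first colon separates name from value
            $record[$Matches['name'].Trim()] = $Matches['value'].Trim()
        }
    }
    if ($null -ne $record) { [pscustomobject]$record }
}

function Get-SigcheckFinding {
    param($Record)
    if ($Record.Verified -ne 'Signed') { "not signed ($($Record.Verified))" }
    if ($Record.'VT detection' -match '^(\d+)/\d+$') {
        if ([int]$Matches[1] -gt 0) { "VirusTotal detections: $($Record.'VT detection')" }
    }
    else { "no VirusTotal result ($($Record.'VT detection'))" }
    # Re-hash the file if it is still on disk and compare with the report
    if ($Record.SHA256 -and (Test-Path -LiteralPath $Record.Path -PathType Leaf)) {
        $actual = (Get-FileHash -LiteralPath $Record.Path -Algorithm SHA256).Hash
        if ($actual -ne $Record.SHA256) { "SHA256 on disk differs from report" }
    }
}

# Constructed sample in the layout shown above (paths and values are made up)
$sample = @'
C:\Temp\input\signed_tool.exe:
Verified: Signed
MachineType: 64-bit
VT detection: 0/76
C:\Temp\input\unsigned_tool.exe:
Verified: Unsigned
MachineType: 32-bit
VT detection: 3/76
'@ -split '\r?\n'

# For a real run: $sample = Get-Content .\file_report.txt
foreach ($r in ConvertFrom-SigcheckReport -Lines $sample) {
    $findings = @(Get-SigcheckFinding -Record $r)
    if ($findings.Count) { '{0}: {1}' -f $r.Path, ($findings -join '; ') }
}
```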

#47 Post by TP109 »

It may be easier to scan programs or folders in their installed location instead of copying them to a test folder. A batch file can be used to scan programs and folders with SigCheck where they are installed and drop the result to a specified location. The attached batch file can do that by dragging and dropping a single file or folder onto it and send the results to the user's desktop. The drop location can be changed in the batch file. Be sure to change SigCheck's path in the batch file before using. The batch file can be modified to send the result to any other directory, or to a cmd window. Another handy way to use it is with OpenWithPlusPlus.

OpenWithPlusPlus with SigCheck entry
Sigcheck_to_fixed_file_location.zip
Zipped sigcheck batch file

#48 Post by Midas »

Yep, I was going to note that you could replace the ".\input" part of webfork's BAT with "%1" to allow for dragging and dropping...

EDIT:

:: Sigcheck Drag'n'drop Script v0.1 by Midas
:: Place in 'sigcheck64.exe' folder then drag'n'drop any executable file
:: to create a sidecar report file: '[exefilename]-sigchkd_[datetime].txt'

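:: Timestamp is made file-name safe (date and time formats vary by locale); paths are quoted for spaces
SET now=%time:~0,8%
SET now=%now::=%
SET now=%now: =0%
SET today=%date:-=%
SET today=%today:/=%
SET today=%today: =%
"%~dp0sigcheck64.exe" -nobanner -h -vt -w "%~n1-sigchkd_%today%%now%.txt" "%~1"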
