While I jumped through a lot of hoops with TP109's collaboration a few years ago to make it work with a detailed spreadsheet analysis, my increasing comfort with the command line got me working on a process that skips the GUI. For flexibility, I went ahead and set this all up inside my existing SigcheckGUI folder.
Setup:
- Create a folder “input” under the sigcheckgui folder where I put the files I want to analyze
- Run the following command (basically paste this into a .txt file that's renamed with a .bat suffix and then launch)
sigcheck64.exe -nobanner -h -v -w file_report.txt .\input
Example output of two sigcheck files (analysis of the 32-bit and 64-bit analysis programs):

C:\Temp\Testing Tools\SigCheckGUI\input\sigcheck.exe:
        Verified:       Signed
        Signing date:   3:45 PM 9/11/2020
        Publisher:      Microsoft Corporation
        Company:        Sysinternals - www.sysinternals.com
        Description:    File version and signature viewer
        Product:        Sysinternals Sigcheck
        Prod version:   2.80
        File version:   2.80
        MachineType:    32-bit
        MD5:    60C97B52BE2D988D8D39430CFB749106
        SHA1:   F1D5330D467E9F7950509F60B758453A86D7EED4
        PESHA1: FB652CC0D7EF87911E93A37083C4EC5B1CBE4857
        PE256:  1513648611DFDB6D04309339E814903D6600AA5839637B6C3B91D7B23BC36C0F
        SHA256: 5141B3A6558EB65BD9EAA87ABAFF040920F6A0E1F6F1894DF7A14CA1254E99AB
        IMP:    1FA91A5B71B4C34C060FC289B51FAAEE
        VT detection:   0/76
        VT link:        https://www.virustotal.com/gui/file/514 ... /detection
C:\Temp\Testing Tools\SigCheckGUI\input\sigcheck64.exe:
        Verified:       Signed
        Signing date:   3:42 PM 9/11/2020
        Publisher:      Microsoft Corporation
        Company:        Sysinternals - www.sysinternals.com
        Description:    File version and signature viewer
        Product:        Sysinternals Sigcheck
        Prod version:   2.80
        File version:   2.80
        MachineType:    64-bit
        MD5:    B8CEB67F37D44F4AAA477F7C5CB6A6DB
        SHA1:   2B772AAFE711483A2B9C87C277714DE321B570BE
        PESHA1: F02FCE9287197086B7592836120B6587E2CB9383
        PE256:  B575A38362582C766B9B9B8EE8C0F223E0697ABABD6A2D0A610CADCAEDFB6CFC
        SHA256: BD841661B5E82840B61F078F3E5B420969A3A8EA1345615C6820B9FE89000038
        IMP:    9E056220139688D3D2268604BFB7E4A6
        VT detection:   0/76
        VT link:        https://www.virustotal.com/gui/file/bd8 ... /detection

Why all this detail? I try to keep a "less is more" approach to posting here in forums, but testing often demands more. While most users are going to care first and foremost about the easy VirusTotal link and detection (--/76), there are some other advantages:
- Determine whether it's 64-bit only
- Make sure you're testing the latest-and-greatest version
- Find out if the application is signed, since that type of program will run on more computers (some machines are locked down to only allow signed apps). Note that this one is signed by Microsoft because Sysinternals is a Microsoft company.
- File verification - while SHA256 is more than adequate, if you only have an MD5 hash program handy (easily the most common), that should be fine. Note that I don't think IMP, PE256 or PESHA1 are in wide use outside of Windows developers.
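To act on file_report.txt instead of reading it by eye, here is an added PowerShell example (not from the original post or from Sysinternals) that parses the report format shown above into objects and flags each file for the checks listed: signature, VirusTotal hits and 64-bit-only. The report text is constructed to mirror the output above; the second record (sample.exe, its all-zero SHA256 and 3/76 detections) is invented for illustration.

```powershell
# Constructed sample of sigcheck -h -v -w output; sample.exe is invented.
$report = @'
C:\Temp\Testing Tools\SigCheckGUI\input\sigcheck.exe:
        Verified:       Signed
        Signing date:   3:45 PM 9/11/2020
        MachineType:    32-bit
        SHA256: 5141B3A6558EB65BD9EAA87ABAFF040920F6A0E1F6F1894DF7A14CA1254E99AB
        VT detection:   0/76
        VT link:        https://www.virustotal.com/gui/file/514 ... /detection
C:\Temp\Testing Tools\SigCheckGUI\input\sample.exe:
        Verified:       Unsigned
        MachineType:    64-bit
        SHA256: 0000000000000000000000000000000000000000000000000000000000000000
        VT detection:   3/76
'@

function ConvertFrom-SigcheckReport {
    param([string[]]$Lines)
    $records = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^[A-Za-z]:\\.+:$') {
            # An unindented drive path ending in ':' starts a new file record
            if ($current) { $records += [pscustomobject]$current }
            $current = [ordered]@{ Path = $line.TrimEnd(':') }
        }
        elseif ($current -and $line -match '^\s*([^:]+?):\s*(.*)$') {
            # "Key: value"; only the first colon splits, so times and URLs survive
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($current) { $records += [pscustomobject]$current }
    return $records
}

function Get-SigcheckFlags {
    param($Record)
    $flags = @()
    if ($Record.Verified -ne 'Signed') { $flags += 'not signed' }
    if ($Record.'VT detection' -match '^(\d+)/(\d+)$' -and [int]$Matches[1] -gt 0) {
        $flags += "VT hits $($Matches[1])/$($Matches[2])"
    }
    if ($Record.MachineType -eq '64-bit') { $flags += '64-bit only' }
    return ($flags -join '; ')
}

ConvertFrom-SigcheckReport ($report -split "`r?`n") |
    Select-Object @{n='File'; e={Split-Path $_.Path -Leaf}}, Verified, MachineType,
                  SHA256, @{n='Flags'; e={Get-SigcheckFlags $_}} |
    Format-Table -AutoSize
```

Replace the here-string with `Get-Content .\file_report.txt` to run it against a real report from the .bat above.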