
I have Python code which generates the hash value of two files. The first file is located at c:\windows\system32\wscript.exe, and the other file, which is a clone of the first file, is located at d:\clone.exe.

Python code

```python
import os
strcommand ='certutil -hashfile c:\windows\system32\wscript.exe md2'
p=os.popen(strcommand ).read()
print(str(p).split('\n')[1])

strcommand1='certutil -hashfile d:\clone.exe md2'
p=os.popen(strcommand1 ).read()
print(str(p).split('\n')[1])
```

The output is

```
D:\pythonprogram>python clonefinder.py
4cef03889db08179b57035e4463a84d5
db1cefe474ce12678ea4d6c61dc42291
```

But when I run the commands used in the Python code from the command prompt, the hash values of the two files are the same.

Command prompt

```
D:\pythonprogram>certutil -hashfile c:\windows\system32\wscript.exe md2
MD2 hash of c:\windows\system32\wscript.exe:
db1cefe474ce12678ea4d6c61dc42291
CertUtil: -hashfile command completed successfully.

D:\pythonprogram>certutil -hashfile d:\clone.exe md2
MD2 hash of d:\clone.exe:
db1cefe474ce12678ea4d6c61dc42291
CertUtil: -hashfile command completed successfully.
```

I want the hash values to be the same when I execute the Python program.

Any help with this?

snakecharmerb
  • You said in command prompt the hash values of the two files are the same. However, I see they are different. Both the files are probably different. From your output run from Command prompt they are: 4cef03889db08179b57035e4463a84d5 and db1cefe474ce12678ea4d6c61dc42291. They are different, aren't they? – MagnumCodus Oct 10 '19 at 06:46
  • @MagnumCodus edited that now. I cloned a different file and took the hash of that, so it was showing different hash values – Therockster Oct 10 '19 at 06:50
  • Great, can you now run your python script and check the output? – MagnumCodus Oct 10 '19 at 06:53
  • @MagnumCodus the output which you can see in the python code, same output I am getting even though I tried it again. – Therockster Oct 10 '19 at 06:55
  • Are you sure that is the exact python code? You are supposed to escape backslashes, you don't seem to have done that. Can you copy and paste the exact code from your script? – MagnumCodus Oct 10 '19 at 07:08
  • I don't think that's the issue, but still better to do proper escaping or use a raw string. I'd suggest to use `strcommand = r'certutil -hashfile c:\windows\system32\wscript.exe md2'`. I added the "r" character before the string. This auto-escapes all backslashes in a string (except if it is the last character of the string) – gelonida Oct 10 '19 at 08:10
  • @MagnumCodus I checked it once again and the problem is I'm not getting the same hash values for both files – Therockster Oct 10 '19 at 11:04
  • @gelonida I used your method but I'm not able to get the same hash values – Therockster Oct 10 '19 at 11:05

1 Answer

Windows can be a rather funny operating system, and due to its age, some magic has been added to allow old Windows code to still work with Windows 7/8/10. Under some circumstances you can see different versions of files in directories like C:\windows, depending on your privileges / depending on whether you start a 32 bit / 64 bit application. I do not know all these mechanics by heart, but have already had some bad surprises.

To be 100% sure that you do not execute the certutil command in two different environments, I propose the following.

  1. open one cmd.exe window
  2. type the certutil commands from that window
  3. now call the python script also from the same window with `C:\Path_to_your_python\python.exe name_of_your_python_script.py`. Use the version of the python script where you prefixed the regexp string with the r (r"regex").

If you still have different results, then check whether you have a 32 bit version or 64 bit version of python installed: `C:\Path_to_your_python\python.exe -V`

If you have a 32 bit version, then I suggest installing a 64 bit version of python to test again.

gelonida
  • so you're still using 32 bits, but uninstalling / reinstalling helped? – gelonida Oct 10 '19 at 16:53
  • I'm using the 64-bit version now. My bad, I made a mistake in the previous comment. I uninstalled the 32-bit version and installed the 64-bit version. Thanks a lot. – Therockster Oct 10 '19 at 17:00
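
The behaviour the answer describes is WOW64 file-system redirection: a 32-bit process on 64-bit Windows that opens a path under System32 is served the SysWOW64 copy instead. The block below is an added example, not code from the original posts; it detects that case and reads the native file through the Sysnative alias, hashing in-process with SHA-256 from hashlib instead of certutil's MD2. The function names are illustrative assumptions.

```python
import hashlib
import ntpath
import os
import struct


def is_wow64(pointer_bits=struct.calcsize("P") * 8, env=os.environ):
    """True for a 32-bit process on 64-bit Windows.

    WOW64 sets PROCESSOR_ARCHITEW6432 only in that situation.
    """
    return pointer_bits == 32 and "PROCESSOR_ARCHITEW6432" in env


def native_path(path, wow64, windir=r"C:\Windows"):
    """Point a System32 path at the Sysnative alias when running under WOW64.

    Sysnative exists only for 32-bit processes and resolves to the real
    64-bit System32, bypassing the silent redirect to SysWOW64.
    """
    if not wow64:
        return path
    norm = ntpath.normpath(path)
    sys32 = ntpath.normcase(ntpath.join(windir, "System32"))
    lowered = ntpath.normcase(norm)
    if lowered == sys32 or lowered.startswith(sys32 + "\\"):
        return ntpath.join(windir, "Sysnative") + norm[len(sys32):]
    return path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in-process, so no 32-bit child process is involved."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


if __name__ == "__main__" and os.name == "nt":
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    target = ntpath.join(windir, "System32", "wscript.exe")  # file from the question
    wow64 = is_wow64()
    print("32-bit Python on 64-bit Windows:", wow64)
    print("path as requested:", sha256_file(target))
    print("native System32  :", sha256_file(native_path(target, wow64, windir)))
```

Under a 32-bit interpreter on 64-bit Windows the two printed digests differ when the SysWOW64 and System32 copies of the file differ; under a 64-bit interpreter they are identical.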