Programs like sigverif/sigcheck/autoruns calculate a signature of PE files and compare it with the signatures stored in CatRoot\{F75..}\*.CAT files.
This is not a full-file hash; rather, it is computed from a subset of the bits.
From http://www.science.org/secalert/WFP_Old_Security_Catalog_Vulnerability.txt :
"In particular the "Certificates Table" data directory entry [5] in the executable's IMAGE_DATA_DIRECTORY table located at the end of its PE header IMAGE_OPTIONAL_HEADER structure is excluded from the hashed bits"
Does anyone know how to calculate this hash without using CryptAPI (CryptCATAdminCalcHashFromFileHandle), by parsing the PE file, excluding these bits and calculating SHA-1 over the rest, with C/Perl only?
Thanks
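
One way to do this in plain C, as an added example that is not part of the original post: `pe_image_sha1` (a hypothetical name) computes SHA-1 over a PE file held in memory while skipping the CheckSum field, the Certificate Table directory entry and the certificate data that entry points to, following the Authenticode PE image hash procedure. It assumes sections are stored contiguously in file order and that the certificate table, if present, is the last thing in the file; its output has not been compared against CryptCATAdminCalcHashFromFileHandle.

```c
/* Added example (illustrative names). Assumes contiguous sections and a certificate table at the file tail. */
#include <stddef.h>
#include <stdint.h>
typedef struct { uint32_t h[5]; uint8_t buf[64]; uint64_t len; } sha1_ctx;
#define SHA1_INIT {{0x67452301u, 0xEFCDAB89u, 0x98BADCFEu, 0x10325476u, 0xC3D2E1F0u}, {0}, 0}
static uint32_t rol(uint32_t x, int s) { return (x << s) | (x >> (32 - s)); }
static uint32_t rd(const uint8_t *p, int n) { uint32_t v = 0; while (n--) v = v << 8 | p[n]; return v; } /* little-endian */
static void sha1_block(uint32_t *h, const uint8_t *p) {
    uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4], f, t;
    for (int i = 0; i < 80; i++) {
        if (i < 16) w[i] = (uint32_t)p[4*i] << 24 | p[4*i+1] << 16 | p[4*i+2] << 8 | p[4*i+3];
        else w[i] = rol(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
        if (i < 20)      f = ((b & c) | (~b & d)) + 0x5A827999u;
        else if (i < 40) f = (b ^ c ^ d) + 0x6ED9EBA1u;
        else if (i < 60) f = ((b & c) | (b & d) | (c & d)) + 0x8F1BBCDCu;
        else             f = (b ^ c ^ d) + 0xCA62C1D6u;
        t = rol(a, 5) + f + e + w[i];
        e = d; d = c; c = rol(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}
static void sha1_update(sha1_ctx *s, const uint8_t *p, size_t n) {
    while (n--) { s->buf[s->len++ % 64] = *p++; if (s->len % 64 == 0) sha1_block(s->h, s->buf); }
}
static void sha1_final(sha1_ctx *s, uint8_t out[20]) {
    uint64_t bits = s->len * 8; uint8_t pad[9] = {0x80};     /* 0x80 marker, then zeros / length */
    sha1_update(s, pad, 1);
    while (s->len % 64 != 56) sha1_update(s, pad + 1, 1);
    for (int i = 0; i < 8; i++) pad[i + 1] = (uint8_t)(bits >> (56 - 8 * i));
    sha1_update(s, pad + 1, 8);
    for (int i = 0; i < 20; i++) out[i] = (uint8_t)(s->h[i / 4] >> (24 - 8 * (i % 4)));
}

int pe_image_sha1(const uint8_t *f, size_t n, uint8_t out[20]) {  /* 0 on success, -1 on unsupported layout */
    size_t pe = n < 0x40 ? n : rd(f + 0x3C, 4);              /* e_lfanew */
    if (pe >= n || n - pe < 176 || f[0] != 'M' || f[1] != 'Z') return -1;
    size_t opt = pe + 24, cks = opt + 64;                    /* optional header, CheckSum field */
    uint32_t magic = rd(f + opt, 2);
    if (rd(f + pe, 4) != 0x4550 || (magic != 0x10B && magic != 0x20B)) return -1;
    size_t dir = opt + (magic == 0x20B ? 144 : 128);         /* directory entry index 4: Certificate Table */
    if (rd(f + dir - 36, 4) < 5) return -1;                  /* NumberOfRvaAndSizes */
    size_t coff = rd(f + dir, 4), clen = rd(f + dir + 4, 4); /* file offset and size of certificate data */
    if (clen == 0) coff = n;                                 /* unsigned file: hash to the end */
    if (coff < dir + 8 || coff > n || clen != n - coff) return -1;
    sha1_ctx s = SHA1_INIT;
    sha1_update(&s, f, cks);                                 /* start of file .. CheckSum */
    sha1_update(&s, f + cks + 4, dir - cks - 4);             /* after CheckSum .. directory entry */
    sha1_update(&s, f + dir + 8, coff - dir - 8);            /* rest of headers, sections, overlay */
    sha1_final(&s, out); return 0;
}
```

Because the CheckSum field, the directory entry and the certificate blob are left out, a file hashes to the same value before and after a signature is appended, while a change to any other byte changes the digest.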






