MakeCat SHA256 in Windows is different than expected SHA256 - CryptCATAdminCalcHashFromFileHandle

Gagan Bhat 1 Reputation point
2021-10-19T23:40:46.063+00:00

Windows SDK has a tool called MakeCat which generates a catalog file that contains SHA256 hashes of files on the operating system.

Let's say we take Optane.dll as an example file.

Using the Makecat tool to create a catalog file results in a stored SHA256 hash of 230EB11F89F6B7B4E6C8E069D6A2A68820E7002625D2DF2F30B80043906433F1.


However, putting the same file through any online or local file SHA256 calculator results in a different hash - 4C5E4407A6056B60089F8406CA75F230988A2528FA84F7965C5BF6ED883FB79A


Any ideas on how MakeCat is calculating the hash? I believe internally it calls CryptCATAdminCalcHashFromFileHandle Windows API.

My aim: Reproduce this Makecat style hash for some files in a Linux environment.


2 answers

  1. Limitless Technology 39,296 Reputation points
    2021-10-20T14:07:10.237+00:00

    Hello @Gagan Bhat

    MakeCat uses the mscat.h library : https://learn.microsoft.com/en-us/windows/win32/api/mscat/

    About the implementation in Linux, I would recommend opening your question in a Linux Cryptography forum, as that community may be better equipped and experienced to answer the question.

    Hope this helps with your query,

    -----
    --If the reply is helpful, please Upvote and Accept as answer--


  2. Gagan Bhat 1 Reputation point
    2021-10-20T14:11:12.373+00:00

    Yes, I see it uses mscat.h, however, where can we see the implementation of this function in Windows?

    Cannot find an mscat.cpp, I think we get only the compiled binary.

    I am interested in finding out how it has been implemented in Windows because the hash returned is not matching the hash of the file on disk.

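The mismatch raised in the question and again in the second reply has a cause the thread does not spell out: for PE images, CryptCATAdminCalcHashFromFileHandle returns the Authenticode image hash, which per Microsoft's Authenticode PE specification skips the optional header's CheckSum field, the Certificate Table data-directory entry and the attribute certificate table itself, so it neither equals a flat SHA256 of the file nor changes when the file is signed. The Python below is an added example, not code from the thread or from the Windows SDK: `authenticode_hash` implements that procedure, and `build_test_pe` is a constructed PE32 stub used only as demo input.

```python
import hashlib
import struct

def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Authenticode PE image hash (the procedure from Microsoft's Authenticode PE spec)."""
    h = hashlib.new(algo)
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = pe_off + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64                                        # CheckSum field
    certdir_off = opt + (128 if magic == 0x10B else 144)           # PE32 / PE32+
    cert_size = struct.unpack_from("<II", data, certdir_off)[1]
    h.update(data[:checksum_off])                 # headers minus the two skipped fields
    h.update(data[checksum_off + 4:certdir_off])
    h.update(data[certdir_off + 8:size_of_headers])
    hashed = size_of_headers
    sections = []
    for i in range(nsec):                         # (SizeOfRawData, PointerToRawData)
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):    # section data in file-offset order
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    if (extra := len(data) - hashed - cert_size) > 0:   # trailing data minus the cert table
        h.update(data[hashed:hashed + extra])
    return h.hexdigest().upper()

def flat_sha256(data: bytes) -> str:
    """Plain SHA256 of the whole file, what an ordinary checksum tool reports."""
    return hashlib.sha256(data).hexdigest().upper()

def build_test_pe(checksum: int, cert: bytes = b"") -> bytes:
    """Constructed minimal PE32 stub (not a real executable) used as the demo input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # 1 section, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 60, 512)                           # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                      # CheckSum
    if cert:
        struct.pack_into("<II", opt, 128, 1024, len(cert))         # Certificate Table entry
    sec = b".text\0\0\0" + struct.pack("<IIII", 512, 0x1000, 512, 512) + b"\0" * 16
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(512, b"\0")
    return headers + bytes(range(256)) * 2 + cert                  # one 512-byte section
```

Feed the DLL's bytes to `authenticode_hash` to compare against the catalog value; catalog members that are not PE images are hashed flat, so for those an ordinary SHA256 already matches.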