This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 67%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGB%3C/text%3E%3C/svg%3E)
Windows SDK has a tool called MakeCat which generates a catalog file that contains SHA256 hashes of files on the operating system.
Let's say we take Optane.dll as an example file.
Using the Makecat tool to create a catalog file results in an stored SHA256 hash of 230EB11F89F6B7B4E6C8E069D6A2A68820E7002625D2DF2F30B80043906433F1.
However, putting the same file through any online or local file SHA256 calculator results in a different hash - 4C5E4407A6056B60089F8406CA75F230988A2528FA84F7965C5BF6ED883FB79A
Any ideas on how MakeCat is calculating the hash? I believe internally it calls CryptCATAdminCalcHashFromFileHandle Windows API.
My aim: Reproduce this Makecat style hash for some files in a Linux environment.
Hello @Gagan Bhat
MakeCat uses the mscat.h library : https://learn.microsoft.com/en-us/windows/win32/api/mscat/
About the implementation in Linux, I would recommend to open your question in a Linux Cryptography forum, as that community may be better equipped and experienced to andswer the question.
Hope this helps with your query,
-----
--If the reply is helpful, please Upvote and Accept as answer--
Yes, I see it uses mscat.h, however, where can we see the implementation of this function in Windows?
Cannot find an mscat.cpp, I think we get only the compiled binary.
I am interested in finding out how it has been implemented in Windows because the hash returned is not matching the hash of the file on disk.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 94%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
I realise this question is over 3 years old but I figured I'd add an answer anyway in case anyone else has the same question, and because this is something that is widely misunderstood.
The hash calculated by CryptCATAdminCalcHashFromFileHandle (the one that appears in the catalog) is different to the hash of the file on disk because Authenticode does not use a simple flat hash of the file.
You'll find a link to the official specification for Authenticode below, but the gist is that it skips over a couple of key places in the file. From memory, these are the 32-bit timestamp in the PE header and also the part of the file where the signatures are stored. There are also a few other subtle gotchas (often missed in 3rd party implementations!) which relate to the order in which the various sections in the file should be fed into the digest calculator, but these have only theoretical consequences.