[SOLVED] the same file but different hash, why? ["C:\Windows\System32\browser.dll"]

[rickyzhang2008]

When using the C# code below to compute SHA256 for the same file named "browser.dll" in two different path, but the sha256 value are different, why?
the same file: "browser.dll",
first full path: "C:\Windows\System32\browser.dll",
second full path: "E:\xiufu\browser.dll".

important thing:
"browser.dll" in second full path was copied from the first full path "C:\Windows\System32\browser.dll", but their sha256 value are different totally.
the sha256 value of "C:\Windows\System32\browser.dll" : "QAEROIafVJaj5404yZALRmtvOHdSasIpUtzVKBc/RkU=",
the sha256 value of "E:\xiufu\browser.dll": "nMJfH5P6ym9s4j9461hZDDmi48ijrN9ADoqd4HV+ra4=".

so what happened to the file "browser.dll"? please help,thanks.

            using (SHA256 sha256 = SHA256.Create())
            {
                try
                {
                    
                    string fileFullPath = @"C:\Windows\System32\browser.dll";//@"E:\xiufu\browser.dll";
                    string combineHsh = "nMJfH5P6ym9s4j9461hZDDmi48ijrN9ADoqd4HV+ra4=||QAEROIafVJaj5404yZALRmtvOHdSasIpUtzVKBc/RkU=";
                    using (FileStream fileStream = File.Open(fileFullPath, FileMode.Open, FileAccess.Read, FileShare.Read))
                    {
                        string[] hssArr = combineHsh.Split(new string[] { "||" }, 2, StringSplitOptions.None);

                            try
                            {
                                
                                // Create a fileStream for the file.
                                // Be sure it's positioned to the beginning of the stream.
                                fileStream.Position = 0;
                                // Compute the hash of the fileStream.
                                byte[] hashValue = sha256.ComputeHash(fileStream);
              
                                string sha256Base64Str = Convert.ToBase64String(hashValue);

                                if (sha256Base64Str.CompareTo(hssArr[1]) == 0)
                                {
                                    bEqual = true;
                                }
                                else
                                {
                                    bEqual = false;
                                }

                            }
                            catch (IndexOutOfRangeException e)
                            {
                                Console.WriteLine("Hash compare:" + e.Message);
                            }
                    }
                }
                catch (IOException e)
                {
                    Console.WriteLine("Open file for hash:" + e.Message);
                }
                catch (UnauthorizedAccessException e)
                {
                    Console.WriteLine("Open file for hash:" + e.Message);
                }

            }

 

[rickyzhang2008]

When using the C# code below to compute SHA256 for the same file named "browser.dll" in two different path, but the sha256 value are different, why?
the same file: "browser.dll",
first full path: "C:\Windows\System32\browser.dll",
second full path: "E:\xiufu\browser.dll".

important thing:
"browser.dll" in second full path was copied from the first full path "C:\Windows\System32\browser.dll", but their sha256 value are different totally.
the sha256 value of "C:\Windows\System32\browser.dll" : "QAEROIafVJaj5404yZALRmtvOHdSasIpUtzVKBc/RkU=",
the sha256 value of "E:\xiufu\browser.dll": "nMJfH5P6ym9s4j9461hZDDmi48ijrN9ADoqd4HV+ra4=".

so what happened to the file "browser.dll"? please help,thanks.

            using (SHA256 sha256 = SHA256.Create())
            {
                try
                {
                   
                    string fileFullPath = @"C:\Windows\System32\browser.dll";//@"E:\xiufu\browser.dll";
                    string combineHsh = "nMJfH5P6ym9s4j9461hZDDmi48ijrN9ADoqd4HV+ra4=||QAEROIafVJaj5404yZALRmtvOHdSasIpUtzVKBc/RkU=";
                    using (FileStream fileStream = File.Open(fileFullPath, FileMode.Open, FileAccess.Read, FileShare.Read))
                    {
                        string[] hssArr = combineHsh.Split(new string[] { "||" }, 2, StringSplitOptions.None);

                            try
                            {
                               
                                // Create a fileStream for the file.
                                // Be sure it's positioned to the beginning of the stream.
                                fileStream.Position = 0;
                                // Compute the hash of the fileStream.
                                byte[] hashValue = sha256.ComputeHash(fileStream);
             
                                string sha256Base64Str = Convert.ToBase64String(hashValue);

                                if (sha256Base64Str.CompareTo(hssArr[1]) == 0)
                                {
                                    bEqual = true;
                                }
                                else
                                {
                                    bEqual = false;
                                }

                            }
                            catch (IndexOutOfRangeException e)
                            {
                                Console.WriteLine("Hash compare:" + e.Message);
                            }
                    }
                }
                catch (IOException e)
                {
                    Console.WriteLine("Open file for hash:" + e.Message);
                }
                catch (UnauthorizedAccessException e)
                {
                    Console.WriteLine("Open file for hash:" + e.Message);
                }

            }

Correct:
important thing:
"browser.dll" in second full path was copied from the first full path "C:\Windows\System32\browser.dll", but their base64(sha256) value are different totally.
the base64(sha256) value of "C:\Windows\System32\browser.dll" : "QAEROIafVJaj5404yZALRmtvOHdSasIpUtzVKBc/RkU=",
the base64(sha256) value of "E:\xiufu\browser.dll": "nMJfH5P6ym9s4j9461hZDDmi48ijrN9ADoqd4HV+ra4=".

 

[x BlueRobot]

The System32 folder is hardlinked to another folder within WinSxS, there can be several different versions of the same file and the "active" version can change. You also have to take into account Windows compressing those files and thus causing the hashes to change. If you want to verify the file hashes, then check the files within WinSxS and not System32.

You can use fsutil to examine hardlinks:

fsutil hardlink list %systemroot%\System32\browser.dll

 

[rickyzhang2008]

The System32 folder is hardlinked to another folder within WinSxS, there can be several different versions of the same file and the "active" version can change. You also have to take into account Windows compressing those files and thus causing the hashes to change. If you want to verify the file hashes, then check the files within WinSxS and not System32.

You can use fsutil to examine hardlinks:

fsutil hardlink list %systemroot%\System32\browser.dll

Thanks very much.
But I use several methods to calculate the file "c:\windows\system32\browser.dll",and don't copy it to another directory, and the result is that as follows:
1. hash tab's sha256 is same as the scanning result of windows tool sfc. means it is right.
2.using the python code, sha256 value is same as hash tab's, means it is right too.

import hashlib
file_name = "c:\\windows\\system32\\browser.dll"
hash_sha256 = hashlib.sha256()
with open(file_name, "rb") as f:
    for chunk in iter(lambda: f.read(4096), b""):
            hash_sha256.update(chunk)
print(hash_sha256.hexdigest())

the result of the two above are always right, and sha256 value never change regardless of how many times calculating.

3. using c++ code, open source code
hash-library
Crypto++

4. using c# code, as the posted code.

method 3,4 are always different values, means wrong, and sha256 value never change regardless of how many times calculating.

My question is how I can get the same sha256 value of hash Tab tool, the right value, with the C# or C++ code. any ways?

 

[x BlueRobot]

This seems to be working correctly for me:

using System.Security.Cryptography;

using FileStream file = File.Open("<path to file>", FileMode.Open);
file.Position = 0;

byte[] hash = SHA256.HashData(file);
string hash_string = Convert.ToBase64String(hash);

Console.WriteLine(hash_string);
Console.ReadKey();

 

[rickyzhang2008]

This seems to be working correctly for me:

using System.Security.Cryptography;

using FileStream file = File.Open("<path to file>", FileMode.Open);
file.Position = 0;

byte[] hash = SHA256.HashData(file);
string hash_string = Convert.ToBase64String(hash);

Console.WriteLine(hash_string);
Console.ReadKey();

Thanks for replying, I will try.

 

[rickyzhang2008]

Solved.

change to "x64", and compile & run.

when running the 32 bit program, it checks the "C:\Windows\SysWOW64\browser.dll" actually, not the "“C:\Windows\System32\browser.dll”.

so the sha256 value never change with many calculating and different methods(x64,x86) get different result.

Thank anyway.

 

[x BlueRobot]

It must be redirecting you then since you're running an x86 binary as you said. I would always check the WinSxS directory though rather than System32 and HashData is usually the preferred method for computing hashes, its much cleaner than creating a SHA256 object and using that.

 

[rickyzhang2008]

It must be redirecting you then since you're running an x86 binary as you said. I would always check the WinSxS directory though rather than System32 and HashData is usually the preferred method for computing hashes, its much cleaner than creating a SHA256 object and using that.

OK. Thanks, I got it.

 

[Shintaro]

I would say that what you are seeing is WoW64 (Windows on Windows) thunking. A very interesting topic of technology.