Didier Stevens

Tuesday 16 September 2014

FileScanner.exe Part 2

Filed under: My Software — Didier Stevens @ 0:00

My new FileScanner tool allows you to use rules to scan files. Here is how you define rules.

Rule syntax

If you provide rules to FileScanner, it will only report files that match one or more rules (unless you instruct it to report all scanned files). A rule has a name, a type and one or more conditions. These elements are separated by the : character (colon). A name can be any string; it is best to keep names unique when you have several rules, but this is not enforced. If a name starts with a $ character (dollar), the rule is only tested when it is referred to by another rule. Valid rule types are:

  • md5
  • sizemd5
  • start
  • content
  • icontent
  • and

The md5 rule triggers if the file has the specified md5 hash. Example:

PSEXEC2:md5:AEEE996FD3484F28E5CD85FE26B6BDCD

The sizemd5 rule triggers if the file has the specified size and md5 hash. The size is tested first, and the md5 hash is only calculated when the size matches. This speeds up the scan process if you know the size. Example:

PSEXEC:sizemd5:381816:AEEE996FD3484F28E5CD85FE26B6BDCD

The start rule triggers if the content of the file starts with the specified bytes. You can specify these bytes with a hexadecimal sequence or with a string. When using a string, prefix it with keyword str=. This test is case-sensitive. Examples:

MZ:start:4D5A

PK:start:str=PK

The content rule triggers if the file contains the specified bytes. You can specify these bytes with a hexadecimal sequence or with a string. When using a string, prefix it with keyword str=. This test is case-sensitive. Examples:

META:content:4D414E49464553542E4D46

META:content:str=MANIFEST.MF

The icontent rule is identical to the content rule, except that it is not case-sensitive.

The and rule triggers only if all the specified rules trigger. The specified rules are tested from left to right, and testing stops at the first rule that does not trigger. A referenced rule whose name starts with $ is tested here as well. In the following example, the JAR rule triggers if both the $PK and $META rules trigger.

$PK:start:str=PK
$META:icontent:str=MANIFEST.MF
JAR:and:$PK $META


Defining rules

Rules can be defined in a text file. A single rule can be defined via a command-line option or via the executable filename.

A set of rules contained in a text file is passed to the FileScanner tool via command-line option -a or -A. With option -a, only files that match one or more rules are analyzed and reported. With option -A, all files are reported. A rule-file can contain comments: lines whose first character is # are comments and are ignored. Two directives can be set in a rule-file:

  • selectallfiles
  • exhaustive

The selectallfiles directive instructs FileScanner to report all files (even with option -a).

The exhaustive directive instructs FileScanner to test all rules defined in the text file. If this directive is not present, rule testing stops after the first rule matches.

Example of a rule-file:

exhaustive
PK:start:str=PK
$META:icontent:str=MANIFEST.MF
JAR:and:PK $META
CLASS:start:CAFEBABE
MZ:start:4D5A
PDF:start:str=%PDF-
OLE:start:D0CF11E0
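To make the rule semantics concrete, here is a small Python re-implementation of the rule evaluation described in the Rule syntax and Defining rules sections. It is an added example, not FileScanner's own code: it covers every rule type, the $ naming convention, # comments and the exhaustive directive, and runs a subset of the rule-file above against a constructed PK blob whose manifest name is lowercase.

```python
import hashlib

def parse_rules(text):
    # Rule file: directives, '#' comments, and name:type:argument lines (file order kept)
    directives, rules = set(), {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line in ("selectallfiles", "exhaustive"):
            directives.add(line)
            continue
        name, rtype, arg = line.split(":", 2)    # sizemd5 keeps "size:md5" in arg
        rules[name] = (rtype, arg)
    return directives, rules

def _pattern(spec):
    # str=... is a literal string; anything else is a hex byte sequence
    return spec[4:].encode() if spec.startswith("str=") else bytes.fromhex(spec)

def match(name, rules, data):
    # Evaluate one rule against file content held in memory
    rtype, arg = rules[name]
    if rtype == "md5":
        return hashlib.md5(data).hexdigest().upper() == arg.upper()
    if rtype == "sizemd5":                       # cheap size test before hashing
        size, digest = arg.split(":", 1)
        return len(data) == int(size) and hashlib.md5(data).hexdigest().upper() == digest.upper()
    if rtype in ("start", "content", "icontent"):
        pat, hay = _pattern(arg), data
        if rtype == "icontent":                  # case-insensitive variant of content
            pat, hay = pat.lower(), hay.lower()
        return hay.startswith(pat) if rtype == "start" else pat in hay
    if rtype == "and":                           # all() stops at the first sub-rule that fails
        return all(match(sub, rules, data) for sub in arg.split())
    raise ValueError("unknown rule type: " + rtype)

def scan(data, text):
    # Names of matching rules; $-rules run only when an 'and' rule references them
    directives, rules = parse_rules(text)
    hits = []
    for name in rules:
        if not name.startswith("$") and match(name, rules, data):
            hits.append(name)
            if "exhaustive" not in directives:   # default: stop after the first match
                break
    return hits

RULE_FILE = "exhaustive\nPK:start:str=PK\n$META:icontent:str=MANIFEST.MF\nJAR:and:PK $META\nMZ:start:4D5A\n"
JAR_LIKE = b"PK\x03\x04" + b"META-INF/manifest.mf" + b"\x00" * 8  # constructed sample, not a real JAR
```

Note that with the exhaustive directive the PK blob matches both PK and JAR; without it, scanning stops at PK and JAR is never reported.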

Specifying a single rule can be done via option -r. Example:

filescanner.exe -sr PSEXEC:sizemd5:381816:AEEE996FD3484F28E5CD85FE26B6BDCD c:\

Finally, if you have to ask an inexperienced user to run filescanner on their machine, you can encode a rule in the filename and send them the program. Example:

filescanner-auto-rule-PSEXEC-sizemd5-381816-AEEE996FD3484F28E5CD85FE26B6BDCD.exe

Download

20140915-175358
FileScanner_V0_0_0_2.zip (https)
MD5: 9A89333C13DBB669A94226F57E5D919A
SHA256: 5F46312B06AE865957A36B95A4C2DDC41F20113B0E51B7F083A50929B38BD0F9


7 Comments »

  1. Very nice tool!

    Comment by Sven Faw — Tuesday 16 September 2014 @ 7:16

  2. I am unable to get the rule file working. What is the format to use a text file? Doing a single MZ:start:4D5A in a file called executable.txt -a executable.txt does not work. Command line for the MZ works?

    Comment by Mike Gough — Tuesday 16 September 2014 @ 18:55

  3. @Mike What error do you get? I just tested on my machine and your rule in a text file works.

    Comment by Didier Stevens — Tuesday 16 September 2014 @ 19:11

  4. […] is a new Windows tool I developed. Read part 1 and part 2 for more […]

    Pingback by FileScanner.exe Part 3 | Didier Stevens — Wednesday 17 September 2014 @ 0:00

  5. D:\Tools\File Scanner\FileScanner\x64\Release>FileScanner -As executable.txt d:\malware
    Error parsing analysis file executable.txt

    Comment by Mike Gough — Wednesday 17 September 2014 @ 16:20

  6. @Mike Is it possible your text is UNICODE and not ASCII?

    Comment by Didier Stevens — Wednesday 17 September 2014 @ 16:22

  7. […] read part 1, part 2 and part 3 for more […]

    Pingback by FileScanner.exe Part 4 | Didier Stevens — Thursday 18 September 2014 @ 0:00

