Didier Stevens

Monday 16 October 2006

USBVirusScan

Filed under: My Software — Didier Stevens @ 10:09

When Bruce Scheiner blogged about USBDumper, I downloaded the program and filed it for some later experimentation.

During our vacation I started programming on a rainy evening, and USBVirusScan was born.

USBVirusScan will launch any program you provide as a command line parameter each time a USB stick is inserted. I use it to start a full virus scan on the inserted USB drive, hence the name.

For example, to start a cmd.exe on each USB drive you insert, you start USBVirusScan like this:

USBVirusScan cmd /k %c:

%c is a placeholder for the drive-letter of the inserted USB drive (yes, that’s %c like C’s printf function, and no, that’s not completely secure, but feel free to adapt it…).

USBVirusScan uses a system tray icon and balloons to announce the insertion of a USB drive. If you want to hide this system tray icon, start USBVirusScan with option -i, like this:
USBVirusScan -i cmd /k %c:

You can also hide the command line console with option -c. This only works with Console applications, not with Windows applications.

Here’s a Windows Script example (log.vbs) that will create a log.txt file on the inserted USB drive with the current date & time:

Dim objFSO

Dim objTextFile

Dim strFilename
strFilename = Wscript.Arguments.Item(0) & ":\\log.txt"

Set objFSO = CreateObject("Scripting.FileSystemObject")

If objFSO.FileExists(strFilename) Then

   Set objTextFile = objFSO.OpenTextFile(strFilename, 8 )

Else

   Set objTextFile = objFSO.CreateTextFile(strFilename)

End If

objTextFile.WriteLine Now()

objTextFile.Close

You start it with this command: USBVirusScan.exe wscript log.vbs %c

Example of the content of the log file after inserting the USB drive twice:

14/10/2006 17:05:00
14/10/2006 17:05:21

I used sample code for system tray programming from this Code Project article, and for the rest I generate a new GUID and did some cosmetic changes to the original USBDumper code.

Here is a YouTube movie showing you the program starting a virus scan. A hires (XviD) version can be found here.

Download:

USBVirusScan_V1_0_0.zip (https)

MD5: 7EC0D456717162B84A229CC4A8335B51

This ZIP file contains both the executable and the source code. If you don’t plan to modify the source code of this program, you’ll only need to extract USBVirusScan.exe.

Compiled with Borland’s free C++ 5.5 compiler. Tested on Windows XP SP2 and Windows Vista.

Blog at WordPress.com.