Didier Stevens

Wednesday 3 September 2014

Introducing Filescanner.exe

Filed under: My Software — Didier Stevens @ 0:17

Filescanner is a tool I started to develop almost 2 years ago.

Back then, I needed a stand-alone, single executable tool that would allow me to search for files based on their content. Filescanner is a Windows tool.

Without any options, the tool will report some properties of the scanned file:

20140902 225258

Remark that the first 4 bytes of the scanned file are reported.

Here are the options:


Option -f does a full read of the file and calculates some properties like entropy, md5, …


You can also output CSV with option -v and search through subfolders with option -s.

Rules can be defined to select specific files. For example, with option -r, I can specify a single rule that will be used to select files.

Here is a rule named EXE that triggers when the content of a file starts with MZ: EXE:start:str=MZ


A single rule can be passed as a command-line argument or be encoded in the executable filename. If you require more than 1 rule, put them inside a text file to define a ruleset.

Options -a and -A specify the ruleset to use. Here is an example of a ruleset:


Rules can also be defined for MD5 hashes.

In a next post, I’ll explain in detail the rule syntax.

FileScanner_V0_0_0_1.zip (https)
MD5: 9EE883A4E28A6D0649F6D7787BD76ED4
SHA256: 5AA71E6F4FED8E45A22B49FD9A0417933F7218AF9300FDEF24FEF696CF012F61

Blog at WordPress.com.