Filescanner is a tool I started to develop almost 2 years ago.
Back then, I needed a stand-alone, single executable tool that would allow me to search for files based on their content. Filescanner is a Windows tool.
Without any options, the tool will report some properties of the scanned file.
Note that the first 4 bytes of the scanned file are reported.
Here are the options:
Option -f does a full read of the file and calculates some properties such as entropy, MD5, …
You can also output CSV with option -v and search through subfolders with option -s.
Rules can be defined to select specific files. For example, with option -r, I can specify a single rule that will be used to select files.
Here is a rule named EXE that triggers when the content of a file starts with MZ:

    EXE:start:str=MZ

A single rule can be passed as a command-line argument or be encoded in the executable filename. If you require more than 1 rule, put them inside a text file to define a ruleset.
Options -a and -A specify the ruleset to use. Here is an example of a ruleset:

    exhaustive
    PK:start:str=PK
    $META:icontent:str=MANIFEST.MF
    JAR:and:PK $META
    CLASS:start:CAFEBABE
    MZ:start:4D5A
    PDF:start:str=%PDF-
    OLE:start:D0CF11E0

Rules can also be defined for MD5 hashes.
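To show how a ruleset like the one above classifies files, here is a small Python sketch added to this post; it is not Filescanner's code. That `start` with `str=` matches the beginning of the file comes from the EXE example; reading bare values as hex bytes, `icontent` as a case-insensitive substring test, `and` as requiring every named rule, `$` names as unreported helper rules, and skipping the `exhaustive` line are all assumptions.

```python
# Added illustration, not Filescanner's code. Rule semantics other than
# "start:str=" are assumptions inferred from the rule names on this page.
RULESET = """\
exhaustive
PK:start:str=PK
$META:icontent:str=MANIFEST.MF
JAR:and:PK $META
CLASS:start:CAFEBABE
MZ:start:4D5A
PDF:start:str=%PDF-
OLE:start:D0CF11E0
"""

def parse_value(text):
    """'str=MZ' is a literal string; anything else is assumed to be hex bytes."""
    if text.startswith("str="):
        return text[4:].encode("latin-1")
    return bytes.fromhex(text)

def parse_ruleset(text):
    """Return {name: (kind, argument)}; lines without ':' (e.g. 'exhaustive') are skipped."""
    rules = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, kind, arg = line.split(":", 2)  # maxsplit keeps ':' inside values intact
        rules[name] = (kind, arg.split() if kind == "and" else parse_value(arg))
    return rules

def matches(rules, name, data):
    kind, arg = rules[name]
    if kind == "start":
        return data.startswith(arg)
    if kind == "icontent":  # assumed: case-insensitive "contains"
        return arg.lower() in data.lower()
    if kind == "and":       # assumed: every referenced rule must match
        return all(matches(rules, ref, data) for ref in arg)
    raise ValueError(f"unsupported rule type: {kind}")

def scan(rules, data):
    """Names of matching rules; '$' rules are assumed to be helpers and are not reported."""
    return [n for n in rules if not n.startswith("$") and matches(rules, n, data)]

# Constructed sample contents (not real files).
SAMPLES = {"jar": b"PK\x03\x04....META-INF/manifest.mf....", "exe": b"MZ\x90\x00\x03",
           "pdf": b"%PDF-1.4\n", "txt": b"hello"}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, scan(parse_ruleset(RULESET), data))
```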
In a future post, I’ll explain the rule syntax in detail.