Didier Stevens

Wednesday 3 September 2014

Introducing Filescanner.exe

Filed under: My Software — Didier Stevens @ 0:17

Filescanner is a tool I started to develop almost 2 years ago.

Back then, I needed a stand-alone, single executable tool that would allow me to search for files based on their content. Filescanner is a Windows tool.

Without any options, the tool will report some properties of the scanned file:

20140902 225258

Remark that the first 4 bytes of the scanned file are reported.

Here are the options:

20140902-225711

Option -f does a full read of the file and calculates some properties like entropy, md5, …

20140902-225858

You can also output CSV with option -v and search through subfolders with option -s.

Rules can be defined to select specific files. For example, with option -r, I can specify a single rule that will be used to select files.

Here is a rule named EXE that triggers when the content of a file starts with MZ: EXE:start:str=MZ

20140902-230520

A single rule can be passed as a command-line argument or be encoded in the executable filename. If you require more than 1 rule, put them inside a text file to define a ruleset.

Options -a and -A specify the ruleset to use. Here is an example of a ruleset:

exhaustive
PK:start:str=PK
$META:icontent:str=MANIFEST.MF
JAR:and:PK $META
CLASS:start:CAFEBABE
MZ:start:4D5A
PDF:start:str=%PDF-
OLE:start:D0CF11E0

Rules can also be defined for MD5 hashes.

In a next post, I’ll explain in detail the rule syntax.

FileScanner_V0_0_0_1.zip (https)
MD5: 9EE883A4E28A6D0649F6D7787BD76ED4
SHA256: 5AA71E6F4FED8E45A22B49FD9A0417933F7218AF9300FDEF24FEF696CF012F61

13 Comments »

  1. The program looks great. But do you know that there are already similar programs:
    * file – http://www.darwinsys.com/file/ – shipped with any unix-os and in Cygwin.
    * other unix utils – md5sum, objdump, winedump, etc.

    So I think you can write your program as bash/tcl/whatever script which call all needed tools. It is not standalone, but does not force you to create another bicycle 🙂
    I recommend you to try Ubuntu or other GNU/Linux, or maybe Cygwin under Windows..

    Comment by Norbert X — Wednesday 3 September 2014 @ 9:24

  2. Thanks for all of the tools and videos you produce. I read this blog every day and really enjoy it! Thank-You!

    Comment by Matt — Wednesday 3 September 2014 @ 17:09

  3. @Norbert That doesn’t match my requirements.

    I started using Unix in 1987, I haven’t seen a program that does what filescanner.exe does. Yara and clam-av are similar, but Yara doesn’t do MD5 and clam-av stops matching after the first rule match.

    Comment by Didier Stevens — Wednesday 3 September 2014 @ 19:49

  4. @Didier
    Thank you for reply and info about Yara. Nice to hear, that you are experienced in Unix technologies too.

    Comment by Norbert X — Wednesday 3 September 2014 @ 20:16

  5. yara3.0 can be extended with custom modules. You could write a module that includes MD5 and still leverage’s the power of yara.

    http://yara.readthedocs.org/en/latest/writingmodules.html

    Comment by Kevin Breen (@KevTheHermit) — Thursday 4 September 2014 @ 14:29

  6. @KevTheHermit Correct, but when I started developing this, Yara 3.0 didn’t exist.

    Comment by Didier Stevens — Thursday 4 September 2014 @ 14:32

  7. Sounds great, will give it a try. Thanks!

    Comment by Calin C. — Monday 8 September 2014 @ 11:41

  8. […] new FileScanner tool allows you to use rules to scan files. Here is how you define […]

    Pingback by FileScanner.exe Part 2 | Didier Stevens — Tuesday 16 September 2014 @ 0:00

  9. Why don’t you include the missing MSVCP120.dll? or instructions where a trusted source is.

    Comment by Mike Gough — Tuesday 16 September 2014 @ 18:14

  10. @Mike That’s the C runtime you are missing. You can get it by installing the “Visual C++ Redistributable Packages for Visual Studio 2013” found here http://www.microsoft.com/en-us/download/details.aspx?id=40784

    But I always use the Release CRT versions. These executables contain the C runtime, so they even run on computers where it is not installed.
    I suggest you try them out before you install the redistributable package.

    Comment by Didier Stevens — Tuesday 16 September 2014 @ 18:21

  11. […] is a new Windows tool I developed. Read part 1 and part 2 for more […]

    Pingback by FileScanner.exe Part 3 | Didier Stevens — Wednesday 17 September 2014 @ 0:00

  12. […] read part 1, part 2 and part 3 for more […]

    Pingback by FileScanner.exe Part 4 | Didier Stevens — Thursday 18 September 2014 @ 0:00

  13. […] output and adds some complexity. Didier responded on Twitter with another tool he also developed: filescanner.exe. This tool does exactly the job we expect by searching for patterns into a file but it runs only on […]

    Pingback by Searching for Microsoft Office Files Containing Macro | /dev/random — Thursday 8 January 2015 @ 21:33


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: