Didier Stevens

Tuesday 16 September 2014

FileScanner.exe Part 2

Filed under: My Software — Didier Stevens @ 0:00

My new FileScanner tool allows you to use rules to scan files. Here is how you define rules.

Rule syntax

If you provide rules to FileScanner, it will only report files that match one rule or several rules (unless you instruct it to report all scanned files). A rule has a name, a type and one or more conditions. These elements are separated by the : character (colon). A name can be any string, and it is best unique if you have several rules (but this is not enforced). If a name starts with a $ character (dollar), the rule is only tested if it is referred to by another rule. Valid rule types are:

  • md5
  • sizemd5
  • start
  • content
  • icontent
  • and

The md5 rule triggers if the file has the specified md5 hash. Example:

PSEXEC2:md5:AEEE996FD3484F28E5CD85FE26B6BDCD

The sizemd5 rule triggers if the file has the specified size and md5 hash. The size is tested first, and the md5 hash is only calculated when the size matches. This speeds up the scan process if you know the size. Example:

PSEXEC:sizemd5:381816:AEEE996FD3484F28E5CD85FE26B6BDCD

The start rule triggers if the content of the file starts with the specified bytes. You can specify these bytes with a hexadecimal sequence or with a string. When using a string, prefix it with keyword str=. This test is case-sensitive. Examples:

MZ:start:4D5A

PK:start:str=PK

The content rule triggers if the file contains the specified bytes. You can specify these bytes with a hexadecimal sequence or with a string. When using a string, prefix it with keyword str=. This test is case-sensitive. Examples:

META:content:4D414E49464553542E4D46

META:content:str=MANIFEST.MF

The icontent rule is identical to the content rule, except that it is not case-sensitive.

The and rule triggers if all specified rules do trigger. The specified rules are tested from left to right, and testing stops if a rule does not trigger. If a specified rule has a name that starts with $, it will also be tested. In the following example, the JAR rule triggers if the $PK and $META rules do trigger.

$PK:start:str=PK
$META:icontent:str=MANIFEST.MF
JAR:and:$PK $META

 

Defining rules

Rules can be defined in a text file. A single rule can be defined via a command-line option or via the executable filename.

A set of rules contained in a text file is passed to the FileScanner tool via command line options -a or -A. With option -a, only files that match one or several rules are analyzed and reported. With option -A, all files are reported. A rule-file can contain comments: lines with the # character as the first character are comments (and ignored). 2 directives can be set in a rule-file:

  • selectallfiles
  • exhaustive

The selectallfiles directive instructs FileScanner to report all files (even with option -a).

The exhaustive directive instructs FileScanner to test all rules defined in the text file. If this directive is not present, rule testing stops after the first rule matches.

Example of a rule-file:

exhaustive
PK:start:str=PK
$META:icontent:str=MANIFEST.MF
JAR:and:PK $META
CLASS:start:CAFEBABE
MZ:start:4D5A
PDF:start:str=%PDF-
OLE:start:D0CF11E0

Specifying a single rule can be done via option -r. Example:

filescanner.exe -sr PSEXEC:sizemd5:381816:AEEE996FD3484F28E5CD85FE26B6BDCD c:\

Finally, if you have to ask an inexperienced user to run filescanner on his machine, you can encode a rule in the filename and send him the program. Example:

filescanner-auto-rule-PSEXEC-sizemd5-381816-AEEE996FD3484F28E5CD85FE26B6BDCD.exe

Download

20140915-175358
FileScanner_V0_0_0_2.zip (https)
MD5: 9A89333C13DBB669A94226F57E5D919A
SHA256: 5F46312B06AE865957A36B95A4C2DDC41F20113B0E51B7F083A50929B38BD0F9

 

7 Comments »

  1. Very nice tool!

    Comment by Sven Faw — Tuesday 16 September 2014 @ 7:16

  2. I am unable to get the Rule file working. What is the format to use a text file. Doing a single MZ:start:4D5A in a file called executable.txt -a executable.txt does not work. command line for the MZ works?

    Comment by Mike Gough — Tuesday 16 September 2014 @ 18:55

  3. @Mike What error do you get? I just tested on my machine and your rule in a text file works.

    Comment by Didier Stevens — Tuesday 16 September 2014 @ 19:11

  4. […] is a new Windows tool I developed. Read part 1 and part 2 for more […]

    Pingback by FileScanner.exe Part 3 | Didier Stevens — Wednesday 17 September 2014 @ 0:00

  5. D:\Tools\File Scanner\FileScanner\x64\Release>FileScanner -As executable.txt d:\malware
    Error parsing analysis file executable.txt

    Comment by Mike Gough — Wednesday 17 September 2014 @ 16:20

  6. @Mike Is it possible your text is UNICODE and not ASCII?

    Comment by Didier Stevens — Wednesday 17 September 2014 @ 16:22

  7. […] read part 1, part 2 and part 3 for more […]

    Pingback by FileScanner.exe Part 4 | Didier Stevens — Thursday 18 September 2014 @ 0:00


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: