Bug#468221: ITP: missidentify -- a program to find win32 applications

Monniez Christophe d-fence at swing.be
Wed Feb 27 21:29:16 UTC 2008


On mer, 2008-02-27 at 21:02 +0000, brian m. carlson wrote:
> What does this do that file(1) does not?
> 
> lakeview ok % file setup.exe 
> setup.exe: MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit, UPX compressed
> 

It searches for executable files that don't have the right extension.
The main goal is to find malicious win32 executables on compromised systems.

You can do that with file, but you have to script a lot.

$ find /target ! -iname "*.exe" -exec file '{}' ';' | egrep "MS-DOS executable"

This simple example does not take the whole bunch of possible extensions
into account, nor the possible different descriptions that "file" has
for win32 executables.

missidentify will certainly do a better and faster job on real systems
with thousands of files.


--
Christophe Monniez
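As an added illustration of the extension-independent check the post describes (this is example code, not missidentify's source or anything from the thread): a small Python scanner that flags files whose content carries a PE header (MZ stub, e_lfanew, "PE\0\0") but whose extension is not one Windows normally uses for executables. The extension list and the sample directory tree are constructed for the example; a packed file such as the UPX-compressed setup.exe quoted above still keeps this header, so it is still detected.

```python
import os
import struct
import tempfile
from pathlib import Path
from typing import Iterator, List

# Constructed list of extensions under which a PE image is expected; anything
# else holding a PE header is reported as misnamed.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of PE header
    if e_lfanew + 4 > len(data):  # truncated file or bogus offset
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_misnamed_pe(root: Path, allowed=PE_EXTENSIONS) -> Iterator[Path]:
    """Walk root and yield regular files that are PE images with an unexpected extension."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or p.suffix.lower() in allowed:
                continue
            try:
                with open(p, "rb") as fh:
                    head = fh.read(4096)  # headers live in the first few KiB
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if is_pe(head):
                yield p


def make_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE-looking header used only to exercise the scanner."""
    buf = bytearray(e_lfanew + 4)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(buf)


def demo() -> List[str]:
    """Build a constructed tree and return the flagged paths relative to its root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "setup.exe").write_bytes(make_fake_pe())        # expected name, not flagged
        (root / "notes.txt").write_bytes(b"just text")           # not a PE at all
        (root / "holiday.jpg").write_bytes(make_fake_pe())       # PE hiding behind .jpg
        (root / "sub").mkdir()
        (root / "sub" / "report.pdf").write_bytes(make_fake_pe(0x100))
        (root / "sub" / "old.dat").write_bytes(b"MZ" + b"\0" * 70)  # MZ stub, no PE signature
        return sorted(str(p.relative_to(root)) for p in find_misnamed_pe(root))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```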





