jessekornblum (jessekornblum) wrote,

Meet Miss Identify

After several months of testing and refinement I am proud to release Miss Identify. Miss Identify is a program to find Win32 applications. In it's default mode it displays the filename of any executable that does not have an executable extension (i.e. exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb). In other words, it looks for executables hidden as other file types.

The program can also be run to display all of the executables encountered, regardless of their extensions. This is handy when you're looking for all of the executables on a drive. Other options allow the user to record the strings found in an executable and to work recursively. The manual page has more details.

Here's some sample output. First, we'll search for mislabeled executables:
C:\> missidentify *
Next, a search for all executables in a given directory:
C:\> missidentify -a * 
And finally, searching for all executables in the System directory:
C:\> missidentify -ar c:\windows\system32
You can download a Windows executable or the source code. The code has been tested on Linux, FreeBSD, Open Solaris, and Mac OS X, but should work on most platforms that support the GNU build tools (e.g. OpenBSD, SunOS, VMS, Amiga, Cray XMP, XBox, etc.) Enjoy!
Tags: forensics
  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded