A Geek Raised by Wolves - Meet Miss Identify
jessekornblum

Meet Miss Identify [Feb. 19th, 2008|09:34 pm]

After several months of testing and refinement I am proud to release Miss Identify. Miss Identify is a program to find Win32 applications. In its default mode it displays the filename of any executable that does not have an executable extension (i.e. exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb). In other words, it looks for executables hidden as other file types.

The program can also be run to display all of the executables encountered, regardless of their extensions. This is handy when you're looking for all of the executables on a drive. Other options allow the user to record the strings found in an executable and to work recursively. The manual page has more details.

Here's some sample output. First, we'll search for mislabeled executables:

C:\> missidentify *
C:\missidentify-1.0\sample.jpg

Next, a search for all executables in a given directory:

C:\> missidentify -a *
C:\missidentify-1.0\sample.jpg
C:\missidentify-1.0\missidentify.exe

And finally, searching for all executables in the System directory:

C:\> missidentify -ar c:\windows\system32
...
C:\WINDOWS\System32\ntdll.dll
C:\WINDOWS\System32\ntoskrnl.exe
C:\WINDOWS\System32\NEVER-GONNA-CATCH-ME.EXE
C:\WINDOWS\System32\ntver.dll
...
You can download a Windows executable or the source code. The code has been tested on Linux, FreeBSD, OpenSolaris, and Mac OS X, but should work on most platforms that support the GNU build tools (e.g. OpenBSD, SunOS, VMS, Amiga, Cray XMP, XBox, etc.). Enjoy!
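The check the post describes, deciding by content rather than by extension, comes down to reading the Win32 PE header: an "MZ" DOS stub, the e_lfanew offset at byte 0x3C, and the "PE\0\0" signature at that offset. The following is an added Python example written for this page, not Miss Identify's own C code. It walks a directory the way the -r option does, reports PE files whose extension is outside the list in the post (the default mode) or every PE file (the -a mode), and adds a SHA-256 of each hit so a responder can look the file up afterwards. The sample tree it scans is constructed inside the script with minimal PE-looking blobs, so it runs offline; the file names mirror the post's examples.

```python
import hashlib
import os
import struct
import tempfile
from pathlib import Path

# Extensions the post lists as "executable"; any PE file with another
# extension is reported as a mislabeled executable.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".com", ".sys", ".cpl",
    ".hxs", ".hxi", ".olb", ".rll", ".tlb",
}


def is_pe_file(path):
    """Return True if the file carries a Win32 PE header.

    The check reads the "MZ" DOS stub, the 32-bit little-endian e_lfanew
    offset stored at byte 0x3C, and the "PE\\0\\0" signature at that
    offset. The file extension is deliberately ignored; content decides.
    """
    try:
        with open(path, "rb") as f:
            dos_header = f.read(0x40)
            if len(dos_header) < 0x40 or dos_header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos_header, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def sha256_of(path):
    """Hash the file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_executables(root, show_all=False):
    """Walk `root` recursively and return sorted (path, sha256) pairs.

    show_all=False mirrors the default mode (only mislabeled executables);
    show_all=True mirrors -a (every PE file regardless of extension).
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_pe_file(path):
                continue
            mislabeled = Path(name).suffix.lower() not in EXECUTABLE_EXTENSIONS
            if show_all or mislabeled:
                hits.append((path, sha256_of(path)))
    return sorted(hits)


def fake_pe(e_lfanew=0x80):
    """Constructed minimal PE-looking blob for the demo; not a runnable program."""
    header = bytearray(e_lfanew)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 0x40


def build_sample_tree():
    """Create a constructed sample directory mirroring the post's examples."""
    root = tempfile.mkdtemp(prefix="missidentify-")
    (Path(root) / "sample.jpg").write_bytes(fake_pe())        # PE hidden as an image
    (Path(root) / "missidentify.exe").write_bytes(fake_pe())  # PE with a proper extension
    (Path(root) / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # JPEG magic, not PE
    cache = Path(root) / "cache"
    cache.mkdir()
    (cache / "MZ-text.txt").write_bytes(b"MZ is only the first two bytes")  # MZ but no PE header
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, digest in find_executables(root, show_all=True):
        print(f"{digest}  {path}")
```

In the default mode only sample.jpg is reported; with show_all=True missidentify.exe appears as well, and the two files that merely resemble executables (JPEG magic, a text file starting with "MZ") are ignored because the PE signature is never found.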

Comments:
From: capnbuckle
2008-02-20 03:45 am (UTC)

The README.TXT in the zip file shows the command in the examples as "ssdeep" instead of "missidentify":

C:\> ssdeep *
c:\missidentify-1.0\sample.jpg

C:\> ssdeep -a *
C:\missidentify-1.0\sample.jpg
C:\missidentify-1.0\ssdeep.exe
From: capnbuckle
2008-02-20 03:50 am (UTC)

D'oh! Sorry, I should have been a bit more gentle in my wording instead of just blurting out the issue.

This does look like a cool tool, Jesse. I just wanted to help out by shining a light on the documentation discrepancy. :)

Again, my apologies at being a bit gruff!
From: jessekornblum
2008-02-20 11:12 am (UTC)

You're right, oops. I've checked a fix into SVN for the next version. Serves me right for trying to reuse old documentation! [grin]. Hopefully people won't get too confused in the meantime.

Don't worry about being gentle with the above; it's fine. I've gotten user feedback along the lines of, "I DOWNLOAD YOUR PROGRAM IT DOSENT WORK. I CLICK IT AND NOHING HAPPENS. A WINDOW APPEAR AND GOES AWAY. WHY DOESNT YOUR PROGRAM WORK. YOU MUST HAVE A BUG!!!1!"

From: capnbuckle
2008-02-21 12:56 am (UTC)

True, but I didn't want to be "That Guy". I'm quite happy being "That Guy" at work...toward people that are getting paid to produce our products and should know better, dammit. (Except, as I've recently lamented to cipherpunk, I'm getting tired of feeling like...if I don't make the effort to be "That Guy", nobody else will!)

But I don't want to be "That Guy" toward someone who volunteered their own time and effort to share an application.

*shrug*

One thing that I've noticed is that there are a fair number of hits that pop up from scanning the browser cache, but since the browser usually chooses arbitrary filenames for stuff in the cache, these files may well be legitimate... Dunno.
From: jessekornblum
2008-02-21 01:33 am (UTC)

Well, what better place to hide than the user's browser cache? Files go in and out of there all the time, have random names, and are rarely looked at... Hmm....
From: capnbuckle
2008-02-22 01:29 am (UTC)

While you certainly have a point, the browser cache is also a vulnerable place to try to live. In theory, at least, the browser cache should be wiped on a regular basis. So to keep a file in the browser cache, I would think you would need some sort of hook, elsewhere, to recreate that file in the browser cache.

Of course, I'm not arguing against your point. You and cipherpunk have much more experience thinking about these things than I. The bulk of my experience is just cleaning up after a machine is afflicted. But I usually relied on tools created by others.
From: cipherpunk
2008-02-20 02:06 pm (UTC)

Bonus points if you can also produce MD5/SHA1/whatever hashes of misidentified files to help in malware identification.
From: jessekornblum
2008-02-20 10:56 pm (UTC)

oooh... now that is a good idea. Duly noted!
From: cipherpunk
2008-02-20 11:10 pm (UTC)

Damn it, and here I was going to try and write it up as a patch. :)
From: jessekornblum
2008-02-20 11:13 pm (UTC)

Nothing is stopping you! [grin] IMHO it might be easiest to reuse the md5.c code from md5deep. It's already set up to use a state variable as found in miss identify. Just please don't make too much fun of my humble C code.
From: cipherpunk
2008-02-20 11:19 pm (UTC)

I'll take a look in the next day or so. My big concern, though, is that the needs of software forensics are often not the same as the needs of software engineering: e.g., while I would normally have absolutely no qualms about writing procedural code in C++ and specifying C linkage (on the theory that G++ is available almost everywhere GCC is), I know that incident responders hate to have dependencies on anything but the standard C library, and even then, that would be nice to be avoided if possible.

Anyway. I'll holler at you some about coding standards and whatnot, in order to see if I can't make this as simple and as peaceable a patch as possible.
From: jessekornblum
2008-02-21 01:37 am (UTC)

Although I don't have a problem with g++, please be sure that whatever you write can handle Unicode filenames when being cross-compiled to Win32. The MinGW cross compiler has g++, but has some special functions for Unicode characters.

If you have issues getting the buildcross script to work I can upload a package that builds it all automagically.
From: capnbuckle
2008-02-21 12:59 am (UTC)

I wonder if you could somehow generate a signature for the executable portion of the file, in case it is padded out, somehow, with real image data...
From: jessekornblum
2008-02-21 01:38 am (UTC)

Have you tried using fuzzy hashes?
From: capnbuckle
2008-02-22 01:33 am (UTC)

Well, no.

But I also wasn't thinking about creating a signature to compare across the same drive, but was thinking in terms of cipherpunk's suggestion to aid in future malware detection...

Although, I'll look at this, anyway. I have a hard drive full of copies of prior hard drives full of copies of prior hard drives... it would be nice to have a good tool to work through all the duplicates.

I've used md5deep for this, in the past...but never finished the Perl script I wrote to process the output the way I wanted...
From: (Anonymous)
2008-02-22 05:11 pm (UTC)

Looks like a cool program Jesse. Would adding an option to notify you if a program Miss Identify finds is set to autorun when Windows loads, is a running process, or is encrypted/packed be of use?
From: pdxsharkey
2008-06-01 10:40 pm (UTC)

Thanks

Very cool - I think this will be a fine addition to the RAPIER module options - will recommend to folks they incorporate it into their modules.

Good job!