jessekornblum (jessekornblum) wrote,

Meet Miss Identify

After several months of testing and refinement I am proud to release Miss Identify. Miss Identify is a program to find Win32 applications. In its default mode it displays the filename of any executable that does not have an executable extension (i.e. exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb). In other words, it looks for executables hidden as other file types.

The program can also be run to display all of the executables encountered, regardless of their extensions. This is handy when you're looking for all of the executables on a drive. Other options allow the user to record the strings found in an executable and to work recursively. The manual page has more details.

Here's some sample output. First, we'll search for mislabeled executables:

    C:\> missidentify *
    C:\missidentify-1.0\sample.jpg

Next, a search for all executables in a given directory:

    C:\> missidentify -a *
    C:\missidentify-1.0\sample.jpg
    C:\missidentify-1.0\missidentify.exe

And finally, searching for all executables in the System directory:

    C:\> missidentify -ar c:\windows\system32
    ...
    C:\WINDOWS\System32\ntdll.dll
    C:\WINDOWS\System32\ntoskrnl.exe
    C:\WINDOWS\System32\NEVER-GONNA-CATCH-ME.EXE
    C:\WINDOWS\System32\ntver.dll
    ...
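To make the extension-versus-content check concrete, here is an added example (not Miss Identify's own code) that reproduces the default mode and the -a and -r switches described above. It assumes the executable test is a PE header check (an "MZ" DOS header whose e_lfanew field points at a "PE\0\0" signature); the post does not say how the tool itself decides, so that is an assumption, and make_sample_pe() builds a constructed buffer for testing rather than a real binary.

```python
import os
import struct
# Extensions the post lists as "executable"; a PE file with any other extension is suspect.
EXEC_EXTENSIONS = {"exe", "dll", "com", "sys", "cpl", "hxs", "hxi", "olb", "rll", "tlb"}

def is_pe_image(data: bytes) -> bool:
    """True if data starts with an 'MZ' DOS header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):          # truncated file or bogus header offset
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def has_executable_extension(path: str) -> bool:
    return os.path.splitext(path)[1].lstrip(".").lower() in EXEC_EXTENSIONS

def classify(path: str, data: bytes, show_all: bool = False):
    """Report a PE file lacking an executable extension; show_all (-a) reports every PE file."""
    if not is_pe_image(data):
        return None
    if show_all or not has_executable_extension(path):
        return path
    return None

def scan(paths, show_all: bool = False, recursive: bool = False):
    """Run classify() over files/directories (-r walks subdirectories); 64 KiB covers any sane DOS stub."""
    hits = []
    for p in paths:
        files = [p] if os.path.isfile(p) else []
        if os.path.isdir(p):
            for dirpath, dirnames, names in os.walk(p):
                if not recursive:
                    dirnames[:] = []        # stop os.walk from descending
                files.extend(os.path.join(dirpath, n) for n in names)
        for f in files:
            with open(f, "rb") as fh:
                hit = classify(f, fh.read(65536), show_all)
            if hit:
                hits.append(hit)
    return hits

def make_sample_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed test input: the smallest buffer is_pe_image() accepts, not a real binary."""
    buf = bytearray(e_lfanew + 4)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(buf)
```

Because the decision rests on file content, renaming a binary to .jpg does not hide it, which is exactly the case the first sample run above reports.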
You can download a Windows executable or the source code. The code has been tested on Linux, FreeBSD, OpenSolaris, and Mac OS X, but should work on most platforms that support the GNU build tools (e.g. OpenBSD, SunOS, VMS, Amiga, Cray XMP, XBox, etc.). Enjoy!
Tags: forensics