Meet Miss Identify
[Feb. 19th, 2008|09:34 pm]
After several months of testing and refinement I am proud to release Miss Identify. Miss Identify is a program to find Win32 applications. In its default mode it displays the filename of any executable that does not have an executable extension (i.e. exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb). In other words, it looks for executables hidden as other file types.
The program can also be run to display all of the executables encountered, regardless of their extensions. This is handy when you're looking for all of the executables on a drive. Other options allow the user to record the strings found in an executable and to work recursively. The manual page has more details.
Here's some sample output. First, we'll search for mislabeled executables:

C:\> missidentify *
C:\missidentify-1.0\sample.jpg

Next, a search for all executables in a given directory:

C:\> missidentify -a *
C:\missidentify-1.0\missidentify.exe

And finally, searching for all executables in the System directory:

C:\> missidentify -ar c:\windows\system32
You can download a Windows executable or the source code. The code has been tested on Linux, FreeBSD, OpenSolaris, and Mac OS X, but should work on most platforms that support the GNU build tools (e.g. OpenBSD, SunOS, VMS, Amiga, Cray XMP, XBox, etc.). Enjoy!
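To make the detection concrete, here is an added Python re-implementation of the idea (example code written for this page, not Miss Identify's own C source). It treats a file as a Win32 executable when it starts with the DOS "MZ" stub and the e_lfanew field at offset 0x3C points at the "PE\0\0" signature; that is the standard PE header test and an assumption about how the tool decides, not taken from its code. Like the tool, it reports only executables with a non-executable extension by default, mirrors -a and -r, and adds an MD5 per hit as suggested in the comments below; the sample files it writes are constructed stand-ins, not real programs.

```python
import hashlib
import os
import struct
import tempfile

# Extensions under which a Win32 executable is expected (the list from the post).
EXEC_EXTENSIONS = {"exe", "dll", "com", "sys", "cpl", "hxs", "hxi", "olb", "rll", "tlb"}

def is_win32_executable(data: bytes) -> bool:
    """PE test: a DOS 'MZ' stub whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Slicing bounds-checks for us: a corrupt e_lfanew yields b"" instead of raising.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def scan(root: str, show_all: bool = False, recursive: bool = False):
    """Return [(path, md5)] of mislabeled executables under root; show_all lists every executable."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not recursive:
            dirnames[:] = []          # prune subdirectories: stay in the top directory
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()   # whole file: it is hashed anyway
            except OSError:
                continue              # unreadable file: skip it, don't abort the scan
            if not is_win32_executable(data):
                continue
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            if show_all or ext not in EXEC_EXTENSIONS:
                hits.append((path, hashlib.md5(data).hexdigest()))
    return hits

# Constructed stand-in for a PE file (NOT a runnable program): MZ stub, e_lfanew = 0x80, PE signature.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80) + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x00" * 20

def demo():
    """Write a few constructed files to a temp dir and return the basenames each mode reports."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"sample.jpg": FAKE_PE, "tool.exe": FAKE_PE, "notes.txt": b"MZ is not enough\n" * 8}
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(data)
        default = [os.path.basename(p) for p, _ in scan(tmp)]
        everything = [os.path.basename(p) for p, _ in scan(tmp, show_all=True)]
    return default, everything
```

scan(r"c:\windows\system32", show_all=True, recursive=True) corresponds to the post's last example; notes.txt in demo() shows that "MZ" alone is not treated as an executable.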
The README.TXT in the zip file shows the command in the examples as "ssdeep" instead of "missidentify":
C:\> ssdeep *
C:\> ssdeep -a *
D'oh! Sorry, I should have been a bit more gentle in my wording instead of just blurting out the issue.
This does look like a cool tool, Jesse. I just wanted to help out by shining a light on the documentation discrepancy. :)
Again, my apologies at being a bit gruff!
You're right, oops. I've checked a fix into SVN for the next version. Serves me right for trying to reuse old documentation! [grin]. Hopefully people won't get too confused in the meantime.
Don't worry about being gentle with the above; it's fine. I've gotten user feedback along the lines of, "I DOWNLOAD YOUR PROGRAM IT DOSENT WORK. I CLICK IT AND NOHING HAPPENS. A WINDOW APPEAR AND GOES AWAY. WHY DOESNT YOUR PROGRAM WORK. YOU MUST HAVE A BUG!!!1!"
True, but I didn't want to be "That Guy". I'm quite happy being "That Guy" at work...toward people that are getting paid to produce our products and should know better, dammit. (Except, as I've recently lamented to cipherpunk, I'm getting tired of feeling like...if I don't make the effort to be "That Guy", nobody else will!)
But I don't want to be "That Guy" toward someone who volunteered their own time and effort to share an application.
One thing that I've noticed is that there are a fair number of hits that pop up from scanning the browser cache, but since the browser usually chooses arbitrary filenames for stuff in the cache, these files may well be legitimate... Dunno.
Well, what better place to hide than the user's browser cache? Files go in and out of there all the time, have random names, and are rarely looked at... Hmm....
While you certainly have a point, the browser cache is also a vulnerable place to try to live. In theory, at least, the browser cache should be wiped on a regular basis. So to keep a file in the browser cache, I would think you would need some sort of hook, elsewhere, to recreate that file in the browser cache.
Of course, I'm not arguing against your point. You and cipherpunk have much more experience thinking about these things than I. The bulk of my experience is just cleaning up after a machine is afflicted. But I usually relied on tools created by others.
Bonus points if you can also produce MD5/SHA1/whatever hashes of misidentified files to help in malware identification.
Damn it, and here I was going to try and write it up as a patch. :)
Nothing is stopping you! [grin] IMHO it might be easiest to reuse the md5.c code from md5deep. It's already set up to use a state variable as found in Miss Identify. Just please don't make too much fun of my humble C code.
I'll take a look in the next day or so. My big concern, though, is that the needs of software forensics are often not the same as the needs of software engineering: e.g., while I would normally have absolutely no qualms about writing procedural code in C++ and specifying C linkage (on the theory that G++ is available almost everywhere GCC is), I know that incident responders hate to have dependencies on anything but the standard C library, and even then, that would be nice to avoid if possible.
Anyway. I'll holler at you some about coding standards and whatnot, in order to see if I can't make this as simple and as peaceable a patch as possible.
Although I don't have a problem with g++, please be sure that whatever you write can handle Unicode filenames when being cross compiled to Win32. The MinGW cross compiler has g++, but has some special functions for Unicode characters.
If you have issues getting the buildcross script to work I can upload a package that builds it all automagically.
I wonder if you could somehow generate a signature for the executable portion of the file, in case it is padded out, somehow, with real image data...
But I also wasn't thinking about creating a signature to compare across the same drive, but was thinking in terms of cipherpunk's suggestion to aid in future malware detection...
Although, I'll look at this, anyway. I have a hard drive full of copies of prior hard drives full of copies of prior hard drives...it would be nice to have a good tool to work through all the duplicates.
I've used md5deep for this, in the past...but never finished the Perl script I wrote to process the output the way I wanted...
2008-02-22 05:11 pm (UTC)
Looks like a cool program Jesse. Would adding an option to notify you if a program Miss Identify finds is set to autorun when Windows loads, is a running process, or is encrypted/packed be of use?
Very cool - I think this will be a fine addition to the RAPIER module options - will recommend to folks they incorporate it into their