jessekornblum (jessekornblum) wrote,

md5deep 4.1 with Windows executable identification

This morning I have published md5deep version 4.1. There is one new feature, an expert mode which processes Windows PE (executable) files. Traditionally expert mode has been used to include or exclude symbolic links, block files, etc. But a recent feature request asked for the ability to recognize and hash PE files. Using the functionality I wrote for Miss Identify, I've added the feature to md5deep and hashdeep.

Here's an example of the new feature in action. First, we recursively hash a directory tree without any restrictions:
C:\temp>md5deep -r .
2baa55c512b251ba3ca882fcf14bde7f  C:\temp\bar\EVILEVIL.txt
3fed0738937bb96527cf6e7b17299d23  C:\temp\bar\sha1deep.exe
6dd4566eb245627b49f3abb7e4502dd6  C:\temp\bar\sometext.txt
3fed0738937bb96527cf6e7b17299d23  C:\temp\bin\hashdeep.exe
4bcd10a9e5a367e91df7dbc55f7a22f5  C:\temp\foo.txt
607e033a16006ed1e9987cfc62562f72  C:\temp\hexdump.exe

Note the two "text" files, foo.txt and EVILEVIL.txt. When we request that md5deep only hash Windows executables, we see the latter was mislabeled! The program displays a warning about this file and hashes it:
C:\temp>md5deep -r -o e .
C:\temp\bar\EVILEVIL.txt: Is Windows executable but does not have executable extension
2baa55c512b251ba3ca882fcf14bde7f  C:\temp\bar\EVILEVIL.txt
3fed0738937bb96527cf6e7b17299d23  C:\temp\bar\sha1deep.exe
3fed0738937bb96527cf6e7b17299d23  C:\temp\bin\hashdeep.exe
607e033a16006ed1e9987cfc62562f72  C:\temp\hexdump.exe
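
The following Python example, added here and not taken from md5deep or Miss Identify, reproduces the behaviour shown above using the standard MZ/PE signature check on file contents rather than file names. The extension list, function names and sample files are assumptions made for the example.

```python
import hashlib
import os
import struct
import tempfile

# Assumed extension list for this example; md5deep's own list is not given in the post.
EXEC_EXTS = {".exe", ".dll", ".sys", ".com", ".scr", ".ocx", ".cpl"}

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"

def hash_executables(root):
    """Walk root, return (md5, path, mislabeled) for every PE file found."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                if not is_pe(path):
                    continue
                with open(path, "rb") as f:
                    digest = hashlib.md5(f.read()).hexdigest()
            except OSError:
                continue  # unreadable file: skip it and keep walking
            ext = os.path.splitext(name)[1].lower()
            results.append((digest, path, ext not in EXEC_EXTS))
    return results

def make_sample_tree():
    """Constructed sample data: a minimal PE stub under two names plus real text."""
    stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
    root = tempfile.mkdtemp()
    for name, data in [("EVILEVIL.txt", stub), ("tool.exe", stub),
                       ("foo.txt", b"just text\n"), ("short.exe", b"MZ")]:
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    for digest, path, mislabeled in hash_executables(make_sample_tree()):
        if mislabeled:
            print(f"{path}: has PE signature but no executable extension")
        print(f"{digest}  {path}")
```

The constructed `short.exe` holds only the two bytes `MZ`, so it is skipped despite its extension: the check follows the header to the PE signature instead of trusting the name or the first two bytes.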

There is also one bug fix in this release, better handling of junction points on Windows. As usual you can download a Windows executable or the *nix source code.
Tags: hashing, md5deep