Tuesday, April 26, 2016

PowerShell v2 Function Get-FileSignature

I started working on this one a few weeks ago, but finally wrapped up a working first version of a function that validates file signatures against extensions. It's basic, but in simple usage it returns $true, $false, or "No matching signatures were found.", indicating whether the file passed to the -FullName (aliased -Path) parameter has a signature matching its extension. I have a pretty raw file signature database I pulled off Gary Kessler's site, but it works well enough for this proof of concept:
http://www.garykessler.net/software/FileSigs_20110719.zip
To run it with basic options, call the function like this, which returns a basic result:
Get-FileSignature -Fullname C:\Windows\System32\cmd.exe
True
If you want to pass pipelined objects to it as well, you can like this:
Get-ChildItem "C:\Windows\System32\c*" |
Where {!$_.PSIsContainer} |
% { Get-FileSignature -Fullname $_.fullname}
When you run it this way you get one of the three results listed above:
True
True
True
True
True
True
True
True
True
True
True
True
No match in database
A more useful example would be:
Get-ChildItem "C:\Windows\System32\c*" | Where {!$_.PSIsContainer} |
% { Get-FileSignature -Fullname $_.fullname}
which returns:
cabinet.dll - True
cabview.dll - True
cacls.exe - True
calc.exe - True
capiprovider.dll - True
capisp.dll - True
catsrv.dll - True
catsrvps.dll - True
catsrvut.dll - True
cca.dll - True
cdd.dll - True
cdosys.dll - True
cero.rs - No match in database
Some of the more "advanced" features are:

  • -UpdateSignatures: update the database
  • -Suggestion: predictive analysis which returns possible matches based on file signatures
In my case, I point the signature database at a directory on my machine. If that location does not exist the first time you run the script, it will be created for you. This option is best run outside of a pipelined command, as it will continuously prompt you to test, download, and update the .zip. Below is an example of how to run it:
Get-FileSignature -UpdateSignatures
To run the suggestions (useful if you are not sure about a given extension's validity) you can use this:
Get-ChildItem "C:\Windows\System32\c*" |
Where {!$_.PSIsContainer} |
% { Get-FileSignature -Fullname $_.fullname -Suggestion} |
select filename, fileextensions
This is a VERY chatty option unless you are dealing with obscure directories. In this case, here is a "small" sample output:
FileName                                                      FileExtensions                                              
--------                                                      --------------                                             
cabinet.dll                                                   COM|DLL|DRV|EXE|PIF|QTS|QTX|SYS                             
cabinet.dll                                                   ACM                                                        
cabinet.dll                                                   AX                                                         
cabinet.dll                                                   CPL                                                        
cabinet.dll                                                   FON                                                        
cabinet.dll                                                   OCX                                                        
cabinet.dll                                                   OLB                                                        
cabinet.dll                                                   SCR                                                        
cabinet.dll                                                   VBX                                                        
cabinet.dll                                                   VXD|386                                                    
cabinet.dll                                                   API                                                        
cabinet.dll                                                   AX                                                         
cabinet.dll                                                   FLT                                                        
cabinet.dll                                                   ZAP                                                        
cabview.dll                                                   COM|DLL|DRV|EXE|PIF|QTS|QTX|SYS                            
cabview.dll                                                   ACM                                                        
cabview.dll                                                   AX                                                         
cabview.dll                                                   CPL                                                         
cabview.dll                                                   FON                                                        
cabview.dll                                                   OCX                                                         
cabview.dll                                                   OLB                                                        
cabview.dll                                                   SCR                                                         
cabview.dll                                                   VBX                                                        
cabview.dll                                                   VXD|386                                                     
cabview.dll                                                   API                                                        
cabview.dll                                                   AX                                                         
cabview.dll                                                   FLT                                                        
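As an added example (not the post's code) of the mechanics behind Get-FileSignature, here is a cut-down PowerShell version that reads a file's leading bytes and checks them against a small constructed signature table, including the -Suggestion behaviour described above. The function names Get-HeaderHex and Test-FileSignature, the signature table and the demo file are all assumptions of this example, not from the post or from Gary Kessler's database.

```powershell
# Constructed signature table for this example (the post's function loads Gary Kessler's
# database instead): Hex = magic bytes at offset 0, Extensions = the group in "A|B|C" form.
$SignatureTable = @(
    @{ Extensions = 'COM|DLL|DRV|EXE|PIF|QTS|QTX|SYS'; Hex = '4D 5A' },
    @{ Extensions = 'ZIP|DOCX|XLSX|JAR';              Hex = '50 4B 03 04' },
    @{ Extensions = 'PNG';                            Hex = '89 50 4E 47 0D 0A 1A 0A' },
    @{ Extensions = 'PDF';                            Hex = '25 50 44 46' }
)

function Get-HeaderHex {
    # Read the first $Count bytes of a file as space-separated uppercase hex ("4D 5A 90 ...").
    param([string]$Path, [int]$Count = 16)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $Count
        $n = $fs.Read($buf, 0, $Count)
    } finally { $fs.Close() }
    if ($n -eq 0) { return '' }
    return (($buf[0..($n - 1)] | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')
}

function Test-FileSignature {
    # Same contract as the post's Get-FileSignature: $true/$false when the extension is in
    # the table, 'No match in database' when it is not; -Suggestion instead returns every
    # extension group whose magic bytes match, ignoring the extension the file carries.
    param(
        [Parameter(Mandatory = $true)][Alias('Path')][string]$FullName,
        [switch]$Suggestion
    )
    $header = Get-HeaderHex -Path $FullName
    $ext = [System.IO.Path]::GetExtension($FullName).TrimStart('.').ToUpper()
    if ($Suggestion) {
        return $SignatureTable |
            Where-Object { $header.StartsWith($_.Hex) } |
            ForEach-Object { $_.Extensions }
    }
    $known = @($SignatureTable | Where-Object { ($_.Extensions -split '\|') -contains $ext })
    if ($known.Count -eq 0) { return 'No match in database' }
    foreach ($sig in $known) { if ($header.StartsWith($sig.Hex)) { return $true } }
    return $false
}

# Demo on a constructed file: an MZ (PE) header saved under a .txt extension. The first call
# validates the header against the .txt extension; the second lists every group it matches.
$demo = Join-Path $env:TEMP 'sigdemo.txt'
[System.IO.File]::WriteAllBytes($demo, [byte[]](0x4D, 0x5A, 0x90, 0x00))
Test-FileSignature -FullName $demo
Test-FileSignature -FullName $demo -Suggestion
Remove-Item $demo
```

Matching only the bytes at offset 0 is a deliberate simplification; Kessler's database also records signatures at non-zero offsets, and a header match says nothing about the rest of the file. The demo shows why -Suggestion matters to a defender: a file whose extension is absent from the database is not "safe", it is merely unclassified until its magic bytes are consulted.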
