Bug#468221: ITP: missidentify -- a program to find win32 applications



On mer, 2008-02-27 at 21:02 +0000, brian m. carlson wrote:
> What does this do that file(1) does not?
> 
> lakeview ok % file setup.exe 
> setup.exe: MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit, UPX compressed
> 

It searches for executable files that don't have the right extension.
The main goal is to find malicious win32 executables on compromised systems.

You can do that with file, but you have to script a lot.

$ find /target ! -iname "*.exe" -exec file '{}' ';' | egrep "MS-DOS executable"

This simple example does not take the whole bunch of possible extensions
into account, nor the possible different descriptions that "file" has
for win32 executables.

missidentify will certainly do a better and faster job on real systems
with thousands of files.


--
Christophe Monniez
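The check the thread describes, identifying win32 executables by their content rather than by their file name, is small enough to show in full. The script below is an added example for this page; it is not code from missidentify, from the Debian package, or from either poster. It treats a file as a PE executable when it starts with an MZ DOS header whose e_lfanew field points at the `PE\0\0` signature, and reports every such file whose extension is not in an assumed allow-list (`EXPECTED_PE_EXTENSIONS`, my choice, not something the thread specifies). The sample files it scans are constructed in a temporary directory so the example runs offline.

```python
"""Locate PE executables that do not carry an executable-style extension.

Added example for the missidentify ITP thread (not the program's own code):
it inspects file contents for the MZ/PE signatures instead of trusting the
file name, so a renamed setup.exe is still reported.
"""
import os
import struct
import tempfile

# Assumed allow-list: extensions under which a PE file is expected.
# Anything else carrying a PE signature is worth a forensic look.
EXPECTED_PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}


def is_pe_file(path):
    """Return True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as fh:
            dos_header = fh.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            # e_lfanew: little-endian uint32 at offset 0x3C of the DOS header.
            (e_lfanew,) = struct.unpack_from("<I", dos_header, 0x3C)
            # Reject offsets that cannot be a real PE header (inside the DOS
            # header or absurdly far out) so corrupt files are not misreported.
            if e_lfanew < 64 or e_lfanew > 0x10000:
                return False
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def find_misnamed_pe(root):
    """Walk root and return sorted paths of PE files whose extension is unexpected."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow links out of the evidence tree
            ext = os.path.splitext(name)[1].lower()
            if ext in EXPECTED_PE_EXTENSIONS:
                continue
            if is_pe_file(path):
                hits.append(path)
    return sorted(hits)


def make_pe_stub():
    """Constructed sample: the smallest byte string that passes is_pe_file()."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> 0x80
    return bytes(dos) + b"\x00" * (0x80 - 64) + b"PE\x00\x00" + b"\x00" * 16


def demo():
    """Write constructed samples to a temp dir and return the misnamed PE paths (relative)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "setup.exe": make_pe_stub(),           # PE with a proper extension: not reported
            "report.pdf": make_pe_stub(),          # PE disguised as a document: reported
            "notes.txt": b"MZ is just text here",  # MZ prefix but no PE signature: not reported
            "image.jpg": b"\xff\xd8\xff\xe0",      # unrelated binary: not reported
        }
        os.makedirs(os.path.join(root, "sub"))
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        with open(os.path.join(root, "sub", "cache.dat"), "wb") as fh:
            fh.write(make_pe_stub())               # PE in a subdirectory: reported
        return sorted(os.path.relpath(p, root) for p in find_misnamed_pe(root))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Point `find_misnamed_pe()` at a mounted image of the system under investigation instead of the temporary directory to use it for real; because it reads only the first bytes of each file and the four bytes at e_lfanew, it stays cheap even on trees with thousands of files, which is the case the thread is concerned with.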
