
pevFind - Question and Answer thread



#1 thisisu

  • Malware Response Team
  • 2,208 posts
  • Gender:Male
  • Location:USA

Posted 14 January 2012 - 03:57 AM

Hello,

As of late I have been trying to learn how to use pevFind for finding malware.

Instead of going to Billy for every question I have, and due to his preference so that others may learn too, I took his recommendation to create a thread here for discussions about pevFind.

Here is the URL you can d/l and read about the features of pevFind: https://bitbucket.org/BillyONeal/pevfind

_____________________________________________________________________________________________________________

There will undoubtedly be a lot of questions from me as I am eager to learn about this tool.

Here is my first one:

When I use the following code:

pev.exe -dc:G30 -r -sa:CDATE -sd:NAME --custom:##c . #m  #t  #f# AND "%windir%\*" OR "%windir%\system32\*" >>"%userprofile%\desktop\report.txt"

In the "report.txt" I get some of the following lines:

2011-12-28 19:22:51 . 2011-11-05 04:34:45 ----a-w- C:\Windows\system32\url.dll
2011-12-28 19:22:51 . 2011-11-05 02:48:51 ----a-w- C:\Windows\system32\mshtml.tlb
2011-12-28 19:22:46 . 2011-11-05 04:26:03 ----a-w- C:\Windows\system32\tzres.dll
2011-12-28 19:22:36 . 2011-10-15 05:38:59 ----a-w- C:\Windows\system32\EncDec.dll
1601-01-01 00:00:00 . 1601-01-01 00:00:00 ----a-w- C:\Windows\system32\AERTAC64.dll
1601-01-01 00:00:00 . 1601-01-01 00:00:00 ----a-w- C:\Windows\system32\AERTAR64.dll
1601-01-01 00:00:00 . 1601-01-01 00:00:00 ----a-w- C:\Windows\system32\FMAPO64.dll


The highlighted in red CDATE (Created date) and MDATE (Modified date) are obviously incorrect.

I am performing this command on a Windows 7 x64 system.
Also notice how not ALL system32 files are incorrect, just some of them.
What am I doing wrong here and how can I remedy this?

Edited by thisisu, 14 January 2012 - 04:01 AM.




#2 Billy O'Neal

    Bleepin Microsoftie Engineer

  • Malware Response Instructor
  • 11,994 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 14 January 2012 - 04:06 AM

Could be a bug. What date does Windows Explorer (and/or "DIR") show for those files?

That date is significant because it's the NT epoch -- all dates in NT start from that date. See FILETIME structure on MSDN:

Contains a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).


Basically, another program could have easily gone through and had a bug, and set all the file times for those files to zero, or there could be a bug in PEV which somehow causes it to give Zero. I'm not sure which at present.

Billy3

Edited by Billy O'Neal, 14 January 2012 - 04:07 AM.

Look buddy, I'm an Engineer, and that means I solve problems. Not problems like "What is beauty?" .. 'cause that would fall within the purview of your conundrums of philosophy....
GitHub - Twitter
My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
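An added Python helper (not pevFind's code and not posted in this thread) that does the FILETIME arithmetic Billy describes and flags report entries whose stamps sit at FILETIME 0; the sample report lines are constructed in the first post's --custom format, including a path with spaces to show the parser copes with it.

```python
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC,
# so a FILETIME of 0 renders as exactly the "1601-01-01 00:00:00" in the report.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
EPOCH_ZERO_TEXT = "1601-01-01 00:00:00"

def filetime_to_datetime(ticks):
    """Convert a raw 64-bit FILETIME tick count to an aware UTC datetime."""
    if not 0 <= ticks < 2 ** 63:
        raise ValueError("FILETIME must be a non-negative 63-bit tick count")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(moment):
    """Inverse of filetime_to_datetime (sub-microsecond ticks are lost)."""
    delta = moment.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10

def parse_report_line(line):
    """Split one line written with --custom:##c . #m  #t  #f# into
    (created, modified, attributes, path); the path may contain spaces."""
    parts = line.split(None, 6)
    if len(parts) != 7 or parts[2] != ".":
        return None
    cdate, ctime, _, mdate, mtime, attrs, path = parts
    return f"{cdate} {ctime}", f"{mdate} {mtime}", attrs, path

def find_epoch_zero_entries(report):
    """Paths whose created or modified stamp is FILETIME 0: either the tool
    bug discussed in this thread, or a timestamp some other program zeroed.
    Either way, re-check them against DIR or Explorer before trusting them."""
    hits = []
    for line in report.splitlines():
        parsed = parse_report_line(line)
        if parsed and EPOCH_ZERO_TEXT in parsed[:2]:
            hits.append(parsed[3])
    return hits

# Constructed sample in the first post's report format (not real tool output).
SAMPLE_REPORT = """\
2011-12-28 19:22:51 . 2011-11-05 04:34:45 ----a-w- C:\\Windows\\system32\\url.dll
1601-01-01 00:00:00 . 1601-01-01 00:00:00 ----a-w- C:\\Windows\\system32\\AERTAC64.dll
2011-12-28 19:22:36 . 1601-01-01 00:00:00 ----a-w- C:\\Program Files\\Some Vendor\\helper.dll
"""
```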

#3 thisisu


Posted 14 January 2012 - 04:15 AM

> Could be a bug. What date does Windows Explorer (and/or "DIR") show for those files?

Per your request:
07/22/2010  04:37 PM           200,800 AERTAC64.dll
               1 File(s)        200,800 bytes
               0 Dir(s)  101,847,498,752 bytes free


11/17/2009  06:12 PM           108,960 AERTAR64.dll
               1 File(s)        108,960 bytes
               0 Dir(s)  101,847,498,752 bytes free


05/05/2011  03:24 PM         2,085,440 FMAPO64.dll
               1 File(s)      2,085,440 bytes
               0 Dir(s)  101,847,498,752 bytes free


#4 Billy O'Neal


Posted 14 January 2012 - 04:19 AM

What version of pevFind are you using?

Billy3

#5 thisisu


Posted 14 January 2012 - 04:21 AM

> What version of pevFind are you using?
>
> Billy3


pevFind v1.5.9

#6 Billy O'Neal


Posted 14 January 2012 - 04:56 AM

Ok, I've confirmed this is a bug in PEV. I think I've found it; and I think it affects x64 platforms only -- PEV is disabling the WOW64 redirector (to see the 64 bit view of the file system) during the enumeration phase, but didn't disable the redirector again when it went to get the date and time data for the files. Please run this copy instead and tell me if it explodes. (I made it crash on purpose instead of printing out the bogus date where possible)

Go to https://bitbucket.org/BillyONeal/pevfind/downloads#download-54288 and download "pevFind_Debug_Thisisu_Jan14_2012.exe" and let me know how it goes.

Have a nice day,

Billy3

#7 thisisu


Posted 14 January 2012 - 05:11 AM

> Ok, I've confirmed this is a bug in PEV. I think I've found it; and I think it affects x64 platforms only -- PEV is disabling the WOW64 redirector (to see the 64 bit view of the file system) during the enumeration phase, but didn't disable the redirector again when it went to get the date and time data for the files. Please run this copy instead and tell me if it explodes. (I made it crash on purpose instead of printing out the bogus date where possible)
>
> Go to https://bitbucket.org/BillyONeal/pevfind/downloads#download-54288 and download "pevFind_Debug_Thisisu_Jan14_2012.exe" and let me know how it goes.
>
> Have a nice day,
>
> Billy3


It's working now, thank you! :thumbsup:

2012-01-05 08:22:56 . 2011-05-05 21:24:02 ----a-w- C:\Windows\system32\FMAPO64.dll
2012-01-05 08:22:55 . 2009-11-18 00:12:40 ----a-w- C:\Windows\system32\AERTAR64.dll
2012-01-05 08:22:55 . 2010-07-22 22:37:14 ----a-w- C:\Windows\system32\AERTAC64.dll



#8 Billy O'Neal


Posted 14 January 2012 - 05:30 AM

Not a problem. Thank you for the bug report. Fixed in 1.5.10. (Available from https://bitbucket.org/BillyONeal/pevfind/downloads)

Have a nice day!

Billy3

#9 thisisu


Posted 14 January 2012 - 01:05 PM

Hi Billy,

Can you provide some examples on the below:

-sa Sort ascending by (NOTE: Default is UNSORTED!)
    SIZE
    DATE   (defaults to modified)
    ADATE  Access Date
    MDATE  Modified Date
    CDATE  Created Date
    HDATE  PE Header Date
    NAME
    INAME  Case insensitive name sort. (Over 2x time of standard name sort)

-sd Sort descending by
    SIZE
    DATE   (defaults to modified)
    ADATE  Access Date
    MDATE  Modified Date
    CDATE  Created Date
    HDATE  PE Header Date
    NAME
    INAME  Case insensitive name sort. (Over 2x time of standard name sort)

Multiple sort commands will result in a lower order of sort. For example,
to group items by size and then break ties by sorting by date, use
something like -sa:size -sa:date. The order obtained should be the order
in which the commands are listed; if the sort commands are separated by
"interesting" items, such as AND, OR, XOR, etc, the results of the sort
are undefined.


Particularly on how to perform mass sorts. For example, sort by CDATE (newest) first, and then NAME (alphabetical) second on 3+ different directories.

#10 Billy O'Neal


Posted 14 January 2012 - 05:27 PM

I'm confused as to what you mean. I can answer specific questions but I'm not sure how to describe the sorting options any better than I already did in the readme...

Billy3

#11 thisisu


Posted 14 January 2012 - 07:37 PM

For example, let's say I wanted pevFind to search for newly created files within the past 30 days from these directories listed below:

  • %appdata%
  • %windir%
  • %windir%\system32
  • %temp%

Then I want ALL of the above search results to be sorted with the newest created file on the top of my "report.txt".

#12 Billy O'Neal


Posted 17 January 2012 - 11:44 PM

You'd have to combine two ideas. The first is how to include multiple directories in a single pevFind check. You do that using OR. E.g.

pevFind.exe "%appdata%" OR "%windir%" OR "%windir%\System32" OR "%temp%"

Of course, the System32 item is redundant, as %windir% will cover it.

Then you'd apply a filter that the files have a date that is less than 30 days ago:

pevFind.exe "%appdata%" OR "%windir%" OR "%windir%\System32" OR "%temp%" AND -dcg30d

The AND is necessary due to order of operations. Without the AND it would be interpreted as this:

pevFind.exe { "%appdata%" } OR { "%windir%" } OR { "%windir%\System32" } OR { "%temp%" -dcg30d }

which would limit the dates of the "temp" spec, which is not what you want -- you wanted to limit the whole query.

Finally, you'd sort by creation date.

pevFind.exe "%appdata%" OR "%windir%" OR "%windir%\System32" OR "%temp%" AND -dcg30d -sa:CDATE

Unfortunately, testing this on the version I uploaded recently has shown a ton of bugs with the existing code... I don't know why this doesn't work when it used to. (Probably because I've not seriously looked at PEV in about a year and a half.) I'll take a look as soon as I can.

Have a nice day,

Billy3

#13 Billy O'Neal


Posted 17 January 2012 - 11:50 PM

Scratch that -- not a bug. Just a bug in my query. It should look like this:

pevFind.exe "%appdata%\*" OR "%windir%\*" OR "%windir%\System32\*" OR "%temp%\*" AND -dcg30d -sa:CDATE

Note the extra \*s. :)

There was an off-by-one bug though which did get fixed in 1.5.11. (Just uploaded)

Billy3

Edited by Billy O'Neal, 17 January 2012 - 11:57 PM.


#14 thisisu


Posted 18 January 2012 - 01:22 AM

Thank you Billy,

That last query you provided helps a lot.
I am now using pevFind_1_5_11.exe

However now I'm noticing another problem:

For example, in this query:

pevFind.exe -r --custom:##t  #c . #m  #f# "%appdata%\*" OR "%windir%\*" OR "%windir%\System32\*" OR "%temp%\*" AND -dcg30d -sa:CDATE -sd:NAME >>%systemdrive%\report.txt

It seems like the sort by NAME is not functioning properly.

Examples:

AND -dcg30d -sa:CDATE -sd:NAME
I receive:

----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:30 C:\Windows\system32\RTEEL64A.dll
----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:30 C:\Windows\system32\RTEEP64A.dll
----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:28 C:\Windows\system32\RTEEG64A.dll <--- Out of Order
----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:28 C:\Windows\system32\RTEED64A.dll <--- Out of Order



AND -dcg30d -sa:CDATE -sa:NAME
I receive:

----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:30 C:\Windows\system32\RTEEP64A.dll <--- Out of Order
----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:30 C:\Windows\system32\RTEEL64A.dll <--- Out of Order
----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:28 C:\Windows\system32\RTEEG64A.dll <--- Out of Order
----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:28 C:\Windows\system32\RTEED64A.dll <--- Out of Order



#15 Billy O'Neal


Posted 18 January 2012 - 01:24 AM

You sorted by date first, and then broke ties by name. Reverse the order of the sort flags if you want name to be the primary sort.

Billy3

Edited by Billy O'Neal, 18 January 2012 - 01:24 AM.

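To make Billy's point concrete, here is an added Python emulation (not pevFind's code) of how ordered sort flags compose: the first flag is the primary key and later flags only break exact ties. The records are constructed; that pevFind compares created times at full FILETIME resolution rather than the whole seconds it prints is an assumption made here to explain why files with identical-looking stamps can still come out "out of order" by name.

```python
from datetime import datetime

def parse_sort_flags(args):
    """Collect -sa:/-sd: flags from a pevFind-style argument list in command-line
    order: the first flag is the primary key, each later one only breaks ties."""
    flags = []
    for arg in args:
        if arg[:4].lower() in ("-sa:", "-sd:"):
            flags.append((arg[4:].upper(), arg[1:3].lower() == "sd"))
    return flags

def sort_key(field):
    """Accessor for one sort field. DATE defaults to modified and INAME is the
    case-insensitive name sort, both as described in the readme excerpt above."""
    if field == "INAME":
        return lambda rec: rec["NAME"].lower()
    if field == "DATE":
        return lambda rec: rec["MDATE"]
    return lambda rec: rec[field]

def apply_sort(records, flags):
    """Multi-key sort with per-key direction. Python's sort is stable, so applying
    the flags from last to first leaves the first flag as the primary order."""
    ordered = list(records)
    for field, descending in reversed(flags):
        ordered.sort(key=sort_key(field), reverse=descending)
    return ordered

def names(records):
    return [rec["NAME"] for rec in records]

def record(name, created_us, modified):
    """One constructed file record; created_us is the sub-second part of CDATE."""
    return {"NAME": name, "MDATE": modified,
            "CDATE": datetime(2012, 1, 5, 8, 22, 58, created_us)}

# Constructed records modelled on the RTEE*64A.dll lines in post #14. The report
# prints whole seconds, so all four created stamps look identical, yet the sorter
# (assumed here to compare full timestamps) still orders them by CDATE, and the
# NAME flag only ever decides the exact tie between the last two.
MOD_30 = datetime(2010, 11, 8, 13, 31, 30)
MOD_28 = datetime(2010, 11, 8, 13, 31, 28)
RECORDS = [
    record("RTEEL64A.dll", 10, MOD_30),
    record("RTEEP64A.dll", 20, MOD_30),
    record("RTEEG64A.dll", 0, MOD_28),
    record("RTEED64A.dll", 0, MOD_28),
]
```

Reversing the flags to -sd:NAME -sa:CDATE makes name the primary key, which is the change Billy suggests.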



