pevFind - Question and Answer thread

Hello,

As of late I have been trying to learn how to use pevFind for finding malware.

Instead of going to Billy for every question I have, and due to his preference so that others may learn too, I took his recommendation to create a thread here for discussions about pevFind.

Here is the URL you can d/l and read about the features of pevFind: https://bitbucket.org/BillyONeal/pevfind

_____________________________________________________________________________________________________________

There will undoubtedly be a lot of questions from me as I am eager to learn about this tool.

Here is my first one:

When I use the following code:

pev.exe -dc:G30 -r -sa:CDATE -sd:NAME --custom:##c . #m  #t  #f# AND "%windir%\*" OR "%windir%\system32\*" >>"%userprofile%\desktop\report.txt"

In the "report.txt" I get some of the following lines:

2011-12-28 19:22:51 . 2011-11-05 04:34:45 ----a-w- C:\Windows\system32\url.dll
2011-12-28 19:22:51 . 2011-11-05 02:48:51 ----a-w- C:\Windows\system32\mshtml.tlb
2011-12-28 19:22:46 . 2011-11-05 04:26:03 ----a-w- C:\Windows\system32\tzres.dll
2011-12-28 19:22:36 . 2011-10-15 05:38:59 ----a-w- C:\Windows\system32\EncDec.dll
1601-01-01 00:00:00 . 1601-01-01 00:00:00 ----a-w- C:\Windows\system32\AERTAC64.dll
1601-01-01 00:00:00 . 1601-01-01 00:00:00 ----a-w- C:\Windows\system32\AERTAR64.dll
1601-01-01 00:00:00 . 1601-01-01 00:00:00 ----a-w- C:\Windows\system32\FMAPO64.dll

The highlighted in red CDATE (Created date) and MDATE (Modified date) are obviously incorrect.

I am performing this command on a Windows 7 x64 system.
Also notice how not ALL system32 files are incorrect, just some of them.
What am I doing wrong here and how can I remedy this?

Could be a bug. What date does Windows Explorer (and/or "DIR") show for those files?

That date is significant because it's the NT epoch -- all dates in NT start from that date. See FILETIME structure on MSDN:

Contains a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).

Basically, another program could have easily gone through and had a bug, and set all the file times for those files to zero, or there could be a bug in PEV which somehow causes it to give Zero. I'm not sure which at present.

Billy3

Could be a bug. What date does Windows Explorer (and/or "DIR") show for those files?

Per your request:

07/22/2010  04:37 PM           200,800 AERTAC64.dll
               1 File(s)        200,800 bytes
               0 Dir(s)  101,847,498,752 bytes free


11/17/2009  06:12 PM           108,960 AERTAR64.dll
               1 File(s)        108,960 bytes
               0 Dir(s)  101,847,498,752 bytes free


05/05/2011  03:24 PM         2,085,440 FMAPO64.dll
               1 File(s)      2,085,440 bytes
               0 Dir(s)  101,847,498,752 bytes free

What version of pevFind are you using?

Billy3

What version of pevFind are you using?

Billy3

pevFind v1.5.9

Ok, I've confirmed this is a bug in PEV. I think I've found it; and I think it affects x64 platforms only -- PEV is disabling the WOW64 redirector (to see the 64 bit view of the file system) during the enumeration phase, but didn't disable the redirector again when it went to get the date and time data for the files. Please run this copy instead and tell me if it explodes. (I made it crash on purpose instead of printing out the bogus date where possible)

Go to https://bitbucket.org/BillyONeal/pevfind/downloads#download-54288 and download "pevFind_Debug_Thisisu_Jan14_2012.exe" and let me know how it goes.

Have a nice day,

Billy3

Ok, I've confirmed this is a bug in PEV. I think I've found it; and I think it affects x64 platforms only -- PEV is disabling the WOW64 redirector (to see the 64 bit view of the file system) during the enumeration phase, but didn't disable the redirector again when it went to get the date and time data for the files. Please run this copy instead and tell me if it explodes. (I made it crash on purpose instead of printing out the bogus date where possible)

Go to https://bitbucket.org/BillyONeal/pevfind/downloads#download-54288 and download "pevFind_Debug_Thisisu_Jan14_2012.exe" and let me know how it goes.

Have a nice day,

Billy3

It's working now, thank you!

2012-01-05 08:22:56 . 2011-05-05 21:24:02 ----a-w- C:\Windows\system32\FMAPO64.dll
2012-01-05 08:22:55 . 2009-11-18 00:12:40 ----a-w- C:\Windows\system32\AERTAR64.dll
2012-01-05 08:22:55 . 2010-07-22 22:37:14 ----a-w- C:\Windows\system32\AERTAC64.dll

Not a problem. Thank you for the bug report. Fixed in 1.5.10. (Available from https://bitbucket.org/BillyONeal/pevfind/downloads)

Have a nice day!

Billy3

Hi Billy,

Can you provide some examples on the below:

-sa Sort ascending by NOTE: Default is UNSORTED!
SIZE
DATE (defaults to modified)
ADATE Access Date
MDATE Modified Date
CDATE Created Date
HDATE PE Header Date
NAME
INAME Case insensitive name sort. (Over 2x time of standard name sort)

-sd Sort descending by
SIZE
DATE (defaults to modified)
ADATE Access Date
MDATE Modified Date
CDATE Created Date
HDATE PE Header Date
NAME
INAME Case insensitive name sort. (Over 2x time of standard name sort)

Multiple sort commands will result in a lower order of sort. For example,
to group items by size and then break ties by sorting by date, use
something like -sa:size -sa:date. The order obtained should be the order
in which the commmands are listed, if the sort commands are separated by
"intersting" items, such as AND, OR, XOR, etc, the results of the sort
are undefined.

Particularly on how to perform mass sorts. For example, sort by CDATE (newest) first, and then NAME (alphabetical) second on 3+ different directories.

I'm confused as to what you mean. I can answer specific questions but I'm not sure how to describe the sorting options any better than I already did in the readme...

Billy3

For example, let's say I wanted pevFind to search for newly created files within the past 30 days from these directories listed below:

• %appdata%
• %windir%
• %windir%\system32
• %temp%

Then I want ALL of the above search results to be sorted with the newest created file on the top of my "report.txt".

You'd have to combine two ideas. The first is how to include multiple directories in a single pevFind check. You do that using OR. E.g.

pevFind.exe "%appdata%" OR "%windir%" OR "%windir%\System32" OR "%temp%"

Of course, the System32 item is redundant, as %windir% will cover it.

Then you'd apply a filter that the files have a date that is less than 30 days ago:

pevFind.exe "%appdata%" OR "%windir%" OR "%windir%\System32" OR "%temp%" AND -dcg30d

The AND is necessary due to order of operations. Without the AND it would be interpreted as this:

pevFind.exe { "%appdata%" } OR { "%windir%" } OR { "%windir%\System32" } OR { "%temp%" -dcg30d }

which would limit the dates of the "temp" spec, which is not what you want -- you wanted to limit the whole query.

Finally, you'd sort by creation date.

pevFind.exe "%appdata%" OR "%windir%" OR "%windir%\System32" OR "%temp%" AND -dcg30d -sa:CDATE

Unfortunately, testing this on the version I uploaded recently has shown a ton of bugs with the existing code... I don't know why this doesn't work when it used to. (Probably because I've not seriously looked at PEV in about a year and a half.) I'll take a look as soon as I can.

Have a nice day,

Billy3

Scratch that -- not a bug. Just a bug in my query. It should look like this:

pevFind.exe "%appdata%\*" OR "%windir%\*" OR "%windir%\System32\*" OR "%temp%\*" AND -dcg30d -sa:CDATE

Note the extra \*s.

There was an off-by-one bug though which did get fixed in 1.5.11. (Just uploaded)

Billy3

Thank you Billy,

That last query you provided helps a lot
I am now using pevFind_1_5_11.exe

However now I'm noticing another problem:

For example, in this query:

pevFind.exe -r --custom:##t  #c . #m  #f# "%appdata%\*" OR "%windir%\*" OR "%windir%\System32\*" OR "%temp%\*" AND -dcg30d -sa:CDATE -sd:NAME >>%systemdrive%\report.txt

It seems like the sort by NAME is not functioning properly.

Examples:

AND -dcg30d -sa:CDATE -sd:NAME

I receive:

----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:30 C:\Windows\system32\RTEEL64A.dll
----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:30 C:\Windows\system32\RTEEP64A.dll
----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:28 C:\Windows\system32\RTEEG64A.dll <--- Out of Order
----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:28 C:\Windows\system32\RTEED64A.dll <--- Out of Order

AND -dcg30d -sa:CDATE -sa:NAME

I receive:

----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:30 C:\Windows\system32\RTEEP64A.dll <--- Out of Order
----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:30 C:\Windows\system32\RTEEL64A.dll <--- Out of Order
----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:28 C:\Windows\system32\RTEEG64A.dll <--- Out of Order
----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:28 C:\Windows\system32\RTEED64A.dll <--- Out of Order

You sorted by date first, and then broke ties by name. Reverse the order of the sort flags if you want name to be the primary sort.

Billy3