dencorso Posted March 27, 2017

BACKGROUND: My client was hit by a crypto ransomware. The machine has Windows 8.1. However, his disk was partitioned and all data files were in disk D:, which is FAT-32. I have created a copy of the D: disk, from which I have already recovered some files still intact, so I have reason to believe the ransomware was not able to encrypt the whole contents of that disk. The folder I recovered contained assorted .jpg, .gif, .doc, .docx and .pdf files, all of them intact, and all those types of files are usually targeted by that malware. However, some other files did get encrypted. I verified that when .pdfs are encrypted they keep the name but the %PDF signature in their first four bytes disappears.

I intend to do a fast evaluation of how far the encryption went, so I thought of traversing the D: tree looking for .pdfs inside each folder, and when found, check their first 4 bytes and output the fully qualified file name to a text log, followed by "OK" or "BAD". However, to do such a task with a .cmd requires much more ability at batch writing than I command. Would you please help me, at least, get started? Thanks a lot in advance.
gunsmokingman Posted March 28, 2017

Here is a VBS script that outputs results to the CMD prompt window. You will have to add the file type that you want to search for.

```vbscript
'-> WMI connection to the local computer ("." = this machine)
Dim Str :Str = "."
Dim Wmi :Set Wmi = GetObject("winmgmts:\\" & Str & "\root\cimv2")
'-> Main Search Object Change 'vbs' to 'FileTypeHere'
Dim Col :Set Col = Wmi.ExecQuery("Select * from CIM_DataFile Where Extension = 'vbs'")
Dim Res
'-> Check To Make Sure Cscript Is Used
If InStr(1,WScript.FullName,"cscript",1) Then
  Main()
End If
'-> Main Function To Collect All The Files
Function Main()
  If Col.count = 0 Then
    WScript.StdOut.WriteLine "Can Not Find This File Type"
    WScript.Sleep 3500
    WScript.Quit
  Else
    WScript.StdOut.WriteLine "Processing..."
    For Each Obj in Col
      '-> Display File Name (full path, as reported by WMI)
      WScript.StdOut.WriteLine Obj.Name
      WScript.Sleep 500
    Next
  End If
  CloseCmd()
End Function
'-> Close The CMD Window
Function CloseCmd()
  Do While Res = ""
    WScript.StdOut.WriteLine "Total File Count : " & Col.count
    WScript.StdOut.WriteLine " Type quit Or exit to close CMD window"
    Res = Wscript.StdIn.ReadLine
    Select Case LCase(Res)
      Case "exit"
        WScript.Quit
      Case "quit"
        WScript.Quit
    End Select
  Loop
End Function
```

I have tested this script on my computer with no run-time error. I will help you edit this script so it will do what you want.
dencorso (Author) Posted March 28, 2017

Wow! Thanks! It also runs OK on my machine. And I can see it does somewhat more than required, as it searches all disks, not just one. But, for sure, I'll have to study it some more to understand it enough to be able to propose any changes... Those WMI commands are fully above my head.
gunsmokingman Posted March 28, 2017

I have updated the original script:

1. Added a message box to appear with instructions on how to use
2. Added a new user input to search for the file type

New Code

```vbscript
Dim Col,Str, Res :Str = "."
Dim Wmi :Set Wmi = GetObject("winmgmts:\\" & Str & "\root\cimv2")
'-> Check To Make Sure Cscript Is Used
If InStr(1,WScript.FullName,"cscript",1) Then
  UserInput()
  '-> Main Search Object Using The User Input
  Set Col = Wmi.ExecQuery("Select * from CIM_DataFile Where Extension = '" & Res & "'")
  WScript.StdOut.WriteLine "Begin Query For " & Res
  Main()
Else
  '-> Wrong Script Engine
  MsgBox Space(10) & "Error Wrong Scripting Engine" & vbCrLf & _
    "You must right click this script and select the Cmd Prompt or" & vbCrLf & _
    "Cscript option to run this script",4128,"Error Wrong Script Engine"
End If
'-> Main Function To Collect All The Files
Function Main()
  If Col.count = 0 Then
    WScript.StdOut.WriteLine "Can Not Find This File Type"
    WScript.Sleep 3500
    WScript.Quit
  Else
    WScript.StdOut.WriteLine "Processing Please Wait..."
    For Each Obj in Col
      '-> Display File Name (full path, as reported by WMI)
      WScript.StdOut.WriteLine Obj.Name
      WScript.Sleep 300
    Next
  End If
  Res = ""
  CloseCmd()
End Function
'-> Get User Input For File Type
Function UserInput()
  Do While Res = ""
    WScript.StdOut.WriteBlankLines 1
    WScript.StdOut.WriteLine _
      "Type the file type you are searching for in this" & vbCrLf & _
      "format txt or vbs or cmd no dot is needed." & vbCrLf & _
      "Type exit or quit to stop the script."
    WScript.StdOut.WriteBlankLines 1
    Res = Wscript.StdIn.ReadLine
    Select Case LCase(Res)
      Case "exit"
        WScript.Quit
      Case "quit"
        WScript.Quit
    End Select
  Loop
End Function
'-> Close The CMD Window
Function CloseCmd()
  Do While Res = ""
    WScript.StdOut.WriteBlankLines 2
    WScript.StdOut.WriteLine "Total File Count : " & Col.count
    WScript.StdOut.WriteLine "Type quit Or exit to close CMD window"
    Res = Wscript.StdIn.ReadLine
    Select Case LCase(Res)
      Case "exit"
        WScript.Quit
      Case "quit"
        WScript.Quit
    End Select
  Loop
End Function
```

Rename WmiUserInExtSearch.vbs.txt to WmiUserInExtSearch.vbs to make it active.

Attachment: WmiUserInExtSearch.vbs.txt
jaclaz Posted March 28, 2017

> 17 hours ago, dencorso said: However, to do such a task with a .cmd requires much more ability at batch writing than I do command.

Maybe you are underestimating yourself. Please meet dumphex: http://rbach.priv.at/DumpHex/

So you could easily dump the first four bytes of each .pdf and compare the output with the result of a good .pdf, such as:

```
C:>dumphex /L4 /nc agoodpdf.pdf
DumpHex Version 1.0.1 Copyright (c) 2003 Robert Bachmann
00000000h: 25 50 44 46
```

BUT, trid: http://mark0.net/soft-trid-e.html might be easier. Of course using a "whole" database would probably be a tad bit slower, so creating a specific definition file might be better. Unfortunately the current version of trid seemingly chokes on .xml files created by tridscan; you can however use the attached, it is Trid version 1.56 with ONLY the appropriate adobe_pdf.trid.xml

```
C:\VSS\VSS2\tridpack\Simple>trid agoodpdf.pdf
TrID/32 - File Identifier v1.56 - (C) 2003-04 By M.Pontello
Collecting data from file: agoodpdf.pdf
Definitions found: 1
Analyzing...
100.0% (.PDF) Adobe Portable Document Format (7000/1)

C:\VSS\VSS2\tridpack\Simple>trid abadpdf.pdf
TrID/32 - File Identifier v1.56 - (C) 2003-04 By M.Pontello
Collecting data from file: abadpdf.pdf
Definitions found: 1
Analyzing...
Unknown!
```

jaclaz

Attachment: Trid_for_Den.7z
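The check dencorso asks for in the opening post (walk the D: tree, test the leading bytes of each .pdf, write the full path plus OK or BAD to a log) and the known-signature comparison jaclaz sketches with dumphex and trid can be done in one small script. The following is an added example written for this thread in Python, not code from any of the posters or from the dumphex/trid projects. It goes a little beyond the .pdf case by carrying a table of well-known leading signatures for the other file types dencorso mentions; the directory tree it scans is a constructed sample built in a temporary folder, so it runs offline, and the log format (path, tab, verdict) is an assumption of the example.

```python
"""Signature triage for a possibly ransomware-hit data volume (added example).

Walks a directory tree, reads the first bytes of every file whose extension is
in SIGNATURES, and records "OK" when the expected signature is present or
"BAD" when it is gone. Other file types are counted as "SKIP", not judged.
"""
import os
import tempfile
from collections import Counter

# Well-known leading bytes per extension. .doc is an OLE2 compound file,
# .docx is a ZIP container, so those headers are what an intact file shows.
SIGNATURES = {
    ".pdf": (b"%PDF",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".docx": (b"PK\x03\x04",),
}


def check_file(path):
    """Return 'OK', 'BAD' or 'SKIP' for one file; only the header is read."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in SIGNATURES:
        return "SKIP"
    with open(path, "rb") as fh:
        head = fh.read(8)  # longest signature in the table is 8 bytes
    return "OK" if any(head.startswith(sig) for sig in SIGNATURES[ext]) else "BAD"


def scan_tree(root, log_path=None):
    """Classify every file under root; optionally write 'path<TAB>verdict' lines.

    Returns (Counter of verdicts, list of log lines) so the result can be
    inspected or asserted on without reading the log file back.
    """
    counts = Counter()
    lines = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            verdict = check_file(full)
            counts[verdict] += 1
            if verdict != "SKIP":
                lines.append(f"{full}\t{verdict}")
    if log_path:
        with open(log_path, "w", encoding="utf-8") as log:
            log.write("\n".join(lines) + "\n")
    return counts, lines


def build_demo_tree():
    """Constructed sample tree: intact files beside files whose headers were overwritten."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    samples = {
        "docs/good.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
        "docs/enc.pdf": b"\x8a\x1f\x00\x42junk",   # name kept, %PDF header gone
        "pics/good.gif": b"GIF89a\x01\x00\x01\x00",
        "pics/enc.jpg": b"\x00\x00\x00\x00\x00",  # JPEG SOI marker gone
        "docs/report.docx": b"PK\x03\x04\x14\x00",
        "notes/readme.txt": b"hello",             # not in the table: SKIP
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    # On the real case, replace build_demo_tree() with the root of the disk copy.
    demo_root = build_demo_tree()
    counts, lines = scan_tree(demo_root, os.path.join(demo_root, "triage.log"))
    print("\n".join(lines))
    print(dict(counts))
```

Run it against the copy of D:, never the original, and read the counts as a lower bound: a header match only says the first bytes are intact, so a file whose body was damaged further in still reports OK, and files the malware renamed to a new extension land in SKIP rather than BAD. For those, comparing against a known-good copy or a trid definition, as jaclaz suggests, is the next step.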