PowerShell v2 Function Get FileSignature

I started working on this one a few weeks ago, but, finally wrapped up a working, first version of a function that validates file signatures against extensions. Its basic, but, in simple usage, simply returns $true, $false, or, No matching signatures were found., indicating whether the file passed to the -FullName (aliased -Path) parameter has a signature matching its extension. Now, I have a pretty raw file signature database I pulled of Gary Kesslers site, but, it works well enough for this proof of concept:

http://www.garykessler.net/software/FileSigs_20110719.zip

To run it, with basic options, call the function like this, which returns a basic result:

Get-FileSignature -Fullname C:WindowsSystem32cmd.exe

True

If you want to pass pipelined objects to it as well, you can like this:

Get-ChildItem "C:WindowsSystem32c*" |

Where {!$_.PSIsContainer} |

% { Get-FileSignature -Fullname $_.fullname}

When you run it this way you get one of the three results listed above:

True

True

True

True

True

True

True

True

True

True

True

True

No match in database

A more useful example would be:

Get-ChildItem "C:WindowsSystem32c*" |Where {!$_.PSIsContainer} |
% { Get-FileSignature -Fullname $_.fullname}

which returns:

cabinet.dll - True

cabview.dll - True

cacls.exe - True

calc.exe - True

capiprovider.dll - True

capisp.dll - True

catsrv.dll - True

catsrvps.dll - True

catsrvut.dll - True

cca.dll - True

cdd.dll - True

cdosys.dll - True

cero.rs - No match in database

Some of the more "advanced" features are

• -UpdateSignatures: update the database
• -Suggestion: predictive analysis which returns possible matches based on file signatures 

In my case, I define the Signature database against a directory I have location on my machine. If the location does not exist the first time you run the script, it will be created for you. This option is best run not as a part of a pipelined command as it will continuously prompt you to test, download, and, update the .zip. Below is an example of how to run it:

Get-FileSignature -UpdateSignatures

To run the suggestions (useful if you are not sure about a given extensions validity) you can use this:

Get-ChildItem "C:WindowsSystem32c*" |

Where {!$_.PSIsContainer} |

% { Get-FileSignature -Fullname $_.fullname -Suggestion} |

select filename, fileextensions

This is a VERY chatty option unless you are dealing with obscure directories. In this case, here is a "small" sample output:

FileName                                                      FileExtensions                                              

--------                                                      --------------                                             

cabinet.dll                                                   COM|DLL|DRV|EXE|PIF|QTS|QTX|SYS                             

cabinet.dll                                                   ACM                                                        

cabinet.dll                                                   AX                                                         

cabinet.dll                                                   CPL                                                        

cabinet.dll                                                   FON                                                        

cabinet.dll                                                   OCX                                                        

cabinet.dll                                                   OLB                                                        

cabinet.dll                                                   SCR                                                        

cabinet.dll                                                   VBX                                                        

cabinet.dll                                                   VXD|386                                                    

cabinet.dll                                                   API                                                        

cabinet.dll                                                   AX                                                         

cabinet.dll                                                   FLT                                                        

cabinet.dll                                                   ZAP                                                        

cabview.dll                                                   COM|DLL|DRV|EXE|PIF|QTS|QTX|SYS                            

cabview.dll                                                   ACM                                                        

cabview.dll                                                   AX                                                         

cabview.dll                                                   CPL                                                         

cabview.dll                                                   FON                                                        

cabview.dll                                                   OCX                                                         

cabview.dll                                                   OLB                                                        

cabview.dll                                                   SCR                                                         

cabview.dll                                                   VBX                                                        

cabview.dll                                                   VXD|386                                                     

cabview.dll                                                   API                                                        

cabview.dll                                                   AX                                                         

cabview.dll                                                   FLT                                                        

cabview.dll                       &