PowerShell v2 Function Get FileSignature

Tuesday, April 26, 2016

PowerShell v2 Function Get FileSignature

Posted by karjana , at 8:11 PM

I started working on this one a few weeks ago, but, finally wrapped up a working, first version of a function that validates file signatures against extensions. Its basic, but, in simple usage, simply returns $true, $false, or, No matching signatures were found., indicating whether the file passed to the -FullName (aliased -Path) parameter has a signature matching its extension. Now, I have a pretty raw file signature database I pulled of Gary Kesslers site, but, it works well enough for this proof of concept:

http://www.garykessler.net/software/FileSigs_20110719.zip

To run it, with basic options, call the function like this, which returns a basic result:

Get-FileSignature -Fullname C:WindowsSystem32cmd.exe
True

If you want to pass pipelined objects to it as well, you can like this:

Get-ChildItem "C:WindowsSystem32c*" |
Where {!$_.PSIsContainer} |
% { Get-FileSignature -Fullname $_.fullname}

When you run it this way you get one of the three results listed above:

True
True
True
True
True
True
True
True
True
True
True
True
No match in database

A more useful example would be:

Get-ChildItem "C:WindowsSystem32c*" |Where {!$_.PSIsContainer} |
% { Get-FileSignature -Fullname $_.fullname}

which returns:

cabinet.dll - True
cabview.dll - True
cacls.exe - True
calc.exe - True
capiprovider.dll - True
capisp.dll - True
catsrv.dll - True
catsrvps.dll - True
catsrvut.dll - True
cca.dll - True
cdd.dll - True
cdosys.dll - True
cero.rs - No match in database

Some of the more "advanced" features are

-UpdateSignatures: update the database
-Suggestion: predictive analysis which returns possible matches based on file signatures

In my case, I define the Signature database against a directory I have location on my machine. If the location does not exist the first time you run the script, it will be created for you. This option is best run not as a part of a pipelined command as it will continuously prompt you to test, download, and, update the .zip. Below is an example of how to run it:

Get-FileSignature -UpdateSignatures

To run the suggestions (useful if you are not sure about a given extensions validity) you can use this:

Get-ChildItem "C:WindowsSystem32c*" |
Where {!$_.PSIsContainer} |
% { Get-FileSignature -Fullname $_.fullname -Suggestion} |
select filename, fileextensions

This is a VERY chatty option unless you are dealing with obscure directories. In this case, here is a "small" sample output:

FileName                                                      FileExtensions
--------                                                      --------------
cabinet.dll                                                   COM|DLL|DRV|EXE|PIF|QTS|QTX|SYS
cabinet.dll                                                   ACM
cabinet.dll                                                   AX
cabinet.dll                                                   CPL
cabinet.dll                                                   FON
cabinet.dll

OCX

cabinet.dll OLB

cabinet.dll SCR

cabinet.dll VBX

cabinet.dll VXD|386

cabinet.dll API

cabinet.dll AX

cabinet.dll FLT

cabinet.dll ZAP

cabview.dll COM|DLL|DRV|EXE|PIF|QTS|QTX|SYS

cabview.dll ACM

cabview.dll AX

cabview.dll CPL

cabview.dll FON

cabview.dll OCX

cabview.dll OLB

cabview.dll SCR

cabview.dll VBX

cabview.dll VXD|386

cabview.dll API

cabview.dll AX

cabview.dll FLT

cabview.dll &

Computer Info

Tuesday, April 26, 2016

PowerShell v2 Function Get FileSignature

0 comments to “PowerShell v2 Function Get FileSignature”

Post a Comment

Blog archive