Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: InfoSec Handlers Diary Blog - Sigcheck and virustotal-search InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Sigcheck and virustotal-search

Published: 2015-08-06
Last Updated: 2015-08-06 11:28:53 UTC
by Didier Stevens (Version: 1)
3 comment(s)

In my last diary entry I mentioned offline use of Sysinternal tools with my tool virustotal-search.

So you want to use sigcheck but you can't connect the machine to the Internet. Then you can use sigcheck's option -h to calculate cryptographic hashes of the files it checks, and option -c to produce a CSV output (-ct for CSV with a tab separator). If you want, you can limit sigcheck's scanning to executable files only with option -e.

To extract a unique list of MD5 hashes, you can use this pipe of awk, tail, sed and sort (for a tab separated CSV file):

awk -F '\t' '{print $10}' sigcheck-system32.csv | tail -n +2 | sed 's/"//g' | sort -u

And then you can use virustotal-search to submit the hashes.

If you suspect the machine is infected with malware that has rootkit features, then don't boot from the suspect disk, but mount the disk on another machine or boot from a Live CD and use sigcheck to scan the disk.

 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

3 comment(s)
Diary Archives