Best way to search for the existence of a file

(imported topic written by SteveC91)

Hello all.

I’m trying to write an analysis to find an executable on systems. From poking into different systems I’ve seen the executable exist in c:, %systemroot%\system32, %systemroot%\system32\dllcache, etc. What would be a good relevance script to hunt this out?

Thanks,

Steve

(imported comment written by Doug_Coburn)

Hi Steve,

Try this:

q: pathname of file "test.txt" of folders of system folder
A: C:\WINDOWS\system32\dllcache\test.txt

Also:

q: exists file "test.txt" of folders of system folder
A: True

(imported comment written by SteveC91)

Thanks Doug, this works great. Another question: how do I define a folder name that would have a space in it - such as Program Files?

Steve

(imported comment written by jessewk)

Steve,

You don’t need to do anything special. For example:

Q: exists file "BESClient.exe" of folder "C:\Program Files\BigFix Enterprise\BES Client"
A: True

(imported comment written by SteveC91)

That is true Jesse, if I know the subdirectory under Program Files is always consistent. I have been finding these little buggers (trojan executables, etc) in directories under Windows, Program Files, etc where the directory name varies from system to system, but the executable name is the same.

(imported comment written by jessewk)

Ah, I think maybe you misunderstood my answer… I was trying to address your question about folders with ‘spaces’.

To search your file system for a particular file, you have a number of options. The key thing to consider is that the search gets more costly with the number of locations you are trying to search. The more you can narrow your target the better.

If you can narrow it down to a couple of locations, you could use an expression like this:

exists file "badguy.dll" of (system folder; windows folder; folder "C:\Program Files"; folders of system folder)

This would search 3 known folders (system folder, windows folder, and C:\Program Files), and also search any folders of the system folder. It will not go deeper than one level of folders below the system folder.

You can also use the ‘descendants’ inspector. This will do a full depth search through all child folders of the folder you pass to the inspector.

This one will look through the entire C:\ drive. You do NOT want to make a fixlet that has this relevance. It’s okay to make a property, but you should set it to evaluate once per day or even less frequently:

exists descendant whose (name of it = "badguy.dll") of root folders of drive "c:"

Similar caveats for this one, but it’s not quite as bad since you’re only looking through program files and the windows folder (which includes the system folder):

exists descendant whose (name of it = "badguy.dll") of (windows folder; folder "C:\Program Files"; folders of system folder)

(imported comment written by SteveC91)

You got me, I did misunderstand. I’ve incorporated some of your and Doug’s info into analyses I’ve set up. Similar question - I’ve seen some objects “morph”, change names ever so slightly. I know I can do something like (exists file whose (name of it contains "objectname") of windows folder). But what if the object changes from objectname.exe to objectname[1].exe. I’m wondering if I could use the "*" or "?" wildcard to look for objectname*.exe, for example. That way I could possibly cut out some false positives.

(imported comment written by rharmer91)

I have another similar, but different situation. Our DBAs have installed Oracle all over the place (C drive, D drive, different folder names for same versions, etc) and I’m looking for the VERSION of “TIMEZONE.DAT” so we can locate all the Oracle problem DST issues in our environment.

I don’t want to scan a machine unless I have to… Looking in installed applications doesn’t yield anything like “Oracle 10” or anything that easy. The services have a long name which contains the word Oracle (OracleServiceO101 (OracleServiceO101) - Running), but nothing easily pulled out without some extra relevance.

One thing remains true: the pathname before the file is \oracore\zoneinfo

Suggestions?

(imported comment written by Marjan23)

SteveC

You got me, I did misunderstand. I’ve incorporated some of your and Doug’s info into analyses I’ve set up. Similar question - I’ve seen some objects “morph”, change names ever so slightly. I know I can do something like (exists file whose (name of it contains "objectname") of windows folder). But what if the object changes from objectname.exe to objectname[1].exe. I’m wondering if I could use the "*" or "?" wildcard to look for objectname*.exe, for example. That way I could possibly cut out some false positives.

SteveC,

Try this:

exists find files "objectname*.exe" of windows folder

Hope that helps,

Marjan
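Putting jessewk's narrowed folder list and Marjan's find files wildcard together into one analysis property (an added example, not relevance posted by anyone in this thread): instead of a bare True/False it reports the full path, SHA-1 and modification time of every match, which is what you need when the same name turns up in a different directory on each machine. The "badguy*.dll" pattern, the folder list and the use of the sha1 and modification time inspectors are my assumptions for this example; per jessewk's caveat above, run it as a property evaluated once a day, not as fixlet relevance.

```relevance
(pathname of it & " | " & sha1 of it & " | " & (modification time of it as string)) of find files "badguy*.dll" of (windows folder; system folder; folder "C:\Program Files"; folders of system folder)
```

A machine with no match returns an empty result in the analysis, so you can filter the results column to spot only the endpoints that need attention.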

(imported comment written by Shembop91)

If you could find the uninstall key in the Registry, it should have an Install Location value.