Get Sha1 of a file located anywhere

(imported topic written by jpeppers91)

Can someone help me with this? I want to get the sha1 of a certain file on any fixed drive on a machine located in any directory. I understand it is an intensive search. For example I want to find abc.exe located on C:\ and return the sha1 value of that file.

(imported comment written by jpeppers91)

Anyone?

(imported comment written by Tim.Rice)

I’m not sure I understand what you are asking.

Are you wanting to generate a SHA1 hash of all files on all of your computers so you can compare them later? Something like Tripwire?

Or are you looking for a way to ‘query’ a remote computer for the SHA1 of a file somewhere on the system?

(imported comment written by jpeppers91)

I want to search any fixed drive on a computer for a file called xyz.exe. If it finds xyz.exe I want the sha1 of that file.

(imported comment written by Tim.Rice)

This is a non-trivial question and the IEM/TEM client really isn’t suited to answer it. It can be done with a combination of a Task (to find the files and generate the SHA1) and a Custom Analysis (used to gather the results of the Task).

I’m using the example of “firefox.exe” since it’s what I used when I tested the commands.

Write a Task to find the file(s) you are interested in. I used the built-in Win7 FCIV.exe utility to generate the SHA1. One drawback here is that it generates extra output you might not want. You could use any other utility of your choice (I’m sure you can find one via GOOGLE that will produce cleaner output). You would need to DOWNLOAD it in the Task before you used it.

  1. Find the desired file "firefox.exe" …
  2. DIR /S /B firefox.exe > C:\AllFiles.txt
  3. Generate the SHA1 hash for each of the files …
  4. Delete C:\AllSHA1.txt
  5. FOR /F "tokens=*" %A in (C:\AllFiles.txt) do FCIV -SHA1 "%A" >> C:\AllSHA1.txt

Now use an Analysis to pickup the contents of the AllSHA1.txt file if it exists.

  • if (exists file "C:\AllSHA1.txt") then (lines of file "C:\AllSHA1.txt") else nothing

Is this what you were looking for? If so, be careful what you look for. When you want to look for a different file, update the Task and re-run it to gather the information on the target file.

(imported comment written by jpeppers91)

I actually found the relevance…

(pathname of it, sha1 of it) of descendants whose (name of it as lowercase is "xyz.exe") of folders "" of drives whose (type of it = "DRIVE_FIXED")

It gives the output like this…

C:\xyz.exe, da39a3ee5e6b4b0d3255bfef95601890afd80709

C:\Program Files (x86)\xyz.exe, da39a3ee5e6b4b0d3255bfef95601890afd80709

C:\unzip\xyz.exe, da39a3ee5e6b4b0d3255bfef95601890afd80709

My dilemma now is running it as a task. I have the task below that I tried to modify to write what it finds to a txt file, and later use a property to pull the data, but it fails. Does anyone see what is wrong with my task?

delete __appendfile

delete procdump_exefiles.bat

appendfile @echo off

appendfile del "{pathname of parent folder of regapp "BESClient.exe"}\procdump_exefiles.txt"

appendfile echo "{"" & concatenation "" of (pathname of it, sha1 of it) of descendants whose (name of it as lowercase is "xyz.exe") of folders "" of drives whose (type of it="DRIVE_FIXED") & "**"}" >> "{pathname of parent folder of regapp "BESClient.exe"}\procdump_exefiles.txt"

move __appendfile procdump_exefiles.bat

wait "{pathname of client folder of site "BESSupport"}\RunQuiet.exe" procdump_exefiles.bat 1>NUL 2>NUL

(imported comment written by jpeppers91)

When I run it through the action debugger it says relevance clauses must be surrounded by { and }. So where I have parentheses, do I substitute curly brackets?

appendfile echo "{"" & concatenation "" of (pathname of it, sha1 of it) of descendants whose (name of it as lowercase is "xyz.exe") of folders "" of drives whose (type of it="DRIVE_FIXED") & "**"}" >> "{pathname of parent folder of regapp "BESClient.exe"}\procdump_exefiles.txt"

(imported comment written by jpeppers91)

Anyone? I’ve been at this all day, and I am more confused than when I started.

(imported comment written by MattPeterson)

The expression below will be much more efficient to run:

concatenation " - " of sha1s of it of (files "abc.txt" of folders "" of drives whose (type of it = "DRIVE_FIXED"))

If you wanted to write out to a file using a task your action line would look like this:

appendfile {concatenation " - " of sha1s of it of (files "abc.txt" of folders "" of drives whose (type of it="DRIVE_FIXED"))}

(imported comment written by jpeppers91)

That doesn’t recurse the folder. That is why I was using descendants of folder…

Somewhere in here I have my escaping all wrong.

appendfile echo "{"" & concatenation "" of (pathname of it, sha1 of it) of descendants whose (name of it as lowercase is "xyz.exe") of folders "" of drives whose (type of it="DRIVE_FIXED") & "**"}" >> "{pathname of parent folder of regapp "BESClient.exe"}\procdump_exefiles.txt"

(imported comment written by jgstew)

I’m not sure where an escaping or similar issue is, but you are trying to combine an echo and an appendfile, which will not give the result you are looking for.

Try this:

dos echo "{"" & concatenation "" of (pathname of it, sha1 of it) of descendants whose (name of it as lowercase is "xyz.exe") of folders "" of drives whose (type of it="DRIVE_FIXED") & "**"}" >> "{pathname of parent folder of regapp "BESClient.exe"}\procdump_exefiles.txt"

In general this is not a great idea, especially if the target computer does not have an SSD. Do you really have to search ALL folders, or is it a set of particular folders you want to search that may or may not exist?

Are you trying to do a sort of virus scan? If so, then I would recommend taking a look at this:

http://bigfix.me/fixlet/details/3721

I also have an analysis I’m working on to report on the findings of the virus scan. I thought I published it, but I’m having trouble finding it.

(imported comment written by jpeppers91)

It's not a virus scan. I’m looking for certain executables, and they can be anywhere. I have the relevance that finds the files, but when I added the pathname and sha1 of it to the mix it gave me errors. Thanks for your reply, but unfortunately that did not work either.

Thanks

(imported comment written by jpeppers91)

I understand this is not ideal, but it is necessary in some cases. I found the relevance after working on it all weekend. Turns out I needed a semicolon:

pathnames of it ; sha1s of it

delete __appendfile

delete rf_exefiles.bat

appendfile @echo off

appendfile del "{pathname of parent folder of regapp "BESClient.exe"}\rf_exefiles.txt"

appendfile echo "{"" & concatenation "," of (pathnames of it ; sha1s of it) of descendants whose (name of it as lowercase is "jamie.txt") of folders "" of drives whose (type of it="DRIVE_FIXED") & ""}" >> "{pathname of parent folder of regapp "BESClient.exe"}\rf_exefiles.txt"

move __appendfile rf_exefiles.bat

(imported comment written by jgstew)

Ah, I missed that. I hate it when it is something like that; it is so hard to track down.

You do not need to do this with a .bat file, you could instead just do this with 2 lines of actionscript:

delete "{pathname of parent folder of regapp "BESClient.exe"}\rf_exefiles.txt"

dos echo "{"" & concatenation "," of (pathnames of it ; sha1s of it) of descendants whose (name of it as lowercase is "jamie.txt") of folders "" of drives whose (type of it="DRIVE_FIXED") & ""}" >> "{pathname of parent folder of regapp "BESClient.exe"}\rf_exefiles.txt"

Instead of “dos” you could also use “waithidden cmd /C” which is preferred, particularly in the case of WinXP:

waithidden cmd /C echo "{"" & concatenation "," of (pathnames of it ; sha1s of it) of descendants whose (name of it as lowercase is "jamie.txt") of folders "" of drives whose (type of it="DRIVE_FIXED") & ""}" >> "{pathname of parent folder of regapp "BESClient.exe"}\rf_exefiles.txt"
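As an added example (not from the thread and not BigFix code), here is the same job the final relevance does, written as a stand-alone Python script for checking results outside the client: walk the fixed drives, match the file name case-insensitively, stream each hit through SHA-1 and emit "pathname, sha1" lines in the thread's output shape. The sample tree it builds is constructed; on Windows the fixed-drive filter uses the Win32 GetDriveTypeW call, and off Windows it assumes "/" is the only drive.

```python
import ctypes
import hashlib
import os
import tempfile

DRIVE_FIXED = 3  # return value of the Win32 GetDriveTypeW call for a fixed disk

def fixed_drive_roots() -> list:
    """Roots of the fixed drives, i.e. the same set the relevance's DRIVE_FIXED filter walks."""
    if os.name != "nt":
        return ["/"]  # assumption: off Windows, treat the root filesystem as the one fixed drive
    roots = [f"{c}:\\" for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ" if os.path.exists(f"{c}:\\")]
    return [r for r in roots if ctypes.windll.kernel32.GetDriveTypeW(r) == DRIVE_FIXED]

def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-1 so large binaries are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def find_and_hash(roots: list, name: str) -> list:
    """Walk every root, match the name case-insensitively, return sorted (pathname, sha1) pairs."""
    target, hits = name.lower(), []
    for root in roots:
        # unreadable directories are skipped (onerror swallows them) instead of ending the scan
        for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
            for fn in files:
                if fn.lower() != target:
                    continue
                full = os.path.join(dirpath, fn)
                try:
                    hits.append((full, sha1_of_file(full)))
                except OSError:
                    pass  # locked or vanished file: record nothing rather than abort the scan
    return sorted(hits)

def report(hits: list) -> str:
    """One '<pathname>, <sha1>' line per hit, the shape the thread's relevance output has."""
    return "\n".join(f"{p}, {h}" for p, h in hits)

def build_sample_tree() -> str:
    """Constructed sample data: two empty xyz.exe copies (one upper-cased) plus a decoy name."""
    base = tempfile.mkdtemp(prefix="sha1demo_")
    for rel in ("xyz.exe", "Program Files (x86)/XYZ.EXE", "unzip/xyz.exe.bak"):
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()
    return base
```

Walking a whole drive costs the same here as it does in the relevance, so where jgstew's advice applies, pass the specific folders you need as `roots` instead of `fixed_drive_roots()`.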