Friday, April 10, 2020

Compare Malware Strings of Multiple Files for Matches

# run strings on all malware *.bin files in the directory and output strings to .bin.txt files
# (the path "\" is the root of the current drive; use "." for the current directory)
# -wait makes each strings run finish before the next one starts, so the .bin.txt files are complete before the compare step below
get-childitem \ -filter *.bin | foreach-object {$cmd = "/c strings64.exe -n 8 `"" + $_.fullname + "`" > `"" + $_.fullname + ".txt`""; start-process -filepath "cmd.exe" -argumentlist $cmd -wait -nonewwindow}

# compare every .bin.txt file and return only the strings that appear in ALL of them
# ($common is used instead of $matches, which is a PowerShell automatic variable overwritten by -match)
$counter = 0; $common = @(); $lines1 = @()
get-childitem \ -filter *.bin.txt | foreach-object {
    if ($counter -eq 0) {
        # first file: its strings are the starting candidate set
        $counter++
        $lines1 = get-content -path $_.fullname | sort-object
    } else {
        # every further file: keep only candidates that also occur in it
        $common = @()
        $counter++
        $lines2 = get-content -path $_.fullname | sort-object
        foreach ($str in $lines1) { if ($lines2 -contains $str) { $common += $str } }
        $lines1 = $common
    }
}
$common | get-unique


Sample output
!This program cannot be run in DOS mode.
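As an added example (not part of the original post), the same extract-and-intersect step in Python so it runs on any platform without strings64.exe: it pulls ASCII and UTF-16LE runs of at least 8 characters (strings64.exe reports both), intersects them across samples, and goes beyond the one-liners by letting you require a string in only N of the files and by dropping known-benign text such as the DOS stub message in the sample output above, which every PE carries and so never identifies a family. The three sample byte blobs are constructed, and `c2.example.invalid` is a placeholder.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Set

def extract_strings(data: bytes, min_len: int = 8) -> Set[str]:
    """Printable runs of at least min_len chars, both ASCII and UTF-16LE
    (equivalent of strings64.exe -n 8, which reports both encodings)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in wide_re.finditer(data)}
    return found

def common_strings(samples: Dict[str, bytes], min_len: int = 8,
                   min_files: Optional[int] = None,
                   ignore: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Strings present in at least min_files samples (default: all of them),
    mapped to the files containing each; strings in `ignore` are dropped."""
    threshold = len(samples) if min_files is None else min_files
    seen: Dict[str, List[str]] = {}
    for name, data in samples.items():
        for s in extract_strings(data, min_len):
            seen.setdefault(s, []).append(name)
    skip = set(ignore)
    return {s: sorted(f) for s, f in seen.items()
            if len(f) >= threshold and s not in skip}

def load_dir(directory: str) -> Dict[str, bytes]:
    """Read every *.bin in a directory, like the get-childitem step above."""
    return {p.name: p.read_bytes() for p in sorted(Path(directory).glob("*.bin"))}

# Constructed stand-ins for three .bin samples (not real malware): the DOS stub,
# an ASCII URL shared by all three, a UTF-16LE mutex name shared by two,
# and one string unique to each file.
DOS_STUB = b"!This program cannot be run in DOS mode."
URL = b"http://c2.example.invalid/gate.php"           # placeholder, not a real C2
MUTEX = "Global\\SampleMutex".encode("utf-16-le")    # wide string, as Windows APIs store it
SAMPLES = {
    "a.bin": b"MZ\x90\x00" + DOS_STUB + b"\x00\x00" + URL + b"\x00\x00" + MUTEX + b"\x00onlyin_a_string\x00",
    "b.bin": b"MZ\x90\x00" + DOS_STUB + b"\x00" + URL + b"\x00\x00" + MUTEX + b"\x00onlyin_b_string\x00",
    "c.bin": b"MZ\x90\x00" + DOS_STUB + b"\x00" + URL + b"\x00onlyin_c_string\x00",
}
KNOWN_BENIGN = {DOS_STUB.decode()}   # present in every PE, so filtered out

if __name__ == "__main__":
    for s, files in sorted(common_strings(SAMPLES, ignore=KNOWN_BENIGN).items()):
        print(f"{s}  <- {', '.join(files)}")
    # relax "in ALL files" to "in at least 2" to keep strings one variant dropped
    for s, files in sorted(common_strings(SAMPLES, min_files=2, ignore=KNOWN_BENIGN).items()):
        print(f"{s}  <- {', '.join(files)}")
```

Replace `SAMPLES` with `load_dir(r"C:\path\to\samples")` to run it over real .bin files.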
