├── README.md
├── Release
    └── malcheck.exe
├── ioc-generator.ps1
├── malcheck.sln
└── malcheck
    ├── FileInfo.cpp
    ├── decode.cpp
    ├── main.cpp
    ├── malcheck.vcxproj
    └── precomp.h


/README.md:
--------------------------------------------------------------------------------
 1 | # malcheck
 2 | Portable utility to check if a machine has been infected by Shamoon2
 3 | 
 4 | This utility uses a set of the Indicators of Compromise for the identified Shamoon variant released by FireEye [1]. As a GCC/Gulf based cyber security start-up, Comae recommends GCC private and public organizations to check their Windows environment using open-source utility malcheck.
 5 | 
 6 | This week, several security companies issued warnings regarding a new variation of Shamoon (W32.Disttrack), being found mid November 2016.
 7 | This utility available in *bin/malcheck.exe* contains a portable utility for simple check that your security team can use for quick assessment.
 8 | 
 9 | 
10 | ```
11 |   MalCheck v0.1 - Simple portable utility to search for Shamoon2 artifacts
12 |   Copyright (C) 2016, Matthieu Suiche <http://www.msuiche.net>
13 |   Copyright (C) 2016, Comae Technologies FZE <http://www.comae.io>
14 |       More information: support@comae.io
15 | 
16 | [+] No signs of Shamoon2 have been found.
17 | ```
18 | 
19 | ## TODO
20 | - [ ] Parse JSON files as input argument instead of hardcoding quick signatures.
21 | 
22 | ## References
23 | - [1] *FireEye* https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html
24 | - [2] *Symantec* https://www.symantec.com/connect/blogs/shamoon-back-dead-and-destructive-ever
25 | - [3] *McAfee* https://securingtomorrow.mcafee.com/mcafee-labs/shamoon-rebooted/
26 | - [4] *CrowdStrike* https://www.crowdstrike.com/blog/shamoon2/
27 | - [5] *Palo Alto* http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/
28 | 


--------------------------------------------------------------------------------
/Release/malcheck.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/msuiche/malcheck/a3538b77c029c84104d6e117b01c1ab8725caa16/Release/malcheck.exe


--------------------------------------------------------------------------------
/ioc-generator.ps1:
--------------------------------------------------------------------------------
 1 | dir . | Foreach-Object{
 2 |     $file = $_
 3 |     $hash = Get-FileHash $file -Algorithm MD5
 4 |     $fileinfo = Get-Item $file
 5 | 
 6 |     New-Object -TypeName PSObject -Property @{
 7 |         VersionInfo = $fileinfo.VersionInfo
 8 |         LastWriteTime = $fileinfo.LastWriteTime
 9 |         Length = $fileinfo.Length
10 |         Algorithm = $hash.Algorithm
11 |         MD5 = $hash.Hash
12 |         Name = $fileinfo.Name
13 |     }
14 | } | Format-List
15 | 


--------------------------------------------------------------------------------
/malcheck.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 14
 4 | VisualStudioVersion = 14.0.25420.1
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "shamoon2-check", "malcheck\malcheck.vcxproj", "{D4CEFD35-B370-4CBC-ADF3-9453D148BBF8}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{D4CEFD35-B370-4CBC-ADF3-9453D148BBF8}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{D4CEFD35-B370-4CBC-ADF3-9453D148BBF8}.Debug|x64.Build.0 = Debug|x64
18 | 		{D4CEFD35-B370-4CBC-ADF3-9453D148BBF8}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{D4CEFD35-B370-4CBC-ADF3-9453D148BBF8}.Debug|x86.Build.0 = Debug|Win32
20 | 		{D4CEFD35-B370-4CBC-ADF3-9453D148BBF8}.Release|x64.ActiveCfg = Release|x64
21 | 		{D4CEFD35-B370-4CBC-ADF3-9453D148BBF8}.Release|x64.Build.0 = Release|x64
22 | 		{D4CEFD35-B370-4CBC-ADF3-9453D148BBF8}.Release|x86.ActiveCfg = Release|Win32
23 | 		{D4CEFD35-B370-4CBC-ADF3-9453D148BBF8}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | EndGlobal
29 | 


--------------------------------------------------------------------------------
/malcheck/FileInfo.cpp:
--------------------------------------------------------------------------------
  1 | #include "precomp.h"
  2 | 
  3 | HCRYPTPROV g_hProv = 0;
  4 | HCRYPTHASH g_hHash = 0;
  5 | 
  6 | #define VERBOSE_FILE_INFO 0
  7 | 
  8 | LPWSTR
  9 | GetExpandedPath(
 10 |     LPCWSTR Path
 11 | )
 12 | {
 13 |     DWORD CharCount;
 14 |     LPWSTR ExpandedPath;
 15 | 
 16 |     CharCount = ExpandEnvironmentStringsW(Path, NULL, 0);
 17 |     ExpandedPath = (LPWSTR)malloc(CharCount * sizeof(WCHAR));
 18 |     if (!ExpandedPath) return NULL;
 19 | 
 20 |     // NOTE: ExpandEnvironmentStrings is not identical
 21 |     // between Unix and Windows
 22 |     ExpandEnvironmentStringsW(Path, ExpandedPath, CharCount);
 23 |     if (wcschr(ExpandedPath, L'%')) {
 24 |         free(ExpandedPath);
 25 |         return NULL;
 26 |     }
 27 |     return ExpandedPath;
 28 | }
 29 | 
 30 | BOOLEAN
 31 | IsFilePresent(
 32 |     LPCWSTR File
 33 | )
 34 | {
 35 |     HANDLE FileHandle;
 36 | 
 37 |     FileHandle = CreateFileW(File, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
 38 | 
 39 |     if (FileHandle == INVALID_HANDLE_VALUE) {
 40 |         return FALSE;
 41 |     } else {
 42 |         CloseHandle(FileHandle);
 43 |         return TRUE;
 44 |     }
 45 | }
 46 | 
 47 | BOOLEAN
 48 | InitCrypt(
 49 |     VOID
 50 | ) {
 51 |     DWORD dwStatus = ERROR_SUCCESS;
 52 | 
 53 |     // Get handle to the crypto provider
 54 |     if (!CryptAcquireContext(&g_hProv,
 55 |         NULL,
 56 |         NULL,
 57 |         PROV_RSA_FULL,
 58 |         CRYPT_VERIFYCONTEXT))
 59 |     {
 60 |         dwStatus = GetLastError();
 61 |         wprintf(L"CryptAcquireContext failed: %d\n", dwStatus);
 62 |         goto CleanUp;
 63 |     }
 64 | 
 65 |     if (!CryptCreateHash(g_hProv, CALG_MD5, 0, 0, &g_hHash))
 66 |     {
 67 |         dwStatus = GetLastError();
 68 |         wprintf(L"CryptAcquireContext failed: %d\n", dwStatus);
 69 |         CryptReleaseContext(g_hProv, 0);
 70 |         goto CleanUp;
 71 |     }
 72 | 
 73 | CleanUp:
 74 |     return (dwStatus == ERROR_SUCCESS) ? TRUE : FALSE;
 75 | }
 76 | 
 77 | VOID
 78 | DumpFileInfo(
 79 |     _In_ PFILE_INFORMATION_CHECK FileInfo
 80 | ) {
 81 |     wprintf(L"[?] FileInfo->FullPath:        %s\n", FileInfo->FullPath);
 82 |     wprintf(L"[?] FileInfo->IsPresentOnDisk: %s\n", FileInfo->IsPresentOnDisk ? L"Present" : L"Not Present");
 83 |     wprintf(L"[?] FileInfo->FileSize:        0x%llx (%I64d)\n", FileInfo->FileSize.QuadPart, FileInfo->FileSize.QuadPart);
 84 |     wprintf(L"[?] FileInfo->Md5Hash:         %s\n", FileInfo->Md5Hash);
 85 | }
 86 | 
 87 | BOOLEAN
 88 | DestroyCrypt(
 89 |     VOID
 90 | ) {
 91 |     CryptDestroyHash(g_hHash);
 92 |     CryptReleaseContext(g_hProv, 0);
 93 |     return TRUE;
 94 | }
 95 | 
 96 | 
 97 | BOOLEAN
 98 | GetFileInformationCheck(
 99 |     _In_ LPWSTR FullPath,
100 |     _Out_ PFILE_INFORMATION_CHECK FileInfo
101 | ) {
102 |     BOOLEAN Result = FALSE;
103 |     BYTE Buffer[1024] = { 0 };
104 |     BYTE rgbHash[16];
105 |     DWORD cbHash = 0;
106 | 
107 |     if (!FullPath || !FileInfo) {
108 |         wprintf(L"Error: invalid parameter.\n");
109 |         return FALSE;
110 |     }
111 | 
112 |     LPWSTR ExpandedPath = GetExpandedPath(FullPath);
113 |     if (!ExpandedPath) {
114 |         wprintf(L"Error: GetExpandedPath(FullPath = %s) failed.\n", FullPath);
115 |         return FALSE;
116 |     }
117 | 
118 |     wcscpy_s(FileInfo->FullPath, sizeof(FileInfo->FullPath), ExpandedPath);
119 |     free(ExpandedPath);
120 |     ExpandedPath = NULL;
121 | 
122 |     FileInfo->IsPresentOnDisk = FALSE;
123 |     Result = TRUE;
124 | 
125 |     HANDLE FileHandle;
126 | 
127 |     FileHandle = CreateFileW(FileInfo->FullPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
128 |     if (FileHandle == INVALID_HANDLE_VALUE) {
129 |         // wprintf(L"Error: CreateFileW(FullPath = %s) failed. (err = %d)\n", FullPath, GetLastError());
130 |         goto CleanUp;
131 |     }
132 | 
133 |     InitCrypt();
134 | 
135 |     BOOLEAN Ret = FALSE;
136 |     FileInfo->IsPresentOnDisk = TRUE;
137 |     FileInfo->FileSize.LowPart = GetFileSize(FileHandle, (LPDWORD)&FileInfo->FileSize.HighPart);
138 | 
139 |     size_t DataBufferSize = FileInfo->FileSize.LowPart;
140 |     DWORD cbRead = 0;
141 |     while (Ret = ReadFile(FileHandle, Buffer, sizeof(Buffer), &cbRead, NULL)) {
142 |         if (cbRead == 0) break;
143 | 
144 |         if (!CryptHashData(g_hHash, Buffer, cbRead, 0)) {
145 |             wprintf(L"CryptHashData failed: %d\n", GetLastError());
146 |         }
147 |     }
148 | 
149 |     cbHash = 16;
150 |     if (CryptGetHashParam(g_hHash, HP_HASHVAL, rgbHash, &cbHash, 0)) {
151 |         RtlZeroMemory(FileInfo->Md5Hash, sizeof(FileInfo->Md5Hash));
152 | 
153 |         for (UINT i = 0; i < cbHash; i++) {
154 |             WCHAR tmp[8] = { 0 };
155 |             swprintf_s(tmp, _countof(tmp), L"%02x", rgbHash[i]);
156 |             wcscat_s(FileInfo->Md5Hash, (size_t)_countof(FileInfo->Md5Hash), tmp);
157 |         }
158 |     }
159 |     else {
160 |         wprintf(L"CryptGetHashParam failed: %d\n", GetLastError());
161 |     }
162 | 
163 |     CloseHandle(FileHandle);
164 | 
165 | CleanUp:
166 |     DestroyCrypt();
167 | 
168 | #if VERBOSE_FILE_INFO
169 |     DumpFileInfo(FileInfo);
170 | #endif
171 | 
172 |     return Result;
173 | }


--------------------------------------------------------------------------------
/malcheck/decode.cpp:
--------------------------------------------------------------------------------
 1 | //
 2 | // Translation of string decoding routine used by Shamoon 2.0 droppers used against General Authority of Civil Aviation (GACA) in Saudi Arabia. Strings such as passwords, username etc.
 3 | // This can be used to identify similar categories or malwares from the same family.
 4 | //
 5 | // Translation done by Comae Technologies. www.comae.io / @comae.io
 6 | //
 7 | 
 8 | #include <windows.h>
 9 | #include <stdlib.h>
10 | #include <stdio.h>
11 | 
12 | LPWSTR
13 | Decode(LPBYTE InputStr, USHORT Delta)
14 | {
15 |     ULONG InputStrLen = wcslen((LPWSTR)InputStr);
16 |     ULONG OutputStrLen = sizeof(WCHAR) * (InputStrLen + 1);
17 |     LPWSTR OutputStr = (LPWSTR)malloc(OutputStrLen);
18 |     wcsncpy_s(OutputStr, OutputStrLen / sizeof(WCHAR), (LPWSTR)InputStr, (InputStrLen + 1));
19 |     ULONG Count = 0;
20 |     if (InputStrLen) {
21 |         do {
22 |             OutputStr[Count++] += (USHORT)Delta;
23 |         } while (Count < InputStrLen);
24 |     }
25 |     return OutputStr;
26 | }
27 | 
28 | VOID
29 | DecodeEx(
30 |     LPBYTE Input
31 | )
32 | {
33 |     LPWSTR Out = Decode(Input, -0x13);
34 | 
35 |     wprintf(L"\"%s\" -> \"%s\"\n", Input, Out);
36 | 
37 |     free(Out);
38 | }
39 | 
40 | int main(
41 |     int argc,
42 |     char **argv
43 | ) {
44 | #if 0
45 |     .text:00404989                 push    0FFFFFFEDh; __int16
46 |     .text:0040498B                 push    offset aZtvt; "ZTVT"
47 |     .text:00404990                 mov     dword_42DFB0, esi
48 |     .text:00404996                 call    decode_string
49 |     .text:0040499B                 push    0FFFFFFEDh; __int16
50 |     .text:0040499D                 push    offset aZtvttw; "ztvttw€"
51 |     .text:004049A2                 mov     dword_42DFB4, eax
52 |     .text:004049A7                 call    decode_string
53 |     .text:004049AC                 push    0FFFFFFEDh; __int16
54 |     .text:004049AE                 push    offset aZzNy; "{zz|[Ny‰"
55 |     .text:004049B3                 mov     dword_42DFB8, eax
56 |     .text:004049B8                 call    decode_string
57 | #endif
58 | 
59 |     DecodeEx((LPBYTE)"\x5a\x00\x54\x00\x56\x00\x54\x00\x13\x00"); // GACA
60 |     DecodeEx((LPBYTE)"\x7a\x00\x76\x00\x74\x00\x74\x00\x77\x00\x80\x00\x7c\x00\x81\x00\x44\x00\x48\x00\x13\x00"); // gcaadmin15
61 |     DecodeEx((LPBYTE)"\x7b\x00\x7a\x00\x7a\x00\x7c\x00\x5b\x00\x4e\x00\x79\x00\x89\x00\x44\x00\x44\x00\x45\x00\x45\x00\x13\x00");
62 | 
63 |     return FALSE;
64 | }
65 | 


--------------------------------------------------------------------------------
/malcheck/main.cpp:
--------------------------------------------------------------------------------
 1 | /*++
 2 | 
 3 |     Copyright (c) 2016, Matthieu Suiche
 4 |     Copyright (c) 2016, Comae Technologies FZE
 5 | 
 6 |     Module Name:
 7 | 
 8 |         main.cpp
 9 | 
10 |     Abstract:
11 |         https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html
12 |         TODO: Pass JSON file as input signatures.
13 | 
14 |     Author:
15 | 
16 |         Matthieu Suiche (m) 1-Dec-2016
17 | 
18 |     Revision History:
19 | 
20 | --*/
21 | 
22 | #include "precomp.h"
23 | 
24 | MALICIOUS_FILES g_Shamoon2[] = {
25 |     // https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html
26 |     {L"%SYSTEMROOT%\\System32\\ntssrvr64.exe", 717312, NULL},
27 |     {L"%SYSTEMROOT%\\System32\\ntssrvr32.exe", 1349632, NULL },
28 |     {L"%SYSTEMROOT%\\System32\\ntssrvr32.bat", 160, L"10de241bb7028788a8f278e27a4e335f"},
29 |     {L"%SYSTEMROOT%\\System32\\gpget.exe", 327680, L"c843046e54b755ec63ccb09d0a689674"},
30 |     {L"%SYSTEMROOT%\\System32\\drdisk.sys", 31632, L"76c643ab29d497317085e5db8c799960"},
31 |     {L"%SYSTEMROOT%\\System32\\key8854321.pub", 782, L"b5d2a4d8ba015f3e89ade820c5840639"},
32 |     {L"%SYSTEMROOT%\\System32\\netinit.exe", 183808, L"ac4d91e919a3ef210a59acab0dbb9ab5"},
33 |     {NULL, NULL, NULL }
34 | };
35 | 
36 | ULONG
37 | IsInfectedWithShamoon2(
38 |     VOID
39 | ) {
40 |     ULONG Matches = 0;
41 | 
42 |     for (ULONG i = 0; g_Shamoon2[i].Path; i += 1) {
43 |         FILE_INFORMATION_CHECK Info = { 0 };
44 |         if (GetFileInformationCheck(g_Shamoon2[i].Path, &Info)) {
45 |             if ((g_Shamoon2[i].FileSize && (g_Shamoon2[i].FileSize == Info.FileSize.LowPart)) ||
46 |                 (g_Shamoon2[i].MD5 && (wcscmp(g_Shamoon2[i].MD5, Info.Md5Hash) == 0)) ||
47 |                 (Info.IsPresentOnDisk)) {
48 |                 Matches += 1;
49 | 
50 |                 wprintf(L"[!] File detect: %s\n", Info.FullPath);
51 | 
52 |                 DumpFileInfo(&Info);
53 |             }
54 |         }
55 |     }
56 | 
57 |     return Matches;
58 | }
59 | 
60 | int
61 | wmain(
62 |     ULONG argc,
63 |     LPWSTR *argv) {
64 | 
65 |     LPWSTR FileName = NULL;
66 |     FILE_INFORMATION_CHECK FileInfo = { 0 };
67 | 
68 |     wprintf(L"  MalCheck v0.1 - Simple portable utility to search for Shamoon2 artifacts\n"
69 |             L"  Copyright (C) 2016, Matthieu Suiche <http://www.msuiche.net>\n"
70 |             L"  Copyright (C) 2016, Comae Technologies FZE <http://www.comae.io>\n"
71 |             L"      More information: support@comae.io\n\n");
72 | 
73 | 
74 | #if 0
75 |     // DEBUG
76 | 
77 |     if (argc >= 2) {
78 |         FileName = argv[1];
79 |     }
80 | 
81 |     if (FileName) {
82 |         wprintf(L"argv[1] = %s\n", FileName);
83 |         BOOLEAN Result = GetFileInformationCheck(FileName, &FileInfo);
84 |     }
85 | #endif
86 | 
87 |     ULONG Result = IsInfectedWithShamoon2();
88 |     if (Result) {
89 |         wprintf(L"[!] WARNING: Artifacts of Shamoon2 have been found. Please contact support@comae.io if your organization needs any assistance.\n");
90 |     } else {
91 |         wprintf(L"[+] No signs of Shamoon2 have been found.\n");
92 |     }
93 | 
94 |     return Result ? TRUE : FALSE;
95 | }


--------------------------------------------------------------------------------
/malcheck/malcheck.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <ProjectGuid>{D4CEFD35-B370-4CBC-ADF3-9453D148BBF8}</ProjectGuid>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <RootNamespace>shamoon2check</RootNamespace>
 25 |     <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
 26 |     <ProjectName>malcheck</ProjectName>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v140</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v140</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v140</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v140</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 77 |     <LinkIncremental>true</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 80 |     <LinkIncremental>false</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <PrecompiledHeader>
 88 |       </PrecompiledHeader>
 89 |       <WarningLevel>Level3</WarningLevel>
 90 |       <Optimization>Disabled</Optimization>
 91 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 92 |     </ClCompile>
 93 |     <Link>
 94 |       <SubSystem>Console</SubSystem>
 95 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 96 |     </Link>
 97 |   </ItemDefinitionGroup>
 98 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 99 |     <ClCompile>
100 |       <PrecompiledHeader>
101 |       </PrecompiledHeader>
102 |       <WarningLevel>Level3</WarningLevel>
103 |       <Optimization>Disabled</Optimization>
104 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
105 |     </ClCompile>
106 |     <Link>
107 |       <SubSystem>Console</SubSystem>
108 |       <GenerateDebugInformation>true</GenerateDebugInformation>
109 |     </Link>
110 |   </ItemDefinitionGroup>
111 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
112 |     <ClCompile>
113 |       <WarningLevel>Level3</WarningLevel>
114 |       <PrecompiledHeader>
115 |       </PrecompiledHeader>
116 |       <Optimization>MaxSpeed</Optimization>
117 |       <FunctionLevelLinking>true</FunctionLevelLinking>
118 |       <IntrinsicFunctions>true</IntrinsicFunctions>
119 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
120 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
121 |     </ClCompile>
122 |     <Link>
123 |       <SubSystem>Console</SubSystem>
124 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
125 |       <OptimizeReferences>true</OptimizeReferences>
126 |       <GenerateDebugInformation>true</GenerateDebugInformation>
127 |     </Link>
128 |   </ItemDefinitionGroup>
129 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
130 |     <ClCompile>
131 |       <WarningLevel>Level3</WarningLevel>
132 |       <PrecompiledHeader>
133 |       </PrecompiledHeader>
134 |       <Optimization>MaxSpeed</Optimization>
135 |       <FunctionLevelLinking>true</FunctionLevelLinking>
136 |       <IntrinsicFunctions>true</IntrinsicFunctions>
137 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
138 |     </ClCompile>
139 |     <Link>
140 |       <SubSystem>Console</SubSystem>
141 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
142 |       <OptimizeReferences>true</OptimizeReferences>
143 |       <GenerateDebugInformation>true</GenerateDebugInformation>
144 |     </Link>
145 |   </ItemDefinitionGroup>
146 |   <ItemGroup>
147 |     <ClCompile Include="FileInfo.cpp" />
148 |     <ClCompile Include="main.cpp" />
149 |   </ItemGroup>
150 |   <ItemGroup>
151 |     <ClInclude Include="precomp.h" />
152 |   </ItemGroup>
153 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
154 |   <ImportGroup Label="ExtensionTargets">
155 |   </ImportGroup>
156 | </Project>


--------------------------------------------------------------------------------
/malcheck/precomp.h:
--------------------------------------------------------------------------------
 1 | #include <windows.h>
 2 | #include <stdio.h>
 3 | #include <stdlib.h>
 4 | 
 5 | typedef struct _FILE_INFORMATION_CHECK {
 6 |     WCHAR FullPath[MAX_PATH + 1];
 7 |     BOOLEAN IsPresentOnDisk;
 8 |     LARGE_INTEGER FileSize;
 9 |     WCHAR Md5Hash[32 + 1];
10 | } FILE_INFORMATION_CHECK, *PFILE_INFORMATION_CHECK;
11 | 
12 | typedef struct _MALICIOUS_FILES {
13 |     LPWSTR Path;
14 |     ULONG FileSize;
15 |     LPWSTR MD5;
16 | } MALICIOUS_FILES, *PMALICIOUS_FILES;
17 | 
18 | BOOLEAN
19 | GetFileInformationCheck(
20 |     _In_ LPWSTR FullPath,
21 |     _Out_ PFILE_INFORMATION_CHECK FileInfo
22 | );
23 | 
24 | VOID
25 | DumpFileInfo(
26 |     _In_ PFILE_INFORMATION_CHECK FileInfo
27 | );


--------------------------------------------------------------------------------