{"id":995,"date":"2012-05-31T20:08:01","date_gmt":"2012-05-31T20:08:01","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=995"},"modified":"2018-12-15T00:52:01","modified_gmt":"2018-12-15T00:52:01","slug":"mft-scanning-for-fun-and-err-flame","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/05\/31\/mft-scanning-for-fun-and-err-flame\/","title":{"rendered":"$MFT scanning for fun and err… Flame"},"content":{"rendered":"

Update 2018-12-15<\/strong><\/p>\n

This tool was an experiment; please do not use it anymore as it produces unreliable reports; the tool has not been updated for many years. Use modern AV\/EDR software instead. Thanks!<\/p>\n

Update 2012-July<\/strong><\/p>\n

Expect this tool to grow over next couple of months.<\/p>\n

Old Post<\/strong><\/p>\n

I was toying around with $MFT parsing and came up with a simple demo tool that parses $MFT looking for remnants of malware. Tool is written in x86 assembly so I guess it is forensically sound \ud83d\ude09<\/p>\n

At the moment it only scans for flame malware (I used list from all the places I could find including my own research, CrySyS Lab, Kaspersky, BitDefender, malware.lu, kernelmode.info, etc. –\u00a0 list pasted below).<\/p>\n

It should find entries that are both live (existing files) and deleted entries.<\/p>\n

This is how it works – if it is bad news for you:<\/p>\n

\"\"<\/a><\/p>\n

Note: this is an experimental tool – DO NOT test it on production system. You can always use fls.exe from sleuthkit.<\/p>\n

The tool can be downloaded here<\/a>.<\/p>\n

This is a list of files it searches for:<\/p>\n