
Search Bytes in specified directory

29 Jul 2004
When you want to find a virus or a trojan, you can identify a fixed byte sequence by comparing samples and then search your local disk for it.

Introduction

If you want to find text, you can use the "find" command in a console. You can also use the VS.NET IDE to find it; in the IDE you can use regexps to find what you are interested in, which is very handy. But if you want to find binary bytes, you have to write a little app like this one.

Background

I was looking for an interface some time before I got its IID; I searched the web and used the methods mentioned above, but I failed. So I guessed that maybe it existed in binary form in some application on my local disk, and I decided to write this app.

Using the code

For example, if you want to search disk D, do the following, assigning the byte array as you like.

TCHAR szDir[] = L"d:\\";   // must end with a backslash; FindFile appends names to it
BYTE bt[16];
// assign bt with the pattern you are looking for
ZeroMemory(bt,sizeof(bt));
int nRet = FindFile(szDir,bt,sizeof(bt)/sizeof(bt[0]));

The FindFile function searches every file under the directory, recursively, for the bytes you specified.

// Added includes: the article's code assumes a Windows project built with
// UNICODE defined, since it mixes TCHAR with L"..." literals.
#include <windows.h>
#include <strsafe.h>

void TraceOutPut(const WCHAR *pszFormat, ...);   // defined below

// Searches every file under szDir (which must end with a backslash) for the
// cch-byte pattern bt. Returns 1 if the directory cannot be enumerated, else 0.
int FindFile(LPTSTR szDir,BYTE* bt,UINT cch)
{
  WIN32_FIND_DATA ds; 
  TCHAR szAim[MAX_PATH];
  // StringCchCopy/StringCchCat (strsafe.h) replace lstrcpy/lstrcat so that a
  // long path cannot overrun the MAX_PATH buffers.
  StringCchCopy(szAim,MAX_PATH,szDir);
  StringCchCat(szAim,MAX_PATH,L"*");
  HANDLE hDir = FindFirstFile(szAim,&ds);
  if(hDir==INVALID_HANDLE_VALUE) 
    return (1);
  do 
  {
    if(!(ds.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
    {
      // A plain file. (Testing FILE_ATTRIBUTE_ARCHIVE instead, as the original
      // did, silently skips any file whose archive bit has been cleared.)
      TCHAR szFile[MAX_PATH];
      StringCchCopy(szFile,MAX_PATH,szDir);
      StringCchCat(szFile,MAX_PATH,ds.cFileName);
      //TraceOutPut(L"%s...\r",szFile);
      
      // FILE_SHARE_READ is added so a file another process already has open
      // for reading can still be scanned.
      HANDLE hFile = ::CreateFile(szFile,
       GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,0,NULL);
      if (hFile == INVALID_HANDLE_VALUE)
        continue;   // in a do/while, continue jumps to the FindNextFile test

      ULARGE_INTEGER liFileSize;
      liFileSize.LowPart = ::GetFileSize(hFile, &liFileSize.HighPart);
      // INVALID_FILE_SIZE is also a legitimate low part of a large file, so
      // check GetLastError() before treating it as a failure.
      if (liFileSize.LowPart == INVALID_FILE_SIZE && ::GetLastError() != NO_ERROR)
      {
        ::CloseHandle(hFile);
        continue;
      }

      BYTE* lpBytes = new BYTE[0x40000];   // one read buffer per file, not per chunk
      ULONGLONG ullSum = 0;                // file offset of lpBytes[0]
      while(ullSum < liFileSize.QuadPart)
      {
        DWORD dwRead = 0;
        if(!::ReadFile(hFile, lpBytes, 0x40000,&dwRead,NULL) || dwRead==0)
          break;
        // Compare at every position where the whole pattern fits (i <= dwRead-cch,
        // so a match ending exactly at the end of the chunk is not missed).
        if(dwRead>=cch)
        {
          for(DWORD i=0;i<=dwRead-cch;i++)
          {
            UINT j;   // declared outside the for so it can be tested afterwards
            for(j=0;j<cch;j++)
              if(lpBytes[i+j]!=bt[j])
                break;
            if(j==cch)
              TraceOutPut(L"Found one %s Position 0x%016I64x\n", szFile,ullSum+i);
          }
        }
        // Step back cch-1 bytes so a pattern straddling two chunks is seen in
        // full at the start of the next read. Matches starting in that tail
        // cannot have been reported above, so nothing is reported twice.
        if(dwRead==0x40000 && cch>1)
        {
          ::SetFilePointer(hFile,-(LONG)(cch-1),NULL,FILE_CURRENT);
          dwRead -= (cch-1);
        }
        ullSum += dwRead;
      }
      delete [] lpBytes;
      ::CloseHandle(hFile);
    }
    else if(lstrcmp(ds.cFileName,L".")!=0&&lstrcmp(ds.cFileName,L"..")!=0
            && !(ds.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT))
    {
      // Subdirectory: recurse. Junctions and symbolic links (reparse points)
      // are skipped so a directory loop cannot recurse forever.
      TCHAR szSubDir[MAX_PATH];
      StringCchCopy(szSubDir,MAX_PATH,szDir);
      StringCchCat(szSubDir,MAX_PATH,ds.cFileName);
      StringCchCat(szSubDir,MAX_PATH,L"\\");
      FindFile(szSubDir,bt,cch);
    }
  } while(FindNextFile(hDir,&ds)==TRUE);
  FindClose(hDir);
  return 0;
}
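The chunked scan above is the core of the tool, and the point that is easiest to get wrong is a pattern that straddles two reads. The following is an added example, not code from the article: a portable C++ version of the same search over any std::istream (a file on disk or, as here, a constructed in-memory sample), which carries the last pat.size()-1 bytes of each chunk into the next one so boundary-spanning matches are reported exactly once.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <istream>
#include <sstream>
#include <string>
#include <vector>

// Scan `in` for `pat`, reading `chunk` bytes at a time, and return the absolute
// offset of every match. The last pat.size()-1 bytes of each chunk are carried
// into the next one, so a pattern straddling a chunk boundary is still found.
std::vector<std::uint64_t> FindBytes(std::istream& in,
                                     const std::vector<std::uint8_t>& pat,
                                     std::size_t chunk)
{
    std::vector<std::uint64_t> hits;
    if (pat.empty() || chunk < pat.size()) return hits;
    std::vector<std::uint8_t> buf(chunk);
    std::size_t carry = 0;      // bytes retained from the previous chunk
    std::uint64_t base = 0;     // stream offset corresponding to buf[0]
    for (;;) {
        in.read(reinterpret_cast<char*>(buf.data() + carry),
                static_cast<std::streamsize>(chunk - carry));
        const std::size_t have = carry + static_cast<std::size_t>(in.gcount());
        if (have < pat.size()) break;   // nothing left that could match

        // Compare at every position where the whole pattern fits (<=, not <).
        for (std::size_t i = 0; i + pat.size() <= have; ++i)
            if (std::equal(pat.begin(), pat.end(), buf.begin() + i))
                hits.push_back(base + i);

        // Keep the tail that may still start a match and slide the window on.
        carry = pat.size() - 1;
        const std::size_t consumed = have - carry;
        std::copy(buf.begin() + consumed, buf.begin() + have, buf.begin());
        base += consumed;
    }
    return hits;
}

// Constructed sample (not from the article): the bytes "GUID" occur at offsets
// 6 and 14; with an 8-byte chunk the first occurrence straddles a boundary.
std::vector<std::uint64_t> DemoHits(std::size_t chunk)
{
    const std::string sample = "abcdefGUIDxyz.GUID!";
    const std::vector<std::uint8_t> pat = {0x47, 0x55, 0x49, 0x44};  // "GUID"
    std::istringstream in(sample);
    return FindBytes(in, pat, chunk);
}
```

DemoHits returns {6, 14} for any chunk size of at least 4, including sizes that split either occurrence across reads.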

If you want to monitor the search progress, uncomment the TraceOutPut call. It sends its output through OutputDebugStringW, so it appears in the debugger's output window.

#include <stdarg.h>
#include <stdio.h>

void TraceOutPut(const WCHAR *pszFormat, ...)
{
  va_list arglist;
  va_start(arglist, pszFormat);

  const int nCount = 4096;
  WCHAR szBuf[nCount] = {L'\0'};
  // _vsnwprintf does not write a terminator when the output is truncated,
  // so leave one slot and terminate explicitly.
  _vsnwprintf(szBuf, nCount - 1, pszFormat, arglist);
  szBuf[nCount - 1] = L'\0';
  va_end(arglist);
  OutputDebugStringW(szBuf);
}

Points of Interest

I am curious about how those virus-protection applications work, but I really dislike them because they always decrease the performance of my box. I can find a suspicious application in Task Manager. If I find one, I can edit the Run key in the registry, or some key like that, and erase it easily.

Maybe somebody will say that the suggested search cannot detect email attachments; my answer is that Outlook Express will prevent those applications from starting up. Any comments are appreciated.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

Written By: Software Developer (Senior), China

Comments and Discussions

General: Thanks ;-)
ChauJohnthan, 31-Jul-04 9:18