Monday, April 28, 2014

Never Accidentally Pwn Yourself Again!

"Sell Me This Pen"

In case you haven't seen The Wolf of Wall Street yet, I'm about to tell you why you need to keep reading.

Do you ever download a bunch of suspicious files from your favorite blacklist? Do you ever have to analyze suspected phishing e-mails a C-level executive received? Do you ever export a bunch of executables from an image that do not have MD5 matches on VirusTotal?

Best practice for DIY malware analysis is typically to copy the file(s) into a network-isolated virtual machine and go to town with static and dynamic analysis. Every once in a while, though, we accidentally double-click that EXE file that may or may not contain a backdoor. After all, how much time do you have before a terrifying double click turns into the second click that lets you rename the file's extension to ".mal"? What happens if you sneeze after a right click and your mouse accidentally jumps all the way up to Open and clicks that instead of Rename?



Accidents do happen. Realistically though, you probably just have a bunch of files and don't want to take the time to rename each one.

You Don't Need a Pen, You Need a Script

No matter what the problem was, I wanted a quicker, safer way to rename my suspicious files. I also wanted to write a little batch script because I had never written one before. Execution Protector.bat was born!

Execution Protector.bat adds an underscore character ( _ ) to the extension of every file in the current directory. It simply loops through every file in the current directory and adds the underscore if the file name in question does not match the batch file's name. You can download the script at https://github.com/davidpany/ExecutionProtector.
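As an added example (this is not the author's Execution Protector.bat, which is not reproduced here), the same loop written in Python: every regular file in the directory gets an underscore appended, the script itself is skipped, and a file is left alone if the renamed name already exists. The sample file names and the `skip_names` parameter are my own constructions.

```python
import os
import sys
import tempfile


def neutralize_extensions(directory, skip_names=()):
    """Append "_" to every regular file in `directory` (not subdirectories).

    A file with no extension gets "_" appended to its bare name (my choice,
    not necessarily what the batch script does). Returns [(old, new), ...].
    """
    renamed = []
    # Never rename the running script itself, mirroring the batch file's self-check.
    script_name = os.path.basename(sys.argv[0]) if sys.argv else ""
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue  # leave subdirectories alone
        if name == script_name or name in skip_names:
            continue  # the script (or anything explicitly excluded) stays as-is
        if name.endswith("_"):
            continue  # already neutralized: running twice is harmless
        new_path = path + "_"
        if os.path.exists(new_path):
            continue  # never clobber an existing file
        os.rename(path, new_path)
        renamed.append((name, name + "_"))
    return renamed


def demo():
    """Run on constructed sample files in a temp dir; return (renames, final listing)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample names: a would-be EXE, a macro doc, a file with no
        # extension, a name collision, an already-neutralized file, and the script.
        for name in ("invoice.exe", "macro.docm", "README", "done.bin",
                     "done.bin_", "ExecutionProtector.py"):
            open(os.path.join(tmp, name), "w").close()
        os.mkdir(os.path.join(tmp, "samples"))  # subdirectory, must be untouched
        renames = neutralize_extensions(tmp, skip_names=("ExecutionProtector.py",))
        return renames, sorted(os.listdir(tmp))


if __name__ == "__main__":
    print(demo())
```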

The easiest way to run this script in a Windows environment is to copy it to your malware repository and double click the file in Windows Explorer.


A black cmd.exe window will open and close quickly, and once Explorer refreshes, your files' extensions will have changed!


Now your files are safe from the dreaded accidental double click. 

If you don't want several copies of the script hanging around in each case's malware directory, you can simply cd to the malware directory and just run the script from wherever it may be.



How Does This Keep Me Safe?

The Windows Registry keeps track of which program opens which file type by its extension. I don't know of any extensions ending in an underscore that Windows will natively execute. Since Windows will not automatically open the file with the intended application, the malware will not be successful.

Would You Buy A Free Pen?

Could you just zip up all the suspicious files instead? Yes.
Are there other similar tools out there? Probably.
Can the script's code be written in one line? Most likely.
Was The Wolf of Wall Street a great movie that is in no way family friendly? Absolutely.

So not everyone may need this script, but I enjoyed writing it and this post. I plan on making bash, python, and powershell versions in the future just for fun. Thanks to the various Stack Overflow posts I referenced for parts of the script. Please let me know in the comments or @DavidPany if you have any questions or suggestions.

Thanks for reading!

-Dave