hackers-grep is a tool that enables you to search for strings in PE files. The tool is capable of searching strings, imports, exports, and public symbols (like woah) using regular expressions.
I have used this tool to find functionality across Windows that I want to investigate further. It has allowed me to answer questions like "How many libraries process XML?".
It's also fun to poke around with.
- Install comtypes (https://pypi.python.org/pypi/comtypes)
- Install pywin32 (http://sourceforge.net/projects/pywin32/files/pywin32/)
- Install Microsoft debugging symbols (https://msdn.microsoft.com/en-us/windows/hardware/gg463028.aspx)
The options for hackers-grep are listed below. Keep in mind that all regular expression strings should use pythons "re" module sytax and are case insensitive. For more information please see https://docs.python.org/2/library/re.html.
Z:\hackers-grep>hackers-grep.py -h
Usage: hackers-grep.py [options] <search path> <file regex> <string regex>
Options:
-h, --help show this help message and exit
-d MAX_DEPTH, --max-depth=MAX_DEPTH
Maximum directory recursion depth (default: 1)
-x, --exports-only Only search Export section strings
-n, --imports-only Only search Import section strings
-a, --all-the-things Search strings, import, exports
-s, --symbols Include symbols in search
-p SYMBOL_PATH, --symbol-path=SYMBOL_PATH
Symbol path (default: C:\Windows\Symbols)
-e EXPORT_FILTER, --export-filter=EXPORT_FILTER
Search modules matching this Export regex
-i IMPORT_FILTER, --import-filter=IMPORT_FILTER
Search modules matching this Import regex
-f, --show-info Display file details size and modification time
-v, --verbose Verbose output
This example demonstrates how to search imports. It will search C:\Windows\System32 for any file ending in .dll that imports InternetOpenA or InternetOpenW.
Z:\hackers-grep>hackers-grep.py -n c:\windows\system32 .*.dll "InternetOpen[A,W]"
c:\windows\system32\msidcrl30.dll WININET.dll!InternetOpenA
c:\windows\system32\msscp.dll WININET.dll!InternetOpenA
c:\windows\system32\mssign32.dll WININET.dll!InternetOpenA
c:\windows\system32\msnetobj.dll WININET.dll!InternetOpenA
c:\windows\system32\oleprn.dll WININET.dll!InternetOpenW
c:\windows\system32\urlmon.dll WININET.dll!InternetOpenW
c:\windows\system32\winethc.dll WININET.dll!InternetOpenW
c:\windows\system32\wuwebv.dll WININET.dll!InternetOpenW
By using the option "-f" we can also print information about the file, including the useful "File description" property.
Z:\hackers-grep>hackers-grep.py -f -n c:\windows\system32 .*.dll "InternetOpen[A,W]"
c:\windows\system32\msidcrl30.dll [ 468 KB] [07/14/2009] [Microsoft Corporation] [IDCRL Dynamic Link Library] WININET.dll!InternetOpenA
c:\windows\system32\msscp.dll [ 492 KB] [02/03/2015] [Microsoft Corporation] [Windows Media Secure Content Provider] WININET.dll!InternetOpenA
c:\windows\system32\mssign32.dll [ 38 KB] [07/14/2009] [Microsoft Corporation] [Microsoft Trust Signing APIs] WININET.dll!InternetOpenA
c:\windows\system32\msnetobj.dll [ 259 KB] [02/03/2015] [Microsoft Corporation] [DRM ActiveX Network Object] WININET.dll!InternetOpenA
c:\windows\system32\oleprn.dll [ 104 KB] [07/14/2009] [Microsoft Corporation] [Oleprn DLL] WININET.dll!InternetOpenW
c:\windows\system32\urlmon.dll [1280 KB] [07/16/2015] [Microsoft Corporation] [OLE32 Extensions for Win32] WININET.dll!InternetOpenW
c:\windows\system32\winethc.dll [ 81 KB] [07/14/2009] [Microsoft Corporation] [WinInet Helper Class] WININET.dll!InternetOpenW
c:\windows\system32\wuwebv.dll [ 169 KB] [07/20/2015] [Microsoft Corporation] [Windows Update Vista Web Control] WININET.dll!InternetOpenW
This example demonstrates how to search exports. It will search C:\Windows\System32 for any file ending in .dll that exports the OLE function DllGetClassObject
Z:\hackers-grep>hackers-grep.py -x c:\windows\system32 .*.dll DllGetClassObject
c:\windows\system32\accessibilitycpl.dll <export>!DllGetClassObject
c:\windows\system32\ActionCenterCPL.dll <export>!DllGetClassObject
c:\windows\system32\activeds.dll <export>!DllGetClassObject
c:\windows\system32\AdmTmpl.dll <export>!DllGetClassObject
c:\windows\system32\adsldp.dll <export>!DllGetClassObject
c:\windows\system32\adsmsext.dll <export>!DllGetClassObject
c:\windows\system32\amstream.dll <export>!DllGetClassObject
...
This example will search C:\Windows\System32 for every occurance of the string "xmlns" in a dll.
Z:\hackers-grep>hackers-grep.py c:\windows\system32 .*.dll xmlns.*
...
c:\windows\system32\mscms.dll xmlns:wcs='http://schemas.microsoft.com/windows/2005/02/color/WcsCommonProfileTypes'
c:\windows\system32\mscms.dll xmlns:gmm='http://schemas.microsoft.com/windows/2005/02/color/GamutMapModel'
c:\windows\system32\mscms.dll xmlns:cam='http://schemas.microsoft.com/windows/2005/02/color/ColorAppearanceModel'
<snip>
c:\windows\system32\msmpeg2vdec.dll xmlns:c
c:\windows\system32\msmpeg2vdec.dll xmlns:c
c:\windows\system32\mstscax.dll xmlns:psf='http://schemas.microsoft.com/windows/2003/08/printing/printschemaframework'
c:\windows\system32\mstscax.dll xmlns:psf='http://schemas.microsoft.com/windows/2003/08/printing/printschemaframework'
<snip>
c:\windows\system32\wlanpref.dll xmlns:p='http://www.microsoft.com/networking/WLAN/profile/v1' xmlns:wps='http://www.microsoft.com/networking/WPSSettings/v1'
c:\windows\system32\wlanpref.dll xmlns:p='http://www.microsoft.com/networking/WLAN/profile/v1' xmlns:wps='http://www.microsoft.com/networking/WPSSettings/v1'
c:\windows\system32\WlanMM.dll xmlns:an='http://www.microsoft.com/AvailableNetwork/Info'
c:\windows\system32\WlanMM.dll xmlns:an='http://www.microsoft.com/AvailableNetwork/Info'
<snip>
This example shows how to use the import filter "-i" option. In this case, we want to find any dll that imports CreateFile, but filter only those that import RpcServerListen as well.
Z:\hackers-grep>hackers-grep.py -n -i RpcServerListen c:\windows\system32 .*.dll CreateFile
c:\windows\system32\authui.dll KERNEL32.dll!CreateFileW
c:\windows\system32\certprop.dll KERNEL32.dll!CreateFileW
c:\windows\system32\FXSAPI.dll KERNEL32.dll!CreateFileW
c:\windows\system32\FXSAPI.dll KERNEL32.dll!CreateFileMappingW
c:\windows\system32\bthserv.dll KERNEL32.dll!CreateFileW
c:\windows\system32\iscsiexe.dll KERNEL32.dll!CreateFileW
c:\windows\system32\msdtcprx.dll KERNEL32.dll!CreateFileW
c:\windows\system32\RpcEpMap.dll API-MS-Win-Core-File-L1-1-0.dll!CreateFileW
c:\windows\system32\rpcss.dll KERNEL32.dll!CreateFileMappingW
c:\windows\system32\bdesvc.dll KERNEL32.dll!CreateFileW
c:\windows\system32\SCardSvr.dll KERNEL32.dll!CreateFileW
c:\windows\system32\tapisrv.dll KERNEL32.dll!CreateFileMappingW
c:\windows\system32\tapisrv.dll KERNEL32.dll!CreateFileW
c:\windows\system32\termsrv.dll KERNEL32.dll!CreateFileW
c:\windows\system32\wbiosrvc.dll API-MS-Win-Core-File-L1-1-0.dll!CreateFileW
c:\windows\system32\wiaservc.dll KERNEL32.dll!CreateFileW
c:\windows\system32\wiaservc.dll KERNEL32.dll!CreateFileMappingW
c:\windows\system32\tbssvc.dll KERNEL32.dll!CreateFileA
c:\windows\system32\wscsvc.dll KERNEL32.dll!CreateFileW
c:\windows\system32\wscsvc.dll KERNEL32.dll!CreateFileMappingW
c:\windows\system32\rdpcore.dll KERNEL32.dll!CreateFileW
c:\windows\system32\wlansvc.dll KERNEL32.dll!CreateFileW
c:\windows\system32\wwansvc.dll KERNEL32.dll!CreateFileW
This example shows my favorite use of hackers-grep. The ability to combine some of the previously shown features and the verbose symbol information makes this a nice tool for finding that next bug :)
In this example we want to use debugging symbols (.pdb) to search for every occurance of hfont.
Z:\hackers-grep>hackers-grep.py -s c:\windows\system32 .*.dll ".*HFONT.*"
c:\windows\system32\advpack.dll struct HFONT__ * g_hFont
c:\windows\system32\advpack.dll struct HFONT__ * g_hFont
<snip>
c:\windows\system32\dxtrans.dll public: virtual long __stdcall CDXTLabel::GetFontHandle(struct HFONT__ * *)
c:\windows\system32\dxtrans.dll public: virtual long __stdcall CDXTLabel::SetFontHandle(struct HFONT__ *)
c:\windows\system32\dxtrans.dll public: virtual long __stdcall CDX2D::GetFont(struct HFONT__ * *)
c:\windows\system32\dxtrans.dll public: virtual long __stdcall CDX2D::SetFont(struct HFONT__ *)
c:\windows\system32\dxtrans.dll public: virtual long __stdcall CDXTLabel::GetFontHandle(struct HFONT__ * *)
c:\windows\system32\dxtrans.dll public: virtual long __stdcall CDXTLabel::SetFontHandle(struct HFONT__ *)
c:\windows\system32\dxtrans.dll public: virtual long __stdcall CDX2D::GetFont(struct HFONT__ * *)
c:\windows\system32\dxtrans.dll public: virtual long __stdcall CDX2D::SetFont(struct HFONT__ *)
<snip>
c:\windows\system32\XpsGdiConverter.dll protected: void __thiscall std::list<struct std::pair<struct tagLOGFONTW cons
t ,class std::tr1::shared_ptr<struct xgc::GDIResource<struct HFONT__ *> > >,class std::allocator<struct std::pair<struct
tagLOGFONTW const ,class std::tr1::shared_ptr<struct xgc::GDIResource<struct HFONT__ *> > > > >::_Incsize(unsigned int)
c:\windows\system32\XpsGdiConverter.dll public: virtual void * __thiscall std::tr1::_Ref_count<struct xgc::GDIResourc
e<struct HFONT__ *> >::`vector deleting destructor'(unsigned int)
<snip>
This example searches symbols for IStream::Read
Z:\hackers-grep>hackers-grep.py -s c:\windows\system32 .*.dll ".*IStream::Read.*"
c:\windows\system32\apss.dll public: virtual long __stdcall CStream::CImpIStream::Read(void *,unsigned long,unsigned long *)
c:\windows\system32\apss.dll public: virtual long __stdcall CStream::CImpIStream::Read(void *,unsigned long,unsigned long *)
c:\windows\system32\avifil32.dll public: virtual long __stdcall CPrxAVIStream::Read(long,long,void *,long,long *,long *)
c:\windows\system32\avifil32.dll public: virtual long __stdcall CPrxAVIStream::ReadFormat(long,void *,long *)
c:\windows\system32\avifil32.dll public: virtual long __stdcall CPrxAVIStream::ReadData(unsigned long,void *,long *)
c:\windows\system32\avifil32.dll public: virtual long __stdcall CPrxAVIStream::Read(long,long,void *,long,long *,long *)
c:\windows\system32\avifil32.dll public: virtual long __stdcall CPrxAVIStream::ReadFormat(long,void *,long *)
c:\windows\system32\avifil32.dll public: virtual long __stdcall CPrxAVIStream::ReadData(unsigned long,void *,long *)
c:\windows\system32\cdosys.dll public: virtual long __stdcall CMMIStream::Read(void *,unsigned long,unsigned long *)
c:\windows\system32\cdosys.dll public: virtual long __stdcall MemIStream::Read(void *,unsigned long,unsigned long *)
c:\windows\system32\cdosys.dll public: virtual long __stdcall CMMIStream::Read(void *,unsigned long,unsigned long *)
c:\windows\system32\cdosys.dll public: virtual long __stdcall MemIStream::Read(void *,unsigned long,unsigned long *)
c:\windows\system32\imapi2fs.dll CFsiStream::Read
c:\windows\system32\imapi2fs.dll CFsiStream::Read
<snip>
Its written in Python, so it can be slow, especially if you try and search the entire system drive while processing symbols
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent