
How can I grep a block of zeroes (wiped area with zeroes) in a file?

I have a malicious Word document with macros inside. An Antivirus solution wiped out a block with zeroes in this Word document. I would like to detect this in the future before analyzing...that the file is modified.

I tried this:

xxd -u -p /your/maldoc | tr -d '\n' | grep -c '44656C65746564204279204B6173706572736B79'

It detects "Deleted By Kaspersky Lab AV", but I would like to detect also other av solutions and grep for a block of zeroes.

Thanks for your help in advance!

user3022917

1 Answer


Sounds a lot like you should fix the actual problem (likely your "analyzing" program crashes on invalid input). Your proposed method will not work streaming and will have false positives.

That said, you can probably just dump blocks in a loop and check for the sha1sum or md5sum of it.

Update: I tried to find an elegant way to use e.g. dd in a loop to handle chunks, but I couldn't make it work elegantly without manual offset calculations.

Here's a link to another answer that seems helpful in this direction, though:

sehe
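A chunked scanner for the two signals the question asks about, added here as an example that is not part of the question or the answer: it reports every run of NUL bytes of at least `min_len` (512 is an assumed threshold, chosen to stay above the short zero-padded fields Office files contain legitimately) and every occurrence of the AV replacement string the question quotes, reading the file in fixed-size chunks so a run or marker split across a chunk boundary is still found once. It is written in Python rather than as a shell pipeline because the offset bookkeeping is exactly what made the dd loop awkward; the sample document at the end is constructed, not a real file.

```python
import io
import re

# The only AV wipe marker the question quotes; add others here as they are seen.
AV_MARKERS = [b"Deleted By Kaspersky"]
_MARKER_RE = re.compile(b"|".join(re.escape(m) for m in AV_MARKERS))
_OVERLAP = max(len(m) for m in AV_MARKERS) - 1  # bytes carried over between chunks

def scan_stream(stream, min_len=512, chunk_size=65536):
    """Return (zero_runs, markers): [(offset, length)] of NUL runs >= min_len and
    [(offset, marker)] of AV replacement strings, reading the stream in chunks.
    A run or marker that straddles a chunk boundary is reported once, whole."""
    zero_runs, markers = [], []
    pos, pending, tail = 0, None, b""  # pending = (start, end) of an open NUL run

    def flush(run):
        if run and run[1] - run[0] >= min_len:
            zero_runs.append((run[0], run[1] - run[0]))

    while chunk := stream.read(chunk_size):
        for m in re.finditer(rb"\x00+", chunk):
            start, end = pos + m.start(), pos + m.end()
            if pending and pending[1] == start:  # continues the run from the last chunk
                pending = (pending[0], end)
            else:
                flush(pending)
                pending = (start, end)
        window = tail + chunk  # overlap so a marker split across chunks is still seen
        for m in _MARKER_RE.finditer(window):
            if m.end() > len(tail):  # skip hits that lie wholly in the previous chunk
                markers.append((pos - len(tail) + m.start(), m.group()))
        tail = chunk[-_OVERLAP:] if _OVERLAP else b""
        pos += len(chunk)
        if pending and pending[1] != pos:  # the run ended inside this chunk
            flush(pending)
            pending = None
    flush(pending)
    return zero_runs, markers

def scan_bytes(data, **kwargs):
    return scan_stream(io.BytesIO(data), **kwargs)

def demo():
    # Constructed sample, not a real document: 100 bytes of content, a 600-byte
    # wiped area, the AV marker, more content, then a 16-byte NUL field of the
    # kind that is normal in Office files and must stay below min_len.
    sample = (b"PK\x03\x04" + b"A" * 96 + b"\x00" * 600 + b"Deleted By Kaspersky"
              + b"B" * 40 + b"\x00" * 16 + b"C" * 20)
    # returns ([(100, 600)], [(700, b'Deleted By Kaspersky')])
    return scan_bytes(sample, min_len=512, chunk_size=256)
```

For a file on disk, pass `open(path, "rb")` to `scan_stream`; a non-empty `zero_runs` or `markers` result is the "file was modified by AV" signal to check before analysis.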
  • No analyzing program is crashing...your reasoning makes no sense. – user3022917 Jul 06 '15 at 21:40
  • Then I don't see why the analyzing process cannot detect the fact that the file had malicious content removed by the virus checker. Perhaps you could clarify that part in the question. Cheers – sehe Jul 06 '15 at 21:42