Skip to content

Instantly share code, notes, and snippets.

@et0x
Created August 8, 2016 17:32
Show Gist options
  • Save et0x/ef50ad86243ee226a0e9bbf0c1e60dc5 to your computer and use it in GitHub Desktop.
Save et0x/ef50ad86243ee226a0e9bbf0c1e60dc5 to your computer and use it in GitHub Desktop.
Get the hashes of all exe / dll files downloaded from the internet. Checks for the Zone.Identifier ADS and ensures the value is 3.
function Get-DownloadedPEHashes
{
[CmdletBinding()]
Param(
[Parameter(Mandatory=$true, Position=0)]
[String]$Path,
[Switch]$Recursive = $true
)
if (!$Path.EndsWith('\'))
{
$Path += '\*'
} else {
$Path += '*'
}
if ($Recursive)
{
Get-ChildItem -path $Path -Recurse -Include *.exe, *.dll `
| Where-Object { Get-Item $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue } `
| Where-Object { (Get-Content "$($_.FullName):Zone.Identifier") -like "ZoneId=3" } `
| % { `
if (![String]::IsNullOrEmpty($_.FullName)) `
{ `
Get-FileHash -Path $_.FullName -Algorithm MD5 `
} `
}
} else {
Get-ChildItem -path $Path -Include *.exe, *.dll `
| Where-Object { Get-Item $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue } `
| Where-Object { (Get-Content "$($_.FullName):Zone.Identifier") -like "ZoneId=3" } `
| % { `
if (![String]::IsNullOrEmpty($_.FullName)) `
{ `
Get-FileHash -Path $_.FullName -Algorithm MD5 `
} `
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment