Paths Parser
Description: A comprehensive tool designed to analyze lists of file paths provided in specific .txt files (search results.txt, paths.txt, p.txt). It performs multiple checks on each valid path found, automating several analysis steps.
Features:
Path Parsing: Correctly handles and parses file paths, including those with the \\?\ prefix. Reads paths line by line from the specified input text files.
File Existence Check: Determines whether the file at the given path currently exists or has been deleted (reports "Deleted" status).
Digital Signature Verification: Checks both Authenticode and Catalog signatures. Reports status as "Signed", "Not signed", or specific error states. Includes special detection for known signed cheats like Slinky and Vape.
Generic Detections: Applies a suite of 27 different "generic" checks (heuristics) designed to flag suspicious characteristics often found in malicious software or cheats. Categories include checks for autoclickers (A), non-C# protection (B), C# protection (C/D/E), packed executables (F), injectors (G), and specific known cheats (Specific A/B).
Replacement Check: Queries the USN Journal for each existing file path to identify potential file replacement patterns (specifically, it looks for sequences related to Explorer moves, copy command usage, or type command overwrites).
YARA Integration: Allows users to integrate their own custom .yar rules for scanning.
Output: Displays analysis results (existence, signature, generics hits) for each path in the console. Writes a summary of any detected file replacements to replaces.txt in the program's directory.
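As an added illustration of the path-parsing and existence-check steps described above (example code written for this page, not code from the Paths Parser project): it strips the \\?\ prefix, including the \\?\UNC\ form, drops non-path lines, deduplicates case-insensitively, and reports "Deleted" for paths that no longer resolve. The sample lines and the injectable exists callback are assumptions for the demo.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Input files the tool reads, as listed in the description above.
INPUT_FILES = ("search results.txt", "paths.txt", "p.txt")

# Windows extended-length prefixes: \\?\C:\... and \\?\UNC\server\share\...
_EXTENDED_PREFIX = "\\\\?\\"
_UNC_PREFIX = "\\\\?\\UNC\\"


def normalize_path(raw: str) -> Optional[str]:
    """Trim the line and remove the \\?\ prefix; return None for lines that
    are not plausible Windows paths (blank lines, free text from a dump)."""
    line = raw.strip().strip('"')
    if not line:
        return None
    if line.upper().startswith(_UNC_PREFIX.upper()):   # \\?\UNC\srv\share -> \\srv\share
        line = "\\\\" + line[len(_UNC_PREFIX):]
    elif line.startswith(_EXTENDED_PREFIX):            # \\?\C:\x -> C:\x
        line = line[len(_EXTENDED_PREFIX):]
    if re.match(r"^[A-Za-z]:\\", line) or line.startswith("\\\\"):
        return line
    return None


def parse_path_lines(lines: Iterable[str]) -> List[str]:
    """Parse a line-by-line path list, keeping first-seen order and
    deduplicating case-insensitively (NTFS paths are case-insensitive)."""
    seen, out = set(), []
    for raw in lines:
        path = normalize_path(raw)
        if path is not None and path.lower() not in seen:
            seen.add(path.lower())
            out.append(path)
    return out


@dataclass
class PathResult:
    path: str
    status: str  # "Exists" or "Deleted"


def check_existence(paths: List[str],
                    exists: Callable[[str], bool] = os.path.exists) -> List[PathResult]:
    """Report which parsed paths still exist; 'exists' is injectable so the
    same logic can be run against a recorded filesystem snapshot."""
    return [PathResult(p, "Exists" if exists(p) else "Deleted") for p in paths]


# Constructed sample lines in the shape of a string-dump export (not real data).
SAMPLE_LINES = [
    r"\\?\C:\Users\demo\AppData\Roaming\.minecraft\mods\example.dll",
    r"C:\Users\demo\AppData\Roaming\.minecraft\mods\EXAMPLE.DLL",  # same file, other case
    r"\\?\UNC\fileserver\share\tools\example2.exe",
    "",
    "Some unrelated text from the dump",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for r in check_existence(parse_path_lines(SAMPLE_LINES)):
        print(f"{r.status:8} {r.path}")
```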
Usage Notes & Caveats:
Generics A2 (DLL clickers) and the F-series (packed files) are noted as potentially causing occasional false positives but are kept active to maximize detection of actual cheats.
Carefully examine the timestamps associated with any detected replacements, as legitimate file updates can sometimes trigger these patterns.
Paths corresponding to deleted files might appear incomplete or "cut" due to how memory artifacts or the parsing process handles non-existent files.
Usage: A powerful tool for batch-analyzing file paths gathered from other tools (like System Informer string dumps) or logs, providing signature status, existence checks, heuristic-based suspicion levels, and detection of potential file replacements. Especially useful for quickly assessing lists of DLLs or EXEs found in memory.
Link: https://github.com/spokwn/PathsParser/releases