PURPOSE OPERATION OPTIONS ITS ABOUT TIME COMMAND LINES VALIDATION RELATED PROGRAMS
Author: Dan Mares, dmares @ maresware . com (you will be asked for e-mail address confirmation)
Portions Copyright © 1998-2021 by Dan Mares and Mares and Company, LLC
Phone: 678-427-3275
All programs are command line programs.
MUST be run within a command window as administrator.
Crckit may be used for a number of different purposes depending on the user's needs.
It provides a 32 bit CCITT checksum of a file or files. The 32 bit value is identical to one created by the PKZIP® program for its internal file integrity checks. This allows for a cross verification of any value that Crckit produces.
The output record produced by Crckit is a fixed length record capable of being imported into a database if desired.
This program can be used to verify that a file has not been changed since a reference CRC was created.
It can also be used in a batch file to check the integrity of a program before execution. If the program has been corrupted by a virus it can abort operation.
The program produces a columner output with a heading. A sample output is:
FILE: CRC-32 Size Date Time CRCKIT.EXE: 974B9057 123456 09/18/1995 18:18:04w (GMT)
Under the heading the data reflects the appropriate items including the file date and time.
If the 32 bit NT version is run, the file time type is also indicated by either a ‘w’, ‘c’, or ‘a’ indicating the last write time, create time, or last access time.
If you run the program on NTFS or WIN9x file systems the last access time will be changed. So use caution when doing this for forensic purposes.
If you don’t want the access time to be changed see the -R option. Or, you can use an environment variable RESET, which the program sees and attempts to RESET the last access time back to its original value before the program was run. This operation( or use of the -R option) alters the disk, but makes no significant changes. You must use your own judgment. (Verify this alteration for yourself before running the program. The 32 bit version of Mdir can be used to verify file times.) See ITS ABOUT TIME in the HASH.exe documentation.
You can also use Crckit to validate an exe or com file before running a program. See VALIDATE at end of this section. Crckit can “Brand” a program file (.exe or .com) with an internal CRC. At a later time using a batch file, the integrity of the program can be verified on the fly before the program is run, thus performing a runtime check for virus alterations.
-p + path(s) If more than one directory needs to be looked at, then add the paths here as appropriate. (-p c:\windows d:\work) [PATH=path]
-f + filespec If more than one file type is needed, add them here. (-f *.c *.obj *.dll) [FILES=filetype]
If these options are used the program builds a matrix of paths and file types. It searches all the requested directories for all the requested file types, thus giving a total of all the files in all the paths requested. These options are added to any default command line provided. (C:>mdir c:\work\*.c -f *.dll -p d:\windows)
-x + filespec E(x)clude these file types from listing. (same format as -f option) (-x thesefiles.txt) [EXCLUDE=filetype]
-oO + filename Output file name. Place the output to a filename. If uppercase ‘O’ then existing output is appended to. The -O (append options) is default and cannot be turned off. [OUTPUT=filename]
-1 + filename (that's a one, not ell) The filename here is a file which will contain accounting/log information about the run. It is always appended to, and contains the command line plus statistics about how many files and the time of run. The file can later be used as a batch file for duplicating the runs. The ACCT environment variable can also be set. (SET ACCT=logfilename). Or use the .INI option [ACCT=filename] The order of priority is: Environment, INI file, Command Line option. To explicitly turn off use a +1.
-a Append output to filename provided in -o option. Serves same purpose as using an upper case O. (-a) The append option is actually defaulted and cannot be turned off.
[APPEND=[ON|OFF]]
-w + width Default file name width is 30 characters, including path. to change that value use the -w (width) option for longer or shorter paths.
-g + # Where the # is replaced by a number indicating, list all files ‘g’reater than # days old. You can use a -gl pair to bracket file ages. [OLDER=xxx]
-1 + # Where the # is replaced by a number indicating: list all files ‘l’ess than # days old. You can use a -gl pair to bracket file ages. To get todays files, use (-l 1) [NEWER=xxx]
-g + mm-dd-yyyy
-l + mm-dd-yyyy: (that's and ell, not a one). Process only those files (g)reater (older) than or (l)ess than (newer) than this mm-dd-yyyy date. The date MUST be in the form mm-dd-yyyy. It MUST have two digit month and days (leading 0 if necessary), and it MUST have a 4 digit year. The date given mm-dd-yyyy is NOT included in the calculation. Ie. if today was 01-10-2003 and you entered -l 01-09-2003 you would only process todays files. If you wanted to include those on 01-09, you should have entered -l 01-08-2003.
-g + # Where the # is replaced by a number indicating: list all files ‘g’reater than # days old. You can use a -gl pair to bracket file ages. [OLDER]=50
-l + # (ell, not one) Where the # is replaced by a number indicating: list all files ‘l’ess than # days old. You can use a -gl pair to bracket file ages. To get todays files, use (-l 1) [NEWER]=10
-g + mm-dd-yyyy[acw]
Process only those files (g)reater (older) than this mm-dd-yyyy date. The date MUST be in
the form mm-dd-yyyy. It MUST have two digit month and days (leading 0 if necessary), and
it MUST have a 4 digit year. The date calculation is calculated as of midnite on
the date given for the -g option of mm-dd-yyyy. For this reason, the day provided is NOT
included in the calculation. Ie. if you entered -g 01-01-2006 you would only process
dates PRIOR to 1/1/2006. This means all of 2005 and before. See below for the [acw]
meanings.
-l + mm-dd-yyyy[acw]: (that's and ell, not a one). Process only those files (l)ess than (newer) than this mm-dd-yyyy date. The date MUST be in the form mm-dd-yyyy. It MUST have two digit month and days (leading 0 if necessary), and it MUST have a 4 digit year. The date calculation is calculated as of midnite on the date given for the -l option of mm-dd-yyyy. For this reason, the day provided IS included in the calculation. Ie. if you entered -l 01-01-2006 you would process all of 2006 to the current date.
If no 'acw' modifier is used, the default time used to check the age is the current write or last modification time.
You can however, alter which time is used in the age calculation. To do this, add any or all of the acw indicators. For instance, if you wanted the date checking to respond to the access date, you would add an 'a'. ie: -l 10-10-2005a would show all files accessed on or after 10-10-2005.
If you added more letters, to the date, ie: -g 10-10-2005cw you would get all files with EITHER an access or a last modified date older than 10-10-2005. The added [acw] times are logically OR'd. So any date meeting the criteria will cause it to be selected for processing.
The use of all three -g 10-10-2005acw allow the program to simultaneously check and evaluate all three dates.
Caution should be exercised in using all three dates, as in most cases, almost every file may fit the criteria.
-L + # Where the # is replaced by a number indicating: list all files less than # bytes in size. (-L 100000) [LESSTHAN=xxx]
-G + # Where the # is replaced by a number indicating: list all files greater than # bytes in size. You can use a -GL pair to bracket file sizes. (-G 10000) (-G 10000 -L 100000) [GREATER=10000]
-b Automatically passes the 512 byte header of an FDI created file.
-dD + displacement Start processing the file this many bytes from beginning. Useful if examining a file created with the FDI program, which leaves a 512 bytes header.
-C (upper case C)Creates in the .exe or .com file a signature or crc that can later be verified with -V option. This option does NOT alter the file date and time when it adds the signature. Do NOT use this option with programs that alter themselves every time a setup option is modified.
-V Verifies that the file has not been tampered with. Must have been prepared with -C option prior to using -V. If the file has been altered, the display indicates incorrect CRC.
-E ‘E’rases/Removes the signature created by -c option.
-r Recurse through the directory structure. Starting at the top level of the -p option given.
-s Silent run. Do not print normal column headings above numbers. This provides cleaner screen output for redirection to a file. This can also be accomplished by settting an environment variable called silent to ON. (set SILENT=ON). The SILENT environment variable is used by Hash also.
-[Tt][acw3] use ‘a’, ‘c’ or ‘w’ with the 32 bit NT/95 version to show an NTFS time for one of the following: ‘a’ == last access time, ‘w’ == last write time, ‘c’ == create time. See NORESET environment variable in HASH.exe ITS ABOUT TIME. If the -T (uppercase) is used, the dates are printed in YYYY/MM/DD format for easier sorting.
-R This option tells the 32 bit programs to attempt to reset the last access time of the file to what it was prior to the program operation. This alters the disk, but makes no significant changes. The setting of environment variable RESET (set RESET=1) will serve the same purpose. (Was -b in Crckit software versions prior to 1/98.)
-S If the file system is NTFS, this option causes all Alternate Data Stream files to be processed also. [STREAM=[ON|OFF]]
-u Display time using (U)niversal GMT time format. This is useful for keeping file times consistent. (Be certain that CMOS, TZ, and time zone settings are correct. set TZ=EST5EDT).
You must use a filetype on the command line. A directory will not suffice.
Sample command lines:
C:> CRCKIT file(s) -options[cvr t[acw]]]
C:> CRCKIT file(s) -c
/* create/Brand the file with internal CRC*/
C:> CRCKIT file(s) -v
/* verify internal CRC validity */
C:> CRCKIT file(s) -E
/* remove internal CRC branding */
C:> CRCKIT file(s) -ta -z
/* for 32 bit version, show last time of access in GMT format */
C:> CRCKIT -p c:\ -f *.exe -o a:output.fle
The idea behind program validation at the time of running is to detect any alterations between the time the program was “Branded” and the current time. The Crckit program will validate the .exe or .com before letting it run.
If an error occurs, a message is provided to the user.
To do this the .exe or .com file needs to be prepared in advance. To prepare the file run Crckit on the file with the -c option to create a checksum. Then follow these steps:
Step 1:Take the program out of the PATH of the system.
Step 2:Create a batch file with the name of the program.
Step 3:Place the batch file in the PATH of the system.
Step 4:The contents of the batch file are as follows:
CRCKIT c:\directory\path\to\program\filename.exe -v
if errorlevel 1 goto bad
c:\directory\path\to\program\filename %1 %2 %3 %4 %5
goto end
:bad
echo %1.exe may be corrupted
:end
This batch file will only allow a max of 5 items passed to the program to run. In most cases this is sufficient.
Some related programs that also deal with CRC’s and Hashing are: