What is pevFind?
pevFind is a windows system enumeration and filtering utility, as well as a collection of other useful applications suitable for batch tools.
pevFind is similar to the BusyBox tool popular on POSIX systems. That is, it contains several smaller programs (called "subprograms" here and elsewhere), each of which accomplish more specific tasks. The main subprogram (which will be the one chosen if you don't supply a subprogram name some other way) is the general SQL-for-the-filesystem-and-registry-and-process-list style enumeration tool, which is given the subprogram name "VFIND".
Each subprogram deserves it's own specific documentation, which you can find by going to each subprogram's page.
There are two ways to specify a subprogram. The first, and most common, way, is to pass the name of the subprogram as the first argument to pevFind on the command line. The second way is to rename the executable itself to have the name of the sub program you wish to use. Note that renaming the executable can be overridden by simply using the first method.
Index of SubPrograms
- VFIND - A general system information enumeration tool.
- VOLUME - Generates a list of volumes currently mounted on the system.
- CLSID - A CLSID compressor. On the list of CLSIDs in ComboFix, this compressor achieves much better than those achievable using any known general compression algorithm.
- TIME - Outputs the current system time.
- EXEC - Process starter. Allows special considerations such as starting the process as NT AUTHORITY\SYSTEM.
- UZIP - Unzipper.
- MOVEEX - Move-on-reboot and delete-on-reboot tool.
- LINK - Creates hard links.
- SC - Vastly simplified sc.exe (the one that comes with windows). Useful for use on systems where sc.exe itself is damaged.
- RIMPORT - Registry script importer.
- LINKRESOLVE - Resolves the target of shell links (that is, .lnk files).
- VERSION - Displays version information for the current copy of pevFind.
- WAIT - A simple delay function.
Return codes, or ERRORLEVELs, for pevFind are documented in each individual sub program. For more information, see the Index of ErrorLevels.
pevFind is covered by several licenses. All of the code written specifically for pevFind is released under the Boost Software License 1.0. This is a very liberal license, which allows use of my code in both source and binary forms, and doesn't even require attribution for binary forms. However, if you use the library, I would strongly appreciate it if you would drop me a line and let me know it's being used; that's why I'm working on it, after all.
pevFind uses code from InfoZIP for it's zipping functions. (Actually, it uses the ZipUtils library). Therefore, distribution of pevFind requires complying with the InfoZip License. You could build your own copy of pevFind without zipping functions which would exempt you from this, but the author isn't going to support such configurations directly.
pevFind uses David Tribble's original fpattern for some of the string matching algorithms.
pevFind uses Crypto++. Components from Crypto++ are in the public domain.