Scan files for potential threats while leveraging AMSI (Antimalware Scan Interface) and Windows Defender, isolating the content that triggers detection.

BlackSnufkin/CheckPlz


CheckPlz

CheckPlz is a Rust adaptation of the popular ThreatCheck and GoCheck tools. It scans files for potential threats using AMSI (Antimalware Scan Interface) and Windows Defender, isolates the exact content that triggers a detection, and presents the result with a detailed analysis, giving an efficient file scanning workflow.

Key Features

  • AMSI Integration: Perform accurate buffer scans for threat detection.
  • Binary Search Threat Isolation: Precisely locate the section of a file causing detection.
  • Hex Dump Analysis: Visualize malicious content with a detailed hexadecimal and ASCII dump.
  • Debugging Support: Enable verbose output for deeper insights.
  • Customizable Output: Choose between raw or colorful, human-friendly terminal outputs.

How It Works

  1. AMSI Scanning:

    • Initializes an AMSI context.
    • Scans the file content and buffers for threats.
    • If a threat is detected, performs a binary search to isolate the malicious segment.
  2. Windows Defender Scanning:

    • Invokes MpCmdRun.exe to scan the file.
    • Analyzes the output for threat detection.
    • Performs a binary search if a threat is found.
  3. Binary Search:

    • Recursively scans segments of the file to locate malicious content.
    • Produces detailed logs and results.
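The bisection described in steps 1 to 3, together with the hex dump from the Output Overview, in a self-contained Rust example added here (not CheckPlz's own code). Because AmsiScanBuffer and MpCmdRun.exe only exist on Windows, the scanner is a constructed stand-in that flags any buffer containing a placeholder byte string; the sample file, the placeholder signature and the function names are all assumptions. The bisection first shrinks the end of the buffer to the shortest prefix that is still flagged, then shrinks the start of that prefix, so the scanner is called O(log n) times instead of once per byte. It relies on detection being monotone (any buffer that contains the flagged bytes is also flagged); engines with context-dependent verdicts can return a larger or different range than the true trigger, so treat the result as a starting point for analysis rather than a proof.

```rust
// Added example, not part of CheckPlz: bisection-style isolation of the
// smallest flagged byte range, plus a hex/ASCII dump of the surrounding bytes.

/// Anything that can answer "does this buffer trigger a detection?".
/// In CheckPlz this role is played by AMSI or MpCmdRun.exe; here it is a
/// constructed substring matcher so the example runs on any platform.
pub trait Scanner {
    fn is_flagged(&self, buf: &[u8]) -> bool;
}

pub struct SignatureScanner<'a> {
    pub signature: &'a [u8],
}

impl<'a> Scanner for SignatureScanner<'a> {
    fn is_flagged(&self, buf: &[u8]) -> bool {
        buf.windows(self.signature.len()).any(|w| w == self.signature)
    }
}

/// Half-open byte range [start, end) that still triggers detection,
/// and how many scanner calls were needed to find it.
#[derive(Debug, PartialEq)]
pub struct Finding {
    pub start: usize,
    pub end: usize,
    pub scans: usize,
}

/// Locate the flagged range by bisection. Assumes monotone detection:
/// if data[a..b] is flagged, every superset range is flagged too.
pub fn isolate<S: Scanner>(scanner: &S, data: &[u8]) -> Option<Finding> {
    let mut scans = 1;
    if !scanner.is_flagged(data) {
        return None;
    }
    // Phase 1: shortest flagged prefix.
    // Invariant: data[..hi] is flagged, data[..lo] is clean.
    let (mut lo, mut hi) = (0usize, data.len());
    while hi - lo > 1 {
        let mid = lo + (hi - lo) / 2;
        scans += 1;
        if scanner.is_flagged(&data[..mid]) { hi = mid } else { lo = mid }
    }
    let end = hi;
    // Phase 2: latest start such that data[start..end] is still flagged.
    // Invariant: data[lo..end] is flagged, data[hi..end] is clean.
    let (mut lo, mut hi) = (0usize, end);
    while hi - lo > 1 {
        let mid = lo + (hi - lo) / 2;
        scans += 1;
        if scanner.is_flagged(&data[mid..end]) { lo = mid } else { hi = mid }
    }
    Some(Finding { start: lo, end, scans })
}

/// 16-bytes-per-line hex and ASCII dump of data[start..end], with `context`
/// extra bytes on each side, aligned to a 16-byte boundary.
pub fn hex_dump(data: &[u8], start: usize, end: usize, context: usize) -> String {
    let from = start.saturating_sub(context) & !0xF;
    let to = (end + context).min(data.len());
    let mut out = String::new();
    for line_start in (from..to).step_by(16) {
        let chunk = &data[line_start..(line_start + 16).min(to)];
        out.push_str(&format!("{:08x}  ", line_start));
        for i in 0..16 {
            match chunk.get(i) {
                Some(b) => out.push_str(&format!("{:02x} ", b)),
                None => out.push_str("   "),
            }
        }
        out.push_str(" |");
        for b in chunk {
            out.push(if b.is_ascii_graphic() || *b == b' ' { *b as char } else { '.' });
        }
        out.push_str("|\n");
    }
    out
}

/// Constructed placeholder "signature"; not a real AV signature.
pub const SAMPLE_SIGNATURE: &[u8] = b"CONSTRUCTED-TEST-SIGNATURE";

/// Constructed sample file: 256 filler bytes with the placeholder at offset 100.
pub fn sample_data() -> Vec<u8> {
    let mut data = vec![b'A'; 256];
    data[100..100 + SAMPLE_SIGNATURE.len()].copy_from_slice(SAMPLE_SIGNATURE);
    data
}

fn main() {
    let data = sample_data();
    let scanner = SignatureScanner { signature: SAMPLE_SIGNATURE };
    match isolate(&scanner, &data) {
        Some(f) => {
            println!("flagged range {:#x}..{:#x} found after {} scans", f.start, f.end, f.scans);
            print!("{}", hex_dump(&data, f.start, f.end, 8));
        }
        None => println!("no detection"),
    }
}
```

With a real engine each `is_flagged` call is a full scan, so the scan count reported in `Finding` is the figure to watch when tuning how much context to dump around the hit.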

Installation

  1. Clone the repository:
    git clone https://github.com/your-username/CheckPlz.git
    cd CheckPlz
  2. Compile the project:
    cargo build --release
  3. The executable will be available at target/release/checkplz.exe.

Usage Instructions

Run CheckPlz with the desired options:

Usage: CheckPlz.exe [OPTIONS] --file <FILE>

Options:
  -f, --file <FILE>  Path to the file to scan
  -d, --debug        Enable debug mode
  -a, --amsi         Use AMSI scan
  -m, --msdefender   Use Windows Defender scan
  -r, --raw          Raw output without ANSI colors
  -h, --help         Print help
  -V, --version      Print version

Example Commands

  • Scan a file using AMSI:

    checkplz --file malicious.exe --amsi
  • Scan a file with Windows Defender:

    checkplz --file suspicious.exe --msdefender
  • Perform a scan using both AMSI and Windows Defender with debug output enabled:

    checkplz --file unknown.exe --amsi --msdefender --debug
  • Perform a scan with raw output formatting:

    checkplz --file unknown.exe --amsi --raw

Output Overview

  • Scan Results: Displays detection status, potential malicious offsets, and the time taken for scanning.
  • Hex Dump Analysis: Detailed views of the suspicious sections, highlighting malicious bytes.
