
Summary

Thanks to Tom Liston for writing this program.

gdiscan.exe was written for Windows 2000 and higher. It scans the drive containing the Windows %system% directory and looks for vulnerable versions of gdiplus.dll, sxs.dll, wsxs.dll, mso.dll and vgx.dll.

The scan starts upon execution. When the scan is complete, the text box shows "Done."

Vulnerable versions of the .dll files are listed in RED.

The path where a vulnerable .dll file is found is important. Remember that DLLs are loaded in the following order (note: this is a VAST simplification):

  • The directory from which the application loaded.
  • The (application's) current directory.
  • Windows 95/98: The Windows system directory (default: C:\Windows\system)
  • Windows NT+: The 32-bit Windows system directory (default: C:\WinNT\System32)
  • Windows NT+: The 16-bit Windows system directory (default: C:\WinNT\System)
  • The Windows directory (default: C:\WinNT or C:\Windows)
  • The directories that are listed in the PATH environment variable

Frequently Asked Questions (FAQ)

Q: Are there any files I should ignore?
A: Ignore files in directories like Windows\$NtUninstallKBxxxxx\. These are old versions left behind for uninstall purposes.
Q: What command line options are there?
A: The only command line parameter is the log filename (usage: gdiclscan.exe logfile). It will exit with a return code of 1 if it cannot open the log file. The command line version will not overwrite the log file.
Q: Can I use options with the GUI?
A: There are no options for the GUI version. Please use the command line version.
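
The search order in the Summary and the "files to ignore" answer above can be combined to triage scan results for one application. This is an added example, not part of gdiscan or the original page; the function names, the sample paths and the "KB000000" directory are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

def norm(p):
    """Case-insensitive, normalized Windows path."""
    return ntpath.normcase(ntpath.normpath(p))

def search_dirs(app_dir, cwd, windir, path_env):
    """Directories in the simplified Windows NT+ order listed in the Summary."""
    dirs = [app_dir, cwd,
            ntpath.join(windir, "System32"),   # 32-bit system directory
            ntpath.join(windir, "System"),     # 16-bit system directory
            windir]
    dirs += [d for d in path_env.split(";") if d.strip()]
    ordered = []
    for d in map(norm, dirs):
        if d not in ordered:                   # keep first occurrence only
            ordered.append(d)
    return ordered

def is_uninstall_backup(path):
    """True for files under a $NtUninstall... directory (see the FAQ)."""
    parts = norm(path).split("\\")[:-1]
    return any(p.startswith("$ntuninstall") for p in parts)

def triage(flagged, app_dir, cwd, windir, path_env):
    """Map each flagged DLL to 'ignore', 'off-path' or its search rank (0 = first).

    A low rank means this copy is found early for this application, unless a
    copy the scanner did not flag sits in an earlier directory. 'off-path'
    copies can still be loaded by programs started from that directory.
    """
    order = search_dirs(app_dir, cwd, windir, path_env)
    result = {}
    for f in flagged:
        d = norm(ntpath.dirname(f))
        if is_uninstall_backup(f):
            result[f] = "ignore"
        else:
            result[f] = order.index(d) if d in order else "off-path"
    return result

# Constructed sample: paths a scan might list in red.
FLAGGED = [r"C:\Program Files\ExampleApp\gdiplus.dll",
           r"C:\WINNT\system32\gdiplus.dll",
           r"C:\WINNT\$NtUninstallKB000000$\gdiplus.dll",
           r"D:\Archive\old\gdiplus.dll"]
```

Fix the lowest-ranked copies first: a vulnerable DLL in the application's own directory keeps being loaded even after the system copy has been patched.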

Download

Note: we keep this tool here for historic purposes. It is WAY out of date and was used for one specific issue many years ago.

GUI version (Ver. 2.1)
(updated. Version 2 will allow you to scan arbitrary drives)
(MD5: 5524d63ee1dec5e5d3f1dda064de6494)
People keep asking for a stronger hash, so here is a SHA512 hash of the file: 245ba1666c7dd3facac649e39dd71b0fdfe3ba9ca467eb53bfd2c16c040dda1eac039970fe080d8259e96eea0e78f9c8f971fa2f31382e2f4201266cf2c36190. But note that it is as useless as the MD5 hash above. Note how it comes from the same server as the .exe? What do you think someone can do if they can modify the file? They will modify this page too... There is a PGP signature below as well, which should be used instead if you actually care about the file's integrity.
PGP Signature

Command Line Version (Ver. 2.1)
(Ver. 2.1 now includes scanning on arbitrary drives)
(MD5: c560ebf72da0bf2b66043556baf2e14a)
(SHA512: c34468bab193471782ab4c9afadaee7adab5f1284e6de2c0549aa27775c263e0e319a6b73dcc2d28956cc3ddd5c07d7a8f12c878501b734909a6fcb17aeb9da1)
PGP Signature

License

License: You may freely copy and use this binary. Please do not mirror the file, as updates may be made available at any time without notice. If you link to this tool, link to http://isc.sans.edu/gdiscan.php.

THIS APPLICATION IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE COVERED CODE IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE COVERED CODE IS WITH YOU. SHOULD ANY COVERED CODE PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL DEVELOPER OR ANY OTHER CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY COVERED CODE IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER.