GDI Scan
http://isc.sans.org/gdiscan.php
GDI Scan

gdiscan.exe was written for Windows 2000 and higher. It scans the drive containing the Windows %system% directory and Looks for vulnerable versions of gdiplus.dll, sxs.dll, wsxs.dll, mso.dll.

The scan starts upon execution. It will signal completion of scan in text box with "Done."

Vulnerable versions of the .dll files are listed in RED.

The path where a vulnerable .dll file is found is important. Remember that dlls are loaded in the following order (note: this is a VAST simplification):
  • The directory from which the application loaded.
  • The (application's) current directory.
  • Windows 95/98: The Windows system directory (default: C:\Windows\system)
  • Windows NT+: The 32-bit Windows system directory (default: C:\WinNT\System32)
  • Windows NT+: The 16-bit Windows system directory (default: C:\WinNT\System)
  • The Windows directory (default: C:\WinNT or C:\Windows)
  • The directories that are listed in the PATH environment variable
download GUI version (Ver. 2.1) (updated. Version 2 will allow you to scan arbitrary drives) (MD5: 2157e5553c7e00173de3c2bbb1caef37) PGP Signature

command line version (MD5: 23125875967a5b6be86eed79af9bcd74) PGP Signature (Ver. 2.1 now includes scanning on arbitrary drives)
(Thanks to Tom Liston for writing this program)

FAQ
  • Ignore files in directories like Windows\$NtUniinstallKBxxxxx\ and Windows\WinSxS. These are old versions left behind for uninstal purposes.
  • There are no command line options for the gui version.
  • the only parameter for the command line option is the log filename (usage: gdiclscan.exe logfile). It will exit with a return code of 1 if it can not open the log file. The command line version will not overwrite the log file.
Note: You can force the command line version (gdiclscan.exe) to send the output to the screen instead of a log file by using the word "con" (not the quotes) for the log file name. For example:
  • gdiclscan c: con
--

GDI Scan Tutorial and how to fix the GDI+ JPEG Vulnerability
http://www.bleepingcomputer.com/forums/topict3077.html

--

GDI Scan questions
http://isc.sans.org/diary.php?date=2004-09-29
GDIScan questions

We are still receiving some questions about Tom Liston΄s tool GDIScan. In yesterday΄s diary, Donald Smith included a good link with a FAQ for the tool (http://www.bleepingcomputer.com/forums/topict3077.html). One interesting question is about the tool in Windows 98.
Donald Smith answer explains it well:
  • "...it means the application was designed to run on win2k and higher. I have successfully run it on an old 98 machine. The reporting was a little messed up because my 98 system didn't render the ansi sequences correctly BUT it did find vulnerable dlls. The report just wasn't in red/black and had ansi sequences in the text."


--

GDI Vulnerabilities: An open letter to Microsoft
http://isc.sans.org/diary.php?date=2004-09-26