Tag Archives: windows

Python Downloaded File Helper

I still see way to many people who don’t know the difference between a .exe and a .jpeg. I mean, you downloaded that cute cat picture, right? You only get viruses by torrenting illegal stuff, right?

NOPE. These so-called ‘extensions’ define what type a file is and what it does. A .jpeg is an image and needs to be opened by an image viewer. A .exe is an executable file and will be executed by Windows.

If you download a file which should not be a .exe, then you’re probably dealing with something dark and scary. But how can you prevent these kinds of accidents from happening?

I made a Python script which monitors your Downloads folder for new files and checks their extensions.

import os
import win32file
import win32con
from os.path import expanduser

from tkinter import *
from tkinter import messagebox

root = Tk().withdraw()

neverRun = {
	".BAT" : "Interpreted script",
	".CMD" : "Interpreted script",
	".COM" : "MS-DOS executable",
	".CPL" : "Control Panel executable",
	".PIF" : "Link to MS-DOS executable which can contain executable code",
	".APPLICATION" : "MS ClickOnce executable",
	".MSI" : "Application installer",
	".MSP" : "Application patcher",
	".SCR" : "Screensaver, rename of .EXE",
	".HTA" : "Unsandboxed browser executable",
	".MSC" : "Management Console executable",
	".VB" : "Interpreted script",
	".VBS" : "Interpreted script",
	".VBE" : "Encrypted script",
	".JS" : "Unsandboxed Javascript",
	".JSE" : "Unsandboxed encrypted Javascript",
	".WS" : "Interpreted script",
	".WSF" : "Interpreted script",
	".WSC" : "WS component",
	".WSH" : "WS host control",
	".PS1" : "Interpreted script",
	".PS1XML" : "Interpreted script",
	".PS2" : "Interpreted script",
	".PS2XML" : "Interpreted script",
	".PSC1" : "Interpreted script",
	".PSC2" : "Interpreted script",
	".MSH" : "Interpreted script",
	".MSH1" : "Interpreted script",
	".MSH2" : "Interpreted script",
	".MSHXML" : "Interpreted script",
	".MSH1XML" : "Interpreted script",
	".MSH2XML" : "Interpreted script",
	".SCF" : "Explorer shortcut, can contain malicious arguments",
	".LNK" : "Link to an executable, can execute",
	".INF" : "Autorun script, can execute",
	".REG" : "Registry changing file"
}

possibleDanger = {
	".EXE" : "Most used executable",
	".GADGET" : "Executable, installed as Windows Gadget",
	".APPLICATION" : "MS ClickOnce executable",
	".MSI" : "Application installer",
	".MSP" : "Application patcher",
	".SCR" : "Screensaver, rename of .EXE"
}

#ACTIONS = {
#  1 : "Created",
#  2 : "Deleted",
#  3 : "Updated",
#  4 : "Renamed from something",
#  5 : "Renamed to something"
#}

path_to_watch = os.path.join(expanduser("~"), "Downloads")
hDir = win32file.CreateFile (
  path_to_watch,
  0x0001,
  win32con.FILE_SHARE_READ | win32con.FILE_SHARE_WRITE | win32con.FILE_SHARE_DELETE,
  None,
  win32con.OPEN_EXISTING,
  win32con.FILE_FLAG_BACKUP_SEMANTICS,
  None
)

messagebox.showinfo(message = "Now monitoring " + path_to_watch + " in the background. Have fun.", title = "Downloaded File Helper running!")

while True:
	results = win32file.ReadDirectoryChangesW (
		hDir,
		1024,
		True,
		win32con.FILE_NOTIFY_CHANGE_FILE_NAME |
		win32con.FILE_NOTIFY_CHANGE_DIR_NAME |
		win32con.FILE_NOTIFY_CHANGE_ATTRIBUTES |
		win32con.FILE_NOTIFY_CHANGE_SIZE |
		win32con.FILE_NOTIFY_CHANGE_LAST_WRITE |
		win32con.FILE_NOTIFY_CHANGE_SECURITY,
		None,
		None
	)
	for action, file in results:
		if action == 1:
			full_filename = os.path.join(path_to_watch, file)
			_, file_extension = os.path.splitext(file)
			file_extension = file_extension.upper()
			
			if file_extension in neverRun:
				messagebox.showwarning(message = "YOU DOWNLOADED AN EXECUTABLE FILE:\n" +
				       full_filename + " : " + neverRun[file_extension] +
					   "\nDO NOT run this file if you're not 100% certain why you need this and what it does.",
					   ok_button = "I understand.",
					   title = "High risk download")
			
			elif file_extension in possibleDanger:
				messagebox.showwarning(message = "YOU DOWNLOADED AN EXECUTABLE FILE:\n" +
				       full_filename + " : " + possibleDanger[file_extension] +
					   "\nThis filetype is really common, so there's a good chance nothing is wrong.\nJust check if what you're doing needs anything to be executed or installed.\n99% of the malware is shipped as .exe, so still be careful.",
					   ok_button = "I understand.",
					   title = "Possible risk download")

I use the win32 api to monitor for changes. The extensions I marked as dangerous only include the ones that will run without any other software. For ex. ‘.jar’ will run when Java is installed – but is not listed.

Download a compiled version HERE. Note that this file is a .exe! I created a self-extracting archive with 7zip to save some space.