execap is an information security tool for capturing Windows executables as they are transmitted or received. This is somewhat inspired by Driftnet which captures images in transmission. The goal is to be able to run execap in a similar manner as an IDS/IPS to monitor and discover malware being transmitted or loaded onto client machines.

execap is written to be much faster than similar code such as Driftnet. On a modern CPU it can easily keep up at 1 Gbps. For example, execap was run for ~60 days on a 10 Gbps link that averages ~1 Gbps and during the day often bursts to 6+ Gbps. execap processed 550 TB of network traffic and extracted 300,000 executables with a packet loss of 0.00062 (0.062%). Minor tweaks and improvements can (and will) be made to further improve performance and reduce packet loss.

To compile execap you'll want to run './configure' and then 'make'. A static makefile 'Makefile.static' is included which may make it easier to build execap on a system with odd library paths.