From a4add863a45672fe72b19777c8c7b7276a4871bb Mon Sep 17 00:00:00 2001
From: Andre Pawlowski
Date: Tue, 15 Aug 2023 08:47:47 +0200
Subject: [PATCH] sync internal repo
---
 scripts/monitor_systemd_units.py | 2 +-
 scripts/search_deleted_exe.py | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/scripts/monitor_systemd_units.py b/scripts/monitor_systemd_units.py
index a2cba5d..dbe7c5a 100755
--- a/scripts/monitor_systemd_units.py
+++ b/scripts/monitor_systemd_units.py
@@ -50,7 +50,7 @@ except:
 "/usr/lib/systemd/user",
 "/usr/lib/systemd/network",
 "/usr/local/lib/systemd/system",
- "/usr/local/lib/systemd/user"
+ "/usr/local/lib/systemd/user",
 "/usr/local/lib/systemd/network",
 "/lib/systemd/system",
 "/lib/systemd/user",
diff --git a/scripts/search_deleted_exe.py b/scripts/search_deleted_exe.py
index c3eed78..c20096b 100755
--- a/scripts/search_deleted_exe.py
+++ b/scripts/search_deleted_exe.py
@@ -16,6 +16,7 @@ None
 """
 import os
+import re
 import sys
 from lib.util import output_finding
@@ -54,7 +55,17 @@ def search_deleted_exe_files():
 if suspicious_exes:
 message = "Deleted executable file(s) found:\n\n"
- message += "\n".join(suspicious_exes)
+ for suspicious_exe in suspicious_exes:
+ match = re.search(r" (/proc/(\d+)/exe -> .*)$", suspicious_exe)
+ exe = match.group(1)
+ pid = match.group(2)
+ message += "\n%s" % exe
+ with open("/proc/%s/cmdline" % pid, "rb") as fp:
+ cmdline = fp.read()
+ # Replace 0-bytes with whitespaces for readability
+ cmdline = cmdline.replace(b"\x00", b" ")
+ message += "\n/proc/%s/cmdline -> %s" % (pid, cmdline.decode("utf-8"))
+ message += "\n"
 output_finding(__file__, message)
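Review bot: The missing comma fixed in this hunk meant `"/usr/local/lib/systemd/user"` and `"/usr/local/lib/systemd/network"` were implicitly concatenated into one non-existent path, so two systemd unit directories were silently never monitored; the list's last element is outside the hunk, and the same slip there would fail in the same silent way. A trailing comma on every element, plus the implicit-string-concatenation lint (flake8-implicit-str-concat, ruff's `ISC` rules), would make this class of error visible at lint time rather than as a gap in monitoring coverage.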