LSMS/scripts/search_dev_shm.py
2022-01-05 20:16:57 +01:00

74 lines
1.8 KiB
Python
Executable file

#!/usr/bin/env python3
# written by sqall
# twitter: https://twitter.com/sqall01
# blog: https://h4des.org
# github: https://github.com/sqall01
#
# Licensed under the MIT License.
"""
Short summary:
Search for binaries and scripts in /dev/shm.
Malware that tries to hide is often stored there.
Requirements:
None
Reference:
https://twitter.com/CraigHRowland/status/1268863172825346050?s=20
https://twitter.com/CraigHRowland/status/1269196509079166976
"""
import os
from lib.util import output_finding
# Read configuration.
try:
from config.config import ALERTR_FIFO, FROM_ADDR, TO_ADDR
from config.search_dev_shm import ACTIVATED
except:
ALERTR_FIFO = None
FROM_ADDR = None
TO_ADDR = None
ACTIVATED = True
def search_suspicious_files():
# Decide where to output results.
print_output = False
if ALERTR_FIFO is None and FROM_ADDR is None and TO_ADDR is None:
print_output = True
if not ACTIVATED:
if print_output:
print("Module deactivated.")
return
# Get all suspicious ELF files.
fd = os.popen("find /dev/shm -type f -exec file -p '{}' \\; | grep ELF")
elf_raw = fd.read().strip()
fd.close()
# Get all suspicious script files.
fd = os.popen("find /dev/shm -type f -exec file -p '{}' \\; | grep script")
script_raw = fd.read().strip()
fd.close()
suspicious_files = []
if elf_raw.strip():
suspicious_files.extend(elf_raw.strip().split("\n"))
if script_raw.strip():
suspicious_files.extend(script_raw.strip().split("\n"))
if suspicious_files:
message = "File(s) in /dev/shm suspicious:\n\n"
message += "\n".join(suspicious_files)
output_finding(__file__, message)
if __name__ == '__main__':
search_suspicious_files()