From 376816e96bcb5a91f4297e7cd47b351aec89b373 Mon Sep 17 00:00:00 2001
From: grayddq
Date: Thu, 25 Apr 2019 17:09:21 +0800
Subject: [PATCH] bug
---
 lib/Backdoor_Analysis.py | 2 +-
 lib/File_Analysis.py | 21 ++++++++++++++++-----
 lib/Proc_Analysis.py | 2 +-
 3 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/lib/Backdoor_Analysis.py b/lib/Backdoor_Analysis.py
index d859069..0a48bea 100644
--- a/lib/Backdoor_Analysis.py
+++ b/lib/Backdoor_Analysis.py
@@ -264,7 +264,7 @@ def get_malware_info(self):
 # 分析文件是否包含恶意特征或者反弹shell问题
 def analysis_file(self, file):
 try:
- time.sleep(0.01)
+ time.sleep(0.05)
 if not os.path.exists(file): return ""
 if os.path.isdir(file): return ""
 if " " in file: return ""
diff --git a/lib/File_Analysis.py b/lib/File_Analysis.py
index 18e9f9d..901cd74 100644
--- a/lib/File_Analysis.py
+++ b/lib/File_Analysis.py
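Review bot: The throttle `time.sleep(0.05)` is a bare magic number that this commit bumps in three identical copies of analysis_file — here, in lib/File_Analysis.py (hunk @@ -135) and in lib/Proc_Analysis.py (hunk @@ -57) — with nothing saying why the pause exists or why 0.05 was chosen; a single module-level `SCAN_THROTTLE_SECONDS = 0.05  # pause between files so a full sweep does not saturate CPU/disk` shared by all three would document the intent and stop the copies drifting again (the stated purpose is my inference, confirm it). Separately, the context line `if " " in file: return ""` makes any path containing a space return the same empty result as a clean file, so such files are silently excluded from a check whose job is to find planted binaries; if the skip is deliberate, record the excluded path through the project's logging rather than returning as though it were analysed. The remainder of analysis_file lies outside this hunk.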
@@ -29,15 +29,26 @@ def __init__(self): def check_system_integrity(self): suspicious, malice = False, False + system_file = ["depmod", "fsck", "fuser", "ifconfig", "ifdown", "ifup", "init", "insmod", "ip", "lsmod", + "modinfo", "modprobe", "nologin", "rmmod", "route", "rsyslogd", "runlevel", "sulogin", "sysctl", + "awk", "basename", "bash", "cat", "chmod", "chown", "cp", "cut", "date", "df", "dmesg", "echo", + "egrep", "env", "fgrep", "find", "grep", "kill", "logger", "login", "ls", "mail", "mktemp", + "more", "mount", "mv", "netstat", "ping", "ps", "pwd", "readlink", "rpm", "sed", "sh", "sort", + "su", "touch", "uname", "gawk", "mailx", "adduser", "chroot", "groupadd", "groupdel", "groupmod", + "grpck", "lsof", "pwck", "sestatus", "sshd", "useradd", "userdel", "usermod", "vipw", "chattr", + "curl", "diff", "dirname", "du", "file", "groups", "head", "id", "ipcs", "killall", "last", + "lastlog", "ldd", "less", "lsattr", "md5sum", "newgrp", "passwd", "perl", "pgrep", "pkill", + "pstree", "runcon", "sha1sum", "sha224sum", "sha256sum", "sha384sum", "sha512sum", "size", "ssh", + "stat", "strace", "strings", "sudo", "tail", "test", "top", "tr", "uniq", "users", "vmstat", "w", + "watch", "wc", "wget", "whereis", "which", "who", "whoami"] + binary_list = ['/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/', '/usr/local/sbin/', '/usr/local/bin/'] try: for dir in binary_list: if not os.path.exists(dir): continue for file in gci(dir): - if not os.path.exists(file): continue - if os.path.isdir(file): continue - if (os.path.getsize(file) == 0) or ( - round(os.path.getsize(file) / float(1024 * 1024)) > 10): continue + filename = os.path.basename(file) + if not filename in system_file: continue malware = self.analysis_file(file) if malware: self.file_malware.append( 
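Review bot: Replacing the size and existence filters with `if not filename in system_file: continue` turns check_system_integrity from a scan of every file under the six binary directories into a scan of only the basenames on the fixed list, so a binary placed in one of those directories under a name not on the list is no longer analysed at all; if that is an intended performance trade-off it needs a comment saying so, and the dropped 10 MB size cap presumably now has to be enforced inside analysis_file (its body is outside this hunk) — worth confirming before merging. The list is also rebuilt on every call and probed with `in` inside the inner loop; hoist it to a module-level `SYSTEM_FILES = frozenset({...})` and write the test idiomatically as `if filename not in SYSTEM_FILES: continue`. The loop variables `dir` and `file` shadow builtins, though that predates this change.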
@@ -135,7 +146,7 @@ def check_contents_ip(self, contents):
 # 分析文件是否包含恶意特征、反弹shell特征、境外ip类信息
 def analysis_file(self, file):
 try:
- time.sleep(0.01)
+ time.sleep(0.05)
 if not os.path.exists(file): return ""
 if os.path.isdir(file): return ""
 if " " in file: return ""
diff --git a/lib/Proc_Analysis.py b/lib/Proc_Analysis.py
index 7c584f0..727ddac 100644
--- a/lib/Proc_Analysis.py
+++ b/lib/Proc_Analysis.py
@@ -57,7 +57,7 @@ def check_contents_ip(self, contents):
 # 分析文件是否包含恶意特征、反弹shell特征、境外ip类信息
 def analysis_file(self, file):
 try:
- time.sleep(0.01)
+ time.sleep(0.05)
 if not os.path.exists(file): return ""
 if os.path.isdir(file): return ""
 if " " in file: return ""