├── .gitignore ├── LICENSE ├── README.md └── binsnitch.py /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | virtualenv2.7 3 | virtualenv3.5.1 4 | *.pyc 5 | .DS_Store 6 | binsnitch_data 7 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | {description} 294 | Copyright (C) {year} {fullname} 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | {signature of Ty Coon}, 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # binsnitch.py 2 | binsnitch can be used to detect silent unwanted changes to files on your system. 3 | It will scan a given directory recursively for files and keep track of any changes it detects, based on the SHA256 hash of the file. 4 | You have the option to either track executable files, or all files. 5 | 6 | ### Requirements 7 | - python >= 3 8 | 9 | ### Running and usage 10 | ``` 11 | usage: binsnitch.py [-h] [-v] [-s] [-a] [-n] [-b] [-w] dir 12 | 13 | positional arguments: 14 | dir the directory to monitor 15 | 16 | optional arguments: 17 | -h, --help show this help message and exit 18 | -v, --verbose increase output verbosity 19 | -s, --singlepass do a single pass over all files 20 | -a, --all keep track of all files, not only executables 21 | -n, --new alert on new files too, not only on modified files 22 | -b, --baseline do not generate alerts (useful to create baseline) 23 | -w, --wipe start with a clean db.json and alerts.log file 24 | ``` 25 | 26 | Example: monitor all executable files on the system and enable verbose logging 27 | 28 | ``` 29 | python3.5 binsnitch.py -v / 30 | ``` 31 | 32 | Example: monitor all files in the current directory and enable verbose logging 33 | 34 | ``` 35 | python3.5 binsnitch.py -v -a . 36 | ``` 37 | 38 | ### How it works 39 | Once ``binsnitch.py`` is running, it will scan all files in ``dir`` (provided through a required command line argument) recursively, and create a SHA256 hash of each file it finds. It then does the following: 40 | - If a file is not known yet by ``binsnitch.py``, its details will be added to ``binsnitch_data/db.json`` (file name, file type and hash). 41 | - If a file is already known but the calculated hash is different from the one in ``binsnitch_data/db.json``, an alert will be logged to ``data/alert.log``. In addition, the new hash will be added to the appropriate entry in ``binsnitch_data/db.json``. 42 | - If a file is already known and the hash is identical to the one already in ``binsnitch_data/alert.log``, nothing happens. 43 | 44 | ### Example output 45 | 46 | ##### binsnitch_data/alerts.log 47 | ``` 48 | 05/15/2017 02:46:17 AM - INFO - Scanning system for new and modified files, this can take a long time 49 | 05/15/2017 02:53:38 AM - INFO - Modified file detected: /Applications/Cyberduck.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate - new hash: a897613ab9ecd8ead7b697012036b2ef683a9df7afe99d9013e5dd6c3e08af10 50 | 05/15/2017 02:53:39 AM - INFO - Modified file detected: /Applications/Cyberduck.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop - new hash: cdad8d7b1cce37547223a198e9fbbe256aed3919b58e1b2305870aeaac33c966 51 | 05/15/2017 02:53:41 AM - INFO - Modified file detected: /Applications/Cyberduck.app/Contents/MacOS/Cyberduck - new hash: 3941de0b9001c616c6fcfdb76108fa5da46bdcdd3089e1feb65578c2d251eeec 52 | ``` 53 | 54 | ##### binsnitch_data/db.json 55 | 56 | ``` 57 | [ 58 | { 59 | "path": "/Applications/1Password 6.app/Contents/Frameworks/AgileLibrary.framework/Versions/A/Resources/pngquant", 60 | "sha256": [ 61 | "47ecd7d9978a291de70aaf5e4392664d5c697cd0867bb59f3d6833671b83d448" 62 | ], 63 | "type": "Mach-O 64-bit executable x86_64" 64 | } 65 | ] 66 | ``` 67 | 68 | ### Internals 69 | Checking if a file is executable is done by checking it against a fixed list of dangerous file extensions (check ``binsnitch.py`` source for details). 70 | 71 | In its current version, ``binsnitch.py`` eats up a lot of CPU. This is caused by the recursive walk through the filesystem and the calculation of SHA256 hashes for each and every file it encounters. 72 | 73 | ### Ideas for improvement 74 | 75 | - ~~Include a switch to start with a new alerts and db file upon start~~ ☑ 76 | - ~~Include a switch to also process new files~~ ☑ 77 | - ~~Enable a switch to process all files instead of executables only~~ ☑ 78 | - ~~Include a switch for a single pass instead of running forever~~ ☑ 79 | - ~~Remove dependency on ``file`` command to check for file type information~~ ☑ 80 | - Be nicer to system resources (IO and CPU) 81 | 82 | ### Why binsnitch? 83 | 84 | Malware will often settle itself by overwriting existing executable applications in order to avoid detection. 85 | Recent malware cases (May 2017) do this, including HandBrake being hacked to drop new variant of the Proton malware and the WannaCry ransomware overwriting ``C:\WINDOWS\system32\tasksche.exe``. 86 | This triggered us to write a simple tool that could be used to detect this. 87 | 88 | binsnitch can also be used during malware analysis, to detect silent changes to files (i.e. replacement of a trusted Windows executable by a trojaned version). 89 | 90 | ### References and comparison to other tools 91 | 92 | Similar tools: 93 | - Tripwire Open Source - https://github.com/Tripwire/tripwire-open-source 94 | - Microsoft File Checksum Integrity Verifier - https://www.microsoft.com/en-us/download/details.aspx?id=11533 95 | - Syscheck in OSSEC - http://ossec-docs.readthedocs.io/en/latest/manual/syscheck/ 96 | 97 | These tools are either OS-dependent or require installation of libraries. In addition, ``binsnitch.py`` can be used to detect changes to the file system after an infection has taken place (not depending on intercepting API calls during the infection itself) - for example, when analyzing a disk image against a "known good" baseline. 98 | 99 | ``binsnitch.py`` has no dependencies other than ``python >= 3``. 100 | 101 | ### Community 102 | 103 | Bug reports and feature requests are welcome in the issues tab! 104 | 105 | Contact us: research@nviso.be. 106 | 107 | binsnitch is developed and maintained by Daan Raman ([@daanraman](https://twitter.com/daanraman)). 108 | 109 | -------------------------------------------------------------------------------- /binsnitch.py: -------------------------------------------------------------------------------- 1 | import time 2 | import argparse 3 | import hashlib 4 | import json 5 | import logging 6 | import os 7 | import signal 8 | import sys 9 | 10 | # Status Constants 11 | FILE_KNOWN_UNTOUCHED = "FILE_KNOWN_UNTOUCHED" 12 | FILE_KNOWN_TOUCHED = "FILE_KNOWN_TOUCHED" 13 | FILE_UNKNOWN = "FILE_UNKNOWN" 14 | 15 | # List of dangerous file extensions 16 | dangerous_extensions = set([ 17 | "DMG", "DLL", "ACTION", "APK", "APP", "BAT", "BIN", "CMD", "COM", 18 | "COMMAND", "CPL", "CSH", "EXE", "GADGET", "INF1", "INS", "INX", "IPA", 19 | "ISU", "JOB", "JSE", "KSH", "LNK", "MSC", "MSI", "MSP", "MST", "OSX", 20 | "OUT", "PAF", "PIF", "PRG", "PS1", "REG", "RGS", "RUN", "SCT", "SH", 21 | "SHB", "SHS", "U3P", "VB", "VBE", "VBS", "VBSCRIPT", "WORKFLOW", "WS", 22 | "WSF"]) 23 | 24 | # Global variables 25 | cached_db = None 26 | 27 | ########### 28 | #Utilities# 29 | ########### 30 | 31 | 32 | def shellquote(s): 33 | return "'" + s.replace("'", "'\\''") + "'" 34 | 35 | 36 | def sha256_checksum(filename, block_size=65536): 37 | sha256 = hashlib.sha256() 38 | with open(filename, 'rb') as f: 39 | for block in iter(lambda: f.read(block_size), b''): 40 | sha256.update(block) 41 | return sha256.hexdigest() 42 | 43 | 44 | def check_file_status(file_info): 45 | global cached_db 46 | 47 | known_path = False 48 | 49 | for db_file in cached_db: 50 | if db_file["path"] == file_info["path"]: 51 | known_path = True 52 | 53 | if file_info["sha256"] in db_file["sha256"]: 54 | return FILE_KNOWN_UNTOUCHED 55 | else: 56 | return FILE_KNOWN_TOUCHED 57 | 58 | if not known_path: 59 | return FILE_UNKNOWN 60 | 61 | 62 | def add_alert_to_db(file_info, status): 63 | global cached_db 64 | 65 | with open("binsnitch_data/db.json") as data_file: 66 | db_data = json.load(data_file) 67 | 68 | for db_file in db_data: 69 | if db_file["path"] == file_info["path"]: 70 | if file_info["sha256"] not in db_file["sha256"]: 71 | db_file["sha256"].append(file_info["sha256"]) 72 | 73 | if status == FILE_UNKNOWN: 74 | logging.info("New file detected: " + db_file["path"] + 75 | " - hash: " + file_info["sha256"]) 76 | 77 | if status == FILE_KNOWN_TOUCHED: 78 | logging.info("Modified file detected: " + db_file["path"] + 79 | " - new hash: " + file_info["sha256"]) 80 | 81 | cached_db = db_data 82 | write_to_db(cached_db) 83 | 84 | 85 | def write_to_db(db_data): 86 | s = signal.signal(signal.SIGINT, signal.SIG_IGN) 87 | json.dump( 88 | db_data, open("binsnitch_data/db.json", 'w'), sort_keys=False, 89 | indent=4, separators=(',', ': ')) 90 | signal.signal(signal.SIGINT, s) 91 | 92 | 93 | def add_file_to_db(file_info): 94 | global cached_db 95 | 96 | with open("binsnitch_data/db.json") as data_file: 97 | db_data = json.load(data_file) 98 | 99 | file_info_to_add = {"path": file_info["path"], "sha256": [file_info["sha256"]]} 100 | 101 | db_data.append(file_info_to_add) 102 | cached_db = db_data 103 | write_to_db(cached_db) 104 | 105 | 106 | def refresh_cache(): 107 | global cached_db 108 | try: 109 | file = open("binsnitch_data/db.json", 'r') 110 | cached_db = json.load(file) 111 | except Exception as exc: 112 | print(str(sys.exc_info())) 113 | 114 | 115 | def prepare_data_files(args): 116 | global cached_db 117 | 118 | # Wipe both alerts and db file in case the user wants to start fresh 119 | try: 120 | if args.wipe: 121 | os.remove("binsnitch_data/db.json") 122 | os.remove("binsnitch_data/alerts.log") 123 | except (IOError, OSError): 124 | pass # if the files are not there yet, then the wipe does not do anything anyway 125 | 126 | # Make sure the data folders exist 127 | if not os.path.exists("./binsnitch_data"): 128 | os.makedirs("./binsnitch_data") 129 | 130 | try: 131 | file = open("binsnitch_data/db.json", 'r') 132 | except IOError: 133 | json.dump([], open("binsnitch_data/db.json", 'w')) 134 | 135 | try: 136 | file = open("binsnitch_data/alerts.log", 'r') 137 | except IOError: 138 | open("binsnitch_data/alerts.log", 'a').close() 139 | 140 | refresh_cache() 141 | 142 | ############ 143 | #Entrypoint# 144 | ############ 145 | 146 | 147 | parser = argparse.ArgumentParser() 148 | parser.add_argument("dir", type=str, help="the directory to monitor") 149 | parser.add_argument("-v", "--verbose", action="store_true", 150 | help="increase output verbosity") 151 | parser.add_argument("-s", "--singlepass", action="store_true", 152 | help="do a single pass over all files") 153 | parser.add_argument("-a", "--all", action="store_true", 154 | help="keep track of all files, not only executables") 155 | parser.add_argument("-n", "--new", action="store_true", 156 | help="alert on new files too, not only on modified files") 157 | parser.add_argument("-b", "--baseline", action="store_true", 158 | help="do not generate alerts (useful to create baseline)") 159 | parser.add_argument("-w", "--wipe", action="store_true", 160 | help="start with a clean db.json and alerts.log file") 161 | 162 | args = parser.parse_args() 163 | prepare_data_files(args) 164 | 165 | logging.basicConfig(format='%(asctime)s - %(levelname)s - %(message)s', 166 | datefmt='%m/%d/%Y %I:%M:%S %p', 167 | filename="binsnitch_data/alerts.log", 168 | level=logging.INFO) 169 | logging.getLogger().addHandler(logging.StreamHandler()) 170 | 171 | logging.info("binsnitch.py started") 172 | 173 | if not os.path.isdir(args.dir): 174 | print("Error: " + args.dir + " could not be read, exiting.") 175 | exit() 176 | 177 | print("Loaded " + str(len(cached_db)) + " items from db.json into cache") 178 | 179 | keepRunning = True 180 | while keepRunning: 181 | logging.info("Scanning " + str(args.dir) + " for new and modified files, this can take a long time") 182 | 183 | for dirName, subdirList, fileList in os.walk(args.dir, topdown=False): 184 | try: 185 | if args.verbose: 186 | print('Scanning %s' % dirName) 187 | except UnicodeEncodeError as e: 188 | continue 189 | 190 | for filename in fileList: 191 | full_path = os.path.join(dirName, filename) 192 | file_extension = str.upper(os.path.splitext(full_path)[1][1:]) 193 | 194 | try: 195 | process_file = False 196 | 197 | if args.all: 198 | process_file = True 199 | else: 200 | if file_extension in dangerous_extensions: 201 | process_file = True 202 | 203 | if process_file: 204 | file_hash = sha256_checksum(full_path) 205 | 206 | file_info = dict() 207 | file_info["path"] = full_path 208 | file_info["sha256"] = file_hash 209 | 210 | status = check_file_status(file_info) 211 | 212 | if status == FILE_UNKNOWN: 213 | add_file_to_db(file_info) 214 | 215 | if args.new and not args.baseline: 216 | add_alert_to_db(file_info, FILE_UNKNOWN) 217 | 218 | elif status == FILE_KNOWN_TOUCHED: 219 | if not args.baseline: 220 | add_alert_to_db(file_info, FILE_KNOWN_TOUCHED) 221 | 222 | elif status == FILE_KNOWN_UNTOUCHED: 223 | pass 224 | 225 | except Exception as exc: 226 | print(str(sys.exc_info())) 227 | 228 | if not args.singlepass: 229 | logging.info("Finished! Sleeping for a minute before scanning " + args.dir + " for changes again") 230 | time.sleep(60) 231 | else: 232 | logging.info("Finished!") 233 | keepRunning = False 234 | --------------------------------------------------------------------------------