-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathscanner.py
More file actions
101 lines (92 loc) · 4.09 KB
/
Copy pathscanner.py
File metadata and controls
101 lines (92 loc) · 4.09 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
import os
import hashlib
import threading
RED = "\033[91m"
BLUE = "\033[94m"
RESET = "\033[0m"
SUSPICIOUS_INDICATORS = [
"win32crypt", "Crypto.Cipher", "base64.b64decode", "shutil.copyfile",
"requests.post", "getpass.getuser", "subprocess.Popen", "os.system",
"eval(", "exec(", "pickle.loads", "marshal.loads", "input(",
"smtplib.SMTP", "http.server", "socket.socket", "paramiko.SSHClient",
"pyautogui", "pynput.mouse", "pynput.keyboard", "os.remove", "os.rename",
"delete", "destroy", "format", "wmi.WMI", "TaskScheduler.TaskScheduler",
"powershell", "cmd.exe", "Taskkill", "os.popen", "sys.exit", "atexit",
"cryptography.fernet", "crypt.crypt", "Crypto.Random", "random.seed",
"os.urandom", "UUID.uuid4", "hashlib.md5", "hashlib.sha1",
"hashlib.sha256", "hashlib.blake2b", "hashlib.blake2s", "base64.b64encode",
"base64.urlsafe_b64encode", "codecs.encode", "codecs.decode", "os.mkdir",
"os.makedirs", "os.rmdir", "os.chmod", "os.chown", "os.fork", "os.kill",
"os.fsync", "ctypes.windll", "ctypes.CDLL", "ctypes.create_string_buffer"
]
SUSPICIOUS_HASHES = [
11a9062134094750d5a0bfbe72a16f6f,
ea7e72cb5473b6c921341ca5a1215a76,
de1988620b66c8db8aafaefb19418553,
0d53e016907a7498dd0697d2f0ab70b1,
1af0e8a74ffbd2ae1799e76f35d440bc,
5cab10a7eb4d0aef70247b3d2c5ba80a,
f8ef270871bbe4ec92d38150ac137c88,
1daa4606a06ab5397453b16fa96cc0b7,
6dad232793f64aafd2341bb9805fbc0d,
55e10b726a92f90445c7f2c3665e29c7,
b6410bfd339e440b17161b09709de019,
6f397e1f9823a1252e0e230ed6b5ae04,
7702fecf5fe741df2b50584277b3d09e,
3575e9173eb10da9ac537b3e6633050f,
4076b65c324258cb706ee0dc630ddbbe,
13a1a369441990d36f29b8fe453883ab,
d2cf9ebaf0408adde5ef95ea997b5503,
]
def check_file_content(file_path):
try:
if file_path.endswith(".exe") and "WindowsApps" not in file_path:
with open(file_path, 'rb') as file:
content = file.read().decode('latin-1')
for indicator in SUSPICIOUS_INDICATORS:
if indicator in content:
print(f"{RED}[ALERT] Found suspicious indicator in {file_path}: {indicator}{RESET}")
return True
except Exception as e:
print(f"{BLUE}[ERROR]{RESET}Failed to check file content: {e}")
return False
def get_file_hash(file_path):
try:
if file_path.endswith(".exe") and "WindowsApps" not in file_path:
hasher = hashlib.sha256()
with open(file_path, 'rb') as file:
buffer = file.read()
hasher.update(buffer)
return hasher.hexdigest()
except Exception as e:
print(f"{BLUE}[ERROR]{RESET}Failed to calculate hash: {e}")
return None
def monitor_files(directory):
suspicious_files = []
for dirpath, _, filenames in os.walk(directory):
for filename in filenames:
file_path = os.path.join(dirpath, filename)
if filename.endswith(".exe"):
if check_file_content(file_path):
suspicious_files.append(file_path)
print(f"{RED}[ALERT] Suspicious file detected: {file_path}{RESET}")
file_hash = get_file_hash(file_path)
if file_hash in SUSPICIOUS_HASHES:
suspicious_files.append(file_path)
print(f"{RED}[ALERT] File with suspicious hash detected: {file_path}{RESET}")
return suspicious_files
def start_monitoring():
print("Starting antivirus monitoring...")
suspicious_files = []
try:
suspicious_files.extend(monitor_files(os.environ["USERPROFILE"]))
finally:
if suspicious_files:
print(f"{RED}\nScan completed. Suspicious files detected:{RESET}")
for file in suspicious_files:
print(f"{RED}{file}{RESET}")
else:
print(f"{BLUE}\nScan completed. No viruses detected.{RESET}")
input(f"\n{BLUE}Press any key to exit.{RESET}")
if __name__ == "__main__":
start_monitoring()