import psutil
from dbhandler import *
from win32com.client import Dispatch
from test import *
from filehandler import *
from multiprocessing import Process,Manager
import time
import os
def getversioninfo(path):
    """Return the file-version string of the executable at *path*.

    Asks the Windows ``Scripting.FileSystemObject`` COM server for the
    file's version resource. When the file carries none, the COM call
    yields the literal ``'No Version Information Available'``, which is
    mapped to ``None`` so callers can test for absence directly.
    """
    fso = Dispatch('Scripting.FileSystemObject')
    version = fso.GetFileVersion(path)
    return None if version == 'No Version Information Available' else version
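def _read_lines(path):
    """Return the lines of the text file *path* with trailing newlines removed.

    The file is opened read-only and closed on exit.
    """
    with open(path, 'r') as f:
        return [line.rstrip('\n') for line in f]


def _safe_name(proc):
    """Return ``proc.name()``, or ``'?'`` if the process vanished or is protected."""
    try:
        return proc.name()
    except psutil.Error:
        return '?'


def _inspect_process(proc, whitelist):
    """Run the per-process checks on a single ``psutil.Process``.

    Steps, in order:
    1. MD5 the on-disk executable and queue the hash (``dbInsertp_q``) when
       ``getVT`` does not know it yet (returns -1).
    2. If ``check_exe`` reports the binary unsigned, say so; an unsigned
       binary whose hash ``dbsearch`` finds and whose ``getVT`` score
       exceeds 4 is killed. Signed binaries only get their version
       resource read.
    3. Report the process when neither its path nor its name is in
       *whitelist* (a list of executable paths and process names).

    psutil errors (process exited, access denied) propagate to the caller.
    """
    exe = proc.exe()
    name = proc.name()
    digest = md5Checksum(exe)
    if getVT(digest) == -1:
        dbInsertp_q(digest)
    # NOTE(review): the indentation of this file was lost upstream; the kill
    # is applied only to unsigned binaries here, matching the ``else`` that
    # pairs with this branch. Confirm whether a signed-but-flagged binary
    # should also be killed.
    if check_exe(exe) == False:
        print("Unsigned process running" + name)
        # getVT is queried again rather than cached: the dbInsertp_q above
        # may have changed what it returns.
        if dbsearch(digest) == True and getVT(digest) > 4:
            print("Killing process" + name)
            proc.kill()
    else:
        # Return value is not used; the call is kept for parity.
        getversioninfo(exe)
    if exe not in whitelist and name not in whitelist:
        print("process not in white list : " + name)


def _inspect_many(procs, whitelist):
    """Apply ``_inspect_process`` to each process, isolating per-process failures.

    Processes that exit mid-scan or refuse access (``psutil.Error``) are
    skipped silently, as that is routine on a live system; any other error
    is printed so it is not lost.
    """
    for proc in procs:
        try:
            _inspect_process(proc, whitelist)
        except psutil.Error:
            continue
        except Exception as e:
            print("Failed to inspect process " + _safe_name(proc) + ": " + str(e))


def _submit_hashes(rows, mode):
    """Hand the first column of *rows* (hash strings) to ``checkvt`` with *mode*."""
    hashes = [row[0] for row in rows]
    print("Statrting the hash calculation process total hashes in the queue" + str(len(hashes)))
    checkvt(hashes, mode)


def _check_connections():
    """Kill any process whose remote peer IP ``dbcheckip`` flags as malicious.

    Connections without a remote address are skipped. A flagged connection
    that psutil cannot attribute to a live process (``pid`` is None, or the
    owner exited after the snapshot) is only reported, instead of raising
    KeyError and ending the monitor loop.
    """
    proc_dict = {p.pid: p for p in psutil.process_iter()}
    for conn in psutil.net_connections():
        if not conn.raddr:
            continue
        remote_ip = str(conn.raddr[0])
        if dbcheckip(remote_ip) != True:
            continue
        owner = proc_dict.get(conn.pid)
        if owner is None:
            print("Malicious remote Connection " + remote_ip + " (owning process not found)")
            continue
        try:
            print("Malicious remote Connection " + owner.name())
            owner.kill()
        except psutil.Error as e:
            print(e)


# Entry point: sweep the running processes once, start one file scanner per
# configured path, then loop forever inspecting newly started processes and
# outbound connections. Scanner children are terminated however the loop ends.
if __name__ == '__main__':
    dbCreate()
    wl = _read_lines('whitelist.txt')

    # Initial sweep of everything currently running.
    proc_dict = {p.pid: p for p in psutil.process_iter()}
    print("Total no.of prpocess : " + str(len(proc_dict)))
    _inspect_many(proc_dict.values(), wl)
    print("Process parse complete")
    pdat = getpdata()
    if pdat == False:
        print("No unknown applications found on system")
    else:
        _submit_hashes(pdat, 0)

    proc_list = []
    try:
        for path in _read_lines('paths.txt'):
            scanner = Process(target=scan_path, args=(os.path.abspath(path),))
            scanner.start()
            proc_list.append(scanner)
        print(proc_list)

        plist = list(psutil.process_iter())
        # NOTE(review): the loop never sleeps, so it spins at full CPU and
        # re-polls the queues continuously; a short time.sleep() between
        # snapshots would be cheap.
        while True:
            pdat = getfdata()
            if pdat != False:
                print([row[0] for row in pdat])
                _submit_hashes(pdat, 1)

            plist1 = list(psutil.process_iter())
            new_procs = list(set(plist1) - set(plist))
            if new_procs:
                print("addedd" + str([_safe_name(p) for p in new_procs]))
                # Act on the newly observed processes themselves.
                _inspect_many(new_procs, wl)
                print("Process parse complete")
                pdat = getpdata()
                if pdat != False:
                    try:
                        _submit_hashes(pdat, 0)
                    except Exception as e:
                        print(e)

            _check_connections()
            plist = plist1
    except KeyboardInterrupt:
        print("Interrupted, stopping scanners")
    finally:
        for scanner in proc_list:
            scanner.terminate()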