Hamato-Yoshi is a malware detection system for Linux.
It runs as a daemon process and monitors /proc
for suspicious activity.
Clone the repository from Bitbucket:

$ git clone http://mrs-magenta:7990/scm/turtles/hamato-yoshi.git

(The clone URL above is plain HTTP. If the Bitbucket server also offers HTTPS or SSH, prefer one of those, since an unauthenticated transport lets anyone on the network path hand you a modified tree.)

Create a local virtual environment:

$ virtualenv -p /usr/bin/python3 venv

Activate the virtual environment with:

$ source venv/bin/activate
(venv)$

Install requirements.txt using pip:

(venv)$ pip install -r requirements.txt

Run the daemon with:

(venv)$ python main.py

How it works:

- Hamato-Yoshi continuously takes snapshots of files in /proc/* and analyzes their changes.
- When it detects that a snapshot has changed, Hamato-Yoshi follows a set of rules defined in rules.csv and proc_rules.
- Each rule defines actions to perform if the detected changes meet certain conditions.
- In order to analyze these changes, Hamato-Yoshi is equipped with tailor-made parsers for each of the (currently partial list of) files in /proc/*.
- These parsers yield comparable structured data (usually a dict) from the contents of the file they parse.

Note that most per-process files under /proc/<pid>/ (for example maps, environ and fd/) are readable only by the process owner or by root, and some kernel addresses in files such as /proc/modules are zeroed for unprivileged readers. Run the daemon with the privileges needed to see the processes and files you intend to monitor, or its snapshots will silently miss them.
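The snapshot, parse, diff and rule steps described above, as an added example in Python. This is not Hamato-Yoshi's own code: the project's parser interface and the formats of rules.csv and proc_rules are not documented here, so rules are modelled as plain callables (an assumption of this example), and /proc/modules stands in for whichever /proc file is being watched. The two snapshots are constructed, not captured from a real host.

```python
"""Added example: snapshot -> parse -> diff -> rules over /proc/modules.

Not Hamato-Yoshi's own code. The project's parser interface and the
format of rules.csv / proc_rules are not described in the README, so
rules are modelled here as plain Python callables (an assumption).
"""
from dataclasses import dataclass
from typing import Callable

# Constructed /proc/modules contents (not captured from a real host).
# Columns: name size refcount used_by state offset
# The offset column reads 0x0000000000000000 for non-root readers when
# kptr_restrict is enabled, so it is only meaningful when running as root.
SNAPSHOT_BEFORE = """\
ext4 778240 2 - Live 0xffffffffc0a00000
mbcache 16384 1 ext4, Live 0xffffffffc09f0000
jbd2 131072 1 ext4, Live 0xffffffffc09c0000
"""

# Same host a moment later: a new module "evil_mod" (constructed name)
# has appeared and ext4's refcount rose from 2 to 3.
SNAPSHOT_AFTER = """\
evil_mod 16384 0 - Live 0xffffffffc0b00000
ext4 778240 3 - Live 0xffffffffc0a00000
mbcache 16384 1 ext4, Live 0xffffffffc09f0000
jbd2 131072 1 ext4, Live 0xffffffffc09c0000
"""


def parse_proc_modules(text: str) -> dict:
    """Parse /proc/modules into a dict keyed by module name.

    A dict (rather than raw text) makes two snapshots comparable
    field by field, which is what the diff step needs.
    """
    modules = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # tolerate blank or truncated lines
        name, size, refcount, used_by, state, offset = fields[:6]
        modules[name] = {
            "size": int(size),
            "refcount": int(refcount),
            # "used_by" is "-" or a comma-terminated list such as "ext4,"
            "used_by": [] if used_by == "-" else used_by.rstrip(",").split(","),
            "state": state,
            "offset": offset,
        }
    return modules


def diff_snapshots(old: dict, new: dict) -> dict:
    """Return the keys added, removed and changed between two parsed snapshots."""
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    changed = {
        k: {"before": old[k], "after": new[k]}
        for k in old.keys() & new.keys()
        if old[k] != new[k]
    }
    return {"added": added, "removed": removed, "changed": changed}


@dataclass
class Rule:
    """A condition over a diff and the action to run when it holds."""
    name: str
    condition: Callable[[dict], bool]
    action: Callable[[dict], str]


# Hypothetical rules; the real project keeps its rules in rules.csv / proc_rules.
RULES = [
    Rule(
        "kernel_module_loaded",
        lambda d: bool(d["added"]),
        lambda d: "ALERT new kernel module(s): " + ", ".join(sorted(d["added"])),
    ),
    Rule(
        "kernel_module_unloaded",
        lambda d: bool(d["removed"]),
        lambda d: "WARN module(s) unloaded: " + ", ".join(sorted(d["removed"])),
    ),
]


def apply_rules(diff: dict, rules=RULES) -> list:
    """Run every rule whose condition matches and collect the action results."""
    return [rule.action(diff) for rule in rules if rule.condition(diff)]


def check_transition(before_text: str, after_text: str, rules=RULES) -> list:
    """One monitoring step: parse both snapshots, diff them, evaluate rules."""
    diff = diff_snapshots(parse_proc_modules(before_text), parse_proc_modules(after_text))
    return apply_rules(diff, rules)


if __name__ == "__main__":
    # A real daemon would read open("/proc/modules").read() on a timer and
    # keep the previous snapshot; the constructed snapshots stand in here.
    for finding in check_transition(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(finding)
```

The refcount change on ext4 lands in the "changed" part of the diff but triggers nothing, because no rule asks about it; that separation is the point of keeping parsing, diffing and rule evaluation as distinct steps, so adding a new detection means adding a rule, not touching the parser.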
