import argparse
import os
import glob
import imp
import sys
import logging
import time
logging.basicConfig(level=logging.INFO)
import modules.grep_count as grep_module
import modules.entropy as entropy_module
import modules.whitelist as whitelist_module
import modules.libfuzzy as fuzzy_module
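parser = argparse.ArgumentParser(description='Fuzzy matching for malwares')
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument('--save', '-s', help='Path to save the databases', default=None)
group.add_argument('--filenames', '-f', nargs='*', help='Files to check')
parser.add_argument('--sleep', '-t', type=int, default=0, help='Sleep between files processing')
args = parser.parse_args()

# Detection back-ends. Each one exposes is_malware(path); the whitelist and
# fuzzy matchers additionally expose save(path) and a .name used as a suffix.
grep = grep_module.GrepCount()
entropy = entropy_module.Entropy()
whitelist = whitelist_module.HashWhitelist()
fuzzy = fuzzy_module.FuzzyMatcher()


def _under_git_dir(fpath):
    """Return True when *fpath* lives below a ``.git`` directory.

    Keeps the original substring test (``'/.git/'`` in the path) and adds a
    separator-agnostic check on the directory components, so the exclusion
    also holds for Windows paths and when the walk starts inside ``.git``
    itself (where the path has no leading ``/.git/``).
    """
    if '/.git/' in fpath:
        return True
    parent = os.path.normpath(os.path.dirname(fpath))
    return '.git' in parent.split(os.sep)


def _iter_files(paths):
    """Yield every regular file reachable from the given *paths*.

    A path that is itself a regular file is yielded directly: os.walk()
    yields nothing for a non-directory, so such inputs were silently skipped
    before even though --filenames is documented as "Files to check".
    Directories are walked recursively.
    """
    for path in paths or []:
        if os.path.isfile(path):
            yield path
            continue
        for root, _, filenames in os.walk(path):
            for filename in filenames:
                yield os.path.join(root, filename)


def _is_flagged(fpath):
    """Return True when a content detector flags *fpath* and it is not whitelisted.

    All three content detectors are run unconditionally (as in the original)
    rather than short-circuited, so any per-file work they do is preserved.
    """
    grep_results = grep.is_malware(fpath)
    entropy_results = entropy.is_malware(fpath)
    fuzzy_results = fuzzy.is_malware(fpath)
    if not (grep_results or entropy_results or fuzzy_results):
        return False
    # NOTE(review): HashWhitelist.is_malware() is presumably True when the
    # file's hash is NOT in the whitelist — confirm against modules/whitelist.
    # Files under .git are never reported, whatever the detectors say.
    return whitelist.is_malware(fpath) and not _under_git_dir(fpath)


if args.save:  # Save the computed databases
    for module in (whitelist, fuzzy):
        module.save(args.save + '.' + module.name)
else:
    for fpath in _iter_files(args.filenames):
        if _is_flagged(fpath):
            # Lazy %-formatting: the message text is identical to before.
            logging.info('MALWARE: %s', fpath)
        # Throttle between files regardless of the verdict (original behaviour).
        time.sleep(args.sleep)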