import os
import re
import subprocess
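# Marker files used to decide which package manager owns this system.
debian = '/etc/debian_version'
redhat = '/etc/redhat-release'

# Report line, kept verbatim so anything already grepping for it keeps working.
REPORT = "Suspicious lib or process %s in PID %s"

# A maps pathname must start with a word character or '/' to count as a file;
# this excludes the kernel's bracketed pseudo-mappings such as [heap]/[stack]/[vdso].
_PATH_START = re.compile(r'[\w/]')


def _mapped_executable_files(maps_text):
    """Return the on-disk files mapped executable in a /proc/<pid>/maps dump.

    Each maps line is ``address perms offset dev inode [pathname]``.  An entry is
    kept only when the permission string has ``x`` in the third position and the
    pathname names a real file: anonymous mappings (no pathname column), bracketed
    pseudo-mappings and unlinked files (pathname tagged ``(deleted)``) are skipped.
    Duplicates are collapsed, first occurrence wins, order otherwise preserved.
    """
    found = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # no pathname column: anonymous mapping
        perms, pathname = fields[1], fields[5]
        if len(perms) < 3 or perms[2] != 'x':
            continue
        if not _PATH_START.match(pathname):
            continue
        if '(deleted)' in pathname:
            continue  # backing file is gone; nothing on disk to verify
        if pathname not in found:
            found.append(pathname)
    return found


def _usrmerge_alias(path):
    """Return the pre-usrmerge spelling of *path* (``/usr/lib/..`` -> ``/lib/..``).

    On usrmerge systems ``/lib`` is a symlink to ``/usr/lib``: the kernel reports
    the resolved ``/usr/...`` path in maps while dpkg's database may still record
    the file under ``/lib``, so ``dpkg -S`` on the resolved path fails.  Only the
    leading ``/usr`` is removed (the original ``re.sub('/usr', '', path)`` rewrote
    every occurrence).  Returns ``None`` when *path* does not start with ``/usr/``.
    """
    if path.startswith('/usr/'):
        return path[len('/usr'):]
    return None


def _run(argv, merge_stderr=False):
    """Run *argv* without a shell and return ``(returncode, stdout_text)``.

    The file paths handed to rpm/dpkg are read out of other processes' maps
    files, i.e. they are chosen by whoever controls those processes.  Passing a
    path as its own argv element (no ``shell=True``, no string interpolation)
    means a mapping named ``/tmp/"; rm -rf /; "`` is just an odd filename rather
    than a command run with this scanner's privileges.  stderr is discarded
    unless *merge_stderr* is set, in which case it is folded into the text.
    """
    with open(os.devnull, 'wb') as devnull:
        proc = subprocess.Popen(
            argv,
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT if merge_stderr else devnull,
            universal_newlines=True,  # text output on both Python 2 and 3
        )
        out = proc.communicate()[0]
    return proc.returncode, out or ''


def _rpm_flags(path):
    """True when ``rpm -Vf`` reports anything about *path*.

    ``rpm -Vf`` verifies the package owning the file and prints a line per file
    that fails verification; stderr is merged in so that an "unowned file"
    complaint naming the path counts as a finding too.  A plain substring test
    replaces the original ``re.search(path, output)``, which used the path as a
    regex and raised on names such as ``libstdc++.so``.
    """
    _, out = _run(['rpm', '-Vf', path], merge_stderr=True)
    return path in out


def _dpkg_flags(path):
    """True when no package owns *path* or ``dpkg --verify`` reports it changed.

    ``dpkg -S`` is tried on the path as reported by the kernel and, failing
    that, on its pre-usrmerge alias.  The owning package (first field of the
    first ``pkg[:arch]: path`` line) is verified, and the spelling dpkg accepted
    is searched for in the report, because that is the spelling dpkg prints —
    the original searched for the ``/usr`` form and so never matched a changed
    file found via the alias.
    """
    query = None
    out = ''
    for candidate in (path, _usrmerge_alias(path)):
        if candidate is None:
            continue
        rc, out = _run(['dpkg', '-S', candidate])
        if rc == 0 and out:
            query = candidate
            break
    if query is None:
        return True  # not owned by any package under either spelling
    package = out.splitlines()[0].partition(': ')[0]
    _, report = _run(['dpkg', '--verify', package])
    return query in report


def main():
    """Verify every executable file mapping of every process against the package db.

    Prints ``Suspicious lib or process <path> in PID <pid>`` for each mapped file
    that the system's package manager does not own or reports as modified.  Both
    managers are consulted when both marker files exist.  Verdicts are cached per
    path since one shared library is mapped into many processes.  Processes that
    vanish or whose maps are unreadable (non-root) are skipped rather than crashing
    the scan.  NOTE: this trusts the local rpm/dpkg binaries and their databases;
    a rootkit that has tampered with those can hide from it.
    """
    use_rpm = os.path.exists(redhat)
    use_dpkg = os.path.exists(debian)
    verdicts = {}
    for pid in os.listdir('/proc'):
        if not pid.isdigit():
            continue  # only real PIDs; skips self/thread-self (the scanner itself)
        try:
            with open('/proc/%s/maps' % pid) as maps:
                maps_text = maps.read()
        except (IOError, OSError):
            continue
        for path in _mapped_executable_files(maps_text):
            if path not in verdicts:
                verdicts[path] = ((use_rpm and _rpm_flags(path))
                                  or (use_dpkg and _dpkg_flags(path)))
            if verdicts[path]:
                print(REPORT % (path, pid))


if __name__ == '__main__':
    main()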