This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 59
/
tools.py
84 lines (58 loc) · 2.39 KB
/
tools.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
import os
import subprocess
import shutil
class Tool(object):
''' used for long-running external tools such as yara or chkrootkit '''
def __init__(self):
self._proc_object = None
self._proc_cmdline = []
self._output_path = os.path.join(os.path.dirname(__file__),
self.__class__.__name__.lower() + '.log')
if not self._is_installed():
raise Exception('error: %s not installed' % self.__class__.__name__)
def _is_installed(self):
raise NotImplementedError()
def set_cmdline(self):
raise NotImplementedError()
def run(self):
if not len(self._proc_cmdline):
raise Exception('error: please use set_cmdline first!')
if self.status() != 'running':
self._proc_object = subprocess.Popen(self._proc_cmdline, stdout=open(self._output_path, 'wb'),
stderr=subprocess.STDOUT)
def status(self):
if not self._proc_object:
return 'not started'
# set returncode attr
self._proc_object.poll()
return 'running' if self._proc_object.returncode == None else self._parse_status(self._proc_object.returncode)
def _parse_status(self, status):
''' override this function to handle different exit codes '''
return 'done(%d)' % status
def results(self):
if not os.path.isfile(self._output_path):
return '-'
with open(self._output_path, 'rb') as fh:
data = fh.read()
return data[:10 * 1024] # handle this limit
def stop(self):
if self._proc_object:
self._proc_object.kill()
class YARA(Tool):
def _is_installed(self):
return shutil.which('yara')
def set_cmdline(self, rule_file, dir='/', recursive=True, pid=None):
if pid:
self._proc_cmdline = [shutil.which('yara'), rule_file, pid]
else:
self._proc_cmdline = [shutil.which('yara')] + ['-r', rule_file, dir] if recursive else [rule_file, dir]
class Chkrootkit(Tool):
def _is_installed(self):
return shutil.which('chkrootkit')
def set_cmdline(self):
self._proc_cmdline = [shutil.which('chkrootkit')]
class Find(Tool):
def _is_installed(self):
return True
def set_cmdline(self, dir, name):
self._proc_cmdline = ['/usr/bin/find', dir, '-name', name]