search_dev_shm.py

#!/usr/bin/env python3

# written by sqall
# twitter: https://twitter.com/sqall01
# blog: https://h4des.org
# github: https://github.com/sqall01
#
# Licensed under the MIT License.

"""
Short summary:
Search for binaries and scripts in /dev/shm.
Malware that tries to hide is often stored there.

Requirements:
None

Reference:
https://twitter.com/CraigHRowland/status/1268863172825346050
https://twitter.com/CraigHRowland/status/1269196509079166976
"""

import os
import sys

from lib.util import output_finding

# Read configuration.
try:
    from config.config import ALERTR_FIFO, FROM_ADDR, TO_ADDR
    from config.search_dev_shm import ACTIVATED
except:
    ALERTR_FIFO = None
    FROM_ADDR = None
    TO_ADDR = None
    ACTIVATED = True


def search_suspicious_files():

    # Decide where to output results.
    print_output = False
    if ALERTR_FIFO is None and FROM_ADDR is None and TO_ADDR is None:
        print_output = True

    if not ACTIVATED:
        if print_output:
            print("Module deactivated.")
        return

    # Get all suspicious ELF files.
    fd = os.popen("find /dev/shm -type f -exec file -p '{}' \\; | grep ELF")
    elf_raw = fd.read().strip()
    fd.close()

    # Get all suspicious script files.
    fd = os.popen("find /dev/shm -type f -exec file -p '{}' \\; | grep script")
    script_raw = fd.read().strip()
    fd.close()

    suspicious_files = []
    if elf_raw.strip():
        suspicious_files.extend(elf_raw.strip().split("\n"))
    if script_raw.strip():
        suspicious_files.extend(script_raw.strip().split("\n"))

    if suspicious_files:
        message = "File(s) in /dev/shm suspicious:\n\n"
        message += "\n".join(suspicious_files)

        output_finding(__file__, message)


if __name__ == '__main__':
    is_init_run = False
    if len(sys.argv) == 2:
        if sys.argv[1] == "--init":
            is_init_run = True

    # Script does not need to establish a state.
    if not is_init_run:
        search_suspicious_files()