Skip to content

Commit

Permalink
Fix can't detect the last node. Add fixme for further research
Browse files Browse the repository at this point in the history
  • Loading branch information
dmknght authored Oct 10, 2024
1 parent e8d8afe commit 223348d
Showing 1 changed file with 8 additions and 4 deletions.
12 changes: 8 additions & 4 deletions src/research/find_hidden_file.nim
Original file line number Diff line number Diff line change
@@ -1,9 +1,10 @@
import posix
import strutils


proc find_hidden_files(find_dir: string) =
# FIXME: if there are 2 hidden files like aaaa, aaab -> likely this loop will miss aaab and skip to aaac. It's technical issue
# FIXME: missing hidden file in /dev/shm with perfctl linux rootkit
# FIXME: if the node before malware has the name too long, this script can't get the name of next node hence can't detect
var
f_dir = opendir(cstring(find_dir))
save_node_name: string
Expand All @@ -13,11 +14,14 @@ proc find_hidden_files(find_dir: string) =
r_dir: ptr Dirent = readdir(f_dir)

if r_dir == nil:
# FIXED: missing hidden file in /dev/shm with perfctl linux rootkit. Reason: hidden file is the last link in node
# FIXME false positive (?) /usr/bin/make-first-existing-target (belong to package `make`)
if not isEmptyOrWhiteSpace(save_node_name):
echo "Malware: ", save_node_name
break

# Compare name of current node with save name from previous loop (which suppose to be name of this node if no function hooking)
# FIXME: if the name of next node is too long, only starts with is correct (which also can cause false positive)
# FIXED BY PARSING
# FIXED: if the name of next node is too long, only starts with is correct (which also can cause false positive). Parse using cast[cstring] fixed it (no NULL)
if save_node_name != "" and save_node_name != $cast[cstring](addr(r_dir.d_name)):
echo "Malware: ", save_node_name

Expand All @@ -27,7 +31,7 @@ proc find_hidden_files(find_dir: string) =
save_node_name = ""
else:
# Parse name of next node using location
# FIXME: validate value if next node's name is very long so it doesnt end with NULL
# FIXED: validate value if next node's name is very long so it doesnt end with NULL
save_node_name = $cast[cstring](addr(r_dir.d_name[r_dir.d_reclen]))

discard f_dir.closedir()
Expand Down

0 comments on commit 223348d

Please sign in to comment.