From b122c0446914ce5613e7a01fc9ffb548fb907399 Mon Sep 17 00:00:00 2001
From: Nong Hoang Tu
Date: Sun, 13 Oct 2024 17:08:46 +0700
Subject: [PATCH] Try a method to fix false postive
---
 src/research/find_hidden_file.nim | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/research/find_hidden_file.nim b/src/research/find_hidden_file.nim
index 4028bf5..7c5f1d7 100644
--- a/src/research/find_hidden_file.nim
+++ b/src/research/find_hidden_file.nim
@@ -16,13 +16,14 @@ proc find_hidden_files(find_dir: string) =
 var f_dir = opendir(cstring(find_dir))
 save_node_name: string
+ wrong_reclen = false
 while true:
 var r_dir: ptr Dirent = readdir(f_dir)
 if r_dir == nil:
- if not isEmptyOrWhiteSpace(save_node_name):
+ if not isEmptyOrWhiteSpace(save_node_name) and not wrong_reclen:
 echo "Malware (last): ", save_node_name
 break
@@ -37,7 +38,11 @@ proc find_hidden_files(find_dir: string) =
 else:
 # Parse name of next node using location
 save_node_name = $cast[cstring](addr(r_dir.d_name[r_dir.d_reclen]))
+ # From output of d_name, last node in folder that has so many nodes will has d_reclen > actual value
+ # This is a fast method to check this logic happen.
+ # Need to check carefully with multiple systems because input value is unpredictable
+ wrong_reclen = ($cast[cstring](addr(r_dir.d_name[r_dir.d_reclen - 1]))).endswith(save_node_name)
 discard f_dir.closedir()
-find_hidden_files("/usr/lib/x86_64-linux-gnu/")
+find_hidden_files("/usr/bin/")
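Review bot: `wrong_reclen` is declared in this hunk without saying what it encodes, and the only explanation is the comment in the later hunk, which describes a symptom rather than the meaning of the flag; the name also suggests a check on `d_reclen` while the value assigned to it is a string-suffix test. On the declaration line I would write `wrong_reclen = false  # per entry: true when the name read at d_name[d_reclen] is judged to be stale buffer data rather than a real record; the end-of-directory report is skipped in that case`. It is also worth stating that the flag only ever carries the value computed for the last entry readdir returned, since that is what the `r_dir == nil` branch relies on and the assignment lives in the other hunk. The body of find_hidden_files continues outside this hunk.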
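Review bot: The new `wrong_reclen` test looks at the single byte in front of the candidate name, and that byte is not a reliable signal: if `Dirent` has the usual glibc layout (d_ino, d_off, d_reclen, d_type, then d_name), `d_name[d_reclen]` is the following record's name and `d_name[d_reclen - 1]` is that record's `d_type` byte, which is non-zero for a real entry on filesystems that fill it in. In that case the cstring built from it is just that byte followed by the name, `endswith(save_node_name)` is true, and the "Malware (last)" report is suppressed precisely when a hidden entry sits last in the buffer, while stale bytes that happen to be preceded by a zero still pass. Checking the header of the candidate record is more robust than checking one byte: compute the record pointer once and treat it as bogus when its own `d_reclen` is zero, not 8-aligned, or larger than a `Dirent` (Linux getdents records are 8-byte aligned; still confirm on the target systems, as the added comment already asks). Whichever test is used, the read past `d_reclen` touches memory beyond the last record readdir vouched for, so the bytes there must stay treated as untrusted input rather than as a valid record.
```nim
      save_node_name = $cast[cstring](addr(r_dir.d_name[r_dir.d_reclen]))
      # Sanity-check the header of the record the name came from instead of the
      # single byte in front of it: a real getdents record has a non-zero,
      # 8-aligned d_reclen that fits in a Dirent; stale bytes past the last
      # valid record rarely do. Bytes at this address are untrusted.
      let next_rec = cast[ptr Dirent](cast[uint](r_dir) + uint(r_dir.d_reclen))
      wrong_reclen = next_rec.d_reclen == 0 or
                     (next_rec.d_reclen and 7) != 0 or
                     int(next_rec.d_reclen) > sizeof(Dirent)
```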