Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

added simple boot sector analyzer #6

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
81 changes: 81 additions & 0 deletions fishy/ntfs/ntfs_boot.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
"""
interface for ntfs boot sector
"""
import os
import hashlib

class NTFSMeta:
""" class to analyze and scan boot sector of ntfs systems.
"""
def __init__(self, stream):
""" init: open ntfs image
file: saves file name
"""
self.stream = stream
if os.path.isfile(self.stream):
print("ok")
# test.is_ntfs() TODO is this needed?
else:
print("file does not exist.")

def is_altered(self):
""" is_altered:
compare boot sector with the backup boot sector (via hash values)
true: the sector was altered
false: the sector was not altered
"""
offset = 512 # sector size TODO needs to be determined dynamically
try:
# open file
file = open(self.stream, "rb")
data = file.read(offset)
# create hash value for boot sector
hash_boot = hashlib.sha256()
hash_boot.update(data)
# determine file size
statinfo = os.stat(self.stream)
# skip to last partition (backup boot sector)
file.seek(statinfo.st_size - offset)
backup = file.read(offset)
# create hash value for backup boot sector
hash_back = hashlib.sha256()
hash_back.update(backup)
# compare hash values
if hash_boot.hexdigest() == hash_back.hexdigest():
# nothing to do here
print("boot sector was not compromised.")
return False
else:
# compromised, further action required
print("boot sector was compromised.")
return True
except IOError:
return 0
finally:
file.close()

def scan_boot_sector(self):
""" scan_boot_sector: scans the boot sector for hidden data
"""
with open(self.stream, "rb") as file:
offset = 512
# file.seek(0) jump to start of file needed?
pos = file.tell()
current_pos = 0
last = os.stat(self.stream).st_size - offset
while current_pos < offset:
# switch cursor between current position at boot & backup sector
file.seek(pos + current_pos)
boot_c = file.read(1)
file.seek(last + current_pos)
back_c = file.read(1)
if not boot_c:
print("End of file")
break
if boot_c != back_c:
# do something
print(boot_c)
current_pos = current_pos + 1
file.seek(pos)
file.close()