From 03c49c5af565d158477e8c24ebc7ff7d531bff70 Mon Sep 17 00:00:00 2001 From: Nong Hoang Tu Date: Mon, 14 Oct 2024 11:04:54 +0700 Subject: [PATCH 1/2] Add condition to detect miss case --- src/research/find_hidden_file.nim | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/research/find_hidden_file.nim b/src/research/find_hidden_file.nim index 7c5f1d7..b6966d3 100644 --- a/src/research/find_hidden_file.nim +++ b/src/research/find_hidden_file.nim @@ -41,7 +41,8 @@ proc find_hidden_files(find_dir: string) = # From output of d_name, last node in folder that has so many nodes will has d_reclen > actual value # This is a fast method to check this logic happen. # Need to check carefully with multiple systems because input value is unpredictable - wrong_reclen = ($cast[cstring](addr(r_dir.d_name[r_dir.d_reclen - 1]))).endswith(save_node_name) + let tmp_string_from_chunk = $cast[cstring](addr(r_dir.d_name[r_dir.d_reclen - 1])) + wrong_reclen = tmp_string_from_chunk.endswith(save_node_name) and tmp_string_from_chunk != save_node_name discard f_dir.closedir() From 573034769b3b6a6cefbfbd9b8dc14bd4fada344e Mon Sep 17 00:00:00 2001 From: Nong Hoang Tu Date: Mon, 14 Oct 2024 15:32:19 +0700 Subject: [PATCH 2/2] Do not check for hidden file in last node since all solutions can't fix false positive --- src/research/find_hidden_file.nim | 41 +++++++++++++++++++++++-------- 1 file changed, 31 insertions(+), 10 deletions(-) diff --git a/src/research/find_hidden_file.nim b/src/research/find_hidden_file.nim index b6966d3..409ffc3 100644 --- a/src/research/find_hidden_file.nim +++ b/src/research/find_hidden_file.nim 
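Review bot: The new `tmp_string_from_chunk` line indexes `d_name` with `r_dir.d_reclen - 1`, and `d_reclen` is a `cushort` read from the very libc this tool assumes may be hooked, so a zero record length wraps the index to 65535 and either trips the bounds check or, in an unchecked build, reads out of bounds. Since the heuristic already treats `d_reclen` as untrusted, guard the low end as well as the high end before using it as an index, e.g. `if r_dir.d_reclen == 0 or r_dir.d_reclen >= 256: save_node_name = ""` (the existing `>= 256` guard is outside this hunk; I am inferring its shape from the second patch). Note also that `$cast[cstring](...)` runs an unbounded `strlen` starting at a byte past the record `readdir` returned, so the comment block above should state the dependency plainly: `# Reads beyond the current dirent into libc's readdir buffer; relies on the Linux dirent layout and may hit unrelated bytes at the end of that buffer`. find_hidden_files begins before this hunk.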
@@ -2,6 +2,26 @@ import posix import strutils +# {.emit: """ + +# #include + + +# unsigned short calculate_reclen(char *filename) { +# // Calculate normal size +# size_t reclen = offsetof(struct dirent, d_name) + strlen(filename) + 1; + +# // Calculate the real size based on system's arch +# reclen = (reclen + sizeof(void*) - 1) & ~(sizeof(void*) - 1); + +# return (unsigned short)reclen; +# } +# """.} + + +# proc calculate_reclen(file_name: cstring): cushort {.importc: "calculate_reclen".} + + proc find_hidden_files(find_dir: string) = #[ Find hidden file / folder by node's d_name comparsion @@ -16,18 +36,22 @@ proc find_hidden_files(find_dir: string) = var f_dir = opendir(cstring(find_dir)) save_node_name: string - wrong_reclen = false + # wrong_reclen = false + # actual_reclen: cushort while true: var r_dir: ptr Dirent = readdir(f_dir) if r_dir == nil: - if not isEmptyOrWhiteSpace(save_node_name) and not wrong_reclen: - echo "Malware (last): ", save_node_name + # if not isEmptyOrWhiteSpace(save_node_name): # and not wrong_reclen: + # echo "Malware (last): ", save_node_name break # Compare name of current node with save name from previous loop (which suppose to be name of this node if no function hooking) + # let str_file_name = $cast[cstring](addr(r_dir.d_name)) + + # if save_node_name != "" and save_node_name != str_file_name: if save_node_name != "" and save_node_name != $cast[cstring](addr(r_dir.d_name)): echo "Malware: ", save_node_name 
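Review bot: All twenty added lines are commented-out code, including an `{.emit.}` block whose `#include` directive carries no header name on this page (presumably `stddef.h` for `offsetof`, lost somewhere between editor and patch), so nothing in it is parsed or checked and it will rot silently. If `calculate_reclen` is meant to come back, gate it behind a compile-time switch instead of comments, e.g. `when defined(useCalcReclen):` around both the emit and the `importc` proc, so the compiler still sees it; otherwise delete it and keep the idea in one line such as `# Alternative (see git history): recompute d_reclen from strlen(d_name) and compare with the value libc reports`. The C helper rounds with `sizeof(void*)`, which is 4 on a 32-bit build and may not match the padding the kernel applies to directory records there — confirm before reviving it.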
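Review bot: With the `Malware (last)` report commented out in the `r_dir == nil` arm, a `save_node_name` that was peeked from the final record but never returned by `readdir` is now dropped silently, so a hook that hides the last entry of a directory (or anything after the last visible entry) is no longer detected; that blind spot should be written down where the check used to be, e.g. `# NOTE: the final entry is deliberately not checked (over-sized d_reclen on the last record caused false positives), so an entry hidden at the end of a directory is missed`. The `r_dir == nil` test also cannot distinguish end-of-directory from a `readdir` that fails or is made to stop early, and `f_dir` from `opendir` is passed to `readdir` without a nil check; both of those lines are context here, but an `if f_dir == nil: echo "opendir failed: ", find_dir; return` before the loop would at least turn a missing or unreadable directory into a visible error instead of a nil dereference. find_hidden_files continues past this hunk.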
@@ -36,14 +60,11 @@ proc find_hidden_files(find_dir: string) = if r_dir.d_reclen >= 256: save_node_name = "" else: - # Parse name of next node using location save_node_name = $cast[cstring](addr(r_dir.d_name[r_dir.d_reclen])) - # From output of d_name, last node in folder that has so many nodes will has d_reclen > actual value - # This is a fast method to check this logic happen. - # Need to check carefully with multiple systems because input value is unpredictable - let tmp_string_from_chunk = $cast[cstring](addr(r_dir.d_name[r_dir.d_reclen - 1])) - wrong_reclen = tmp_string_from_chunk.endswith(save_node_name) and tmp_string_from_chunk != save_node_name + # actual_reclen = calculate_reclen(cstring(str_file_name)) + # wrong_reclen = actual_reclen != r_dir.d_reclen + # save_node_name = if wrong_reclen: $cast[cstring](addr(r_dir.d_name[actual_reclen])) else: $cast[cstring](addr(r_dir.d_name[r_dir.d_reclen])) discard f_dir.closedir() -find_hidden_files("/usr/bin/") +find_hidden_files("/dev/shm")
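Review bot: The removed `# Parse name of next node using location` line was the only explanation of the surviving `save_node_name = $cast[cstring](addr(r_dir.d_name[r_dir.d_reclen]))`, which reads past the record `readdir` handed back and presumably relies on `d_name` sitting at the same offset in every record of libc's buffer; now that the surrounding comments are gone, restore a one-liner such as `# Peek at the next record's name via this record's length: assumes contiguous dirent records in libc's buffer (Linux layout), only safe while d_reclen < 256`. The three commented-out `actual_reclen` lines refer to `str_file_name`, which exists only in another commented-out line, so if they stay as a reminder they should say so (`# Disabled: recompute d_reclen and re-anchor the next name; needs str_file_name from above`). The top-level call now hard-codes `/dev/shm`, a directory that is not present on every system, and nothing in the file reports an `opendir` failure (that call is context in an earlier hunk); taking the target from the command line keeps the tool usable elsewhere, e.g. `import os` at the top and `find_hidden_files(if paramCount() >= 1: paramStr(1) else: "/dev/shm")`.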