Replace fixme and other by fucntion's documentation

dmknght · Oct 12, 2024 · 6208a45 · 6208a45
1 parent 9ae38b9
commit 6208a45
Showing 1 changed file with 13 additions and 9 deletions.
diff --git a/src/research/find_hidden_file.nim b/src/research/find_hidden_file.nim
@@ -3,25 +3,30 @@ import strutils
 
 
 proc find_hidden_files(find_dir: string) =
-  # FIXME: if there are 2 hidden files like aaaa, aaab -> likely this loop will miss aaab and skip to aaac. It's technical issue
-  # FIXME: if the node before malware has the name too long, this script can't get the name of next node hence can't detect
+  #[
+    Find hidden file / folder by node's d_name comparsion
+    1. Get name of current node
+    2. Get the name of next node in d_name (d_name[255] could contain next node's name depends on lenght)
+      # BUG: either 1 name is too long -> can't get the value -> bypass
+    3. Compare the name from d_name with current node's name (if hidden by malware -> different)
+      # BUG: if 2 hidden nodes are next to each other, the 2nd hidden won't be detected
+    4. If current node is nil (previous node was last node) then break. (next node's name from previous loop should be null)
+      # BUG:If current folder has too many node, it will show false positive at step 4.
+  ]#
   var
     f_dir = opendir(cstring(find_dir))
     save_node_name: string
-  
+
   while true:
     var
       r_dir: ptr Dirent = readdir(f_dir)
 
     if r_dir == nil:
-      # FIXED: missing hidden file in /dev/shm with perfctl linux rootkit. Reason: hidden file is the last link in node
-      # FIXME false positive (?) /usr/bin/make-first-existing-target (belong to package `make`)
       if not isEmptyOrWhiteSpace(save_node_name):
-        echo "Malware: ", save_node_name
+        echo "Malware (last): ", save_node_name
       break
 
     # Compare name of current node with save name from previous loop (which suppose to be name of this node if no function hooking)
-    # FIXED: if the name of next node is too long, only starts with is correct (which also can cause false positive). Parse using cast[cstring] fixed it (no NULL)
     if save_node_name != "" and save_node_name != $cast[cstring](addr(r_dir.d_name)):
       echo "Malware: ", save_node_name
 
@@ -31,9 +36,8 @@ proc find_hidden_files(find_dir: string) =
       save_node_name = ""
     else:
       # Parse name of next node using location
-      # FIXED: validate value if next node's name is very long so it doesnt end with NULL
       save_node_name = $cast[cstring](addr(r_dir.d_name[r_dir.d_reclen]))
 
   discard f_dir.closedir()
 
-find_hidden_files("/dev/shm/")
+find_hidden_files("/usr/lib/x86_64-linux-gnu/")