@pavel-odintsov
Created October 31, 2013 15:58
Script for scanning files loaded in memory
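#!/usr/bin/perl
# Author Pavel Odintsov
# pavel.odintsov@gmail.com
#
# Collect every on-disk file that a running process currently holds "in
# memory" -- its executable, its open file descriptors and its file-backed
# mappings (shared libraries, mmap'ed files) -- and hand the de-duplicated
# list to clamscan together with the maldet signature databases.
#
# Run as root: /proc/<pid>/exe, fd/ and maps of other users' processes are
# not readable otherwise, and such processes are skipped with a warning.
# A target ending in " (deleted)" is reported but not scanned, because the
# file is gone from disk; a process still running from an unlinked binary
# (or a memfd) is itself a strong indicator worth manual inspection.
# Paths are tested in this script's own mount namespace, so files of
# containerised processes that do not exist at the same path on the host
# are skipped silently.
#
# Exit status is clamscan's: 0 clean, 1 infected files found, 2 error
# (the original script always exited 0, even on infection).
use strict;
use warnings;
use File::Temp qw(tempfile);

my %seen;    # absolute path => 1, de-duplicated across all processes

# Add one readlink()/maps target to the scan set, dropping everything that
# is not a regular on-disk file.  $what names the source ('exe', 'fd N',
# 'map') for diagnostics only.  Returns nothing.
sub add_target {
    my ($pid, $what, $target) = @_;
    return unless defined $target;

    # socket:[n], pipe:[n], anon_inode:[n], [heap], [stack] ... live only in
    # the kernel; /dev nodes and directories fail the -f test below.
    return unless $target =~ m{\A/};

    if ($target =~ s/ \(deleted\)\z//) {
        warn "pid $pid: $what points to deleted file $target - cannot scan, inspect manually\n";
        return;
    }

    # clamscan's --file-list is newline-delimited, so a path containing a
    # newline (legal on Linux) would be split into attacker-chosen entries.
    # Refuse it rather than let it rewrite the list.
    if ($target =~ /\n/) {
        warn "pid $pid: $what path contains a newline, skipped\n";
        return;
    }

    return unless -f $target;
    $seen{$target} = 1;
    return;
}

opendir my $proc, '/proc' or die "Can't open /proc: $!";
my @pids = grep { /\A\d+\z/ } readdir $proc;    # numeric names only; excludes . and ..
closedir $proc;

for my $pid (@pids) {
    # A process may exit between the /proc listing and these reads.  That
    # is expected on a live system, so keep going instead of dying.

    # 1. the executable itself
    my $exe = readlink "/proc/$pid/exe";
    if (defined $exe) {
        add_target($pid, 'exe', $exe);
    }
    elsif ($!{EACCES}) {
        warn "pid $pid: /proc/$pid/exe not readable (run as root?)\n";
    }
    # ENOENT here means a kernel thread: it has no executable, nothing to scan.

    # 2. open file descriptors
    if (opendir my $fds, "/proc/$pid/fd") {
        for my $fd (grep { /\A\d+\z/ } readdir $fds) {
            my $target = readlink "/proc/$pid/fd/$fd";    # undef if the fd was closed meanwhile
            add_target($pid, "fd $fd", $target);
        }
        closedir $fds;
    }
    elsif (!$!{ENOENT}) {
        warn "pid $pid: can't open /proc/$pid/fd: $!\n";
    }

    # 3. file-backed mappings.  A library is usually mmap'ed and its
    #    descriptor closed right away, so an exe/fd walk alone misses every
    #    injected or preloaded shared object.  Unreadable maps (EACCES) are
    #    already covered by the exe warning above.
    if (open my $maps, '<', "/proc/$pid/maps") {
        while (my $line = <$maps>) {
            chomp $line;
            # address perms offset dev inode [pathname]; the limit keeps a
            # pathname containing spaces (e.g. "... (deleted)") in one field.
            my @field = split ' ', $line, 6;
            add_target($pid, 'map', $field[5]) if @field == 6;
        }
        close $maps;
    }
}

my @files = sort keys %seen;
if (!@files) {
    warn "nothing to scan\n";
    exit 0;
}

# The list goes into a private O_EXCL temp file rather than a predictable
# name in the current directory (which may be writable by the user under
# investigation), and is closed before clamscan starts so that the buffered
# content is actually on disk when clamscan reads it.
my ($list_fh, $list_path) = tempfile('files_to_scan.XXXXXX', TMPDIR => 1, UNLINK => 1);
print {$list_fh} "$_\n" for @files;
close $list_fh or die "Can't write $list_path: $!";

# List form: no shell, so $list_path is never re-parsed by /bin/sh.
my @clamscan = (
    'clamscan', "--file-list=$list_path", '--infected',
    '-d', '/usr/local/maldetect/sigs/rfxn.ndb',
    '-d', '/usr/local/maldetect/sigs/rfxn.hdb',
    '-d', '/var/lib/clamav',
);
my $rc = system(@clamscan);
die "Can't run clamscan: $!\n" if $rc == -1;
die "clamscan killed by signal " . ($? & 127) . "\n" if $? & 127;

my $status = $? >> 8;    # clamscan: 0 clean, 1 infected, 2 error
warn "clamscan reported an error (exit 2), results are incomplete\n" if $status == 2;
exit $status;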