From fb18180b6cc5e815090c7fdcdc2c397377d13704 Mon Sep 17 00:00:00 2001 From: stnonguy Date: Wed, 22 Nov 2017 21:28:38 +0100 Subject: [PATCH 1/5] added simple boot sector analyzer --- fishy/ntfs/ntfs_boot.py | 74 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 fishy/ntfs/ntfs_boot.py diff --git a/fishy/ntfs/ntfs_boot.py b/fishy/ntfs/ntfs_boot.py new file mode 100644 index 0000000..eed9053 --- /dev/null +++ b/fishy/ntfs/ntfs_boot.py 
@@ -0,0 +1,74 @@ +import os +import hashlib + +class NTFSMeta: + + """ init: open ntfs image + file: saves file name + """ + def __init__(self, file): + self.file = file + + if os.path.isfile(self.file): + # test.is_ntfs() TODO is this needed? + + else: + print ("file does not exist.") + return 0 + + """ is_altered: + compare boot sector with the backup boot sector (via hash values) + true: the sector was altered + false: the sector was not altered + """ + def is_altered(self): + offset = 512 # sector size TODO needs to be determined dynamically + try: + # open file + file = open(self.file, "rb") + data = file.read(offset) + # create hash value for boot sector + hash_boot = hashlib.md5() + hash_boot.update(data) + + # determine file size + statinfo = os.stat(self.file) + # skip to last partition (backup boot sector) + file.seek(statinfo.st_size - offset) + backup = file.read(offset) + # create hash value for backup boot sector + hash_back = hashlib.md5() + hash_back.update(backup) + + # compare hash values + if hash_boot.hexdigest() == hash_back.hexdigest(): + # nothing to do here + print("boot sector was not compromised.") + return False + else: + # compromised, further action required + return True + except IOError: + return 0 + finally: + file.close() + + def scanBoot(self): + with open(filename, "rb") as f: + offset = 512 + current_pos = 0 + last = os.stat(filename).st_size - offset + while current_pos < offset: + # switch cursor between current position at boot & backup sector + f.seek(0 + current_pos) + c = f.read(1) + f.seek(last + current_pos) + d = f.read(1) + if not c: + print "End of file" + break + if not c == d: + # do something + print c + current_pos = current_pos + 1 + From a1b547631b6334168c9b5307a36de050a94243e5 Mon Sep 17 00:00:00 2001 
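Review bot: In `__init__` the `if os.path.isfile(self.file):` branch contains only a comment, which Python rejects as a SyntaxError, so the module does not import as committed, and the `return 0` in the else branch would raise TypeError once it did, because `__init__` must return None. In is_altered the `finally: file.close()` also runs when `open(self.file, "rb")` itself failed, and at that point the local `file` is unbound, so a missing or unreadable image surfaces as NameError instead of reaching `except IOError`; opening with `with open(self.file, "rb") as file:` and dropping the finally removes that path. The `return 0` in the IOError handler mixes an int into a bool-returning method, so a caller writing `if not altered:` treats an unreadable image as unchanged — letting the error propagate is safer. Hashing two 512-byte buffers that are already in memory only to compare hex digests is `data == backup` with extra steps; the direct comparison is clearer and makes the choice of digest irrelevant. The docstring should also say that the method only reports that the primary and backup copies differ, not which one changed, and that it assumes the backup is the last 512 bytes of the image, which holds only when the image ends exactly at the end of the NTFS volume.
```python
    def is_altered(self):
        """ is_altered:
        return True when the boot sector and its backup copy differ.
        Only divergence between the two copies is reported, not which copy
        changed; the backup is assumed to be the last sector of the image.
        Raises OSError when the image cannot be read.
        """
        offset = 512  # sector size TODO needs to be determined dynamically
        with open(self.file, "rb") as file:
            data = file.read(offset)
            # skip to the last sector (backup boot sector)
            file.seek(os.stat(self.file).st_size - offset)
            backup = file.read(offset)
        return data != backup
```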
From: stnonguy Date: Wed, 29 Nov 2017 11:33:53 +0100 Subject: [PATCH 2/5] minor corrections --- fishy/ntfs/ntfs_boot.py | 41 ++++++++++++++++++++++++----------------- 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/fishy/ntfs/ntfs_boot.py b/fishy/ntfs/ntfs_boot.py index eed9053..d631379 100644 --- a/fishy/ntfs/ntfs_boot.py +++ b/fishy/ntfs/ntfs_boot.py @@ -3,32 +3,32 @@ class NTFSMeta: - """ init: open ntfs image - file: saves file name - """ - def __init__(self, file): + def __init__(self, file): + """ init: open ntfs image + file: saves file name + """ self.file = file if os.path.isfile(self.file): + print("ok") # test.is_ntfs() TODO is this needed? - else: print ("file does not exist.") return 0 - """ is_altered: - compare boot sector with the backup boot sector (via hash values) - true: the sector was altered - false: the sector was not altered - """ def is_altered(self): + """ is_altered: + compare boot sector with the backup boot sector (via hash values) + true: the sector was altered + false: the sector was not altered + """ offset = 512 # sector size TODO needs to be determined dynamically try: # open file file = open(self.file, "rb") data = file.read(offset) # create hash value for boot sector - hash_boot = hashlib.md5() + hash_boot = hashlib.sha256() hash_boot.update(data) # determine file size @@ -37,16 +37,17 @@ def is_altered(self): file.seek(statinfo.st_size - offset) backup = file.read(offset) # create hash value for backup boot sector - hash_back = hashlib.md5() + hash_back = hashlib.sha256() hash_back.update(backup) # compare hash values if hash_boot.hexdigest() == hash_back.hexdigest(): # nothing to do here - print("boot sector was not compromised.") + print ("boot sector was not compromised.") return False else: # compromised, further action required + print ("boot sector was compromised.") return True except IOError: return 0 
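Review bot: Swapping md5 for sha256 in is_altered changes nothing about what the check establishes: both digests are computed over 512-byte buffers that are already in memory and compared only for equality, so `if data == backup:` gives the same answer without hashlib and without any digest-strength question arising. The new `print("boot sector was compromised.")` overstates what a mismatch shows — the method only knows that the primary and backup copies differ, not which one was written, and a change applied to both copies alike is not visible to this comparison, so that limit belongs in the docstring rather than in a print asserting compromise. The `print("ok")` added to `__init__` leaves the missing-file case as a printed message followed by a constructed object whose methods fail on first use; `raise FileNotFoundError(file)` in the else branch fails at construction instead, and the same applies to the `__init__` hunks in [PATCH 4/5] and [PATCH 5/5].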
@@ -54,21 +55,27 @@ def is_altered(self): file.close() def scanBoot(self): - with open(filename, "rb") as f: + """ scanBoot: scans the boot sector for hidden data + """ + with open(self.file, "rb") as f: offset = 512 + # f.seek(0) jump to start of file needed? + pos = f.tell() current_pos = 0 last = os.stat(filename).st_size - offset while current_pos < offset: # switch cursor between current position at boot & backup sector - f.seek(0 + current_pos) + f.seek(pos + current_pos) c = f.read(1) f.seek(last + current_pos) d = f.read(1) if not c: - print "End of file" + print ("End of file") break if not c == d: # do something - print c + print(c) current_pos = current_pos + 1 + f.seek(pos) + From e8823d1145bae9abbe688b1126a227e44f117903 Mon Sep 17 00:00:00 2001 From: stnonguy Date: Wed, 29 Nov 2017 11:39:21 +0100 Subject: [PATCH 3/5] fixed tab lengths --- fishy/ntfs/ntfs_boot.py | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/fishy/ntfs/ntfs_boot.py b/fishy/ntfs/ntfs_boot.py index d631379..7695166 100644 --- a/fishy/ntfs/ntfs_boot.py +++ b/fishy/ntfs/ntfs_boot.py @@ -3,12 +3,12 @@ class NTFSMeta: - def __init__(self, file): + def __init__(self, file): """ init: open ntfs image - file: saves file name + file: saves file name """ self.file = file - + if os.path.isfile(self.file): print("ok") # test.is_ntfs() TODO is this needed? @@ -18,9 +18,9 @@ def __init__(self, file): def is_altered(self): """ is_altered: - compare boot sector with the backup boot sector (via hash values) - true: the sector was altered - false: the sector was not altered + compare boot sector with the backup boot sector (via hash values) + true: the sector was altered + false: the sector was not altered """ offset = 512 # sector size TODO needs to be determined dynamically try: 
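Review bot: `last = os.stat(filename).st_size - offset` in scanBoot still refers to `filename`, which is not defined anywhere in the class, while the `open()` call two lines above was changed to `self.file`; the method raises NameError before the loop runs, and the line should read `last = os.stat(self.file).st_size - offset`. The new `pos = file.tell()` taken right after open is always 0, so the `# f.seek(0) jump to start of file needed?` question is answered by dropping both and seeking from 0 directly. The trailing `f.seek(pos)` restores a position nobody reads, since the with block closes the handle immediately afterwards.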
@@ -30,7 +30,7 @@ def is_altered(self): # create hash value for boot sector hash_boot = hashlib.sha256() hash_boot.update(data) - + # determine file size statinfo = os.stat(self.file) # skip to last partition (backup boot sector) @@ -39,7 +39,7 @@ def is_altered(self): # create hash value for backup boot sector hash_back = hashlib.sha256() hash_back.update(backup) - + # compare hash values if hash_boot.hexdigest() == hash_back.hexdigest(): # nothing to do here @@ -59,7 +59,7 @@ def scanBoot(self): """ with open(self.file, "rb") as f: offset = 512 - # f.seek(0) jump to start of file needed? + # f.seek(0) jump to start of file needed? pos = f.tell() current_pos = 0 last = os.stat(filename).st_size - offset @@ -70,12 +70,13 @@ def scanBoot(self): f.seek(last + current_pos) d = f.read(1) if not c: - print ("End of file") - break + print ("End of file") + break if not c == d: - # do something - print(c) + # do something + print(c) current_pos = current_pos + 1 f.seek(pos) + f.close() From a0a3d9d3d4ba01f7384e8b2e33aaaef6b19d3378 Mon Sep 17 00:00:00 2001 From: stnonguy Date: Wed, 29 Nov 2017 11:57:15 +0100 Subject: [PATCH 4/5] some code fixes --- fishy/ntfs/ntfs_boot.py | 61 ++++++++++++++++++++--------------------- 1 file changed, 30 insertions(+), 31 deletions(-) diff --git a/fishy/ntfs/ntfs_boot.py b/fishy/ntfs/ntfs_boot.py index 7695166..86c8814 100644 --- a/fishy/ntfs/ntfs_boot.py +++ b/fishy/ntfs/ntfs_boot.py 
@@ -1,22 +1,24 @@ +""" +interface for ntfs boot sector +""" import os import hashlib -class NTFSMeta: - +class NTFSMeta: + """ class to analyze and scan boot sector of ntfs systems. + """ def __init__(self, file): """ init: open ntfs image file: saves file name - """ + """ self.file = file - - if os.path.isfile(self.file): + if os.path.isfile(self.file): print("ok") # test.is_ntfs() TODO is this needed? else: - print ("file does not exist.") - return 0 + print("file does not exist.") - def is_altered(self): + def is_altered(self): """ is_altered: compare boot sector with the backup boot sector (via hash values) true: the sector was altered @@ -30,7 +32,6 @@ def is_altered(self): # create hash value for boot sector hash_boot = hashlib.sha256() hash_boot.update(data) - # determine file size statinfo = os.stat(self.file) # skip to last partition (backup boot sector) 
@@ -39,44 +40,42 @@ def is_altered(self): # create hash value for backup boot sector hash_back = hashlib.sha256() hash_back.update(backup) - # compare hash values if hash_boot.hexdigest() == hash_back.hexdigest(): # nothing to do here - print ("boot sector was not compromised.") + print("boot sector was not compromised.") return False else: # compromised, further action required - print ("boot sector was compromised.") + print("boot sector was compromised.") return True except IOError: return 0 finally: file.close() - def scanBoot(self): - """ scanBoot: scans the boot sector for hidden data + def scan_boot_sector(self): + """ scan_boot_sector: scans the boot sector for hidden data """ - with open(self.file, "rb") as f: + with open(self.file, "rb") as file: offset = 512 - # f.seek(0) jump to start of file needed? - pos = f.tell() + # file.seek(0) jump to start of file needed? + pos = file.tell() current_pos = 0 - last = os.stat(filename).st_size - offset + last = os.stat(self.file).st_size - offset while current_pos < offset: # switch cursor between current position at boot & backup sector - f.seek(pos + current_pos) - c = f.read(1) - f.seek(last + current_pos) - d = f.read(1) - if not c: - print ("End of file") - break - if not c == d: - # do something - print(c) + file.seek(pos + current_pos) + boot_c = file.read(1) + file.seek(last + current_pos) + back_c = file.read(1) + if not boot_c: + print("End of file") + break + if boot_c != back_c: + # do something + print(boot_c) current_pos = current_pos + 1 - f.seek(pos) - f.close() - + file.seek(pos) + file.close() From 4a84189791a73ddd09989bd200ab4972b5f42354 Mon Sep 17 00:00:00 2001 From: stnonguy Date: Wed, 29 Nov 2017 12:40:01 +0100 Subject: [PATCH 5/5] more changes --- fishy/ntfs/ntfs_boot.py | 142 ++++++++++++++++++++-------------------- 1 file changed, 71 insertions(+), 71 deletions(-) diff --git a/fishy/ntfs/ntfs_boot.py b/fishy/ntfs/ntfs_boot.py index 86c8814..ecd95f9 100644 --- a/fishy/ntfs/ntfs_boot.py 
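Review bot: The `file.close()` at the end of scan_boot_sector sits inside the `with open(...) as file:` block, which already closes the handle on exit, so the explicit call is redundant, and the `file.seek(pos)` before it repositions a handle that is about to close. The loop also issues two seek+read(1) pairs per byte — 2048 system calls for one sector — and on an image shorter than 512 bytes `last` goes negative, so `file.seek(last + current_pos)` raises OSError before anything is reported. Reading both sectors once and walking them with `enumerate(zip(boot, backup))` removes the per-byte seeks and lets the method report the offset of each differing byte rather than printing the raw byte, and a size check up front turns the OSError into a clear error; note that iterating bytes in Python 3 yields ints, so the printed value changes from `b'x'` to its integer value.
```python
    def scan_boot_sector(self):
        """ scan_boot_sector: report the offset of every byte where the boot
        sector and its backup copy differ
        """
        offset = 512
        size = os.stat(self.file).st_size
        if size < 2 * offset:
            raise ValueError("image too small to hold a boot sector and its backup")
        with open(self.file, "rb") as file:
            boot = file.read(offset)
            # backup boot sector is assumed to be the last sector of the image
            file.seek(size - offset)
            backup = file.read(offset)
        for pos, (boot_c, back_c) in enumerate(zip(boot, backup)):
            if boot_c != back_c:
                # do something
                print(pos, boot_c)
```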
+++ b/fishy/ntfs/ntfs_boot.py 
@@ -5,77 +5,77 @@ import hashlib class NTFSMeta: - """ class to analyze and scan boot sector of ntfs systems. - """ - def __init__(self, file): - """ init: open ntfs image - file: saves file name - """ - self.file = file - if os.path.isfile(self.file): - print("ok") - # test.is_ntfs() TODO is this needed? - else: - print("file does not exist.") + """ class to analyze and scan boot sector of ntfs systems. + """ + def __init__(self, stream): + """ init: open ntfs image + file: saves file name + """ + self.stream = stream + if os.path.isfile(self.stream): + print("ok") + # test.is_ntfs() TODO is this needed? + else: + print("file does not exist.") - def is_altered(self): - """ is_altered: - compare boot sector with the backup boot sector (via hash values) - true: the sector was altered - false: the sector was not altered - """ - offset = 512 # sector size TODO needs to be determined dynamically - try: - # open file - file = open(self.file, "rb") - data = file.read(offset) - # create hash value for boot sector - hash_boot = hashlib.sha256() - hash_boot.update(data) - # determine file size - statinfo = os.stat(self.file) - # skip to last partition (backup boot sector) - file.seek(statinfo.st_size - offset) - backup = file.read(offset) - # create hash value for backup boot sector - hash_back = hashlib.sha256() - hash_back.update(backup) - # compare hash values - if hash_boot.hexdigest() == hash_back.hexdigest(): - # nothing to do here - print("boot sector was not compromised.") - return False - else: - # compromised, further action required - print("boot sector was compromised.") - return True - except IOError: - return 0 - finally: - file.close() + def is_altered(self): + """ is_altered: + compare boot sector with the backup boot sector (via hash values) + true: the sector was altered + false: the sector was not altered + """ + offset = 512 # sector size TODO needs to be determined dynamically + try: + # open file + file = open(self.stream, "rb") + data = 
file.read(offset) + # create hash value for boot sector + hash_boot = hashlib.sha256() + hash_boot.update(data) + # determine file size + statinfo = os.stat(self.stream) + # skip to last partition (backup boot sector) + file.seek(statinfo.st_size - offset) + backup = file.read(offset) + # create hash value for backup boot sector + hash_back = hashlib.sha256() + hash_back.update(backup) + # compare hash values + if hash_boot.hexdigest() == hash_back.hexdigest(): + # nothing to do here + print("boot sector was not compromised.") + return False + else: + # compromised, further action required + print("boot sector was compromised.") + return True + except IOError: + return 0 + finally: + file.close() - def scan_boot_sector(self): - """ scan_boot_sector: scans the boot sector for hidden data - """ - with open(self.file, "rb") as file: - offset = 512 - # file.seek(0) jump to start of file needed? - pos = file.tell() - current_pos = 0 - last = os.stat(self.file).st_size - offset - while current_pos < offset: - # switch cursor between current position at boot & backup sector - file.seek(pos + current_pos) - boot_c = file.read(1) - file.seek(last + current_pos) - back_c = file.read(1) - if not boot_c: - print("End of file") - break - if boot_c != back_c: - # do something - print(boot_c) - current_pos = current_pos + 1 - file.seek(pos) - file.close() + def scan_boot_sector(self): + """ scan_boot_sector: scans the boot sector for hidden data + """ + with open(self.stream, "rb") as file: + offset = 512 + # file.seek(0) jump to start of file needed? 
+ pos = file.tell() + current_pos = 0 + last = os.stat(self.stream).st_size - offset + while current_pos < offset: + # switch cursor between current position at boot & backup sector + file.seek(pos + current_pos) + boot_c = file.read(1) + file.seek(last + current_pos) + back_c = file.read(1) + if not boot_c: + print("End of file") + break + if boot_c != back_c: + # do something + print(boot_c) + current_pos = current_pos + 1 + file.seek(pos) + file.close()
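Review bot: Renaming the constructor parameter from `file` to `stream` does not match how the value is used: `os.path.isfile(self.stream)`, `open(self.stream, "rb")` and `os.stat(self.stream)` all require a filesystem path, and the docstring still reads `file: saves file name`. Either keep the value as a path and name it `path`, updating the docstring to `path: path of the ntfs image`, or accept a real binary stream and replace the isfile/open/stat calls with `stream.seek`/`stream.read` — as written, a caller that passes a file object fails in `os.path.isfile`, which does not accept a file object. The `finally: file.close()` in is_altered, which raises NameError when `open()` itself fails, and the redundant `file.close()` inside the with block of scan_boot_sector carry over from the earlier hunks; this hunk re-indents both but addresses neither.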