MCPcopy Index your code
hub / github.com/LCBOWER33/StegoScan / elf_check

Function elf_check

StegoScan.py:1273–1307  ·  view source on GitHub ↗

Main function to check if the file is an ELF executable and detect malware traits.

(output_dir)

Source from the content-addressed store, hash-verified

1271
1272
1273def elf_check(output_dir):
1274 """Main function to check if the file is an ELF executable and detect malware traits."""
1275 for dirpath, dirnames, filenames in os.walk(output_dir):
1276 for filename in tqdm(filenames, desc="ELF test: "):
1277 file_path = os.path.join(dirpath, filename)
1278 # print(file_path)
1279 is_elf = (
1280 is_elf_using_magic(file_path) or
1281 is_elf_using_yara(file_path) or
1282 check_with_file_command(file_path)
1283 )
1284
1285 if is_elf:
1286 elf_dir = os.path.join(results_folder, "elf")
1287 os.makedirs(elf_dir, exist_ok=True)
1288
1289 shutil.copy(file_path, f"{elf_dir}/{filename}")
1290 # print(f"[+] {file_path} is an ELF file.")
1291
1292 # Check for suspicious traits
1293 if is_suspicious_elf(file_path):
1294 prGreen(f"[!] WARNING: {file_path} may contain suspicious traits (packed, obfuscated, or malicious).")
1295
1296 # Check entropy for potential obfuscation
1297 entropy = calculate_entropy(file_path)
1298 # print(f"[*] File entropy: {entropy:.2f}")
1299 if entropy > 7:
1300 pass
1301 # print("[!] High entropy detected – possible packing or encryption.")
1302 elif entropy > 7.5:
1303 pass
1304 # print("very high")
1305 else:
1306 prRed(f"[-] {file_path} is NOT an ELF file.")
1307 prGreen("ELF TEST DONE")
1308
1309
1310# --------------------------------------------------------------

Callers 1

mainFunction · 0.85

Calls 7

is_elf_using_magicFunction · 0.85
is_elf_using_yaraFunction · 0.85
check_with_file_commandFunction · 0.85
is_suspicious_elfFunction · 0.85
prGreenFunction · 0.85
calculate_entropyFunction · 0.85
prRedFunction · 0.85

Tested by

no test coverage detected