Parse a LaunchAgent plist and hash its program argument. Also look for suspicious keywords in the plist itself
(AgentsPath)
| 444 | PrintAndLog(StartupItemsPath.decode('utf-8') + u' is empty', 'INFO') |
| 445 | |
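def ParseLaunchAgents(AgentsPath):
    ''' Parse every LaunchAgent/LaunchDaemon plist found directly in AgentsPath, hash the
    program each one launches and look for suspicious keywords in its program arguments.

    AgentsPath -- directory containing the plist files (byte-string path; the log lines
                  decode it as UTF-8 like the rest of this file does)
    Returns nothing. Findings go to PrintAndLog; every new digest is appended to HASHES.
    os.listdir raises OSError when AgentsPath does not exist, as before.
    '''

    # Substrings that hint at a shell or network payload hidden in the launch arguments
    SuspiciousPlist = ['exec', 'socket', 'open', 'connect', '/dev/tcp/', '/bin/sh']

    def HashAndLogProgram(FilePath):
        ''' Hash the launched binary; log digest, path, mtime and ctime the first time a digest is seen '''
        Md5 = BigFileMd5(FilePath)
        if not Md5 or Md5 in HASHES:
            return
        HASHES.append(Md5)
        # One column order (mtime, then ctime) for both the Program and the
        # ProgramArguments cases so the log lines can be compared with each other
        PrintAndLog(Md5 + u' ' + FilePath.decode('utf-8') + u' - '
                    + time.ctime(os.path.getmtime(FilePath)) + u' - '
                    + time.ctime(os.path.getctime(FilePath)) + u'\n', 'INFO')

    NbLaunchAgents = 0
    for LaunchAgent in os.listdir(AgentsPath):
        # Counted at the top of the loop so that no early 'continue' can skip an entry
        # (the 'Program' branch used to bypass the counter and report a false "is empty")
        NbLaunchAgents += 1
        LaunchAgentPlistpath = os.path.join(AgentsPath, LaunchAgent)
        PrintAndLog(LaunchAgentPlistpath, 'DEBUG')

        # UniversalReadPlist is expected to return a falsy value for a file it cannot parse
        LaunchAgentPlist = UniversalReadPlist(LaunchAgentPlistpath)
        if not LaunchAgentPlist or 'Label' not in LaunchAgentPlist:
            continue

        Arguments = LaunchAgentPlist['ProgramArguments'] if 'ProgramArguments' in LaunchAgentPlist else []

        # The executable comes from 'Program' when present, otherwise from the first
        # ProgramArguments entry; an empty argument list has no executable to hash
        if 'Program' in LaunchAgentPlist:
            HashAndLogProgram(LaunchAgentPlist['Program'])
        elif Arguments:
            HashAndLogProgram(Arguments[0])

        # Scan every argument after the executable (not only the third one, and also
        # when 'Program' is present), so a payload in any position is reported
        for Argument in Arguments[1:]:
            if any(Keyword in Argument for Keyword in SuspiciousPlist):
                PrintAndLog(Argument.decode('utf-8') + u' in '
                            + LaunchAgentPlistpath.decode('utf-8') + u' looks suspicious', 'WARNING')

    if NbLaunchAgents == 0:
        PrintAndLog(AgentsPath.decode('utf-8') + u' is empty', 'INFO')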
| 482 | |
| 483 | def ParseStartup(): |
| 484 | ''' Parse the different LauchAgents and LaunchDaemons ''' |