hub / github.com/jipegit/OSXAuditor / ParseStartupItems

Function ParseStartupItems

osxauditor.py:422–444

Parse the StartupItems plist and hash its program argument

(StartupItemsPath)

Source from the content-addressed store, hash-verified

    # (tail of the preceding function)
    DbConnection.close()

# Python 2 code: relies on the module-level imports (os, time), the global
# HASHES list and the helpers PrintAndLog, UniversalReadPlist and BigFileMd5.
def ParseStartupItems(StartupItemsPath):
    ''' Parse the StartupItems plist and hash its program argument '''

    StartupItemsPlist = False
    NbStartupItems = 0

    # Each entry under StartupItemsPath is expected to be a directory
    # holding a StartupParameters.plist
    for StartupItems in os.listdir(StartupItemsPath):
        StartupItemsPlistPath = os.path.join(StartupItemsPath, StartupItems, 'StartupParameters.plist')

        PrintAndLog(StartupItemsPlistPath, 'DEBUG')
        StartupItemsPlist = UniversalReadPlist(StartupItemsPlistPath)

        if StartupItemsPlist:
            if 'Provides' in StartupItemsPlist:
                # Only the first 'Provides' entry is resolved to a file and hashed
                FilePath = os.path.join(StartupItemsPath, StartupItems, StartupItemsPlist['Provides'][0])
                Md5 = BigFileMd5(FilePath)
                if Md5:
                    # Record each hash once in the global HASHES list
                    if Md5 not in HASHES:
                        HASHES.append(Md5)
                    # Log the hash, the path and the file's mtime and ctime
                    PrintAndLog(Md5 + u' '+ FilePath.decode('utf-8') + u' - ' + time.ctime(os.path.getmtime(FilePath)) + u' - ' + time.ctime(os.path.getctime(FilePath))+ u'\n', 'INFO')
        NbStartupItems += 1
    if NbStartupItems == 0:
        PrintAndLog(StartupItemsPath.decode('utf-8') + u' is empty', 'INFO')

def ParseLaunchAgents(AgentsPath):
    ''' Parse a LaunchAgent plist and hash its program argument. Also look for suspicious keywords in the plist itself '''

Callers 1

ParseStartup (Function) · 0.85

Calls 3

PrintAndLog (Function) · 0.85
UniversalReadPlist (Function) · 0.85
BigFileMd5 (Function) · 0.85

Tested by

no test coverage detected