hashlookup-forensic-analyser version 1.0 released
A new version of hashlookup-forensic-analyser has been released, including a new --live-linux option that checks whether the binaries behind the processes running on a Linux machine are known or unknown to the hashlookup service.
Version 1.0 is considered stable following the feedback received from users. Don't hesitate to provide feedback or ideas by opening issues.
New --live-linux option
python3 hashlookup-analyser.py --cache --print-unknown --live-linux
The option reads the /proc directory to enumerate all running processes. Because /proc/PID/exe points to the executable file each process was started from, hashing it quickly tells you which running processes come from known or unknown files on the hashlookup service. Note that this hashes the executable backing each process, not the process memory: code injected or modified at runtime is not reflected, and an interpreted script shows up as its interpreter. Reading /proc/PID/exe of processes owned by other users requires root.
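As an added example (not code from the hashlookup-forensic-analyser project), the mechanism behind --live-linux written out in Python: enumerate the numeric entries of /proc, hash each PID's exe link with SHA-1, look every distinct hash up once and split the processes into known and unknown. The hashlookup endpoint GET /lookup/sha1/<hash> with 200 for known and 404 for unknown is assumed from the public hashlookup API; demo() runs offline against a constructed fake proc tree with a stub lookup, so nothing here touches a real system or the network unless you run the live scan at the bottom.

```python
"""Added example: enumerate running Linux processes through /proc, hash each
/proc/PID/exe with SHA-1 and split them into known/unknown through a
hashlookup-style lookup. Not the project's own code."""
import hashlib
import os
import tempfile
import urllib.error
import urllib.request
from pathlib import Path
from typing import Callable, Dict, List, Tuple

ProcMap = Dict[str, List[Tuple[int, str]]]  # sha1 -> [(pid, exe target), ...]


def sha1_of_file(path: str) -> str:
    """SHA-1 of the file behind `path`, read in chunks so large binaries do not
    land in memory at once. SHA-1 is used for lookup coverage, not security."""
    h = hashlib.sha1()  # nosec: forensic identifier, not a security primitive
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_running_processes(proc_root: str = "/proc") -> ProcMap:
    """Walk the numeric entries of proc_root and hash each PID's exe link.

    Opening /proc/PID/exe itself (not the path it resolves to) makes the kernel
    serve the mapped executable even when the file was deleted from disk.
    Entries without an exe link (kernel threads) or without permission (other
    users' processes when not root) are skipped rather than aborting the scan.
    """
    by_hash: ProcMap = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # /proc/self, /proc/sys, ... are not processes
        exe = os.path.join(proc_root, entry, "exe")
        try:
            target = os.readlink(exe)  # e.g. "/usr/bin/bash" or "/tmp/x (deleted)"
            digest = sha1_of_file(exe)
        except OSError:
            continue
        by_hash.setdefault(digest, []).append((int(entry), target))
    return by_hash


def classify(by_hash: ProcMap, is_known: Callable[[str], bool]) -> Tuple[ProcMap, ProcMap]:
    """One lookup per distinct hash, not per PID: many processes share a binary."""
    known: ProcMap = {}
    unknown: ProcMap = {}
    for digest, procs in by_hash.items():
        (known if is_known(digest) else unknown)[digest] = procs
    return known, unknown


def hashlookup_is_known(digest: str, base_url: str = "https://hashlookup.circl.lu") -> bool:
    """Query the public hashlookup API (assumed endpoint GET /lookup/sha1/<hash>,
    200 = known, 404 = unknown). Network access required; not used by demo()."""
    req = urllib.request.Request(f"{base_url}/lookup/sha1/{digest}",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


def demo() -> dict:
    """Constructed, offline sample: a fake proc tree with two processes sharing
    one binary, one running another binary, a kernel-thread-like PID with no
    exe link and a non-numeric entry. The stub lookup only knows the first binary."""
    root = Path(tempfile.mkdtemp())
    shell = root / "bin" / "sh"
    dropper = root / "bin" / "dropper"
    shell.parent.mkdir()
    shell.write_bytes(b"\x7fELF constructed sample: shell")      # constructed content
    dropper.write_bytes(b"\x7fELF constructed sample: dropper")  # constructed content
    proc = root / "proc"
    for pid, binary in ((101, shell), (102, shell), (203, dropper)):
        (proc / str(pid)).mkdir(parents=True)
        os.symlink(binary, proc / str(pid) / "exe")
    (proc / "7").mkdir()      # kernel thread: no exe link, must be skipped
    (proc / "self").mkdir()   # non-numeric entry, must be skipped
    known_hashes = {sha1_of_file(str(shell))}
    by_hash = hash_running_processes(str(proc))
    known, unknown = classify(by_hash, lambda d: d in known_hashes)
    return {
        "distinct_hashes": len(by_hash),
        "known_pids": sorted(pid for procs in known.values() for pid, _ in procs),
        "unknown_pids": sorted(pid for procs in unknown.values() for pid, _ in procs),
    }


if __name__ == "__main__":
    print(demo())  # {'distinct_hashes': 2, 'known_pids': [101, 102], 'unknown_pids': [203]}
    if os.path.isdir("/proc"):  # live scan, like --live-linux --print-unknown
        _, live_unknown = classify(hash_running_processes(), hashlookup_is_known)
        for digest, procs in live_unknown.items():
            print("unknown", digest, procs)
```

Run the live scan as root so that every process's exe link is readable; without root you only see your own processes and the scan silently skips the rest, which is exactly the gap an attacker's process would hide in. Deduplicating by hash before the lookup keeps the number of service queries at the number of distinct binaries rather than the number of PIDs.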
Complete changelog available below:
v1.0 (2022-05-07)
New
- [progress] disable progress option --disable-progress as progress is by default nowadays. [Alexandre Dulaunoy]
- [live_linux] new --live-linux option to display known and unknown processes running from a running linux instance. [Alexandre Dulaunoy] The process hashes are read from the /proc/PID/exe which is the actual file running before being loaded in memory.
Changes
- [lint] increase code complexity. [Alexandre Dulaunoy]
- [code] black -S [Alexandre Dulaunoy]
- [hash] skip bandit check on weak hash. [Alexandre Dulaunoy]
- [hashlib] the library is not used for security per se but for forensic and use SHA1 as the lookup service gives more potential results in SHA1 (due to old NSRL dataset) [Alexandre Dulaunoy]
- [file] black -S [Alexandre Dulaunoy]
- [doc] updated with new options. [Alexandre Dulaunoy]
Fix
- [action] remove mypy too many FP ref -> python/mypy#12246. [Alexandre Dulaunoy]