time_search_file

grayddq · May 7, 2019 · d00c344 · d00c344
1 parent 40cdc25
commit d00c344
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -245,6 +245,7 @@
 | 【WEBShell检测】Jenkins服务WebShell检测 | √ |  |  |  |
 | 【WEBShell检测】其他默认web目录WebShell检测 | √ |  |  |  |
 | 【漏洞类检查】服务漏洞或配置错误检查 |  |  |  | √ |
+| 【自动攻击路径追溯】攻击路径追溯 |  |  |  |  |
 
 
 

diff --git a/lib/core/option.py b/lib/core/option.py
@@ -2,20 +2,21 @@
 
 import os, optparse, time
 from lib.core.option import *
+from lib.core.globalvar import *
+from lib.core.common import *
 from lib.plugins.Host_Info import *
 from lib.plugins.File_Analysis import *
 from lib.plugins.History_Analysis import *
 from lib.plugins.Proc_Analysis import *
 from lib.plugins.Network_Analysis import *
 from lib.plugins.Backdoor_Analysis import *
 from lib.plugins.User_Analysis import *
-from lib.core.common import *
 from lib.plugins.Config_Analysis import *
 from lib.plugins.Log_Analysis import *
 from lib.plugins.Rootkit_Analysis import *
 from lib.plugins.Webshell_Analysis import *
 from lib.plugins.Sys_Init import *
-from lib.core.globalvar import *
+from lib.plugins.Search_File import *
 
 
 def main(path):
@@ -26,40 +27,49 @@ def main(path):
     group.add_option("--overseas", dest="overseas", default=False, action='store_true', help=u"境外模式，此参数将不进行境外ip的匹配")
     group.add_option("--full", dest="full_scan", default=False, action='store_true', help=u"完全模式，此参数将启用完全扫描")
     group.add_option("--debug", dest="debug", default=False, action='store_true', help=u"调试模式，进行程序的调试数据输出")
-
     parser.add_option_group(group)
 
     group = optparse.OptionGroup(parser, "Optimization", "Optimization options")
-    group.add_option("--job", dest="job", default=False, action='store_true', help=u"添加定时任务，用于定时执行程序")
+    group.add_option("--time", dest="time", type='string',
+                     help=u"搜索指定时间内主机改动过的所有文件，demo: --time='2019-05-07 00:00:00~2019-05-07 23:00:00'")
+    group.add_option("--job", dest="job", default=False, action='store_true', help=u"添加定时任务，用于定时执行程序（暂不支持）")
     group.add_option("--log", dest="logdir", default=False, action='store_true', help=u"打包当前系统的所有安全日志（暂不支持）")
-    group.add_option("--time", dest="time", help=u"搜索指定时间内主机改动的所有文件")
     parser.add_option_group(group)
 
     options, _ = parser.parse_args()
 
+    options.time = '2019-05-07 12:00:00~2019-05-07 17:00:00'
+
+    # 初始化全局模块
+    init()
+    # 设置调试模式
+    set_value('DEBUG', True if options.debug else False)
+    # 设置国内ip模式
+    set_value('Overseas', True if options.overseas else False)
+    # 设置扫描模式为完全扫描
+    set_value('SCAN_TYPE', 2 if options.full_scan else 1)
+    set_value('SYS_PATH', path)
+    set_value('LOG_PATH', path + "/log/gscan.log")
+
+
     if options.logdir:
         print(u'\033[1;32m开始备份整个系统安全日志...\033[0m\n')
+        print(u'\033[1;32m此功能暂不支持\033[0m\n')
     elif options.job:
         print(u'\033[1;32m开始添加定时任务...\033[0m\n')
+        print(u'\033[1;32m此功能暂不支持\033[0m\n')
+    elif options.time:
+        print(u'\033[1;32m开始进行文件搜索...\033[0m\n')
+        Search_File(options.time).run()
     elif options.version:
         parser.print_help()
     else:
-        # 初始化全局模块
-        init()
-        # 设置调试模式
-        set_value('DEBUG', True if options.debug else False)
-        # 设置国内ip模式
-        set_value('Overseas', True if options.overseas else False)
-        # 设置扫描模式为完全扫描
-        set_value('SCAN_TYPE', 2 if options.full_scan else 1)
-        set_value('SYS_PATH', path)
-        set_value('LOG_PATH', path + "/log/gscan.log")
-        # 获取恶意特征信息
-        get_malware_info(path)
         # 创建日志文件
         mkfile()
         file_write(u'开始扫描当前系统安全状态...\n')
         print(u'\033[1;32m开始扫描当前系统安全状态...\033[0m')
+        # 获取恶意特征信息
+        get_malware_info(path)
         # 主机信息获取
         Host_Info().run()
         # 系统初始化检查

diff --git a/lib/plugins/Search_File.py b/lib/plugins/Search_File.py
@@ -0,0 +1,38 @@
+# coding:utf-8
+from __future__ import print_function
+import os, optparse, time, sys, json
+from lib.core.globalvar import *
+
+
+# 作者：咚咚呛
+# 搜索指定时间内主机改动过的所有文件
+
+class Search_File:
+    def __init__(self, time):
+        # self.time = time.strip()
+        self.time = '2019-05-07 12:00:00~2019-05-07 17:00:00'
+
+    def run(self):
+        try:
+            stime, etime = self.time.split('~')
+            log_path = get_value('SYS_PATH') + "/log/search.log"
+            DEBUG = get_value('DEBUG')
+            files = os.popen("find / -newermt '%s' ! -newermt '%s' 2>/dev/null" % (stime, etime)).read().splitlines()
+            print(u'时间周期：%s \n搜索结果：共发现 %d 处文件或者目录的创建和改动' % (self.time, len(files)))
+
+            if os.path.exists(log_path):
+                f = open(log_path, "r+")
+                f.truncate()
+                f.close()
+            with open(log_path, 'a+') as f:
+                for file in files:
+                    f.write(file + '\n')
+                    if DEBUG: print(file)
+            print(u'结果详情：%s' % log_path)
+
+        except:
+            print(u'查询发生错误。')
+
+
+if __name__ == '__main__':
+    Search_File('2019-05-07 00:00:00~2019-05-07 12:00:00').run()