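def knocknock():
    """Run a full scan of startup/persistence items and print the report.

    Flow: initialize (logging, plugin manager, ...), list plugins and return
    early when ``args.list`` is set, otherwise run ``scan(args.plugin)``,
    drop File items that are Apple-signed or whitelisted (unless ``args.apple``
    / ``args.whitelist`` keep them), remove duplicates from the unclassified
    plugin, optionally enrich the results with VirusTotal data, and print the
    formatted (plain or JSON) output.

    Returns:
        True after listing plugins, False when initialization or the scan fails
        or an exception escapes, and None (implicit) when a scan completes.
    """
    results = []
    try:
        # init: logging, plugin manager, etc
        if not initKK():
            utils.logMessage(utils.MODE_ERROR, 'initialization(s) failed')
            return False
        utils.logMessage(utils.MODE_INFO, 'initialization complete')

        # list plugins and bail
        if args.list:
            listPlugins()
            return True

        # scan for thingz
        results = scan(args.plugin)
        # identity test is the idiomatic (and __eq__-proof) None check
        if results is None:
            utils.logMessage(utils.MODE_ERROR, 'scan failed')
            return False

        # depending on args, filter out Apple-signed or whitelisted binaries
        if not args.apple or not args.whitelist:
            # one result per startup item type
            for result in results:
                ignoredItems = []
                for startupObj in result['items']:
                    # only File objects carry signing/whitelist state here
                    if isinstance(startupObj, file.File):
                        # by default hide items whose Apple-signature check passes;
                        # args.apple keeps them visible
                        # NOTE(review): the later revisions of this function call
                        # signedByApple() — if it is a method here too, this bare
                        # attribute is always truthy and every File would be hidden.
                        # Confirm against file.File before changing.
                        if not args.apple and startupObj.signedByApple:
                            ignoredItems.append(startupObj)
                        # by default hide whitelisted items; args.whitelist keeps them
                        if not args.whitelist and startupObj.isWhitelisted:
                            ignoredItems.append(startupObj)
                # subtract out all ignored items; the set arithmetic also
                # collapses duplicates and does not preserve order
                result['items'] = list(set(result['items']) - set(ignoredItems))

        # the unclassified plugin only looks at the proc list, so dedup it
        removeUnclassDups(results)

        # query VT and attach its verdicts to all files, unless disabled
        if not args.disableVT:
            utils.logMessage(utils.MODE_INFO, 'querying VirusTotal - sit tight!')
            virusTotal.processResults(results)

        # format output: normal or JSON
        formattedResults = output.formatResults(results, args.json)
        # single-argument print() behaves the same on Python 2.6+ and 3;
        # non-ASCII characters are emitted as XML character references
        print(formattedResults.encode('ascii', 'xmlcharrefreplace'))

    # top level exception handler; 'as' form works on Python 2.6+ and 3
    except Exception as e:
        utils.logMessage(utils.MODE_ERROR, '\n EXCEPTION, %s() threw: %s' % (sys._getframe().f_code.co_name, e))
        traceback.print_exc()
        return False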
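def knocknock():
    """Run a full scan of startup/persistence items and print the report.

    Flow: initialize (logging, plugin manager, ...), list plugins and return
    early when ``args.list`` is set, otherwise run ``scan(args.plugin)``,
    drop File items that are Apple-signed or whitelisted (unless ``args.apple``
    / ``args.whitelist`` keep them), remove duplicates from the unclassified
    plugin, and print the formatted (plain or JSON) output.

    Returns:
        True after listing plugins, False when initialization or the scan fails
        or an exception escapes, and None (implicit) when a scan completes.
    """
    results = []
    try:
        # init: logging, plugin manager, etc
        if not initKK():
            utils.logMessage(utils.MODE_ERROR, 'initialization(s) failed')
            return False
        utils.logMessage(utils.MODE_INFO, 'initialization complete')

        # list plugins and bail
        if args.list:
            listPlugins()
            return True

        # scan for thingz
        results = scan(args.plugin)
        # identity test is the idiomatic (and __eq__-proof) None check
        if results is None:
            utils.logMessage(utils.MODE_ERROR, 'scan failed')
            return False

        # depending on args, filter out Apple-signed or whitelisted binaries
        if not args.apple or not args.whitelist:
            # one result per startup item type
            for result in results:
                ignoredItems = []
                for startupObj in result['items']:
                    # only File objects carry signing/whitelist state here
                    if isinstance(startupObj, file.File):
                        # by default hide items whose Apple-signature check passes;
                        # args.apple keeps them visible
                        if not args.apple and startupObj.signedByApple():
                            ignoredItems.append(startupObj)
                        # by default hide whitelisted items; args.whitelist keeps them
                        # (an item may be appended twice; the set below absorbs that)
                        if not args.whitelist and startupObj.isWhitelisted:
                            ignoredItems.append(startupObj)
                # subtract out all ignored items; the set arithmetic also
                # collapses duplicates and does not preserve order
                result['items'] = list(set(result['items']) - set(ignoredItems))

        # the unclassified plugin only looks at the proc list, so dedup it
        removeUnclassDups(results)

        # format output: normal or JSON
        formattedResults = output.formatResults(results, args.json)
        # single-argument print() behaves the same on Python 2.6+ and 3;
        # non-ASCII characters are emitted as XML character references
        print(formattedResults.encode('ascii', 'xmlcharrefreplace'))

    # top level exception handler; 'as' form works on Python 2.6+ and 3
    except Exception as e:
        utils.logMessage(utils.MODE_ERROR, '\n EXCEPTION, %s() threw: %s' % (sys._getframe().f_code.co_name, e))
        traceback.print_exc()
        return False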
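def knocknock():
    """Run a full scan of startup/persistence items and print the report.

    Flow: initialize (logging, plugin manager, ...), list plugins and return
    early when ``args.list`` is set, otherwise run ``scan(args.plugin)``,
    drop File items that are Apple-signed or whitelisted and Command items
    that are whitelisted (unless ``args.apple`` / ``args.whitelist`` keep
    them), and print the formatted output when it is non-empty.

    Returns:
        True after listing plugins, False when initialization or the scan fails
        or an exception escapes, and None (implicit) when a scan completes.
    """
    results = []
    try:
        # init: logging, plugin manager, etc
        if not initKK():
            utils.logMessage(utils.MODE_ERROR, 'initialization(s) failed')
            return False
        utils.logMessage(utils.MODE_INFO, 'initialization complete')

        # list plugins and bail
        if args.list:
            listPlugins()
            return True

        # scan for thingz
        results = scan(args.plugin)
        # identity test is the idiomatic (and __eq__-proof) None check
        if results is None:
            utils.logMessage(utils.MODE_ERROR, 'scan failed')
            return False

        # depending on args, filter out Apple-signed or whitelisted items
        if not args.apple or not args.whitelist:
            # one result per startup item type
            for result in results:
                ignoredFiles = []
                ignoredCommands = []
                for startupObj in result['items']:
                    # files: Apple-signed (checked first) or whitelisted
                    if isinstance(startupObj, file.File):
                        # by default hide files whose Apple-signature check passes;
                        # args.apple keeps them visible
                        if not args.apple and startupObj.signedByApple():
                            ignoredFiles.append(startupObj)
                        # otherwise hide whitelisted files; args.whitelist keeps them
                        elif not args.whitelist and startupObj.isWhitelisted:
                            ignoredFiles.append(startupObj)
                    # commands: only the whitelist applies
                    if isinstance(startupObj, command.Command):
                        if not args.whitelist and startupObj.isWhitelisted:
                            ignoredCommands.append(startupObj)
                # subtract out all ignored files and commands; the set
                # arithmetic also collapses duplicates and does not preserve order
                result['items'] = list(set(result['items']) - set(ignoredFiles) - set(ignoredCommands))

        # format output: normal or JSON, possibly posted elsewhere (args.post)
        formattedResults = output.formatResults(results, args.json, args.post)
        # show em, if there is anything to show
        if formattedResults != "":
            # single-argument print() behaves the same on Python 2.6+ and 3
            print(formattedResults)

    # top level exception handler; 'as' form works on Python 2.6+ and 3
    except Exception as e:
        utils.logMessage(utils.MODE_ERROR, '\n EXCEPTION, %s() threw: %s' % (sys._getframe().f_code.co_name, e))
        traceback.print_exc()
        return False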