{"id":13647496,"url":"https://github.com/NVISOsecurity/binsnitch","last_synced_at":"2025-04-22T02:31:57.096Z","repository":{"id":89494030,"uuid":"91020384","full_name":"NVISOsecurity/binsnitch","owner":"NVISOsecurity","description":"Detect silent (unwanted) changes to files on your system","archived":true,"fork":false,"pushed_at":"2020-05-04T15:44:26.000Z","size":18,"stargazers_count":159,"open_issues_count":1,"forks_count":25,"subscribers_count":18,"default_branch":"master","last_synced_at":"2024-11-09T21:36:52.371Z","etag":null,"topics":["infosec","integrity-monitoring","malware","malware-analysis"],"latest_commit_sha":null,"homepage":"https://blog.nviso.eu","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NVISOsecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-05-11T20:25:20.000Z","updated_at":"2024-10-28T18:13:53.000Z","dependencies_parsed_at":"2024-01-14T10:11:47.232Z","dependency_job_id":"42831b3f-fc05-4f0a-84ce-9759c0bcd13f","html_url":"https://github.com/NVISOsecurity/binsnitch","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2Fbinsnitch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2Fbinsnitch/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2Fbinsnitch/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2Fbinsnitch/manifests","owner_url":"https://repos.ecosyste.m
s/api/v1/hosts/GitHub/owners/NVISOsecurity","download_url":"https://codeload.github.com/NVISOsecurity/binsnitch/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250163704,"owners_count":21385293,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["infosec","integrity-monitoring","malware","malware-analysis"],"created_at":"2024-08-02T01:03:36.143Z","updated_at":"2025-04-22T02:31:56.837Z","avatar_url":"https://github.com/NVISOsecurity.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# binsnitch.py\nbinsnitch can be used to detect silent unwanted changes to files on your system.\nIt will scan a given directory recursively for files and keep track of any changes it detects, based on the SHA256 hash of the file.\nYou have the option to either track executable files, or all files.\n\n### Requirements\n- python \u003e= 3\n\n### Running and usage\n```\nusage: binsnitch.py [-h] [-v] [-s] [-a] [-n] [-b] [-w] dir\n\npositional arguments:\n  dir               the directory to monitor\n\noptional arguments:\n  -h, --help        show this help message and exit\n  -v, --verbose     increase output verbosity\n  -s, --singlepass  do a single pass over all files\n  -a, --all         keep track of all files, not only executables\n  -n, --new         alert on new files too, not only on modified files\n  -b, --baseline    do not generate alerts (useful to create baseline)\n  -w, --wipe        start with a clean db.json and alerts.log file\n```\n\nExample: monitor all executable files on 
the system and enable verbose logging\n\n```\npython3.5 binsnitch.py -v / \n```\n\nExample: monitor all files in the current directory and enable verbose logging\n\n```\npython3.5 binsnitch.py -v -a . \n```\n\n### How it works\nOnce ``binsnitch.py`` is running, it will scan all files in ``dir`` (provided through a required command line argument) recursively, and create a SHA256 hash of each file it finds. It then does the following:\n- If a file is not known yet by ``binsnitch.py``, its details will be added to ``binsnitch_data/db.json`` (file name, file type and hash).\n- If a file is already known but the calculated hash is different from the one in ``binsnitch_data/db.json``, an alert will be logged to ``binsnitch_data/alerts.log``. In addition, the new hash will be added to the appropriate entry in ``binsnitch_data/db.json``.\n- If a file is already known and the hash is identical to the one already in ``binsnitch_data/db.json``, nothing happens.\n\n### Example output\n\n##### binsnitch_data/alerts.log\n```\n05/15/2017 02:46:17 AM - INFO - Scanning system for new and modified files, this can take a long time\n05/15/2017 02:53:38 AM - INFO - Modified file detected: /Applications/Cyberduck.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate - new hash: a897613ab9ecd8ead7b697012036b2ef683a9df7afe99d9013e5dd6c3e08af10\n05/15/2017 02:53:39 AM - INFO - Modified file detected: /Applications/Cyberduck.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop - new hash: cdad8d7b1cce37547223a198e9fbbe256aed3919b58e1b2305870aeaac33c966\n05/15/2017 02:53:41 AM - INFO - Modified file detected: /Applications/Cyberduck.app/Contents/MacOS/Cyberduck - new hash: 3941de0b9001c616c6fcfdb76108fa5da46bdcdd3089e1feb65578c2d251eeec\n```\n\n##### binsnitch_data/db.json\n\n```\n[\n    {\n        \"path\": \"/Applications/1Password 6.app/Contents/Frameworks/AgileLibrary.framework/Versions/A/Resources/pngquant\",\n        \"sha256\": [\n            \"47ecd7d9978a291de70aaf5e4392664d5c697cd0867bb59f3d6833671b83d448\"\n        ],\n        \"type\": \"Mach-O 64-bit executable x86_64\"\n    }\n]\n```\n\n### Internals\nWhether a file counts as executable is decided by comparing its extension against a fixed list of dangerous file extensions (check the ``binsnitch.py`` source for details).\n\nIn its current version, ``binsnitch.py`` eats up a lot of CPU. This is caused by the recursive walk through the filesystem and the calculation of SHA256 hashes for each and every file it encounters.\n\n### Ideas for improvement\n\n- ~~Include a switch to start with a new alerts and db file upon start~~ ☑\n- ~~Include a switch to also process new files~~ ☑\n- ~~Enable a switch to process all files instead of executables only~~ ☑\n- ~~Include a switch for a single pass instead of running forever~~ ☑\n- ~~Remove dependency on ``file`` command to check for file type information~~ ☑\n- Be nicer to system resources (IO and CPU)\n\n### Why binsnitch?\n\nMalware will often install itself by overwriting existing executable applications in order to avoid detection.\nRecent malware cases (May 2017) do this, including HandBrake being hacked to drop a new variant of the Proton malware and the WannaCry ransomware overwriting ``C:\\WINDOWS\\system32\\tasksche.exe``.\nThis prompted us to write a simple tool that can be used to detect such changes.\n\nbinsnitch can also be used during malware analysis, to detect silent changes to files (e.g. the replacement of a trusted Windows executable by a trojaned version).\n\n### References and comparison to other tools\n\nSimilar tools:\n- Tripwire Open Source - https://github.com/Tripwire/tripwire-open-source\n- Microsoft File Checksum Integrity Verifier - https://www.microsoft.com/en-us/download/details.aspx?id=11533\n- Syscheck in OSSEC - http://ossec-docs.readthedocs.io/en/latest/manual/syscheck/\n\nThese tools are either OS-dependent or require installation of libraries. In addition, ``binsnitch.py`` can be used to detect changes to the file system after an infection has taken place (it does not depend on intercepting API calls during the infection itself) - for example, when analyzing a disk image against a \"known good\" baseline.\n\n``binsnitch.py`` has no dependencies other than ``python \u003e= 3``.\n\n### Community\n\nBug reports and feature requests are welcome in the issues tab!\n\nContact us: research@nviso.be.\n\nbinsnitch is developed and maintained by Daan Raman ([@daanraman](https://twitter.com/daanraman)).\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNVISOsecurity%2Fbinsnitch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FNVISOsecurity%2Fbinsnitch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNVISOsecurity%2Fbinsnitch/lists"}