itayc0hen / apt-ecosystem Goto Github PK

Running on a Windows system C drive leads to an infinite recursion of error messages like this:

error scanning C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows<etc; path here is irrelevant>

The problem is that, in Win 7 and on, "Application Data" is neither a directory, link, or hard link, but a "juncture". This is another idiotic Microsoft innovation that causes Windows errors frequently and is unfixable because it's baked into the OS. It points at itself, and then "prevents" infinite loops from occurring by putting "deny all read privs" on itself. But since your code is reading directories in some more direct way, it gets past the Windows "deny", and gets the infinite loop.

Add basic check in detector.py for Linux / OSX.

#1 adds this basic functionality.

Please write some documentation on what this does, how to "install" it, and how to run it.
The only documentation is the README, which isn't included in the download RussianAPTDetector, doesn't list all the command line parameters, and doesn't explain the meaning of -r.
A key point not mentioned is that, after downloading the code from github, you need to open index.html in a web browser, download the file, unzip it, and then add its contents to the directory containing index.html.

As it is, non-programmers won't be able to run it at all.

The downloaded files include a web page, "index.html", which, when opened, downloads the file RussianAPTDetector.7z .
This file includes three executables.

Running any of the three files from Windows does nothing but open and then shut a window.
By first opening a Cygwin shell, and then running them from within that shell, I found that:

-- Running Detector.exe produces this output:

usage: Detector.exe [-h] -t TARGET [TARGET ...] [-r]
Detector.exe: error: argument -t/--target is required

No indication what "TARGET" means, or what the arguments -r or -h do.

Running yara64.exe like this:

./yara64 rules.yar C:

makes it appear to scan my C drive, but very quickly, and it generates only a list of warnings.

If you're using Linux, the python file detector.py assumes you already have compiled the executable "yara" and added its location to your PATH.

Reading detector.py reveals that:
-t gives the drive or directory to scan. (To pass this to yara, you need to just put that target directory immediately after the rules file; yara doesn't want parm flags.)
-r means do a recursive scan, which I would think should be the default but I don't know how ransomware behaves
-p 8 means that the computer has 8 CPUs, or maybe 8 cores