On 11/07/2011 11:40 AM, gene heskett wrote:
On Monday, November 07, 2011 11:30:45 AM Dave Angel did opine:
Back on the list..
On 11/07/2011 06:22 AM, gene heskett wrote:
On Monday, November 07, 2011 05:35:15 AM Peter Otten did opine:
<SNIP>

Are you talking about this one?

https://github.com/halsten/Duqu-detectors/blob/master/DuquDriverPatterns.py

Yes.  My save as renamed it, still has about 30k of tabs in it.  But I
pulled it again, using the 'raw' link, saved it, no extra tabs.

But it still doesn't work for linux.  My python is 2.6.6

To start with, what's the md5 of the file you downloaded and are
testing?  I get c4592a187f8f7880d3b685537e3bf9a5

[root@coyote Download]# md5sum DuquDriverPatterns.py
c4592a187f8f7880d3b685537e3bf9a5  DuquDriverPatterns.py, same as yours.

from md5sum.  If you get something different, one of us changed the
file, or you got it before today.

The whole tab issue is a red herring in this case.  But I don't see how
you can find 30k tabs in a thousand lines.  And if I were going to detab
it, I'd pick 4 spaces, so the code doesn't stretch across the page.

Down toward the bottom of the file, the tab indentations were as high as 33
leading tabs per line.  Each stanza of the data was tab indented 2
additional tabs from the one above it in the original file.  30k was
perhaps a poor SWAG, but 10 to 15k seems an entirely reasonable guess.

What program are you using to read the file and support that claim? Neither emacs nor gedit shows more than one leading tab on any line I looked at. And if you set tabs to 4 columns, the file looks quite reasonable. Doing a quick scan I see a max of 5 tabs on any single line, and 1006 total.


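# Count the tab characters on each line, tracking the largest per-line
# count and the total for the whole file.
maxtabs = 0
totaltabs = 0
with open("DuquDriverPatterns.py", "r") as f:
    for line in f:
        cline = line.replace("\t", "")
        tabs = len(line) - len(cline)   # number of tabs on this line
        if tabs:
            print tabs
            maxtabs = max(maxtabs, tabs)
            totaltabs += tabs

print "max=", maxtabs
print "total=", totaltabs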




<SNIP>

python DuquDriverPatterns.py ./directoryOfMalware

and the line you are quoting then puts the value
"./directoryOfMalware" into the rootdir variable.

If only it would...  Using this version, the failure is silent and
instant.

The only way I've been able to make it "silent and instant" was to give it the name of an empty directory, or a typo representing no directory at all.


Besides, the malware could be anyplace on the system.  But
it needs to skip /dev since it hangs on the midi tree, /mnt and
/media because they are not part of the running system even if disks
are mounted there.

First, run it on the current directory, and it should list the files in
that directory:

I ran it in the directory I unzipped it into, so there are two files,
the README and the source file itself.

$ python DuquDriverPatterns.py   .
Scanning ./README:
No match for pattern #0 on file named: README
No match for pattern #1 on file named: README
No match for pattern #2 on file named: README

etc.

The only way I can see to get NO output is to run it on an empty
directory:
$ mkdir junk
$ python DuquDriverPatterns.py   junk

As for skipping certain directories, we can deal with that as soon as
you get proper behavior for any subtree of directories.

Have you tried adding a print ("Hello World " + rootdir) just before the

for root, subFolders, files in os.walk(rootdir):

line ?  Or putting a   print len(files)  just after it (indented, of
course) ?

No, I did try to print the value of rootdir though, indented the same, and
got a null printout, not even a line feed.


If you had put the print I suggested, it would at least print the words "Hello World". Since it did not, you probably didn't actually add the line where I suggested.

Thanks Dave.

Cheers, Gene

In another message you said it doesn't work on absolute file paths. But it does. You can replace any relative directory name with the absolute version, and it won't change the behavior. I suspect you were caught up by a typo for the absolute path string.


--

DaveA
--
http://mail.python.org/mailman/listinfo/python-list
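
The "silent and instant" result discussed above is what os.walk() produces for a missing root, because it ignores directory-listing errors unless given an onerror callback. The following is an added example, not part of the original message or of DuquDriverPatterns.py, written for Python 3: it rejects a bad root, prunes the trees named in the thread, and keeps only regular files so device nodes are never opened. The names collect_targets and SKIP_DIRS are assumptions made for illustration.

```python
import os
import stat
import sys

# Assumption: the top-level trees the thread says a whole-system scan should skip.
SKIP_DIRS = ("/dev", "/mnt", "/media")


def collect_targets(rootdir, skip_dirs=SKIP_DIRS):
    """Return (files, errors) for the regular files under rootdir.

    A missing or mistyped root raises ValueError instead of producing an
    empty, silent walk.
    """
    root = os.path.abspath(rootdir)
    if not os.path.isdir(root):
        raise ValueError("not a directory: %r" % (rootdir,))
    skip = {os.path.abspath(d) for d in skip_dirs}
    files, errors = [], []
    # onerror collects unreadable directories that os.walk() would otherwise
    # skip without saying anything.
    for dirpath, dirnames, filenames in os.walk(root, onerror=errors.append):
        # Prune in place so os.walk() never descends into the skipped trees.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError as exc:
                errors.append(exc)
                continue
            # Regular files only: device nodes, FIFOs, sockets and symlinks
            # are left out, so reading a target cannot block on a device.
            if stat.S_ISREG(mode):
                files.append(path)
    return files, errors


if __name__ == "__main__":
    rootdir = sys.argv[1] if len(sys.argv) > 1 else "."
    try:
        found, problems = collect_targets(rootdir)
    except ValueError as exc:
        sys.exit("error: %s" % exc)
    print("%d files to scan under %s" % (len(found), rootdir))
    for problem in problems:
        print("skipped: %s" % problem, file=sys.stderr)
```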
