Detect whether your applications contain possible hidden data (see https://medium.com/@sabrihaddouche/how-a-malware-can-infects-digitally-signed-files-without-altering-hashes-on-macos-c7dc9e391a8e for more information)
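#!/bin/bash
# Report applications under /Applications and ~/Applications whose bundle
# carries hidden data in a .DS_Store or "Icon\r" entry: either the file itself
# is non-empty, or it has a com.apple.ResourceFork extended attribute.
# macOS only: relies on BSD `find -E` and `xattr`. One line is printed per
# finding; the exit status is 0 whether or not anything was found.
set -u

echo "Please wait..."

# Number of findings; an app is counted once per hit, so it may appear twice.
appsCounter=0

# Suspect files: any .DS_Store, or "Icon" followed by exactly one character
# (normally \r), below an .app bundle. The list is streamed NUL-separated
# straight from find instead of going through a fixed-name file in /tmp, so
# paths containing newlines survive and no other local user can pre-create or
# swap the list while the scan runs.
while IFS= read -r -d '' path; do
  # Display form of the path: drop the CR/LF that an Icon\r entry carries.
  # (The brackets in tr -d '[\r\n]' were literal and also stripped [ ] from
  # the path; a bash character class does not have that problem.)
  pathWithNoCRLF="${path//[$'\r\n']/}"
  # Bundle name: the component between the last "/" and the last ".app",
  # the same selection as sed 's/^.*\/\(.*\)\.app.*$/\1/' but without echo -e
  # reinterpreting backslashes in the path.
  stem="${path%.app*}"
  appName="${stem##*/}.app"

  # -s: the file exists and is larger than 0 bytes.
  if [[ -s "$path" ]]; then
    appsCounter=$((appsCounter + 1))
    printf '%s\n' "[${appName}] Contains hidden datas (see ${pathWithNoCRLF})"
  fi

  # Path to query for the resource fork. An "Icon<char>" entry is normalised
  # to "Icon\r"; only the basename is rewritten, so an app or folder whose
  # name merely contains "Icon" keeps its path intact (the earlier
  # ${path//Icon*/...} rewrote those too and then queried a non-existent
  # path). A .DS_Store is queried as-is.
  base="${path##*/}"
  if [[ "$base" == Icon? ]]; then
    xattrPath="${path%/*}/Icon"$'\r'
  else
    xattrPath="$path"
  fi
  # xattr exits non-zero when the attribute (or the file) is absent; its
  # output is irrelevant here, only the status is used.
  if /usr/bin/xattr -pv com.apple.ResourceFork "$xattrPath" >/dev/null 2>&1; then
    appsCounter=$((appsCounter + 1))
    printf '%s\n' "[${appName}] Contains a ResourceFork attribute (see ${pathWithNoCRLF})"
  fi
done < <(/usr/bin/find -E {,~}/Applications \
           -iregex '.*\.app\/(.*\.DS_Store|Icon.{1})$' -print0)

if (( appsCounter == 0 )); then
  echo "No applications with hidden files/datas found."
fi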