| #!/usr/bin/python | |
| """ | |
| License: https://macmule.com/license/ | |
| """ | |
| import logging | |
| import os | |
| import shutil | |
| import signal | |
| import subprocess | |
| from datetime import date, datetime, timedelta | |
| from distutils.version import LooseVersion | |
| from glob import glob | |
| from CoreFoundation import CFPreferencesAppSynchronize, \ | |
| CFPreferencesCopyAppValue, \ | |
| CFPreferencesSetAppValue | |
def first_run():
    """Turn on automatic Software Update checks and start a background
    critical update (the mechanism that refreshes XProtect) when the
    log file at LOG_FILE_PATH is present.

    NOTE(review): the previous docstring said "if not found", but the
    condition below fires when the file *is* found. ``__main__`` calls
    ``logging.basicConfig(filename=LOG_FILE_PATH, ...)`` before this
    function, which opens (and therefore creates) the file, so in
    practice the update runs on every invocation. Behaviour is kept
    as-is; confirm the intended condition before flipping it.
    """
    su_domain = '/Library/Preferences/com.apple.SoftwareUpdate'
    if not os.path.isfile(LOG_FILE_PATH):
        return
    CFPreferencesSetAppValue('AutomaticCheckEnabled', True, su_domain)
    CFPreferencesAppSynchronize(su_domain)
    with open(os.devnull, 'w') as devnull:
        # Background check only; softwareupdate's stdout is discarded.
        subprocess.call(['/usr/sbin/softwareupdate', '--background-critical'],
                        stdout=devnull)
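def user_kernel_time(pattern='/Users/*/Library/.kernel_time', run_time=None):
    """Find ``.kernel_time`` marker files, log the encryption time they
    imply and delete them.

    Each marker is expected to hold a Unix epoch (seconds) on its first
    line; the script treats that epoch plus three days as the encryption
    time. The time is logged as ``ENCRYPTED`` when it is later than
    *run_time* (comparison kept exactly as in the original -- presumably it
    means "encryption scheduled for"; confirm). Every matched file is
    removed, including one whose contents cannot be parsed, so a malformed
    marker no longer aborts the remaining remediation steps.

    Args:
        pattern: glob pattern for the marker files; the default is the
            per-user path the original script hard-coded.
        run_time: datetime to compare against; defaults to the module-level
            RUN_TIME set in ``__main__``.
    """
    if run_time is None:
        run_time = RUN_TIME
    for kernel_time_file in glob(pattern):
        try:
            with open(kernel_time_file) as read_file:
                first_line = read_file.readline()
            # Truncate to whole seconds, as the original strftime/strptime
            # round trip did.
            encrypt_time = (datetime.fromtimestamp(int(first_line))
                            + timedelta(3)).replace(microsecond=0)
        except (ValueError, OverflowError, OSError) as err:
            # The marker's contents are not under our control; record the
            # problem and still fall through to deleting the file.
            logging.warning('UNPARSEABLE: %s (%s)' % (kernel_time_file, err))
        else:
            if encrypt_time > run_time:
                logging.warning('ENCRYPTED: %s - %s'
                                % (encrypt_time.strftime('%Y-%m-%d %H:%M:%S'),
                                   kernel_time_file))
        logging.warning('DELETED: %s' % kernel_time_file)
        os.remove(kernel_time_file)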
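def user_kernel_pid(pattern='/Users/*/Library/.kernel_pid'):
    """Find ``.kernel_pid`` marker files, SIGTERM the process they name and
    delete the markers.

    Each marker is expected to hold a process id on its first line. The
    original handed the ``readlines()`` list straight to ``os.kill``, which
    always raised ``TypeError``; a bare ``except`` swallowed it, so the
    process was never signalled. The pid is now parsed as an int, and pids
    of 1 or less are refused because ``os.kill`` treats 0 and negative
    values as process groups and pid 1 is the system's init process, so a
    tampered marker cannot redirect the signal. The marker is removed
    whether or not the kill succeeded, as before.

    Args:
        pattern: glob pattern for the marker files; the default is the
            per-user path the original script hard-coded.
    """
    for kernel_pid_file in glob(pattern):
        try:
            with open(kernel_pid_file) as read_file:
                pid = int(read_file.readline())
            if pid <= 1:
                raise ValueError('refusing to signal pid %d' % pid)
            os.kill(pid, signal.SIGTERM)
        except (ValueError, OSError) as err:
            # Malformed marker, no such process or permission denied:
            # note it, then delete the marker below anyway.
            logging.warning('NOT KILLED: %s (%s)' % (kernel_pid_file, err))
        else:
            logging.warning('KILLED: %s ' % pid)
        os.remove(kernel_pid_file)
        logging.warning('DELETED: %s' % kernel_pid_file)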
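def get_transmission_apps():
    """Locate Transmission.app bundles and delete those matching the
    indicator this remover keys on.

    ``mdfind kind:app`` lists every application Spotlight knows about; any
    path containing ``Transmission.app`` is inspected. A bundle is deleted
    only when its ``CFBundleShortVersionString`` (read via
    CFPreferencesCopyAppValue pointed at the bundle's Info.plist) compares
    equal to 2.90 *and* ``Contents/Resources/General.rtf`` exists inside
    it. A bundle whose version cannot be read (``CFPreferencesCopyAppValue``
    returns None) is logged and skipped instead of crashing inside
    ``LooseVersion``, so one damaged bundle does not stop the scan.
    """
    apps = subprocess.check_output(['/usr/bin/mdfind', 'kind:app']).splitlines()
    general_rtf = '/Contents/Resources/General.rtf'
    infected_version = LooseVersion('2.90')
    for app in apps:
        if 'Transmission.app' not in app:
            continue
        vers = CFPreferencesCopyAppValue('CFBundleShortVersionString',
                                         app + '/Contents/Info.plist')
        if vers is None:
            # No readable Info.plist or no version key: cannot classify.
            logging.warning('SKIPPED (no version): %s' % app)
            continue
        if (LooseVersion(vers) == infected_version
                and os.path.exists(app + general_rtf)):
            # Delete the whole app bundle.
            shutil.rmtree(app)
            logging.warning('DELETED: %s' % app)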
def get_transmission_dmgs():
    """Re-quarantine every ``Transmission*.dmg`` Spotlight can find.

    For each DMG, ``xattr -w`` writes a ``com.apple.quarantine`` value in
    the form Safari stamps on downloads, and the path is logged as
    QUARANTINED. A failing xattr call raises CalledProcessError, as in the
    original.
    """
    query = 'kMDItemFSName=Transmission*.dmg'
    quarantine_value = '0000;4b3a40d0;Safari;|com.apple.Safari'
    found = subprocess.check_output(['/usr/bin/mdfind', query])
    for dmg in found.splitlines():
        xattr_cmd = ['/usr/bin/xattr', '-w', 'com.apple.quarantine',
                     quarantine_value, dmg]
        subprocess.check_output(xattr_cmd)
        logging.warning('QUARANTINED: %s' % dmg)
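if __name__ == '__main__':
    RUN_TIME = datetime.now()
    LOG_FILE_PATH = '/Library/Logs/KeRanger-Remove.log'
    # basicConfig opens the log file here, so it exists before first_run().
    logging.basicConfig(filename=LOG_FILE_PATH, level=logging.WARNING,
                        format='%(asctime)s %(message)s')
    # Stop the running malware process before touching its files. An
    # argument list is used instead of os.system so no shell is involved.
    subprocess.call(['killall', '-9', 'kernel_service'])
    first_run()
    user_kernel_time()
    user_kernel_pid()
    get_transmission_apps()
    get_transmission_dmgs()
    # Print the log wrapped in <result> tags (presumably for an MDM
    # extension attribute) only if it was written today.
    MOD_DATE = datetime.fromtimestamp(os.stat(LOG_FILE_PATH).st_mtime)
    if date.today() == MOD_DATE.date():
        with open(LOG_FILE_PATH) as read_log:
            print('<result>%s</result>' % read_log.read())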