Detect whether your applications contain possibly hidden data (see https://medium.com/@sabrihaddouche/how-a-malware-can-infects-digitally-signed-files-without-altering-hashes-on-macos-c7dc9e391a8e for more information)
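#!/bin/bash
#
# Look inside every .app bundle under /Applications and ~/Applications for the
# two files this scan treats as suspect (.DS_Store and the custom-icon file
# "Icon\r") and report those that hold data or carry a
# com.apple.ResourceFork extended attribute. Per the write-up this gist
# accompanies, either location can hide a payload in a signed bundle without
# altering the hashes covered by its signature.
#
# Requires macOS: relies on /usr/bin/find -E (extended regex) and
# /usr/bin/xattr. No arguments; findings are printed to stdout.
set -u

echo "Please wait..."

# Private temp file instead of the predictable /tmp/.suspectfiles: a fixed
# name in a world-writable directory can be pre-created or symlinked by
# another local user. The trap removes it on every exit path.
suspectfiles="$(/usr/bin/mktemp "${TMPDIR:-/tmp}/suspectfiles.XXXXXX")" || exit 1
trap 'rm -f -- "${suspectfiles}"' EXIT

# Look for suspect files. find may complain about a missing ~/Applications;
# that is not fatal for the scan, so its exit status is deliberately ignored.
/usr/bin/find -E {,~}/Applications -iregex '.*\.app\/(.*\.DS_Store|Icon.{1})$' > "${suspectfiles}"

# Check suspect files
appsCounter=0
# IFS= and -r keep each path byte-for-byte: bundle names may contain spaces or
# backslashes, and the Icon file's name ends with a literal carriage return
# that must survive for the -s and xattr checks below to address the right
# file. (The former "${path//Icon*//Icon\r}" rewrite is no longer needed and
# also mangled paths of bundles whose name starts with "Icon".)
while IFS= read -r path; do
  # Display form without the trailing \r. tr's set is unbracketed on purpose:
  # '[\r\n]' also deleted any literal [ and ] from the path. printf instead of
  # echo -e so backslash sequences inside a name are not rewritten.
  pathWithNoCRLF="$(printf '%s' "${path}" | /usr/bin/tr -d '\r\n')"
  # Bundle name: the last "<name>.app" component of the path
  appName="$(printf '%s' "${path}" | /usr/bin/sed -e "s/^.*\/\(.*\)\.app.*$/\1/").app"

  # Check if the file contains datas: these files are expected to be empty
  if [ -s "${path}" ]; then
    appsCounter=$((appsCounter + 1))
    echo "[${appName}] Contains hidden datas (see ${pathWithNoCRLF})"
  fi

  # Check if the file contains a ResourceFork attribute. xattr -p exits
  # non-zero when the attribute is absent; its output is not needed.
  if /usr/bin/xattr -pv com.apple.ResourceFork "${path}" > /dev/null 2>&1; then
    appsCounter=$((appsCounter + 1))
    echo "[${appName}] Contains a ResourceFork attribute (see ${pathWithNoCRLF})"
  fi
done < "${suspectfiles}"

if [ "${appsCounter}" -eq 0 ]; then
  echo "No applications with hidden files/datas found."
fi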