Aldebaran has asked for the wisdom of the Perl Monks concerning the following question:
Hello Monks,
The context for this question is that I think I had something that tried to get onto my windows 10 laptop by means of my android phone. I'd been warned that an app had malware, and I should go to google play to get it fixed. I decided to factory reset the phone instead, but I was losing power, and without thinking about it, hooked it up to my computer. 2 ms-dos windows appeared and then disappeared. Oops.
So I wrote a script that finds the newest files in my User namespace and then scrutinized anything new. It was a much different listing back then, with so much appdata that I had to filter it. I cleared out all kinds of stuff for varying reasons, and what remains is pretty close to what they give you for an identity with windows 10. I want to show the terminal output first. It's verbose, so I'm gonna throw it between readmore tags and suggest reading it last or not at all if output makes you grumpy.
```text
C:\Users\Fred>perl virus4.pl >>text1.txt
Use of uninitialized value $access_age in numeric gt (>) at virus4.pl line 29.
Use of uninitialized value $access_age in printf at virus4.pl line 31.
Can't opendir(C:/Users/Fred/AppData/Local/Application Data): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/AppData/Local/ElevatedDiagnostics): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/AppData/Local/History): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/AppData/Local/Microsoft/Windows/INetCache/Content.IE5): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/AppData/Local/Microsoft/Windows/INetCache/Low/Content.IE5): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/AppData/Local/Microsoft/Windows/Temporary Internet Files): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/AppData/Local/Temp/msdtadmin): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/AppData/Local/Temporary Internet Files): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/AppData/LocalLow/Oracle/Java/jre1.8.0_91/java_sp): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Application Data): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Cookies): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Documents/My Music): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Documents/My Pictures): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Documents/My Videos): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Local Settings): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/My Documents): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/NetHood): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/PrintHood): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Recent): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/SendTo): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Start Menu): Invalid argument at virus4.pl line 18.
Can't opendir(C:/Users/Fred/Templates): Invalid argument at virus4.pl line 18.

C:\Users\Fred>dir
 Volume in drive C is Windows8_OS
 Volume Serial Number is 3052-CD20

 Directory of C:\Users\Fred

12/18/2016  10:54 PM    <DIR>          .
12/18/2016  10:54 PM    <DIR>          ..
11/05/2016  09:28 PM    <DIR>          .android
07/27/2015  10:35 PM    <DIR>          .gem
11/27/2016  04:15 PM    <DIR>          .gimp-2.8
10/14/2016  04:38 PM               153 .gitconfig
06/08/2016  07:05 PM    <DIR>          .LSC
06/01/2016  09:07 PM    <DIR>          .oracle_jre_usage
05/02/2015  12:44 AM                 0 .perlcriticrc
06/08/2016  07:05 PM    <DIR>          .QtWebEngineProcess
07/01/2016  02:17 AM    <DIR>          .ssh
04/28/2015  11:10 PM    <DIR>          .thumbnails
12/15/2016  10:41 PM    <DIR>          Contacts
12/16/2016  12:14 AM    <DIR>          Desktop
12/16/2016  06:55 PM    <DIR>          Documents
12/16/2016  06:55 PM    <DIR>          Downloads
12/15/2016  10:41 PM    <DIR>          Favorites
12/15/2016  10:41 PM    <DIR>          Links
12/15/2016  10:41 PM    <DIR>          Music
12/15/2016  03:58 PM    <DIR>          OneDrive
06/15/2016  12:57 PM    <DIR>          perl5
12/15/2016  10:41 PM    <DIR>          Pictures
12/15/2016  10:41 PM    <DIR>          Saved Games
12/15/2016  10:41 PM    <DIR>          Searches
12/18/2016  10:58 PM               293 text1.txt
06/21/2015  06:09 PM    <DIR>          Tracing
12/15/2016  10:41 PM    <DIR>          Videos
12/15/2016  11:24 PM               523 virus1.pl
12/15/2016  11:29 PM               519 virus2.pl
12/16/2016  09:16 PM               484 virus3.pl
12/18/2016  10:36 PM               543 virus4.pl
               7 File(s)          2,515 bytes
              24 Dir(s)  42,966,175,744 bytes free

C:\Users\Fred>type text1.txt
C:/Users/Fred
Fred: M age in days: 0.0000

C:/Users/Fred/NTUSER.DAT
NTUSER.DAT: M age in days: 0.0026

C:/Users/Fred/text1.txt
text1.txt: M age in days: 0.0000

C:/Users/Fred/virus4.pl
virus4.pl: M age in days: 0.0122

C:/Users/Fred/Pictures/2016-12/z
z: M age in days: 0.0986

C:\Users\Fred>type virus4.pl
#!/usr/bin/perl
use warnings;
use strict;
use File::Find;
use Cwd;

=pod

=head1 DESCRIPTION

returns files within a hard-coded M time

=cut

my $current = cwd;
find( \&pm_beneath, $current, );

sub pm_beneath {
    use File::Basename;
    my $file=$File::Find::name;
    my $days = .1; #hard-coded
    my $basename = basename($file);
    return if $file =~ /.*AppData.*/;
    my $access_age = -M $basename;
    return if ($access_age > $days);
    print "$file\n";
    printf "$basename: M age in days: %.4f\n\n", $access_age;
}
__END__

C:\Users\Fred>
```
Now I'd like to pick that apart and ask some questions. The script is a simple find routine:
```perl
use File::Find;
use File::Basename;
use Cwd;

my $current = cwd;
find( \&pm_beneath, $current, );

sub pm_beneath {
    my $file     = $File::Find::name;
    my $days     = .1;                    # hard-coded threshold in days
    my $basename = basename($file);
    return if $file =~ /.*AppData.*/;
    # File::Find chdir()s into each directory and puts the entry's own name
    # in $_ ('.' for the starting directory), so the file test must use $_.
    # basename($file) is 'Fred' for the top directory, which does not exist
    # inside C:/Users/Fred, so -M returned undef there (the "uninitialized
    # value $access_age" warnings above).
    my $access_age = -M $_;
    return unless defined $access_age;    # stat failed: locked or no access
    return if ( $access_age > $days );
    print "$file\n";
    printf "$basename: M age in days: %.4f\n\n", $access_age;
}
```
The first thing I'd like to do is clear the warnings. A typical warning looks like this:
```text
Can't opendir(C:/Users/Fred/AppData/Local/Microsoft/Windows/Temporary Internet Files): Invalid argument at virus4.pl line 18.
```
I don't understand how this even made it past the return statement, but that aside, I'm to believe that I have an invalid argument in my find statement. I can only speculate what it might be. It could be my OS saying, "it's none of your business." Let's look at another example:
```text
Can't opendir(C:/Users/Fred/Documents/My Pictures): Invalid argument at virus4.pl line 18.
```
This one confuses me more, because, in my output, it shows the only directory I created in My Pictures in this time frame:
```text
C:/Users/Fred/Pictures/2016-12/z
z: M age in days: 0.0986
```
My first question is how to handle the warnings in a way that leaves no quarter for a trojan.
I learned a few things about my system. Am I correct to think that these are the drivers for my android phone?
```text
C:\Users\Fred>cd .android

C:\Users\Fred\.android>dir
 Volume in drive C is Windows8_OS
 Volume Serial Number is 3052-CD20

 Directory of C:\Users\Fred\.android

11/05/2016  09:28 PM    <DIR>          .
11/05/2016  09:28 PM    <DIR>          ..
11/05/2016  09:26 PM             1,704 adbkey
11/05/2016  09:26 PM               716 adbkey.pub
01/04/2012  04:06 PM               354 adb_usb.ini
11/05/2016  09:28 PM               137 androidwin.cfg
11/05/2016  09:26 PM    <DIR>          avd
11/05/2016  09:26 PM               114 ddms.cfg
               5 File(s)          3,025 bytes
               3 Dir(s)  42,990,264,320 bytes free

C:\Users\Fred\.android>
```
Can anyone speculate why I have this hidden file with nothing in it?
```text
05/02/2015  12:44 AM                 0 .perlcriticrc
```

Finally, as I post a program to fight software attackers, I have this ginormous sense of re-inventing the wheel. What perl tools already exist?
Thank you for your comment, and happy holidays,
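An added example (not Aldebaran's virus4.pl, and not from any module) showing one way to handle the two problems in the post: returning from the wanted callback does not stop File::Find from descending, so `$File::Find::prune` is used to skip AppData, and every directory is probed with `opendir` before File::Find reaches it, so the ones Windows refuses to list (the profile's compatibility junctions such as `Application Data`, `Cookies` and `My Documents`, which are the exact paths in the warnings above) are pruned and recorded for manual inspection instead of emitting warnings. The threshold of 0.1 days and starting in the current directory are assumed defaults; `no_chdir` makes `$_` the full path so `-M` works for the top directory too.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Find;
use Cwd qw(cwd);

# Assumed defaults: age threshold in days, then the directory to start in.
my $days = @ARGV ? shift @ARGV : 0.1;
my $top  = @ARGV ? shift @ARGV : cwd();

my @skipped;    # directories the walk could not list, with the OS error

find( { no_chdir => 1, wanted => \&check_entry }, $top );

sub check_entry {
    my $path = $_;    # with no_chdir => 1, $_ is the full path

    # Returning from wanted does NOT stop File::Find descending into a
    # directory; setting $File::Find::prune does. Skip AppData explicitly.
    if ( $path =~ m{[/\\]AppData(?:[/\\]|$)} ) {
        $File::Find::prune = 1;
        return;
    }

    if ( -d $path ) {
        # File::Find warns "Can't opendir(...)" when it reaches a directory
        # it cannot list. Probe it first; on failure prune and record the
        # path so it can be checked by hand rather than silently ignored.
        if ( !opendir( my $dh, $path ) ) {
            push @skipped, "$path: $!";
            $File::Find::prune = 1;
        }
        return;    # directories themselves are not reported
    }

    my $age = -M $path;
    return unless defined $age;    # stat failed: locked, vanished, denied
    return if $age > $days;
    printf "%s  modified %.4f days ago\n", $path, $age;
}

if (@skipped) {
    print "\nDirectories that could not be listed (inspect manually):\n";
    print "  $_\n" for @skipped;
}
```

Run it as `perl findnew.pl 0.1 C:/Users/Fred` (the file name is assumed); the trailing list is the set of places the script could not look, which is the information a "leave no quarter" sweep needs to keep rather than suppress.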
Replies are listed 'Best First'.

Re: how to handle the warnings in a find statement
  by Corion (Patriarch) on Dec 19, 2016 at 10:17 UTC
    by Aldebaran (Curate) on Dec 19, 2016 at 11:46 UTC
    by huck (Prior) on Dec 19, 2016 at 11:54 UTC
    by Aldebaran (Curate) on Dec 20, 2016 at 09:12 UTC
    by huck (Prior) on Dec 20, 2016 at 09:55 UTC

Re: how to handle the warnings in a find statement
  by huck (Prior) on Dec 19, 2016 at 10:50 UTC
    by Aldebaran (Curate) on Dec 19, 2016 at 11:21 UTC
    by huck (Prior) on Dec 19, 2016 at 12:15 UTC