NAME

HoneyClient::Agent::Integrity::Filesystem - Perl extension to perform static checks of the Windows OS filesystem.

VERSION

This documentation refers to HoneyClient::Agent::Integrity::Filesystem version 0.98.

SYNOPSIS

  use HoneyClient::Agent::Integrity::Filesystem;
  use Data::Dumper;

  # Create the filesystem object.  Upon creation, the object will
  # be initialized, by performing a baseline of the filesystem.
  my $filesystem = HoneyClient::Agent::Integrity::Filesystem->new();

  # ... Some time elapses ...

  # Check the filesystem, for any violations.
  my $changes = $filesystem->check();

  if (!defined($changes)) {
      print "No filesystem changes have occurred.\n";
  } else {
      print "Filesystem has changed:\n";
      print Dumper($changes);
  }

  # $changes refers to an array of hashtable references, where
  # each hashtable has the following format:
  #
  # $changes = [ {
  #     # Indicates if the filesystem entry was deleted,
  #     # added, or changed.
  #     'status' => $STATUS_DELETED | $STATUS_ADDED | $STATUS_MODIFIED,
  #     'name'  => 'C:\WINDOWS\SYSTEM32...',
  #     'mtime' => 'YYYY-MM-DD HH:MM:SS', # new mtime for added/modified files;
  #                                       # old mtime for deleted files
  #
  #     # content will only exist for added/modified files
  #     'content' => {
  #         'size' => 1263,                                       # size of new content 
  #         'type' => 'application/octect-stream',                # type of new content
  #         'md5'  => 'b1946ac92492d2347c6235b4d2611184',         # md5  of new content
  #         'sha1' => 'f572d396fae9206628714fb2ce00f72e94f2258f', # sha1 of new content
  #     },
  # }, ]

DESCRIPTION

This library allows the Integrity module to easily baseline and check the Windows OS filesystem for any changes that may occur, while instrumenting a target application.

DEFAULT PARAMETER LIST

When a Filesystem $object is instantiated using the new() function, the following parameters are supplied default values. Each value can be overridden by specifying the new (key => value) pair into the new() function, as arguments.

bypass_baseline

When set to 1, the object will forgo any type of initial baselining process, upon initialization. Otherwise, baselining will occur as normal, upon initialization.

baseline_analysis

An array of hashtables used to hold the file analysis information, for the baseline filesystem operation.

monitored_directories

The base list of drives, directories, and/or files to monitor.

ignored_entries

The list of regular expressions that match drives, directories, and/or files to exclude from analysis.

METHODS IMPLEMENTED

The following functions have been implemented by any Filesystem object.

HoneyClient::Agent::Integrity::Filesystem->new($param => $value, ...)

Creates a new Filesystem object, which contains a hashtable containing any of the supplied "param => value" arguments. Upon creation, the Filesystem object performs a baseline of the Windows filesystem.

Inputs: $param is an optional parameter variable. $value is $param's corresponding value.

Note: If any $param(s) are supplied, then an equal number of corresponding $value(s) must also be specified.

Output: The instantiated Filesystem $object, fully initialized.

$object->check(no_prepare => $no_prepare)

Checks the filesystem for various changes, based upon the filesystem baseline, when the new() method was invoked.

Inputs: $no_prepare is an optional parameter, specifying the output format of the changes found.

Output: $changes, which is an array of hashtable references, where each hashtable has the following format:

  If $no_prepare == 1, then the format will be:

  $changes = [ {
      # Indicates if the filesystem entry was deleted,
      # added, or changed.
      'status' => $STATUS_DELETED | $STATUS_ADDED | $STATUS_MODIFIED,

      # If the entry has been added/changed, then this 
      # hashtable contains the file/directory's new information.
      'new' => {
          'name'  => 'C:\WINDOWS\SYSTEM32...',
          'size'  => 1263, # in bytes
          'mtime' => 1178135092, # modification time, seconds since epoch
      },

      # If the entry has been deleted/changed, then this
      # hashtable contains the file/directory's old information.
      'old' => {
          'name'  => 'C:\WINDOWS\SYSTEM32...',
          'size'  => 802, # in bytes
          'mtime' => 1178135028, # modification time, seconds since epoch
      },
  }, ]

  Otherwise, the format will be:

  $changes = [ {
      # Indicates if the filesystem entry was deleted,
      # added, or changed.
      'status' => $STATUS_DELETED | $STATUS_ADDED | $STATUS_MODIFIED,
      'name'  => 'C:\WINDOWS\SYSTEM32...',
      'mtime' => 'YYYY-MM-DD HH:MM:SS', # new mtime for added/modified files;
                                        # old mtime for deleted files

      # content will only exist for added/modified files
      'content' => {
          'size' => 1263,                                       # size of new content 
          'type' => 'application/octet-stream',                 # type of new content
          'md5'  => 'b1946ac92492d2347c6235b4d2611184',         # md5  of new content
          'sha1' => 'f572d396fae9206628714fb2ce00f72e94f2258f', # sha1 of new content
      },
  }, ]

Notes: If $no_prepare != 1 or $no_prepare == undef, then the outputted changes will NEVER refer to any directories. All the changes will correspond to individual files.

BUGS & ASSUMPTIONS

This library performs STATIC checks of the Windows filesystem. If malware modifies the filesystem between the time the $object->new() and $object->check() methods are called, then this library may FAIL to detect those changes if:

Malware writes itself to one of the regions of the filesystem that is excluded. See the <HoneyClient/><Agent/><Integrity/><exclude_list/> element, in the etc/honeyclient.xml file.
Malware writes itself to a monitored region of the filesystem but reverses all its activity (including self-deletion).

This library also only monitors FILE changes. Thus, if malware manipulates EMPTY DIRECTORIES or SYMLINKS on the system, then this library will NOT report those changes.

REPORTING BUGS

http://www.honeyclient.org/trac/newticket

ACKNOWLEDGEMENTS

Mark-Jason Dominus <mjd-perl-diff@plover.com>, Ned Konz <perl@bike-nomad.com>, and Tye McQueen, for using their Algorithm::Diff code.

AUTHORS

Xeno Kovah, <xkovah@mitre.org>

Darien Kindlund, <kindlund@mitre.org>

Brad Stephenson, <stephenson@mitre.org>

COPYRIGHT & LICENSE

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, using version 2 of the License.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

To install HoneyClient::Agent, copy and paste the appropriate command in to your terminal.

cpanm

cpanm HoneyClient::Agent

CPAN shell

perl -MCPAN -e shell
install HoneyClient::Agent

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)