Once a hacker has gained entry to a network through a physical PC on company premises, one of the first things she would do is steal important documents and data and save them to a USB drive. I know that big corporations have rules strictly forbidding anyone from inserting a USB drive into any network-connected PC on their premises, but they barely do anything to enforce those rules, so employees and guests are still able to do it freely.
Today I have created two Python programs that at least detect a flash drive (or any removable drive) being plugged in and unplugged, and detect changes in the file system (files created, deleted or modified).
These two programs are very basic; they can be enhanced further to include more sophisticated features.
Here is the code:
1. File System Changes Detection program:
```python
import time
from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler


class OnMyWatch:
    # Set the directory on watch
    watchDirectory = '.'

    def __init__(self):
        self.observer = Observer()

    def run(self):
        event_handler = Handler()
        self.observer.schedule(event_handler, self.watchDirectory, recursive=True)
        self.observer.start()
        try:
            # Keep the main thread alive; the observer runs in its own thread
            while True:
                time.sleep(5)
        except KeyboardInterrupt:
            self.observer.stop()
            print("Observer Stopped")
        self.observer.join()


class Handler(FileSystemEventHandler):
    @staticmethod
    def on_any_event(event):
        if event.is_directory:
            return None
        elif event.event_type == 'created':
            # Event is created, you can process it now
            print("Watchdog received created event - %s." % event.src_path)
        elif event.event_type == 'modified':
            # Event is modified, you can process it now
            print("Watchdog received modified event - %s." % event.src_path)
        elif event.event_type == 'deleted':
            # Event is deleted, you can process it now
            print("Watchdog received deleted event - %s." % event.src_path)


if __name__ == '__main__':
    watch = OnMyWatch()
    watch.run()
```
2. Detect Plugging/Unplugging of Removable Drives:
```python
import os
import time
from datetime import datetime

# Windows-only: enables ANSI colour handling in the console
os.system("color")

while True:
    now = datetime.now()
    # wmic is Windows-only; drivetype=2 selects removable disks.
    # When none are present, wmic prints "No Instance(s) Available." instead of a header row.
    Usb = os.popen("wmic logicaldisk where drivetype=2 get description ,deviceid ,volumename").read()
    print(Usb)
    if Usb.find("DeviceID") != -1:
        print("Usb is plugged")
        print("\r", end="", flush=True)
    else:
        print("Usb is not plugged")
        print("\r", end="", flush=True)
    time.sleep(1)
```
I combined the two programs:
```python
import os
import time
from datetime import datetime
from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler

# Windows-only: enables ANSI colour handling in the console
os.system("color")


class Handler(FileSystemEventHandler):
    @staticmethod
    def on_any_event(event):
        if event.is_directory:
            return None
        elif event.event_type == 'created':
            # Event is created, you can process it now
            print("Watchdog received created event - %s." % event.src_path)
            print("\r", end="", flush=True)
        elif event.event_type == 'modified':
            # Event is modified, you can process it now
            print("Watchdog received modified event - %s." % event.src_path)
            print("\r", end="", flush=True)


# Set the directory on watch
watchDirectory = '.'
observer = Observer()
event_handler = Handler()
observer.schedule(event_handler, watchDirectory, recursive=True)
observer.start()

try:
    while True:
        now = datetime.now()
        print("%s/%s/%s %s:%s:%s" % (now.month, now.day, now.year, now.hour, now.minute, now.second))
        print("\r", end="", flush=True)
        # wmic is Windows-only; drivetype=2 selects removable disks
        Usb = os.popen("wmic logicaldisk where drivetype=2 get description ,deviceid ,volumename").read()
        print(Usb)
        if Usb.find("DeviceID") != -1:
            print("Usb is plugged")
            print("\r", end="", flush=True)
        else:
            print("Usb is not plugged")
            print("\r", end="", flush=True)
        time.sleep(1)
except KeyboardInterrupt:
    # Stop the watchdog thread cleanly on Ctrl+C
    observer.stop()
    observer.join()
```
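The polling loop above only reports whether any removable drive is present. As an added example (not the author's code), the version below parses wmic's CSV output per drive and diffs successive polls, so each plug or unplug is logged with the drive letter and volume label; the sample wmic outputs are constructed, and the header-driven parsing assumes only that wmic's `/format:csv` output carries a `DeviceID`, `Size` and `VolumeName` header row.

```python
import csv
import subprocess
import time
from datetime import datetime

# CSV output is header-labelled, so parsing does not depend on column widths or order.
WMIC_CMD = ["wmic", "logicaldisk", "where", "drivetype=2",
            "get", "deviceid,volumename,size", "/format:csv"]

# Constructed sample outputs standing in for real wmic runs (not captured from a live host).
SAMPLE_EMPTY = "No Instance(s) Available.\r\n"
SAMPLE_ONE = ("\r\nNode,DeviceID,Size,VolumeName\r\n"
              "WORKSTATION-01,E:,15518924800,KINGSTON\r\n")
SAMPLE_TWO = SAMPLE_ONE + "WORKSTATION-01,F:,62008590336,\r\n"

def parse_wmic_csv(text):
    """Map each removable DeviceID to its label and size from wmic /format:csv output."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].startswith("No Instance"):
        return {}
    drives = {}
    for row in csv.DictReader(lines):
        dev = row.get("DeviceID")
        if dev:
            drives[dev] = {"volume": row.get("VolumeName") or "",
                           "size": row.get("Size") or "0"}
    return drives

def diff_snapshots(prev, curr):
    """Compare two polls and emit (kind, DeviceID, volume label) plug/unplug events."""
    events = [("plugged", d, curr[d]["volume"]) for d in sorted(set(curr) - set(prev))]
    events += [("unplugged", d, prev[d]["volume"]) for d in sorted(set(prev) - set(curr))]
    return events

def poll_forever(interval=1.0):
    """Windows-only loop: same polling idea as the post, but logging which drive changed."""
    prev = {}
    while True:
        out = subprocess.run(WMIC_CMD, capture_output=True, text=True).stdout
        curr = parse_wmic_csv(out)
        for kind, dev, vol in diff_snapshots(prev, curr):
            stamp = datetime.now().isoformat(timespec="seconds")
            print("%s removable drive %s %s (label '%s')" % (stamp, dev, kind, vol))
        prev = curr
        time.sleep(interval)

if __name__ == "__main__":
    poll_forever()
```

The drive letter from each "plugged" event is exactly what the watchdog observer should be scheduled on, so file activity on the removable drive itself, rather than on the current directory, is what gets recorded.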