# Using Hash to identify changes in critical directories

Stealthy malware can infect a critical directory such as the drivers directory using forged certificates, and no one would be much the wiser. This piece of code aims to alert the user when there has been a change in any critical directory, for example drivers, so the user can decide whether an authorized update was scheduled. If no update was scheduled, there is a good chance that a malicious driver has made its way onto the victim's computer.

Attribution for utility functions: 

get_digest() taken from user Mitar @ https://stackoverflow.com/questions/22058048/hashing-a-file-in-python

Repeated code execution loop taken from user Dave Rove @ https://stackoverflow.com/questions/474528/what-is-the-best-way-to-repeatedly-execute-a-function-every-x-seconds



In [2]:
import hashlib #Importing the hashlib library 

def get_digest(file_path):  #This function takes a file path and converts it into a hash. Attribution above.
    h = hashlib.sha256()

    with open(file_path, 'rb') as file:
        while True:
            # Reading is buffered, so we can read smaller chunks.
            chunk = file.read(h.block_size)
            if not chunk:
                break
            h.update(chunk)

    return h.hexdigest()

In [3]:
import time    # Time library
starttime = time.time()
hash_list = [] # Stores the current and the previous hashes in order to ascertain whether a file was changed.
               # Can be cleared at periodic intervals to prevent it from taking extra space.
i = -1         # Counter variable
while True:
    file_path = 'drivers_test/driver.txt' # Path to file
    file_hash = get_digest(file_path)     # Hash of file
    print(f"Hash of file: {file_path} is {file_hash}") # For demonstration
    hash_list.append(file_hash) # Storing current hash in list
    i += 1   # Update counter
    print(i) # Display counter
    # Comparison starts once two hashes are available; alert if current and previous hashes don't match.
    if len(hash_list) >= 2 and hash_list[i] != hash_list[i-1]:
        print("Change in drivers detected. Was an authorized update scheduled? ")
        break
    # If they match (or this is the first reading), repeat after a 1 second delay.
    # This value can be adjusted as needed. Attributed above.
    time.sleep(1.0 - ((time.time() - starttime) % 1.0))



Hash of file: drivers_test/driver.txt is 666c6b5281657a2167439a1e3d994fdb86a71becd3e34f65296f91e70b4b9e0b
0
Hash of file: drivers_test/driver.txt is 666c6b5281657a2167439a1e3d994fdb86a71becd3e34f65296f91e70b4b9e0b
1
Hash of file: drivers_test/driver.txt is 666c6b5281657a2167439a1e3d994fdb86a71becd3e34f65296f91e70b4b9e0b
2
Hash of file: drivers_test/driver.txt is 666c6b5281657a2167439a1e3d994fdb86a71becd3e34f65296f91e70b4b9e0b
3
Hash of file: drivers_test/driver.txt is 666c6b5281657a2167439a1e3d994fdb86a71becd3e34f65296f91e70b4b9e0b
4
Hash of file: drivers_test/driver.txt is 666c6b5281657a2167439a1e3d994fdb86a71becd3e34f65296f91e70b4b9e0b
5
Hash of file: drivers_test/driver.txt is 666c6b5281657a2167439a1e3d994fdb86a71becd3e34f65296f91e70b4b9e0b
6
Hash of file: drivers_test/driver.txt is 666c6b5281657a2167439a1e3d994fdb86a71becd3e34f65296f91e70b4b9e0b
7
Hash of file: drivers_test/driver.txt is 666c6b5281657a2167439a1e3d994fdb86a71becd3e34f65296f91e70b4b9e0b
8
Hash of file: drivers_test/d
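The cell above watches a single file and compares each hash only with the previous reading. The following added example (not part of the original notebook) generalizes this to a whole directory tree: it records a trusted baseline of SHA-256 digests for every file and then reports which files were added, removed or modified. The `sha256_file`, `snapshot`, `compare` and `demo` names and the temporary `drivers` tree are constructed for this illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 65536  # read in 64 KiB pieces so large driver binaries are not loaded whole


def sha256_file(path):
    """SHA-256 hex digest of one file (same idea as the notebook's get_digest)."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        while chunk := f.read(CHUNK):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory):
    """Map every file under directory (recursively) to its digest, keyed by POSIX-style relative path."""
    root = Path(directory)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob('*')) if p.is_file()}


def compare(baseline, current):
    """Diff two snapshots: files that appeared, disappeared, or changed content."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {'added': added, 'removed': removed, 'modified': modified}


def demo():
    """Constructed scenario (not a real driver store): baseline a tree, then apply three kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp) / 'drivers'
        (drivers / 'net').mkdir(parents=True)
        (drivers / 'disk.sys').write_bytes(b'disk driver v1')
        (drivers / 'net' / 'nic.sys').write_bytes(b'nic driver v1')
        (drivers / 'old.sys').write_bytes(b'legacy driver')
        baseline = snapshot(drivers)  # trusted state, e.g. recorded right after an authorized update
        # Unexpected activity: one file altered, one dropped in, one removed.
        (drivers / 'disk.sys').write_bytes(b'disk driver v1 plus appended bytes')
        (drivers / 'net' / 'unexpected.sys').write_bytes(b'not in the baseline')
        (drivers / 'old.sys').unlink()
        return compare(baseline, snapshot(drivers))


if __name__ == '__main__':
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Comparing against a stored baseline rather than only the previous reading also catches a change that happened while the monitor was not running, provided the baseline itself is kept where the monitored host cannot silently rewrite it.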


