核心功能模块
- 哈希计算模块:通过 SHA-256 算法计算文件的哈希值,用于唯一标识文件内容。
- 基线构建模块:遍历指定目录下的所有文件,计算哈希值并保存到 JSON 文件中,形成初始基线。
- 文件监控模块:使用
watchdog库监控文件系统事件,当文件被修改时触发相应处理。 - 篡改检测模块:对比当前文件哈希值与基线哈希值,发现不一致时判定为篡改。
- 日志记录模块:将篡改事件记录到日志文件中,同时在控制台输出警告信息
python代码展示
import os
import hashlib
import json
import time
import argparse
from datetime import datetime
from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandlerdef calculate_hash(file_path):hasher = hashlib.sha256()try:with open(file_path, 'rb') as f:while chunk := f.read(8192):hasher.update(chunk)return hasher.hexdigest()except Exception as e:return Nonedef build_baseline(monitor_folder, hash_db_file):hash_dict = {}for root, _, files in os.walk(monitor_folder):for file in files:full_path = os.path.join(root, file)rel_path = os.path.relpath(full_path, monitor_folder)if os.path.abspath(full_path) == os.path.abspath(hash_db_file):continuefile_hash = calculate_hash(full_path)if file_hash:hash_dict[rel_path] = file_hashwith open(hash_db_file, 'w', encoding='utf-8') as f:json.dump(hash_dict, f, indent=4, ensure_ascii=False)print(f"✅ 哈希基线已建立:{hash_db_file}")def load_baseline(hash_db_file):if not os.path.exists(hash_db_file):return {}with open(hash_db_file, 'r', encoding='utf-8') as f:return json.load(f)class TamperAlertHandler(FileSystemEventHandler):def __init__(self, monitor_folder, hash_db_file):self.monitor_folder = monitor_folderself.hash_db_file = hash_db_fileself.log_file_path = os.path.join(monitor_folder, "篡改记录.txt")def log_tamper(self, rel_path):now = datetime.now().strftime("%Y-%m-%d %H:%M:%S")with open(self.log_file_path, "a", encoding="utf-8") as f:f.write(f"[{now}] 文件被篡改:{rel_path}\n")def on_modified(self, event):if event.is_directory:returnrel_path = os.path.relpath(event.src_path, self.monitor_folder)if os.path.abspath(event.src_path) == os.path.abspath(self.hash_db_file):returncurrent_hash = calculate_hash(event.src_path)baseline = load_baseline(self.hash_db_file)if rel_path in baseline:if current_hash and current_hash != baseline[rel_path]:print(f"🚨 警告:文件被篡改:{rel_path}")self.log_tamper(rel_path)else:print(f"🆕 新增或未知文件被修改:{rel_path}")def start_monitor(monitor_folder, hash_db_file):print(f"🚀 正在监控文件夹:{monitor_folder}")event_handler = TamperAlertHandler(monitor_folder, hash_db_file)observer = Observer()observer.schedule(event_handler, monitor_folder, recursive=True)observer.start()try:while True:time.sleep(1)except KeyboardInterrupt:observer.stop()observer.join()def main():parser = argparse.ArgumentParser(description="简单文件篡改监控工具")parser.add_argument('--folder', type=str, required=True, help='要监控的文件夹路径')parser.add_argument('--hash', type=str, default='hash_baseline.json', help='基线哈希记录文件名(可选)')args = parser.parse_args()monitor_folder = args.folderhash_db_file = os.path.join(monitor_folder, args.hash)if not os.path.exists(hash_db_file):build_baseline(monitor_folder, hash_db_file)start_monitor(monitor_folder, hash_db_file)if __name__ == "__main__":main()
执行条件:
1、使用parcham生成exe文件
2、wsxa_sign_v0.exe --folder "D:\WX\1" --hash "hash_baseline.json"
)
