By default it scans the exe and fd/* symlinks, but you can add your own list too. The default Yara rule file is YaraRules/index.yar.
cd ~
sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install virtualenv git -y
git clone https://github.com/Saket-Upadhyay/ProcPuppy.git
cd ProcPuppy
virtualenv ProcPuppyEnv
source ProcPuppyEnv/bin/activate
pip install -r requirements.txt
deactivate
cd ~/ProcPuppy
source ProcPuppyEnv/bin/activate
python ProcPuppy.py
YARARULEFILE = "<YOUR VALID YARA FILE HERE>"
NUMBEROFTHREADS = <NUMBER OF THREADS YOU WANT, must be integer>
ENABLEYARAINCLUDE = <True/False>  (enables or disables the 'include' capability of the Yara compiler)
There are two ways to add your own rules:
You can either add an include statement to "YaraRules/index.yar", like:
include "PhPinImages"
include "CustomExeSig"
include "<path to your custom rule>"
(for this, ENABLEYARAINCLUDE must be set to True)
Or you can point the YARARULEFILE variable directly at your custom file.
Suggestion: if you are using multiple rule files, the first option is better. If you are using a single file with multiple rules defined in it, the second option is better.
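The following is an added example, not ProcPuppy's own code, illustrating both the configuration section (YARARULEFILE / ENABLEYARAINCLUDE) and the custom-rule options above. It resolves /proc/<pid>/exe and /proc/<pid>/fd/* to the distinct files a process holds open, then runs a matcher over them. yara_matcher assumes the yara-python package and mirrors the include switch via yara.compile's `includes` argument; substring_matcher, build_demo_tree and the constructed /proc-like tree (pid 4242, rule names php_tag_in_image / custom_exe_sig) are stand-ins so the example runs offline without touching real processes.

```python
"""Added example (not ProcPuppy's code): per-process exe/fd enumeration plus a
pluggable matcher, the two pieces a Yara process scan needs."""
import os
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

Matcher = Callable[[str], List[str]]  # file path -> names of rules that fired


def collect_targets(pid: int, proc_root: str = "/proc") -> Dict[str, str]:
    """Return {resolved_target: proc_link} for the exe and every fd of a process.

    Descriptors that are not files (sockets, pipes, anon inodes) have targets that
    are not absolute paths and are skipped. The value is the /proc link rather than
    the resolved path: opening the link still yields the original bytes when the
    binary was unlinked after start (target ends in ' (deleted)'), which a scan by
    resolved path would miss.
    """
    proc_dir = Path(proc_root) / str(pid)
    links = [proc_dir / "exe"]
    fd_dir = proc_dir / "fd"
    if fd_dir.is_dir():
        links += sorted(fd_dir.iterdir(), key=lambda p: p.name)
    targets: Dict[str, str] = {}
    for link in links:
        try:
            target = os.readlink(link)
        except OSError:
            continue  # process exited, or no permission (other users' fds need root)
        if not target.startswith("/"):
            continue  # 'socket:[1234]', 'pipe:[5678]', 'anon_inode:[eventfd]' ...
        targets.setdefault(target, str(link))  # same file via two fds: keep first link
    return targets


def yara_matcher(rule_file: str, includes: bool) -> Matcher:
    """Compile a Yara index/rule file with yara-python (assumed installed).
    includes=False makes 'include' directives a compile error, mirroring
    ENABLEYARAINCLUDE=False."""
    import yara  # imported lazily so the rest of the example runs without it
    rules = yara.compile(filepath=rule_file, includes=includes)
    return lambda path: [m.rule for m in rules.match(filepath=path)]


def substring_matcher(signatures: Dict[str, bytes]) -> Matcher:
    """Dependency-free stand-in for a compiled rule set: a rule fires when its
    byte pattern occurs anywhere in the file."""
    def match(path: str) -> List[str]:
        with open(path, "rb") as fh:
            data = fh.read()
        return [name for name, pat in signatures.items() if pat in data]
    return match


def scan_pid(pid: int, matcher: Matcher, proc_root: str = "/proc") -> Dict[str, List[str]]:
    """Run the matcher over every distinct file the process holds; return hits only."""
    hits: Dict[str, List[str]] = {}
    for target, link in collect_targets(pid, proc_root).items():
        try:
            fired = matcher(link)
        except OSError:
            continue  # file vanished between readlink and open
        if fired:
            hits[target] = fired
    return hits


def build_demo_tree() -> str:
    """Constructed /proc-like tree in a temp dir (no real processes): pid 4242 whose
    exe is a benign binary, fd 0 a socket, fd 1 and 2 the same log file, and fd 3
    an image carrying an embedded PHP open tag. Returns the fake proc root."""
    root = Path(tempfile.mkdtemp())
    app = root / "usr/bin/app"
    log = root / "var/log/app.log"
    img = root / "tmp/upload.png"
    for f, body in ((app, b"\x7fELF benign"), (log, b"started\n"),
                    (img, b"\x89PNG\r\n\x1a\n" + b"<?php echo 'probe'; ?>")):
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(body)
    fd = root / "proc/4242/fd"
    fd.mkdir(parents=True)
    os.symlink(str(app), root / "proc/4242/exe")
    os.symlink("socket:[31337]", fd / "0")
    os.symlink(str(log), fd / "1")
    os.symlink(str(log), fd / "2")
    os.symlink(str(img), fd / "3")
    return str(root / "proc")


def demo() -> Dict[str, List[str]]:
    """Scan the constructed process with stand-in rules; only the image should hit."""
    rules = substring_matcher({"php_tag_in_image": b"<?php", "custom_exe_sig": b"EVIL"})
    return scan_pid(4242, rules, proc_root=build_demo_tree())


if __name__ == "__main__":
    print(demo())
```

To use real rules, swap substring_matcher for yara_matcher("YaraRules/index.yar", includes=True); with includes=False the same index file fails to compile as soon as it contains an include line, which is the check the ENABLEYARAINCLUDE setting controls.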
Tested on:
- Ubuntu 20.4
- WSL 2.0 on Windows 10 Pro for Workstations 21H1 BUILD:19043.1288
Will be discussed at PyCode Conference 2021 (Online). See Saket-Upadhyay/Talks_and_Presentation for the presentation slides and credits.
exploit.png: the 'in-image PHP' payload in the "Test Malicious App" folder was created using CUPPS.
Thanks to macrovector for the base puppy vector in the logo; I downloaded it from www.freepik.com and edited it for my use.