Python Forum

I'm not a python programmer (or a programmer for that matter). But a python programmer wanted to try out something he coded, and without thinking I let him use my work laptop.

I need to make sure it won't have installed anything or left residue or, more importantly, given away continued remote access to the laptop through screen images, keylogging or other means (I don't think he'd do that, but... need to be sure!)

If you're able to help I can send you the file, which is about two pages in word (yeah, that's what non-programmers use to look at things!) I don't know if that's too much to post here.

I'm (almost) sure it's ok - but want to be safe. Help appreciated.

You can post it here in python tags. Please, use proper tags when post code, traceback, output, etc. See BBcode help for more info. Also windows for example doesn't have python installed, so if you are on windows, the may have installed python, etc.
Don't want to trouble your mind, but how do you know that this is only thing they tried? i.e. they may have installed something malicious (it may be not even python related at all)

Thanks so much - late here. I'll have a look tomorrow and work out how to post the code on here properly.

(Feb-23-2019, 10:06 AM)abstraction Wrote: [ -> ]Thanks so much - late here. I'll have a look tomorrow and work out how to post the code on here properly.

Not too hard you just wrap the code in tags [ python ]CODE_HERE[ /python ] without spaces.

import socket
import sys, os
hostname = socket.gethostname()    
IPAddr = socket.gethostbyname(hostname)
print(IPAddr)
from socket import socket
from threading import Thread
from zlib import compress
import pyautogui
from mss import mss
WIDTH, HEIGHT = pyautogui.size()
global input_action
input_action=0
actions= {1:"none",2:"move_mouse_to",3:"message_box",4:"quit_server",5:"right_click",6:"left_click",}
global par1
global par2
par1=0
par2=0
global parameter1
global parameter2
parameter1=0
parameter2=0
global Conn
Conn=0
global testvar
testvar=0
def starting_vars_height():
    global WIDTH
    global HEIGHT
    WIDTH, HEIGHT = pyautogui.size()
    WIDTH = WIDTH
    HEIGHT = HEIGHT
    return HEIGHT
def starting_vars_width():
    global WIDTH
    global HEIGHT
    WIDTH, HEIGHT = pyautogui.size()
    WIDTH = WIDTH
    HEIGHT = HEIGHT
    return WIDTH
global repear_times
repeat_times=0
global action_to_send
action_to_send=0
def retreive_screenshot(conn):
    global input_action
    global repeat_times
    global parameter1
    global parameter2
    global testvar
    
    HEIGHT=starting_vars_height()
    WIDTH=starting_vars_width()
    sock = socket()
    with mss() as sct:
        # The region to capture
        rect = {'top': 0, 'left': 0, 'width': WIDTH, 'height': HEIGHT}
        test_var = (WIDTH.bit_length() + 7) // 8
        print(WIDTH)
        WIDTH=str(WIDTH)
        HEIGHT=str(HEIGHT)
        test_var= bytes(WIDTH.encode())
        HEIGHT=bytes(HEIGHT.encode())
        
        
        while 'recording':
            input_action = conn.recv(1).decode()
            paramter1 = conn.recv(1).decode()
            paramter2 = conn.recv(1).decode()
            # Capture the screen
            img = sct.grab(rect)
            # Tweak the compression level here (0-9)
            pixels = compress(img.rgb, 6)
            
            # Send the size of the pixels length
            size = len(pixels)
            size_len = (size.bit_length() + 7) // 8
            conn.send(bytes([size_len]))

            # Send the actual pixels length
            size_bytes = size.to_bytes(size_len, 'big')
            conn.send(size_bytes)

            # Send pixels
            conn.sendall(pixels)
            conn.send(test_var)
            conn.send(HEIGHT)
            
            repeat_times+=0
            def act(a):
                if a == 1:
                    pass
                elif a == 2:
                    pass
                elif a == 3:
                    pass
                elif a == 4:
                    os._exit(0)
def main(host=IPAddr, port=5000):
    sock = socket()
    sock.bind((host, port))
    try:
        sock.listen(5)
        global conn
        while 'connected':
            conn, addr = sock.accept()
            thread = Thread(target=retreive_screenshot, args=(conn,))
            thread.start()
    finally:
        sock.close()


if __name__ == '__main__':

main()

---

So there's the program. What does it do? My quick look - i'm not a programmer, just googling - I think it can gain remote access to my laptop and take snapshots(?) of the screen. It seems to be importing other stuff...

The second question is -
Is there a way I can tell if there are any other python-coded programs on my laptop? eg, does it require python as you mentioned or other programs to be installed? And how do I detect python if it is installed?

Appreciate the help.

(Feb-23-2019, 09:23 PM)abstraction Wrote: [ -> ]What does it do? My quick look - i'm not a programmer, just googling - I think it can gain remote access to my laptop and take snapshots(?) of the screen. It seems to be importing other stuff...

i have very little experience with the socket module. So i am not saying it is doing this, but only what i think its doing. It looks like its taking a full screenshot and sending it to a remote location.

But then this makes you think there is more to it than that

actions= {1:"none",2:"move_mouse_to",3:"message_box",4:"quit_server",5:"right_click",6:"left_click",}

But this script never uses that variable "actions". But that doesnt mean another script importing this module doesnt.

Everything imported is a standard library or 3rd party library. But that doesnt mean another file is not importing this one.

mss is a screenshot library
https://pypi.org/project/mss/

The rest are standard python libraries for handling connections (sockets) and system (os, sys). Although it never uses sys module in this script.

pyautogui library controls mouse/keyboard
https://pypi.org/project/PyAutoGUI/

however this script only uses it to obtain the window size

Quote:

    WIDTH, HEIGHT = pyautogui.size()

(Feb-23-2019, 09:23 PM)abstraction Wrote: [ -> ]Is there a way I can tell if there are any other python-coded programs on my laptop? eg, does it require python as you mentioned or other programs to be installed? And how do I detect python if it is installed?

The simplest idea would be to just search for .py .pyc .pyd .pyo files.

Quote:.py - Regular script
.py3 - (rarely used) Python3 script. Python3 scripts usually end with ".py" not ".py3", but I have seen that a few times
.pyc - compiled script (Bytecode)
.pyo - optimized pyc file (As of Python3.5, Python will only use pyc rather than pyo and pyc)
.pyw - Python script to run in Windowed mode, without a console; executed with pythonw.exe
.pyx - Cython src to be converted to C/C++
.pyd - Python script made as a Windows DLL
.pxd - Cython script which is equivalent to a C/C++ header
.pxi - MyPy stub
.pyi - Stub file (PEP 484)
.pyz - Python script archive (PEP 441); this is a script containing compressed Python scripts (ZIP) in binary form after the standard Python script header
.pywz - Python script archive for MS-Windows (PEP 441); this is a script containing compressed Python scripts (ZIP) in binary form after the standard Python script header

I would first check to see if python is a program installed (if you have the option to uninstall it)
https://www.pcworld.com/article/2954296/...ws-10.html

Then i would check the path and see if it has python anywhere in it. Essentially you would be undoing this tutorial
https://python-forum.io/Thread-Basic-Set...-directory

But files doesnt need to have any TLD at all. You dont even have to have python installed to run them. He "could of" built it into an exe with python embedded into it. In that case python would be essentially invisible to the system. If python is not installed system wide it would be harder to find. For example portable python options. I would just search systemwide for python or just py even. Try not to update the system until afterwords (to avoid changing files yourself). Then note the time he had the laptop. Then search modified/created files.

Personally i would be cautious with that computer for sensitive data until you either wipe it clean or find and remove all trace of that program.

@metulburr explained more or less everything.
Couple of additional thoughts
1. Just having this script just sitting on your laptop (i.e. if it is not running in background) is not a problem.
2. The code structure, having globals all over the place, using if/esle block with pass (lines 90-98), inconsistent variable naming, etc. suggest whoever made this script is not very experienced. I would take this as confirmation for their claim they want ed to test something. Probably they wanted to run the server (this script) on different machine. Although to test client/server connection both client and server can be on same machine (i.e. they didn't need to take your computer for that, but maybe they didn'y know).

Nevertheless better remove the script and look for any suspicious software, that you don't know why it's there or who installed it

Thanks for your replies - really appreciated. Your instincts are very good.

He's young and experimenting - I don't think he'd do anything malicious. He said he just wanted to test it and it was a way of 'seeing a monitor on a different computer.' He started to install it and then said, 'oh, you don't have the program I need.' So in theory nothing happened.

POSSIBILITIES
1. It's exactly what he said. No harm done.
2. But when I was a teenager, if I could install something on someone's laptop to spy on it whenever I wanted, it would have been tempting. So I would have said the same thing to make them think it isn't installed. On that basis I assumed it's possible that it has installed, and it might even be able to do more than he said.

HOW TO TELL
If I run windows explorer search on the date and time that he installed it, I assume I should be able to identify any files? Or could it have gone behind the vision of explorer?

(Feb-25-2019, 04:10 AM)abstraction Wrote: [ -> ]HOW TO TELL
If I run windows explorer search on the date and time that he installed it, I assume I should be able to identify any files? Or could it have gone behind the vision of explorer?

I would definitely enable showing hidden files.
https://www.howtogeek.com/howto/windows-...ows-vista/