防篡改小工具监测被该文件

核心功能模块

1. 哈希计算模块：通过 SHA-256 算法计算文件的哈希值，用于唯一标识文件内容。
2. 基线构建模块：遍历指定目录下的所有文件，计算哈希值并保存到 JSON 文件中，形成初始基线。
3. 文件监控模块：使用 watchdog 库监控文件系统事件，当文件被修改时触发相应处理。
4. 篡改检测模块：对比当前文件哈希值与基线哈希值，发现不一致时判定为篡改。
5. 日志记录模块：将篡改事件记录到日志文件中，同时在控制台输出警告信息

python代码展示

import os
import hashlib
import json
import time
import argparse
from datetime import datetime
from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandlerdef calculate_hash(file_path):hasher = hashlib.sha256()try:with open(file_path, 'rb') as f:while chunk := f.read(8192):hasher.update(chunk)return hasher.hexdigest()except Exception as e:return Nonedef build_baseline(monitor_folder, hash_db_file):hash_dict = {}for root, _, files in os.walk(monitor_folder):for file in files:full_path = os.path.join(root, file)rel_path = os.path.relpath(full_path, monitor_folder)if os.path.abspath(full_path) == os.path.abspath(hash_db_file):continuefile_hash = calculate_hash(full_path)if file_hash:hash_dict[rel_path] = file_hashwith open(hash_db_file, 'w', encoding='utf-8') as f:json.dump(hash_dict, f, indent=4, ensure_ascii=False)print(f"✅ 哈希基线已建立：{hash_db_file}")def load_baseline(hash_db_file):if not os.path.exists(hash_db_file):return {}with open(hash_db_file, 'r', encoding='utf-8') as f:return json.load(f)class TamperAlertHandler(FileSystemEventHandler):def __init__(self, monitor_folder, hash_db_file):self.monitor_folder = monitor_folderself.hash_db_file = hash_db_fileself.log_file_path = os.path.join(monitor_folder, "篡改记录.txt")def log_tamper(self, rel_path):now = datetime.now().strftime("%Y-%m-%d %H:%M:%S")with open(self.log_file_path, "a", encoding="utf-8") as f:f.write(f"[{now}] 文件被篡改：{rel_path}\n")def on_modified(self, event):if event.is_directory:returnrel_path = os.path.relpath(event.src_path, self.monitor_folder)if os.path.abspath(event.src_path) == os.path.abspath(self.hash_db_file):returncurrent_hash = calculate_hash(event.src_path)baseline = load_baseline(self.hash_db_file)if rel_path in baseline:if current_hash and current_hash != baseline[rel_path]:print(f"🚨 警告：文件被篡改：{rel_path}")self.log_tamper(rel_path)else:print(f"🆕 新增或未知文件被修改：{rel_path}")def start_monitor(monitor_folder, hash_db_file):print(f"🚀 正在监控文件夹：{monitor_folder}")event_handler = TamperAlertHandler(monitor_folder, hash_db_file)observer = Observer()observer.schedule(event_handler, monitor_folder, recursive=True)observer.start()try:while True:time.sleep(1)except KeyboardInterrupt:observer.stop()observer.join()def main():parser = argparse.ArgumentParser(description="简单文件篡改监控工具")parser.add_argument('--folder', type=str, required=True, help='要监控的文件夹路径')parser.add_argument('--hash', type=str, default='hash_baseline.json', help='基线哈希记录文件名（可选）')args = parser.parse_args()monitor_folder = args.folderhash_db_file = os.path.join(monitor_folder, args.hash)if not os.path.exists(hash_db_file):build_baseline(monitor_folder, hash_db_file)start_monitor(monitor_folder, hash_db_file)if __name__ == "__main__":main()

执行条件：

1、使用parcham生成exe文件

2、wsxa_sign_v0.exe --folder "D:\WX\1" --hash "hash_baseline.json"