security_software.sh | Incostent output produced when multiple args are passed

[darmado]

Expected behavior

• Regardless of the arg and arg=opt sequence, they must return an output for each function call.

Actual behavior

─➤  sh security_software.sh  --av=ps --ost=ps

---
Antivirus Check (ps):
---
25500 ??        39:44.52 /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/MacOS/RTProtectionDaemon -i Malwarebytes-Mac-5.6.0.1748.pkg
65821 ??         0:24.12 /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/FrontendAgent.app/Contents/MacOS/FrontendAgent
65830 ??         5:03.71 /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/SettingsDaemon.app/Contents/MacOS/SettingsDaemon
---
OST Check (ps):
---
41934 ??         0:00.38 /System/Library/PrivateFrameworks/DoNotDisturbServer.framework/Support/donotdisturbd
╭─darmado@LAB02-DA001 ~/Opensource/darmado/attack-macOS/TTP/Discovery  ‹main*›
╰─➤  sh security_software.sh  --av=ps --ost=ps --av=dir

---
Antivirus Check (dir):
---
/Applications/Malwarebytes.app
---
OST Check (ps):
---
41934 ??         0:00.38 /System/Library/PrivateFrameworks/DoNotDisturbServer.framework/Support/donotdisturbd
╭─darmado@LAB02-DA001 ~/Opensource/darmado/attack-macOS/TTP/Discovery  ‹main*›
╰─➤  sh security_software.sh  --av=ps --ost=ps --edr=ps

---
Antivirus Check (ps):
---
25500 ??        39:58.99 /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/MacOS/RTProtectionDaemon -i Malwarebytes-Mac-5.6.0.1748.pkg
65821 ??         0:24.16 /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/FrontendAgent.app/Contents/MacOS/FrontendAgent
65830 ??         5:04.05 /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/SettingsDaemon.app/Contents/MacOS/SettingsDaemon
---
OST Check (ps):
---
41934 ??         0:00.38 /System/Library/PrivateFrameworks/DoNotDisturbServer.framework/Support/donotdisturbd
╭─darmado@LAB02-DA001 ~/Opensource/darmado/attack-macOS/TTP/Discovery  ‹main*›
╰─➤
╭─darmado@LAB02-DA001 ~/Opensource/darmado/attack-macOS/TTP/Discovery  ‹main*›
╰─➤  sh security_software.sh  --av=ps --ost=ps --ost=dir

---
Antivirus Check (ps):
---
25500 ??        40:07.06 /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/MacOS/RTProtectionDaemon -i Malwarebytes-Mac-5.6.0.1748.pkg
65821 ??         0:24.17 /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/FrontendAgent.app/Contents/MacOS/FrontendAgent
65830 ??         5:04.26 /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/SettingsDaemon.app/Contents/MacOS/SettingsDaemon
---
OST Check (ps):
---
41934 ??         0:00.38 /System/Library/PrivateFrameworks/DoNotDisturbServer.framework/Support/donotdisturbd
---
OST Check (dir):
---
/Applications/KnockKnock.app
╭─darmado@LAB02-DA001 ~/Opensource/darmado/attack-macOS/TTP/Discovery  ‹main*›
╰─➤  sh security_software.sh  --av=ps --ost=ps --ost=dir --av=dir

---
Antivirus Check (dir):
---
/Applications/Malwarebytes.app
---
OST Check (ps):
---
41934 ??         0:00.38 /System/Library/PrivateFrameworks/DoNotDisturbServer.framework/Support/donotdisturbd
---
OST Check (dir):
---
/Applications/KnockKnock.app
╭─darmado@LAB02-DA001 ~/Opensource/darmado/attack-macOS/TTP/Discovery  ‹main*›
╰─➤
╭─darmado@LAB02-DA001 ~/Opensource/darmado/attack-macOS/TTP/Discovery  ‹main*›
╰─➤  sh security_software.sh  --av=dir --av=ps  --ost=ps --ost=dir

---
Antivirus Check (ps):
---
25500 ??        40:15.99 /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/MacOS/RTProtectionDaemon -i Malwarebytes-Mac-5.6.0.1748.pkg
65821 ??         0:24.19 /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/FrontendAgent.app/Contents/MacOS/FrontendAgent
65830 ??         5:04.49 /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/SettingsDaemon.app/Contents/MacOS/SettingsDaemon
---
OST Check (ps):
---
41934 ??         0:00.38 /System/Library/PrivateFrameworks/DoNotDisturbServer.framework/Support/donotdisturbd
---
OST Check (dir):
---
/Applications/KnockKnock.app

[darmado]

Root Cause: T Was in the check_antivirus function,

• I appended \n, within each function call before it's sentr to $output which overwrote the $output var strings before main() . The intent was to make it look a little pretty.

  the fix: For each funct ion, we modified the output accumulation from

output+=$'\n\n'$(command) to result=$(command); if [ -n "$result" ];

to:

output+="$result"$'\n'; fi,

NOTE:

• to preserve the prettiness without f*ing up --encode and --encrypt args, I passed the \n over to main() and Also, the separate loops for each check type were replaced with a single loop that processes all arguments in a fixed order.

  `for check in "$@"; do
  case "$check" in
      --av=*)
          tool="${check#*=}"
          output+="${separator}Antivirus Check ($tool):${separator}"
          output+=$(check_antivirus "$tool")
          ;;
      --ost=*)
          tool="${check#*=}"
          output+="${separator}OST Check ($tool):${separator}"
          output+=$(check_ost "$tool")
          ;;
      # ... (other check types)
  esac
  done`

• see screen shots