
BONOMEN – Hunt for Malware Critical Process Impersonation.


How it works
The purpose of this tool is to detect process name impersonation using the Damerau-Levenshtein distance. For example, a malware process could run under the name chr0me (note the 0 in place of o), which makes it harder to notice that the process is possibly malicious.

To detect a process that tries to stay stealthy by impersonating a process name, bonomen reads all the running processes on your system and compares their names with the trusted processes you provided in a file.

The processes you trust should be listed in a file provided to bonomen at runtime with the -f command line option; otherwise bonomen looks for the default file default_procs.txt. Every process should be written on a separate line, following the format:

process name;threshold;executable path
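As an added example (not bonomen's own code), the same idea in Rust: an optimal-string-alignment Damerau-Levenshtein distance, a parser for the process name;threshold;executable path line format, and a scan that flags running names that are within a trusted entry's threshold but not identical to it. The names, thresholds and paths in the sample input are constructed.

```rust
/// Edit distance with insert, delete, substitute and adjacent transposition (OSA variant).
pub fn damerau_levenshtein(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let (n, m) = (a.len(), b.len());
    let mut d = vec![vec![0usize; m + 1]; n + 1];
    for i in 0..=n { d[i][0] = i; }
    for j in 0..=m { d[0][j] = j; }
    for i in 1..=n {
        for j in 1..=m {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            d[i][j] = (d[i - 1][j] + 1).min(d[i][j - 1] + 1).min(d[i - 1][j - 1] + cost);
            if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1] {
                d[i][j] = d[i][j].min(d[i - 2][j - 2] + 1); // e.g. "chrmoe" vs "chrome"
            }
        }
    }
    d[n][m]
}
/// One line of the trusted-process file: `process name;threshold;executable path`.
pub struct Trusted { pub name: String, pub threshold: usize, pub path: String }
pub fn parse_line(line: &str) -> Option<Trusted> {
    let mut parts = line.splitn(3, ';');
    let name = parts.next()?.trim().to_string();
    let threshold: usize = parts.next()?.trim().parse().ok()?;
    let path = parts.next()?.trim().to_string();
    Some(Trusted { name, threshold, path })
}
/// Running names that are not an exact trusted name but lie within its threshold.
pub fn find_impersonators(running: &[&str], trusted: &[Trusted]) -> Vec<(String, String, usize)> {
    let mut hits = Vec::new();
    for r in running {
        for t in trusted {
            let dist = damerau_levenshtein(r, &t.name);
            if dist > 0 && dist <= t.threshold {
                hits.push((r.to_string(), t.name.clone(), dist)); // (running, trusted, distance)
            }
        }
    }
    hits
}
fn main() {
    let file = "chrome;2;/usr/bin/chrome\nsshd;1;/usr/sbin/sshd"; // constructed sample file
    let trusted: Vec<Trusted> = file.lines().filter_map(parse_line).collect();
    let running = ["chrome", "chr0me", "sshd", "ssdh", "bash"]; // constructed process list
    for (r, t, d) in find_impersonators(&running, &trusted) {
        println!("{} looks like {} (distance {})", r, t, d);
    }
}
```

A threshold of 0 in the file disables fuzzy matching for that entry, while a large threshold will also flag unrelated short names, so per-process thresholds are worth tuning.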

Bonomen version: 0.1.1

Requirements
+ Unix OS (developed and tested on Debian GNU/Linux 8 32/64-bit, Ubuntu 14.04-16.04 LTS).
+ Rust programming language (developed with Rust 1.13.0), if you want to compile the code yourself.
+ File containing system-critical processes in the following format:

process name;threshold;process executable absolute path

Usage and install from source:

Install the Rust toolchain:
curl https://sh.rustup.rs -sSf | sh

git clone https://github.com/ner0x652/bonomen && cd bonomen
cargo build
cd target/debug
./bonomen
BONOMEN needs root privileges to read process executable paths.

Source: https://github.com/ner0x652
