├── .gitignore ├── README.md ├── build.bat ├── cmd ├── AvHunt.go ├── all.go ├── root.go ├── scan.go └── uninstall.go ├── go.mod ├── go.sum ├── main.go ├── pkg ├── avRecon │ ├── collect.go │ ├── directory.go │ ├── drivers_windows.go │ ├── edrdata.go │ ├── filechecker_windows.go │ ├── privilege.go │ ├── process_windows.go │ ├── registry.go │ └── services_windows.go ├── resources │ ├── edrRecon.go │ ├── scan_edr.go │ └── systemdata.go ├── scanners │ ├── cn_scan_360.go │ ├── cn_scan_Panda.go │ ├── cn_scan_Tencentguanjia.go │ ├── cn_scan_aliyundun.go │ ├── cn_scan_antian.go │ ├── cn_scan_baidu.go │ ├── cn_scan_d99net.go │ ├── cn_scan_huorong.go │ ├── cn_scan_hws.go │ ├── cn_scan_jiangmin.go │ ├── cn_scan_jinshan.go │ ├── cn_scan_mozhe.go │ ├── cn_scan_rising.go │ ├── cn_scan_safedog.go │ ├── cn_scan_tianqing.go │ ├── cn_scan_topsecedr.go │ ├── cn_scan_yaxin.go │ ├── cn_scan_yunsuo.go │ ├── scan_bitdefender.go │ ├── scan_carbonblack.go │ ├── scan_checkpoint.go │ ├── scan_crowdstrike.go │ ├── scan_cybereason.go │ ├── scan_cylance.go │ ├── scan_cynet.go │ ├── scan_deepinstinct.go │ ├── scan_elastic.go │ ├── scan_eset.go │ ├── scan_fireeye.go │ ├── scan_fortinet.go │ ├── scan_kaspersky.go │ ├── scan_limacharlie.go │ ├── scan_malwarebytes.go │ ├── scan_mcafee.go │ ├── scan_qualys.go │ ├── scan_sentinelone.go │ ├── scan_sophos.go │ ├── scan_symantec.go │ ├── scan_trendmicro.go │ ├── scan_win_defender.go │ └── scanner.go └── util │ └── util.go └── release ├── AvHunt.exe └── AvHunt32.exe /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | TEMP.txt -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AvHunt-杀毒软件识别 2 | [AvHunt](https://github.com/Goqi/AvHunt)是[EDRHunt](https://github.com/FourCoreLabs/EDRHunt)的修改版,添加多个杀毒软件的识别,更容易识别中国的杀毒软件! 3 | 4 | ## Usage 5 | 6 | - Find installed EDRs 7 | 8 | ``` 9 | $ AvHunt.exe scan 10 | [EDR] 11 | Detected EDR: Windows Defender 12 | Detected EDR: 奇虎360 Defender 13 | Detected EDR: 金山毒霸 Defender 14 | Detected EDR: 安全狗 Defender 15 | ``` 16 | 17 | - Scan Everything 18 | 19 | ``` 20 | $ AvHunt.exe all 21 | ``` 22 | 23 | - Find services matching EDR keywords 24 | 25 | ``` 26 | $ AvHunt.exe -s 27 | ``` 28 | 29 | - Find drivers matching EDR keywords 30 | 31 | ``` 32 | $ AvHunt.exe -d 33 | ``` 34 | 35 | - Find registry keys matching EDR keywords 36 | 37 | ``` 38 | $ AvHunt.exe -r 39 | ``` 40 | 41 | ## AvHunt 42 | 43 | AvHunt Detections Currently Available 44 | 45 | - 火绒 46 | - 天擎 47 | - 360 48 | - 金山毒霸 49 | - 安全狗 50 | - 云锁椒图 51 | - 腾讯电脑管家 52 | - 天融信EDR 53 | - 瑞星杀毒 54 | - 江民杀毒 55 | - 安天杀毒 56 | - 百度杀毒 57 | - D盾 58 | - 护卫神 59 | - 墨者安全 60 | - 亚信安全 61 | - 阿里云盾 62 | - 熊猫卫士 63 | 64 | 以下待更新 65 | 66 | - 深信服EDR 67 | - 绿盟EDR 68 | 69 | ## EDRHunt 70 | 71 | EDRHunt Detections Currently Available 72 | 73 | - Windows Defender 74 | - Kaspersky Security 75 | - Symantec Security 76 | - Crowdstrike Security 77 | - Mcafee Security 78 | - Cylance Security 79 | - Carbon Black 80 | - SentinelOne 81 | - FireEye 82 | - Elastic EDR 83 | - Qualys EDR 84 | - Trend Micro EDR 85 | - ESET EDR 86 | - Cybereason EDR 87 | - BitDefender EDR 88 | - Checkpoint EDR 89 | - Cynet EDR 90 | - DeepInstinct EDR 91 | - Sophos EDR 92 | - Fortinet EDR 93 | - MalwareBytes EDR 94 | - LimaCharlie Agent 95 | 96 | ## Todo 97 | 98 | - https://github.com/wwl012345/AVCheck -------------------------------------------------------------------------------- /build.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | go build -ldflags "-w -s" -o release/AvHunt.exe main.go 3 | 4 | @echo off 5 | SET CGO_ENABLED=0 6 | SET GOOS=windows 7 | SET GOARCH=386 8 | go build -ldflags "-w -s" -o release/AvHunt32.exe main.go 9 | -------------------------------------------------------------------------------- /cmd/AvHunt.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "AvHunt/pkg/avRecon" 5 | "AvHunt/pkg/resources" 6 | "AvHunt/pkg/scanners" 7 | "context" 8 | "fmt" 9 | "os" 10 | 11 | "github.com/Gogods/cobra" 12 | ) 13 | 14 | var ( 15 | drivers bool 16 | processes bool 17 | services bool 18 | registry bool 19 | all bool 20 | versionStr = "1.0" 21 | versionCheck bool 22 | ) 23 | 24 | func AvHunt() { 25 | fmt.Println("作者:0e0w | 版本:", versionStr, "\n网址:https://github.com/Goqi/AvHunt\n说明:一款简单好用的杀毒软件识别程序,暂时支持39个杀软的识别!\n") 26 | if err := rootCmd.Execute(); err != nil { 27 | fmt.Println(err) 28 | os.Exit(1) 29 | } 30 | } 31 | 32 | func scanEDRCommand(cmd *cobra.Command, args []string) { 33 | //fmt.Println("[AV]") 34 | systemData, _ := avRecon.GetSystemData(context.Background()) 35 | 36 | for _, scanner := range scanners.Scanners { 37 | _, ok := scanner.Detect(systemData) 38 | if ok { 39 | fmt.Printf("发现杀软: %s\n", scanner.Name()) 40 | } 41 | } 42 | } 43 | 44 | func edrCommand(cmd *cobra.Command, args []string) { 45 | if avRecon.CheckIfAdmin() { 46 | fmt.Println("目前在管理员权限模式下运行.\nAvHunt.exe -h 查看帮助文档.") 47 | } else { 48 | fmt.Println("目前在普通用户模式下运行,用管理员权限运行可以获得更多详细信息.\nAvHunt.exe -h 查看帮助文档.") 49 | } 50 | 51 | if all { 52 | processes = true 53 | drivers = true 54 | services = true 55 | registry = true 56 | fmt.Println("Scanning processes, services, drivers, and registry...") 57 | } 58 | 59 | if processes { 60 | fmt.Println("[PROCESSES]") 61 | summary, _ := avRecon.CheckProcesses() 62 | printProcess(summary) 63 | fmt.Println() 64 | } 65 | if drivers { 66 | fmt.Println("[DRIVERS]") 67 | summary, _ := avRecon.CheckDrivers() 68 | printDrivers(summary) 69 | fmt.Println() 70 | } 71 | if services { 72 | fmt.Println("[SERVICES]") 73 | summary, _ := avRecon.CheckServices() 74 | printServices(summary) 75 | fmt.Println() 76 | } 77 | if registry { 78 | fmt.Println("[REGISTRY]") 79 | summary, _ := avRecon.CheckRegistry(context.Background()) 80 | printRegistry(summary) 81 | fmt.Println() 82 | } 83 | } 84 | 85 | func printProcess(summary []resources.ProcessMetaData) { 86 | for _, process := range summary { 87 | fmt.Printf("Suspicious Process Name: %s\n", process.ProcessName) 88 | fmt.Printf("Description: %s\n", process.ProcessDescription) 89 | fmt.Printf("Caption: %s\n", process.ProcessCaption) 90 | fmt.Printf("Binary: %s\n", process.ProcessPath) 91 | fmt.Printf("ProcessID: %s\n", process.ProcessPID) 92 | fmt.Printf("Parent Process: %s\n", process.ProcessParentPID) 93 | fmt.Printf("Process CmdLine: %s\n", process.ProcessCmdLine) 94 | fmt.Printf("File Metadata: \t%s\n", avRecon.FileMetaDataParser(process.ProcessExeMetaData)) 95 | fmt.Printf("Matched Keyword: %s\n", process.ScanMatch) 96 | fmt.Println() 97 | } 98 | } 99 | 100 | func printServices(summary []resources.ServiceMetaData) { 101 | for _, service := range summary { 102 | fmt.Printf("Suspicious Service Name: %s\n", service.ServiceName) 103 | fmt.Printf("Display Name: %s\n", service.ServiceDisplayName) 104 | fmt.Printf("Caption: %s\n", service.ServiceCaption) 105 | fmt.Printf("CommandLine: %s\n", service.ServicePathName) 106 | fmt.Printf("Status: %s\n", service.ServiceState) 107 | fmt.Printf("ProcessID: %s\n", service.ServiceProcessId) 108 | fmt.Printf("File Metadata: \t%s\n", avRecon.FileMetaDataParser(service.ServiceExeMetaData)) 109 | fmt.Printf("Matched Keyword: %s\n", service.ScanMatch) 110 | fmt.Println() 111 | } 112 | } 113 | 114 | func printRegistry(summary resources.RegistryMetaData) { 115 | fmt.Println("Scanning registry: ") 116 | for _, match := range summary.ScanMatch { 117 | fmt.Printf("\t%s\n", match) 118 | } 119 | fmt.Println() 120 | } 121 | 122 | func printDrivers(summary []resources.DriverMetaData) { 123 | for _, driver := range summary { 124 | fmt.Printf("Suspicious Driver Module: %s\n", driver.DriverBaseName) 125 | fmt.Printf("Driver FilePath: %s\n", driver.DriverFilePath) 126 | fmt.Printf("Driver File Metadata: \t%s\n", avRecon.FileMetaDataParser(driver.DriverSysMetaData)) 127 | fmt.Printf("Matched Keyword: %s\n", driver.ScanMatch) 128 | fmt.Println() 129 | } 130 | } 131 | -------------------------------------------------------------------------------- /cmd/all.go: -------------------------------------------------------------------------------- 1 | /* 2 | 0 error(s),0 warning(s) 3 | Team:0e0w Security Team 4 | Author:0e0wTeam[at]gmail.com 5 | Datetime:2022/12/24 8:49 6 | */ 7 | 8 | package cmd 9 | 10 | import "github.com/Gogods/cobra" 11 | 12 | var allCmd = &cobra.Command{ 13 | Use: "all", 14 | Short: "scan installed antivirus", 15 | Long: `scan edrs and show system data`, 16 | Run: allCommand, 17 | } 18 | 19 | func allCommand(cmd *cobra.Command, args []string) { 20 | all = true 21 | edrCommand(cmd, args) 22 | scanEDRCommand(cmd, args) 23 | } 24 | -------------------------------------------------------------------------------- /cmd/root.go: -------------------------------------------------------------------------------- 1 | /* 2 | 0 error(s),0 warning(s) 3 | Team:0e0w Security Team 4 | Author:0e0wTeam[at]gmail.com 5 | Datetime:2022/12/24 8:58 6 | */ 7 | 8 | package cmd 9 | 10 | import "github.com/Gogods/cobra" 11 | 12 | var rootCmd = &cobra.Command{ 13 | Use: "AvHunt", 14 | Short: "scans EDR/AV", 15 | Long: `EDRHunt scans and finds the installed EDR/AV by scanning services, processes, registry, and drivers.`, 16 | Run: edrCommand, 17 | } 18 | 19 | func init() { 20 | rootCmd.PersistentFlags().BoolVarP(&drivers, "drivers", "d", drivers, "Scan installed drivers") 21 | rootCmd.PersistentFlags().BoolVarP(&processes, "processes", "p", processes, "Scan installed processes") 22 | rootCmd.PersistentFlags().BoolVarP(&services, "services", "s", services, "Scan installed services") 23 | rootCmd.PersistentFlags().BoolVarP(®istry, "registry", "r", registry, "Scan installed registry") 24 | //rootCmd.PersistentFlags().BoolVarP(&versionCheck, "version", "v", versionCheck, "Output version information and exit") 25 | 26 | rootCmd.AddCommand(uninstallCmd) 27 | rootCmd.AddCommand(scanCmd) 28 | rootCmd.AddCommand(allCmd) 29 | } 30 | -------------------------------------------------------------------------------- /cmd/scan.go: -------------------------------------------------------------------------------- 1 | /* 2 | 0 error(s),0 warning(s) 3 | Team:0e0w Security Team 4 | Author:0e0wTeam[at]gmail.com 5 | Datetime:2022/12/24 8:51 6 | */ 7 | 8 | package cmd 9 | 10 | import ( 11 | "github.com/Gogods/cobra" 12 | ) 13 | 14 | var scanCmd = &cobra.Command{ 15 | Use: "scan", 16 | Short: "scan installed antivirus", 17 | Long: `scan edrs`, 18 | Run: scanEDRCommand, 19 | } 20 | -------------------------------------------------------------------------------- /cmd/uninstall.go: -------------------------------------------------------------------------------- 1 | /* 2 | 0 error(s),0 warning(s) 3 | Team:0e0w Security Team 4 | Author:0e0wTeam[at]gmail.com 5 | Datetime:2022/12/24 8:57 6 | */ 7 | 8 | package cmd 9 | 10 | import ( 11 | "fmt" 12 | "github.com/Gogods/cobra" 13 | ) 14 | 15 | var uninstallCmd = &cobra.Command{ 16 | Use: "uninstall", 17 | Short: "Uninstall antivirus software", 18 | Long: `avRecon uninstall`, 19 | Run: uninstallCommand, 20 | } 21 | 22 | func uninstallCommand(cmd *cobra.Command, args []string) { 23 | fmt.Printf("待更新发布!\n") 24 | } 25 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module AvHunt 2 | 3 | go 1.19 4 | 5 | require ( 6 | github.com/Gogods/cobra v1.6.2 7 | github.com/bi-zone/go-fileversion v1.0.0 8 | github.com/hashicorp/go-multierror v1.1.1 9 | github.com/inconshreveable/mousetrap v1.1.0 10 | github.com/spf13/pflag v1.0.5 11 | github.com/yusufpapurcu/wmi v1.2.2 12 | ) 13 | 14 | require ( 15 | github.com/Gogods/pflag v0.0.0-20221115102352-9c9ef4b61b14 // indirect 16 | github.com/go-ole/go-ole v1.2.6 // indirect 17 | github.com/hashicorp/errwrap v1.0.0 // indirect 18 | golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3 // indirect 19 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 // indirect 20 | ) 21 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/Gogods/cobra v1.6.2 h1:XkQKVZfspOz+w7zTNt5FNSqZXRZarvL8vS0Z0tjaevo= 2 | github.com/Gogods/cobra v1.6.2/go.mod h1:jo7DGsCB1TEMXdLpT5HvZ/U7HmtpEJnvlPquhfC6bpQ= 3 | github.com/Gogods/pflag v0.0.0-20221115102352-9c9ef4b61b14 h1:LKF++9IQ52FMA4FrG7MPmjrWs3KJu3CZr2wZaHmEwzg= 4 | github.com/Gogods/pflag v0.0.0-20221115102352-9c9ef4b61b14/go.mod h1:Du7Wff2ULmvrrVtqXpYyGhCRigUKsyE1Ow78ZFG4oWs= 5 | github.com/bi-zone/go-fileversion v1.0.0 h1:N/sorBKYfWDjT5ySlUOxSJvG3g9XiaBKxXgHGfH5Wf8= 6 | github.com/bi-zone/go-fileversion v1.0.0/go.mod h1:evMpx4TA/iTAtufWYK271/Mbr5JAL24vlu1WNjVef6s= 7 | github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY= 8 | github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= 9 | github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= 10 | github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 11 | github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= 12 | github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= 13 | github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= 14 | github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= 15 | github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 16 | github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= 17 | github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPRg= 18 | github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= 19 | golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3 h1:7TYNF4UdlohbFwpNH04CoPMp1cHUZgO1Ebq5r2hIjfo= 20 | golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 21 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc= 22 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 23 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | /* 2 | 0 error(s),0 warning(s) 3 | Team:0e0w Security Team 4 | Author:0e0wTeam[at]gmail.com 5 | Datetime:2022/12/20 9:55 6 | */ 7 | 8 | package main 9 | 10 | import "AvHunt/cmd" 11 | 12 | func main() { 13 | cmd.AvHunt() 14 | } 15 | -------------------------------------------------------------------------------- /pkg/avRecon/collect.go: -------------------------------------------------------------------------------- 1 | package avRecon 2 | 3 | import ( 4 | "context" 5 | "fmt" 6 | 7 | "AvHunt/pkg/resources" 8 | ) 9 | 10 | // GetSystemData collects the parsed list of processes, services, drivers and registry keys to be used for EDR heuristics. 11 | func GetSystemData(ctx context.Context) (resources.SystemData, error) { 12 | var err error 13 | var systemData resources.SystemData 14 | 15 | systemData.Processes, err = CheckProcesses() 16 | if err != nil { 17 | return systemData, fmt.Errorf("failed to check processes: %w", err) 18 | } 19 | 20 | systemData.Services, err = CheckServices() 21 | if err != nil { 22 | return systemData, fmt.Errorf("failed to check services: %w", err) 23 | } 24 | 25 | systemData.Registry, err = CheckRegistry(ctx) 26 | if err != nil { 27 | return systemData, fmt.Errorf("failed to check registry: %w", err) 28 | } 29 | 30 | systemData.Drivers, err = CheckDrivers() 31 | if err != nil { 32 | return systemData, fmt.Errorf("failed to check drivers: %w", err) 33 | } 34 | 35 | return systemData, nil 36 | } 37 | -------------------------------------------------------------------------------- /pkg/avRecon/directory.go: -------------------------------------------------------------------------------- 1 | package avRecon 2 | 3 | import "fmt" 4 | 5 | func CheckDirectory() (string, error) { 6 | return "", fmt.Errorf("directory scan is not implemented: unnecessarily slow, genrates false positives, also, monitoring command line so, reduntant, again") 7 | } 8 | -------------------------------------------------------------------------------- /pkg/avRecon/drivers_windows.go: -------------------------------------------------------------------------------- 1 | package avRecon 2 | 3 | import ( 4 | "errors" 5 | "fmt" 6 | "strings" 7 | "syscall" 8 | "unicode/utf16" 9 | "unsafe" 10 | 11 | "AvHunt/pkg/resources" 12 | "github.com/hashicorp/go-multierror" 13 | ) 14 | 15 | var ( 16 | // Library 17 | libpsapi uintptr 18 | // Functions 19 | enumDeviceDrivers uintptr 20 | getDeviceDriverBaseName uintptr 21 | getDeviceDriverFileName uintptr 22 | numberOfDrivers uint 23 | driverAddrs []uintptr 24 | ) 25 | 26 | type DWORD uint32 27 | type LPVOID uintptr 28 | type LPVOIDARR []byte 29 | type LPWSTR *uint16 30 | 31 | type UTF16Slice struct { 32 | Data unsafe.Pointer 33 | Len int 34 | Cap int 35 | } 36 | 37 | func init() { 38 | // Library 39 | libpsapi = doLoadLibrary("psapi.dll") 40 | // Functions 41 | enumDeviceDrivers = doGetProcAddress(libpsapi, "EnumDeviceDrivers") 42 | getDeviceDriverBaseName = doGetProcAddress(libpsapi, "GetDeviceDriverBaseNameW") 43 | getDeviceDriverFileName = doGetProcAddress(libpsapi, "GetDeviceDriverFileNameW") 44 | } 45 | 46 | func doLoadLibrary(name string) uintptr { 47 | lib, _ := syscall.LoadLibrary(name) 48 | return uintptr(lib) 49 | } 50 | 51 | func doGetProcAddress(lib uintptr, name string) uintptr { 52 | addr, _ := syscall.GetProcAddress(syscall.Handle(lib), name) 53 | return uintptr(addr) 54 | } 55 | 56 | func syscall3(trap, nargs, a1, a2, a3 uintptr) uintptr { 57 | ret, _, _ := syscall.Syscall(trap, nargs, a1, a2, a3) 58 | return ret 59 | } 60 | 61 | // func syscall6(trap, nargs, a1, a2, a3, a4, a5, a6 uintptr) uintptr { 62 | // ret, _, _ := syscall.Syscall6(trap, nargs, a1, a2, a3, a4, a5, a6) 63 | // return ret 64 | // } 65 | 66 | // dodgy function: may cause BOF 67 | func UTF16PtrToString(p *uint16) string { 68 | defer func() { 69 | if r := recover(); r != nil { 70 | return 71 | } 72 | }() 73 | 74 | if p == nil { 75 | return "" 76 | } 77 | if *p == 0 { 78 | return "" 79 | } 80 | 81 | // Find NUL terminator. 82 | n := 0 83 | for ptr := unsafe.Pointer(p); *(*uint16)(ptr) != 0; n++ { 84 | ptr = unsafe.Pointer(uintptr(ptr) + unsafe.Sizeof(*p)) 85 | } 86 | 87 | var s []uint16 88 | h := (*UTF16Slice)(unsafe.Pointer(&s)) 89 | h.Data = unsafe.Pointer(p) 90 | h.Len = n 91 | h.Cap = n 92 | 93 | return string(utf16.Decode(s)) 94 | } 95 | 96 | func EnumDeviceDrivers(lpImageBase []uintptr, cb DWORD, lpcbNeeded *uint32) bool { 97 | ret1 := syscall3(enumDeviceDrivers, 3, 98 | uintptr(unsafe.Pointer(&lpImageBase[0])), 99 | uintptr(cb), 100 | uintptr(unsafe.Pointer(lpcbNeeded))) 101 | return ret1 != 0 102 | } 103 | 104 | func GetDeviceDriverBaseName(imageBase LPVOID, lpBaseName []uint16, nSize DWORD) DWORD { 105 | ret1 := syscall3(getDeviceDriverBaseName, 3, 106 | uintptr(unsafe.Pointer(imageBase)), 107 | uintptr(unsafe.Pointer(&lpBaseName[0])), 108 | uintptr(nSize)) 109 | return DWORD(ret1) 110 | } 111 | 112 | func GetDeviceDriverFileName(imageBase uintptr, lpFilename []uint16, nSize DWORD) DWORD { 113 | defer func() { 114 | if err := recover(); err != nil { 115 | fmt.Println("failure in GetDeviceDriverFilename") 116 | fmt.Println(err) 117 | return 118 | } 119 | }() 120 | 121 | ret1 := syscall3(getDeviceDriverFileName, 3, 122 | imageBase, 123 | uintptr(unsafe.Pointer(&lpFilename[0])), 124 | uintptr(nSize)) 125 | return DWORD(ret1) 126 | } 127 | 128 | func GetSizeOfDriversArray() (uint32, error) { 129 | var bytesNeeded uint32 130 | // Golang null structs. 131 | nullBase := make([]uintptr, 1) 132 | success := EnumDeviceDrivers(nullBase, 0, &bytesNeeded) 133 | if !success { 134 | return 0, fmt.Errorf("failed to get size of Driver Array, errorcode : %v", syscall.GetLastError()) 135 | } 136 | return bytesNeeded, nil 137 | } 138 | 139 | func GetDriverFileName(driverAddrs uintptr) (string, error) { 140 | data := make([]uint16, 1024) 141 | 142 | if driverAddrs == 0 { 143 | return "", errors.New("nil driver address uintptr") 144 | } 145 | 146 | result := GetDeviceDriverFileName(driverAddrs, data, DWORD(1000)) 147 | if result == 0 { 148 | return "", fmt.Errorf("failed to get device driver file name: %v", syscall.GetLastError()) 149 | } 150 | 151 | return syscall.UTF16ToString(data), nil 152 | } 153 | 154 | func GetDriverBaseName(driverAddrs uintptr) (string, error) { 155 | data := make([]uint16, 1024) 156 | 157 | if driverAddrs == 0 { 158 | return "", errors.New("nil driver address uintptr") 159 | } 160 | 161 | result := GetDeviceDriverBaseName(LPVOID(driverAddrs), data, DWORD(1000)) 162 | if result == 0 { 163 | return "", fmt.Errorf("failed to get device driver file name: %v", syscall.GetLastError()) 164 | } 165 | 166 | return syscall.UTF16ToString(data), nil 167 | } 168 | 169 | func IterateOverDrivers(numberOfDrivers uint, driverAddrs []uintptr) ([]resources.DriverMetaData, error) { 170 | var ( 171 | multiErr error 172 | summary []resources.DriverMetaData = make([]resources.DriverMetaData, 0) 173 | ) 174 | 175 | for _, addr := range driverAddrs { 176 | driverFileName, err := GetDriverFileName(addr) 177 | if err != nil { 178 | multiErr = multierror.Append(multiErr, err) 179 | continue 180 | } 181 | 182 | driverBaseName, err := GetDriverBaseName(addr) 183 | if err != nil { 184 | multiErr = multierror.Append(multiErr, err) 185 | continue 186 | } 187 | 188 | if driverBaseName == "" { 189 | continue 190 | } 191 | 192 | output, err := AnalyzeDriver(driverFileName, driverBaseName) 193 | if err != nil { 194 | multiErr = multierror.Append(multiErr, err) 195 | } 196 | 197 | if len(output.ScanMatch) > 0 { 198 | summary = append(summary, output) 199 | } 200 | } 201 | 202 | return summary, multiErr 203 | } 204 | 205 | func AnalyzeDriver(driverFileName string, driverBaseName string) (resources.DriverMetaData, error) { 206 | fixedDriverPath := strings.ToLower(driverFileName) 207 | fixedDriverPath = strings.Replace(fixedDriverPath, `\systemroot\`, `c:\windows\`, -1) 208 | if strings.HasPrefix(fixedDriverPath, `\windows\`) { 209 | fixedDriverPath = strings.Replace(fixedDriverPath, `\windows\`, `c:\windows\`, -1) 210 | } else if strings.HasPrefix(fixedDriverPath, `\??\`) { 211 | fixedDriverPath = strings.Replace(fixedDriverPath, `\??\`, ``, -1) 212 | } 213 | 214 | analysis := resources.DriverMetaData{ 215 | DriverBaseName: driverBaseName, 216 | DriverFilePath: fixedDriverPath, 217 | ScanMatch: make([]string, 0), 218 | } 219 | 220 | analysis.DriverSysMetaData, _ = GetFileMetaData(fixedDriverPath) 221 | 222 | for _, edr := range EdrList { 223 | // regexp as alternate but saving another import. No bully. 224 | if strings.Contains( 225 | strings.ToLower(fmt.Sprint(analysis)), 226 | strings.ToLower(edr)) { 227 | analysis.ScanMatch = append(analysis.ScanMatch, edr) 228 | } 229 | } 230 | 231 | return analysis, nil 232 | } 233 | 234 | // CheckDrivers return a list of drivers matching any suspicious driver names present in edrdata.go. 235 | func CheckDrivers() ([]resources.DriverMetaData, error) { 236 | var drivers []resources.DriverMetaData = make([]resources.DriverMetaData, 0) 237 | 238 | sizeOfDriverArrayInBytes, err := GetSizeOfDriversArray() 239 | if err != nil { 240 | return drivers, err 241 | } 242 | 243 | sizeOfOneDriverAddress := uint(unsafe.Sizeof(uintptr(0))) 244 | 245 | numberOfDrivers = uint(sizeOfDriverArrayInBytes) / sizeOfOneDriverAddress 246 | driverAddrs = make([]uintptr, numberOfDrivers) 247 | 248 | success := EnumDeviceDrivers(driverAddrs, DWORD(sizeOfDriverArrayInBytes), &sizeOfDriverArrayInBytes) 249 | if !success { 250 | return drivers, fmt.Errorf("failed to enumerate device drivers, error code: %w", syscall.GetLastError()) 251 | } 252 | 253 | drivers, err = IterateOverDrivers(numberOfDrivers, driverAddrs) 254 | if err != nil { 255 | return drivers, err 256 | } 257 | 258 | return drivers, nil 259 | } 260 | -------------------------------------------------------------------------------- /pkg/avRecon/edrdata.go: -------------------------------------------------------------------------------- 1 | package avRecon 2 | 3 | // var ( 4 | // EdrList = []string{} 5 | // RegistryReconList = []string{} 6 | // RegistrySearchList = []string{} 7 | // key = []byte("obscurityisablessing") 8 | // ) 9 | 10 | // var obfEdrList = []string{ 11 | // "0e01070a03170a1b171a1c0d07", 12 | // "0e0f000a5b160518", 13 | // "0e0c070a551f08180e080104", 14 | // "0e0c070a581f08180e080104", 15 | // "0e0c070a18130503181b16", 16 | // "0e0c070a550400060c1a", 17 | // "0e0c070a580400060c1a", 18 | // "0e0c070a031b1b010a", 19 | // "0e120310101c1a11", 20 | // "0e17070b011319", 21 | // "0e14121001", 22 | // "0e141600011d", 23 | // "0c031d02070b", 24 | // "0c0301011a1c0b18180a18", 25 | // "0c0301011a1c49161508100a", 26 | // "0c005d060d17", 27 | // "0c0b00001a130404", 28 | // "0c0b00001a52081909", 29 | // "0c0d060d01171b171c1907", 30 | // "0c0d060d01171b00180a18", 31 | // "0c10120e0100080d", 32 | // "0c1000100311", 33 | // "0c101c1411011d06100216", 34 | // "0c111204101c1d", 35 | // "0c1115021911061a", 36 | // "0c11000b101e05", 37 | // "0c1b1106071708071607", 38 | // "0c1b100f1a00081918", 39 | // "0c1b1f021b110c", 40 | // "0c1b1c13011b0a07", 41 | // "0c1b061311131d11", 42 | // "0c1b05060713", 43 | // "0c1b000607040c06", 44 | // "0c1b0711140b", 45 | // "0b030108010008171c", 46 | // "0b0715061b16191b100707", 47 | // "0b0715061b160c06", 48 | // "0a071017071e", 49 | // "0a0e1210011b0a", 50 | // "0a0c1704141f0c", 51 | // "094f000616071b11", 52 | // "090d01001002061d171d", 53 | // "090b0106100b0c", 54 | // "08101c161b16051d170e", 55 | // "2830211010001f1d1a", 56 | // "060c001310111d1b0b", 57 | // "0614120d011b", 58 | // "0403001310001a1f00", 59 | // "030310161b13", 60 | // "030d14111d0b1d1c14", 61 | // "02031f1414000c", 62 | // "02031d071c130700", 63 | // "020112051017", 64 | // "020d01131d1b1a111a", 65 | // "0211121016070018", 66 | // "02111e13101c0e", 67 | // "010b00100704", 68 | // "000f1d0a", 69 | // "000f1d0a14150c1a0d", 70 | // "00110216100010", 71 | // "3f031f0c5533050016493d04161b0a01181a", 72 | // "1f0516131a010c060f001004", 73 | // "1f05001a06060c190d1b1218", 74 | // "1f101a151c1e0c131c0e06001008", 75 | // "1f101c0002130518", 76 | // "1f101c1710111d1b0b1a1613140506", 77 | // "1e1012071400", 78 | // "1d071700191d081f", 79 | // "1c07101607171e1b0b0200", 80 | // "1c071016071b1d0d110c120d16041616011f07040a", 81 | // "1c071e0f14070717111a05", 82 | // "1c071d171c1c0c18", 83 | // "1c07030f1c040c01090d1215", 84 | // "1c0b000a11011a110b1f1a0207", 85 | // "1c0b000a05011a110b1f1a0207", 86 | // "1c0b000a05011c001005", 87 | // "1c0f104d100a0c", 88 | // "1c0f1004001b", 89 | // "1c0c12004346", 90 | // "1c0d030b1a01", 91 | // "1c121f161b19", 92 | // "1c10071005", 93 | // "1c1b1e021b060c17", 94 | // "1c1b1e001a001901", 95 | // "1c1b1e0613131a1d", 96 | // "1c1b000a1b060c0617081f", 97 | // "1c1b000e1a1c", 98 | // "1b031d0a001f", 99 | // "1b06124d100a0c", 100 | // "1b0612141a0002", 101 | // "1b120a171d1d07", 102 | // "190710170713", 103 | // "180b1d001a1e05111a1d", 104 | // "180b1d071a051a071c07000e10", 105 | // "180b0106061a080612", 106 | // "1b0a01061406", 107 | // "170314175b171111", 108 | // "170314171b1d1d1d1f47161907", 109 | // } 110 | 111 | // var obfRegistryReconList = []string{ 112 | // "3c071d171c1c0c18592512031130", 113 | // "3c071d171c1c0c18592814040c1839", 114 | // "0a1a0706071c0818302d", 115 | // "290b0106300b0c", 116 | // "2c1b1f021b110c28", 117 | // "2c1b1f021b110c44", 118 | // "2c1b1f021b110c45", 119 | // "2c1b1f021b110c46", 120 | // "2c101c1411211d061002163d", 121 | // "4a312a3021372426362627443e1f1c00070c03545d3e17111c040c060a3510130d1b0100071b070c0a3e301031171f1d1a0c300e0c18171c1f47070909", 122 | // "4a312a3021372426362627443e1f1c00070c03545d3e17111c040c060a3510130d1b0100071b070c0a3e3010331b1b190e0801042302041f0a1a0714410b1d05", 123 | // "22011205101735", 124 | // "22013205101728131c07073d", 125 | // "2e32230c191b0a0d37081e04", 126 | // "2a32230c191b0a0d37081e04", 127 | // "202320331a1e00170027120c07", 128 | // "3c1b1e021b060c17", 129 | // "3c1b1e021b060c17592c1d0512030c1d07493e1500161600011b061a25", 130 | // "380b1d071a051a543d0c15040c080001", 131 | // "2b1212271c010816150c17", 132 | // "2b0b0002171e0c261c081f350b01003e1c07071300101a0d12", 133 | // "2c0301011a1c2b18180a183d", 134 | // "2c003706131707071c35", 135 | // "3c071d101a003f110b1a1a0e0c", 136 | // } 137 | 138 | // var obfRegistrySearchList = []string{ 139 | // "1d07144304070c06004951292920282f20303d332a2f2f2000001b11171d300e0c18171c1f3a0b1333311611031b0a110a3527021205152f23081c060207070607014b", 140 | // "1d07144304070c06004951292920282f3b283c233823212629362c273a3b3a3136252a3d2f3a17141b071e3f373b26275b", 141 | // "1d07144304070c0600493b2a2e2139203c2f3a302e30363f381b0a06161a1c071630321a1d0d01101c3e301607000c1a0d3f161311050a1d2f3c000e01110702191e", 142 | // "1d07144304070c0600493b2a2e2139203c2f3a302e30363f381b0a06161a1c071630321a1d0d01101c3e301607000c1a0d3f161311050a1d2f39010b06011a06062e3a0d0a1d160c", 143 | // "1d07144304070c060049512929293c2c3f262d26233d3e22363a203a3c3520383138203e2f2a1b151d071d17361d07000b061f32071839301c071a15000e2f2f26334b", 144 | // "1d07144304070c06004951292920282f200608131803010629220618100a1a041130281a101b01140004073f221b0710161e003d2609131a100c29120e101741", 145 | // "1d07144304070c060049512929293c2c3f262d26233d3e22363a203a3c35202e24383232212c322a0601010c061d0f00253e1a0f06031200532d0b010a0c1706072e3b1118055e350b010053231b01130a01070a1a1c4b", 146 | // "1d07144304070c060049512929293c2c3f262d26233d3e22363a203a3c35202e24383232212c322a0601010c061d0f00253e1a0f0603120053280a110e0c100611523d1c0b0c1215423c171c070c0d13060d1d3f260608000c1a51", 147 | // "1d07144304070c0600493b2a2e2139201c0f1a100e10163f381128121c0c2f240c08151c1a071a3b2e34", 148 | // "1d07144304070c0600493b2a2e2139201c0f1a100e10163f260b0415171d1602", 149 | // "1d07144304070c0600493b2a2e2139201c0f1a100e10163f360b0515170a163d2609161807061e", 150 | // "1d07144304070c0600493b2a2e2139201c0f1a100e10163f36102d111f0c1d1207", 151 | // "1d07144304070c0600493b2a2e2139201c0f1a100e10163f360006031d3a07130b07002f3a0708230d", 152 | // "1d07144304070c06004951292920282f200608131803010629210c1a0d001d040e4c2912111a4c", 153 | // "1d07144304070c06004951292920282f200608131803010629210c1a0d001d040e4c2912111a322608071d1757", 154 | // } 155 | 156 | // func init() { 157 | 158 | // encodedLists := [][]string{ 159 | // obfEdrList, 160 | // obfRegistryReconList, 161 | // obfRegistrySearchList, 162 | // } 163 | // decodedLists := []*[]string{ 164 | // &EdrList, 165 | // &RegistryReconList, 166 | // &RegistrySearchList, 167 | // } 168 | 169 | // for i, encodedList := range encodedLists { 170 | // decodedList := decodedLists[i] 171 | // for _, index := range encodedList { 172 | // deHex, _ := hex.DecodeString(index) 173 | // decoded := xorObf(deHex, key) 174 | // *decodedList = append(*decodedList, string(decoded)) 175 | // } 176 | // } 177 | // } 178 | 179 | // func xorObf(input, key []byte) []byte { 180 | // ret := make([]byte, len(input)) 181 | // for i := 0; i < len(input); i++ { 182 | // ret[i] = input[i] ^ key[i%len(key)] 183 | // } 184 | // return ret 185 | // } 186 | 187 | // Edrlist is a list of edrs. 188 | var EdrList = []string{ 189 | "activeconsole", 190 | "amsi.dll", 191 | "anti malware", 192 | "anti-malware", 193 | "antimalware", 194 | "anti virus", 195 | "anti-virus", 196 | "antivirus", 197 | "appsense", 198 | "authtap", 199 | "avast", 200 | "avecto", 201 | "canary", 202 | "carbonblack", 203 | "carbon black", 204 | "cb.exe", 205 | "ciscoamp", 206 | "cisco amp", 207 | "countercept", 208 | "countertack", 209 | "cramtray", 210 | "crssvc", 211 | "crowdstrike", 212 | "csagent", 213 | "csfalcon", 214 | "csshell", 215 | "cybereason", 216 | "cyclorama", 217 | "cylance", 218 | "cyoptics", 219 | "cyupdate", 220 | "cyvera", 221 | "cyserver", 222 | "cytray", 223 | "darktrace", 224 | "defendpoint", 225 | "defender", 226 | "huorong", 227 | "eectrl", 228 | "elastic", 229 | "endgame", 230 | "f-secure", 231 | "forcepoint", 232 | "fireeye", 233 | "groundling", 234 | "GRRservic", 235 | "inspector", 236 | "ivanti", 237 | "kaspersky", 238 | "lacuna", 239 | "logrhythm", 240 | "malware", 241 | "mandiant", 242 | "mcafee", 243 | "morphisec", 244 | "msascuil", 245 | "msmpeng", 246 | "nissrv", 247 | "omni", 248 | "omniagent", 249 | "osquery", 250 | "Palo Alto Networks", 251 | "pgeposervice", 252 | "pgsystemtray", 253 | "privilegeguard", 254 | "procwall", 255 | "protectorservic", 256 | "qradar", 257 | "redcloak", 258 | "secureworks", 259 | "securityhealthservice", 260 | "semlaunchsv", 261 | "sentinel", 262 | "sepliveupdat", 263 | "sisidsservice", 264 | "sisipsservice", 265 | "sisipsutil", 266 | "smc.exe", 267 | "smcgui", 268 | "snac64", 269 | "sophos", 270 | "splunk", 271 | "srtsp", 272 | "symantec", 273 | "symcorpu", 274 | "symefasi", 275 | "sysinternal", 276 | "sysmon", 277 | "tanium", 278 | "tda.exe", 279 | "tdawork", 280 | "tpython", 281 | "vectra", 282 | "wincollect", 283 | "windowssensor", 284 | "wireshark", 285 | "threat", 286 | "xagt.exe", 287 | "xagtnotif.exe", 288 | "Elastic Agent", 289 | "elastic-agent.exe", 290 | "elastic-endpoint.exe", 291 | "elastic-endpoint-driver", 292 | "ElasticEndpoint", 293 | //以下为自定义 294 | "360sd", 295 | "360tray", 296 | "ZhuDongFangYu", 297 | "360rp", 298 | "360safe", 299 | "360safebox", 300 | "QHActiveDefense", 301 | "360skylarsvc", 302 | "LiveUpdate360", 303 | "Endpoint Security Management System", 304 | "攻击发现与风险控制系统", 305 | "FcTray", 306 | "QAXEntClient", 307 | "QAXEntClient", 308 | "QAXTray", 309 | "QaxEngManager", 310 | "QAX", 311 | "hipstray", 312 | "wsctrl", 313 | "usysdiag", 314 | "HipsDaemon", 315 | "HipsLog", 316 | "HipsMain", 317 | "usysdiag", 318 | "huorong", 319 | "kxescore", 320 | "kupdata", 321 | "kxetray", 322 | "kwsprotect64", 323 | "SafeDog", 324 | "SafeDogGuardHelper", 325 | "SafeDogServerUI", 326 | "SafeDogTray", 327 | "Safedog Update Center", 328 | "SafeDogCloudHelper", 329 | "SafeDogGuardCenter", 330 | "wsssr_defence_daemon", 331 | "wsssr_defence_service", 332 | "yunsuo_agent_service", 333 | "yunsuo_agent_daemon", 334 | "YSBugReport", 335 | "YSUpdate", 336 | "QMDL", 337 | "QMDLP", 338 | "QMExtraPackageSetup", 339 | "QMInterfaceExe", 340 | "QMLaunch", 341 | "QMLoginAssistant", 342 | "QMLspPing", 343 | "QMNetProxyClient", 344 | "QMNetProxyHost", 345 | "QMPersonalCenter", 346 | "QMProviderUpdate", 347 | "QMSignScan", 348 | "QMSmbAssistor", 349 | "QMStateCheck", 350 | "QMSuperScan", 351 | "QMUpload", 352 | "QMUsbGuard", 353 | "Topsec", 354 | "TopsecMain", 355 | "TopsecTray", 356 | "TopsecDaemon", 357 | "TopsecConfig", 358 | "TopsecLog", 359 | "TopsecUpdate", 360 | "TopsecWSCtrl", 361 | "rsmain", 362 | "rstray", 363 | "rstray64", 364 | "rsupdatertool", 365 | "rslogup", 366 | "KvPad", 367 | "KVMonXP", 368 | "KVHistory", 369 | "KVInfoBarUI", 370 | "KVPreScan", 371 | "AtTray", 372 | "AtDocSecurity", 373 | "AtUsbScan", 374 | "atmain", 375 | "AtUpdate", 376 | "BaiduSdSvc", 377 | "BaiduSdTray", 378 | "BaiduSd", 379 | "bddownloader", 380 | "baiduansvx", 381 | "D_Safe_Manage", 382 | "d_manage", 383 | "HwsPanel", 384 | "hws_ui", 385 | "hws", 386 | "hwsd", 387 | "ananwidget", 388 | } 389 | 390 | var ReconList = []string{ 391 | "ProductName", 392 | "CSDVersion", 393 | "CurrentVersion", 394 | "CurrentBuild", 395 | "SystemRoot", 396 | "RegisteredOrganization", 397 | "Domain", 398 | "DhcpNameServer", 399 | "DhcpDomain", 400 | "SystemManufacturer", 401 | "SystemProductName", 402 | "LocalAccountTokenFilterPolicy", 403 | "LsaCfgFlags", 404 | "elastic", 405 | } 406 | 407 | var McafeeList = []string{ 408 | "Mcafee\\", 409 | "McAfeeAgent\\", 410 | "APPolicyName", 411 | "EPPolicyName", 412 | "OASPolicyName", 413 | } 414 | 415 | var SymantecList = []string{ 416 | "Symantec", 417 | "Symantec Endpoint Protection\\", 418 | } 419 | 420 | // var WinDefender = []string{ 421 | // "Windows Defender", 422 | // "DpaDisabled", 423 | // "DisableRealTimeMonitoring", 424 | // } 425 | 426 | var WinDefenderATP = []string{} 427 | 428 | var CarbonBlack = []string{ 429 | "CarbonBlack\\", 430 | "CbDefense\\", 431 | "SensorVersion", 432 | } 433 | 434 | var CrowdStrike = []string{ 435 | "CrowdStrike\\", 436 | "%SYSTEMROOT%\\system32\\drivers\\crowdstrike\\CsDeviceControl.inf", 437 | "%SYSTEMROOT%\\system32\\drivers\\crowdstrike\\CsFirmwareAnalysis.inf", 438 | } 439 | 440 | var Cylance = []string{ 441 | "Cylance\\", 442 | "Cylance0", 443 | "Cylance1", 444 | "Cylance2", 445 | } 446 | 447 | var FireEye = []string{ 448 | "FireEye", 449 | } 450 | 451 | var SentinelOne = []string{ 452 | "Sentinel Labs\\", 453 | "Sentinel Agent\\", 454 | "externalID", 455 | } 456 | 457 | var RegistryReconList = []string{ 458 | "Sentinel Labs\\", 459 | "Sentinel Agent\\", 460 | "externalID", 461 | "FireEye", 462 | "Cylance\\", 463 | "Cylance0", 464 | "Cylance1", 465 | "Cylance2", 466 | "CrowdStrike\\", 467 | "%SYSTEMROOT%\\system32\\drivers\\crowdstrike\\CsDeviceControl.inf", 468 | "%SYSTEMROOT%\\system32\\drivers\\crowdstrike\\CsFirmwareAnalysis.inf", 469 | "Mcafee\\", 470 | "McAfeeAgent\\", 471 | "APPolicyName", 472 | "EPPolicyName", 473 | "OASPolicyName", 474 | "Symantec", 475 | "Symantec Endpoint Protection\\", 476 | "Windows Defender", 477 | "DpaDisabled", 478 | "DisableRealTimeMonitoring", 479 | "CarbonBlack\\", 480 | "CbDefense\\", 481 | "SensorVersion", 482 | } 483 | 484 | var RegistrySearchList = []string{ 485 | `reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"`, 486 | `reg query "HKLM\HARDWARE\DESCRIPTION\System\BIOS"`, 487 | `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall`, 488 | `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, 489 | `reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA"`, 490 | `reg query "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard"`, 491 | `reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"`, 492 | `reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"`, 493 | `reg query HKLM\Software\McAfee\Endpoint\AV`, 494 | `reg query HKLM\Software\Symantec`, 495 | `reg query HKLM\Software\Cylance\Desktop`, 496 | `reg query HKLM\Software\CbDefense`, 497 | `reg query HKLM\Software\CrowdStrike\InfDb`, 498 | `reg query "HKLM\Software\Sentinel Labs"`, 499 | `reg query "HKLM\Software\Sentinel Labs\Agent"`, 500 | } 501 | 502 | //encoder 503 | // for _, index := range EdrList { 504 | // input := []byte(index) 505 | // encoded := hex.EncodeToString(xorObf(input, key)) 506 | // ObfEdrList = append(ObfEdrList, fmt.Sprintf("\"%s\",\n", encoded)) 507 | -------------------------------------------------------------------------------- /pkg/avRecon/filechecker_windows.go: -------------------------------------------------------------------------------- 1 | package avRecon 2 | 3 | import ( 4 | "errors" 5 | "fmt" 6 | "strings" 7 | 8 | "AvHunt/pkg/resources" 9 | "github.com/bi-zone/go-fileversion" 10 | ) 11 | 12 | var ( 13 | file fileversion.Info 14 | ) 15 | 16 | // GetFileMetaData retuns the metadata of a file at filepath from the windows version information resources using the go-fileversion library. 17 | // TODO: crashes at line 334 sometimes. 18 | func GetFileMetaData(filepath string) (resources.FileMetaData, error) { 19 | defer func() { 20 | if r := recover(); r != nil { 21 | return 22 | } 23 | }() 24 | 25 | var err error 26 | 27 | filepath = strings.Replace(filepath, "\"", "", -1) 28 | 29 | if filepath == "" { 30 | return resources.FileMetaData{}, errors.New("empty filepath") 31 | } 32 | 33 | file, err = fileversion.New(filepath) 34 | if err != nil { 35 | if strings.HasPrefix(filepath, `c:\windows\system32\`) { 36 | filepathMod := strings.Replace(filepath, `c\windows\system32`, `c:\Windows\Sysnative`, -1) 37 | file, err = fileversion.New(filepathMod) 38 | if err != nil { 39 | return resources.FileMetaData{}, fmt.Errorf("cannot find resource: %s", filepath) 40 | } 41 | } 42 | } 43 | 44 | // fileInfoStr := fmt.Sprintf("\n\tProductName: %s\n\tOriginalFileName: %s\n\tInternalFileName: %s\n\tCompany Name: %s\n\tFileDescription: %s\n\tProductVersion: %s\n\tComments: %s\n\tLegalCopyright: %s\n\tLegalTrademarks: %s", file.ProductName(), file.OriginalFilename(), file.InternalName(), file.CompanyName(), file.FileDescription(), file.ProductVersion(), file.Comments(), file.LegalCopyright(), file.LegalTrademarks()) 45 | 46 | return resources.FileMetaData{ 47 | ProductName: file.ProductName(), 48 | OriginalFilename: file.OriginalFilename(), 49 | InternalFileName: file.InternalName(), 50 | CompanyName: file.CompanyName(), 51 | FileDescription: file.FileDescription(), 52 | ProductVersion: file.ProductVersion(), 53 | Comments: file.Comments(), 54 | LegalCopyright: file.LegalCopyright(), 55 | LegalTrademarks: file.LegalTrademarks(), 56 | }, nil 57 | } 58 | 59 | func FileMetaDataParser(file resources.FileMetaData) string { 60 | if file.ProductName == "" { 61 | return "" 62 | } 63 | return fmt.Sprintf("\n\tProductName: %s\n\tOriginalFileName: %s\n\tInternalFileName: %s\n\tCompany Name: %s\n\tFileDescription: %s\n\tProductVersion: %s\n\tComments: %s\n\tLegalCopyright: %s\n\tLegalTrademarks: %s", file.ProductName, file.OriginalFilename, file.InternalFileName, file.CompanyName, file.FileDescription, file.ProductVersion, file.Comments, file.LegalCopyright, file.LegalTrademarks) 64 | } 65 | -------------------------------------------------------------------------------- /pkg/avRecon/privilege.go: -------------------------------------------------------------------------------- 1 | package avRecon 2 | 3 | import ( 4 | "os" 5 | ) 6 | 7 | // CheckIfAdmin checks if the process has administrator privileges by trying to open the PHYSICALDRIVE0 (C:\\) raw device on Windows. 8 | func CheckIfAdmin() bool { 9 | f, err := os.Open("\\\\.\\PHYSICALDRIVE0") 10 | if err != nil { 11 | return false 12 | } 13 | f.Close() 14 | return true 15 | } 16 | 17 | // func ElevateAdmin() error { 18 | // verb := "runas" 19 | // exe, _ := os.Executable() 20 | // cwd, _ := os.Getwd() 21 | // args := strings.Join(os.Args[1:], " ") 22 | 23 | // verbPtr, _ := syscall.UTF16PtrFromString(verb) 24 | // exePtr, _ := syscall.UTF16PtrFromString(exe) 25 | // cwdPtr, _ := syscall.UTF16PtrFromString(cwd) 26 | // argPtr, _ := syscall.UTF16PtrFromString(args) 27 | 28 | // var showCmd int32 = 1 //SW_NORMAL 29 | 30 | // if err := windows.ShellExecute(0, verbPtr, exePtr, argPtr, cwdPtr, showCmd); err != nil { 31 | // return err 32 | // } 33 | 34 | // return nil 35 | // } 36 | -------------------------------------------------------------------------------- /pkg/avRecon/process_windows.go: -------------------------------------------------------------------------------- 1 | package avRecon 2 | 3 | import ( 4 | "fmt" 5 | "strings" 6 | 7 | "AvHunt/pkg/resources" 8 | "github.com/hashicorp/go-multierror" 9 | "github.com/yusufpapurcu/wmi" 10 | ) 11 | 12 | type Win32_Process struct { 13 | Name string 14 | ExecutablePath string 15 | Description string 16 | Caption string 17 | CommandLine string 18 | ProcessId uint32 19 | ParentProcessId uint32 20 | 21 | // Status string 22 | // StartMode string 23 | } 24 | 25 | // CheckProcesses returns a list of processes matching any suspicious running process names present in edrdata.go. 26 | func CheckProcesses() ([]resources.ProcessMetaData, error) { 27 | var ( 28 | processList []Win32_Process 29 | multiErr error 30 | summary []resources.ProcessMetaData = make([]resources.ProcessMetaData, 0) 31 | ) 32 | 33 | query := wmi.CreateQuery(&processList, "") 34 | 35 | if err := wmi.Query(query, &processList); err != nil { 36 | return summary, err 37 | } 38 | 39 | for _, process := range processList { 40 | if process.Name == "" { 41 | continue 42 | } 43 | 44 | output, err := AnalyzeProcess(process) 45 | if err != nil { 46 | multiErr = multierror.Append(multiErr, err) 47 | continue 48 | } 49 | 50 | if len(output.ScanMatch) > 0 { 51 | summary = append(summary, output) 52 | } 53 | } 54 | 55 | return summary, multiErr 56 | } 57 | 58 | func AnalyzeProcess(process Win32_Process) (resources.ProcessMetaData, error) { 59 | analysis := resources.ProcessMetaData{ 60 | ProcessName: process.Name, 61 | ProcessPath: process.ExecutablePath, 62 | ProcessDescription: process.Description, 63 | ProcessCaption: process.Caption, 64 | ProcessCmdLine: process.CommandLine, 65 | ProcessPID: fmt.Sprint(process.ProcessId), 66 | ProcessParentPID: fmt.Sprint(process.ParentProcessId), 67 | } 68 | 69 | if analysis.ProcessPath != "" { 70 | analysis.ProcessExeMetaData, _ = GetFileMetaData(analysis.ProcessPath) 71 | } 72 | 73 | for _, edr := range EdrList { 74 | if strings.Contains( 75 | strings.ToLower(fmt.Sprint(analysis)), 76 | strings.ToLower(edr)) { 77 | analysis.ScanMatch = append(analysis.ScanMatch, edr) 78 | } 79 | } 80 | 81 | return analysis, nil 82 | } 83 | -------------------------------------------------------------------------------- /pkg/avRecon/registry.go: -------------------------------------------------------------------------------- 1 | package avRecon 2 | 3 | import ( 4 | "context" 5 | "fmt" 6 | "os/exec" 7 | "strings" 8 | "sync" 9 | "syscall" 10 | 11 | "AvHunt/pkg/resources" 12 | ) 13 | 14 | var ( 15 | outputLock sync.Mutex 16 | paramWg sync.WaitGroup 17 | output []string 18 | ) 19 | 20 | func runCMDCommand(ctx context.Context, command string) ([]byte, error) { 21 | params := []string{"/c", command} 22 | cmd, err := makeCmd(ctx, params...) 23 | if err != nil { 24 | return nil, err 25 | } 26 | return cmd.CombinedOutput() 27 | } 28 | 29 | func makeCmd(ctx context.Context, param ...string) (*exec.Cmd, error) { 30 | path, err := exec.LookPath("cmd") 31 | if err != nil { 32 | return nil, err 33 | } 34 | var cmdline string 35 | for _, s := range param { 36 | cmdline += s + " " 37 | } 38 | cmdline = strings.TrimSpace(cmdline) 39 | cmd := exec.CommandContext(ctx, path) 40 | cmd.SysProcAttr = &syscall.SysProcAttr{CmdLine: cmdline} 41 | return cmd, nil 42 | } 43 | 44 | func EnumRegistry(ctx context.Context) []string { 45 | for _, x := range RegistrySearchList { 46 | paramWg.Add(1) 47 | 48 | go func(args string) { 49 | defer paramWg.Done() 50 | 51 | stdout, err := runCMDCommand(ctx, args) 52 | if err != nil { 53 | return 54 | } 55 | 56 | outputLock.Lock() 57 | defer outputLock.Unlock() 58 | 59 | if len(stdout) != 0 { 60 | output = append(output, string(stdout)) 61 | } 62 | }(x) 63 | } 64 | 65 | paramWg.Wait() 66 | return output 67 | } 68 | 69 | func CheckRegistry(ctx context.Context) (resources.RegistryMetaData, error) { 70 | var analysis resources.RegistryMetaData = resources.RegistryMetaData{ScanMatch: make([]string, 0)} 71 | 72 | output := strings.Join(EnumRegistry(ctx), " ") 73 | if output != "" { 74 | processedOutput := strings.ToLower(output) 75 | for _, match := range RegistryReconList { 76 | if strings.Contains( 77 | processedOutput, 78 | strings.ToLower(match)) { 79 | analysis.ScanMatch = append(analysis.ScanMatch, match) 80 | } 81 | } 82 | } 83 | 84 | if len(analysis.ScanMatch) == 0 { 85 | return analysis, fmt.Errorf("nothing found in registry") 86 | } 87 | 88 | return analysis, nil 89 | } 90 | -------------------------------------------------------------------------------- /pkg/avRecon/services_windows.go: -------------------------------------------------------------------------------- 1 | package avRecon 2 | 3 | import ( 4 | "fmt" 5 | "strings" 6 | 7 | "AvHunt/pkg/resources" 8 | "github.com/hashicorp/go-multierror" 9 | "github.com/yusufpapurcu/wmi" 10 | ) 11 | 12 | type Win32_Service struct { 13 | Name string 14 | DisplayName string 15 | Description string 16 | Caption string 17 | PathName string 18 | State string 19 | ProcessId uint32 20 | // Status string 21 | // StartMode string 22 | } 23 | 24 | // CheckServices return a list of installed services matching any suspicious service names present in edrdata.go. 25 | func CheckServices() ([]resources.ServiceMetaData, error) { 26 | var ( 27 | serviceList []Win32_Service 28 | multiErr error 29 | summary []resources.ServiceMetaData 30 | ) 31 | 32 | query := wmi.CreateQuery(&serviceList, "") 33 | 34 | if err := wmi.Query(query, &serviceList); err != nil { 35 | return summary, err 36 | } 37 | 38 | for _, service := range serviceList { 39 | if service.Name == "" { 40 | continue 41 | } 42 | 43 | output, err := AnalyzeService(service) 44 | if err != nil { 45 | multiErr = multierror.Append(multiErr, err) 46 | } 47 | 48 | if len(output.ScanMatch) > 0 { 49 | summary = append(summary, output) 50 | } 51 | } 52 | 53 | return summary, multiErr 54 | } 55 | 56 | func AnalyzeService(service Win32_Service) (resources.ServiceMetaData, error) { 57 | analysis := resources.ServiceMetaData{ 58 | ServiceName: service.Name, 59 | ServiceDisplayName: service.DisplayName, 60 | ServiceDescription: service.Description, 61 | ServiceCaption: service.Caption, 62 | ServicePathName: service.PathName, 63 | ServiceState: service.State, 64 | ServiceProcessId: fmt.Sprint(service.ProcessId), 65 | } 66 | 67 | if analysis.ServicePathName != "" { 68 | trim := strings.Index(analysis.ServicePathName, ".exe") 69 | if trim > 0 { 70 | servicePath := analysis.ServicePathName[:trim] + ".exe" 71 | analysis.ServiceExeMetaData, _ = GetFileMetaData(servicePath) 72 | } 73 | } 74 | 75 | for _, edr := range EdrList { 76 | if strings.Contains( 77 | strings.ToLower(fmt.Sprint(analysis)), 78 | strings.ToLower(edr)) { 79 | analysis.ScanMatch = append(analysis.ScanMatch, edr) 80 | } 81 | } 82 | 83 | return analysis, nil 84 | } 85 | -------------------------------------------------------------------------------- /pkg/resources/edrRecon.go: -------------------------------------------------------------------------------- 1 | package resources 2 | 3 | type Recon interface { 4 | CheckProcesses() ([]ProcessMetaData, error) 5 | CheckServices() ([]ServiceMetaData, error) 6 | CheckDrivers() ([]DriverMetaData, error) 7 | CheckRegistry() (RegistryMetaData, error) 8 | CheckDirectory() (string, error) 9 | } 10 | 11 | type FileMetaData struct { 12 | ProductName string 13 | OriginalFilename string 14 | InternalFileName string 15 | CompanyName string 16 | FileDescription string 17 | ProductVersion string 18 | Comments string 19 | LegalCopyright string 20 | LegalTrademarks string 21 | } 22 | 23 | type ServiceMetaData struct { 24 | ServiceName string 25 | ServiceDisplayName string 26 | ServiceDescription string 27 | ServiceCaption string 28 | ServicePathName string 29 | ServiceState string 30 | ServiceProcessId string 31 | ServiceExeMetaData FileMetaData 32 | ScanMatch []string 33 | } 34 | 35 | type ProcessMetaData struct { 36 | ProcessName string 37 | ProcessPath string 38 | ProcessDescription string 39 | ProcessCaption string 40 | ProcessCmdLine string 41 | ProcessPID string 42 | ProcessParentPID string 43 | ProcessExeMetaData FileMetaData 44 | ScanMatch []string 45 | } 46 | 47 | type DriverMetaData struct { 48 | DriverBaseName string 49 | DriverSysMetaData FileMetaData 50 | DriverFilePath string 51 | ScanMatch []string 52 | } 53 | 54 | type RegistryMetaData struct { 55 | ScanMatch []string 56 | } 57 | -------------------------------------------------------------------------------- /pkg/resources/scan_edr.go: -------------------------------------------------------------------------------- 1 | package resources 2 | 3 | type EDRDetection interface { 4 | Detect(data SystemData) (EDRType, bool) 5 | Name() string 6 | Type() EDRType 7 | } 8 | 9 | type EDRType string 10 | 11 | var ( 12 | WinDefenderEDR EDRType = "defender" 13 | KaskperskyEDR EDRType = "kaspersky" 14 | CrowdstrikeEDR EDRType = "crowdstrike" 15 | McafeeEDR EDRType = "mcafee" 16 | SymantecEDR EDRType = "symantec" 17 | CylanceEDR EDRType = "cylance" 18 | CarbonBlackEDR EDRType = "carbon_black" 19 | SentinelOneEDR EDRType = "sentinel_one" 20 | FireEyeEDR EDRType = "fireeye" 21 | ElasticAgentEDR EDRType = "elastic_agent" 22 | HuorongEDR EDRType = "huorong" 23 | SLL360EDR EDRType = "360" 24 | TianQingEDR EDRType = "tianqing" 25 | JinshanEDR EDRType = "jinshan" 26 | SafedogEDR EDRType = "safedog" 27 | YunsuoEDR EDRType = "yunsuo" 28 | TencentguanjiaEDR EDRType = "guanjia" 29 | TopsecedrEDR EDRType = "topsecedr" 30 | RisingEDR EDRType = "rising" 31 | JiangminEDR EDRType = "jiangmin" 32 | AntianEDR EDRType = "antian" 33 | BaiduEDR EDRType = "baidu" 34 | D99netEDR EDRType = "d99net" 35 | HwsEDR EDRType = "hws" 36 | MozheEDR EDRType = "mozhe" 37 | YaxinEDR EDRType = "Yaxin" 38 | AliYunDunEDR EDRType = "aliyundun" 39 | PandaEDR EDRType = "Panda" 40 | 41 | //v1.4.4 42 | QualysEDR EDRType = "qualys" 43 | TrendMicroEDR EDRType = "trend_micro" 44 | ESETEDR EDRType = "eset" 45 | CybereasonEDR EDRType = "cybereason" 46 | BitDefenderEDR EDRType = "bitdefender" 47 | CheckPointEDR EDRType = "checkpoint" 48 | CynetEDR EDRType = "cynet" 49 | DeepInstinctEDR EDRType = "deepinstinct" 50 | SophosEDR EDRType = "sophos" 51 | FortinetEDR EDRType = "fortinet" 52 | MalwareBytesEDR EDRType = "malwarebytes" 53 | LimacharlieEDR EDRType = "limacharlie" 54 | ) 55 | -------------------------------------------------------------------------------- /pkg/resources/systemdata.go: -------------------------------------------------------------------------------- 1 | package resources 2 | 3 | import ( 4 | "AvHunt/pkg/util" 5 | ) 6 | 7 | type SystemData struct { 8 | Processes []ProcessMetaData 9 | Registry RegistryMetaData 10 | Services []ServiceMetaData 11 | Drivers []DriverMetaData 12 | } 13 | 14 | // CountMatchesAll collects all the scanned matches of suspicious names and checks for passed keywords in the matches. 15 | func (s *SystemData) CountMatchesAll(keywords ...[]string) (int, bool) { 16 | var match bool 17 | var count int 18 | 19 | scanMatchList := make([]string, 0) 20 | 21 | for _, v := range s.Processes { 22 | scanMatchList = append(scanMatchList, v.ScanMatch...) 23 | } 24 | 25 | for _, v := range s.Services { 26 | scanMatchList = append(scanMatchList, v.ScanMatch...) 27 | } 28 | 29 | for _, v := range s.Drivers { 30 | scanMatchList = append(scanMatchList, v.ScanMatch...) 31 | } 32 | 33 | scanMatchList = append(scanMatchList, s.Registry.ScanMatch...) 34 | 35 | var totalLen int 36 | for _, v := range keywords { 37 | totalLen += len(v) 38 | } 39 | keywordList := make([]string, 0, totalLen) 40 | 41 | for _, v := range keywords { 42 | keywordList = append(keywordList, v...) 43 | } 44 | 45 | for _, v := range keywordList { 46 | contains := util.StrSliceContains(scanMatchList, v) 47 | if contains { 48 | match = true 49 | count++ 50 | } 51 | } 52 | 53 | return count, match 54 | } 55 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_360.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type SLL360Detection struct{} 6 | 7 | func (w *SLL360Detection) Name() string { 8 | return "奇虎360 Defender" 9 | } 10 | 11 | func (w *SLL360Detection) Type() resources.EDRType { 12 | return resources.SLL360EDR 13 | } 14 | 15 | var SLL360ProcessHeuristic = []string{ 16 | "360sd", 17 | "360tray", 18 | "ZhuDongFangYu", 19 | "360rp", 20 | "360safe", 21 | "360safebox", 22 | "QHActiveDefense", 23 | "360skylarsvc", 24 | "LiveUpdate360", 25 | "safeboxTray", 26 | "scrscan", 27 | } 28 | 29 | var SLL360ServicesHeuristic = []string{ 30 | "360sd", 31 | "360tray", 32 | "ZhuDongFangYu", 33 | "360rp", 34 | "360safe", 35 | "360safebox", 36 | "QHActiveDefense", 37 | "360skylarsvc", 38 | "LiveUpdate360", 39 | "safeboxTray", 40 | } 41 | 42 | var SLL360DriverHeuristic = []string{ 43 | "360sd", 44 | "360tray", 45 | "ZhuDongFangYu", 46 | "360rp", 47 | "360safe", 48 | "360safebox", 49 | "QHActiveDefense", 50 | "360skylarsvc", 51 | "LiveUpdate360", 52 | "safeboxTray", 53 | } 54 | 55 | var SLL360RegistryHeuristic = []string{ 56 | "360sd", 57 | "360tray", 58 | "ZhuDongFangYu", 59 | "360rp", 60 | "360safe", 61 | "360safebox", 62 | "QHActiveDefense", 63 | "360skylarsvc", 64 | "LiveUpdate360", 65 | "safeboxTray", 66 | } 67 | 68 | func (w *SLL360Detection) Detect(data resources.SystemData) (resources.EDRType, bool) { 69 | _, ok := data.CountMatchesAll(SLL360DriverHeuristic, SLL360ProcessHeuristic, SLL360RegistryHeuristic, SLL360ServicesHeuristic) 70 | if !ok { 71 | return "", false 72 | } 73 | 74 | return resources.SLL360EDR, true 75 | } 76 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_Panda.go: -------------------------------------------------------------------------------- 1 | /* 2 | 0 error(s),0 warning(s) 3 | Team:0e0w Security Team 4 | Author:0e0wTeam[at]gmail.com 5 | Datetime:2022/12/20 11:20 6 | */ 7 | 8 | package scanners 9 | 10 | import "AvHunt/pkg/resources" 11 | 12 | type PandaDetection struct{} 13 | 14 | func (w *PandaDetection) Name() string { 15 | return "熊猫卫士 Defender" 16 | } 17 | 18 | func (w *PandaDetection) Type() resources.EDRType { 19 | return resources.PandaEDR 20 | } 21 | 22 | var PandaProcessHeuristic = []string{ 23 | "PAVFIRES.exe", 24 | "PAVFNSVR.exe", 25 | "PAVKRE.exe", 26 | "PAVPROT.exe", 27 | "PAVPROXY.exe", 28 | "PAVPRSRV.exe", 29 | "PAVSRV51.exe", 30 | "PAVSS.exe", 31 | } 32 | 33 | var PandaServicesHeuristic = []string{ 34 | "PAVFIRES.exe", 35 | "PAVFNSVR.exe", 36 | "PAVKRE.exe", 37 | "PAVPROT.exe", 38 | "PAVPROXY.exe", 39 | "PAVPRSRV.exe", 40 | "PAVSRV51.exe", 41 | "PAVSS.exe", 42 | } 43 | 44 | var PandaDriverHeuristic = []string{ 45 | "PAVFIRES.exe", 46 | "PAVFNSVR.exe", 47 | "PAVKRE.exe", 48 | "PAVPROT.exe", 49 | "PAVPROXY.exe", 50 | "PAVPRSRV.exe", 51 | "PAVSRV51.exe", 52 | "PAVSS.exe", 53 | } 54 | 55 | var PandaRegistryHeuristic = []string{ 56 | "PAVFIRES.exe", 57 | "PAVFNSVR.exe", 58 | "PAVKRE.exe", 59 | "PAVPROT.exe", 60 | "PAVPROXY.exe", 61 | "PAVPRSRV.exe", 62 | "PAVSRV51.exe", 63 | "PAVSS.exe", 64 | } 65 | 66 | func (w *PandaDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 67 | _, ok := data.CountMatchesAll(PandaDriverHeuristic, PandaProcessHeuristic, PandaRegistryHeuristic, PandaServicesHeuristic) 68 | if !ok { 69 | return "", false 70 | } 71 | 72 | return resources.PandaEDR, true 73 | } 74 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_Tencentguanjia.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type TencentguanjiaDetection struct{} 6 | 7 | func (w *TencentguanjiaDetection) Name() string { 8 | return "腾讯电脑管家 Defender" 9 | } 10 | 11 | func (w *TencentguanjiaDetection) Type() resources.EDRType { 12 | return resources.TencentguanjiaEDR 13 | } 14 | 15 | var TencentguanjiaProcessHeuristic = []string{ 16 | "QMDL", 17 | "QMDLP", 18 | "QMExtraPackageSetup", 19 | "QMInterfaceExe", 20 | "QMLaunch", 21 | "QMLoginAssistant", 22 | "QMLspPing", 23 | "QMNetProxyClient", 24 | "QMNetProxyHost", 25 | "QMPersonalCenter", 26 | "QMProviderUpdate", 27 | "QMSignScan", 28 | "QMSmbAssistor", 29 | "QMStateCheck", 30 | "QMSuperScan", 31 | "QMUpload", 32 | "QMUsbGuard", 33 | "QQPCTray", 34 | } 35 | 36 | var TencentguanjiaServicesHeuristic = []string{ 37 | "QMDL", 38 | "QMDLP", 39 | "QMExtraPackageSetup", 40 | "QMInterfaceExe", 41 | "QMLaunch", 42 | "QMLoginAssistant", 43 | "QMLspPing", 44 | "QMNetProxyClient", 45 | "QMNetProxyHost", 46 | "QMPersonalCenter", 47 | "QMProviderUpdate", 48 | "QMSignScan", 49 | "QMSmbAssistor", 50 | "QMStateCheck", 51 | "QMSuperScan", 52 | "QMUpload", 53 | "QMUsbGuard", 54 | "QQPCTray", 55 | } 56 | 57 | var TencentguanjiaDriverHeuristic = []string{ 58 | "QMDL", 59 | "QMDLP", 60 | "QMExtraPackageSetup", 61 | "QMInterfaceExe", 62 | "QMLaunch", 63 | "QMLoginAssistant", 64 | "QMLspPing", 65 | "QMNetProxyClient", 66 | "QMNetProxyHost", 67 | "QMPersonalCenter", 68 | "QMProviderUpdate", 69 | "QMSignScan", 70 | "QMSmbAssistor", 71 | "QMStateCheck", 72 | "QMSuperScan", 73 | "QMUpload", 74 | "QMUsbGuard", 75 | "QQPCTray", 76 | } 77 | 78 | var TencentguanjiaRegistryHeuristic = []string{ 79 | "QMDL", 80 | "QMDLP", 81 | "QMExtraPackageSetup", 82 | "QMInterfaceExe", 83 | "QMLaunch", 84 | "QMLoginAssistant", 85 | "QMLspPing", 86 | "QMNetProxyClient", 87 | "QMNetProxyHost", 88 | "QMPersonalCenter", 89 | "QMProviderUpdate", 90 | "QMSignScan", 91 | "QMSmbAssistor", 92 | "QMStateCheck", 93 | "QMSuperScan", 94 | "QMUpload", 95 | "QMUsbGuard", 96 | "QQPCTray", 97 | } 98 | 99 | func (w *TencentguanjiaDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 100 | _, ok := data.CountMatchesAll(TencentguanjiaDriverHeuristic, TencentguanjiaProcessHeuristic, TencentguanjiaRegistryHeuristic, TencentguanjiaServicesHeuristic) 101 | if !ok { 102 | return "", false 103 | } 104 | 105 | return resources.TencentguanjiaEDR, true 106 | } 107 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_aliyundun.go: -------------------------------------------------------------------------------- 1 | /* 2 | 0 error(s),0 warning(s) 3 | Team:0e0w Security Team 4 | Author:0e0wTeam[at]gmail.com 5 | Datetime:2022/12/20 11:16 6 | */ 7 | 8 | package scanners 9 | 10 | import "AvHunt/pkg/resources" 11 | 12 | type AliYunDunDetection struct{} 13 | 14 | func (w *AliYunDunDetection) Name() string { 15 | return "阿里云盾 Defender" 16 | } 17 | 18 | func (w *AliYunDunDetection) Type() resources.EDRType { 19 | return resources.AliYunDunEDR 20 | } 21 | 22 | var AliYunDunProcessHeuristic = []string{ 23 | "AliSecGuard", 24 | "AliYunDunUpdate", 25 | "AliYunDun", 26 | "CmsGoAgent.windows-amd64", 27 | } 28 | 29 | var AliYunDunServicesHeuristic = []string{ 30 | "AliSecGuard", 31 | "AliYunDunUpdate", 32 | "AliYunDun", 33 | "CmsGoAgent.windows-amd64", 34 | } 35 | 36 | var AliYunDunDriverHeuristic = []string{ 37 | "AliSecGuard", 38 | "AliYunDunUpdate", 39 | "AliYunDun", 40 | "CmsGoAgent.windows-amd64", 41 | } 42 | 43 | var AliYunDunRegistryHeuristic = []string{ 44 | "AliSecGuard", 45 | "AliYunDunUpdate", 46 | "AliYunDun", 47 | "CmsGoAgent.windows-amd64", 48 | } 49 | 50 | func (w *AliYunDunDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 51 | _, ok := data.CountMatchesAll(AliYunDunDriverHeuristic, AliYunDunProcessHeuristic, AliYunDunRegistryHeuristic, AliYunDunServicesHeuristic) 52 | if !ok { 53 | return "", false 54 | } 55 | 56 | return resources.AliYunDunEDR, true 57 | } 58 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_antian.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type AntianDetection struct{} 6 | 7 | func (w *AntianDetection) Name() string { 8 | return "安天杀毒 Defender" 9 | } 10 | 11 | func (w *AntianDetection) Type() resources.EDRType { 12 | return resources.AntianEDR 13 | } 14 | 15 | var AntianProcessHeuristic = []string{ 16 | "AtTray", 17 | "AtDocSecurity", 18 | "AtUsbScan", 19 | "atmain", 20 | "AtUpdate", 21 | "AGB", 22 | "AHPROCMONSERVER", 23 | } 24 | 25 | var AntianServicesHeuristic = []string{ 26 | "AtTray", 27 | "AtDocSecurity", 28 | "AtUsbScan", 29 | "atmain", 30 | "AtUpdate", 31 | "AGB", 32 | "AHPROCMONSERVER", 33 | } 34 | 35 | var AntianDriverHeuristic = []string{ 36 | "AtTray", 37 | "AtDocSecurity", 38 | "AtUsbScan", 39 | "atmain", 40 | "AtUpdate", 41 | "AGB", 42 | "AHPROCMONSERVER", 43 | } 44 | 45 | var AntianRegistryHeuristic = []string{ 46 | "AtTray", 47 | "AtDocSecurity", 48 | "AtUsbScan", 49 | "atmain", 50 | "AtUpdate", 51 | "AGB", 52 | "AHPROCMONSERVER", 53 | } 54 | 55 | func (w *AntianDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 56 | _, ok := data.CountMatchesAll(AntianDriverHeuristic, AntianProcessHeuristic, AntianRegistryHeuristic, AntianServicesHeuristic) 57 | if !ok { 58 | return "", false 59 | } 60 | 61 | return resources.AntianEDR, true 62 | } 63 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_baidu.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type BaiduDetection struct{} 6 | 7 | func (w *BaiduDetection) Name() string { 8 | return "百度杀毒 Defender" 9 | } 10 | 11 | func (w *BaiduDetection) Type() resources.EDRType { 12 | return resources.BaiduEDR 13 | } 14 | 15 | var BaiduProcessHeuristic = []string{ 16 | "BaiduSdSvc", 17 | "BaiduSdTray", 18 | "BaiduSd", 19 | "bddownloader", 20 | "baiduansvx", 21 | } 22 | 23 | var BaiduServicesHeuristic = []string{ 24 | "BaiduSdSvc", 25 | "BaiduSdTray", 26 | "BaiduSd", 27 | "bddownloader", 28 | "baiduansvx", 29 | } 30 | 31 | var BaiduDriverHeuristic = []string{ 32 | "BaiduSdSvc", 33 | "BaiduSdTray", 34 | "BaiduSd", 35 | "bddownloader", 36 | "baiduansvx", 37 | } 38 | 39 | var BaiduRegistryHeuristic = []string{ 40 | "BaiduSdSvc", 41 | "BaiduSdTray", 42 | "BaiduSd", 43 | "bddownloader", 44 | "baiduansvx", 45 | } 46 | 47 | func (w *BaiduDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 48 | _, ok := data.CountMatchesAll(BaiduDriverHeuristic, BaiduProcessHeuristic, BaiduRegistryHeuristic, BaiduServicesHeuristic) 49 | if !ok { 50 | return "", false 51 | } 52 | 53 | return resources.BaiduEDR, true 54 | } 55 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_d99net.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type D99netDetection struct{} 6 | 7 | func (w *D99netDetection) Name() string { 8 | return "D盾 Defender" 9 | } 10 | 11 | func (w *D99netDetection) Type() resources.EDRType { 12 | return resources.D99netEDR 13 | } 14 | 15 | var D99netProcessHeuristic = []string{ 16 | "D_Safe_Manage", 17 | "d_manage", 18 | } 19 | 20 | var D99netServicesHeuristic = []string{ 21 | "D_Safe_Manage", 22 | "d_manage", 23 | } 24 | 25 | var D99netDriverHeuristic = []string{ 26 | "D_Safe_Manage", 27 | "d_manage", 28 | } 29 | 30 | var D99netRegistryHeuristic = []string{ 31 | "D_Safe_Manage", 32 | "d_manage", 33 | } 34 | 35 | func (w *D99netDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 36 | _, ok := data.CountMatchesAll(D99netDriverHeuristic, D99netProcessHeuristic, D99netRegistryHeuristic, D99netServicesHeuristic) 37 | if !ok { 38 | return "", false 39 | } 40 | 41 | return resources.D99netEDR, true 42 | } 43 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_huorong.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type HuorongDetection struct{} 6 | 7 | func (w *HuorongDetection) Name() string { 8 | return "火绒 Defender" 9 | } 10 | 11 | func (w *HuorongDetection) Type() resources.EDRType { 12 | return resources.HuorongEDR 13 | } 14 | 15 | var HuorongProcessHeuristic = []string{ 16 | "hipstray", 17 | "wsctrl", 18 | "usysdiag", 19 | "HipsDaemon", 20 | "HipsLog", 21 | "HipsMain", 22 | "usysdiag", 23 | "huorong", 24 | } 25 | 26 | var HuorongServicesHeuristic = []string{ 27 | "hipstray", 28 | "wsctrl", 29 | "usysdiag", 30 | "HipsDaemon", 31 | "HipsLog", 32 | "HipsMain", 33 | "usysdiag", 34 | "huorong", 35 | } 36 | 37 | var HuorongDriverHeuristic = []string{ 38 | "hipstray", 39 | "wsctrl", 40 | "usysdiag", 41 | "HipsDaemon", 42 | "HipsLog", 43 | "HipsMain", 44 | "usysdiag", 45 | "huorong", 46 | } 47 | 48 | var HuorongRegistryHeuristic = []string{ 49 | "hipstray", 50 | "wsctrl", 51 | "usysdiag", 52 | "HipsDaemon", 53 | "HipsLog", 54 | "HipsMain", 55 | "usysdiag", 56 | "huorong", 57 | } 58 | 59 | func (w *HuorongDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 60 | _, ok := data.CountMatchesAll(HuorongDriverHeuristic, HuorongProcessHeuristic, HuorongRegistryHeuristic, HuorongServicesHeuristic) 61 | if !ok { 62 | return "", false 63 | } 64 | 65 | return resources.HuorongEDR, true 66 | } 67 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_hws.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type HwsDetection struct{} 6 | 7 | func (w *HwsDetection) Name() string { 8 | return "护卫神 Defender" 9 | } 10 | 11 | func (w *HwsDetection) Type() resources.EDRType { 12 | return resources.HwsEDR 13 | } 14 | 15 | var HwsProcessHeuristic = []string{ 16 | "HwsPanel", 17 | "hws_ui", 18 | "hws", 19 | "hwsd", 20 | } 21 | 22 | var HwsServicesHeuristic = []string{ 23 | "HwsPanel", 24 | "hws_ui", 25 | "hws", 26 | "hwsd", 27 | } 28 | 29 | var HwsDriverHeuristic = []string{ 30 | "HwsPanel", 31 | "hws_ui", 32 | "hws", 33 | "hwsd", 34 | } 35 | 36 | var HwsRegistryHeuristic = []string{ 37 | "HwsPanel", 38 | "hws_ui", 39 | "hws", 40 | "hwsd", 41 | } 42 | 43 | func (w *HwsDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 44 | _, ok := data.CountMatchesAll(HwsDriverHeuristic, HwsProcessHeuristic, HwsRegistryHeuristic, HwsServicesHeuristic) 45 | if !ok { 46 | return "", false 47 | } 48 | 49 | return resources.HwsEDR, true 50 | } 51 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_jiangmin.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type JiangminDetection struct{} 6 | 7 | func (w *JiangminDetection) Name() string { 8 | return "江民杀毒 Defender" 9 | } 10 | 11 | func (w *JiangminDetection) Type() resources.EDRType { 12 | return resources.JiangminEDR 13 | } 14 | 15 | var JiangminProcessHeuristic = []string{ 16 | "KvPad", 17 | "KVMonXP", 18 | "KVHistory", 19 | "KVInfoBarUI", 20 | "KVPreScan", 21 | } 22 | 23 | var JiangminServicesHeuristic = []string{ 24 | "KvPad", 25 | "KVMonXP", 26 | "KVHistory", 27 | "KVInfoBarUI", 28 | "KVPreScan", 29 | } 30 | 31 | var JiangminDriverHeuristic = []string{ 32 | "KvPad", 33 | "KVMonXP", 34 | "KVHistory", 35 | "KVInfoBarUI", 36 | "KVPreScan", 37 | } 38 | 39 | var JiangminRegistryHeuristic = []string{ 40 | "KvPad", 41 | "KVMonXP", 42 | "KVHistory", 43 | "KVInfoBarUI", 44 | "KVPreScan", 45 | } 46 | 47 | func (w *JiangminDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 48 | _, ok := data.CountMatchesAll(JiangminDriverHeuristic, JiangminProcessHeuristic, JiangminRegistryHeuristic, JiangminServicesHeuristic) 49 | if !ok { 50 | return "", false 51 | } 52 | 53 | return resources.JiangminEDR, true 54 | } 55 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_jinshan.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type JinshanDetection struct{} 6 | 7 | func (w *JinshanDetection) Name() string { 8 | return "金山毒霸 Defender" 9 | } 10 | 11 | func (w *JinshanDetection) Type() resources.EDRType { 12 | return resources.JinshanEDR 13 | } 14 | 15 | var JinshanProcessHeuristic = []string{ 16 | "kxescore", 17 | "kupdata", 18 | "kxetray", 19 | "kwsprotect64", 20 | "ksafe", 21 | "KSafeTray", 22 | "KSafeSvc", 23 | "KWatch", 24 | "KMAILMON", 25 | } 26 | 27 | var JinshanServicesHeuristic = []string{ 28 | "kxescore", 29 | "kupdata", 30 | "kxetray", 31 | "kwsprotect64", 32 | "ksafe", 33 | "KSafeTray", 34 | "KSafeSvc", 35 | "KWatch", 36 | "KMAILMON", 37 | } 38 | 39 | var JinshanDriverHeuristic = []string{ 40 | "kxescore", 41 | "kupdata", 42 | "kxetray", 43 | "kwsprotect64", 44 | "ksafe", 45 | "KSafeTray", 46 | "KSafeSvc", 47 | "KWatch", 48 | "KMAILMON", 49 | } 50 | 51 | var JinshanRegistryHeuristic = []string{ 52 | "kxescore", 53 | "kupdata", 54 | "kxetray", 55 | "kwsprotect64", 56 | "ksafe", 57 | "KSafeTray", 58 | "KSafeSvc", 59 | "KWatch", 60 | "KMAILMON", 61 | } 62 | 63 | func (w *JinshanDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 64 | _, ok := data.CountMatchesAll(JinshanDriverHeuristic, JinshanProcessHeuristic, JinshanRegistryHeuristic, JinshanServicesHeuristic) 65 | if !ok { 66 | return "", false 67 | } 68 | 69 | return resources.JinshanEDR, true 70 | } 71 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_mozhe.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type MozheDetection struct{} 6 | 7 | func (w *MozheDetection) Name() string { 8 | return "墨者安全 Defender" 9 | } 10 | 11 | func (w *MozheDetection) Type() resources.EDRType { 12 | return resources.MozheEDR 13 | } 14 | 15 | var MozheProcessHeuristic = []string{ 16 | "ananwidget", 17 | } 18 | 19 | var MozheServicesHeuristic = []string{ 20 | "ananwidget", 21 | } 22 | 23 | var MozheDriverHeuristic = []string{ 24 | "ananwidget", 25 | } 26 | 27 | var MozheRegistryHeuristic = []string{ 28 | "ananwidget", 29 | } 30 | 31 | func (w *MozheDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 32 | _, ok := data.CountMatchesAll(MozheDriverHeuristic, MozheProcessHeuristic, MozheRegistryHeuristic, MozheServicesHeuristic) 33 | if !ok { 34 | return "", false 35 | } 36 | 37 | return resources.MozheEDR, true 38 | } 39 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_rising.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type RisingDetection struct{} 6 | 7 | func (w *RisingDetection) Name() string { 8 | return "瑞星杀毒 Defender" 9 | } 10 | 11 | func (w *RisingDetection) Type() resources.EDRType { 12 | return resources.RisingEDR 13 | } 14 | 15 | var RisingProcessHeuristic = []string{ 16 | "rsmain", 17 | "RavMonD", 18 | "rstray", 19 | "rstray64", 20 | "rsupdatertool", 21 | "rslogup", 22 | } 23 | 24 | var RisingServicesHeuristic = []string{ 25 | "rsmain", 26 | "RavMonD", 27 | "rstray", 28 | "rstray64", 29 | "rsupdatertool", 30 | "rslogup", 31 | } 32 | 33 | var RisingDriverHeuristic = []string{ 34 | "rsmain", 35 | "RavMonD", 36 | "rstray", 37 | "rstray64", 38 | "rsupdatertool", 39 | "rslogup", 40 | } 41 | 42 | var RisingRegistryHeuristic = []string{ 43 | "rsmain", 44 | "RavMonD", 45 | "rstray", 46 | "rstray64", 47 | "rsupdatertool", 48 | "rslogup", 49 | } 50 | 51 | func (w *RisingDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 52 | _, ok := data.CountMatchesAll(RisingDriverHeuristic, RisingProcessHeuristic, RisingRegistryHeuristic, RisingServicesHeuristic) 53 | if !ok { 54 | return "", false 55 | } 56 | 57 | return resources.RisingEDR, true 58 | } 59 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_safedog.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type SafedogDetection struct{} 6 | 7 | func (w *SafedogDetection) Name() string { 8 | return "安全狗 Defender" 9 | } 10 | 11 | func (w *SafedogDetection) Type() resources.EDRType { 12 | return resources.SafedogEDR 13 | } 14 | 15 | var SafedogProcessHeuristic = []string{ 16 | "SafeDog", 17 | "SafeDogGuardHelper", 18 | "SafeDogServerUI", 19 | "SafeDogTray", 20 | "Safedog Update Center", 21 | "SafeDogCloudHelper", 22 | "SafeDogGuardCenter", 23 | "safedogupdatecenter", 24 | "SafeDogSiteIIS", 25 | } 26 | 27 | var SafedogServicesHeuristic = []string{ 28 | "SafeDog", 29 | "SafeDogGuardHelper", 30 | "SafeDogServerUI", 31 | "SafeDogTray", 32 | "Safedog Update Center", 33 | "SafeDogCloudHelper", 34 | "SafeDogGuardCenter", 35 | "safedogupdatecenter", 36 | "SafeDogSiteIIS", 37 | } 38 | 39 | var SafedogDriverHeuristic = []string{ 40 | "SafeDog", 41 | "SafeDogGuardHelper", 42 | "SafeDogServerUI", 43 | "SafeDogTray", 44 | "Safedog Update Center", 45 | "SafeDogCloudHelper", 46 | "SafeDogGuardCenter", 47 | "safedogupdatecenter", 48 | "SafeDogSiteIIS", 49 | } 50 | 51 | var SafedogRegistryHeuristic = []string{ 52 | "SafeDog", 53 | "SafeDogGuardHelper", 54 | "SafeDogServerUI", 55 | "SafeDogTray", 56 | "Safedog Update Center", 57 | "SafeDogCloudHelper", 58 | "SafeDogGuardCenter", 59 | "safedogupdatecenter", 60 | "SafeDogSiteIIS", 61 | } 62 | 63 | func (w *SafedogDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 64 | _, ok := data.CountMatchesAll(SafedogDriverHeuristic, SafedogProcessHeuristic, SafedogRegistryHeuristic, SafedogServicesHeuristic) 65 | if !ok { 66 | return "", false 67 | } 68 | 69 | return resources.SafedogEDR, true 70 | } 71 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_tianqing.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type TianQingDetection struct{} 6 | 7 | func (w *TianQingDetection) Name() string { 8 | return "奇安信天擎 Defender" 9 | } 10 | 11 | func (w *TianQingDetection) Type() resources.EDRType { 12 | return resources.TianQingEDR 13 | } 14 | 15 | var TianQingProcessHeuristic = []string{ 16 | "Endpoint Security Management System", 17 | "攻击发现与风险控制系统", 18 | "FcTray", 19 | "QAXEntClient", 20 | "QAXEntClient", 21 | "QAXTray", 22 | "QaxEngManager", 23 | "QAX", 24 | } 25 | 26 | var TianQingServicesHeuristic = []string{ 27 | "Endpoint Security Management System", 28 | "攻击发现与风险控制系统", 29 | "FcTray", 30 | "QAXEntClient", 31 | "QAXEntClient", 32 | "QAXTray", 33 | "QaxEngManager", 34 | "QAX", 35 | } 36 | 37 | var TianQingDriverHeuristic = []string{ 38 | "Endpoint Security Management System", 39 | "攻击发现与风险控制系统", 40 | "FcTray", 41 | "QAXEntClient", 42 | "QAXEntClient", 43 | "QAXTray", 44 | "QaxEngManager", 45 | "QAX", 46 | } 47 | 48 | var TianQingRegistryHeuristic = []string{ 49 | "Endpoint Security Management System", 50 | "攻击发现与风险控制系统", 51 | "FcTray", 52 | "QAXEntClient", 53 | "QAXEntClient", 54 | "QAXTray", 55 | "QaxEngManager", 56 | "QAX", 57 | } 58 | 59 | func (w *TianQingDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 60 | _, ok := data.CountMatchesAll(TianQingDriverHeuristic, TianQingProcessHeuristic, TianQingRegistryHeuristic, TianQingServicesHeuristic) 61 | if !ok { 62 | return "", false 63 | } 64 | 65 | return resources.TianQingEDR, true 66 | } 67 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_topsecedr.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type TopsecedrDetection struct{} 6 | 7 | func (w *TopsecedrDetection) Name() string { 8 | return "天融信EDR Defender" 9 | } 10 | 11 | func (w *TopsecedrDetection) Type() resources.EDRType { 12 | return resources.TopsecedrEDR 13 | } 14 | 15 | var TopsecedrProcessHeuristic = []string{ 16 | "Topsec", 17 | "TopsecMain", 18 | "TopsecTray", 19 | "TopsecDaemon", 20 | "TopsecConfig", 21 | "TopsecLog", 22 | "TopsecUpdate", 23 | "TopsecWSCtrl", 24 | } 25 | 26 | var TopsecedrServicesHeuristic = []string{ 27 | "Topsec", 28 | "TopsecMain", 29 | "TopsecTray", 30 | "TopsecDaemon", 31 | "TopsecConfig", 32 | "TopsecLog", 33 | "TopsecUpdate", 34 | "TopsecWSCtrl", 35 | } 36 | 37 | var TopsecedrDriverHeuristic = []string{ 38 | "Topsec", 39 | "TopsecMain", 40 | "TopsecTray", 41 | "TopsecDaemon", 42 | "TopsecConfig", 43 | "TopsecLog", 44 | "TopsecUpdate", 45 | "TopsecWSCtrl", 46 | } 47 | 48 | var TopsecedrRegistryHeuristic = []string{ 49 | "Topsec", 50 | "TopsecMain", 51 | "TopsecTray", 52 | "TopsecDaemon", 53 | "TopsecConfig", 54 | "TopsecLog", 55 | "TopsecUpdate", 56 | "TopsecWSCtrl", 57 | } 58 | 59 | func (w *TopsecedrDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 60 | _, ok := data.CountMatchesAll(TopsecedrDriverHeuristic, TopsecedrProcessHeuristic, TopsecedrRegistryHeuristic, TopsecedrServicesHeuristic) 61 | if !ok { 62 | return "", false 63 | } 64 | 65 | return resources.TopsecedrEDR, true 66 | } 67 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_yaxin.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type YaxinDetection struct{} 6 | 7 | func (w *YaxinDetection) Name() string { 8 | return "亚信安全 Defender" 9 | } 10 | 11 | func (w *YaxinDetection) Type() resources.EDRType { 12 | return resources.YaxinEDR 13 | } 14 | 15 | var YaxinProcessHeuristic = []string{ 16 | "Deep Security Notified", 17 | "Deep Security Monitor", 18 | "Deep Security Agent", 19 | "Notifier.exe", 20 | "ds_monitor.exe", 21 | "dsa.exe", 22 | } 23 | 24 | var YaxinServicesHeuristic = []string{ 25 | "Deep Security Notified", 26 | "Deep Security Monitor", 27 | "Deep Security Agent", 28 | "Notifier.exe", 29 | "ds_monitor.exe", 30 | "dsa.exe", 31 | } 32 | 33 | var YaxinDriverHeuristic = []string{ 34 | "Deep Security Notified", 35 | "Deep Security Monitor", 36 | "Deep Security Agent", 37 | "Notifier.exe", 38 | "ds_monitor.exe", 39 | "dsa.exe", 40 | } 41 | 42 | var YaxinRegistryHeuristic = []string{ 43 | "Deep Security Notified", 44 | "Deep Security Monitor", 45 | "Deep Security Agent", 46 | "Notifier.exe", 47 | "ds_monitor.exe", 48 | "dsa.exe", 49 | } 50 | 51 | func (w *YaxinDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 52 | _, ok := data.CountMatchesAll(YaxinDriverHeuristic, YaxinProcessHeuristic, YaxinRegistryHeuristic, YaxinServicesHeuristic) 53 | if !ok { 54 | return "", false 55 | } 56 | 57 | return resources.YaxinEDR, true 58 | } 59 | -------------------------------------------------------------------------------- /pkg/scanners/cn_scan_yunsuo.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type YunsuoDetection struct{} 6 | 7 | func (w *YunsuoDetection) Name() string { 8 | return "云锁椒图 Defender" 9 | } 10 | 11 | func (w *YunsuoDetection) Type() resources.EDRType { 12 | return resources.YunsuoEDR 13 | } 14 | 15 | var YunsuoProcessHeuristic = []string{ 16 | "wsssr_defence_daemon", 17 | "wsssr_defence_service", 18 | "YSBugReport", 19 | "YSUpdate", 20 | "yunsuo_agent_service", 21 | "yunsuo_agent_daemon", 22 | "gov_defence_service", 23 | "gov_defence_daemon", 24 | } 25 | 26 | var YunsuoServicesHeuristic = []string{ 27 | "wsssr_defence_daemon", 28 | "wsssr_defence_service", 29 | "YSBugReport", 30 | "YSUpdate", 31 | "yunsuo_agent_service", 32 | "yunsuo_agent_daemon", 33 | "gov_defence_service", 34 | "gov_defence_daemon", 35 | } 36 | 37 | var YunsuoDriverHeuristic = []string{ 38 | "wsssr_defence_daemon", 39 | "wsssr_defence_service", 40 | "YSBugReport", 41 | "YSUpdate", 42 | "yunsuo_agent_service", 43 | "yunsuo_agent_daemon", 44 | "gov_defence_service", 45 | "gov_defence_daemon", 46 | } 47 | 48 | var YunsuoRegistryHeuristic = []string{ 49 | "wsssr_defence_daemon", 50 | "wsssr_defence_service", 51 | "YSBugReport", 52 | "YSUpdate", 53 | "yunsuo_agent_service", 54 | "yunsuo_agent_daemon", 55 | "gov_defence_service", 56 | "gov_defence_daemon", 57 | } 58 | 59 | func (w *YunsuoDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 60 | _, ok := data.CountMatchesAll(YunsuoDriverHeuristic, YunsuoProcessHeuristic, YunsuoRegistryHeuristic, YunsuoServicesHeuristic) 61 | if !ok { 62 | return "", false 63 | } 64 | 65 | return resources.YunsuoEDR, true 66 | } 67 | -------------------------------------------------------------------------------- /pkg/scanners/scan_bitdefender.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type BitDefenderDetection struct{} 6 | 7 | func (w *BitDefenderDetection) Name() string { 8 | return "BitDefender" 9 | } 10 | 11 | func (w *BitDefenderDetection) Type() resources.EDRType { 12 | return resources.BitDefenderEDR 13 | } 14 | 15 | var BitDefenderHeuristic = []string{ 16 | "BitDefender", 17 | "bdagent.exe", 18 | "AntiphishingAgent.dll", 19 | "bdcloud.dll", 20 | "bdmltusrsrv.dll", 21 | "bdnc.dll", 22 | "bdfndisf6.sys", 23 | "bdfwcore.dll", 24 | "bdfwfpf.sys", 25 | "bdpredir.dll", 26 | "bdquar.dll", 27 | "avc3.sys", 28 | "avckf.sys", 29 | "alertvs10u.http.dll", 30 | "amvs10u.http.dll", 31 | "aphvs10u.http.dll", 32 | "bdch.dll", 33 | "bdchsubmit.dll", 34 | "BdFirewallSDK.dll", 35 | "bdreinit.exe", 36 | "bdpredir_ssl.dl", 37 | "pdscan.exe", 38 | "pdiface.exe", 39 | "pdiface.exe", 40 | "bdnc.dll", 41 | "BDSubmit.dll", 42 | "BDSubWiz.exe", 43 | "bdch.dll", 44 | "bdec.dll", 45 | "bdreinit.exe", 46 | } 47 | 48 | func (w *BitDefenderDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 49 | _, ok := data.CountMatchesAll(BitDefenderHeuristic) 50 | if !ok { 51 | return "", false 52 | } 53 | 54 | return resources.BitDefenderEDR, true 55 | } 56 | -------------------------------------------------------------------------------- /pkg/scanners/scan_carbonblack.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type CarbonBlackDetection struct{} 6 | 7 | func (w *CarbonBlackDetection) Name() string { 8 | return "Carbon Black" 9 | } 10 | 11 | func (w *CarbonBlackDetection) Type() resources.EDRType { 12 | return resources.CarbonBlackEDR 13 | } 14 | 15 | var CarbonBlackHeuristic = []string{ 16 | "CarbonBlack\\", 17 | "CbDefense\\", 18 | "CarbonBlackClientSetup.exe", 19 | } 20 | 21 | func (w *CarbonBlackDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 22 | _, ok := data.CountMatchesAll(CarbonBlackHeuristic) 23 | if !ok { 24 | return "", false 25 | } 26 | 27 | return resources.CarbonBlackEDR, true 28 | } 29 | -------------------------------------------------------------------------------- /pkg/scanners/scan_checkpoint.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type CheckPointDetection struct{} 6 | 7 | func (w *CheckPointDetection) Name() string { 8 | return "Carbon Black" 9 | } 10 | 11 | func (w *CheckPointDetection) Type() resources.EDRType { 12 | return resources.CheckPointEDR 13 | } 14 | 15 | var CheckPointHeuristic = []string{ 16 | "Checkpoint", 17 | "tracsrvwrapper.exe", 18 | "TrGUI.exe", 19 | "TracCAPI.exe", 20 | "dtplat.dll", 21 | "epcgina.dll", 22 | "epcgina_user64.dll", 23 | "LogonISReg.dll", 24 | "OsMonitor.dll", 25 | "ProcessMonitor.dll", 26 | "proxystub.dll", 27 | "ScriptRun.dll", 28 | "SCVMonitor.dll", 29 | "scvprod_lang_pack.dll", 30 | "SCUIAPI.dll", 31 | "cpmsi_tool.exe", 32 | "DataStruct.dll", 33 | "FileHash_DYN.dll", 34 | "TrAPI.dll", 35 | "vna_coinstall.dll - vna", 36 | "vna_install64.exe", 37 | "vna_utils.exe", 38 | "TracSrvWrapper.exe", 39 | "TrGUI.exe", 40 | "TracSrvWrapper.exe", 41 | "TrueVector", 42 | "p95tray.exe", 43 | } 44 | 45 | func (w *CheckPointDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 46 | _, ok := data.CountMatchesAll(CheckPointHeuristic) 47 | if !ok { 48 | return "", false 49 | } 50 | 51 | return resources.CheckPointEDR, true 52 | } 53 | -------------------------------------------------------------------------------- /pkg/scanners/scan_crowdstrike.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type CrowdstrikeDetection struct{} 6 | 7 | func (w *CrowdstrikeDetection) Name() string { 8 | return "Crowdstrike EDR Solution" 9 | } 10 | 11 | func (w *CrowdstrikeDetection) Type() resources.EDRType { 12 | return resources.CrowdstrikeEDR 13 | } 14 | 15 | var CrowdstrikeHeuristic = []string{ 16 | "CrowdStrike", 17 | "%SYSTEMROOT%\\system32\\drivers\\crowdstrike\\CsDeviceControl.inf", 18 | "%SYSTEMROOT%\\system32\\drivers\\crowdstrike\\CsFirmwareAnalysis.inf", 19 | "windowssensor.x64.exe", 20 | "C:\\Windows\\System32\\drivers\\crowdstrike", 21 | "csagent.sys", 22 | "csim.sys", 23 | "csimn.sys", 24 | "csimu.sys", 25 | } 26 | 27 | func (w *CrowdstrikeDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 28 | _, ok := data.CountMatchesAll(CrowdstrikeHeuristic) 29 | if !ok { 30 | return "", false 31 | } 32 | 33 | return resources.CrowdstrikeEDR, true 34 | } 35 | -------------------------------------------------------------------------------- /pkg/scanners/scan_cybereason.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type CybereasonDetection struct{} 6 | 7 | func (w *CybereasonDetection) Name() string { 8 | return "Cybereason" 9 | } 10 | 11 | func (w *CybereasonDetection) Type() resources.EDRType { 12 | return resources.CybereasonEDR 13 | } 14 | 15 | var CybereasonHeuristic = []string{ 16 | "CybereasonRansomFreeServiceHost.exe", 17 | "Cybereason", 18 | "Cybereason ActiveProbe\\", 19 | "CrAmTray.exe", 20 | "Cybereason", 21 | "crsdll.dll", 22 | "CoreMinion.dll", 23 | "CoreMinion", 24 | "minionhost.exe", 25 | "Cybereason Sensor", 26 | "CybereasonSensor.exe", 27 | } 28 | 29 | func (w *CybereasonDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 30 | _, ok := data.CountMatchesAll(CybereasonHeuristic) 31 | if !ok { 32 | return "", false 33 | } 34 | 35 | return resources.CybereasonEDR, true 36 | } 37 | -------------------------------------------------------------------------------- /pkg/scanners/scan_cylance.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type CylanceDetection struct{} 6 | 7 | func (w *CylanceDetection) Name() string { 8 | return "Cylance Smart Antivirus" 9 | } 10 | 11 | func (w *CylanceDetection) Type() resources.EDRType { 12 | return resources.CylanceEDR 13 | } 14 | 15 | var CylanceHeuristic = []string{ 16 | "Cylance", 17 | "CylanceProtectSetup.exe", 18 | "cylancesvc.exe", 19 | "CylanceUI.exe", 20 | "CylanceProtect", 21 | "CylanceProtectSetup.exe", 22 | "cylance.updatemgr.interfaces.dll", 23 | "cylancesvc.exe", 24 | "cylance.host.updater.dll", 25 | "cylance.host.versions.dll", 26 | "cylance.host.analysis.dll", 27 | "cylance.host.ccui.interfaces.dll", 28 | "cylance.host.commandcontrolui.dll", 29 | "cylance.host.controller.dll", 30 | "cylance.host.cylancevenue.dll", 31 | "cylance.host.infinitymodel.dll", 32 | "cylance.host.windowseventlogwriter.dll", 33 | "cylance.interfaces.dll", 34 | "cymemdef.dll", 35 | "cyprotectdrv64.sys", 36 | "cyupdate.exe", 37 | "cyhelper64.dl", 38 | "cylanceui.exe", 39 | "cymemdef64.dll", 40 | "cylance.host.cylancevenuemodule.dll", 41 | "cylance.host.memdefps_gac.dll", 42 | "cylance.host.systeminformation.dll", 43 | "cymemdefps.dll", 44 | "cymemdefps64.dll", 45 | "cylance.host.wmiprovider_gac.dll", 46 | "cylance.host.infinitymodelole.dll", 47 | "cylance.host.infinitymodelpdf.dll", 48 | } 49 | 50 | func (w *CylanceDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 51 | _, ok := data.CountMatchesAll(CylanceHeuristic) 52 | if !ok { 53 | return "", false 54 | } 55 | 56 | return resources.CylanceEDR, true 57 | } 58 | -------------------------------------------------------------------------------- /pkg/scanners/scan_cynet.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type CynetDetection struct{} 6 | 7 | func (w *CynetDetection) Name() string { 8 | return "Cynet" 9 | } 10 | 11 | func (w *CynetDetection) Type() resources.EDRType { 12 | return resources.CynetEDR 13 | } 14 | 15 | var CynetHeuristic = []string{ 16 | "Cynet", 17 | "Cyops", 18 | "Cynet EPS", 19 | } 20 | 21 | func (w *CynetDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 22 | _, ok := data.CountMatchesAll(CynetHeuristic) 23 | if !ok { 24 | return "", false 25 | } 26 | 27 | return resources.CynetEDR, true 28 | } 29 | -------------------------------------------------------------------------------- /pkg/scanners/scan_deepinstinct.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type DeepInstictDetection struct{} 6 | 7 | func (w *DeepInstictDetection) Name() string { 8 | return "Deep Instinct Security" 9 | } 10 | 11 | func (w *DeepInstictDetection) Type() resources.EDRType { 12 | return resources.DeepInstinctEDR 13 | } 14 | 15 | var DeepInstinctHeuristic = []string{ 16 | "DeepInstinct", 17 | "Deep Instinct Agent", 18 | "Deep Instinct Prevention Platform", 19 | "HKEY_LOCAL_MACHINE\\SOFTWARE\\Deep Instinct", 20 | } 21 | 22 | func (w *DeepInstictDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 23 | _, ok := data.CountMatchesAll(DeepInstinctHeuristic) 24 | if !ok { 25 | return "", false 26 | } 27 | 28 | return resources.DeepInstinctEDR, true 29 | } 30 | -------------------------------------------------------------------------------- /pkg/scanners/scan_elastic.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type ElasticAgentDetection struct{} 6 | 7 | func (w *ElasticAgentDetection) Name() string { 8 | return "Elastic Endpoint Security" 9 | } 10 | 11 | func (w *ElasticAgentDetection) Type() resources.EDRType { 12 | return resources.ElasticAgentEDR 13 | } 14 | 15 | var ElasticAgentHeuristic = []string{ 16 | "elastic-agent.exe", 17 | "elastic-endpoint.exe", 18 | "elastic-endpoint-driver", 19 | "ElasticEndpoint", 20 | } 21 | 22 | func (w *ElasticAgentDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 23 | _, ok := data.CountMatchesAll(ElasticAgentHeuristic) 24 | if !ok { 25 | return "", false 26 | } 27 | 28 | return resources.ElasticAgentEDR, true 29 | } 30 | -------------------------------------------------------------------------------- /pkg/scanners/scan_eset.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type ESETEDRDetection struct{} 6 | 7 | func (w *ESETEDRDetection) Name() string { 8 | return "ESET Endpoint Security" 9 | } 10 | 11 | func (w *ESETEDRDetection) Type() resources.EDRType { 12 | return resources.ESETEDR 13 | } 14 | 15 | var ESETHeuristic = []string{ 16 | "ESET", 17 | "egui.exe", 18 | "ekrn.exe", 19 | "minodlogin.exe", 20 | "minodlogin", 21 | "emu-rep.exe", 22 | "emu_install.exe", 23 | "emu-cci.exe", 24 | "emu-gui.exe", 25 | "emu-uninstall.exe", 26 | "emu-gui.exe", 27 | "ESET MSP Utilities", 28 | "C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\ecmd.exe", 29 | "eguiAmon.dll", 30 | "eguiDevmon.dll", 31 | "eguiDmon.dll", 32 | "eguiEmon.dll", 33 | "eguiEpfw.dll", 34 | "eguiHips.dll", 35 | "eguiMailPlugins.dll", 36 | "eguiParental.dll", 37 | "eguiProduct.dll", 38 | "eguiProductRcd.dll", 39 | "eguiScan.dll", 40 | "eguiSmon.dll", 41 | "eguiUpdate.dll", 42 | "EHttpSrv.exe", 43 | "eplgHooks.dll", 44 | "eplgOE.dll", 45 | "eclsLang.dll", 46 | "eguiAmonLang.dll", 47 | "eguiEpfwLang.dll", 48 | "eguiHipsLang.dll", 49 | "eguiLang.dll", 50 | "eguiOnlineHelp.dll", 51 | "eguiOnlineHelpLang.dll", 52 | "eguiScanLang.dll", 53 | "eguiSmonLang.dll", 54 | "eguiUpdateLang.dll", 55 | "eguiWebControl.dll", 56 | "ekrnDevmonLang.dll", 57 | "ekrnEpfwLang.dll", 58 | "ekrnHipsLang.dll", 59 | } 60 | 61 | func (w *ESETEDRDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 62 | _, ok := data.CountMatchesAll(ESETHeuristic) 63 | if !ok { 64 | return "", false 65 | } 66 | 67 | return resources.QualysEDR, true 68 | } 69 | -------------------------------------------------------------------------------- /pkg/scanners/scan_fireeye.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type FireEyeDetection struct{} 6 | 7 | func (w *FireEyeDetection) Name() string { 8 | return "FireEye" 9 | } 10 | 11 | func (w *FireEyeDetection) Type() resources.EDRType { 12 | return resources.FireEyeEDR 13 | } 14 | 15 | var FireEyeHeuristic = []string{ 16 | "FireEye", 17 | "C:\\Program Files\\FireEye\\xagt\\", 18 | "xagt.exe", 19 | } 20 | 21 | func (w *FireEyeDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 22 | _, ok := data.CountMatchesAll(FireEyeHeuristic) 23 | if !ok { 24 | return "", false 25 | } 26 | 27 | return resources.FireEyeEDR, true 28 | } 29 | -------------------------------------------------------------------------------- /pkg/scanners/scan_fortinet.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type FortinetDetection struct{} 6 | 7 | func (w *FortinetDetection) Name() string { 8 | return "Fortinet" 9 | } 10 | 11 | func (w *FortinetDetection) Type() resources.EDRType { 12 | return resources.FortinetEDR 13 | } 14 | 15 | var FortinetHeuristic = []string{ 16 | "Fortinet", 17 | "dcagent_amd64.dll", 18 | "FSAEConfig.exe", 19 | "fortilspheuristics.dll", 20 | "fccomintdll.dll", 21 | "fcoeam.dll", 22 | "fccomint.exe", 23 | "fclanguageselector.exe", 24 | "fortifw.exe", 25 | "fortitray.exe", 26 | "libcfg.dll", 27 | "fcappdb.exe", 28 | "fcoehook.dll", 29 | "fcwizard.exe", 30 | "fcresc.dll", 31 | "fortiwf.exe", 32 | "forticlish.dll", 33 | "fortiece.dll", 34 | "libavr.dll", 35 | "fortiwadbd.exe", 36 | "fcdblog.exe", 37 | "fortiwad.exe", 38 | "fortiproxy.exe", 39 | "fortiskin.dll", 40 | "fortiscand.exe", 41 | "fortivpnst.dll", 42 | "fortivpnst.exe", 43 | "fortivpnst64.dll", 44 | "fasle.dll", 45 | "fcwscd7.exe", 46 | "forticlient.exe", 47 | "forticlish.dll", 48 | "FortiClient Service Scheduler", 49 | "FortiClient.exe", 50 | "fortiwad.exe", 51 | "fortiproxy.exe", 52 | "FortiLSPHeuristics.dll", 53 | "npccpluginex.dll", 54 | "nptcplugin.dll", 55 | "npccplugin.dll", 56 | "FCCOMIntDLL.dll", 57 | "FCOEAM.dll", 58 | "FSSOMA.exe", 59 | "LaunchCacheClean.dll", 60 | "launchcacheclean64.dll", 61 | "FCCOMInt.exe", 62 | "FCVbltScan.exe", 63 | "sslvpnhostcheck.dll", 64 | "sslvpnhostcheck64.dll", 65 | "FortiESNAC.exe", 66 | "FortiTray.exe", 67 | "FCConfig.exe", 68 | "FCOEHook.dll", 69 | "FCResc.dll", 70 | "forticachecleaner.dll", 71 | "FortiCacheCleaner64.dll", 72 | "forticredentialprovider.dll", 73 | "FortiCredentialProvider2x64.dll", 74 | "forticredentialprovider64.dll", 75 | "FortiTrayResc.dll", 76 | "FortiWF.exe", 77 | "EPCUserAvatar.exe", 78 | "FortiAvatar.exe", 79 | "FortiCliSh.dll", 80 | "FortiCliSh64.dll", 81 | "fortifws.exe", 82 | "FortiWadbd.exe", 83 | "FortiClient_Diagnostic_Tool.exe", 84 | "forticontrol.dll", 85 | "FortiSSLVPNdaemon.exe", 86 | "FortiCliSh.dll", 87 | "FortiCliSh64.dll", 88 | "npccpluginex.dll", 89 | "nptcplugin.dll", 90 | "npccplugin.dll", 91 | "FortiClient Service Scheduler", 92 | "FortiESNAC.exe", 93 | "FortiWad.exe", 94 | "FortiProxy.exe", 95 | } 96 | 97 | func (w *FortinetDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 98 | _, ok := data.CountMatchesAll(FortinetHeuristic) 99 | if !ok { 100 | return "", false 101 | } 102 | 103 | return resources.FortinetEDR, true 104 | } 105 | -------------------------------------------------------------------------------- /pkg/scanners/scan_kaspersky.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type KaskperskyDetection struct{} 6 | 7 | func (w *KaskperskyDetection) Name() string { 8 | return "Kaspersky Security" 9 | } 10 | 11 | func (w *KaskperskyDetection) Type() resources.EDRType { 12 | return resources.KaskperskyEDR 13 | } 14 | 15 | var KasperskyHeuristic = []string{ 16 | "kaspersky", 17 | "avpui.exe", 18 | "avpservice.dll", 19 | "avzkrnl.dll", 20 | "cf_anti_malware_facade.dll", 21 | "cf_facade.dll", 22 | "cf_mgmt_facade.dll", 23 | "cf_response_provider.dll", 24 | "ckahcomm.dll", 25 | "ckahrule.dll", 26 | "ckahum.dll", 27 | "eka_meta.dll", 28 | "kasperskylab.kis.ui.dll", 29 | "am_facade.dll", 30 | "am_meta.dll", 31 | "attestation_task.dll", 32 | "avs_eka.dll", 33 | "kasperskylab.ksde.ui.dll", 34 | "kasperskylab.ui.core.dll", 35 | "kasperskylab.ui.core.visuals.dll", 36 | "ksdeuimain.dll", 37 | "avpsus.exe", 38 | "klnagent.exe", 39 | "klnsacwsrv.exe", 40 | "klnagent.exe", 41 | "kl_platf.exe", 42 | "klnagwds.exe", 43 | // 自己添加 44 | "_avp32.exe", 45 | "_avpcc.exe", 46 | "_avpm.exe", 47 | } 48 | 49 | func (w *KaskperskyDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 50 | _, ok := data.CountMatchesAll(KasperskyHeuristic) 51 | if !ok { 52 | return "", false 53 | } 54 | 55 | return resources.KaskperskyEDR, true 56 | } 57 | -------------------------------------------------------------------------------- /pkg/scanners/scan_limacharlie.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type LimacharlieDetection struct{} 6 | 7 | func (w *LimacharlieDetection) Name() string { 8 | return "Limacharlie Agent" 9 | } 10 | 11 | func (w *LimacharlieDetection) Type() resources.EDRType { 12 | return resources.LimacharlieEDR 13 | } 14 | 15 | var LimacharlieHeuristic = []string{ 16 | "rphcp.exe", 17 | "lc_sensor.exe", 18 | "refractionPOINT HCP", 19 | "LimaCharlie", 20 | } 21 | 22 | func (w *LimacharlieDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 23 | _, ok := data.CountMatchesAll(LimacharlieHeuristic) 24 | if !ok { 25 | return "", false 26 | } 27 | 28 | return resources.DeepInstinctEDR, true 29 | } 30 | -------------------------------------------------------------------------------- /pkg/scanners/scan_malwarebytes.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type MalwareBytesDetection struct{} 6 | 7 | func (w *MalwareBytesDetection) Name() string { 8 | return "Malware Bytes" 9 | } 10 | 11 | func (w *MalwareBytesDetection) Type() resources.EDRType { 12 | return resources.MalwareBytesEDR 13 | } 14 | 15 | var MalwareBytesHeuristic = []string{ 16 | "MalwareBytes", 17 | "mbae.exe", 18 | "mbae64.dll", 19 | "mbae64.exe", 20 | "mbae-api.dll", 21 | "mbae-svc.exe", 22 | "mbae-uninstaller.exe", 23 | "mbae.sys", 24 | "mbae64.sys", 25 | "mbae-svc.exe", 26 | "Malwarebytes Anti-Exploit Service", 27 | "C:\\Program Files\\Malwarebytes Anti-Exploit\\mbae.exe", 28 | "mbae-loader.exe ", 29 | "mbaeLoader32.exe", 30 | "mbaeloader64.exe", 31 | "mbamcore.dll", 32 | "mbam-dor.exe", 33 | "mbamext.dll", 34 | "mbamgui.exe", 35 | "mbamnet.dll", 36 | "mbamservice.exe", 37 | "mbamtrayctrl.exe", 38 | "mbampt.exe", 39 | "mbamscheduler.exe", 40 | "C:\\Program Files\\Malwarebytes Anti-Rootkit", 41 | "mbar-1.08.2.1001.exe ", 42 | "mbeadomain.dll", 43 | "mbae-setup.exe", 44 | "MBAMHelper.exe", 45 | } 46 | 47 | func (w *MalwareBytesDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 48 | _, ok := data.CountMatchesAll(MalwareBytesHeuristic) 49 | if !ok { 50 | return "", false 51 | } 52 | 53 | return resources.MalwareBytesEDR, true 54 | } 55 | -------------------------------------------------------------------------------- /pkg/scanners/scan_mcafee.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type McafeeDetection struct{} 6 | 7 | func (w *McafeeDetection) Name() string { 8 | return "McAfee MVISION Endpoint Detection and Response" 9 | } 10 | 11 | func (w *McafeeDetection) Type() resources.EDRType { 12 | return resources.McafeeEDR 13 | } 14 | 15 | var McafeeHeuristic = []string{ 16 | "Mcafee\\", 17 | "mcupdate.exe", 18 | "McAfeeAgent\\", 19 | "APPolicyName", 20 | "EPPolicyName", 21 | "OASPolicyName", 22 | "ESConfigTool.exe", 23 | "FWInstCheck.exe", 24 | "FwWindowsFirewallHandler.exe", 25 | "mfeesp.exe", 26 | "mfefw.exe", 27 | "mfeProvisionModeUtility.exe", 28 | "mfetp.exe", 29 | "WscAVExe.exe", 30 | "mcshield.exe", 31 | "McChHost.exe", 32 | "mfewc.exe", 33 | "mfewch.exe", 34 | "mfewcui.exe", 35 | "mfecanary.exe", 36 | "mfefire.exe", 37 | "mfehidin.exe", 38 | "mfemms.exe", 39 | "mfevtps.exe", 40 | "MarSetup.exe", 41 | "masvc.exe", 42 | "macmnsvc.exe", 43 | "MfeServiceMgr.exe ", 44 | "McAPExe.exe", 45 | "McPvTray.exe", 46 | "mcuicnt.exe", 47 | "mcuihost.exe", 48 | "Mcshield.exe", 49 | "McpService.exe", 50 | "Tbmon.exe", 51 | "Frameworkservice.exe", 52 | "epefprtrainer.exe", 53 | "mfeffcoreservice.exe", 54 | "MfeEpeSvc.exe", 55 | //自己添加 56 | "firesvc.exe", 57 | "firetray.exe", 58 | "hipsvc.exe", 59 | "mfevtps.exe", 60 | "mcafeefire.exe", 61 | "scan32.exe", 62 | "shstat.exe", 63 | "vstskmgr.exe", 64 | "engineserver.exe", 65 | "mfeann.exe", 66 | "mcscript.exe", 67 | "updaterui.exe", 68 | "udaterui.exe", 69 | "naprdmgr.exe", 70 | "cleanup.exe", 71 | "cmdagent.exe", 72 | "frminst.exe", 73 | "mcscript_inuse.exe", 74 | "mctray.exe", 75 | } 76 | 77 | func (w *McafeeDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 78 | _, ok := data.CountMatchesAll(McafeeHeuristic) 79 | if !ok { 80 | return "", false 81 | } 82 | 83 | return resources.McafeeEDR, true 84 | } 85 | -------------------------------------------------------------------------------- /pkg/scanners/scan_qualys.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type QualysDetection struct{} 6 | 7 | func (w *QualysDetection) Name() string { 8 | return "Qualys Cloud Agent EDR" 9 | } 10 | 11 | func (w *QualysDetection) Type() resources.EDRType { 12 | return resources.QualysEDR 13 | } 14 | 15 | var QualysHeuristic = []string{ 16 | "Qualys", 17 | "qualysagent.exe", 18 | "QualysProxy.exe", 19 | "QualysAgentUI.exe", 20 | } 21 | 22 | func (w *QualysDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 23 | _, ok := data.CountMatchesAll(QualysHeuristic) 24 | if !ok { 25 | return "", false 26 | } 27 | 28 | return resources.QualysEDR, true 29 | } 30 | -------------------------------------------------------------------------------- /pkg/scanners/scan_sentinelone.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type SentinelOneDetection struct{} 6 | 7 | func (w *SentinelOneDetection) Name() string { 8 | return "SentinelOne" 9 | } 10 | 11 | func (w *SentinelOneDetection) Type() resources.EDRType { 12 | return resources.SentinelOneEDR 13 | } 14 | 15 | var SentinelOneHeuristic = []string{ 16 | "SentinelOne\\", 17 | "C:\\Program Files\\SentinelOne", 18 | "SentinelAgent", 19 | "SentinelMonitor", 20 | } 21 | 22 | func (w *SentinelOneDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 23 | _, ok := data.CountMatchesAll(SentinelOneHeuristic) 24 | if !ok { 25 | return "", false 26 | } 27 | 28 | return resources.SentinelOneEDR, true 29 | } 30 | -------------------------------------------------------------------------------- /pkg/scanners/scan_sophos.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type SophosDetection struct{} 6 | 7 | func (w *SophosDetection) Name() string { 8 | return "Sophos" 9 | } 10 | 11 | func (w *SophosDetection) Type() resources.EDRType { 12 | return resources.SophosEDR 13 | } 14 | 15 | var SophosHeuristic = []string{ 16 | "Sophos", 17 | "SVRTgui.exe", 18 | "SVRTcli.exe", 19 | "Sophos Virus Removal Tool install.exe", 20 | "SVRTcli.exe", 21 | "SVRTgui.exe", 22 | "SCTCleanupService.exe", 23 | "SVRTservice.exe", 24 | "osdp.dll", 25 | "SAVI.dll", 26 | "veex.dll", 27 | "rkdisk.dll", 28 | "SCTBootTasks.exe", 29 | "SUMService.exe", 30 | "SVRTservice.exe", 31 | "SCFService.exe", 32 | "SCFManager.exe", 33 | "SpaRmsAdapter.dll", 34 | "sargui.exe", 35 | "Sophos Computer Security Scan.exe", 36 | "sntpservice.exe", 37 | "SophosLinkIconHandler32.dll", 38 | "McsHeartbeat.exe", 39 | "SAVAdminService.exe", 40 | "conan.dll", 41 | "DCManagement.dll", 42 | "DesktopMessaging.dll", 43 | "DetectionFeedback.dll", 44 | "DeviceControlPlugin.dll", 45 | "DriveProcessor.dll", 46 | "EEConsumer.dll", 47 | "ForceUpdateAlongSideSGN.exe", 48 | "FSDecomposer.dll", 49 | "ICAdapter.dll", 50 | "ICManagement.dll", 51 | "ICProcessors.dll", 52 | "osdp.dll", 53 | "SavAdapter.dll", 54 | "SAVAdminService.exe", 55 | "SAVCleanupService.exe", 56 | "SAVControl.dll", 57 | "SAVI.dll", 58 | "SavMain.exe", 59 | "savmscm.dll", 60 | "SavNeutralRes.dll", 61 | "SavPlugin.dll", 62 | "SavProgress.exe", 63 | "SavProxy.exe", 64 | "SavRes.dll", 65 | "SavResChs.dll", 66 | "SavResCht.dll", 67 | "SavResDeu.dll", 68 | "SavResEng.dll", 69 | "SavResEsp.dll", 70 | "SavSecurity.dll", 71 | "SavService.exe", 72 | "SavShellExt.dll", 73 | "SavShellExtX64.dll", 74 | "bpaif.dll", 75 | "swc_service.exe", 76 | "swcadapter.dll", 77 | "swi_callout.sys", 78 | "swi_service.exe", 79 | "swc_service.exe", 80 | "swi_filter.exe", 81 | "SophosUpdate.exe", 82 | "ALMsg.dll", 83 | "ALUpdate.exe", 84 | "AUAdapter.dll", 85 | "ChannelUpdater.dll", 86 | "cidsync.dll", 87 | "config.dll", 88 | "crypto.dll", 89 | "EECustomActions.dll", 90 | "InstlMgr.dll", 91 | "ispsheet.dll", 92 | "SAUConfigDLL.dll", 93 | "SingleGUIPlugin.dll", 94 | "SophosAlert.exe", 95 | "swlocale.dll", 96 | "SavShellExt.dll", 97 | "SavShellExtX64.dll", 98 | "SavMain.exe", 99 | "SAVAdminService.exe", 100 | "SAVCleanupService.exe", 101 | "SavService.exe", 102 | } 103 | 104 | func (w *SophosDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 105 | _, ok := data.CountMatchesAll(SophosHeuristic) 106 | if !ok { 107 | return "", false 108 | } 109 | 110 | return resources.SophosEDR, true 111 | } 112 | -------------------------------------------------------------------------------- /pkg/scanners/scan_symantec.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type SymantecDetection struct{} 6 | 7 | func (w *SymantecDetection) Name() string { 8 | return "Symantec Endpoint Security" 9 | } 10 | 11 | func (w *SymantecDetection) Type() resources.EDRType { 12 | return resources.SymantecEDR 13 | } 14 | 15 | var SymantecHeuristic = []string{ 16 | "symantec", 17 | "symcorpu", 18 | "symefasi", 19 | "Symantec", 20 | "Norton 360", 21 | "AVSubmit.dll", 22 | "AVSvcPlg.dll", 23 | "NTPAlert.dll", 24 | "NTPFW.dll", 25 | "N360Downloader.exe", 26 | "bushell.dll", 27 | "InstWrap.exe", 28 | "symcorpui.exe", 29 | "isPwdSvc.exe", 30 | "ccsvchst.exe", 31 | "Symantec Endpoint Protection\\", 32 | } 33 | 34 | func (w *SymantecDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 35 | _, ok := data.CountMatchesAll(SymantecHeuristic) 36 | if !ok { 37 | return "", false 38 | } 39 | 40 | return resources.SymantecEDR, true 41 | } 42 | -------------------------------------------------------------------------------- /pkg/scanners/scan_trendmicro.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type TrendMicroDetection struct{} 6 | 7 | func (w *TrendMicroDetection) Name() string { 8 | return "Trend Micro Deep Security" 9 | } 10 | 11 | func (w *TrendMicroDetection) Type() resources.EDRType { 12 | return resources.TrendMicroEDR 13 | } 14 | 15 | var TrendMicroHeuristic = []string{ 16 | "Trend Micro", 17 | "pccntmon.exe", 18 | "AosUImanager.exe", 19 | "NTRTScan.exe", 20 | "tmaseng.dll", 21 | "TMAS_OL.exe", 22 | "TMAS_OLA.dll", 23 | "TMAS_OLImp.exe", 24 | "TMAS_OLShare.dll", 25 | "EMapiWpr.dll", 26 | "TMAS_OLSentry.exe", 27 | "ufnavi.exe", 28 | "Clnrbin.exe", 29 | "vizorhtmldialog.exe", 30 | "pwmConsole.exe", 31 | "PwmSvc.exe", 32 | "coreServiceShell.exe", 33 | "ds_agent.exe", 34 | "ufnavi.exe", 35 | "SfCtlCom.exe", 36 | //自己添加 37 | "PCCPFW.exe", 38 | "PCCTLCOM.exe", 39 | "TMLISTEN.exe", 40 | "TMNTSRV.exe", 41 | "TMPROXY.exe", 42 | } 43 | 44 | func (w *TrendMicroDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 45 | _, ok := data.CountMatchesAll(TrendMicroHeuristic) 46 | if !ok { 47 | return "", false 48 | } 49 | 50 | return resources.QualysEDR, true 51 | } 52 | -------------------------------------------------------------------------------- /pkg/scanners/scan_win_defender.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | type WinDefenderDetection struct{} 6 | 7 | func (w *WinDefenderDetection) Name() string { 8 | return "Windows Defender" 9 | } 10 | 11 | func (w *WinDefenderDetection) Type() resources.EDRType { 12 | return resources.WinDefenderEDR 13 | } 14 | 15 | var WinDefenderProcessHeuristic = []string{ 16 | "defender", 17 | "msmpeng", 18 | } 19 | 20 | var WinDefenderServicesHeuristic = []string{ 21 | "defender", 22 | "msmpeng", 23 | } 24 | 25 | var WinDefenderDriverHeuristic = []string{ 26 | "defender", 27 | } 28 | 29 | var WinDefenderRegistryHeuristic = []string{ 30 | "Windows Defender", 31 | } 32 | 33 | // Detect returnns EDRType `defender` 34 | // If 35 | // - processes list contains WinDefenderProcessHeuristic keywords 36 | // - services list contains WinDefenderServicesHeuristic keywords 37 | // - registry list contains WinDefenderRegistryHeuristic keywords 38 | // - driver list contains WinDefenderDriverHeuristic keywords 39 | func (w *WinDefenderDetection) Detect(data resources.SystemData) (resources.EDRType, bool) { 40 | _, ok := data.CountMatchesAll(WinDefenderDriverHeuristic, WinDefenderProcessHeuristic, WinDefenderRegistryHeuristic, WinDefenderServicesHeuristic) 41 | if !ok { 42 | return "", false 43 | } 44 | 45 | return resources.WinDefenderEDR, true 46 | } 47 | -------------------------------------------------------------------------------- /pkg/scanners/scanner.go: -------------------------------------------------------------------------------- 1 | package scanners 2 | 3 | import "AvHunt/pkg/resources" 4 | 5 | var ( 6 | Scanners = []resources.EDRDetection{ 7 | // 原始版本 8 | &CarbonBlackDetection{}, 9 | &CrowdstrikeDetection{}, 10 | &CylanceDetection{}, 11 | &FireEyeDetection{}, 12 | &KaskperskyDetection{}, 13 | &McafeeDetection{}, 14 | &SymantecDetection{}, 15 | &SentinelOneDetection{}, 16 | &WinDefenderDetection{}, 17 | &ElasticAgentDetection{}, 18 | // CN 19 | &HuorongDetection{}, 20 | &SLL360Detection{}, 21 | &TianQingDetection{}, 22 | &JinshanDetection{}, 23 | &SafedogDetection{}, 24 | &YunsuoDetection{}, 25 | &TencentguanjiaDetection{}, 26 | &TopsecedrDetection{}, 27 | &RisingDetection{}, 28 | &JiangminDetection{}, 29 | &AntianDetection{}, 30 | &BaiduDetection{}, 31 | &D99netDetection{}, 32 | &HwsDetection{}, 33 | &MozheDetection{}, 34 | &YaxinDetection{}, 35 | &AliYunDunDetection{}, 36 | &PandaDetection{}, 37 | 38 | //v1.4.4 39 | &ESETEDRDetection{}, 40 | &QualysDetection{}, 41 | &TrendMicroDetection{}, 42 | &CybereasonDetection{}, 43 | &BitDefenderDetection{}, 44 | &CheckPointDetection{}, 45 | &CynetDetection{}, 46 | &DeepInstictDetection{}, 47 | &SophosDetection{}, 48 | &FortinetDetection{}, 49 | &MalwareBytesDetection{}, 50 | &LimacharlieDetection{}, 51 | } 52 | ) 53 | -------------------------------------------------------------------------------- /pkg/util/util.go: -------------------------------------------------------------------------------- 1 | package util 2 | 3 | import "strings" 4 | 5 | // StrSliceEqual checks wheter slice s contains a string exactly like e. 6 | func StrSliceEqual(s []string, e string) bool { 7 | for _, a := range s { 8 | if strings.EqualFold(a, e) { 9 | return true 10 | } 11 | } 12 | return false 13 | } 14 | 15 | // StrSliceContains checks wheter slice s contains a string which contains e. 16 | func StrSliceContains(s []string, e string) bool { 17 | for _, a := range s { 18 | if strings.Contains(a, e) { 19 | return true 20 | } 21 | } 22 | return false 23 | } 24 | -------------------------------------------------------------------------------- /release/AvHunt.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Goqi/AvHunt/203fe43d652fadd576c53dfd41392d0e4cad36a8/release/AvHunt.exe -------------------------------------------------------------------------------- /release/AvHunt32.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Goqi/AvHunt/203fe43d652fadd576c53dfd41392d0e4cad36a8/release/AvHunt32.exe --------------------------------------------------------------------------------