├── .github
    └── workflows
    │   ├── go_build_linux.yml
    │   └── go_build_windows.yml
├── Icon.png
├── LICENSE
├── README.linux-compilation.md
├── README.md
├── README.windows-compilation.md
├── configuration.go
├── examples
    ├── CISA-AA21-259A
    │   ├── CISA-AA21-259A.yaml
    │   ├── EncryptJSP.yar
    │   └── ReportGenerate_jsp.yar
    ├── example_configuration_api_triage.yaml
    ├── example_configuration_distant.yaml
    ├── example_configuration_linux.yaml
    ├── example_configuration_windows.yaml
    ├── example_rule_linux.yar
    ├── example_rule_windows.yar
    ├── example_windows_api_triage.yar
    ├── linux-fontonlake
    │   └── eset_fontonlake_linux.yaml
    ├── log4j_vuln_checker
    │   └── config-log4j_vuln_checker.yaml
    └── proxyshell
    │   └── drophell.yaml
├── finder.go
├── finder_test.go
├── go.mod
├── go.sum
├── gui.go
├── logger.go
├── main.go
├── main_test.go
├── progressbar.go
├── progressbar_test.go
├── resources
    ├── linux_sfx.elf
    └── windows_sfx.exe
├── screenshots
    ├── fastfinder_basicUI.jpg
    ├── fastfinder_configuration_linux.jpg
    ├── fastfinder_configuration_picker.jpg
    ├── fastfinder_linux_scan.jpg
    └── fastfinder_matchs.jpg
├── sfxbuilder.go
├── tests
    ├── config_test_ciphered.yml
    ├── config_test_standard.yml
    ├── rule_test_ciphered.yar
    └── rule_test_standard.yar
├── utils_common.go
├── utils_common_test.go
├── utils_linux.go
├── utils_windows.go
├── yaraprocessing.go
└── yaraprocessing_test.go


/.github/workflows/go_build_linux.yml:
--------------------------------------------------------------------------------
 1 | name: fastfinder_build_linux
 2 | 
 3 | on: [push, pull_request]
 4 | 
 5 | jobs:
 6 |   linux_standard-build:
 7 |     runs-on: ubuntu-latest
 8 |     steps:
 9 |       - name: Install system dependencies
10 |         run: |
11 |           sudo apt-get update
12 |           sudo apt-get install -y \
13 |             build-essential \
14 |             bison \
15 |             flex \
16 |             autoconf \
17 |             pkg-config \
18 |             automake \
19 |             libtool \
20 |       - name: Set up Go
21 |         uses: actions/setup-go@v2
22 |         with:
23 |             go-version: 1.17
24 |       - name: Install YARA v4.1
25 |         run: |
26 |           YARA_VERSION=4.1.3
27 |           wget --no-verbose -O- https://github.com/VirusTotal/yara/archive/v${YARA_VERSION}.tar.gz | tar -C /tmp -xzf -
28 |           ( cd /tmp/yara-${YARA_VERSION} && ./bootstrap.sh && sudo ./configure && sudo make && sudo make install )
29 |       - uses: actions/checkout@v2
30 |       - name: Building Fastfinder
31 |         run: |
32 |            go build -trimpath -tags yara_static -a -ldflags '-s -w -extldflags "-static"' .
33 |            ls
34 |            sudo chmod +x fastfinder
35 |            sudo ./fastfinder -h


--------------------------------------------------------------------------------
/.github/workflows/go_build_windows.yml:
--------------------------------------------------------------------------------
 1 | name: fastfinder_build_windows
 2 | 
 3 | on: [push, pull_request]
 4 | 
 5 | jobs:
 6 |   windows_standard-build:
 7 |     runs-on: windows-latest
 8 |     defaults:
 9 |       run:
10 |         shell: msys2 {0}
11 |     steps:
12 |       - name: Install MSYS2
13 |         uses: msys2/setup-msys2@v2
14 |         with:
15 |           msystem: MSYS
16 |           path-type: minimal
17 |           update: true
18 |           install: mingw-w64-x86_64-toolchain mingw-w64-x86_64-pkg-config base-devel openssl-devel autoconf automake libtool unzip
19 |       - name: Install YARA v4.1
20 |         run: |
21 |              wget -c https://github.com/VirusTotal/yara/archive/refs/tags/v4.1.3.zip -O /tmp/yara.zip
22 |              cd /tmp && unzip yara.zip
23 |              cd /tmp/yara-4.1.3
24 |              export PATH=${PATH}:/c/msys64/mingw64/bin:/c/msys64/mingw64/lib:/c/msys64/mingw64/lib/pkgconfig
25 |              ./bootstrap.sh
26 |              ./configure
27 |              make
28 |              make install
29 |              cp -r libyara/include/* /c/msys64/mingw64/include
30 |              cp -r libyara/.libs/* /c/msys64/mingw64/lib
31 |              cp libyara/yara.pc /c/msys64/mingw64/lib/pkgconfig
32 |       - name: Set up Go
33 |         uses: actions/setup-go@v2
34 |         with:
35 |             go-version: 1.17
36 |       - uses: actions/checkout@v2
37 |       - name: Building Fastfinder
38 |         shell: powershell
39 |         run: |
40 |           $Env:PATH += ";C:/msys64/mingw64/include"
41 |           $Env:PATH += ";C:/msys64/mingw64/lib"
42 |           $Env:PATH += ";C:/msys64/mingw64/lib/pkgconfig"
43 |           $Env:GOOS="windows"
44 |           $Env:GOARCH="amd64"
45 |           $Env:CGO_CFLAGS="-IC:/msys64/mingw64/include"
46 |           $Env:CGO_LDFLAGS="-LC:/msys64/mingw64/lib -lyara -lcrypto"
47 |           $Env:PKG_CONFIG_PATH="C:/msys64/mingw64/lib/pkgconfig"
48 |           cd $Env:GITHUB_WORKSPACE
49 |           go build -trimpath -tags yara_static -a -ldflags '-s -w -extldflags "-static"' .
50 |           ls
51 |           .\fastfinder.exe -h


--------------------------------------------------------------------------------
/Icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codeyourweb/fastfinder/3674dd00523c219562bd483607d93c830cd3b578/Icon.png


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2021 Jean-Pierre GARNIER
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.linux-compilation.md:
--------------------------------------------------------------------------------
 1 | # Compiling instruction for _FastFinder_ on Linux
 2 | 
 3 | _FastFinder_ was originally designed for Windows platform but it also work perfectly on Linux. Unlike  other Go programs, if you want to compile or run it from source, you will need to install some libraries and compilation tools. Indeed, _FastFinder_ is strongly dependent of libyara, go-yara and CGO. Here's a little step by step guide: 
 4 | 
 5 | ## Before installation
 6 | 
 7 | Please ensure having:
 8 | * Go >= 1.17
 9 | * GOPATH / GOOS / GOARCH correctly set 
10 | * administrator rights to insall 
11 | 
12 | ## Compile YARA
13 | 
14 | 1/ download YARA latest release source tarball (https://github.com/VirusTotal/yara)
15 | 2/ Make sure you have `automake`, `libtool`, `make`, `gcc` and `pkg-config` installed in your system. 
16 | 2/ unzip and compile yara like this: 
17 | ```
18 | tar -zxf yara-<version>.tar.gz
19 | cd <version>.
20 | ./bootstrap.sh
21 | ./configure
22 | make
23 | make install
24 | ```
25 | 3/ Run the test cases to make sure that everything is fine:
26 | ```
27 | make check
28 | ```
29 | 
30 | ## Configure CGO
31 | CGO will link libyara and compile C instructions used by _Fastfinder_ (through go-yara project). Compiler and linker flags have to be set via the CGO_CFLAGS and CGO_LDFLAGS environment variables like this:
32 | ```
33 | export CGO_CFLAGS="-I<YARA_SRC_PATH>/libyara/include"
34 | export CGO_LDFLAGS="-L<YARA_SRC_PATH>/libyara/.libs -lyara"
35 | ```
36 | 
37 | ## You're ready to Go!
38 | You can compile _FastFinder_ with the following command:
39 | ```
40 | go build -tags yara_static -a -ldflags '-s -w' .
41 | ```
42 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | ![Fastfinder logo](./Icon.png)
  2 | # _FastFinder_ - Incident Response - Fast suspicious file finder
  3 | [![Golang](https://img.shields.io/badge/Go-1.17-blue.svg)](https://golang.org) ![Linux](https://img.shields.io/badge/Supports-Linux-green.svg) ![windows](https://img.shields.io/badge/Supports-windows-green.svg)
  4 | ![build windows workflow](https://github.com/codeyourweb/fastfinder/actions/workflows/go_build_windows.yml/badge.svg) ![build windows workflow](https://github.com/codeyourweb/fastfinder/actions/workflows/go_build_linux.yml/badge.svg)
  5 | 
  6 | ## What is this project designed for?
  7 | _FastFinder_ is a lightweight tool made for threat hunting, live forensics and triage on both Windows and Linux Platforms. It is 
  8 | focused on endpoint enumeration and suspicious file finding based on various criterias:
  9 | * file path / name
 10 | * md5 / sha1 / sha256 checksum
 11 | * simple string content match
 12 | * complex content condition(s) based on YARA
 13 | 
 14 | ## Ready for battle!
 15 | * fastfinder has been tested in real cases in multiple CERT, CSIRT and SOC use cases
 16 | * examples directory now include real malwares / suspect behaviors or vulnerability scan examples
 17 | 
 18 | ### Installation 
 19 | Compiled release of this software are available. If you want to compile 
 20 | from sources, it could be a little bit tricky because it strongly depends of 
 21 | _go-yara_ and CGO compilation. Anyway, you'll find a detailed documentation [for windows](README.windows-compilation.md) and [for linux](README.linux-compilation.md)
 22 | 
 23 | ### Usage 
 24 | ```
 25 |   ___       __  ___  ___         __   ___  __
 26 |  |__   /\  /__`  |  |__  | |\ | |  \ |__  |__)
 27 |  |    /~~\ .__/  |  |    | | \| |__/ |___ |  \
 28 | 
 29 |   2021-2022 | Jean-Pierre GARNIER | @codeyourweb
 30 |   https://github.com/codeyourweb/fastfinder  
 31 | 
 32 | usage: fastfinder [-h|--help] [-c|--configuration "<value>"] [-b|--build
 33 |                   "<value>"] [-o|--output "<value>"] [-n|--no-window]
 34 |                   [-u|--no-userinterface] [-v|--verbosity <integer>]
 35 |                   [-t|--triage]
 36 | 
 37 |                   Incident Response - Fast suspicious file finder
 38 | 
 39 | Arguments:
 40 | 
 41 |   -h  --help              Print help information
 42 |   -c  --configuration     Fastfind configuration file. Default:
 43 |   -b  --build             Output a standalone package with configuration and
 44 |                           rules in a single binary
 45 |   -o  --output            Save fastfinder logs in the specified file
 46 |   -n  --no-window         Hide fastfinder window
 47 |   -u  --no-userinterface  Hide advanced user interface
 48 |   -v  --verbosity         File log verbosity
 49 |                                  | 4: Only alert
 50 |                                  | 3: Alert and errors
 51 |                                  | 2: Alerts,errors and I/O operations
 52 |                                  | 1: Full verbosity)
 53 |                                 . Default: 3
 54 |   -t  --triage            Triage mode (infinite run - scan every new file in
 55 |                           the input path directories). Default: false
 56 | ``` 
 57 | 
 58 | Depending on where you are looking for files, _FastFinder_ could be used with admin OR simple user rights. 
 59 | 
 60 | ### Scan and export file match according to your needs
 61 | configuration examples are available [there](./examples)
 62 | ``` 
 63 | input:
 64 |     path: [] # match file path AND / OR file name based on simple string 
 65 |     content:
 66 |         grep: [] # match literal string value inside file content
 67 |         yara: [] # use yara rule and specify rules path(s) for more complex pattern search (wildcards / regex / conditions) 
 68 |         checksum: [] # parse for md5/sha1/sha256 in file content 
 69 | options:
 70 |     contentMatchDependsOnPathMatch: true # if true, paths are a pre-filter for content searchs. If false, paths and content both generate matchs
 71 |     findInHardDrives: true	# enumerate hard drive content
 72 |     findInRemovableDrives: true # enumerate removable drive content 
 73 |     findInNetworkDrives: true # enumerate network drive content
 74 |     findInCDRomDrives: true # enumerate physical CD-ROM and mounted iso / vhd...
 75 | output:
 76 |     copyMatchingFiles: true # create a copy of every matching file
 77 |     base64Files: true # base64 matched content before copy
 78 |     filesCopyPath: '' # empty value will copy matched files in the fastfinder.exe folder
 79 | advancedparameters:
 80 |     yaraRC4Key: ''    # yara rules can be (un)/ciphered using the specified RC4 key
 81 |     maxScanFilesize: 2048 #  ignore files up to maxScanFileSize Mb (default: 2048)               
 82 |     cleanMemoryIfFileGreaterThanSize: 512 # clean fastfinder internal memory after heavy file scan (default: 512Mb) 
 83 | ``` 
 84 | ### Search everywhere or in specified paths:
 85 | * use '?' in paths for simple char wildcard (eg. powershe??.exe)
 86 | * use '\\\*' in paths for multiple chars wildcard (eg. \\\*.exe)
 87 | * regular expressions are also available , just enclose paths with slashes (eg. /[0-9]{8}\\.exe/)
 88 | * environment variables can also be used (eg. %TEMP%\\myfile.exe)
 89 | 
 90 | ### Important notes
 91 | * input path are always case INSENSITIVE
 92 | * content search on string (grep) are always case SENSITIVE
 93 | * backslashes SHOULD NOT be escaped (except with regular expressions)
 94 | For more informations, take a look at the [examples](./examples)
 95 | 
 96 | ## About this project
 97 | I initially created this project to automate fast system oriented IOC detection on a wide computer network. 
 98 | It fulfills the needs I have today. Nevertheless if you have complementary ideas, do not hesitate 
 99 | to ask for, I will see to implement them if they can be useful for everyone.
100 | On the other hand, pull request will be studied carefully.
101 | 
102 | ## Future releases
103 | I don't plan to add any additional features right now. The next release will be focused on:
104 | * Unit testing / Code testing coverage / CI
105 | * Build more examples based on live malwares tradecraft and threat actor campaigns
106 | 


--------------------------------------------------------------------------------
/README.windows-compilation.md:
--------------------------------------------------------------------------------
 1 | # Compiling instruction for _FastFinder_ on Windows
 2 | 
 3 | _FastFinder_ was originally designed for Windows platform but it's a little bit tricky to compile because it's strongly dependant of go-yara and CGO. Here's a little step by step guide: 
 4 | 
 5 | ## Before installation
 6 | 
 7 | All the installation process will be done with msys2/mingw terminal. In order to avoid any error, you have to ensure that your installation directories don't contains space or special characters. I haven't tested to install as a simple user, I strongly advise you to install everything with admin privileges on top of your c:\ drive.
 8 | 
 9 | For the configurations and examples below, my install paths are:
10 | 
11 | * GO: c:\Go
12 | * GOPATH: C:\Users\myuser\go
13 | * Msys2: c:\msys64
14 | * Git: c:\Git 
15 | 
16 | ## Install msys2 and dependencies:
17 | 
18 | First of all, note that you won't be able to get _FastFinder_ working if the dependencies are compiled with another compiler than GCC. There is currently some problems with CGO when external libraries are compiled with Visual C++, so no need to install Visual Studio or vcpkg.
19 | 
20 | * Download msys2 [from the official website](https://www.msys2.org/) and install it
21 | * there, you will find two distincts binaries shorcut "MSYS2 MSYS" and "MSYS2 MinGW 64bits". Please launch this second one.
22 | * install dependencies with the following command line: `pacman -S mingw-w64-x86_64-toolchain mingw-w64-x86_64-pkg-config base-devel openssl-devel`
23 | * add environment variables in mingw terminal: `export PATH=$PATH:/c/Go/bin:/c/msys64/mingw64/bin:/c/Git/bin`
24 | 
25 | ## Download and compile libyara
26 | 
27 | It's strongly advised NOT to clone VirusTotal's YARA repository but to download the source code of the latest release. If you compile libyara from the latest commit, it could generate some side effects when linking this library with _FastFinder_ and GCO.
28 | 
29 | * download latest VirusTotal release source code [from here](https://github.com/VirusTotal/yara/releases)
30 | * unzip the folder in a directory without space and special char
31 | * in mingw terminal, go to yara directory (backslash have to be replace with slash eg. cd c:/yara)
32 | * compile and install using the following command: `./bootstrap.sh &&./configure && make && make install`  
33 | 
34 | ## Configure your OS
35 | 
36 | With this step, you won't need to use mingw terminal anymore and you will be able to use Go to install _FastFinder_ and compile your projects directly from Windows cmd / powershell.
37 | 
38 | Make sure you have the following as system environment variables (not user env vars). If not, create them:
39 | ```
40 | GOARCH=<your-architecture> (eg. amd64)
41 | GOOS=windows
42 | CGO_CFLAGS=-IC:/msys64/mingw64/include
43 | CGO_LDFLAGS=-LC:/msys64/mingw64/lib -lyara -lcrypto
44 | PKG_CONFIG_PATH=C:/msys64/mingw64/lib/pkgconfig
45 | ```
46 | You also need C:\msys64\mingw64\bin in your system PATH env vars.
47 | 
48 | Make sure you have got the following user environment var (not system var):
49 | 
50 |     GOPATH=%USERPROFILE%\go
51 | 
52 | Note that paths must be written with slashs and not backslash. As already said, don't use path with spaces or special characters.
53 | 
54 | ## Download, Install and compile FastFinder
55 | Now, from Windows cmd or Powershell, you can install _FastFinder_: `go get github.com/codeyourweb/fastfinder`
56 | Compilation should be done with: `go build -tags yara_static -a -ldflags '-extldflags "-static"' .` 
57 | 


--------------------------------------------------------------------------------
/configuration.go:
--------------------------------------------------------------------------------
  1 | package main
  2 | 
  3 | import (
  4 | 	"bytes"
  5 | 	"fmt"
  6 | 	"io/ioutil"
  7 | 	"net/http"
  8 | 	"regexp"
  9 | 	"strings"
 10 | 
 11 | 	"gopkg.in/yaml.v3"
 12 | )
 13 | 
 14 | type ConfigurationObject struct {
 15 | 	Line int
 16 | 
 17 | 	Configuration
 18 | }
 19 | 
 20 | type Configuration struct {
 21 | 	Input              Input              `yaml:"input"`
 22 | 	Options            Options            `yaml:"options"`
 23 | 	Output             Output             `yaml:"output"`
 24 | 	AdvancedParameters AdvancedParameters `yaml:"advancedparameters"`
 25 | }
 26 | 
 27 | type Input struct {
 28 | 	Path    []string `yaml:"path"`
 29 | 	Content Content  `yaml:"content"`
 30 | }
 31 | 
 32 | type Content struct {
 33 | 	Grep     []string `yaml:"grep"`
 34 | 	Yara     []string `yaml:"yara"`
 35 | 	Checksum []string `yaml:"checksum"`
 36 | }
 37 | 
 38 | type Options struct {
 39 | 	ContentMatchDependsOnPathMatch bool `yaml:"contentMatchDependsOnPathMatch"`
 40 | 	FindInHardDrives               bool `yaml:"findInHardDrives"`
 41 | 	FindInRemovableDrives          bool `yaml:"findInRemovableDrives"`
 42 | 	FindInNetworkDrives            bool `yaml:"findInNetworkDrives"`
 43 | 	FindInCDRomDrives              bool `yaml:"findInCDRomDrives"`
 44 | }
 45 | 
 46 | type Output struct {
 47 | 	Base64Files       bool   `yaml:"base64Files"`
 48 | 	FilesCopyPath     string `yaml:"filesCopyPath"`
 49 | 	CopyMatchingFiles bool   `yaml:"copyMatchingFiles"`
 50 | }
 51 | 
 52 | type AdvancedParameters struct {
 53 | 	YaraRC4Key                       string `yaml:"yaraRC4Key"`
 54 | 	MaxScanFilesize                  int    `yaml:"maxScanFilesize"`
 55 | 	CleanMemoryIfFileGreaterThanSize int    `yaml:"cleanMemoryIfFileGreaterThanSize"`
 56 | }
 57 | 
 58 | func (i *ConfigurationObject) UnmarshalYAML(value *yaml.Node) error {
 59 | 	err := value.Decode(&i.Configuration)
 60 | 	if err != nil {
 61 | 		return err
 62 | 	}
 63 | 
 64 | 	i.Line = value.Line
 65 | 
 66 | 	return nil
 67 | }
 68 | 
 69 | func (c *Configuration) getConfiguration(configFile string) *Configuration {
 70 | 	var yamlContent []byte
 71 | 	var err error
 72 | 	configFile = strings.TrimSpace(configFile)
 73 | 
 74 | 	// configuration reading
 75 | 	if IsValidUrl(configFile) {
 76 | 		response, err := http.Get(configFile)
 77 | 		if err != nil {
 78 | 			LogFatal(fmt.Sprintf("Configuration file URL unreachable %v", err))
 79 | 		}
 80 | 		yamlContent, err = ioutil.ReadAll(response.Body)
 81 | 		if err != nil {
 82 | 			LogFatal(fmt.Sprintf("Configuration file URL content unreadable %v", err))
 83 | 		}
 84 | 		response.Body.Close()
 85 | 	} else {
 86 | 		yamlContent, err = ioutil.ReadFile(configFile)
 87 | 		if err != nil {
 88 | 			LogFatal(fmt.Sprintf("Configuration file reading error %v ", err))
 89 | 		}
 90 | 	}
 91 | 
 92 | 	// ciphered yaml file
 93 | 	if !bytes.Contains(yamlContent, []byte("input")) {
 94 | 		yamlContent = RC4Cipher(yamlContent, BUILDER_RC4_KEY)
 95 | 	}
 96 | 
 97 | 	var o ConfigurationObject
 98 | 	err = yaml.Unmarshal(yamlContent, &o)
 99 | 
100 | 	if err != nil {
101 | 		LogFatal(fmt.Sprintf("%s - %v", configFile, err))
102 | 	}
103 | 
104 | 	*c = o.Configuration
105 | 
106 | 	// check for specific user configuration params inconsistencies
107 | 	if len(c.Input.Path) == 0 || (len(c.Input.Content.Grep) == 0 && len(c.Input.Content.Yara) == 0 && len(c.Input.Content.Checksum) == 0) {
108 | 		c.Options.ContentMatchDependsOnPathMatch = false
109 | 	}
110 | 
111 | 	if !c.Output.CopyMatchingFiles {
112 | 		c.Output.Base64Files = false
113 | 		c.Output.FilesCopyPath = ""
114 | 	}
115 | 
116 | 	// check for missing advanced parameters
117 | 	if c.AdvancedParameters.MaxScanFilesize == 0 {
118 | 		c.AdvancedParameters.MaxScanFilesize = 2048
119 | 	}
120 | 
121 | 	if c.AdvancedParameters.CleanMemoryIfFileGreaterThanSize == 0 {
122 | 		c.AdvancedParameters.CleanMemoryIfFileGreaterThanSize = 512
123 | 	}
124 | 
125 | 	// parsing input paths
126 | 	environmentVariables := GetEnvironmentVariables()
127 | 
128 | 	for i := 0; i < len(c.Input.Path); i++ {
129 | 		// replace environment variables
130 | 		for _, env := range environmentVariables {
131 | 			if strings.Contains(strings.ToLower(c.Input.Path[i]), "%"+strings.ToLower(env.Name)+"%") {
132 | 				c.Input.Path[i] = strings.Replace(c.Input.Path[i], "%"+env.Name+"%", env.Value, -1)
133 | 			}
134 | 		}
135 | 
136 | 		// handle regex and simple find strings
137 | 		if c.Input.Path[i][0] != '/' || c.Input.Path[i][len(c.Input.Path[i])-1] != '/' {
138 | 			c.Input.Path[i] = regexp.QuoteMeta(strings.ToLower(c.Input.Path[i]))
139 | 			// use regular expression ".+" for "*" search pattern
140 | 			if strings.Contains(strings.ToLower(c.Input.Path[i]), "\\*") {
141 | 				c.Input.Path[i] = strings.Replace(c.Input.Path[i], "\\*", "[^\\\\]+", -1)
142 | 			}
143 | 
144 | 			if strings.Contains(strings.ToLower(c.Input.Path[i]), "\\\\[^\\\\]+") {
145 | 				c.Input.Path[i] = strings.Replace(c.Input.Path[i], "\\\\[^\\\\]+", "[^\\\\]+", -1)
146 | 			}
147 | 
148 | 			if strings.Contains(strings.ToLower(c.Input.Path[i]), "\\?") {
149 | 				c.Input.Path[i] = strings.Replace(c.Input.Path[i], "\\?", ".", -1)
150 | 			}
151 | 		} else {
152 | 			c.Input.Path[i] = strings.Trim(c.Input.Path[i], "/")
153 | 		}
154 | 
155 | 	}
156 | 
157 | 	// normalize checksums
158 | 	for i := 0; i < len(c.Input.Content.Checksum); i++ {
159 | 		c.Input.Content.Checksum[i] = strings.ToLower(c.Input.Content.Checksum[i])
160 | 	}
161 | 
162 | 	return c
163 | }
164 | 


--------------------------------------------------------------------------------
/examples/CISA-AA21-259A/CISA-AA21-259A.yaml:
--------------------------------------------------------------------------------
 1 | # APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus (CVE-2021-40539)
 2 | # search for:
 3 | #   - msiexec.exe in "MagageEngine" directory or subdirectory
 4 | #   - OR *.bat file in %PUBLIC% directory
 5 | #   - OR any file starting by "custom." in %PUBLIC% directory
 6 | #   - OR any file matching one of the two specified yara rules
 7 | #   - OR any file matching one of the specified sha256 hash
 8 | # reference:
 9 | #   - https://www.cisa.gov/uscert/ncas/alerts/aa21-259a
10 | #   - https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/
11 | input:
12 |     path:
13 |       - '/(?i)\\ManageEngine\\.+msiexec\.exe$/'
14 |       - '%PUBLIC%\\*.bat'
15 |       - '%PUBLIC%\custom\*'
16 |     content:
17 |         grep: []
18 |         yara: 
19 |          - 'EncryptJSP.yar'
20 |          - 'ReportGenerate_jsp.yar'
21 |         checksum:
22 |          - '068d1b3813489e41116867729504c40019ff2b1fe32aab4716d429780e666324'
23 |          - '49a6f77d380512b274baff4f78783f54cb962e2a8a5e238a453058a351fcfbba'
24 |          - 'ecd8c9967b0127a12d6db61964a82970ee5d38f82618d5db4d8eddbb3b5726b7'
25 |          - '67ee552d7c1d46885b91628c603f24b66a9755858e098748f7e7862a71baa015'
26 | options:
27 |     contentMatchDependsOnPathMatch: false
28 |     findInHardDrives: true
29 |     findInRemovableDrives: false
30 |     findInNetworkDrives: false
31 |     findInCDRomDrives: false
32 | output:
33 |     copyMatchingFiles: false
34 |     base64Files: false
35 |     filesCopyPath: ''


--------------------------------------------------------------------------------
/examples/CISA-AA21-259A/EncryptJSP.yar:
--------------------------------------------------------------------------------
 1 | rule EncryptJSP {
 2 |    strings:
 3 |       $s1 = "AEScrypt"
 4 |       $s2 = "AES/CBC/PKCS5Padding"
 5 |       $s3 = "SecretKeySpec"
 6 |       $s4 = "FileOutputStream"
 7 |       $s5 = "getParameter"
 8 |       $s6 = "new ProcessBuilder"
 9 |       $s7 = "new BufferedReader"
10 |       $s8 = "readLine()"
11 |    condition:
12 |       filesize < 15KB and 6 of them
13 | }


--------------------------------------------------------------------------------
/examples/CISA-AA21-259A/ReportGenerate_jsp.yar:
--------------------------------------------------------------------------------
 1 | rule ReportGenerate_jsp {
 2 |    strings:
 3 |       $s1 = "decrypt(fpath)"
 4 |       $s2 = "decrypt(fcontext)"
 5 |       $s3 = "decrypt(commandEnc)"
 6 |       $s4 = "upload failed!"
 7 |       $s5 = "sevck"
 8 |       $s6 = "newid"
 9 |    condition:
10 |       filesize < 15KB and 4 of them
11 | }


--------------------------------------------------------------------------------
/examples/example_configuration_api_triage.yaml:
--------------------------------------------------------------------------------
 1 | input:
 2 |     path: []
 3 |     content:
 4 |         grep: []
 5 |         yara:
 6 |           - './examples/example_windows_api_triage.yar'
 7 |         checksum: []
 8 | options:
 9 |     contentMatchDependsOnPathMatch: false
10 |     findInHardDrives: true
11 |     findInRemovableDrives: false
12 |     findInNetworkDrives: false
13 |     findInCDRomDrives: false
14 | output:
15 |     copyMatchingFiles: false
16 |     base64Files: false
17 |     filesCopyPath: ''


--------------------------------------------------------------------------------
/examples/example_configuration_distant.yaml:
--------------------------------------------------------------------------------
 1 | input:
 2 |     path:
 3 |       - '*.exe'
 4 |     content:
 5 |         grep: []
 6 |         yara:
 7 |           - 'https://bit.ly/3dKRPnF'
 8 |         checksum: []
 9 | options:
10 |     contentMatchDependsOnPathMatch: true
11 |     findInHardDrives: true
12 |     findInRemovableDrives: false
13 |     findInNetworkDrives: false
14 |     findInCDRomDrives: false
15 | output:
16 |     copyMatchingFiles: false
17 |     base64Files: false
18 |     filesCopyPath: ''


--------------------------------------------------------------------------------
/examples/example_configuration_linux.yaml:
--------------------------------------------------------------------------------
 1 | input:
 2 |     path: []
 3 |     content:
 4 |         grep: []
 5 |         yara:
 6 |           - './examples/example_rule_linux.yar'
 7 |         checksum:
 8 |          - 'bf1cde9c94c301cdc3b5486f2f3fe66b'
 9 |          - '41ba1bd49cb22466e422098d184bd4267ef9529e'
10 |          - 'e875b1185577ff872fbaabde481cc196af03745c530403c8303f00fe35859bf7'
11 | options:
12 |     contentMatchDependsOnPathMatch: false
13 |     findInHardDrives: true
14 |     findInRemovableDrives: false
15 |     findInNetworkDrives: false
16 |     findInCDRomDrives: false
17 | output:
18 |     copyMatchingFiles: false
19 |     base64Files: false
20 |     filesCopyPath: ''
21 | 


--------------------------------------------------------------------------------
/examples/example_configuration_windows.yaml:
--------------------------------------------------------------------------------
 1 | input:
 2 |     path:
 3 |       - '%APPDATA%\\*.exe'
 4 |       - 'TEMP\\*.exe'
 5 |       - 'Windows\SysWOW64\cm*.exe'
 6 |       - 'Windows\System32\notepad\*'
 7 |       - '/temp\\\{[a-f0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\}\\\w+\.exe$/'
 8 |     content:
 9 |         grep:
10 |           - 'fastfinder.exe'
11 |         yara:
12 |           - './examples/example_rule_windows.yar'
13 |         checksum:
14 |          - 'c4884dadc3680439e30bf48ae0ca7048'
15 |          - '7A320D69E436911A9EAF676D8C2B6A22580BF79F'
16 |          - 'A4AF9EF6E345B3B4EA50DDE672A986C14F9A195E407EBAC36B1652AACC10E3EE'
17 | options:
18 |     contentMatchDependsOnPathMatch: false
19 |     findInHardDrives: true
20 |     findInRemovableDrives: false
21 |     findInNetworkDrives: false
22 |     findInCDRomDrives: false
23 | output:
24 |     copyMatchingFiles: false
25 |     base64Files: false
26 |     filesCopyPath: ''


--------------------------------------------------------------------------------
/examples/example_rule_linux.yar:
--------------------------------------------------------------------------------
 1 | rule fastfinder_example{
 2 | 	meta:
 3 | 		name = "fastfinder_example"
 4 | 		description = "Example of fastfinder yara match (on legitimate linux 'more' binary)"
 5 | 		reference = "https://github.com/codeyourweb/fastfinder"
 6 | 	strings:
 7 | 		$str1 = "GNU"
 8 | 		$str3 = "--More--"
 9 | 		$str4 = "file perusal filter for CRT viewing"
10 | 		$str5 = "Press 'h' for instructions"
11 | 		$op = { ba 05 00 00 00 31 ff 4? 8d 35 ?? ?? ?? ?? e8 ?? ?? ?? ?? 4? 89 ee 4? 89 c7 e8 ?? ?? ?? ?? ba 05 00 00 00 31 ff 4? 8d 35 ?? ?? ?? ?? e8 ?? ?? ?? ??}
12 | 	condition:
13 | 		uint16(0) == 0x457f and all of them 
14 | }


--------------------------------------------------------------------------------
/examples/example_rule_windows.yar:
--------------------------------------------------------------------------------
 1 | rule fastfinder_example{
 2 | 	meta:
 3 | 		name = "fastfinder_example"
 4 | 		description = "Example of fastfinder yara match (on legitimate nslookup.exe)"
 5 | 		reference = "https://github.com/codeyourweb/fastfinder"
 6 | 	strings:
 7 | 		$str1 = "nslookup.exe" wide ascii
 8 | 		$str3 = "nslookup.pdb"
 9 | 		$str4 = "getaddrinfo"
10 | 		$str5 = "/.nslookuprc"
11 | 	condition:
12 | 		uint16(0) == 0x5a4d and all of them
13 | }


--------------------------------------------------------------------------------
/examples/linux-fontonlake/eset_fontonlake_linux.yaml:
--------------------------------------------------------------------------------
 1 | # FontOnLake is a malware family utilizing well-designed custom modules that are constantly under
 2 | # development It targets systems running Linux and provides remote access to those systems for its
 3 | # operators, collects credentials, and serves as a proxy server Its presence is always accompanied by a
 4 | #rootkit, which conceals its existence
 5 | #
 6 | # search for:
 7 | #   - one of the three specified file paths
 8 | #   - OR any file matching the specified sha1 hash
 9 | # reference:
10 | #   - https://www.welivesecurity.com/wp-content/uploads/2021/10/eset_fontonlake.pdf
11 | input:
12 |     path:
13 |       - '/lib/modules/\*/kernel/drivers/input/misc/ati_remote3.ko'
14 |       - '/etc/sysconfig/modules/ati_remote3.modules'
15 |       - '/tmp/.tmp_\*'
16 |     content:
17 |         grep: []
18 |         yara: []
19 |         checksum:
20 |          - '1f52db8e3fc3040c017928f5ffd99d9fa4757bf8'
21 |          - '771340752985dd8e84cf3843c9843ef7a76a39e7'
22 |          - '27e868c0505144f0708170df701d7c1ae8e1faea'
23 |          - '45e94abedad8c0044a43ff6d72a5c44c6abd9378'
24 |          - '1829b0e34807765f2b254ea5514d7bb587aeca3f'
25 |          - '8d6aca824d1a717ae908669e356e2d4bb6f857b0'
26 |          - '38b09d690fafe81e964cbd45ec7cf20dcb296b4d'
27 |          - '56556a53741111c04853a5e84744807eeadff63a'
28 |          - 'fe26cb98aa1416a8b1f6ced4ac1b5400517257b2'
29 |          - 'd4e0e38ec69cbb71475d8a22edb428c3e955a5ea'
30 |          - '204046b3279b487863738ddb17cbb6718af2a83a'
31 |          - '9c803d1e39f335f213f367a84d3df6150e5fe172'
32 |          - 'bfcc4e6628b63c92bc46219937ea7582ea6fbb41'
33 |          - '515cfb5cb760d3a1da31e9f906ea7f84f17c5136'
34 |          - 'a9ed0837e3af698906b229ca28b988010bcd5dc1'
35 |          - '56cb85675fe7a7896f0aa5365ff391ac376d9953'
36 |          - '72c9c5ce50a38d0a2b9cef6adeab1008bff12496'
37 |          - 'b439a503d68ad7164e0f32b03243a593312040f8'
38 |          - 'e7bf0a35c2cd79a658615e312d35bbcff9782672'
39 |          - '56580e7ba6bf26d878c538985a6dc62ca094cd04'
40 |          - '49d4e5fcd3a3018a88f329ae47ef4c87c6a2d27a'
41 |          - '74d44c2949da7d5164adec78801733680da8c110'
42 |          - '74d755e8566340a752b1db603ef468253adab6bd'
43 |          - 'e20f87497023e3454b5b1a22fe6c5a5501eae2cb'
44 |          - '6f43c598cd9e63f550ff4e6ef51500e47d0211f3'
45 | options:
46 |     contentMatchDependsOnPathMatch: false
47 |     findInHardDrives: true
48 |     findInRemovableDrives: false
49 |     findInNetworkDrives: false
50 |     findInCDRomDrives: false
51 | output:
52 |     copyMatchingFiles: false
53 |     base64Files: false
54 |     filesCopyPath: ''


--------------------------------------------------------------------------------
/examples/log4j_vuln_checker/config-log4j_vuln_checker.yaml:
--------------------------------------------------------------------------------
 1 | # scan local Java software installations for known instances of vulnerable #log4j 1.x and 2.x versions
 2 | # CVE-2019-17571, CVE-2021-44228
 3 | input:
 4 |     path:
 5 |       - '*.jar'
 6 |       - '*.class'
 7 |     content:
 8 |         grep: []
 9 |         yara: []
10 |         checksum:
11 |           - '39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8' # log4j 2.0-rc1 JndiLookup.class
12 |           - 'a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2' # log4j 2.0-rc2 JndiLookup.class
13 |           - '964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e' # log4j 2.0.1 JndiLookup.class
14 |           - '9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c' # log4j 2.0.2 JndiLookup.class
15 |           - 'fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29' # log4j 2.0 JndiLookup.class
16 |           - '03c77cca9aeff412f46eaf1c7425669e37008536dd52f1d6f088e80199e4aae7' # log4j 2.4-2.11.2 JndiManager$1.class
17 |           - '1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32' # log4j 2.7-2.8.1 JndiManager.class
18 |           - '1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de' # log4j 2.12.0-2.12.1 JndiManager.class
19 |           - '293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6' # log4j 2.9.0-2.11.2 JndiManager.class
20 |           - '3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7' # log4j 2.4-2.5 JndiManager.class
21 |           - '547883afa0aa245321e6b1aaced24bc10d73d5af4974d951e2bd53b017e2d4ab' # log4j 2.14.0-2.14.1 JndiManager$JndiManagerFactory.class
22 |           - '620a713d908ece7fb09b7d34c2b0461e1c366704da89ea20eb78b73116c77f23' # log4j 2.1-2.3 JndiManager$1.class
23 |           - '632a69aef3bc5012f61093c3d9b92d6170fdc795711e9fed7f5388c36e3de03d' # log4j 2.8.2 JndiManager$JndiManagerFactory.class
24 |           - '635ccd3aaa429f3fea31d84569a892b96a02c024c050460d360cc869bcf45840' # log4j 2.9.1-2.10.0 JndiManager$JndiManagerFactory.class
25 |           - '6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246' # log4j 2.6-2.6.2 JndiManager.class
26 |           - '764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407' # log4j 2.8.2 JndiManager.class
27 |           - '77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6' # log4j 2.14.0-2.14.1 JndiManager.class
28 |           - '8abaebc4d09926cd12b5269c781b64a7f5a57793c54dc1225976f02ba58343bf' # log4j 2.13.0-2.13.3 JndiManager$JndiManagerFactory.class
29 |           - '914a64f23e2bcc1ae166af645a21f71f18ad6be8282001ec10b3e45b37064c99' # log4j 2.13.0-2.15.0 JndiManager$1.class
30 |           - '91e58af100aface711700562b5002c5d397fb35d2a95d5704db41461ac1ad8fd' # log4j 2.1-2.3 JndiManager$JndiManagerFactory.class
31 |           - 'ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c' # log4j 2.1-2.3 JndiManager.class
32 |           - 'aec7ea2daee4d6468db2df25597594957a06b945bcb778bbcd5acc46f17de665' # log4j 2.4-2.6.2 JndiManager$JndiManagerFactory.class
33 |           - 'b8af4230b9fb6c79c5bf2e66a5de834bc0ebec4c462d6797258f5d87e356d64b' # log4j 2.7-2.8.1 JndiManager$JndiManagerFactory.class
34 |           - 'c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078' # log4j 2.13.0-2.13.3 JndiManager.class
35 |           - 'e4906e06c4e7688b468524990d9bb6460d6ef31fe938e01561f3f93ab5ca25a6' # log4j 2.8.2-2.12.0 JndiManager$1.class
36 |           - 'fe15a68ef8a75a3f9d3f5843f4b4a6db62d1145ef72937ed7d6d1bbcf8ec218f' # log4j 2.12.0-2.12.1 JndiManager$JndiManagerFactory.class
37 |           - '6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d' # log4j 1.2.4 SocketNode.class
38 |           - '3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0' # log4j 1.2.6-1.2.9 SocketNode.class
39 |           - 'bee4a5a70843a981e47207b476f1e705c21fc90cb70e95c3b40d04a2191f33e9' # log4j 1.2.8  SocketNode.class
40 |           - '7b996623c05f1a25a57fb5b43c519c2ec02ec2e647c2b97b3407965af928c9a4' # log4j 1.2.15 SocketNode.class
41 |           - '688a3dadfb1c0a08fb2a2885a356200eb74e7f0f26a197d358d74f2faf6e8f46' # log4j 1.2.16 SocketNode.class
42 |           - '8ef0ebdfbf28ec14b2267e6004a8eea947b4411d3c30d228a7b48fae36431d74' # log4j 1.2.17 SocketNode.class
43 |           - 'd778227b779f8f3a2850987e3cfe6020ca26c299037fdfa7e0ac8f81385963e6' # log4j 1.2.11 SocketNode.class
44 |           - 'ed5d53deb29f737808521dd6284c2d7a873a59140e702295a80bd0f26988f53a' # log4j 1.2.5 SocketNode.class
45 |           - 'f3b815a2b3c74851ff1b94e414c36f576fbcdf52b82b805b2e18322b3f5fc27c' # log4j 1.2.12 SocketNode.class
46 |           - 'fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7' # log4j 1.2.13-1.2.14 SocketNode.class
47 | options:
48 |     contentMatchDependsOnPathMatch: true
49 |     findInHardDrives: true
50 |     findInRemovableDrives: false
51 |     findInNetworkDrives: false
52 |     findInCDRomDrives: false
53 | output:
54 |     copyMatchingFiles: false
55 |     base64Files: false
56 |     filesCopyPath: ''


--------------------------------------------------------------------------------
/examples/proxyshell/drophell.yaml:
--------------------------------------------------------------------------------
 1 | # Proxyshell exploitation - DropHell malware
 2 | # search for:
 3 | #   - *.exe or *.aspx in a "ZING" directory or subdirectory
 4 | #   - OR aspx webshell in Page_Load function
 5 | #   - OR any of the specified sha256 hash
 6 | # reference:
 7 | #   - https://twitter.com/DeepInstinctSec/status/1450129546125131780
 8 | #   - https://www.deepinstinct.com/blog/do-not-exchange-it-has-a-shell-inside
 9 | #   - https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit
10 | input:
11 |     path:
12 |       - '/(?i)\\ZING\\.+(\.(exe)|(aspx))$/'
13 |     content:
14 |         grep: 
15 |          - '<script language="JScript" runat="server">function Page_Load(){eval(Request["'
16 |         yara: []
17 |         checksum:
18 |          - '742fd14cd1d53e3bd7a38e7f90956b3dc4185c2a31fccd0afc673cb98bbbefe6'
19 |          - '8f5156a457e287c2c60239d243fa8781fedb69b85b86f15e04b43b96abc53bc4'
20 |          - 'eb17d105dd5132ada75485963e6dbb344b0fe3109a9a583cebc0bf1795352185'
21 |          - '1f6aa7ddfc249e7a7f4c9fa2dadee249009f4d20676c3c09effe23dbe81c3be3'
22 | options:
23 |     contentMatchDependsOnPathMatch: false
24 |     findInHardDrives: true
25 |     findInRemovableDrives: false
26 |     findInNetworkDrives: false
27 |     findInCDRomDrives: false
28 | output:
29 |     copyMatchingFiles: false
30 |     base64Files: false
31 |     filesCopyPath: ''


--------------------------------------------------------------------------------
/finder.go:
--------------------------------------------------------------------------------
  1 | package main
  2 | 
  3 | import (
  4 | 	"archive/zip"
  5 | 	"crypto/md5"
  6 | 	"crypto/sha1"
  7 | 	"crypto/sha256"
  8 | 	"fmt"
  9 | 	"io/ioutil"
 10 | 	"runtime/debug"
 11 | 	"strings"
 12 | 	"time"
 13 | 
 14 | 	"github.com/dlclark/regexp2"
 15 | 	"github.com/h2non/filetype"
 16 | 	"github.com/h2non/filetype/types"
 17 | 	"github.com/hillu/go-yara/v4"
 18 | )
 19 | 
 20 | // PathsFinder try to match regular expressions in file paths slice
 21 | func PathsFinder(files *[]string, patterns []*regexp2.Regexp) *[]string {
 22 | 	InitProgressbar(int64(len(*files)))
 23 | 	var matchingFiles []string
 24 | 	for _, expression := range patterns {
 25 | 		for _, f := range *files {
 26 | 			ProgressBarStep()
 27 | 			if match, _ := expression.MatchString(f); match {
 28 | 				matchingFiles = append(matchingFiles, f)
 29 | 			}
 30 | 		}
 31 | 	}
 32 | 
 33 | 	return &matchingFiles
 34 | }
 35 | 
 36 | // FindInFiles check for pattern or checksum match in files slice
 37 | func FindInFilesContent(files *[]string, patterns []string, rules *yara.Rules, hashList []string, triageMode bool, maxScanFilesize int, cleanMemoryIfFileGreaterThanSize int) *[]string {
 38 | 	var matchingFiles []string
 39 | 
 40 | 	InitProgressbar(int64(len(*files)))
 41 | 	for _, path := range *files {
 42 | 		ProgressBarStep()
 43 | 		b, err := ioutil.ReadFile(path)
 44 | 		if err != nil {
 45 | 			if triageMode {
 46 | 				time.Sleep(500 * time.Millisecond)
 47 | 				b, err = ioutil.ReadFile(path)
 48 | 				if err != nil {
 49 | 					LogMessage(LOG_ERROR, "(ERROR)", "Unable to read file", path)
 50 | 					continue
 51 | 				}
 52 | 			} else {
 53 | 				LogMessage(LOG_ERROR, "(ERROR)", "Unable to read file", path)
 54 | 				continue
 55 | 			}
 56 | 
 57 | 		}
 58 | 
 59 | 		// cancel analysis if file size is greater than maxScanFilesize
 60 | 		if len(b) > 1024*1024*maxScanFilesize {
 61 | 			LogMessage(LOG_ERROR, "(ERROR)", fmt.Sprintf("File %s size is greater than %dMb, skipping", path, maxScanFilesize))
 62 | 			continue
 63 | 		}
 64 | 
 65 | 		// get file type
 66 | 		filetype, err := filetype.Match(b)
 67 | 		if err != nil {
 68 | 			filetype = types.Unknown
 69 | 		}
 70 | 
 71 | 		// handle file content and checksum match
 72 | 		for _, m := range CheckFileChecksumAndContent(path, b, hashList, patterns) {
 73 | 			if !Contains(matchingFiles, m) {
 74 | 				LogMessage(LOG_ALERT, "(ALERT)", "File content match on:", path)
 75 | 				matchingFiles = append(matchingFiles, m)
 76 | 			}
 77 | 		}
 78 | 
 79 | 		// yara scan on file content
 80 | 		if rules != nil && len(rules.GetRules()) > 0 {
 81 | 			yaraResult, err := PerformYaraScan(&b, rules)
 82 | 			if err != nil {
 83 | 				LogMessage(LOG_ERROR, "(ERROR)", "Error performing yara scan on", path, err)
 84 | 				continue
 85 | 			}
 86 | 
 87 | 			if len(yaraResult) > 0 && !Contains(matchingFiles, path) {
 88 | 				matchingFiles = append(matchingFiles, path)
 89 | 			}
 90 | 
 91 | 			// output yara match results
 92 | 			for i := 0; i < len(yaraResult); i++ {
 93 | 				LogMessage(LOG_ALERT, "(ALERT)", "YARA match:")
 94 | 				LogMessage(LOG_ALERT, " | path:", path)
 95 | 				LogMessage(LOG_ALERT, " | rule namespace:", yaraResult[i].Namespace)
 96 | 				LogMessage(LOG_ALERT, " | rule name:", yaraResult[i].Rule)
 97 | 			}
 98 | 		}
 99 | 
100 | 		// if file type is an archive, extract and calculate checksum for every file inside
101 | 		if Contains([]string{"application/x-tar", "application/x-7z-compressed", "application/zip", "application/vnd.rar"}, filetype.MIME.Value) {
102 | 			zr, err := zip.OpenReader(path)
103 | 			if err != nil {
104 | 				LogMessage(LOG_ERROR, "(ERROR)", "Cant't open archive file:", path)
105 | 				continue
106 | 			}
107 | 
108 | 			for _, subFile := range zr.File {
109 | 				fr, err := subFile.Open()
110 | 				if err != nil {
111 | 					LogMessage(LOG_ERROR, "(ERROR)", "Can't open archive file member for reading:", path, subFile.Name)
112 | 					continue
113 | 				}
114 | 				defer fr.Close()
115 | 
116 | 				body, err := ioutil.ReadAll(fr)
117 | 				if err != nil {
118 | 					LogMessage(LOG_ERROR, "(ERROR)", "Unable to read file archive member:", path, subFile.Name)
119 | 					continue
120 | 				}
121 | 
122 | 				// handle file content and checksum match for each file in the archive
123 | 				for _, m := range CheckFileChecksumAndContent(path, body, hashList, patterns) {
124 | 					if !Contains(matchingFiles, m) {
125 | 						LogMessage(LOG_ALERT, "(ALERT)", "File content match on:", path)
126 | 						matchingFiles = append(matchingFiles, m)
127 | 					}
128 | 				}
129 | 
130 | 				// yara scan
131 | 				yaraResult, err := PerformYaraScan(&body, rules)
132 | 				if err != nil {
133 | 					LogMessage(LOG_ERROR, "(ERROR)", "Error performing yara scan on", path, err)
134 | 				}
135 | 
136 | 				// output yara match results
137 | 				for i := 0; i < len(yaraResult); i++ {
138 | 					LogMessage(LOG_ALERT, "(ALERT)", "YARA match:")
139 | 					LogMessage(LOG_ALERT, " | path:", path, "("+subFile.Name+")")
140 | 					LogMessage(LOG_ALERT, " | rule namespace:", yaraResult[i].Namespace)
141 | 					LogMessage(LOG_ALERT, " | rule name:", yaraResult[i].Rule)
142 | 					for j := 0; j < len(yaraResult[i].Strings); j++ {
143 | 						LogMessage(LOG_VERBOSE, " | ", "name:", yaraResult[i].Strings[j].Name, fmt.Sprintf("\"%s\"", yaraResult[i].Strings[j].Data), "offset:", yaraResult[i].Strings[j].Offset)
144 | 					}
145 | 				}
146 | 			}
147 | 		}
148 | 
149 | 		// cleaning memory if file size is greater than cleanMemoryIfFileGreaterThanSize
150 | 		if len(b) > 1024*1024*cleanMemoryIfFileGreaterThanSize {
151 | 			debug.FreeOSMemory()
152 | 		}
153 | 	}
154 | 
155 | 	return &matchingFiles
156 | }
157 | 
158 | // CheckFileChecksumAndContent check for pattern or checksum match in files slice
159 | func CheckFileChecksumAndContent(path string, content []byte, hashList []string, patterns []string) (matchingFiles []string) {
160 | 	// compare file checksum with hashList
161 | 	if len(hashList) > 0 {
162 | 		matchingFiles = append(matchingFiles, checkForChecksum(path, content, hashList)...)
163 | 	}
164 | 
165 | 	// compare file content with patterns
166 | 	if len(patterns) > 0 {
167 | 		matchingFiles = append(matchingFiles, checkForStringPattern(path, content, patterns)...)
168 | 	}
169 | 
170 | 	return matchingFiles
171 | }
172 | 
173 | // checkForChecksum calculate content checksum and check if it is in hashlist
174 | func checkForChecksum(path string, content []byte, hashList []string) (matchingFiles []string) {
175 | 	var hashs []string
176 | 	hashs = append(hashs, fmt.Sprintf("%x", md5.Sum(content)))
177 | 	hashs = append(hashs, fmt.Sprintf("%x", sha1.Sum(content)))
178 | 	hashs = append(hashs, fmt.Sprintf("%x", sha256.Sum256(content)))
179 | 
180 | 	for _, c := range hashs {
181 | 		if Contains(hashList, c) && !Contains(matchingFiles, path) {
182 | 			matchingFiles = append(matchingFiles, path)
183 | 		}
184 | 	}
185 | 
186 | 	return matchingFiles
187 | }
188 | 
189 | // checkForStringPattern check if file content matches any specified pattern
190 | func checkForStringPattern(path string, content []byte, patterns []string) (matchingFiles []string) {
191 | 	for _, expression := range patterns {
192 | 		if strings.Contains(string(content), expression) {
193 | 			matchingFiles = append(matchingFiles, path)
194 | 		}
195 | 	}
196 | 	return matchingFiles
197 | }
198 | 


--------------------------------------------------------------------------------
/finder_test.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"testing"
 5 | 
 6 | 	"github.com/dlclark/regexp2"
 7 | 	"github.com/hillu/go-yara/v4"
 8 | )
 9 | 
10 | func TestFindInFilesContent(t *testing.T) {
11 | 	p := []string{"TestFindInFilesContent"}
12 | 	r1 := checkForStringPattern("", []byte(p[0]), p)
13 | 	r2 := CheckFileChecksumAndContent("", []byte(p[0]), []string{}, p)
14 | 	if len(r1) != 1 || len(r2) != 1 {
15 | 		t.Fatal("checkForStringPattern or CheckFileChecksumAndContent doesn't match content in files")
16 | 	}
17 | }
18 | 
19 | func TestFindFileChecksum(t *testing.T) {
20 | 	p := []string{"TestFindInFilesContent"}
21 | 	r1 := checkForChecksum("", []byte(p[0]), []string{"98073143a031423fd912da2c646d4aeb"})
22 | 	r2 := checkForChecksum("", []byte(p[0]), []string{"7c6c8c4e28098e526be3ad183343a9868515d84e"})
23 | 	r3 := checkForChecksum("", []byte(p[0]), []string{"3f0cc1212847f71146ee33e1e879588c328348aa0c0327c6ef4e0cfb13114cb8"})
24 | 
25 | 	if len(r1) != 1 || len(r2) != 1 || len(r3) != 1 {
26 | 		t.Fatal("checkForChecksum fails find hash in content")
27 | 	}
28 | 
29 | 	r4 := CheckFileChecksumAndContent("", []byte(p[0]), []string{"98073143a031423fd912da2c646d4aeb"}, []string{})
30 | 	r5 := CheckFileChecksumAndContent("", []byte(p[0]), []string{"7c6c8c4e28098e526be3ad183343a9868515d84e"}, []string{})
31 | 	r6 := CheckFileChecksumAndContent("", []byte(p[0]), []string{"3f0cc1212847f71146ee33e1e879588c328348aa0c0327c6ef4e0cfb13114cb8"}, []string{})
32 | 
33 | 	if len(r4) != 1 || len(r5) != 1 || len(r6) != 1 {
34 | 		t.Fatal("CheckFileChecksumAndContent fails using checkForChecksum and matchs hash in content")
35 | 	}
36 | }
37 | 
38 | func TestFindWithYARA(t *testing.T) {
39 | 	compiler, err := yara.NewCompiler()
40 | 	if err != nil {
41 | 		t.Fatal("Fail to instanciate YARA compiler")
42 | 	}
43 | 
44 | 	compiler.AddString("rule testing{\r\n\tstrings:\r\n\t\t$ = \"TestFindInFilesContent\"\r\n\tcondition:\r\n\t\tall of them\r\n}", "testing")
45 | 	r, err := compiler.GetRules()
46 | 	if err != nil {
47 | 		t.Fatal("Fail to compile YARA rules")
48 | 	}
49 | 
50 | 	p := []byte("TestFindInFilesContent")
51 | 	r1, err := PerformYaraScan(&p, r)
52 | 	if err != nil || len(r1) != 1 {
53 | 		t.Fatal("PerformYaraScan fails to find string with YARA")
54 | 	}
55 | 
56 | 	f := []string{"finder_test.go"}
57 | 	r2 := *FindInFilesContent(&f, []string{}, r, []string{}, false, 512, 512)
58 | 	if len(r2) != 1 {
59 | 		t.Fatal("FindInFilesContent fails to return YARA match")
60 | 	}
61 | }
62 | 
63 | func TestPathMatching(t *testing.T) {
64 | 	var re []*regexp2.Regexp
65 | 	f := []string{"finder_test.go"}
66 | 	re = append(re, regexp2.MustCompile("finder_test\\.go", regexp2.IgnoreCase))
67 | 	r1 := PathsFinder(&f, re)
68 | 
69 | 	if len(*r1) != 1 {
70 | 		t.Fatal("PathsFinder fails to match path with regex")
71 | 	}
72 | }
73 | 


--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
 1 | module github.com/codeyourweb/fastfinder
 2 | 
 3 | go 1.17
 4 | 
 5 | require (
 6 | 	github.com/akamensky/argparse v1.3.1
 7 | 	github.com/gen2brain/go-unarr v0.1.2
 8 | 	github.com/h2non/filetype v1.1.3
 9 | 	github.com/hillu/go-yara/v4 v4.1.0
10 | 	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9
11 | 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
12 | )
13 | 
14 | require (
15 | 	github.com/dlclark/regexp2 v1.4.0
16 | 	github.com/fsnotify/fsnotify v1.5.1
17 | 	github.com/gdamore/tcell/v2 v2.4.1-0.20210905002822-f057f0a857a1
18 | 	github.com/rivo/tview v0.0.0-20220106183741-90d72bc664f5
19 | 	github.com/schollz/progressbar/v3 v3.8.3
20 | )
21 | 
22 | require (
23 | 	github.com/gdamore/encoding v1.0.0 // indirect
24 | 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
25 | 	github.com/mattn/go-runewidth v0.0.13 // indirect
26 | 	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
27 | 	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
28 | 	github.com/rivo/uniseg v0.2.0 // indirect
29 | 	github.com/stretchr/testify v1.5.1 // indirect
30 | 	golang.org/x/crypto v0.0.0-20211202192323-5770296d904e // indirect
31 | 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
32 | 	golang.org/x/text v0.3.6 // indirect
33 | 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
34 | 	gopkg.in/yaml.v2 v2.2.8 // indirect
35 | )
36 | 


--------------------------------------------------------------------------------
/go.sum:
--------------------------------------------------------------------------------
 1 | github.com/akamensky/argparse v1.3.1 h1:kP6+OyvR0fuBH6UhbE6yh/nskrDEIQgEA1SUXDPjx4g=
 2 | github.com/akamensky/argparse v1.3.1/go.mod h1:S5kwC7IuDcEr5VeXtGPRVZ5o/FdhcMlQz4IZQuw64xA=
 3 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 4 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 5 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 6 | github.com/dlclark/regexp2 v1.4.0 h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E=
 7 | github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
 8 | github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI=
 9 | github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU=
10 | github.com/gdamore/encoding v1.0.0 h1:+7OoQ1Bc6eTm5niUzBa0Ctsh6JbMW6Ra+YNuAtDBdko=
11 | github.com/gdamore/encoding v1.0.0/go.mod h1:alR0ol34c49FCSBLjhosxzcPHQbf2trDkoo5dl+VrEg=
12 | github.com/gdamore/tcell/v2 v2.4.1-0.20210905002822-f057f0a857a1 h1:QqwPZCwh/k1uYqq6uXSb9TRDhTkfQbO80v8zhnIe5zM=
13 | github.com/gdamore/tcell/v2 v2.4.1-0.20210905002822-f057f0a857a1/go.mod h1:Az6Jt+M5idSED2YPGtwnfJV0kXohgdCBPmHGSYc1r04=
14 | github.com/gen2brain/go-unarr v0.1.2 h1:17kYZ2WMCVFrnmU4A+7BeFXblIOyE8weqggjay+kVIU=
15 | github.com/gen2brain/go-unarr v0.1.2/go.mod h1:P05CsEe8jVEXhxqXqp9mFKUKFV0BKpFmtgNWf8Mcoos=
16 | github.com/h2non/filetype v1.1.3 h1:FKkx9QbD7HR/zjK1Ia5XiBsq9zdLi5Kf3zGyFTAFkGg=
17 | github.com/h2non/filetype v1.1.3/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY=
18 | github.com/hillu/go-yara/v4 v4.1.0 h1:ZLT9ar+g5r1IgEp1QVYpdqYCgKMNm7DuZYUJpHZ3yUI=
19 | github.com/hillu/go-yara/v4 v4.1.0/go.mod h1:rkb/gSAoO8qcmj+pv6fDZN4tOa3N7R+qqGlEkzT4iys=
20 | github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213/go.mod h1:vNUNkEQ1e29fT/6vq2aBdFsgNPmy8qMdSay1npru+Sw=
21 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
22 | github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
23 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
24 | github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
25 | github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
26 | github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
27 | github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU=
28 | github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
29 | github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db h1:62I3jR2EmQ4l5rM/4FEfDWcRD+abF5XlKShorW5LRoQ=
30 | github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db/go.mod h1:l0dey0ia/Uv7NcFFVbCLtqEBQbrT4OCwCSKTEv6enCw=
31 | github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
32 | github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
33 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
34 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
35 | github.com/rivo/tview v0.0.0-20220106183741-90d72bc664f5 h1:n0qwaaNXgplKv5AeDIzpXnwoLh9ddQzVsAY8d7WiZvs=
36 | github.com/rivo/tview v0.0.0-20220106183741-90d72bc664f5/go.mod h1:WIfMkQNY+oq/mWwtsjOYHIZBuwthioY2srOmljJkTnk=
37 | github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
38 | github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
39 | github.com/schollz/progressbar/v3 v3.8.3 h1:FnLGl3ewlDUP+YdSwveXBaXs053Mem/du+wr7XSYKl8=
40 | github.com/schollz/progressbar/v3 v3.8.3/go.mod h1:pWnVCjSBZsT2X3nx9HfRdnCDrpbevliMeoEVhStwHko=
41 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
42 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
43 | github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
44 | github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
45 | golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
46 | golang.org/x/crypto v0.0.0-20211202192323-5770296d904e h1:MUP6MR3rJ7Gk9LEia0LP2ytiH6MuCfs7qYz+47jGdD8=
47 | golang.org/x/crypto v0.0.0-20211202192323-5770296d904e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
48 | golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
49 | golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
50 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
51 | golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
52 | golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
53 | golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
54 | golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
55 | golang.org/x/sys v0.0.0-20210910150752-751e447fb3d0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
56 | golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 h1:XfKQ4OlFl8okEOr5UvAqFRVj8pY/4yfcXrddB8qAbU0=
57 | golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
58 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
59 | golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
60 | golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
61 | golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
62 | golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
63 | golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
64 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
65 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
66 | golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
67 | golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
68 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
69 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
70 | gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
71 | gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
72 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
73 | gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
74 | gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
75 | gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
76 | gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
77 | 


--------------------------------------------------------------------------------
/gui.go:
--------------------------------------------------------------------------------
  1 | package main
  2 | 
  3 | import (
  4 | 	"fmt"
  5 | 	"io/ioutil"
  6 | 	"os"
  7 | 	"path/filepath"
  8 | 	"strings"
  9 | 
 10 | 	"github.com/gdamore/tcell/v2"
 11 | 	"github.com/rivo/tview"
 12 | )
 13 | 
 14 | var UIactive = true
 15 | var AppStarted = false
 16 | var UIapp *tview.Application
 17 | var txtMatchs *tview.TextView
 18 | var txtStdout *tview.TextView
 19 | var txtStderr *tview.TextView
 20 | var UIselectedConfigPath string
 21 | var UItmpConfigPath string
 22 | var currentMainWindowSelector int = 0
 23 | var currentConfigWindowSelector int = 0
 24 | 
 25 | func InitUI() {
 26 | 	UIapp = tview.NewApplication()
 27 | 	txtMatchs = tview.NewTextView()
 28 | 	txtStdout = tview.NewTextView()
 29 | 	txtStderr = tview.NewTextView()
 30 | }
 31 | 
 32 | // MainWindow display application UI
 33 | func MainWindow() {
 34 | 	currentMainWindowSelector = 1
 35 | 	/*
 36 | 	 * TEXTVIEW : Windows app name
 37 | 	 */
 38 | 	txtAppTitle := tview.NewTextView().
 39 | 		SetDynamicColors(true).
 40 | 		SetText(RenderFastfinderVersion()).
 41 | 		SetTextAlign(tview.AlignCenter)
 42 | 
 43 | 	/*
 44 | 	 * TEXTVIEW : selection box helper
 45 | 	 */
 46 | 	txtInfoTitle := tview.NewTextView().
 47 | 		SetDynamicColors(true).
 48 | 		SetText("Press tab to navigate between log panels | Up and Down arrow to scroll text").
 49 | 		SetTextAlign(tview.AlignCenter)
 50 | 
 51 | 	/*
 52 | 	 * TEXTVIEW : File matchs
 53 | 	 */
 54 | 	txtMatchs.
 55 | 		SetDynamicColors(true).
 56 | 		SetText("[yellow]File match:\n").
 57 | 		SetRegions(true).
 58 | 		SetChangedFunc(func() {
 59 | 			UIapp.Draw()
 60 | 		})
 61 | 
 62 | 	/*
 63 | 	 * TEXTVIEW : Program execution Output
 64 | 	 */
 65 | 	txtStdout.
 66 | 		SetDynamicColors(true).
 67 | 		SetText("[grey]Init and execution informations:\n").
 68 | 		SetRegions(true).
 69 | 		SetChangedFunc(func() {
 70 | 			UIapp.Draw()
 71 | 		})
 72 | 
 73 | 	/*
 74 | 	 * TEXTVIEW : execution errors
 75 | 	 */
 76 | 	txtStderr.
 77 | 		SetDynamicColors(true).
 78 | 		SetText("[red]Access and scan errors:\n").
 79 | 		SetRegions(true).
 80 | 		SetChangedFunc(func() {
 81 | 			UIapp.Draw()
 82 | 		})
 83 | 
 84 | 	/*
 85 | 	 * Building window
 86 | 	 */
 87 | 	grid := tview.NewGrid().SetRows(1, -5, -2, 1).SetColumns(0, 0).SetBorders(true)
 88 | 	grid.AddItem(txtAppTitle, 0, 0, 1, 2, 0, 0, false)
 89 | 	grid.AddItem(txtMatchs, 1, 1, 1, 1, 0, 0, false)
 90 | 	grid.AddItem(txtStderr, 1, 0, 1, 1, 0, 0, false)
 91 | 	grid.AddItem(txtStdout, 2, 0, 1, 2, 0, 0, false)
 92 | 	grid.AddItem(txtInfoTitle, 3, 0, 1, 2, 0, 0, false)
 93 | 
 94 | 	grid.SetInputCapture(func(event *tcell.EventKey) *tcell.EventKey {
 95 | 		if event.Key() == tcell.KeyTab {
 96 | 			switch currentMainWindowSelector {
 97 | 			case 1:
 98 | 				currentMainWindowSelector++
 99 | 				UIapp.SetFocus(txtStdout)
100 | 				txtInfoTitle.SetText("Selected box: Informations messages")
101 | 			case 2:
102 | 				currentMainWindowSelector++
103 | 				UIapp.SetFocus(txtStderr)
104 | 				txtInfoTitle.SetText("Selected box: Error messages")
105 | 			case 3:
106 | 				currentMainWindowSelector = 1
107 | 				UIapp.SetFocus(txtMatchs)
108 | 				txtInfoTitle.SetText("Selected box: Matchs messages")
109 | 			}
110 | 			return nil
111 | 		}
112 | 		return event
113 | 	})
114 | 
115 | 	AppStarted = true
116 | 	if err := UIapp.SetRoot(grid, true).SetFocus(txtMatchs).Run(); err != nil {
117 | 		UIapp.Stop()
118 | 		AppStarted = false
119 | 	}
120 | }
121 | 
122 | // OpenFileDialog show a navigable tree view of the current directory.
123 | func OpenFileDialog() {
124 | 	currentConfigWindowSelector = 1
125 | 	/*
126 | 	 * TEXTVIEW : Dialog title
127 | 	 */
128 | 	lblDialog := tview.NewTextView().SetTextAlign(tview.AlignCenter).SetText("Fastfinder : Please select a yaml configuration file")
129 | 
130 | 	/*
131 | 	 * TEXTVIEW : selection box helper
132 | 	 */
133 | 	txtInfoTitle := tview.NewTextView().
134 | 		SetDynamicColors(true).
135 | 		SetText("Press tab to navigate between left and right pane | Up and Down arrow to scroll in file preview").
136 | 		SetTextAlign(tview.AlignCenter)
137 | 
138 | 	/*
139 | 	 * TEXTVIEW : File preview
140 | 	 */
141 | 	textPreview := tview.NewTextView().
142 | 		SetDynamicColors(true).
143 | 		SetRegions(true).
144 | 		SetChangedFunc(func() {
145 | 			UIapp.Draw()
146 | 		})
147 | 
148 | 	/*
149 | 	 * TREEVIEW : File and directory navigation
150 | 	 */
151 | 	rootDir, _ := os.Getwd()
152 | 	root := tview.NewTreeNode(rootDir).
153 | 		SetColor(tcell.ColorRed)
154 | 	treeView := tview.NewTreeView().
155 | 		SetRoot(root).
156 | 		SetCurrentNode(root)
157 | 
158 | 	// function definition for adding files and directories to the treeview
159 | 	add := func(target *tview.TreeNode, p string) {
160 | 		files, err := ioutil.ReadDir(p)
161 | 		if err != nil {
162 | 			UIapp.Stop()
163 | 		}
164 | 		if filepath.Dir(p) != p {
165 | 			parentNode := tview.NewTreeNode("../ (" + filepath.Dir(p) + ")").SetReference(filepath.Dir(p)).SetSelectable(true).SetColor(tcell.ColorRed)
166 | 			target.AddChild(parentNode)
167 | 		}
168 | 
169 | 		for _, file := range files {
170 | 			node := tview.NewTreeNode(file.Name()).
171 | 				SetReference(filepath.Join(p, file.Name())).
172 | 				SetSelectable(file.IsDir() || !file.IsDir() && (strings.HasSuffix(strings.ToLower(file.Name()), ".yml") || strings.HasSuffix(strings.ToLower(file.Name()), ".yaml")))
173 | 			if file.IsDir() {
174 | 				node.SetColor(tcell.ColorWhite)
175 | 			} else if !file.IsDir() && (strings.HasSuffix(strings.ToLower(file.Name()), ".yml") || strings.HasSuffix(strings.ToLower(file.Name()), ".yaml")) {
176 | 				node.SetColor(tcell.ColorGreen)
177 | 			} else {
178 | 				node.SetColor(tcell.ColorGrey)
179 | 			}
180 | 
181 | 			target.AddChild(node)
182 | 		}
183 | 	}
184 | 
185 | 	// Add the current directory as the root node
186 | 	add(root, rootDir)
187 | 
188 | 	// If a file or directory was selected, open it.
189 | 	treeView.SetSelectedFunc(func(node *tview.TreeNode) {
190 | 		reference := node.GetReference()
191 | 		p := reference.(string)
192 | 
193 | 		file, err := os.Open(p)
194 | 		if err != nil {
195 | 			return
196 | 		}
197 | 
198 | 		fileInfo, err := file.Stat()
199 | 		if err != nil {
200 | 			return
201 | 		}
202 | 
203 | 		if fileInfo.IsDir() {
204 | 			// directory tree drawing
205 | 			children := node.GetChildren()
206 | 			if len(children) == 0 {
207 | 				// Load and show files in this directory.
208 | 				add(node, p)
209 | 			} else {
210 | 				// Collapse if visible, expand if collapsed.
211 | 				node.SetExpanded(!node.IsExpanded())
212 | 			}
213 | 		} else {
214 | 			// file preview & selection
215 | 			if strings.HasSuffix(strings.ToLower(p), ".yml") || strings.HasSuffix(strings.ToLower(p), ".yaml") {
216 | 				if UItmpConfigPath == p {
217 | 					UIselectedConfigPath = p
218 | 					UIapp.Stop()
219 | 				}
220 | 
221 | 				UItmpConfigPath = p
222 | 
223 | 				d, err := os.ReadFile(p)
224 | 				if err != nil {
225 | 					return
226 | 				}
227 | 
228 | 				textPreview.SetText("")
229 | 				fmt.Fprintf(textPreview, "[yellow]== Press Enter again to select this configuration file ==[white]\n\n%s", d)
230 | 				textPreview.ScrollTo(0, 0)
231 | 			}
232 | 
233 | 		}
234 | 	})
235 | 	/*
236 | 	 * Building window
237 | 	 */
238 | 	grid := tview.NewGrid().SetRows(1, -1, 1).SetColumns(-3, -2).SetBorders(true)
239 | 	grid.AddItem(lblDialog, 0, 0, 1, 2, 0, 0, false)
240 | 	grid.AddItem(treeView, 1, 0, 1, 1, 0, 0, true)
241 | 	grid.AddItem(textPreview, 1, 1, 1, 1, 0, 0, false)
242 | 	grid.AddItem(txtInfoTitle, 2, 0, 1, 2, 0, 0, false)
243 | 
244 | 	grid.SetInputCapture(func(event *tcell.EventKey) *tcell.EventKey {
245 | 		if event.Key() == tcell.KeyTab {
246 | 			switch currentConfigWindowSelector {
247 | 			case 1:
248 | 				currentConfigWindowSelector++
249 | 				UIapp.SetFocus(textPreview)
250 | 				txtInfoTitle.SetText("Selected box: Config file preview")
251 | 			case 2:
252 | 				currentConfigWindowSelector = 1
253 | 				UIapp.SetFocus(treeView)
254 | 				txtInfoTitle.SetText("Selected box: File browser")
255 | 			}
256 | 			return nil
257 | 		}
258 | 
259 | 		if event.Key() == tcell.KeyEnter {
260 | 			if currentConfigWindowSelector == 2 {
261 | 				currentConfigWindowSelector = 1
262 | 				UIapp.SetFocus(treeView)
263 | 				txtInfoTitle.SetText("Selected box: File browser")
264 | 			}
265 | 		}
266 | 
267 | 		return event
268 | 	})
269 | 
270 | 	AppStarted = true
271 | 	if err := UIapp.SetRoot(grid, true).SetFocus(treeView).Run(); err != nil {
272 | 		UIapp.Stop()
273 | 		AppStarted = false
274 | 	}
275 | }
276 | 


--------------------------------------------------------------------------------
/logger.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"fmt"
 5 | 	"log"
 6 | 	"os"
 7 | 	"strings"
 8 | 	"time"
 9 | )
10 | 
11 | const (
12 | 	LOG_EXIT    = 0
13 | 	LOG_VERBOSE = 1
14 | 	LOG_INFO    = 2
15 | 	LOG_ERROR   = 3
16 | 	LOG_ALERT   = 4
17 | )
18 | 
19 | var loggingVerbosity int = 3
20 | var loggingPath string = ""
21 | var loggingFile *os.File
22 | var unitTesting bool
23 | 
24 | func LogTesting(testing bool) {
25 | 	unitTesting = testing
26 | 
27 | 	if !testing {
28 | 		log.SetOutput(os.Stderr)
29 | 	}
30 | }
31 | 
32 | // LogMessage output message to the specific standard / error output
33 | func LogMessage(logType int, logMessage ...interface{}) {
34 | 	aString := make([]string, len(logMessage))
35 | 	for i, v := range logMessage {
36 | 		aString[i] = fmt.Sprintf("%v", v)
37 | 	}
38 | 
39 | 	message := strings.Join(aString, " ")
40 | 
41 | 	if UIactive && AppStarted && !unitTesting {
42 | 		currentTime := time.Now()
43 | 		message = "[" + currentTime.Format("2006-01-02 15:04:05") + "] " + message
44 | 		if logType == LOG_INFO || logType == LOG_VERBOSE || logType == LOG_EXIT {
45 | 			txtStdout.ScrollToEnd()
46 | 			fmt.Fprintf(txtStdout, "%s\n", message)
47 | 		} else if logType == LOG_ALERT {
48 | 			txtMatchs.ScrollToEnd()
49 | 			fmt.Fprintf(txtMatchs, "%s\n", message)
50 | 		} else {
51 | 			txtStderr.ScrollToEnd()
52 | 			fmt.Fprintf(txtStderr, "%s\n", message)
53 | 		}
54 | 	} else {
55 | 		if !unitTesting {
56 | 			if logType == LOG_ERROR {
57 | 				log.SetOutput(os.Stderr)
58 | 			} else {
59 | 				log.SetOutput(os.Stdout)
60 | 			}
61 | 		}
62 | 
63 | 		log.Println(message)
64 | 	}
65 | 
66 | 	if len(loggingPath) > 0 {
67 | 		LogToFile(logType, message)
68 | 	}
69 | }
70 | 
71 | // LogFatal use LogMessage and exit program
72 | func LogFatal(message string) {
73 | 	LogMessage(LOG_ERROR, message)
74 | 	ExitProgram(1, !UIactive)
75 | }
76 | 
77 | // LogToFile copy output log flow to the specified file according to the desired loglevel
78 | func LogToFile(logType int, message string) {
79 | 	var err error
80 | 	if loggingFile == nil {
81 | 		loggingFile, err = os.OpenFile(loggingPath, os.O_CREATE|os.O_WRONLY, 0644)
82 | 		if err != nil {
83 | 			loggingPath = ""
84 | 			LogMessage(LOG_ERROR, "(ERROR)", "Unable to write log file")
85 | 			ExitProgram(1, !UIactive)
86 | 		}
87 | 	}
88 | 
89 | 	if logType == LOG_EXIT || logType >= loggingVerbosity {
90 | 		if _, err := loggingFile.WriteString(message + "\n"); err != nil {
91 | 			loggingPath = ""
92 | 			LogMessage(LOG_ERROR, "(ERROR)", "Unable to write log file")
93 | 			ExitProgram(1, !UIactive)
94 | 		}
95 | 	}
96 | 
97 | }
98 | 


--------------------------------------------------------------------------------
/main.go:
--------------------------------------------------------------------------------
  1 | // #cgo !yara_no_pkg_config,!yara_static  pkg-config: yara
  2 | // #cgo !yara_no_pkg_config,yara_static   pkg-config: --static yara
  3 | // #cgo yara_no_pkg_config                LDFLAGS:    -lyara
  4 | // compile: go build -trimpath -tags yara_static -a -ldflags '-s -w -extldflags "-static"' .
  5 | // suggestion: reduce binary size with "upx --best --lzma .\fastfinder.exe"
  6 | 
  7 | package main
  8 | 
  9 | import (
 10 | 	"fmt"
 11 | 	"log"
 12 | 	"os"
 13 | 	"runtime"
 14 | 	"sort"
 15 | 	"strings"
 16 | 	"time"
 17 | 
 18 | 	"github.com/akamensky/argparse"
 19 | 	"github.com/dlclark/regexp2"
 20 | 	"github.com/fsnotify/fsnotify"
 21 | 	"github.com/hillu/go-yara/v4"
 22 | )
 23 | 
 24 | const FASTFINDER_VERSION = "2.0.0"
 25 | const YARA_VERSION = "4.1.3"
 26 | const BUILDER_RC4_KEY = ">Õ°ªKb{¡§ÌB$lMÕ±9l.tòÑé¦Ø¿"
 27 | 
 28 | func main() {
 29 | 	// parse configuration file
 30 | 	parser := argparse.NewParser("fastfinder", "Fastfinder v"+FASTFINDER_VERSION+" (with YARA "+YARA_VERSION+")"+LineBreak+"\t\t\tIncident Response - Fast suspicious file finder")
 31 | 	pConfigPath := parser.String("c", "configuration", &argparse.Options{Required: false, Default: "", Help: "Fastfind configuration file"})
 32 | 	pSfxPath := parser.String("b", "build", &argparse.Options{Required: false, Help: "Output a standalone package with configuration and rules in a single binary"})
 33 | 	pOutLogPath := parser.String("o", "output", &argparse.Options{Required: false, Help: "Save fastfinder logs in the specified file"})
 34 | 	pHideWindow := parser.Flag("n", "no-window", &argparse.Options{Required: false, Help: "Hide fastfinder window"})
 35 | 	pDisableAdvUI := parser.Flag("u", "no-userinterface", &argparse.Options{Required: false, Help: "Hide advanced user interface"})
 36 | 	pLogVerbosity := parser.Int("v", "verbosity", &argparse.Options{Required: false, Default: 3, Help: "File log verbosity \n\t\t\t\t | 4: Only alert\n\t\t\t\t | 3: Alert and errors\n\t\t\t\t | 2: Alerts,errors and I/O operations\n\t\t\t\t | 1: Full verbosity)\n\t\t\t\t"})
 37 | 	pTriage := parser.Flag("t", "triage", &argparse.Options{Required: false, Default: false, Help: "Triage mode (infinite run - scan every new file in the input path directories)"})
 38 | 
 39 | 	// handle argument parsing error
 40 | 	err := parser.Parse(os.Args)
 41 | 	if err != nil {
 42 | 		log.Fatal(parser.Usage(err))
 43 | 	}
 44 | 
 45 | 	RunProgramWithParameters(*pConfigPath, *pSfxPath, *pOutLogPath, *pHideWindow, *pDisableAdvUI, *pLogVerbosity, *pTriage)
 46 | }
 47 | 
 48 | // RunProgramWithParameters used specified argv and run fastfinder
 49 | func RunProgramWithParameters(pConfigPath string, pSfxPath string, pOutLogPath string, pHideWindow bool, pDisableAdvUI bool, pLogVerbosity int, pTriage bool) {
 50 | 	// enable advanced UI
 51 | 	if pTriage || pDisableAdvUI || pHideWindow || len(pSfxPath) > 0 {
 52 | 		UIactive = false
 53 | 	} else {
 54 | 		InitUI()
 55 | 	}
 56 | 
 57 | 	// display open file dialog when config file empty
 58 | 	if len(pConfigPath) == 0 {
 59 | 		InitUI()
 60 | 		OpenFileDialog()
 61 | 		pConfigPath = UIselectedConfigPath
 62 | 	}
 63 | 
 64 | 	// check for log path validity
 65 | 	if len(pOutLogPath) > 0 {
 66 | 		if strings.Contains(pOutLogPath, " ") {
 67 | 			LogFatal("Log file path cannot contain spaces")
 68 | 		}
 69 | 	}
 70 | 
 71 | 	// init progressbar object
 72 | 	EnableProgressbar(pDisableAdvUI)
 73 | 
 74 | 	// configuration parsing
 75 | 	var config Configuration
 76 | 	config.getConfiguration(pConfigPath)
 77 | 	if config.Output.FilesCopyPath != "" {
 78 | 		config.Output.FilesCopyPath = "./"
 79 | 	}
 80 | 
 81 | 	// window hidden
 82 | 	if pHideWindow && len(pSfxPath) == 0 {
 83 | 		HideConsoleWindow()
 84 | 	}
 85 | 
 86 | 	// output log to file
 87 | 	if len(pOutLogPath) > 0 && len(pSfxPath) == 0 {
 88 | 		loggingPath = pOutLogPath
 89 | 	}
 90 | 
 91 | 	// file logging verbosity
 92 | 	if pLogVerbosity >= 1 && pLogVerbosity <= 4 {
 93 | 		loggingVerbosity = pLogVerbosity
 94 | 	}
 95 | 
 96 | 	// run app
 97 | 	if UIactive {
 98 | 		go MainFastfinderRoutine(config, pConfigPath, pDisableAdvUI, pHideWindow, pSfxPath, pTriage, pOutLogPath, pLogVerbosity)
 99 | 		MainWindow()
100 | 	} else {
101 | 		LogMessage(LOG_INFO, LineBreak+"================================================"+LineBreak+RenderFastfinderLogo()+"================================================"+LineBreak)
102 | 		MainFastfinderRoutine(config, pConfigPath, pDisableAdvUI, pHideWindow, pSfxPath, pTriage, pOutLogPath, pLogVerbosity)
103 | 	}
104 | 
105 | }
106 | 
107 | // MainFastfinderRoutine is used in every scan routine and based on config file directives
108 | func MainFastfinderRoutine(config Configuration, pConfigPath string, pNoAdvUI bool, pHideWindow bool, pSfxPath string, pTriage bool, pOutLogPath string, pLoglevel int) {
109 | 	var rules *yara.Rules
110 | 
111 | 	// check for input configuration
112 | 	if len(config.Input.Path) == 0 && len(config.Input.Content.Grep) == 0 && len(config.Input.Content.Checksum) == 0 && len(config.Input.Content.Yara) == 0 {
113 | 		LogMessage(LOG_ERROR, "(ERROR)", "Input parameters empty - cannot find any item")
114 | 		ExitProgram(1, !UIactive)
115 | 	}
116 | 
117 | 	// sfx building option
118 | 	if len(pSfxPath) > 0 {
119 | 		BuildSFX(config, pSfxPath, pLoglevel, pOutLogPath, pNoAdvUI, pHideWindow)
120 | 		LogMessage(LOG_INFO, "(INFO)", "Fastfinder package generated successfully at", pSfxPath)
121 | 		ExitProgram(0, !UIactive)
122 | 	}
123 | 
124 | 	// fastfinder init
125 | 	FastFinderInit(config, pConfigPath, pSfxPath, pHideWindow)
126 | 
127 | 	// if yara rules mentionned - compile them
128 | 	if len(config.Input.Content.Yara) > 0 {
129 | 		rules = CompileYaraRules(config.Input.Content.Yara, config.AdvancedParameters.YaraRC4Key)
130 | 	}
131 | 
132 | 	// drives enumeration
133 | 	baseDrives, excludedPaths := DriveEnumeration(config)
134 | 
135 | 	// triage mode start
136 | 	if pTriage {
137 | 		if len(config.Input.Path) == 0 {
138 | 			LogFatal("No initial path specified to look for in triage mode")
139 | 		}
140 | 
141 | 		if len(config.Input.Content.Yara) == 0 && len(config.Input.Content.Checksum) == 0 && len(config.Input.Content.Grep) == 0 {
142 | 			LogFatal("No criteria to look for in triage mode")
143 | 		}
144 | 
145 | 		if config.Options.FindInNetworkDrives || config.Options.FindInCDRomDrives {
146 | 			LogMessage(LOG_ERROR, "(WARNING)", "Triage mode cannot retrieve files modification on network and CD-ROM drives")
147 | 			time.Sleep(3 * time.Second)
148 | 		}
149 | 
150 | 		EnableProgressbar(false)
151 | 
152 | 		if !pNoAdvUI {
153 | 			UIactive = false
154 | 			LogMessage(LOG_INFO, "(INFO)", "Advanced UI and progressbar disabled for performance enhancements under triage")
155 | 		}
156 | 
157 | 		LogMessage(LOG_INFO, "(INFO)", "TRIAGE MODE - Use Ctrl+C to stop fastfinder")
158 | 		time.Sleep(3 * time.Second)
159 | 		InitTriageScan(config, rules, baseDrives, excludedPaths)
160 | 	}
161 | 
162 | 	// start main routine
163 | 	for _, basePath := range baseDrives {
164 | 		LogMessage(LOG_VERBOSE, "(INFO)", "Enumerating files in", basePath)
165 | 		var matchContent []string
166 | 		var matchPathPattern []string
167 | 
168 | 		// files listing
169 | 		filesEnumeration := ListFilesRecursively(basePath, excludedPaths)
170 | 		if runtime.GOOS != "windows" {
171 | 			excludedPaths = append(excludedPaths, basePath)
172 | 		}
173 | 
174 | 		// check for files matching path patterns
175 | 		if len(config.Input.Path) > 0 {
176 | 			LogMessage(LOG_VERBOSE, "(INFO)", "Checking for paths matchs in", basePath)
177 | 			var pathRegexPatterns []*regexp2.Regexp
178 | 			for _, pattern := range config.Input.Path {
179 | 				re := regexp2.MustCompile(pattern, regexp2.IgnoreCase)
180 | 				pathRegexPatterns = append(pathRegexPatterns, re)
181 | 			}
182 | 			matchPathPattern = *PathsFinder(filesEnumeration, pathRegexPatterns)
183 | 			if !config.Options.ContentMatchDependsOnPathMatch {
184 | 				for i := 0; i < len(matchPathPattern); i++ {
185 | 					LogMessage(LOG_ALERT, "(ALERT)", "File path match on:", matchPathPattern[i])
186 | 				}
187 | 			}
188 | 		}
189 | 
190 | 		// check for file matching content, checksum and yara rules
191 | 		if len(config.Input.Content.Grep) > 0 || len(config.Input.Content.Checksum) > 0 || len(config.Input.Content.Yara) > 0 {
192 | 			LogMessage(LOG_VERBOSE, "(INFO)", "Checking for content, checksum and YARA rules matchs in", basePath)
193 | 
194 | 			if config.Options.ContentMatchDependsOnPathMatch && len(config.Input.Path) > 0 {
195 | 				if len(matchPathPattern) == 0 {
196 | 					LogMessage(LOG_VERBOSE, "(INFO)", "Neither path nor pattern match. no file to scan with YARA.", basePath)
197 | 				} else {
198 | 					matchContent = *FindInFilesContent(&matchPathPattern, config.Input.Content.Grep, rules, config.Input.Content.Checksum, false, config.AdvancedParameters.MaxScanFilesize, config.AdvancedParameters.CleanMemoryIfFileGreaterThanSize)
199 | 				}
200 | 			} else {
201 | 				matchContent = *FindInFilesContent(filesEnumeration, config.Input.Content.Grep, rules, config.Input.Content.Checksum, false, config.AdvancedParameters.MaxScanFilesize, config.AdvancedParameters.CleanMemoryIfFileGreaterThanSize)
202 | 			}
203 | 		}
204 | 
205 | 		// listing and copy matching files
206 | 		LogMessage(LOG_INFO, "(INFO)", "scan finished in", basePath)
207 | 		if (len(matchPathPattern) > 0 && !config.Options.ContentMatchDependsOnPathMatch) || len(matchContent) > 0 {
208 | 			LogMessage(LOG_ALERT, "(INFO)", "Matching files: ")
209 | 			// output pattern matchs
210 | 			if !config.Options.ContentMatchDependsOnPathMatch {
211 | 				for i := 0; i < len(matchPathPattern); i++ {
212 | 					LogMessage(LOG_ALERT, " |", matchContent[i])
213 | 				}
214 | 			}
215 | 
216 | 			// output content, checksum and yara match
217 | 			for i := 0; i < len(matchContent); i++ {
218 | 				LogMessage(LOG_ALERT, " |", matchContent[i])
219 | 			}
220 | 
221 | 			// copy file matchs
222 | 			if config.Output.CopyMatchingFiles {
223 | 				LogMessage(LOG_INFO, "(INFO)", "Copy all matching files")
224 | 				if !config.Options.ContentMatchDependsOnPathMatch {
225 | 					InitProgressbar(int64(len(matchPathPattern)) + int64(len(matchContent)))
226 | 					for i := 0; i < len(matchPathPattern); i++ {
227 | 						ProgressBarStep()
228 | 						FileCopy(matchPathPattern[i], config.Output.FilesCopyPath, config.Output.Base64Files)
229 | 					}
230 | 				} else {
231 | 					InitProgressbar(int64(len(matchContent)))
232 | 				}
233 | 
234 | 				for i := 0; i < len(matchContent); i++ {
235 | 					ProgressBarStep()
236 | 					FileCopy(matchContent[i], config.Output.FilesCopyPath, config.Output.Base64Files)
237 | 				}
238 | 			}
239 | 		} else {
240 | 			LogMessage(LOG_INFO, "(INFO)", "No match found")
241 | 		}
242 | 	}
243 | 
244 | 	ExitProgram(0, !UIactive)
245 | }
246 | 
247 | // FastFinderInit return basic host informations / check for mutex and return current user permissions
248 | func FastFinderInit(config Configuration, pConfigPath string, pSfxPath string, pHideWindow bool) {
249 | 	var err error
250 | 
251 | 	LogMessage(LOG_INFO, "(INIT)", "Fastfinder v"+FASTFINDER_VERSION+" with embedded YARA v"+YARA_VERSION)
252 | 	LogMessage(LOG_INFO, "(INIT)", "OS:", runtime.GOOS, "Arch:", runtime.GOARCH)
253 | 	LogMessage(LOG_INFO, "(INIT)", "Hostname:", GetHostname())
254 | 	LogMessage(LOG_INFO, "(INIT)", "User:", GetUsername())
255 | 	LogMessage(LOG_INFO, "(INIT)", "Current directory:", GetCurrentDirectory())
256 | 	LogMessage(LOG_INFO, "(INIT)", "Max file size scan:", fmt.Sprintf("%dMB", config.AdvancedParameters.MaxScanFilesize))
257 | 	LogMessage(LOG_INFO, "(INIT)", "Config file:", pConfigPath)
258 | 	LogMessage(LOG_INFO, "(INIT)", "Fastfinder executable SHA256 checksum:", FileSHA256Sum(os.Args[0]))
259 | 	LogMessage(LOG_INFO, "(INIT)", "Configuration file SHA256 checksum:", FileSHA256Sum(pConfigPath))
260 | 
261 | 	if len(pSfxPath) == 0 {
262 | 		// create mutex
263 | 		if _, err = CreateMutex("fastfinder"); err != nil {
264 | 			LogMessage(LOG_ERROR, "(ERROR)", "Only one instance or fastfinder can be launched:", err.Error())
265 | 			ExitProgram(1, !UIactive)
266 | 		}
267 | 
268 | 		// Retrieve current user permissions
269 | 		admin, elevated := CheckCurrentUserPermissions()
270 | 		if !admin && !elevated {
271 | 			LogMessage(LOG_ERROR, "(WARNING) fastfinder is not running with fully elevated righs. Notice that the analysis will be partial and limited to the current user scope")
272 | 			if !pHideWindow {
273 | 				time.Sleep(3 * time.Second)
274 | 			}
275 | 		}
276 | 	}
277 | }
278 | 
279 | // DriveEnumeration enumerate drives based on configuration parameters
280 | func DriveEnumeration(config Configuration) ([]string, []string) {
281 | 	LogMessage(LOG_VERBOSE, "(INIT)", "Enumerating drives")
282 | 	var basePaths []string
283 | 	drives, excludedPaths := EnumLogicalDrives()
284 | 
285 | 	if len(drives) == 0 {
286 | 		LogMessage(LOG_ERROR, "(ERROR)", "Unable to find drives")
287 | 		ExitProgram(1, !UIactive)
288 | 	}
289 | 
290 | 	for _, drive := range drives {
291 | 		if (drive.Type == DRIVE_REMOVABLE && config.Options.FindInRemovableDrives) ||
292 | 			(drive.Type == DRIVE_FIXED && config.Options.FindInHardDrives) ||
293 | 			(drive.Type == DRIVE_REMOTE && config.Options.FindInNetworkDrives) ||
294 | 			(drive.Type == DRIVE_CDROM && config.Options.FindInCDRomDrives) {
295 | 			if runtime.GOOS == "windows" || len(basePaths) == 0 {
296 | 				basePaths = append(basePaths, drive.Name)
297 | 			} else {
298 | 				alreadyParsed := false
299 | 				for _, p := range basePaths {
300 | 					if len(drive.Name) > len(p) && !strings.HasPrefix(drive.Name, p) {
301 | 						alreadyParsed = true
302 | 					}
303 | 				}
304 | 				if !alreadyParsed {
305 | 					basePaths = append(basePaths, drive.Name)
306 | 				}
307 | 			}
308 | 		} else {
309 | 			if runtime.GOOS != "windows" {
310 | 				excludedPaths = append(excludedPaths, drive.Name)
311 | 			}
312 | 		}
313 | 	}
314 | 
315 | 	if len(basePaths) == 0 {
316 | 		LogMessage(LOG_ERROR, "(ERROR)", "No drive corresponding to your configuration drive type")
317 | 		ExitProgram(1, !UIactive)
318 | 	} else {
319 | 		LogMessage(LOG_VERBOSE, "(INIT)", "Looking for the following drives:")
320 | 		for _, p := range basePaths {
321 | 			LogMessage(LOG_INFO, " |", p)
322 | 		}
323 | 	}
324 | 
325 | 	if len(excludedPaths) > 0 {
326 | 		LogMessage(LOG_VERBOSE, "(INFO)", "Excluding the following paths:")
327 | 		for _, p := range excludedPaths {
328 | 			LogMessage(LOG_INFO, " |", p)
329 | 		}
330 | 	}
331 | 
332 | 	if len(config.Input.Path) > 0 {
333 | 		LogMessage(LOG_VERBOSE, "(INIT)", "Searching for the following paths patterns in your drives:")
334 | 		for _, p := range config.Input.Path {
335 | 			LogMessage(LOG_INFO, " |", p)
336 | 		}
337 | 	}
338 | 
339 | 	if runtime.GOOS != "windows" {
340 | 		sort.Slice(basePaths, func(i, j int) bool {
341 | 			return len(basePaths[i]) > len(basePaths[j])
342 | 		})
343 | 	}
344 | 
345 | 	return basePaths, excludedPaths
346 | }
347 | 
348 | // InitTriageScan convert fastfinder scan routine to triage infinite scan
349 | func InitTriageScan(config Configuration, rules *yara.Rules, baseDrives []string, excludedPaths []string) {
350 | 	// init filesystem watcher
351 | 	watcher, err := fsnotify.NewWatcher()
352 | 	if err != nil {
353 | 		log.Fatal(err)
354 | 	}
355 | 	defer watcher.Close()
356 | 
357 | 	// enumerate drive paths and add paths to watch
358 | 	var pathsEnumeration []string
359 | 	for _, drive := range baseDrives {
360 | 		pathsEnumeration = append(pathsEnumeration, *ListDirectoryRecursively(drive, excludedPaths)...)
361 | 	}
362 | 
363 | 	var pathRegexPatterns []*regexp2.Regexp
364 | 	for _, pattern := range config.Input.Path {
365 | 		re := regexp2.MustCompile(pattern, regexp2.IgnoreCase)
366 | 		pathRegexPatterns = append(pathRegexPatterns, re)
367 | 	}
368 | 
369 | 	for _, p := range *PathsFinder(&pathsEnumeration, pathRegexPatterns) {
370 | 		LogMessage(LOG_INFO, "(INFO)", "Add to watchlist:", p)
371 | 		err = watcher.Add(p)
372 | 		if err != nil {
373 | 			LogFatal(fmt.Sprintf("watcher error %v", err))
374 | 		}
375 | 	}
376 | 
377 | 	LogMessage(LOG_INFO, "(INFO)", "==== TRIAGE SCAN INITIALIZATION FINISHED - READY TO SCAN ===")
378 | 	time.Sleep(3 * time.Second)
379 | 
380 | 	// scan routine
381 | 	for {
382 | 		select {
383 | 		case event, ok := <-watcher.Events:
384 | 			if !ok {
385 | 				return
386 | 			}
387 | 			if event.Op&fsnotify.Write == fsnotify.Write {
388 | 				LogMessage(LOG_VERBOSE, "(INFO)", "Scanning file:", event.Name)
389 | 				time.Sleep(500 * time.Millisecond)
390 | 				m := FindInFilesContent(&[]string{event.Name}, config.Input.Content.Grep, rules, config.Input.Content.Checksum, true, config.AdvancedParameters.MaxScanFilesize, config.AdvancedParameters.CleanMemoryIfFileGreaterThanSize)
391 | 				if len(*m) > 0 && config.Output.CopyMatchingFiles {
392 | 					if config.Output.CopyMatchingFiles {
393 | 						LogMessage(LOG_VERBOSE, "(INFO)", "Copying file:", event.Name)
394 | 						FileCopy(event.Name, config.Output.FilesCopyPath, config.Output.Base64Files)
395 | 					}
396 | 				}
397 | 			}
398 | 		case err, ok := <-watcher.Errors:
399 | 			if !ok {
400 | 				return
401 | 			}
402 | 			LogMessage(LOG_ERROR, "Watcher error:", err)
403 | 		}
404 | 	}
405 | }
406 | 


--------------------------------------------------------------------------------
/main_test.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"os"
 5 | 	"os/exec"
 6 | 	"runtime"
 7 | 	"testing"
 8 | 	"time"
 9 | 
10 | 	"github.com/rivo/tview"
11 | )
12 | 
13 | func TestConfigWindow(t *testing.T) {
14 | 	InitUI()
15 | 	go OpenFileDialog()
16 | 	time.Sleep(500 * time.Millisecond)
17 | 
18 | 	if currentConfigWindowSelector == 0 {
19 | 		t.Fatal("OpenFileDialog failed to open")
20 | 	}
21 | }
22 | 
23 | func TestMainWindow(t *testing.T) {
24 | 	InitUI()
25 | 	go MainWindow()
26 | 	time.Sleep(500 * time.Millisecond)
27 | 
28 | 	if currentMainWindowSelector == 0 {
29 | 		t.Fatal("MainWindow failed to open")
30 | 	}
31 | }
32 | 
33 | func TestConfigurationFileLoading(t *testing.T) {
34 | 	var config Configuration
35 | 	config.getConfiguration("tests/config_test_standard.yml")
36 | 
37 | 	if len(config.Input.Content.Grep) == 0 || config.Input.Content.Grep[0] != "package main" {
38 | 		t.Fatal("config.getConfiguration fails to load and parse configuration file correctly")
39 | 	}
40 | }
41 | 
42 | func TestRC4CipheredConfigurationFileLoading(t *testing.T) {
43 | 	var config Configuration
44 | 	config.getConfiguration("tests/config_test_ciphered.yml")
45 | 
46 | 	if len(config.Input.Content.Grep) == 0 || config.Input.Content.Grep[0] != "package main" {
47 | 		t.Fatal("config.getConfiguration fails to load and parse configuration file correctly")
48 | 	}
49 | }
50 | 
51 | func TestCleanUI(t *testing.T) {
52 | 	UIapp = tview.NewApplication()
53 | 	UIapp.ForceDraw()
54 | 	UIactive = false
55 | 	AppStarted = false
56 | 	UIapp.Stop()
57 | 	if UIactive || AppStarted {
58 | 		t.Fatal("Can't reset GUI app for further testing")
59 | 	}
60 | 
61 | 	if runtime.GOOS == "linux" {
62 | 		cmd := exec.Command("clear")
63 | 		cmd.Stdout = os.Stdout
64 | 		cmd.Run()
65 | 	} else {
66 | 		cmd := exec.Command("cmd", "/c", "cls")
67 | 		cmd.Stdout = os.Stdout
68 | 		cmd.Run()
69 | 	}
70 | }
71 | 


--------------------------------------------------------------------------------
/progressbar.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import "github.com/schollz/progressbar/v3"
 4 | 
 5 | var progressbarEnabled bool
 6 | var bar *progressbar.ProgressBar
 7 | 
 8 | func EnableProgressbar(enable bool) {
 9 | 	progressbarEnabled = enable
10 | }
11 | 
12 | func InitProgressbar(value int64) {
13 | 	if progressbarEnabled {
14 | 		bar = progressbar.Default(value)
15 | 	}
16 | }
17 | 
18 | func ProgressBarStep() {
19 | 	if progressbarEnabled {
20 | 		bar.Add(1)
21 | 	}
22 | }
23 | 


--------------------------------------------------------------------------------
/progressbar_test.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"testing"
 5 | )
 6 | 
 7 | func TestProgressbar(t *testing.T) {
 8 | 	if progressbarEnabled {
 9 | 		t.Fatal("Progressbar global boolean has to be set to false on app start")
10 | 	}
11 | 	EnableProgressbar(true)
12 | 	InitProgressbar(100)
13 | 
14 | 	if !progressbarEnabled {
15 | 		t.Fatal("InitProgressbar fails set progressbarEnabled to true")
16 | 	}
17 | 
18 | 	if bar.GetMax() != 100 {
19 | 		t.Fatal("InitProgressbar fails set bar max value")
20 | 	}
21 | 
22 | 	for i := 0; i <= 100; i++ {
23 | 		ProgressBarStep()
24 | 	}
25 | 
26 | 	if !bar.IsFinished() {
27 | 		t.Fatal("ProgressBarStep fails setting progressbar")
28 | 	}
29 | 
30 | 	EnableProgressbar(false)
31 | }
32 | 


--------------------------------------------------------------------------------
/resources/linux_sfx.elf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codeyourweb/fastfinder/3674dd00523c219562bd483607d93c830cd3b578/resources/linux_sfx.elf


--------------------------------------------------------------------------------
/resources/windows_sfx.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codeyourweb/fastfinder/3674dd00523c219562bd483607d93c830cd3b578/resources/windows_sfx.exe


--------------------------------------------------------------------------------
/screenshots/fastfinder_basicUI.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codeyourweb/fastfinder/3674dd00523c219562bd483607d93c830cd3b578/screenshots/fastfinder_basicUI.jpg


--------------------------------------------------------------------------------
/screenshots/fastfinder_configuration_linux.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codeyourweb/fastfinder/3674dd00523c219562bd483607d93c830cd3b578/screenshots/fastfinder_configuration_linux.jpg


--------------------------------------------------------------------------------
/screenshots/fastfinder_configuration_picker.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codeyourweb/fastfinder/3674dd00523c219562bd483607d93c830cd3b578/screenshots/fastfinder_configuration_picker.jpg


--------------------------------------------------------------------------------
/screenshots/fastfinder_linux_scan.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codeyourweb/fastfinder/3674dd00523c219562bd483607d93c830cd3b578/screenshots/fastfinder_linux_scan.jpg


--------------------------------------------------------------------------------
/screenshots/fastfinder_matchs.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codeyourweb/fastfinder/3674dd00523c219562bd483607d93c830cd3b578/screenshots/fastfinder_matchs.jpg


--------------------------------------------------------------------------------
/sfxbuilder.go:
--------------------------------------------------------------------------------
  1 | package main
  2 | 
  3 | import (
  4 | 	"archive/zip"
  5 | 	"bytes"
  6 | 	"fmt"
  7 | 	"io"
  8 | 	"io/ioutil"
  9 | 	"net/http"
 10 | 	"os"
 11 | 	"path/filepath"
 12 | 	"runtime"
 13 | 	"strings"
 14 | 
 15 | 	"gopkg.in/yaml.v3"
 16 | )
 17 | 
 18 | // BuildSFX creates a self-extracting rar zip and embed the fastfinder executable / configuration file / yara rules
 19 | func BuildSFX(configuration Configuration, outputSfxExe string, logLevel int, logFileLocation string, noAdvUI bool, hideWindow bool) {
 20 | 	// compress inputDirectory into archive
 21 | 	archive := fastfinderResourcesCompress(configuration, logLevel, logFileLocation, noAdvUI, hideWindow)
 22 | 
 23 | 	file, err := os.Create(outputSfxExe)
 24 | 	if err != nil {
 25 | 		LogFatal(fmt.Sprintf("(ERROR) %v", err))
 26 | 	}
 27 | 
 28 | 	defer file.Close()
 29 | 
 30 | 	// pack sfx binary and customized archive together
 31 | 	file.Write(sfxBinary)
 32 | 	file.Write(archive.Bytes())
 33 | }
 34 | 
 35 | // fastfinderResourcesCompress compress every package file into the zip archive
 36 | func fastfinderResourcesCompress(configuration Configuration, logLevel int, logFileLocation string, noAdvUI bool, hideWindow bool) bytes.Buffer {
 37 | 	var buffer bytes.Buffer
 38 | 	archive := zip.NewWriter(&buffer)
 39 | 
 40 | 	// embed fastfinder executable
 41 | 	exeName := "fastfinder"
 42 | 	if runtime.GOOS == "windows" {
 43 | 		exeName += ".exe"
 44 | 	}
 45 | 	zipFile, err := archive.Create(exeName)
 46 | 	if err != nil {
 47 | 		LogFatal(fmt.Sprintf("(ERROR) %v", err))
 48 | 	}
 49 | 
 50 | 	fsFile, err := os.ReadFile(os.Args[0])
 51 | 	if err != nil {
 52 | 		LogFatal(fmt.Sprintf("(ERROR) %v", err))
 53 | 	}
 54 | 
 55 | 	r := bytes.NewReader(fsFile)
 56 | 	_, err = io.Copy(zipFile, r)
 57 | 	if err != nil {
 58 | 		LogFatal(fmt.Sprintf("(ERROR) %v", err))
 59 | 	}
 60 | 
 61 | 	// embed yara rules
 62 | 	configuration.Input.Content.Yara = EnumerateYaraInFolders(configuration.Input.Content.Yara)
 63 | 	for i := 0; i < len(configuration.Input.Content.Yara); i++ {
 64 | 		var fileName string
 65 | 		var fsFile []byte
 66 | 
 67 | 		if IsValidUrl(configuration.Input.Content.Yara[i]) {
 68 | 			response, err := http.Get(configuration.Input.Content.Yara[i])
 69 | 			if err != nil {
 70 | 				LogMessage(LOG_ERROR, "YARA file URL unreachable", configuration.Input.Content.Yara[i], err)
 71 | 			}
 72 | 			fsFile, err = ioutil.ReadAll(response.Body)
 73 | 			if err != nil {
 74 | 				LogMessage(LOG_ERROR, "YARA file URL content unreadable", configuration.Input.Content.Yara[i], err)
 75 | 			}
 76 | 			response.Body.Close()
 77 | 			fileName = filepath.Base(configuration.Input.Content.Yara[i])[:len(filepath.Base(configuration.Input.Content.Yara[i]))-4]
 78 | 			if !strings.HasSuffix(fileName, ".yar") {
 79 | 				fileName += ".yar"
 80 | 			}
 81 | 
 82 | 		} else {
 83 | 			fileName = filepath.Base(configuration.Input.Content.Yara[i])
 84 | 			fsFile, err = os.ReadFile(configuration.Input.Content.Yara[i])
 85 | 
 86 | 			if err != nil {
 87 | 				LogFatal(fmt.Sprintf("(ERROR) %v", err))
 88 | 			}
 89 | 		}
 90 | 
 91 | 		zipFile, err := archive.Create("fastfinder_resources/" + fileName)
 92 | 		if err != nil {
 93 | 			LogFatal(fmt.Sprintf("(ERROR) %v", err))
 94 | 		}
 95 | 
 96 | 		// cipher rules
 97 | 		if configuration.AdvancedParameters.YaraRC4Key != "" {
 98 | 			fsFile = RC4Cipher(fsFile, configuration.AdvancedParameters.YaraRC4Key)
 99 | 		}
100 | 
101 | 		r := bytes.NewReader(fsFile)
102 | 		_, err = io.Copy(zipFile, r)
103 | 		if err != nil {
104 | 			LogFatal(fmt.Sprintf("(ERROR) %v", err))
105 | 		}
106 | 
107 | 		configuration.Input.Content.Yara[i] = "'./fastfinder_resources/" + fileName + "'"
108 | 
109 | 	}
110 | 
111 | 	// embed configuration file
112 | 	zipFile, err = archive.Create("fastfinder_resources/configuration.yaml")
113 | 	if err != nil {
114 | 		LogFatal(fmt.Sprintf("(ERROR) %v", err))
115 | 	}
116 | 	d, err := yaml.Marshal(&configuration)
117 | 	if err != nil {
118 | 		LogFatal(fmt.Sprintf("(ERROR) %v", err))
119 | 	}
120 | 
121 | 	// cipher configuration file
122 | 	d = RC4Cipher(d, BUILDER_RC4_KEY)
123 | 
124 | 	r = bytes.NewReader(d)
125 | 	_, err = io.Copy(zipFile, r)
126 | 	if err != nil {
127 | 		LogFatal(fmt.Sprintf("(ERROR) %v", err))
128 | 	}
129 | 
130 | 	// sfx exec instructions
131 | 	var sfxcomment = "the comment below contains sfx script commands\r\n\r\n" +
132 | 		"Path=" + tempFolder + "\r\n" +
133 | 		"Setup=" + exeName + " -c " + "fastfinder_resources/configuration.yaml"
134 | 
135 | 	// propagate loglevel param
136 | 	sfxcomment += fmt.Sprintf(" -v %d", logLevel)
137 | 
138 | 	// propagage advanced UI param
139 | 	if noAdvUI {
140 | 		sfxcomment += " -u"
141 | 	}
142 | 
143 | 	// output log file
144 | 	if len(logFileLocation) > 0 {
145 | 		//sfxcomment += " -o \"" + logFileLocation + "\""
146 | 		sfxcomment += fmt.Sprintf(" -o %s", logFileLocation)
147 | 	}
148 | 
149 | 	if hideWindow && runtime.GOOS == "windows" {
150 | 		sfxcomment += " -n"
151 | 		sfxcomment += "\r\n" +
152 | 			"Silent=1"
153 | 	}
154 | 
155 | 	archive.SetComment(sfxcomment)
156 | 
157 | 	if err != nil {
158 | 		return buffer
159 | 	}
160 | 	err = archive.Close()
161 | 
162 | 	if err != nil {
163 | 		LogFatal(fmt.Sprintf("(ERROR) %v", err))
164 | 	}
165 | 	return buffer
166 | }
167 | 


--------------------------------------------------------------------------------
/tests/config_test_ciphered.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codeyourweb/fastfinder/3674dd00523c219562bd483607d93c830cd3b578/tests/config_test_ciphered.yml


--------------------------------------------------------------------------------
/tests/config_test_standard.yml:
--------------------------------------------------------------------------------
 1 | input:
 2 |     path: []
 3 |     content:
 4 |         grep:
 5 |           - 'package main'
 6 |         yara: []
 7 |         checksum: []
 8 | options:
 9 |     contentMatchDependsOnPathMatch: false
10 |     findInHardDrives: true
11 |     findInRemovableDrives: false
12 |     findInNetworkDrives: false
13 |     findInCDRomDrives: false
14 | output:
15 |     copyMatchingFiles: false
16 |     base64Files: false
17 |     filesCopyPath: ''


--------------------------------------------------------------------------------
/tests/rule_test_ciphered.yar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/codeyourweb/fastfinder/3674dd00523c219562bd483607d93c830cd3b578/tests/rule_test_ciphered.yar


--------------------------------------------------------------------------------
/tests/rule_test_standard.yar:
--------------------------------------------------------------------------------
1 | rule testing{
2 | 	strings:
3 | 		$ = "TestFindInFilesContent"
4 | 	condition:
5 | 		all of them
6 | }


--------------------------------------------------------------------------------
/utils_common.go:
--------------------------------------------------------------------------------
  1 | package main
  2 | 
  3 | import (
  4 | 	"crypto/rc4"
  5 | 	"crypto/sha256"
  6 | 	"encoding/base64"
  7 | 	"errors"
  8 | 	"fmt"
  9 | 	"io"
 10 | 	"net/url"
 11 | 	"os"
 12 | 	"os/user"
 13 | 	"path/filepath"
 14 | 	"strings"
 15 | 	"time"
 16 | )
 17 | 
 18 | type Env struct {
 19 | 	Name  string
 20 | 	Value string
 21 | }
 22 | 
 23 | type DriveInfo struct {
 24 | 	Name string
 25 | 	Type uint32
 26 | }
 27 | 
 28 | const (
 29 | 	DRIVE_UNKNOWN     = 0
 30 | 	DRIVE_NO_ROOT_DIR = 1
 31 | 	DRIVE_REMOVABLE   = 2
 32 | 	DRIVE_FIXED       = 3
 33 | 	DRIVE_REMOTE      = 4
 34 | 	DRIVE_CDROM       = 5
 35 | 	DRIVE_RAMDISK     = 6
 36 | )
 37 | 
 38 | // RenderFastfinderLogo is a (useless) function displaying fastfinder logo as ascii art
 39 | func RenderFastfinderLogo() string {
 40 | 	txtLogo := "  ___       __  ___  ___         __   ___  __     " + LineBreak
 41 | 	txtLogo += " |__   /\\  /__`  |  |__  | |\\ | |  \\ |__  |__) " + LineBreak
 42 | 	txtLogo += " |    /~~\\ .__/  |  |    | | \\| |__/ |___ |  \\ " + LineBreak
 43 | 	txtLogo += "                                                  " + LineBreak
 44 | 	txtLogo += "  2021-2022 | Jean-Pierre GARNIER | @codeyourweb  " + LineBreak
 45 | 	txtLogo += "  https://github.com/codeyourweb/fastfinder       " + LineBreak
 46 | 	return txtLogo
 47 | }
 48 | 
 49 | // RenderFastfinderVersion returns program and YARA version
 50 | func RenderFastfinderVersion() string {
 51 | 	return "Fastfinder version " + FASTFINDER_VERSION + " with embedded YARA version " + YARA_VERSION
 52 | }
 53 | 
 54 | // ExitProgram close file log handles and exit the program
 55 | func ExitProgram(code int, noWindow bool) {
 56 | 	if !noWindow {
 57 | 		message := "Press Ctrl+C to exit"
 58 | 		if AppStarted {
 59 | 			message = "[yellow]" + message
 60 | 		}
 61 | 		LogMessage(LOG_EXIT, message)
 62 | 		fmt.Scanln()
 63 | 		fmt.Print("\n\n")
 64 | 	}
 65 | 
 66 | 	if loggingFile != nil {
 67 | 		loggingFile.Close()
 68 | 	}
 69 | 
 70 | 	os.Exit(code)
 71 | }
 72 | 
 73 | // GetEnvironmentVariables return a list of environment variables in []Env slice
 74 | func GetEnvironmentVariables() (environmentVariables []Env) {
 75 | 	for _, item := range os.Environ() {
 76 | 		envPair := strings.SplitN(item, "=", 2)
 77 | 		env := Env{
 78 | 			Name:  envPair[0],
 79 | 			Value: envPair[1],
 80 | 		}
 81 | 		environmentVariables = append(environmentVariables, env)
 82 | 	}
 83 | 
 84 | 	return environmentVariables
 85 | }
 86 | 
 87 | // RetrivesFilesFromUserPath return a []string of available files from specified path (includeFileExtensions is available only if listFiles is true)
 88 | func RetrivesFilesFromUserPath(path string, listFiles bool, includeFileExtensions []string, recursive bool) ([]string, error) {
 89 | 	var p []string
 90 | 
 91 | 	info, err := os.Stat(path)
 92 | 	if os.IsNotExist(err) {
 93 | 		return []string{}, errors.New("Input file not found")
 94 | 	}
 95 | 
 96 | 	if !info.IsDir() {
 97 | 		p = append(p, path)
 98 | 	} else {
 99 | 		if !recursive {
100 | 			files, err := os.ReadDir(path)
101 | 			if err != nil {
102 | 				return []string{}, err
103 | 			}
104 | 			for _, f := range files {
105 | 				if !(f.IsDir() == listFiles) && (len(includeFileExtensions) == 0 || Contains(includeFileExtensions, filepath.Ext(f.Name()))) {
106 | 					p = append(p, path+string(os.PathSeparator)+f.Name())
107 | 				}
108 | 			}
109 | 		} else {
110 | 			err := filepath.Walk(path, func(walk string, info os.FileInfo, err error) error {
111 | 				if err != nil {
112 | 					LogMessage(LOG_ERROR, "(ERROR)", err)
113 | 				}
114 | 
115 | 				if err == nil && !(info.IsDir() == listFiles) && (len(includeFileExtensions) == 0 || Contains(includeFileExtensions, filepath.Ext(walk))) {
116 | 					p = append(p, walk)
117 | 				}
118 | 
119 | 				return nil
120 | 			})
121 | 
122 | 			if err != nil {
123 | 				LogMessage(LOG_ERROR, "(ERROR)", err)
124 | 			}
125 | 		}
126 | 	}
127 | 
128 | 	return p, nil
129 | }
130 | 
131 | // ListFilesRecursively returns a list of files in the specified path and its subdirectories
132 | func ListFilesRecursively(path string, excludedPaths []string) *[]string {
133 | 	var files []string
134 | 
135 | 	err := filepath.Walk(path, func(path string, f os.FileInfo, err error) error {
136 | 		if err != nil {
137 | 			LogMessage(LOG_ERROR, "(ERROR)", err)
138 | 			return filepath.SkipDir
139 | 		}
140 | 
141 | 		if !f.IsDir() {
142 | 			for _, excludedPath := range excludedPaths {
143 | 				if len(excludedPath) > 1 && strings.HasPrefix(path, excludedPath) && len(path) > len(excludedPath) {
144 | 					LogMessage(LOG_INFO, "(INFO)", "Skipping dir", path)
145 | 					return filepath.SkipDir
146 | 				}
147 | 			}
148 | 
149 | 			files = append(files, path)
150 | 		}
151 | 		return nil
152 | 	})
153 | 
154 | 	if err != nil {
155 | 		LogMessage(LOG_ERROR, "(ERROR)", err)
156 | 	}
157 | 
158 | 	return &files
159 | }
160 | 
161 | // ListFilesRecursively returns a list of files in the specified path and its subdirectories
162 | func ListDirectoryRecursively(path string, excludedPaths []string) *[]string {
163 | 	var directories []string
164 | 
165 | 	err := filepath.Walk(path, func(path string, f os.FileInfo, err error) error {
166 | 		if err != nil {
167 | 			LogMessage(LOG_ERROR, "(ERROR)", err)
168 | 			return filepath.SkipDir
169 | 		}
170 | 
171 | 		if f.IsDir() {
172 | 			for _, excludedPath := range excludedPaths {
173 | 				if len(excludedPath) > 1 && strings.HasPrefix(path, excludedPath) && len(path) > len(excludedPath) {
174 | 					LogMessage(LOG_INFO, "(INFO)", "Skipping dir", path)
175 | 					return filepath.SkipDir
176 | 				}
177 | 			}
178 | 
179 | 			directories = append(directories, path)
180 | 		}
181 | 		return nil
182 | 	})
183 | 
184 | 	if err != nil {
185 | 		LogMessage(LOG_ERROR, "(ERROR)", err)
186 | 	}
187 | 
188 | 	return &directories
189 | }
190 | 
191 | // FileCopy copy the specified file from src to dst path, and eventually encode its content to base64. Return copied file path
192 | func FileCopy(src, dst string, base64Encode bool) string {
193 | 	dst += fmt.Sprintf("%d_%s.fastfinder", time.Now().Unix(), filepath.Base(src))
194 | 	srcFile, err := os.Open(src)
195 | 	if err != nil {
196 | 		LogFatal(fmt.Sprintf("%v", err))
197 | 	}
198 | 	defer srcFile.Close()
199 | 
200 | 	dstFile, err := os.Create(dst)
201 | 	if err != nil {
202 | 		LogFatal(fmt.Sprintf("%v", err))
203 | 	}
204 | 	defer dstFile.Close()
205 | 
206 | 	if base64Encode {
207 | 		encoder := base64.NewEncoder(base64.StdEncoding, dstFile)
208 | 		defer encoder.Close()
209 | 
210 | 		_, err = io.Copy(encoder, srcFile)
211 | 	} else {
212 | 		_, err = io.Copy(dstFile, srcFile)
213 | 	}
214 | 
215 | 	if err != nil {
216 | 		LogFatal(fmt.Sprintf("%v", err))
217 | 	}
218 | 
219 | 	return dst
220 | }
221 | 
222 | // Contains checks if a string is contained in a slice of strings
223 | func Contains(s []string, str string) bool {
224 | 	for i := 0; i < len(s); i++ {
225 | 		if s[i] == str {
226 | 			return true
227 | 		}
228 | 	}
229 | 
230 | 	return false
231 | }
232 | 
233 | // IsValidUrl tests a string to determine if it is a well-structured url or not.
234 | func IsValidUrl(toTest string) bool {
235 | 	_, err := url.ParseRequestURI(toTest)
236 | 	if err != nil {
237 | 		return false
238 | 	}
239 | 
240 | 	u, err := url.Parse(toTest)
241 | 	if err != nil || u.Scheme == "" || u.Host == "" {
242 | 		return false
243 | 	}
244 | 
245 | 	return true
246 | }
247 | 
248 | // GetHostname returns the hostname of the current machine
249 | func GetHostname() string {
250 | 	name, err := os.Hostname()
251 | 	if err != nil {
252 | 		return ""
253 | 	}
254 | 
255 | 	return name
256 | }
257 | 
258 | // GetUsername returns the current user name
259 | func GetUsername() string {
260 | 	user, err := user.Current()
261 | 	if err != nil {
262 | 		return ""
263 | 	}
264 | 
265 | 	return user.Username
266 | }
267 | 
268 | // GetCurrentDirectory returns the current directory
269 | func GetCurrentDirectory() string {
270 | 	dir, err := os.Getwd()
271 | 	if err != nil {
272 | 		return ""
273 | 	}
274 | 
275 | 	return dir
276 | }
277 | 
278 | // Get SHA256 checksum of the specified file
279 | func FileSHA256Sum(path string) string {
280 | 	file, err := os.Open(path)
281 | 
282 | 	if err != nil {
283 | 		panic(err)
284 | 	}
285 | 
286 | 	defer file.Close()
287 | 
288 | 	hash := sha256.New()
289 | 	_, err = io.Copy(hash, file)
290 | 
291 | 	if err != nil {
292 | 		panic(err)
293 | 	}
294 | 
295 | 	return fmt.Sprintf("%x", hash.Sum(nil))
296 | }
297 | 
298 | // RC4Cipher is used on Yara ciphered rules
299 | func RC4Cipher(content []byte, key string) []byte {
300 | 	c, err := rc4.NewCipher([]byte(key))
301 | 	if err != nil {
302 | 		LogFatal(fmt.Sprintf("(ERROR) %v", err))
303 | 	}
304 | 
305 | 	c.XORKeyStream(content, content)
306 | 
307 | 	return content
308 | }
309 | 


--------------------------------------------------------------------------------
/utils_common_test.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"bytes"
 5 | 	"encoding/hex"
 6 | 	"errors"
 7 | 	"os"
 8 | 	"testing"
 9 | )
10 | 
11 | func TestRC4Cipher(t *testing.T) {
12 | 	input, err := hex.DecodeString("c31fc67a6d6fa9")
13 | 	if err != nil {
14 | 		t.Fatal("Fail to test RC4Cipher")
15 | 	}
16 | 
17 | 	if !bytes.Contains(RC4Cipher([]byte(input), "testing"), []byte("testing")) {
18 | 		t.Fatal("RC4Cipher doesn't return appropriate result")
19 | 	}
20 | }
21 | 
22 | func TestFileSHA256Sum(t *testing.T) {
23 | 	if FileSHA256Sum("tests/config_test_standard.yml") != "24def2a7f060ba758c682acef517b70e43ccd61002da5f7461103c2b9136694e" {
24 | 		t.Fatal("FileSHA256Sum returns unexpected result")
25 | 	}
26 | }
27 | 
28 | func TestHostEnumeration(t *testing.T) {
29 | 	if len(GetHostname()) == 0 {
30 | 		t.Fatal("GetHostname does not return appropriate result")
31 | 	}
32 | 
33 | 	if len(GetUsername()) == 0 {
34 | 		t.Fatal("GetUsername does not return appropriate result")
35 | 	}
36 | 
37 | 	if len(GetCurrentDirectory()) == 0 {
38 | 		t.Fatal("GetCurrentDirectory does not return appropriate result")
39 | 	}
40 | }
41 | 
42 | func TestValidUrl(t *testing.T) {
43 | 	if !IsValidUrl("http://www.github.com/codeyourweb/fastfinder") || IsValidUrl("http:\\www.github.com") {
44 | 		t.Fatal("IsValidUrl does not return appropriate result")
45 | 	}
46 | }
47 | 
48 | func TestContains(t *testing.T) {
49 | 	if !Contains([]string{"a", "b"}, "a") || Contains([]string{"c,d"}, "a") {
50 | 		t.Fatal("Contains does not return appropriate result")
51 | 	}
52 | }
53 | 
54 | func TestFileCopy(t *testing.T) {
55 | 	p := FileCopy("tests/config_test_standard.yml", "tests/", true)
56 | 	if _, err := os.Stat(p); errors.Is(err, os.ErrNotExist) {
57 | 		t.Fatal("FileCopy fails copying specified file")
58 | 	}
59 | 
60 | 	if FileSHA256Sum(p) != "0d77dfaf95d0adf67a27b8f44d4e1b7566efa77cf55344da85ce4a81ebe3b700" {
61 | 		t.Fatal("FileCopy base64 content return unexpected result")
62 | 	}
63 | 
64 | 	os.Remove(p)
65 | }
66 | 


--------------------------------------------------------------------------------
/utils_linux.go:
--------------------------------------------------------------------------------
  1 | //go:build linux
  2 | 
  3 | package main
  4 | 
  5 | import (
  6 | 	"bufio"
  7 | 	"bytes"
  8 | 	_ "embed"
  9 | 	"fmt"
 10 | 	"io"
 11 | 	"io/ioutil"
 12 | 	"os"
 13 | 	"os/exec"
 14 | 	"regexp"
 15 | 	"strconv"
 16 | 	"strings"
 17 | 	"syscall"
 18 | 	"time"
 19 | )
 20 | 
 21 | //go:embed resources/linux_sfx.elf
 22 | var sfxBinary []byte
 23 | var tempFolder = "/tmp"
 24 | 
 25 | const LineBreak = "\n"
 26 | 
 27 | type disks map[string]map[string]string
 28 | type cmdRunner struct{}
 29 | 
 30 | func New() *cmdRunner {
 31 | 	return &cmdRunner{}
 32 | }
 33 | 
 34 | func (c *cmdRunner) Run(cmd string, args []string) (io.Reader, error) {
 35 | 	command := exec.Command(cmd, args...)
 36 | 	resCh := make(chan []byte)
 37 | 	errCh := make(chan error)
 38 | 	go func() {
 39 | 		out, err := command.CombinedOutput()
 40 | 		if err != nil {
 41 | 			errCh <- err
 42 | 		}
 43 | 		resCh <- out
 44 | 	}()
 45 | 	timer := time.After(2 * time.Second)
 46 | 	select {
 47 | 	case err := <-errCh:
 48 | 		return nil, err
 49 | 	case res := <-resCh:
 50 | 		return bytes.NewReader(res), nil
 51 | 	case <-timer:
 52 | 		return nil, fmt.Errorf("time out (cmd:%v args:%v)", cmd, args)
 53 | 	}
 54 | }
 55 | 
 56 | // CheckCurrentUserPermissions retieves the current user permissions and check if the program run with elevated privileges
 57 | func CheckCurrentUserPermissions() (admin bool, elevated bool) {
 58 | 	cmd := exec.Command("id", "-u")
 59 | 	output, err := cmd.Output()
 60 | 
 61 | 	if err != nil {
 62 | 		LogFatal(fmt.Sprintf("(ERROR) Error finding current user privileges: %s", err))
 63 | 	}
 64 | 
 65 | 	i, err := strconv.Atoi(string(output[:len(output)-1]))
 66 | 	if err != nil {
 67 | 		LogFatal(fmt.Sprintf("(ERROR) Error finding current user privileges: %s", err))
 68 | 	}
 69 | 
 70 | 	return i == 0, i == 0
 71 | }
 72 | 
 73 | // HideConsoleWindow hide the process console window
 74 | func HideConsoleWindow() {
 75 | 	LogMessage(LOG_INFO, "[COMPAT]", "Hide console option not implented on linux. You should consider run this program as a task")
 76 | }
 77 | 
 78 | // CreateMutex creates a named mutex to avoid multiple instance run
 79 | func CreateMutex(name string) (uintptr, error) {
 80 | 	lockFile := "fastfinder.lock"
 81 | 	currentPid := os.Getpid()
 82 | 
 83 | 	lockContent, err := ioutil.ReadFile(lockFile)
 84 | 	if err == nil {
 85 | 		if len(lockContent) > 0 && string(lockContent) != fmt.Sprintf("%d", currentPid) {
 86 | 			lockProcessId, _ := strconv.Atoi(string(lockContent))
 87 | 			process, err := os.FindProcess(lockProcessId)
 88 | 			if err == nil {
 89 | 				pSignal := process.Signal(syscall.Signal(0))
 90 | 				if pSignal == nil {
 91 | 					return uintptr(currentPid), fmt.Errorf("another instance of fastfinder is running")
 92 | 				}
 93 | 			}
 94 | 		}
 95 | 	}
 96 | 
 97 | 	f, err := os.OpenFile(lockFile, os.O_CREATE|os.O_RDWR, 0664)
 98 | 	if err != nil {
 99 | 		return 0, fmt.Errorf("cannot instanciate mutex")
100 | 	}
101 | 	defer f.Close()
102 | 	f.Write([]byte(fmt.Sprintf("%d", currentPid)))
103 | 
104 | 	return uintptr(currentPid), nil
105 | }
106 | 
107 | // EnumLogicalDrives returns a list of all logical drives letters on the system.
108 | func EnumLogicalDrives() (drivesInfo []DriveInfo, excludedPaths []string) {
109 | 	excludedPaths = []string{"/dev", "/lost+found", "/proc", "/media/floppy"}
110 | 	disks, err := Lsblk()
111 | 	if err != nil {
112 | 		LogMessage(LOG_ERROR, "[COMPAT]", "Error getting disks info: %v - try to parse from /", err)
113 | 	} else {
114 | 		// Get fixed / removable / cdrom drives
115 | 		for _, disk := range disks {
116 | 			if disk["mountpoint"] != "" {
117 | 				switch disk["type"] {
118 | 				case "part":
119 | 					if IsUSBStorage("/dev/" + disk["name"]) {
120 | 						drivesInfo = append(drivesInfo, DriveInfo{Name: disk["mountpoint"], Type: DRIVE_REMOVABLE})
121 | 					} else {
122 | 						drivesInfo = append(drivesInfo, DriveInfo{Name: disk["mountpoint"], Type: DRIVE_FIXED})
123 | 					}
124 | 				case "rom":
125 | 					drivesInfo = append(drivesInfo, DriveInfo{Name: disk["mountpoint"], Type: DRIVE_CDROM})
126 | 				default:
127 | 					excludedPaths = append(excludedPaths, disk["mountpoint"])
128 | 
129 | 				}
130 | 			}
131 | 		}
132 | 	}
133 | 
134 | 	// Get network drives
135 | 	nDrives, err := FindInNetworkDrives()
136 | 	if err != nil {
137 | 		LogMessage(LOG_ERROR, "[COMPAT]", "Error getting network drives: %v", err)
138 | 	}
139 | 
140 | 	for _, driveName := range nDrives {
141 | 		drivesInfo = append(drivesInfo, DriveInfo{Name: driveName, Type: DRIVE_REMOTE})
142 | 	}
143 | 
144 | 	return drivesInfo, excludedPaths
145 | }
146 | 
147 | // FindInNetworkDrives uses  df -aT and returns a list of all valid fuse mount
148 | func FindInNetworkDrives() (mounts []string, err error) {
149 | 	out, err := exec.Command("df", "-aT").Output()
150 | 	if err != nil {
151 | 		return mounts, err
152 | 	}
153 | 
154 | 	outlines := strings.Split(string(out), "\n")
155 | 
156 | 	for _, line := range outlines {
157 | 		parsedLine := strings.Fields(line)
158 | 		if len(line) > 5 &&
159 | 			strings.HasPrefix(parsedLine[len(parsedLine)-1], "/") &&
160 | 			(strings.Contains(parsedLine[0], "fuse") || strings.Contains(parsedLine[1], "fuse")) {
161 | 			a, _ := strconv.ParseInt(parsedLine[3], 10, 64)
162 | 			b, _ := strconv.ParseInt(parsedLine[4], 10, 64)
163 | 			if a > 0 && b > 0 {
164 | 				mounts = append(mounts, parsedLine[len(parsedLine)-1])
165 | 			}
166 | 		}
167 | 	}
168 | 
169 | 	return mounts, nil
170 | }
171 | 
172 | // Lsblk returns a map of all disks and their properties
173 | func Lsblk() (disks, error) {
174 | 	var cmdrun = cmdRunner{}
175 | 	rr, err := cmdrun.Run("lsblk", []string{"-P", "-b", "-o", "NAME,TYPE,MOUNTPOINT"})
176 | 	if err != nil {
177 | 		return nil, err
178 | 	}
179 | 	disks := parser_lsblk(rr)
180 | 	return disks, nil
181 | }
182 | 
183 | func parser_lsblk(r io.Reader) map[string]map[string]string {
184 | 	var lsblk = make(disks)
185 | 	re := regexp.MustCompile("([A-Z]+)=(?:\"(.*?)\")")
186 | 	scan := bufio.NewScanner(r)
187 | 	for scan.Scan() {
188 | 		var disk_name = ""
189 | 		disk := make(map[string]string)
190 | 		raw := scan.Text()
191 | 		sr := re.FindAllStringSubmatch(raw, -1)
192 | 		for i, k := range sr {
193 | 			k[1] = strings.ToLower(k[1])
194 | 			if i == 0 {
195 | 				disk_name = k[2]
196 | 			}
197 | 
198 | 			if Contains([]string{"name", "type", "mountpoint"}, k[1]) {
199 | 				disk[k[1]] = k[2]
200 | 			}
201 | 		}
202 | 		lsblk[disk_name] = disk
203 | 	}
204 | 	return lsblk
205 | }
206 | 
207 | // IsUSBStorage returns true if the given device is a USB storage based on udevadm linux command return
208 | func IsUSBStorage(device string) bool {
209 | 	deviceVerifier := "ID_USB_DRIVER=usb-storage"
210 | 	cmd := "udevadm"
211 | 	args := []string{"info", "-q", "property", "-n", device}
212 | 	out, err := exec.Command(cmd, args...).Output()
213 | 
214 | 	if err != nil {
215 | 		LogMessage(LOG_ERROR, "(ERROR)", "Error checking device %s: %s", device, err)
216 | 		return false
217 | 	}
218 | 
219 | 	if strings.Contains(string(out), deviceVerifier) {
220 | 		return true
221 | 	}
222 | 
223 | 	return false
224 | }
225 | 


--------------------------------------------------------------------------------
/utils_windows.go:
--------------------------------------------------------------------------------
  1 | //go:build windows
  2 | 
  3 | package main
  4 | 
  5 | import (
  6 | 	_ "embed"
  7 | 	"fmt"
  8 | 	"syscall"
  9 | 	"unsafe"
 10 | 
 11 | 	"golang.org/x/sys/windows"
 12 | )
 13 | 
 14 | //go:embed resources/windows_sfx.exe
 15 | var sfxBinary []byte
 16 | var tempFolder = "%TEMP%"
 17 | 
 18 | const LineBreak = "\r\n"
 19 | 
 20 | var (
 21 | 	modKernel32          = windows.NewLazySystemDLL("kernel32.dll")
 22 | 	modUser32            = windows.NewLazySystemDLL("user32.dll")
 23 | 	procCreateMutex      = modKernel32.NewProc("CreateMutexW")
 24 | 	procGetLogicalDrives = modKernel32.NewProc("GetLogicalDrives")
 25 | 	procGetDriveTypeW    = modKernel32.NewProc("GetDriveTypeW")
 26 | 	procGetConsoleWindow = modKernel32.NewProc("GetConsoleWindow")
 27 | 	procShowWindow       = modUser32.NewProc("ShowWindow")
 28 | )
 29 | 
 30 | // CheckCurrentUserPermissions retieves the current user permissions and check if the program run with elevated privileges
 31 | func CheckCurrentUserPermissions() (admin bool, elevated bool) {
 32 | 	var err error
 33 | 	var sid *windows.SID
 34 | 	err = windows.AllocateAndInitializeSid(
 35 | 		&windows.SECURITY_NT_AUTHORITY,
 36 | 		2,
 37 | 		windows.SECURITY_BUILTIN_DOMAIN_RID,
 38 | 		windows.DOMAIN_ALIAS_RID_ADMINS,
 39 | 		0, 0, 0, 0, 0, 0,
 40 | 		&sid)
 41 | 	if err != nil {
 42 | 		LogFatal(fmt.Sprintf("(ERROR) SID Error: %s", err))
 43 | 		return false, false
 44 | 	}
 45 | 	defer windows.FreeSid(sid)
 46 | 	token := windows.Token(0)
 47 | 
 48 | 	admin, err = token.IsMember(sid)
 49 | 	if err != nil {
 50 | 		LogFatal(fmt.Sprintf("(ERROR) Token Membership Error: %s", err))
 51 | 		return false, false
 52 | 	}
 53 | 
 54 | 	return admin, token.IsElevated()
 55 | }
 56 | 
 57 | // HideConsoleWindow hide the process console window
 58 | func HideConsoleWindow() {
 59 | 	hwnd, _, _ := procGetConsoleWindow.Call()
 60 | 	if hwnd == 0 {
 61 | 		return
 62 | 	}
 63 | 
 64 | 	procShowWindow.Call(hwnd, 0)
 65 | }
 66 | 
 67 | // CreateMutex creates a named mutex to avoid multiple instance run
 68 | func CreateMutex(name string) (uintptr, error) {
 69 | 	mutexNamePtr, err := syscall.UTF16PtrFromString(name)
 70 | 	if err != nil {
 71 | 		return 0, err
 72 | 	}
 73 | 
 74 | 	ret, _, err := procCreateMutex.Call(0, 0, uintptr(unsafe.Pointer(mutexNamePtr)))
 75 | 	switch int(err.(syscall.Errno)) {
 76 | 	case 0:
 77 | 		return ret, nil
 78 | 	default:
 79 | 		return ret, err
 80 | 	}
 81 | }
 82 | 
 83 | // EnumLogicalDrives returns a list of all logical drives letters on the system.
 84 | func EnumLogicalDrives() (drivesInfo []DriveInfo, excludedPaths []string) {
 85 | 	var drives []string
 86 | 	if ret, _, callErr := procGetLogicalDrives.Call(); callErr != windows.ERROR_SUCCESS {
 87 | 		return []DriveInfo{}, []string{}
 88 | 	} else {
 89 | 		drives = bitsToDrives(uint32(ret))
 90 | 	}
 91 | 
 92 | 	for _, drive := range drives {
 93 | 		var driveInfo DriveInfo
 94 | 		driveInfo.Name = drive + ":\\"
 95 | 		drivePtr, err := syscall.UTF16PtrFromString(drive + ":")
 96 | 		if err != nil {
 97 | 			return drivesInfo, []string{}
 98 | 		}
 99 | 
100 | 		if ret, _, callErr := procGetDriveTypeW.Call(uintptr(unsafe.Pointer(drivePtr))); callErr != windows.ERROR_SUCCESS {
101 | 			driveInfo.Type = DRIVE_UNKNOWN
102 | 		} else {
103 | 			driveInfo.Type = uint32(ret)
104 | 		}
105 | 
106 | 		drivesInfo = append(drivesInfo, driveInfo)
107 | 	}
108 | 
109 | 	return drivesInfo, []string{}
110 | }
111 | 
112 | // map drive DWORD returned by EnumLogicalDrives to drive letters
113 | func bitsToDrives(bits uint32) (drives []string) {
114 | 	for i := 0; i < 26; i++ {
115 | 		if bits&(1<<uint(i)) != 0 {
116 | 			drives = append(drives, fmt.Sprintf("%c", rune('A'+i)))
117 | 		}
118 | 	}
119 | 	return drives
120 | }
121 | 


--------------------------------------------------------------------------------
/yaraprocessing.go:
--------------------------------------------------------------------------------
  1 | package main
  2 | 
  3 | import (
  4 | 	"bytes"
  5 | 	"fmt"
  6 | 	"io/ioutil"
  7 | 	"net/http"
  8 | 	"os"
  9 | 	"path/filepath"
 10 | 	"runtime/debug"
 11 | 	"strings"
 12 | 
 13 | 	"github.com/gen2brain/go-unarr"
 14 | 	"github.com/h2non/filetype"
 15 | 	"github.com/hillu/go-yara/v4"
 16 | )
 17 | 
 18 | // CompileYaraRules return *yara.Rules result of yara files compilation
 19 | func CompileYaraRules(yaraFiles []string, yaraRC4Key string) (rules *yara.Rules) {
 20 | 	var compiler *yara.Compiler
 21 | 	var err error
 22 | 
 23 | 	LogMessage(LOG_VERBOSE, "(INIT)", "Compiling Yara rules")
 24 | 	compiler, err = LoadYaraRules(yaraFiles, yaraRC4Key)
 25 | 	if err != nil {
 26 | 		LogMessage(LOG_ERROR, err)
 27 | 		ExitProgram(1, !UIactive)
 28 | 	}
 29 | 
 30 | 	rules, err = CompileRules(compiler)
 31 | 	if err != nil {
 32 | 		LogMessage(LOG_ERROR, err)
 33 | 		ExitProgram(1, !UIactive)
 34 | 	}
 35 | 
 36 | 	LogMessage(LOG_VERBOSE, "(INIT)", len(rules.GetRules()), "YARA rules compiled")
 37 | 	for _, r := range rules.GetRules() {
 38 | 		LogMessage(LOG_INFO, " | rule:", r.Identifier())
 39 | 	}
 40 | 
 41 | 	return rules
 42 | }
 43 | 
 44 | // PerformYaraScan use provided YARA rules and search for match in the given byte slice
 45 | func PerformYaraScan(data *[]byte, rules *yara.Rules) (yara.MatchRules, error) {
 46 | 	result, err := yaraScan(*data, rules)
 47 | 	if err != nil {
 48 | 		return nil, err
 49 | 	}
 50 | 
 51 | 	return result, nil
 52 | }
 53 | 
 54 | // PerformArchiveYaraScan try to decompress archive and YARA scan every file in it
 55 | func PerformArchiveYaraScan(path string, rules *yara.Rules) (matchs yara.MatchRules, err error) {
 56 | 	var buffer [][]byte
 57 | 
 58 | 	a, err := unarr.NewArchive(path)
 59 | 	if err != nil {
 60 | 		content, err := os.ReadFile(path)
 61 | 		if err != nil {
 62 | 			return nil, err
 63 | 		}
 64 | 		return PerformYaraScan(&content, rules)
 65 | 	}
 66 | 	defer a.Close()
 67 | 
 68 | 	list, err := a.List()
 69 | 	if err != nil {
 70 | 		content, err := os.ReadFile(path)
 71 | 		if err != nil {
 72 | 			return nil, err
 73 | 		}
 74 | 		return PerformYaraScan(&content, rules)
 75 | 	}
 76 | 	for _, f := range list {
 77 | 		err := a.EntryFor(f)
 78 | 		if err != nil {
 79 | 			return nil, err
 80 | 		}
 81 | 
 82 | 		data, err := a.ReadAll()
 83 | 		if err != nil {
 84 | 			return nil, err
 85 | 		}
 86 | 
 87 | 		buffer = append(buffer, data)
 88 | 	}
 89 | 
 90 | 	matchs, err = yaraScan(bytes.Join(buffer, []byte{}), rules)
 91 | 	if err != nil {
 92 | 		return nil, err
 93 | 	}
 94 | 
 95 | 	return matchs, nil
 96 | }
 97 | 
 98 | // LoadYaraRules compile yara rules from specified paths and return a pointer to the yara compiler
 99 | func LoadYaraRules(path []string, rc4key string) (compiler *yara.Compiler, err error) {
100 | 	compiler, err = yara.NewCompiler()
101 | 	if err != nil {
102 | 		return nil, fmt.Errorf("failed to initialize YARA compiler: %s", err.Error())
103 | 	}
104 | 
105 | 	for _, dir := range EnumerateYaraInFolders(path) {
106 | 		var f []byte
107 | 		var err error
108 | 
109 | 		if IsValidUrl(dir) {
110 | 			response, err := http.Get(dir)
111 | 			if err != nil {
112 | 				LogMessage(LOG_ERROR, "YARA file URL unreachable", dir, err)
113 | 				continue
114 | 			}
115 | 			f, err = ioutil.ReadAll(response.Body)
116 | 			if err != nil {
117 | 				LogMessage(LOG_ERROR, "YARA file URL content unreadable", dir, err)
118 | 				continue
119 | 			}
120 | 			response.Body.Close()
121 | 		} else {
122 | 			f, err = os.ReadFile(dir)
123 | 			if err != nil {
124 | 				LogMessage(LOG_ERROR, "(ERROR)", "Could not read rule file ", dir, err)
125 | 				continue
126 | 			}
127 | 		}
128 | 
129 | 		if len(rc4key) > 0 && !bytes.Contains(f, []byte("rule")) && !bytes.Contains(f, []byte("condition")) {
130 | 			f = RC4Cipher(f, rc4key)
131 | 		}
132 | 
133 | 		namespace := filepath.Base(dir)[:len(filepath.Base(dir))-4]
134 | 		if err = compiler.AddString(string(f), namespace); err != nil {
135 | 			LogMessage(LOG_ERROR, "(ERROR)", "Could not load rule file ", dir, err)
136 | 			continue
137 | 		}
138 | 	}
139 | 
140 | 	return compiler, nil
141 | }
142 | 
143 | // EnumerateYaraInFolders return a list of YARA rules path in the specified folders - if path already is a file or URL, it add it also
144 | func EnumerateYaraInFolders(path []string) []string {
145 | 	var rulePaths []string
146 | 
147 | 	for _, rulePath := range path {
148 | 		LogMessage(LOG_INFO, "Searching for YARA rules in", rulePath)
149 | 		rulePath = strings.TrimSpace(rulePath)
150 | 
151 | 		fileInfo, err := os.Stat(rulePath)
152 | 		if err == nil {
153 | 			if fileInfo.IsDir() {
154 | 				paths, err := RetrivesFilesFromUserPath(rulePath, true, []string{".yar", ".yara"}, false)
155 | 				rulePaths = append(rulePaths, paths...)
156 | 				if err != nil {
157 | 					LogMessage(LOG_ERROR, "YARA file retrieve error found", rulePath, err)
158 | 					continue
159 | 				}
160 | 			} else {
161 | 				rulePaths = append(rulePaths, rulePath)
162 | 			}
163 | 		} else {
164 | 			if IsValidUrl(rulePath) {
165 | 				rulePaths = append(rulePaths, rulePath)
166 | 			}
167 | 		}
168 | 	}
169 | 
170 | 	return rulePaths
171 | }
172 | 
173 | // CompileRules try to compile every rules from the given compiler
174 | func CompileRules(compiler *yara.Compiler) (rules *yara.Rules, err error) {
175 | 	rules, err = compiler.GetRules()
176 | 	if err != nil {
177 | 		return nil, fmt.Errorf("failed to compile rules: %s", err.Error())
178 | 	}
179 | 
180 | 	return rules, err
181 | }
182 | 
183 | // yaraScan use libyara to scan the specified content with a compiled rule
184 | func yaraScan(content []byte, rules *yara.Rules) (match yara.MatchRules, err error) {
185 | 	sc, _ := yara.NewScanner(rules)
186 | 	var m yara.MatchRules
187 | 	err = sc.SetCallback(&m).ScanMem(content)
188 | 	return m, err
189 | }
190 | 
191 | // FileAnalyzeYaraMatch use yara to scan the specified file and return if it match to compiled rules or not
192 | func FileAnalyzeYaraMatch(path string, rules *yara.Rules, maxFileSizeScan int, cleanMemoryIfSizeGreaterThan int) bool {
193 | 	var err error
194 | 	var content []byte
195 | 	var result yara.MatchRules
196 | 
197 | 	if _, err = os.Stat(path); err != nil {
198 | 		LogMessage(LOG_ERROR, "(ERROR)", path, err)
199 | 		return false
200 | 	}
201 | 
202 | 	// read file content
203 | 	content, err = os.ReadFile(path)
204 | 	if err != nil {
205 | 		LogMessage(LOG_ERROR, "(ERROR)", path, err)
206 | 		return false
207 | 	}
208 | 
209 | 	filetype, err := filetype.Match(content)
210 | 	if err != nil {
211 | 		LogMessage(LOG_ERROR, "(ERROR)", path, err)
212 | 		return false
213 | 	}
214 | 
215 | 	// cleaning memory if file size is greater than 512Mb
216 | 	if len(content) > 1024*1024*cleanMemoryIfSizeGreaterThan {
217 | 		defer debug.FreeOSMemory()
218 | 	}
219 | 
220 | 	// cancel analysis if file size is greater than 2Gb
221 | 	if len(content) > 1024*1024*2048 {
222 | 		LogMessage(LOG_ERROR, fmt.Sprintf("File size is greater than %dMb, skipping", maxFileSizeScan), path)
223 | 		return false
224 | 	}
225 | 
226 | 	// archive or other file format scan
227 | 	if Contains([]string{"application/x-tar", "application/x-7z-compressed", "application/zip", "application/vnd.rar"}, filetype.MIME.Value) {
228 | 		result, err = PerformArchiveYaraScan(path, rules)
229 | 		if err != nil {
230 | 			LogMessage(LOG_ERROR, "(ERROR)", "Error performing yara scan on", path, err)
231 | 			return false
232 | 		}
233 | 	} else {
234 | 		result, err = PerformYaraScan(&content, rules)
235 | 		if err != nil {
236 | 			LogMessage(LOG_ERROR, "(ERROR)", "Error performing yara scan on", path, err)
237 | 			return false
238 | 		}
239 | 	}
240 | 
241 | 	// output rules matchs
242 | 	for i := 0; i < len(result); i++ {
243 | 		LogMessage(LOG_ALERT, "(ALERT)", "YARA match:")
244 | 		LogMessage(LOG_ALERT, " | path:", path)
245 | 		LogMessage(LOG_ALERT, " | rule namespace:", result[i].Namespace)
246 | 		LogMessage(LOG_ALERT, " | rule name:", result[i].Rule)
247 | 	}
248 | 
249 | 	return len(result) > 0
250 | }
251 | 


--------------------------------------------------------------------------------
/yaraprocessing_test.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"bytes"
 5 | 	"log"
 6 | 	"testing"
 7 | )
 8 | 
 9 | func TestYaraSearchEnumeration(t *testing.T) {
10 | 	r1 := EnumerateYaraInFolders([]string{"./tests/"})
11 | 
12 | 	if len(r1) == 0 {
13 | 		t.Fatal("EnumerateYaraInFolders fails to retrieve test yara rules")
14 | 	}
15 | }
16 | 
17 | func TestYaraRuleLoad(t *testing.T) {
18 | 	r1 := CompileYaraRules([]string{"tests/rule_test_standard.yar"}, "")
19 | 
20 | 	if len(r1.GetRules()) != 1 {
21 | 		t.Fatal("CompileYaraRules was unable to compile a YARA rule")
22 | 	}
23 | 
24 | 	r2 := CompileYaraRules([]string{"tests/rule_test_ciphered.yar"}, "testing")
25 | 
26 | 	if len(r2.GetRules()) != 1 {
27 | 		t.Fatal("CompileYaraRules was unable to compile a RC4 ciphered YARA rule")
28 | 	}
29 | }
30 | 
31 | func TestPerformYaraScan(t *testing.T) {
32 | 	r := CompileYaraRules([]string{"tests/rule_test_standard.yar"}, "")
33 | 	d := []byte("TestFindInFilesContent")
34 | 	r1, err := PerformYaraScan(&d, r)
35 | 
36 | 	if err != nil || len(r1) != 1 {
37 | 		t.Fatal("")
38 | 	}
39 | }
40 | 
41 | func TestYaraMatchAndResultOutput(t *testing.T) {
42 | 	r := CompileYaraRules([]string{"tests/rule_test_standard.yar"}, "")
43 | 	var buffer bytes.Buffer
44 | 	LogTesting(true)
45 | 	log.SetOutput(&buffer)
46 | 
47 | 	r1 := FileAnalyzeYaraMatch("finder_test.go", r, 512, 512)
48 | 	LogTesting(false)
49 | 
50 | 	if !r1 {
51 | 		log.Fatal("FileAnalyzeYaraMatch fails to match on testing file")
52 | 	}
53 | 
54 | 	if !bytes.Contains(buffer.Bytes(), []byte("ALERT")) {
55 | 		t.Fatal("FileAnalyzeYaraMatch does not output YARA match")
56 | 	}
57 | 
58 | }
59 | 


--------------------------------------------------------------------------------