1.2 release and linux version preparation

codeyourweb · Dec 5, 2021 · dd1af31 · dd1af31
1 parent b014ebf
commit dd1af31
Show file tree

Hide file tree

Showing 6 changed files with 145 additions and 106 deletions.
diff --git a/examples/example_configuration.yaml → examples/example_configuration_windows.yaml b/examples/example_configuration.yaml → examples/example_configuration_windows.yaml
@@ -1,4 +1,3 @@
-# TODO check REGEX / YARA / checksum
 input:
     path:
       - '%APPDATA%\\*.exe'
@@ -10,7 +9,7 @@ input:
         grep:
           - 'fastfinder.exe'
         yara:
-          - './example_rule.yar'
+          - './examples/example_rule_windows.yar'
         checksum:
          - 'c4884dadc3680439e30bf48ae0ca7048'
          - '7A320D69E436911A9EAF676D8C2B6A22580BF79F'

diff --git a/examples/example_rule.yar → examples/example_rule_windows.yar b/examples/example_rule.yar → examples/example_rule_windows.yar
diff --git a/main.go b/main.go
@@ -24,7 +24,7 @@ func main() {
 	}
 
 	// parse configuration file
-	parser := argparse.NewParser("fastfinder", "Incident Response - Fast suspicious file finder")
+	parser := argparse.NewParser("fastfinder", "(v1.2) Incident Response - Fast suspicious file finder")
 	configPath := parser.String("c", "configuration", &argparse.Options{Required: true, Default: "configuration.yaml", Help: "Fastfind configuration file"})
 	sfxPath := parser.String("b", "build", &argparse.Options{Required: false, Help: "Output a standalone package with configuration and rules in a single binary"})
 	outLogPath := parser.String("o", "output", &argparse.Options{Required: false, Help: "Save fastfinder logs in the specified file"})

diff --git a/utils_common.go b/utils_common.go
@@ -0,0 +1,107 @@
+package main
+
+import (
+	"encoding/base64"
+	"io"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+type Env struct {
+	Name  string
+	Value string
+}
+
+type DriveInfo struct {
+	Name string
+	Type uint32
+}
+
+const (
+	DRIVE_UNKNOWN     = 0
+	DRIVE_NO_ROOT_DIR = 1
+	DRIVE_REMOVABLE   = 2
+	DRIVE_FIXED       = 3
+	DRIVE_REMOTE      = 4
+	DRIVE_CDROM       = 5
+	DRIVE_RAMDISK     = 6
+)
+
+// GetEnvironmentVariables return a list of environment variables in []Env slice
+func GetEnvironmentVariables() (environmentVariables []Env) {
+	for _, item := range os.Environ() {
+		envPair := strings.SplitN(item, "=", 2)
+		env := Env{
+			Name:  envPair[0],
+			Value: envPair[1],
+		}
+		environmentVariables = append(environmentVariables, env)
+	}
+
+	return environmentVariables
+}
+
+// ListFilesRecursively returns a list of files in the specified path and its subdirectories
+func ListFilesRecursively(path string) *[]string {
+	var files []string
+
+	err := filepath.Walk(path, func(path string, f os.FileInfo, err error) error {
+		if err != nil {
+			LogMessage(LOG_ERROR, "[ERROR]", err)
+			return filepath.SkipDir
+		}
+
+		if !f.IsDir() {
+			files = append(files, path)
+		}
+		return nil
+	})
+
+	if err != nil {
+		LogMessage(LOG_ERROR, "[ERROR]", err)
+	}
+
+	return &files
+}
+
+// FileCopy copy the specified file from src to dst path, and eventually encode its content to base64
+func FileCopy(src, dst string, base64Encode bool) {
+	dst += filepath.Base(src) + ".fastfinder"
+	srcFile, err := os.Open(src)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer srcFile.Close()
+
+	dstFile, err := os.Create(dst)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer dstFile.Close()
+
+	if base64Encode {
+		encoder := base64.NewEncoder(base64.StdEncoding, dstFile)
+		defer encoder.Close()
+
+		_, err = io.Copy(encoder, srcFile)
+	} else {
+		_, err = io.Copy(dstFile, srcFile)
+	}
+
+	if err != nil {
+		log.Fatal(err)
+	}
+}
+
+// Contains checks if a string is contained in a slice of strings
+func Contains(s []string, str string) bool {
+	for _, v := range s {
+		if v == str {
+			return true
+		}
+	}
+
+	return false
+}
diff --git a/utils_linux.go b/utils_linux.go
@@ -0,0 +1,34 @@
+//go:build linux
+
+package main
+
+import (
+	"encoding/base64"
+	"io"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+	"syscall"
+	"unsafe"
+)
+
+type Env struct {
+	Name  string
+	Value string
+}
+
+// HideConsoleWindow hide the process console window
+func HideConsoleWindow() {
+	LogMessage(LOG_INFO, "[COMPAT]", "Hide console not implented on linux. You should consider run this program as a task")
+}
+
+// CreateMutex creates a named mutex to avoid multiple instance run
+func CreateMutex(name string) (uintptr, error) {
+	return 0, nil
+}
+
+// EnumLogicalDrives returns a list of all logical drives letters on the system.
+func EnumLogicalDrives() (drivesInfo []DriveInfo) {
+	return drivesInfo
+}
diff --git a/utils.go → utils_windows.go b/utils.go → utils_windows.go
@@ -1,38 +1,14 @@
+//go:build windows
+
 package main
 
 import (
-	"encoding/base64"
-	"io"
-	"log"
-	"os"
-	"path/filepath"
-	"strings"
 	"syscall"
 	"unsafe"
 
 	"golang.org/x/sys/windows"
 )
 
-type Env struct {
-	Name  string
-	Value string
-}
-
-type DriveInfo struct {
-	Name string
-	Type uint32
-}
-
-const (
-	DRIVE_UNKNOWN     = 0
-	DRIVE_NO_ROOT_DIR = 1
-	DRIVE_REMOVABLE   = 2
-	DRIVE_FIXED       = 3
-	DRIVE_REMOTE      = 4
-	DRIVE_CDROM       = 5
-	DRIVE_RAMDISK     = 6
-)
-
 var (
 	modKernel32          = windows.NewLazySystemDLL("kernel32.dll")
 	modUser32            = windows.NewLazySystemDLL("user32.dll")
@@ -69,43 +45,6 @@ func CreateMutex(name string) (uintptr, error) {
 	}
 }
 
-// GetEnvironmentVariables return a list of environment variables in []Env slice
-func GetEnvironmentVariables() (environmentVariables []Env) {
-	for _, item := range os.Environ() {
-		envPair := strings.SplitN(item, "=", 2)
-		env := Env{
-			Name:  envPair[0],
-			Value: envPair[1],
-		}
-		environmentVariables = append(environmentVariables, env)
-	}
-
-	return environmentVariables
-}
-
-// ListFilesRecursively returns a list of files in the specified path and its subdirectories
-func ListFilesRecursively(path string) *[]string {
-	var files []string
-
-	err := filepath.Walk(path, func(path string, f os.FileInfo, err error) error {
-		if err != nil {
-			LogMessage(LOG_ERROR, "[ERROR]", err)
-			return filepath.SkipDir
-		}
-
-		if !f.IsDir() {
-			files = append(files, path)
-		}
-		return nil
-	})
-
-	if err != nil {
-		LogMessage(LOG_ERROR, "[ERROR]", err)
-	}
-
-	return &files
-}
-
 // EnumLogicalDrives returns a list of all logical drives letters on the system.
 func EnumLogicalDrives() (drivesInfo []DriveInfo) {
 	var drives []string
@@ -135,46 +74,6 @@ func EnumLogicalDrives() (drivesInfo []DriveInfo) {
 	return drivesInfo
 }
 
-// FileCopy copy the specified file from src to dst path, and eventually encode its content to base64
-func FileCopy(src, dst string, base64Encode bool) {
-	dst += filepath.Base(src) + ".fastfinder"
-	srcFile, err := os.Open(src)
-	if err != nil {
-		log.Fatal(err)
-	}
-	defer srcFile.Close()
-
-	dstFile, err := os.Create(dst)
-	if err != nil {
-		log.Fatal(err)
-	}
-	defer dstFile.Close()
-
-	if base64Encode {
-		encoder := base64.NewEncoder(base64.StdEncoding, dstFile)
-		defer encoder.Close()
-
-		_, err = io.Copy(encoder, srcFile)
-	} else {
-		_, err = io.Copy(dstFile, srcFile)
-	}
-
-	if err != nil {
-		log.Fatal(err)
-	}
-}
-
-// Contains checks if a string is contained in a slice of strings
-func Contains(s []string, str string) bool {
-	for _, v := range s {
-		if v == str {
-			return true
-		}
-	}
-
-	return false
-}
-
 // map drive DWORD returned by EnumLogicalDrives to drive letters
 func bitsToDrives(bits uint32) (drives []string) {
 	for i := 0; i < 26; i++ {