report

package
Published: Jan 6, 2022 License: AGPL-3.0 Imports: 18 Imported by: 0

Documentation


Constants

const FileScansFileName = "file-scans.json"

FileScansFileName is the name of the file used to report information about file scans.

const Format = "2006-01-02T15:04:05.000000Z-07:00"
const MemoryScansFileName = "memory-scans.json"

MemoryScansFileName is the name of the file used to report information about memory scans.

const MetaFileName = "meta.json"

MetaFileName is the name of the file containing meta information about the report format.

const ProcessesFileName = "processes.json"

ProcessesFileName is the name of the file used to report information about processes.

const RulesFileName = "rules.yarc"

RulesFileName is the name of the file in which the rules used for the scan are stored.

const ScanningStatisticsFileName = "stats.json"

ScanningStatisticsFileName is the name of the file used to report scanning statistics.

const SystemInfoFileName = "systeminfo.json"

SystemInfoFileName is the name of the file in which system information is stored.

Variables

// FormatVersion is the version of the report format described by this
// package (1.0.0). Presumably the value written into
// MetaInformation.FormatVersion — confirm against GetMetaInformation.
var FormatVersion = version.Version{
	Major:  1,
	Minor:  0,
	Bugfix: 0,
}
var MetaV1Schema = fmt.Sprintf(schemaURLFormat, "1.0.0", "meta.schema.json")

Functions

func ReadArmoredKeyring

func ReadArmoredKeyring(path string) (openpgp.KeyRing, error)

Types

type File

// File identifies a file that was scanned, by path and optional digests.
type File struct {
	// FilePath is the path of the file (JSON key "path").
	FilePath string `json:"path"`

	// MD5Sum is the file's MD5 digest as a string; omitted from JSON when
	// empty. MD5 is not collision-resistant, so it should only serve as a
	// lookup aid for legacy indicator feeds — use SHA256Sum when the digest
	// is the basis for identifying or verifying a file.
	MD5Sum string `json:"md5,omitempty"`

	// SHA256Sum is the file's SHA-256 digest as a string; omitted from JSON
	// when empty. The string encoding (hex, base64, ...) is not visible here.
	SHA256Sum string `json:"sha256,omitempty"`
}

type FileReader

// FileReader is a file-backed implementation of Reader; all of its state is
// unexported. It is presumably what NewFileReader returns (that constructor
// is typed as returning the Reader interface) — confirm.
type FileReader struct {
	// contains filtered or unexported fields
}

func (*FileReader) Close

func (rdr *FileReader) Close() error

func (*FileReader) OpenFileScans

func (rdr *FileReader) OpenFileScans() (io.ReadCloser, error)

func (*FileReader) OpenMemoryScans

func (rdr *FileReader) OpenMemoryScans() (io.ReadCloser, error)

func (*FileReader) OpenMeta

func (rdr *FileReader) OpenMeta() (io.ReadCloser, error)

func (*FileReader) OpenProcesses

func (rdr *FileReader) OpenProcesses() (io.ReadCloser, error)

func (*FileReader) OpenStatistics

func (rdr *FileReader) OpenStatistics() (io.ReadCloser, error)

func (*FileReader) OpenSystemInformation

func (rdr *FileReader) OpenSystemInformation() (io.ReadCloser, error)

func (*FileReader) SetKeyring

func (rdr *FileReader) SetKeyring(keyring openpgp.KeyRing)

func (*FileReader) SetPassword

func (rdr *FileReader) SetPassword(password string)

type FileScan

// FileScan represents all matches on a file.
type FileScan struct {
	// File identifies the scanned file.
	File *File `json:"file"`

	// Matches holds the rule matches found in the file (JSON key "match").
	Matches []*Match `json:"match"`

	// Error carries whatever error the scan recorded for this file, if any.
	// Because the field is an untyped interface{}, JSON decoding yields the
	// generic encoding/json value (nil, string, float64, map or slice), not a
	// Go error — consumers should inspect it with a type switch rather than
	// assert a concrete type.
	Error interface{} `json:"error"`
}

FileScan represents all matches on a file.

type Match

// Match represents the match of a yara Rule.
type Match struct {
	// Rule is the identifier of the matched rule.
	Rule string `json:"rule"`

	// Namespace is the namespace the rule belongs to.
	Namespace string `json:"namespace"`

	// Strings lists the rule strings that matched, with their positions.
	Strings []*MatchString `json:"strings"`
}

Match represents the match of a yara Rule.

type MatchString

// A MatchString represents a string declared and matched in a rule.
type MatchString struct {
	// Name is the string's identifier as declared in the rule.
	Name string `json:"name"`

	// Base and Offset locate the match. How they relate (e.g. Offset
	// relative to Base, or Base being a segment address) is not visible in
	// this listing — confirm against the scanner before combining them.
	Base   uint64 `json:"base"`
	Offset uint64 `json:"offset"`
}

A MatchString represents a string declared and matched in a rule.

type MemoryScan

// MemoryScan represents all matches on a single memory segment of a process.
type MemoryScan struct {
	// PID is the id of the scanned process.
	PID int `json:"pid"`

	// MemorySegment is the address identifying the scanned segment;
	// presumably MemorySegmentInfo.BaseAddress of the matching entry in
	// ProcessInfo.MemorySegments — confirm.
	MemorySegment uintptr `json:"memorySegment"`

	// Matches holds the rule matches found in the segment (JSON key "match").
	Matches []*Match `json:"match"`

	// Error carries whatever error the scan recorded for this segment, if
	// any. As an untyped interface{} it decodes from JSON to the generic
	// encoding/json value (nil, string, float64, map or slice), not a Go
	// error.
	Error interface{} `json:"error"`
}

MemoryScan represents all matches on a single memory segment of a process.

type MemorySegmentInfo

// MemorySegmentInfo contains information about a memory segment.
type MemorySegmentInfo struct {
	// ParentBaseAddress is the base address of the parent segment.
	// If no parent segment exists, this is equal to the BaseAddress.
	// Equivalence on windows: _MEMORY_BASIC_INFORMATION->AllocationBase
	ParentBaseAddress uintptr `json:"parentBaseAddress"`

	// BaseAddress is the base address of the current memory segment.
	// Equivalence on windows: _MEMORY_BASIC_INFORMATION->BaseAddress
	BaseAddress uintptr `json:"baseAddress"`

	// AllocatedPermissions is the Permissions that were used to initially
	// allocate this segment.
	// Equivalence on windows: _MEMORY_BASIC_INFORMATION->AllocationProtect
	AllocatedPermissions procio.Permissions `json:"allocatedPermissions"`

	// CurrentPermissions is the Permissions that the segment currently has.
	// This may differ from AllocatedPermissions if the permissions were changed
	// at some point (e.g. via VirtualProtect). A segment whose current
	// permissions exceed the allocated ones (e.g. newly writable+executable)
	// is worth surfacing in analysis.
	// Equivalence on windows: _MEMORY_BASIC_INFORMATION->Protect
	CurrentPermissions procio.Permissions `json:"currentPermissions"`

	// Size contains the size of the segment in bytes.
	// Equivalence on windows: _MEMORY_BASIC_INFORMATION->RegionSize
	Size uintptr `json:"size"`

	// RSS contains the ResidentSetSize as reported on linux, i.e.
	// the amount of RAM this segment actually uses right now.
	// Equivalence on windows: No equivalence, this is currently always equal to Size.
	RSS uintptr `json:"rss"`

	// State contains the current State of the segment.
	// Equivalence on windows: _MEMORY_BASIC_INFORMATION->State
	State procio.State `json:"state"`

	// Type contains the Type of the segment.
	// Equivalence on windows: _MEMORY_BASIC_INFORMATION->SegmentType
	Type procio.SegmentType `json:"type"`

	// MappedFile describes the file backing this segment, if any. The field
	// is a *File, so the "no file mapping" case is presumably nil rather
	// than an empty path — confirm against the code that fills it.
	MappedFile *File `json:"mappedFile"`
}

MemorySegmentInfo contains information about a memory segment.

type MetaInformation

// MetaInformation describes the producer and format of a report; it is what
// GetMetaInformation returns.
type MetaInformation struct {
	// YapscanVersion is the version of the tool that produced the report.
	YapscanVersion version.Version `json:"yapscanVersion"`

	// FormatVersion is the report format version; presumably the package
	// level FormatVersion — confirm.
	FormatVersion version.Version `json:"formatVersion"`

	// SchemaURLs maps a name to the JSON schema identifying that part of the
	// report (see MetaV1Schema). NOTE(review): these come from the report
	// itself; a validator that dereferences them over the network would be
	// trusting the report's own pointers — confirm how NewOnlineValidator
	// uses them before validating untrusted input.
	SchemaURLs map[string]string `json:"schemaURLs"`
}

func GetMetaInformation

func GetMetaInformation() *MetaInformation

type Parser

type Parser struct{}

func NewParser

func NewParser() *Parser

func (*Parser) Parse

func (p *Parser) Parse(rdr Reader) (*Report, error)

type ProcessInfo

// ProcessInfo represents information about a Process.
type ProcessInfo struct {
	// PID is the process id.
	PID int `json:"pid"`

	// Bitness is the process' architecture bitness.
	Bitness arch.Bitness `json:"bitness"`

	// ExecutablePath is the path of the process' main executable.
	ExecutablePath string `json:"executablePath"`

	// ExecutableMD5 and ExecutableSHA256 are digests of the executable.
	// Unlike File.MD5Sum/SHA256Sum they are not omitempty, so an unhashed
	// executable appears as an empty string in JSON. Base identity or
	// integrity decisions on the SHA-256 value; MD5 is not
	// collision-resistant.
	ExecutableMD5    string `json:"executableMD5"`
	ExecutableSHA256 string `json:"executableSHA256"`

	// Username is the name of the user associated with the process.
	Username string `json:"username"`

	// MemorySegments lists the process' memory segments as recorded by
	// the scan.
	MemorySegments []*MemorySegmentInfo `json:"memorySegments"`
}

ProcessInfo represents information about a Process.

type ProfilingInformation

// ProfilingInformation is one sample of host resource usage taken during a
// scan (see ScanningStatistics.ProfilingInformation). Units of FreeRAM and
// FreeSwap are not visible in this listing — presumably bytes, confirm.
type ProfilingInformation struct {
	Time                  Time    `json:"time"`
	FreeRAM               uintptr `json:"freeRAM"`
	FreeSwap              uintptr `json:"freeSwap"`
	LoadAvgOneMinute      float64 `json:"loadAvgOneMinute"`
	LoadAvgFiveMinutes    float64 `json:"loadAvgFiveMinutes"`
	LoadAvgFifteenMinutes float64 `json:"loadAvgFifteenMinutes"`
}

type Reader

// Reader gives access to the individual parts of a stored report. Each Open*
// method returns one part as a stream; the caller owns the returned
// io.ReadCloser and must close it. The Reader itself is also an io.Closer.
type Reader interface {
	// SetPassword supplies a password for the report. What it unlocks is not
	// visible in this listing — confirm.
	SetPassword(password string)
	// SetKeyring supplies an OpenPGP keyring (see ReadArmoredKeyring).
	// Whether it is used for decryption, for signature verification, or both
	// is not visible here — confirm before relying on it for reports from an
	// untrusted source.
	SetKeyring(keyring openpgp.KeyRing)
	// OpenMeta opens the meta information part (presumably MetaFileName).
	OpenMeta() (io.ReadCloser, error)
	// OpenSystemInformation opens the system info part (presumably
	// SystemInfoFileName).
	OpenSystemInformation() (io.ReadCloser, error)
	// OpenStatistics opens the scanning statistics part (presumably
	// ScanningStatisticsFileName).
	OpenStatistics() (io.ReadCloser, error)
	// OpenProcesses opens the process list part (presumably ProcessesFileName).
	OpenProcesses() (io.ReadCloser, error)
	// OpenMemoryScans opens the memory scan results (presumably
	// MemoryScansFileName).
	OpenMemoryScans() (io.ReadCloser, error)
	// OpenFileScans opens the file scan results (presumably FileScansFileName).
	OpenFileScans() (io.ReadCloser, error)
	// Close releases the underlying report.
	io.Closer
}

func NewFileReader

func NewFileReader(path string) Reader

type Report

// Report is the fully parsed, in-memory form of a report as produced by
// Parser.Parse. Each field presumably corresponds to one Reader.Open* part;
// which fields may be nil when a part is missing is not visible here —
// callers should nil-check before dereferencing.
type Report struct {
	Meta        *MetaInformation
	Stats       *ScanningStatistics
	SystemInfo  *SystemInfo
	Processes   []*ProcessInfo
	MemoryScans []*MemoryScan
	FileScans   []*FileScan
}

type ScanningStatistics

// ScanningStatistics holds statistic information about a scan: its Start and
// End times, counters for what was scanned, and the ProfilingInformation
// samples collected while it ran.
type ScanningStatistics struct {
	Start                      Time                    `json:"start"`
	End                        Time                    `json:"end"`
	NumberOfProcessesScanned   uint64                  `json:"numberOfProcessesScanned"`
	NumberOfSegmentsScanned    uint64                  `json:"numberOfSegmentsScanned"`
	NumberOfMemoryBytesScanned uint64                  `json:"numberOfMemoryBytesScanned"`
	NumberOfFileBytesScanned   uint64                  `json:"numberOfFileBytesScanned"`
	NumberOfFilesScanned       uint64                  `json:"numberOfFilesScanned"`
	ProfilingInformation       []*ProfilingInformation `json:"profilingInformation"`
}

ScanningStatistics holds statistic information about a scan.

type SystemInfo

// SystemInfo contains information about the running system. Hostname and IPs
// identify the host and are useful for correlating a report with other
// telemetry; none of the fields are omitempty, so absent values serialise
// as zero values. Units of TotalRAM and TotalSwap are not visible here —
// presumably bytes, confirm.
type SystemInfo struct {
	OSName    string   `json:"osName"`
	OSVersion string   `json:"osVersion"`
	OSFlavour string   `json:"osFlavour"`
	OSArch    arch.T   `json:"osArch"`
	Hostname  string   `json:"hostname"`
	IPs       []string `json:"ips"`
	NumCPUs   int      `json:"numCPUs"`
	TotalRAM  uintptr  `json:"totalRAM"`
	TotalSwap uintptr  `json:"totalSwap"`
}

SystemInfo contains information about the running system.

type Time

// Time wraps time.Time to give the report its own JSON representation: the
// type defines MarshalJSON and UnmarshalJSON (bodies not shown here), and
// Now returns the current instant as a Time. Presumably rendered with the
// package's Format layout — confirm.
type Time struct {
	time.Time
}

func Now

func Now() Time

func (Time) MarshalJSON

func (t Time) MarshalJSON() ([]byte, error)

func (*Time) UnmarshalJSON

func (t *Time) UnmarshalJSON(b []byte) error

type Validator

// Validator checks a report against its JSON schemas via ValidateReport.
// It is constructed by NewOfflineValidator or NewOnlineValidator, both taking
// a schemaRootPath; the difference between them (presumably whether schemas
// may be fetched remotely) is not visible in this listing — confirm, since
// it determines whether validating an untrusted report causes network access.
type Validator struct {
	// contains filtered or unexported fields
}

func NewOfflineValidator

func NewOfflineValidator(schemaRootPath string) *Validator

func NewOnlineValidator

func NewOnlineValidator(schemaRootPath string) *Validator

func (*Validator) ValidateReport

func (v *Validator) ValidateReport(rdr Reader) error
