Index ¶
- func ConvertYaraMatchRules(mr []yara.MatchRule) []*report.Match
- func GenerateRandomSalt(saltLength int) []byte
- func NewZSTDCompressor(out io.Writer) io.WriteCloser
- type AnalysisReporter
- func (r *AnalysisReporter) Close() error
- func (r *AnalysisReporter) ConsumeFSScanProgress(progress <-chan *fileio.FSScanProgress) error
- func (r *AnalysisReporter) ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error
- func (r *AnalysisReporter) ReportRules(rules *yara.Rules) error
- func (r *AnalysisReporter) ReportScanningStatistics(stats *yapscan.ScanningStatistics) error
- func (r *AnalysisReporter) ReportSystemInfo(info *system.Info) error
- type AnalysisReporterFactory
- func (f *AnalysisReporterFactory) AutoCloseArchiver() *AnalysisReporterFactory
- func (f *AnalysisReporterFactory) Build() (*AnalysisReporter, error)
- func (f *AnalysisReporterFactory) WithDumpStorage(ds DumpStorage) *AnalysisReporterFactory
- func (f *AnalysisReporterFactory) WithFilenamePrefix(prefix string) *AnalysisReporterFactory
- type AnonymizedFile
- type Anonymizer
- func (a *Anonymizer) Anonymize(data string) string
- func (a *Anonymizer) AnonymizeCaseInsensitive(data string) string
- func (a *Anonymizer) AnonymizeFile(file fileio.File) fileio.File
- func (a *Anonymizer) AnonymizeMemorySegment(segment *procio.MemorySegmentInfo) *procio.MemorySegmentInfo
- func (a *Anonymizer) AnonymizeMemorySegments(segments []*procio.MemorySegmentInfo) []*procio.MemorySegmentInfo
- func (a *Anonymizer) AnonymizePath(path string) string
- type AnonymizingFilter
- func (f *AnonymizingFilter) Chain(other Filter) Filter
- func (f *AnonymizingFilter) FilterFSScanProgress(scan *fileio.FSScanProgress) *fileio.FSScanProgress
- func (f *AnonymizingFilter) FilterMemoryScanProgress(scan *yapscan.MemoryScanProgress) *yapscan.MemoryScanProgress
- func (f *AnonymizingFilter) FilterRules(rules *yara.Rules) *yara.Rules
- func (f *AnonymizingFilter) FilterSystemInfo(info *system.Info) *system.Info
- type ArchiveDumpStorage
- type Dump
- type DumpOrError
- type DumpStorage
- type FileScan
- type Filter
- type FilteringReporter
- func (r *FilteringReporter) Close() error
- func (r *FilteringReporter) ConsumeFSScanProgress(progress <-chan *fileio.FSScanProgress) error
- func (r *FilteringReporter) ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error
- func (r *FilteringReporter) ReportRules(rules *yara.Rules) error
- func (r *FilteringReporter) ReportScanningStatistics(stats *yapscan.ScanningStatistics) error
- func (r *FilteringReporter) ReportSystemInfo(info *system.Info) error
- type MultiReporter
- func (r *MultiReporter) Close() error
- func (r *MultiReporter) ConsumeFSScanProgress(progress <-chan *fileio.FSScanProgress) error
- func (r *MultiReporter) ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error
- func (r *MultiReporter) ReportRules(rules *yara.Rules) error
- func (r *MultiReporter) ReportScanningStatistics(stats *yapscan.ScanningStatistics) error
- func (r *MultiReporter) ReportSystemInfo(info *system.Info) error
- type NOPFilter
- func (c *NOPFilter) Chain(f Filter) Filter
- func (c *NOPFilter) FilterFSScanProgress(scan *fileio.FSScanProgress) *fileio.FSScanProgress
- func (c *NOPFilter) FilterMemoryScanProgress(scan *yapscan.MemoryScanProgress) *yapscan.MemoryScanProgress
- func (c *NOPFilter) FilterRules(rules *yara.Rules) *yara.Rules
- func (c *NOPFilter) FilterSystemInfo(info *system.Info) *system.Info
- type NoEmptyScansFilter
- func (f *NoEmptyScansFilter) Chain(other Filter) Filter
- func (f *NoEmptyScansFilter) FilterFSScanProgress(scan *fileio.FSScanProgress) *fileio.FSScanProgress
- func (f *NoEmptyScansFilter) FilterMemoryScanProgress(scan *yapscan.MemoryScanProgress) *yapscan.MemoryScanProgress
- func (f *NoEmptyScansFilter) FilterRules(rules *yara.Rules) *yara.Rules
- func (f *NoEmptyScansFilter) FilterSystemInfo(info *system.Info) *system.Info
- type OutputDecorator
- type ProgressFormatter
- type ReadableDumpStorage
- type ReportAnonymizer
- func (a *ReportAnonymizer) AnonymizeFile(file *report.File) *report.File
- func (a *ReportAnonymizer) AnonymizeFileScans(scans []*report.FileScan) []*report.FileScan
- func (a *ReportAnonymizer) AnonymizeMemorySegments(segments []*report.MemorySegmentInfo) []*report.MemorySegmentInfo
- func (a *ReportAnonymizer) AnonymizeProcesses(processes []*report.ProcessInfo) []*report.ProcessInfo
- func (a *ReportAnonymizer) AnonymizeReport(rprt *report.Report) *report.Report
- func (a *ReportAnonymizer) AnonymizeSystemInfo(info *report.SystemInfo) *report.SystemInfo
- type Reporter
- type WriteCloserBuilder
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ConvertYaraMatchRules ¶ added in v0.5.0
ConvertYaraMatchRules converts the given slice of yara.MatchRule to a slice of *Match.
func GenerateRandomSalt ¶ added in v0.15.0
func NewZSTDCompressor ¶ added in v0.6.0
func NewZSTDCompressor(out io.Writer) io.WriteCloser
Types ¶
type AnalysisReporter ¶
type AnalysisReporter struct {
// contains filtered or unexported fields
}
AnalysisReporter implements a Reporter, which is specifically intended for later analysis of the report in order to determine rule quality.
func (*AnalysisReporter) Close ¶
func (r *AnalysisReporter) Close() error
Close closes the AnalysisReporter and all associated files.
func (*AnalysisReporter) ConsumeFSScanProgress ¶
func (r *AnalysisReporter) ConsumeFSScanProgress(progress <-chan *fileio.FSScanProgress) error
ConsumeFSScanProgress consumes and reports all *fileio.FSScanProgress instances sent on the given channel. This function may only be called once; otherwise the behaviour depends on the Archiver in use.
func (*AnalysisReporter) ConsumeMemoryScanProgress ¶
func (r *AnalysisReporter) ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error
ConsumeMemoryScanProgress consumes and reports all *yapscan.MemoryScanProgress instances sent on the given channel. This function may only be called once; otherwise the behaviour depends on the Archiver in use.
func (*AnalysisReporter) ReportRules ¶
func (r *AnalysisReporter) ReportRules(rules *yara.Rules) error
ReportRules reports the given *yara.Rules. This function may only be called once; otherwise the behaviour depends on the Archiver in use.
func (*AnalysisReporter) ReportScanningStatistics ¶ added in v0.7.0
func (r *AnalysisReporter) ReportScanningStatistics(stats *yapscan.ScanningStatistics) error
ReportScanningStatistics reports scanning statistics. This function may only be called once; otherwise the behaviour depends on the Archiver in use.
func (*AnalysisReporter) ReportSystemInfo ¶
func (r *AnalysisReporter) ReportSystemInfo(info *system.Info) error
ReportSystemInfo reports info about the running system. This function may only be called once; otherwise the behaviour depends on the Archiver in use.
type AnalysisReporterFactory ¶ added in v0.6.0
type AnalysisReporterFactory struct {
// contains filtered or unexported fields
}
func NewAnalysisReporterFactory ¶ added in v0.6.0
func NewAnalysisReporterFactory(archiver archiver.Archiver) *AnalysisReporterFactory
func (*AnalysisReporterFactory) AutoCloseArchiver ¶ added in v0.6.0
func (f *AnalysisReporterFactory) AutoCloseArchiver() *AnalysisReporterFactory
func (*AnalysisReporterFactory) Build ¶ added in v0.6.0
func (f *AnalysisReporterFactory) Build() (*AnalysisReporter, error)
func (*AnalysisReporterFactory) WithDumpStorage ¶ added in v0.6.0
func (f *AnalysisReporterFactory) WithDumpStorage(ds DumpStorage) *AnalysisReporterFactory
func (*AnalysisReporterFactory) WithFilenamePrefix ¶ added in v0.6.0
func (f *AnalysisReporterFactory) WithFilenamePrefix(prefix string) *AnalysisReporterFactory
type AnonymizedFile ¶ added in v0.8.0
type AnonymizedFile struct {
	FilePath  string `json:"path"`
	MD5Sum    string `json:"md5,omitempty"`
	SHA256Sum string `json:"sha256,omitempty"`
	// contains filtered or unexported fields
}
func (*AnonymizedFile) EnableHashMarshalling ¶ added in v0.8.0
func (f *AnonymizedFile) EnableHashMarshalling() (err error)
func (*AnonymizedFile) Hashes ¶ added in v0.8.0
func (f *AnonymizedFile) Hashes() (md5sum, sha256sum string, err error)
func (*AnonymizedFile) Path ¶ added in v0.8.0
func (f *AnonymizedFile) Path() string
type Anonymizer ¶ added in v0.6.0
type Anonymizer struct {
	Salt []byte
	// contains filtered or unexported fields
}
func NewAnonymizer ¶ added in v0.6.0
func NewAnonymizer(salt []byte) *Anonymizer
func NewAnonymizerForOS ¶ added in v0.15.0
func NewAnonymizerForOS(salt []byte, os string) *Anonymizer
func (*Anonymizer) Anonymize ¶ added in v0.6.0
func (a *Anonymizer) Anonymize(data string) string
func (*Anonymizer) AnonymizeCaseInsensitive ¶ added in v0.6.0
func (a *Anonymizer) AnonymizeCaseInsensitive(data string) string
func (*Anonymizer) AnonymizeFile ¶ added in v0.8.0
func (a *Anonymizer) AnonymizeFile(file fileio.File) fileio.File
func (*Anonymizer) AnonymizeMemorySegment ¶ added in v0.6.0
func (a *Anonymizer) AnonymizeMemorySegment(segment *procio.MemorySegmentInfo) *procio.MemorySegmentInfo
func (*Anonymizer) AnonymizeMemorySegments ¶ added in v0.6.0
func (a *Anonymizer) AnonymizeMemorySegments(segments []*procio.MemorySegmentInfo) []*procio.MemorySegmentInfo
func (*Anonymizer) AnonymizePath ¶ added in v0.6.0
func (a *Anonymizer) AnonymizePath(path string) string
type AnonymizingFilter ¶ added in v0.6.0
type AnonymizingFilter struct {
Anonymizer *Anonymizer
}
func NewAnonymizingFilter ¶ added in v0.6.0
func NewAnonymizingFilter(salt []byte) *AnonymizingFilter
func NewAnonymizingFilterWithRandomSalt ¶ added in v0.6.0
func NewAnonymizingFilterWithRandomSalt(saltLength int) (*AnonymizingFilter, error)
func (*AnonymizingFilter) Chain ¶ added in v0.6.0
func (f *AnonymizingFilter) Chain(other Filter) Filter
func (*AnonymizingFilter) FilterFSScanProgress ¶ added in v0.6.0
func (f *AnonymizingFilter) FilterFSScanProgress(scan *fileio.FSScanProgress) *fileio.FSScanProgress
func (*AnonymizingFilter) FilterMemoryScanProgress ¶ added in v0.6.0
func (f *AnonymizingFilter) FilterMemoryScanProgress(scan *yapscan.MemoryScanProgress) *yapscan.MemoryScanProgress
func (*AnonymizingFilter) FilterRules ¶ added in v0.6.0
func (f *AnonymizingFilter) FilterRules(rules *yara.Rules) *yara.Rules
func (*AnonymizingFilter) FilterSystemInfo ¶ added in v0.6.0
func (f *AnonymizingFilter) FilterSystemInfo(info *system.Info) *system.Info
type ArchiveDumpStorage ¶ added in v0.6.0
type ArchiveDumpStorage struct {
	// The prefix of filenames created in the Archiver.
	FilePrefix string
	// contains filtered or unexported fields
}
ArchiveDumpStorage stores dumps using an Archiver.
func NewArchiveDumpStorage ¶ added in v0.6.0
func NewArchiveDumpStorage(archiver archiver2.Archiver) *ArchiveDumpStorage
NewArchiveDumpStorage creates a new ArchiveDumpStorage with an Archiver backend.
func (*ArchiveDumpStorage) Close ¶ added in v0.6.0
func (s *ArchiveDumpStorage) Close() error
func (*ArchiveDumpStorage) Store ¶ added in v0.6.0
func (s *ArchiveDumpStorage) Store(dump *Dump) error
Store stores a new dump. Depending on the underlying Archiver, this may not be safe to call concurrently.
type Dump ¶
type Dump struct {
	PID     int
	Segment *procio.MemorySegmentInfo
	Data    io.ReadCloser
}
Dump contains the dump of a memory segment.
type DumpOrError ¶
DumpOrError contains either a Dump or an Err.
type DumpStorage ¶
DumpStorage provides capability to store dumps.
type FileScan ¶ added in v0.13.0
type FileScan struct {
	File    fileio.File     `json:"file"`
	Matches []*report.Match `json:"match"`
	Error   interface{}     `json:"error"`
}
FileScan represents all matches on a file.
type Filter ¶ added in v0.6.0
type Filter interface {
	Chain(f Filter) Filter
	FilterSystemInfo(info *system.Info) *system.Info
	FilterRules(rules *yara.Rules) *yara.Rules
	FilterMemoryScanProgress(scan *yapscan.MemoryScanProgress) *yapscan.MemoryScanProgress
	FilterFSScanProgress(scan *fileio.FSScanProgress) *fileio.FSScanProgress
}
type FilteringReporter ¶ added in v0.6.0
func (*FilteringReporter) Close ¶ added in v0.6.0
func (r *FilteringReporter) Close() error
func (*FilteringReporter) ConsumeFSScanProgress ¶ added in v0.6.0
func (r *FilteringReporter) ConsumeFSScanProgress(progress <-chan *fileio.FSScanProgress) error
func (*FilteringReporter) ConsumeMemoryScanProgress ¶ added in v0.6.0
func (r *FilteringReporter) ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error
func (*FilteringReporter) ReportRules ¶ added in v0.6.0
func (r *FilteringReporter) ReportRules(rules *yara.Rules) error
func (*FilteringReporter) ReportScanningStatistics ¶ added in v0.7.0
func (r *FilteringReporter) ReportScanningStatistics(stats *yapscan.ScanningStatistics) error
func (*FilteringReporter) ReportSystemInfo ¶ added in v0.6.0
func (r *FilteringReporter) ReportSystemInfo(info *system.Info) error
type MultiReporter ¶
type MultiReporter struct {
Reporters []Reporter
}
MultiReporter is a Reporter which forwards all information it receives to every given Reporter.
func (*MultiReporter) ConsumeFSScanProgress ¶
func (r *MultiReporter) ConsumeFSScanProgress(progress <-chan *fileio.FSScanProgress) error
ConsumeFSScanProgress consumes and reports all *fileio.FSScanProgress instances sent on the given channel.
func (*MultiReporter) ConsumeMemoryScanProgress ¶
func (r *MultiReporter) ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error
ConsumeMemoryScanProgress consumes and reports all *yapscan.MemoryScanProgress instances sent on the given channel.
func (*MultiReporter) ReportRules ¶
func (r *MultiReporter) ReportRules(rules *yara.Rules) error
ReportRules reports the given *yara.Rules.
func (*MultiReporter) ReportScanningStatistics ¶ added in v0.7.0
func (r *MultiReporter) ReportScanningStatistics(stats *yapscan.ScanningStatistics) error
ReportScanningStatistics reports scanning statistics.
func (*MultiReporter) ReportSystemInfo ¶
func (r *MultiReporter) ReportSystemInfo(info *system.Info) error
ReportSystemInfo retrieves and reports info about the running system.
type NOPFilter ¶ added in v0.7.0
type NOPFilter struct{}
NOPFilter is a filter that does nothing. Any FilteringReporter which uses it behaves as an unfiltered Reporter.
func (*NOPFilter) FilterFSScanProgress ¶ added in v0.7.0
func (c *NOPFilter) FilterFSScanProgress(scan *fileio.FSScanProgress) *fileio.FSScanProgress
func (*NOPFilter) FilterMemoryScanProgress ¶ added in v0.7.0
func (c *NOPFilter) FilterMemoryScanProgress(scan *yapscan.MemoryScanProgress) *yapscan.MemoryScanProgress
func (*NOPFilter) FilterRules ¶ added in v0.7.0
func (c *NOPFilter) FilterRules(rules *yara.Rules) *yara.Rules
type NoEmptyScansFilter ¶ added in v0.6.0
type NoEmptyScansFilter struct{}
func (*NoEmptyScansFilter) Chain ¶ added in v0.6.0
func (f *NoEmptyScansFilter) Chain(other Filter) Filter
func (*NoEmptyScansFilter) FilterFSScanProgress ¶ added in v0.6.0
func (f *NoEmptyScansFilter) FilterFSScanProgress(scan *fileio.FSScanProgress) *fileio.FSScanProgress
func (*NoEmptyScansFilter) FilterMemoryScanProgress ¶ added in v0.6.0
func (f *NoEmptyScansFilter) FilterMemoryScanProgress(scan *yapscan.MemoryScanProgress) *yapscan.MemoryScanProgress
func (*NoEmptyScansFilter) FilterRules ¶ added in v0.6.0
func (f *NoEmptyScansFilter) FilterRules(rules *yara.Rules) *yara.Rules
func (*NoEmptyScansFilter) FilterSystemInfo ¶ added in v0.6.0
func (f *NoEmptyScansFilter) FilterSystemInfo(info *system.Info) *system.Info
type OutputDecorator ¶ added in v0.6.0
type OutputDecorator struct {
// contains filtered or unexported fields
}
func PGPEncryptionDecorator ¶ added in v0.6.0
func PGPEncryptionDecorator(ring openpgp.EntityList, dataIsBinary bool) *OutputDecorator
func PGPSymmetricEncryptionDecorator ¶ added in v0.6.0
func PGPSymmetricEncryptionDecorator(password string, dataIsBinary bool) *OutputDecorator
func ZSTDCompressionDecorator ¶ added in v0.6.0
func ZSTDCompressionDecorator() *OutputDecorator
type ProgressFormatter ¶
type ProgressFormatter interface {
	FormatMemoryScanProgress(progress *yapscan.MemoryScanProgress) string
	FormatFSScanProgress(progress *fileio.FSScanProgress) string
	FormatPath(path string, maxlen int) string
}
ProgressFormatter formats progress information.
func NewPrettyFormatter ¶
func NewPrettyFormatter(showStringMatches bool) ProgressFormatter
NewPrettyFormatter creates a new pretty formatter for human readable console output.
type ReadableDumpStorage ¶
type ReadableDumpStorage interface {
	DumpStorage
	// Retrieve retrieves the dumps stored in this DumpStorage.
	Retrieve(ctx context.Context) <-chan *DumpOrError
}
ReadableDumpStorage is a DumpStorage that can also Retrieve dumps after storing.
type ReportAnonymizer ¶ added in v0.15.0
type ReportAnonymizer struct {
Anonymizer *Anonymizer
}
func NewReportAnonymizer ¶ added in v0.15.0
func NewReportAnonymizer(anonymizer *Anonymizer) *ReportAnonymizer
func (*ReportAnonymizer) AnonymizeFile ¶ added in v0.15.0
func (a *ReportAnonymizer) AnonymizeFile(file *report.File) *report.File
func (*ReportAnonymizer) AnonymizeFileScans ¶ added in v0.15.0
func (a *ReportAnonymizer) AnonymizeFileScans(scans []*report.FileScan) []*report.FileScan
func (*ReportAnonymizer) AnonymizeMemorySegments ¶ added in v0.15.0
func (a *ReportAnonymizer) AnonymizeMemorySegments(segments []*report.MemorySegmentInfo) []*report.MemorySegmentInfo
func (*ReportAnonymizer) AnonymizeProcesses ¶ added in v0.15.0
func (a *ReportAnonymizer) AnonymizeProcesses(processes []*report.ProcessInfo) []*report.ProcessInfo
func (*ReportAnonymizer) AnonymizeReport ¶ added in v0.15.0
func (a *ReportAnonymizer) AnonymizeReport(rprt *report.Report) *report.Report
func (*ReportAnonymizer) AnonymizeSystemInfo ¶ added in v0.15.0
func (a *ReportAnonymizer) AnonymizeSystemInfo(info *report.SystemInfo) *report.SystemInfo
type Reporter ¶
type Reporter interface {
	ReportSystemInfo(info *system.Info) error
	ReportRules(rules *yara.Rules) error
	ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error
	ConsumeFSScanProgress(progress <-chan *fileio.FSScanProgress) error
	ReportScanningStatistics(stats *yapscan.ScanningStatistics) error
	io.Closer
}
Reporter provides capability to report on scanning progress.
func NewProgressReporter ¶
func NewProgressReporter(out io.WriteCloser, formatter ProgressFormatter) Reporter
NewProgressReporter creates a new Reporter which writes memory and file scanning progress to the given io.WriteCloser out, using the ProgressFormatter formatter for formatting. This Reporter is intended for live updates to the console; hence ReportSystemInfo() and ReportRules() do nothing.
type WriteCloserBuilder ¶ added in v0.6.0
type WriteCloserBuilder struct {
// contains filtered or unexported fields
}
func NewWriteCloserBuilder ¶ added in v0.6.0
func NewWriteCloserBuilder() *WriteCloserBuilder
func (*WriteCloserBuilder) Append ¶ added in v0.6.0
func (b *WriteCloserBuilder) Append(decorator *OutputDecorator) *WriteCloserBuilder
Append appends a decorator. The appended decorator will be the first one to mutate any input.
func (*WriteCloserBuilder) Build ¶ added in v0.6.0
func (b *WriteCloserBuilder) Build(finalOutput io.WriteCloser) (io.WriteCloser, error)
func (*WriteCloserBuilder) SuggestedFileExtension ¶ added in v0.6.0
func (b *WriteCloserBuilder) SuggestedFileExtension() string