Published: Mar 3, 2023 License: AGPL-3.0 Imports: 26 Imported by: 0


Constants

This section is empty.

Variables

This section is empty.

Functions

func ConvertYaraMatchRules added in v0.5.0

func ConvertYaraMatchRules(mr []yara.MatchRule) []*report.Match

ConvertYaraMatchRules converts the given slice of yara.MatchRule to a slice of *Match.

func GenerateRandomSalt added in v0.15.0

func GenerateRandomSalt(saltLength int) []byte

func NewZSTDCompressor added in v0.6.0

func NewZSTDCompressor(out io.Writer) io.WriteCloser

Types

type AnalysisReporter

// AnalysisReporter implements Reporter and writes everything it receives
// (system info, rules, scan progress, statistics) to an archiver.Archiver so
// the run can be analysed later, e.g. to judge rule quality. Build one through
// AnalysisReporterFactory; each Report*/Consume* method is expected to be
// called at most once, as the underlying Archiver may not tolerate repeats.
type AnalysisReporter struct {
	// contains filtered or unexported fields
}

AnalysisReporter implements a Reporter, which is specifically intended for later analysis of the report in order to determine rule quality.

func (*AnalysisReporter) Close

func (r *AnalysisReporter) Close() error

Close closes the AnalysisReporter and all associated files.

func (*AnalysisReporter) ConsumeFSScanProgress

func (r *AnalysisReporter) ConsumeFSScanProgress(progress <-chan *fileio.FSScanProgress) error

ConsumeFSScanProgress consumes and reports all *yapscan.FSScanProgress instances sent in the given channel. This function may only be called once, otherwise the behaviour depends on the used Archiver.

func (*AnalysisReporter) ConsumeMemoryScanProgress

func (r *AnalysisReporter) ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error

ConsumeMemoryScanProgress consumes and reports all *yapscan.MemoryScanProgress instances sent in the given channel. This function may only be called once, otherwise the behaviour depends on the used Archiver.

func (*AnalysisReporter) ReportRules

func (r *AnalysisReporter) ReportRules(rules *yara.Rules) error

ReportRules reports the given *yara.Rules. This function may only be called once, otherwise the behaviour depends on the used Archiver.

func (*AnalysisReporter) ReportScanningStatistics added in v0.7.0

func (r *AnalysisReporter) ReportScanningStatistics(stats *yapscan.ScanningStatistics) error

ReportScanningStatistics reports about scanning statistics. This function may only be called once, otherwise the behaviour depends on the used Archiver.

func (*AnalysisReporter) ReportSystemInfo

func (r *AnalysisReporter) ReportSystemInfo(info *system.Info) error

ReportSystemInfo reports info about the running system. This function may only be called once, otherwise the behaviour depends on the used Archiver.

type AnalysisReporterFactory added in v0.6.0

// AnalysisReporterFactory configures and builds an AnalysisReporter.
// Create it with NewAnalysisReporterFactory(archiver), optionally tune it with
// AutoCloseArchiver, WithDumpStorage and WithFilenamePrefix (each returns the
// factory, so calls can be chained), then call Build.
type AnalysisReporterFactory struct {
	// contains filtered or unexported fields
}

func NewAnalysisReporterFactory added in v0.6.0

func NewAnalysisReporterFactory(archiver archiver.Archiver) *AnalysisReporterFactory

func (*AnalysisReporterFactory) AutoCloseArchiver added in v0.6.0

func (f *AnalysisReporterFactory) AutoCloseArchiver() *AnalysisReporterFactory

func (*AnalysisReporterFactory) Build added in v0.6.0

func (*AnalysisReporterFactory) WithDumpStorage added in v0.6.0

func (*AnalysisReporterFactory) WithFilenamePrefix added in v0.6.0

func (f *AnalysisReporterFactory) WithFilenamePrefix(prefix string) *AnalysisReporterFactory

type AnonymizedFile added in v0.8.0

// AnonymizedFile is the anonymized view of a scanned file as produced by
// Anonymizer.AnonymizeFile. It exposes the fileio.File-style accessors
// (Path, Stat, Hashes, Device, Inode, Offset) and marshals to JSON with the
// tags below.
type AnonymizedFile struct {
	// FilePath is the (anonymized) path of the file; serialised as "path".
	FilePath  string `json:"path"`
	// MD5Sum is the file's MD5 digest in string form; omitted from JSON when
	// empty. Presumably only filled after EnableHashMarshalling — confirm.
	// NOTE(review): MD5 is not collision-resistant; when a digest is used to
	// identify a file, SHA256Sum is the one to rely on.
	MD5Sum    string `json:"md5,omitempty"`
	// SHA256Sum is the file's SHA-256 digest in string form; omitted from
	// JSON when empty. Presumably only filled after EnableHashMarshalling —
	// confirm.
	SHA256Sum string `json:"sha256,omitempty"`
	// contains filtered or unexported fields
}

func (*AnonymizedFile) Device added in v0.17.0

func (f *AnonymizedFile) Device() uint64

func (*AnonymizedFile) EnableHashMarshalling added in v0.8.0

func (f *AnonymizedFile) EnableHashMarshalling() (err error)

func (*AnonymizedFile) Hashes added in v0.8.0

func (f *AnonymizedFile) Hashes() (md5sum, sha256sum string, err error)

func (*AnonymizedFile) Inode added in v0.17.0

func (f *AnonymizedFile) Inode() uint64

func (*AnonymizedFile) Offset added in v0.17.0

func (f *AnonymizedFile) Offset() uint64

func (*AnonymizedFile) Path added in v0.8.0

func (f *AnonymizedFile) Path() string

func (*AnonymizedFile) Stat added in v0.8.0

func (f *AnonymizedFile) Stat() (os.FileInfo, error)

type Anonymizer added in v0.6.0

// Anonymizer replaces identifying strings (paths, memory segment details,
// files) with anonymized values derived with a salt. Construct it with
// NewAnonymizer or NewAnonymizerForOS; GenerateRandomSalt can supply the salt.
type Anonymizer struct {
	// Salt is mixed into every anonymized value. NOTE(review): the
	// anonymization is only as strong as this salt — a short, guessable or
	// reused salt makes anonymized values easier to reverse by guessing the
	// original; confirm it is generated randomly (GenerateRandomSalt) and is
	// not shipped alongside the anonymized report.
	Salt []byte
	// contains filtered or unexported fields
}

func NewAnonymizer added in v0.6.0

func NewAnonymizer(salt []byte) *Anonymizer

func NewAnonymizerForOS added in v0.15.0

func NewAnonymizerForOS(salt []byte, os string) *Anonymizer

func (*Anonymizer) Anonymize added in v0.6.0

func (a *Anonymizer) Anonymize(data string) string

func (*Anonymizer) AnonymizeCaseInsensitive added in v0.6.0

func (a *Anonymizer) AnonymizeCaseInsensitive(data string) string

func (*Anonymizer) AnonymizeFile added in v0.8.0

func (a *Anonymizer) AnonymizeFile(file fileio.File) fileio.File

func (*Anonymizer) AnonymizeMemorySegment added in v0.6.0

func (a *Anonymizer) AnonymizeMemorySegment(segment *procio.MemorySegmentInfo) *procio.MemorySegmentInfo

func (*Anonymizer) AnonymizeMemorySegments added in v0.6.0

func (a *Anonymizer) AnonymizeMemorySegments(segments []*procio.MemorySegmentInfo) []*procio.MemorySegmentInfo

func (*Anonymizer) AnonymizePath added in v0.6.0

func (a *Anonymizer) AnonymizePath(path string) string

type AnonymizingFilter added in v0.6.0

// AnonymizingFilter is a Filter that passes system info, rules and scan
// progress through an Anonymizer before they reach a Reporter. Build it with
// NewAnonymizingFilter(salt) or NewAnonymizingFilterWithRandomSalt(saltLength).
type AnonymizingFilter struct {
	// Anonymizer performs the actual anonymization; the Salt it carries is
	// what makes the output irreversible to third parties (see Anonymizer).
	Anonymizer *Anonymizer
}

func NewAnonymizingFilter added in v0.6.0

func NewAnonymizingFilter(salt []byte) *AnonymizingFilter

func NewAnonymizingFilterWithRandomSalt added in v0.6.0

func NewAnonymizingFilterWithRandomSalt(saltLength int) (*AnonymizingFilter, error)

func (*AnonymizingFilter) Chain added in v0.6.0

func (f *AnonymizingFilter) Chain(other Filter) Filter

func (*AnonymizingFilter) FilterFSScanProgress added in v0.6.0

func (f *AnonymizingFilter) FilterFSScanProgress(scan *fileio.FSScanProgress) *fileio.FSScanProgress

func (*AnonymizingFilter) FilterMemoryScanProgress added in v0.6.0

func (f *AnonymizingFilter) FilterMemoryScanProgress(scan *yapscan.MemoryScanProgress) *yapscan.MemoryScanProgress

func (*AnonymizingFilter) FilterRules added in v0.6.0

func (f *AnonymizingFilter) FilterRules(rules *yara.Rules) *yara.Rules

func (*AnonymizingFilter) FilterSystemInfo added in v0.6.0

func (f *AnonymizingFilter) FilterSystemInfo(info *system.Info) *system.Info

type ArchiveDumpStorage added in v0.6.0

// ArchiveDumpStorage is a DumpStorage that writes each Dump into an
// archiver.Archiver. Create it with NewArchiveDumpStorage. Store must not be
// called in parallel when the underlying Archiver does not support that.
type ArchiveDumpStorage struct {

	// FilePrefix is prepended to the name of every file created in the
	// Archiver (see Dump.Filename for the rest of the name).
	FilePrefix string
	// contains filtered or unexported fields
}

ArchiveDumpStorage stores dumps using an Archiver.

func NewArchiveDumpStorage added in v0.6.0

func NewArchiveDumpStorage(archiver archiver2.Archiver) *ArchiveDumpStorage

NewArchiveDumpStorage creates a new ArchiveDumpStorage with an Archiver backend.

func (*ArchiveDumpStorage) Close added in v0.6.0

func (s *ArchiveDumpStorage) Close() error

func (*ArchiveDumpStorage) Store added in v0.6.0

func (s *ArchiveDumpStorage) Store(dump *Dump) error

Store stores a new dump. Depending on the underlying Archiver, this must not be called in parallel.

type Dump

// Dump contains the dump of one memory segment of one process.
type Dump struct {
	// PID is the ID of the process the segment was read from; it is part of
	// the name returned by Filename.
	PID     int
	// Segment describes the dumped segment; its address is also part of the
	// name returned by Filename.
	Segment *procio.MemorySegmentInfo
	// Data yields the raw segment contents. As an io.ReadCloser it has to be
	// closed by whoever consumes it — presumably the DumpStorage that stores
	// it; confirm against the Store implementations.
	Data    io.ReadCloser
}

Dump contains the dump of a memory segment.

func (*Dump) Filename

func (d *Dump) Filename() string

Filename returns a filename with the PID of the process and the address of the Segment of the dump.

type DumpOrError

// DumpOrError is the item type streamed by ReadableDumpStorage.Retrieve.
// Exactly one of the two fields is expected to be set: check Err first and
// only then use Dump.
type DumpOrError struct {
	// Dump is the retrieved dump, nil when Err is set.
	Dump *Dump
	// Err is the error that prevented a dump from being retrieved, if any.
	Err  error
}

DumpOrError contains either a Dump or an Err.

type DumpStorage

// DumpStorage provides the capability to store memory dumps. Close releases
// whatever backs the storage; ArchiveDumpStorage is one implementation.
type DumpStorage interface {
	// Store stores a Dump. Whether concurrent calls are allowed depends on
	// the implementation (ArchiveDumpStorage.Store must not run in parallel).
	Store(dump *Dump) error
	io.Closer
}

DumpStorage provides capability to store dumps.

type FileScan added in v0.13.0

// FileScan represents the result of scanning a single file: the file itself,
// every rule match on it and the error, if the scan failed.
type FileScan struct {
	// File is the scanned file (serialised as "file").
	File    fileio.File     `json:"file"`
	// Matches lists the rule matches found in the file (serialised as
	// "match"); see ConvertYaraMatchRules for how they are produced.
	Matches []*report.Match `json:"match"`
	// Error is the error encountered while scanning, if any. It is typed as
	// interface{} so an arbitrary value can be JSON-marshalled under "error"
	// (`any` would be the equivalent spelling on Go 1.18+).
	Error   interface{}     `json:"error"`
}

FileScan represents all matches on a file.

type Filter added in v0.6.0

// Filter transforms (or drops) the data a Reporter receives. A
// FilteringReporter applies a Filter before forwarding to its Reporter; see
// AnonymizingFilter, NoEmptyScansFilter and NOPFilter for implementations.
// Each Filter* method returns the value to forward; returning nil is
// presumably how an item is dropped — confirm against FilteringReporter.
type Filter interface {
	// Chain combines this filter with f into a single Filter. Which of the
	// two runs first is not documented here — confirm.
	Chain(f Filter) Filter

	// FilterSystemInfo filters the system information report.
	FilterSystemInfo(info *system.Info) *system.Info
	// FilterRules filters the rule set before it is reported.
	FilterRules(rules *yara.Rules) *yara.Rules
	// FilterMemoryScanProgress filters one memory scan progress item.
	FilterMemoryScanProgress(scan *yapscan.MemoryScanProgress) *yapscan.MemoryScanProgress
	// FilterFSScanProgress filters one file system scan progress item.
	FilterFSScanProgress(scan *fileio.FSScanProgress) *fileio.FSScanProgress
}

type FilteringReporter added in v0.6.0

// FilteringReporter is a Reporter that runs everything through Filter before
// handing it to Reporter. With NOPFilter it behaves like the wrapped Reporter.
type FilteringReporter struct {
	// Reporter receives the filtered data.
	Reporter Reporter
	// Filter is applied to every report item first.
	Filter   Filter
}

func (*FilteringReporter) Close added in v0.6.0

func (r *FilteringReporter) Close() error

func (*FilteringReporter) ConsumeFSScanProgress added in v0.6.0

func (r *FilteringReporter) ConsumeFSScanProgress(progress <-chan *fileio.FSScanProgress) error

func (*FilteringReporter) ConsumeMemoryScanProgress added in v0.6.0

func (r *FilteringReporter) ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error

func (*FilteringReporter) ReportRules added in v0.6.0

func (r *FilteringReporter) ReportRules(rules *yara.Rules) error

func (*FilteringReporter) ReportScanningStatistics added in v0.7.0

func (r *FilteringReporter) ReportScanningStatistics(stats *yapscan.ScanningStatistics) error

func (*FilteringReporter) ReportSystemInfo added in v0.6.0

func (r *FilteringReporter) ReportSystemInfo(info *system.Info) error

type MultiReporter

// MultiReporter is a Reporter that forwards everything it receives to each of
// the given Reporters; Close closes all of them.
type MultiReporter struct {
	// Reporters are the targets, in the order they are given.
	Reporters []Reporter
}

MultiReporter is a Reporter which reports all information it receives to all given Reporters.

func (*MultiReporter) Close

func (r *MultiReporter) Close() error

Close closes all reporters.

func (*MultiReporter) ConsumeFSScanProgress

func (r *MultiReporter) ConsumeFSScanProgress(progress <-chan *fileio.FSScanProgress) error

ConsumeFSScanProgress consumes and reports all *yapscan.FSScanProgress instances sent in the given channel.

func (*MultiReporter) ConsumeMemoryScanProgress

func (r *MultiReporter) ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error

ConsumeMemoryScanProgress consumes and reports all *yapscan.MemoryScanProgress instances sent in the given channel.

func (*MultiReporter) ReportRules

func (r *MultiReporter) ReportRules(rules *yara.Rules) error

ReportRules reports the given *yara.Rules.

func (*MultiReporter) ReportScanningStatistics added in v0.7.0

func (r *MultiReporter) ReportScanningStatistics(stats *yapscan.ScanningStatistics) error

ReportScanningStatistics reports scanning statistics.

func (*MultiReporter) ReportSystemInfo

func (r *MultiReporter) ReportSystemInfo(info *system.Info) error

ReportSystemInfo retrieves and reports info about the running system.

type NOPFilter added in v0.7.0

type NOPFilter struct{}

NOPFilter is a filter that does nothing. Any FilteringReporter which uses it behaves as an unfiltered Reporter.

func (*NOPFilter) Chain added in v0.7.0

func (c *NOPFilter) Chain(f Filter) Filter

func (*NOPFilter) FilterFSScanProgress added in v0.7.0

func (c *NOPFilter) FilterFSScanProgress(scan *fileio.FSScanProgress) *fileio.FSScanProgress

func (*NOPFilter) FilterMemoryScanProgress added in v0.7.0

func (c *NOPFilter) FilterMemoryScanProgress(scan *yapscan.MemoryScanProgress) *yapscan.MemoryScanProgress

func (*NOPFilter) FilterRules added in v0.7.0

func (c *NOPFilter) FilterRules(rules *yara.Rules) *yara.Rules

func (*NOPFilter) FilterSystemInfo added in v0.7.0

func (c *NOPFilter) FilterSystemInfo(info *system.Info) *system.Info

type NoEmptyScansFilter added in v0.6.0

type NoEmptyScansFilter struct{}

func (*NoEmptyScansFilter) Chain added in v0.6.0

func (f *NoEmptyScansFilter) Chain(other Filter) Filter

func (*NoEmptyScansFilter) FilterFSScanProgress added in v0.6.0

func (f *NoEmptyScansFilter) FilterFSScanProgress(scan *fileio.FSScanProgress) *fileio.FSScanProgress

func (*NoEmptyScansFilter) FilterMemoryScanProgress added in v0.6.0

func (f *NoEmptyScansFilter) FilterMemoryScanProgress(scan *yapscan.MemoryScanProgress) *yapscan.MemoryScanProgress

func (*NoEmptyScansFilter) FilterRules added in v0.6.0

func (f *NoEmptyScansFilter) FilterRules(rules *yara.Rules) *yara.Rules

func (*NoEmptyScansFilter) FilterSystemInfo added in v0.6.0

func (f *NoEmptyScansFilter) FilterSystemInfo(info *system.Info) *system.Info

type OutputDecorator added in v0.6.0

// OutputDecorator wraps an output stream with a transformation such as PGP
// encryption (PGPEncryptionDecorator, PGPSymmetricEncryptionDecorator) or ZSTD
// compression (ZSTDCompressionDecorator). Decorators are combined with
// WriteCloserBuilder.Append.
type OutputDecorator struct {
	// contains filtered or unexported fields
}

func PGPEncryptionDecorator added in v0.6.0

func PGPEncryptionDecorator(ring openpgp.EntityList, dataIsBinary bool) *OutputDecorator

func PGPSymmetricEncryptionDecorator added in v0.6.0

func PGPSymmetricEncryptionDecorator(password string, dataIsBinary bool) *OutputDecorator

func ZSTDCompressionDecorator added in v0.6.0

func ZSTDCompressionDecorator() *OutputDecorator

type ProgressFormatter

// ProgressFormatter renders scan progress as text for a progress Reporter
// (see NewProgressReporter). NewPrettyFormatter returns one for the console.
type ProgressFormatter interface {
	// FormatMemoryScanProgress renders one memory scan progress item.
	FormatMemoryScanProgress(progress *yapscan.MemoryScanProgress) string
	// FormatFSScanProgress renders one file system scan progress item.
	FormatFSScanProgress(progress *fileio.FSScanProgress) string
	// FormatPath renders path for display; presumably shortened so that it
	// fits into maxlen characters — confirm.
	FormatPath(path string, maxlen int) string
}

ProgressFormatter formats progress information.

func NewPrettyFormatter

func NewPrettyFormatter(showStringMatches bool) ProgressFormatter

NewPrettyFormatter creates a new pretty formatter for human readable console output.

type ReadableDumpStorage

// ReadableDumpStorage is a DumpStorage whose stored dumps can be read back.
type ReadableDumpStorage interface {
	DumpStorage
	// Retrieve streams the dumps stored in this DumpStorage. Each item holds
	// either a Dump or an Err (see DumpOrError); ctx is presumably used to
	// cancel the stream early — confirm.
	Retrieve(ctx context.Context) <-chan *DumpOrError
}

ReadableDumpStorage is a DumpStorage that can also Retrieve dumps after storing.

type ReportAnonymizer added in v0.15.0

// ReportAnonymizer anonymizes an already generated report.Report (and its
// parts: files, file scans, memory segments, processes, system info) using an
// Anonymizer. Create it with NewReportAnonymizer.
type ReportAnonymizer struct {
	// Anonymizer performs the per-value anonymization; see Anonymizer for
	// the role of its Salt.
	Anonymizer *Anonymizer
}

func NewReportAnonymizer added in v0.15.0

func NewReportAnonymizer(anonymizer *Anonymizer) *ReportAnonymizer

func (*ReportAnonymizer) AnonymizeFile added in v0.15.0

func (a *ReportAnonymizer) AnonymizeFile(file *report.File) *report.File

func (*ReportAnonymizer) AnonymizeFileScans added in v0.15.0

func (a *ReportAnonymizer) AnonymizeFileScans(scans []*report.FileScan) []*report.FileScan

func (*ReportAnonymizer) AnonymizeMemorySegments added in v0.15.0

func (a *ReportAnonymizer) AnonymizeMemorySegments(segments []*report.MemorySegmentInfo) []*report.MemorySegmentInfo

func (*ReportAnonymizer) AnonymizeProcesses added in v0.15.0

func (a *ReportAnonymizer) AnonymizeProcesses(processes []*report.ProcessInfo) []*report.ProcessInfo

func (*ReportAnonymizer) AnonymizeReport added in v0.15.0

func (a *ReportAnonymizer) AnonymizeReport(rprt *report.Report) *report.Report

func (*ReportAnonymizer) AnonymizeSystemInfo added in v0.15.0

func (a *ReportAnonymizer) AnonymizeSystemInfo(info *report.SystemInfo) *report.SystemInfo

type Reporter

// Reporter receives the information produced during a scan. Implementations
// on this page: AnalysisReporter, FilteringReporter, MultiReporter and the
// progress reporter returned by NewProgressReporter. Some implementations
// expect each method to be called at most once (see AnalysisReporter).
type Reporter interface {
	// ReportSystemInfo reports information about the scanned system.
	ReportSystemInfo(info *system.Info) error
	// ReportRules reports the rule set used for the scan.
	ReportRules(rules *yara.Rules) error
	// ConsumeMemoryScanProgress consumes and reports the memory scan
	// progress items sent on progress.
	ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error
	// ConsumeFSScanProgress consumes and reports the file system scan
	// progress items sent on progress.
	ConsumeFSScanProgress(progress <-chan *fileio.FSScanProgress) error
	// ReportScanningStatistics reports statistics about the finished scan.
	ReportScanningStatistics(stats *yapscan.ScanningStatistics) error
	// Close flushes and releases whatever the reporter writes to.
	io.Closer
}

Reporter provides capability to report on scanning progress.

func NewProgressReporter

func NewProgressReporter(out io.WriteCloser, formatter ProgressFormatter) Reporter

NewProgressReporter creates a new Reporter, which will write memory and file scanning progress to the given io.WriteCloser out using the ProgressFormatter formatter for formatting. This Reporter is intended for live updates to the console, hence ReportSystemInfo() and ReportRules() do nothing.

type WriteCloserBuilder added in v0.6.0

// WriteCloserBuilder assembles a chain of OutputDecorators (compression,
// encryption) in front of a final io.WriteCloser. Create it with
// NewWriteCloserBuilder, Append decorators, then Build(finalOutput);
// SuggestedFileExtension reflects the appended decorators.
type WriteCloserBuilder struct {
	// contains filtered or unexported fields
}

func NewWriteCloserBuilder added in v0.6.0

func NewWriteCloserBuilder() *WriteCloserBuilder

func (*WriteCloserBuilder) Append added in v0.6.0

func (b *WriteCloserBuilder) Append(decorator *OutputDecorator) *WriteCloserBuilder

Append appends a decorator. The appended decorator will be the first one to mutate any input.

func (*WriteCloserBuilder) Build added in v0.6.0

func (b *WriteCloserBuilder) Build(finalOutput io.WriteCloser) (io.WriteCloser, error)

func (*WriteCloserBuilder) SuggestedFileExtension added in v0.6.0

func (b *WriteCloserBuilder) SuggestedFileExtension() string
