output

package
v0.3.0 Latest Latest
Published: Nov 27, 2020 License: AGPL-3.0 Imports: 24 Imported by: 0

Constants

// DefaultZIPPassword is the conventional "infected" password used for archives
// of malware-analysis artifacts. NOTE(review): it is a fixed, publicly known
// value, so a ZIP protected with it provides no confidentiality — treat such an
// archive as effectively unencrypted when it holds memory dumps or other
// sensitive output. Presumably applied when GatheredAnalysisReporter.ZIPPassword
// is left empty — confirm in the implementation.
const DefaultZIPPassword = "infected"
// FSProgressFileName is the file name used for the filesystem-scan report
// (presumably the sink behind FSScanProgressOut — confirm).
const FSProgressFileName = "file-scans.json"
// MemoryProgressFileName is the file name used for the memory-scan report
// (presumably the sink behind MemoryScanProgressOut — confirm).
const MemoryProgressFileName = "memory-scans.json"
// ProcessFileName is the file name used for the process information report
// (presumably the sink behind ProcessInfoOut — confirm).
const ProcessFileName = "processes.json"
// RulesFileName is the file name used for the exported YARA rules
// (".yarc" suggests compiled rules — confirm against ReportRules). Note that
// the report therefore carries the full rule set; share it only where
// disclosing the rules is acceptable.
const RulesFileName = "rules.yarc"
// SystemInfoFileName is the file name used for the system information report
// (presumably the sink behind SystemInfoOut — confirm).
const SystemInfoFileName = "systeminfo.json"

Variables

This section is empty.

Functions

This section is empty.

Types

type AnalysisReporter

// AnalysisReporter is a Reporter that writes each report section to its own
// io.WriteCloser so the result can be analysed offline (e.g. to judge rule
// quality). Each Out field is the sink for one section; all of them, plus
// DumpStorage, are presumably closed by Close — confirm in the source.
// NOTE(review): the sinks end up holding process metadata, rule definitions
// and scan matches; choose their destinations accordingly.
type AnalysisReporter struct {
	SystemInfoOut         io.WriteCloser // sink for ReportSystemInfo (name-inferred)
	RulesOut              io.WriteCloser // sink for ReportRules (name-inferred)
	ProcessInfoOut        io.WriteCloser // sink for per-process information (name-inferred)
	MemoryScanProgressOut io.WriteCloser // sink for ConsumeMemoryScanProgress (name-inferred)
	FSScanProgressOut     io.WriteCloser // sink for ConsumeFSScanProgress (name-inferred)
	DumpStorage           DumpStorage    // where matched memory segments are stored, if set
	// contains filtered or unexported fields
}

AnalysisReporter implements Reporter; its output is specifically intended for later analysis of the report in order to determine rule quality.

func (*AnalysisReporter) Close

func (r *AnalysisReporter) Close() error

func (*AnalysisReporter) ConsumeFSScanProgress

func (r *AnalysisReporter) ConsumeFSScanProgress(progress <-chan *fileIO.FSScanProgress) error

func (*AnalysisReporter) ConsumeMemoryScanProgress

func (r *AnalysisReporter) ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error

func (*AnalysisReporter) ReportRules

func (r *AnalysisReporter) ReportRules(rules *yara.Rules) error

func (*AnalysisReporter) ReportSystemInfo

func (r *AnalysisReporter) ReportSystemInfo() error

type Dump

// Dump is one captured memory segment of a process, as handed to a
// DumpStorage. Data is an io.ReadCloser, so the consumer of a Dump is
// responsible for closing it.
// NOTE(review): raw process memory can contain credentials, keys, tokens and
// other secrets. Anything that persists a Dump should treat its output
// location as sensitive (restrictive permissions, controlled sharing).
type Dump struct {
	PID     int                       // process the segment was read from
	Segment *procIO.MemorySegmentInfo // segment metadata; see procIO for its fields
	Data    io.ReadCloser             // segment contents; close when done
}

func (*Dump) Filename

func (d *Dump) Filename() string

type DumpOrError

// DumpOrError is the element type of the channel returned by
// ReadableDumpStorage.Retrieve: exactly one of Dump or Err is expected to be
// set per element. Consumers must check Err before using Dump (it may be nil),
// and must close Dump.Data when Dump is set.
type DumpOrError struct {
	Dump *Dump // retrieved dump, or nil on error
	Err  error // retrieval error, or nil on success
}

type DumpStorage

// DumpStorage is a write-only sink for memory Dumps.
//
// Store persists one dump; whether it takes ownership of dump.Data (and
// closes it) is not visible here — confirm with the implementation before
// relying on either behaviour. Hint returns a human-readable description of
// where dumps are kept (name-inferred). Close releases the storage and must be
// called when no more dumps will be stored.
// NOTE(review): dumps may hold secrets lifted from process memory; an
// implementation should create its backing location with restrictive
// permissions.
type DumpStorage interface {
	Store(dump *Dump) error
	Hint() string
	io.Closer
}

type FSScanProgressReport

// FSScanProgressReport is the JSON record emitted for one scanned file.
// Error is typed interface{} (rather than error) so that it can be serialised;
// NOTE(review): encoding/json ignores unexported fields, so storing a plain
// error value here would serialise as {} — verify that the reporter stores a
// string (e.g. err.Error()) or a JSON-friendly value.
type FSScanProgressReport struct {
	Path    string      `json:"path"`  // scanned file path
	Matches []*Match    `json:"match"` // rule matches for this file; JSON key is singular "match"
	Error   interface{} `json:"error"` // scan error, if any; see note above
}

type GatheredAnalysisReporter

// GatheredAnalysisReporter is an analysis reporter whose output files are
// gathered into a single directory (the outPath passed to
// NewGatheredAnalysisReporter) and optionally packed into a ZIP archive on
// Close.
//
// NOTE(review): the ZIP encryption scheme is not visible from this
// declaration. Classic ZipCrypto is cryptographically weak, and a password
// equal to DefaultZIPPassword is public knowledge, so the archive must not
// be relied on for confidentiality of memory dumps or system information —
// protect it with the transport/storage controls you would use for an
// unencrypted report. Confirm which scheme the implementation uses.
type GatheredAnalysisReporter struct {

	// If ZIP is set, the output files will be zipped into the
	// specified ZIP file.
	ZIP string
	// ZIPPassword is the password applied to the ZIP archive. Presumably
	// DefaultZIPPassword is used when this is empty — confirm.
	ZIPPassword string
	// DeleteAfterZipping, if true, presumably removes the gathered plain
	// output files once the ZIP has been written (name-inferred — confirm).
	DeleteAfterZipping bool
	// contains filtered or unexported fields
}

func NewGatheredAnalysisReporter

func NewGatheredAnalysisReporter(outPath string) (*GatheredAnalysisReporter, error)

func (*GatheredAnalysisReporter) Close

func (r *GatheredAnalysisReporter) Close() error

func (*GatheredAnalysisReporter) ConsumeFSScanProgress

func (r *GatheredAnalysisReporter) ConsumeFSScanProgress(progress <-chan *fileIO.FSScanProgress) error

func (*GatheredAnalysisReporter) ConsumeMemoryScanProgress

func (r *GatheredAnalysisReporter) ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error

func (*GatheredAnalysisReporter) ReportRules

func (r *GatheredAnalysisReporter) ReportRules(rules *yara.Rules) error

func (*GatheredAnalysisReporter) ReportSystemInfo

func (r *GatheredAnalysisReporter) ReportSystemInfo() error

func (*GatheredAnalysisReporter) SuggestZIPName

func (r *GatheredAnalysisReporter) SuggestZIPName() string

func (*GatheredAnalysisReporter) WithFileDumpStorage

func (r *GatheredAnalysisReporter) WithFileDumpStorage(outPath string) (err error)

type Match

// Match is the serialisable form of a single YARA rule match, built from
// yara.MatchRule by FilterMatches. Only the rule identity and the matched
// string locations are kept; see FilterMatches for what is dropped.
type Match struct {
	Rule      string         `json:"rule"`      // rule identifier
	Namespace string         `json:"namespace"` // rule namespace
	Strings   []*MatchString `json:"strings"`   // locations of the strings that matched
}

func FilterMatches

func FilterMatches(mr []yara.MatchRule) []*Match

type MatchString

// MatchString identifies where one string of a rule matched.
// Base and Offset are serialised as plain JSON numbers; presumably Base is the
// base address of the scanned region and Offset the position within it, so
// the absolute location is Base+Offset — confirm against FilterMatches.
type MatchString struct {
	Name   string `json:"name"`   // string identifier as declared in the rule (e.g. "$a")
	Base   uint64 `json:"base"`   // see type comment
	Offset uint64 `json:"offset"` // see type comment
}

A MatchString represents a string declared and matched in a rule.

type MemoryScanProgressReport

// MemoryScanProgressReport is the JSON record emitted for one scanned memory
// segment of a process. MemorySegment is a uintptr and therefore serialises as
// a decimal number, not as a hex address. Error is typed interface{} so it can
// be serialised; NOTE(review): encoding/json ignores unexported fields, so a
// plain error value stored here would serialise as {} — verify what the
// reporter assigns.
type MemoryScanProgressReport struct {
	PID           int         `json:"pid"`           // scanned process
	MemorySegment uintptr     `json:"memorySegment"` // segment address (decimal in JSON)
	Matches       []*Match    `json:"match"`         // rule matches; JSON key is singular "match"
	Error         interface{} `json:"error"`         // scan error, if any; see note above
}

type MultiReporter

// MultiReporter is a Reporter that fans every call out to each element of
// Reporters. How errors from individual reporters are combined, and whether a
// failing reporter stops the others, is not visible here — confirm in the
// source before depending on it.
type MultiReporter struct {
	Reporters []Reporter // invoked in slice order (presumably — confirm)
}

func (*MultiReporter) Close

func (r *MultiReporter) Close() error

func (*MultiReporter) ConsumeFSScanProgress

func (r *MultiReporter) ConsumeFSScanProgress(progress <-chan *fileIO.FSScanProgress) error

func (*MultiReporter) ConsumeMemoryScanProgress

func (r *MultiReporter) ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error

func (*MultiReporter) ReportRules

func (r *MultiReporter) ReportRules(rules *yara.Rules) error

func (*MultiReporter) ReportSystemInfo

func (r *MultiReporter) ReportSystemInfo() error

type ProgressFormatter

// ProgressFormatter renders scan progress events as text for a progress
// reporter (see NewProgressReporter). FormatPath is expected to shorten path
// to at most maxlen characters for display (name-inferred — confirm).
type ProgressFormatter interface {
	FormatMemoryScanProgress(progress *yapscan.MemoryScanProgress) string
	FormatFSScanProgress(progress *fileIO.FSScanProgress) string
	FormatPath(path string, maxlen int) string
}

func NewPrettyFormatter

func NewPrettyFormatter() ProgressFormatter

type ReadableDumpStorage

// ReadableDumpStorage is a DumpStorage whose stored dumps can be read back.
// Retrieve streams stored dumps over a channel; ctx presumably cancels the
// producer, so a consumer that stops reading early should cancel ctx to avoid
// leaking the producing goroutine — confirm with the implementation. Each
// element carries either a Dump (whose Data must be closed by the consumer)
// or an Err.
type ReadableDumpStorage interface {
	DumpStorage
	Retrieve(ctx context.Context) <-chan *DumpOrError
}

func NewFileDumpStorage

func NewFileDumpStorage(dir string) (ReadableDumpStorage, error)

type Reporter

// Reporter receives the results of a scan run. The Report* methods emit static
// information, the Consume* methods drain a progress channel (presumably until
// the sender closes it — the sender, not the Reporter, owns the channel), and
// Close flushes and releases any underlying sinks. Implementations in this
// package: AnalysisReporter, GatheredAnalysisReporter, MultiReporter and the
// value returned by NewProgressReporter.
type Reporter interface {
	ReportSystemInfo() error
	ReportRules(rules *yara.Rules) error
	ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error
	ConsumeFSScanProgress(progress <-chan *fileIO.FSScanProgress) error
	io.Closer
}

func NewProgressReporter

func NewProgressReporter(out io.WriteCloser, formatter ProgressFormatter) Reporter
