output

package
v0.7.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 19, 2021 License: AGPL-3.0 Imports: 27 Imported by: 0

Documentation

Index

Constants

View Source
const FSProgressFileName = "file-scans.json"

FSProgressFileName is the name of the file used to report information about file scans.

View Source
const MemoryProgressFileName = "memory-scans.json"

MemoryProgressFileName is the name of the file used to report information about memory scans.

View Source
const ProcessFileName = "processes.json"

ProcessFileName is the name of the file used to report information about processes.

View Source
const RulesFileName = "rules.yarc"

RulesFileName is the name of the file, where the used rules will be stored.

View Source
const ScanningStatisticsFileName = "stats.json"

ScanningStatisticsFileName is the name of the file used to report scanning.

View Source
const SystemInfoFileName = "systeminfo.json"

SystemInfoFileName is the name of the file, where system info is stored.

Variables

This section is empty.

Functions

func NewPGPEncryptor added in v0.6.0

func NewPGPEncryptor(ring []*openpgp.Entity, isBinary bool, output io.Writer) (io.WriteCloser, error)

func NewPGPSymmetricEncryptor added in v0.6.0

func NewPGPSymmetricEncryptor(password string, isBinary bool, output io.Writer) (io.WriteCloser, error)

func NewZSTDCompressor added in v0.6.0

func NewZSTDCompressor(out io.Writer) io.WriteCloser

func ReadKeyRing added in v0.6.0

func ReadKeyRing(filepath string) ([]*openpgp.Entity, error)

Types

type AnalysisReporter

type AnalysisReporter struct {
	// contains filtered or unexported fields
}

AnalysisReporter implements a Reporter, which is specifically intended for later analysis of the report in order to determine rule quality.

func (*AnalysisReporter) Close

func (r *AnalysisReporter) Close() error

Close closes the AnalysisReporter and all associated files.

func (*AnalysisReporter) ConsumeFSScanProgress

func (r *AnalysisReporter) ConsumeFSScanProgress(progress <-chan *fileio.FSScanProgress) error

ConsumeFSScanProgress consumes and reports all *yapscan.FSScanProgress instances sent in the given channel. This function may only called once, otherwise the behaviour depends on the used Archiver.

func (*AnalysisReporter) ConsumeMemoryScanProgress

func (r *AnalysisReporter) ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error

ConsumeMemoryScanProgress consumes and reports all *yapscan.MemoryScanProgress instances sent in the given channel. This function may only called once, otherwise the behaviour depends on the used Archiver.

func (*AnalysisReporter) ReportRules

func (r *AnalysisReporter) ReportRules(rules *yara.Rules) error

ReportRules reports the given *yara.Rules. This function may only called once, otherwise the behaviour depends on the used Archiver.

func (*AnalysisReporter) ReportScanningStatistics added in v0.7.0

func (r *AnalysisReporter) ReportScanningStatistics(stats *yapscan.ScanningStatistics) error

ReportScanningStatistics reports about scanning statistics. This function may only called once, otherwise the behaviour depends on the used Archiver.

func (*AnalysisReporter) ReportSystemInfo

func (r *AnalysisReporter) ReportSystemInfo(info *system.Info) error

ReportSystemInfo reports info about the running system. This function may only called once, otherwise the behaviour depends on the used Archiver.

type AnalysisReporterFactory added in v0.6.0

type AnalysisReporterFactory struct {
	// contains filtered or unexported fields
}

func NewAnalysisReporterFactory added in v0.6.0

func NewAnalysisReporterFactory(archiver Archiver) *AnalysisReporterFactory

func (*AnalysisReporterFactory) AutoCloseArchiver added in v0.6.0

func (f *AnalysisReporterFactory) AutoCloseArchiver() *AnalysisReporterFactory

func (*AnalysisReporterFactory) Build added in v0.6.0

func (*AnalysisReporterFactory) WithDumpStorage added in v0.6.0

func (*AnalysisReporterFactory) WithFilenamePrefix added in v0.6.0

func (f *AnalysisReporterFactory) WithFilenamePrefix(prefix string) *AnalysisReporterFactory

type Anonymizer added in v0.6.0

type Anonymizer struct {
	Salt []byte
	// contains filtered or unexported fields
}

func NewAnonymizer added in v0.6.0

func NewAnonymizer(salt []byte) *Anonymizer

func (*Anonymizer) Anonymize added in v0.6.0

func (a *Anonymizer) Anonymize(data string) string

func (*Anonymizer) AnonymizeCaseInsensitive added in v0.6.0

func (a *Anonymizer) AnonymizeCaseInsensitive(data string) string

func (*Anonymizer) AnonymizeMemorySegment added in v0.6.0

func (a *Anonymizer) AnonymizeMemorySegment(segment *procio.MemorySegmentInfo) *procio.MemorySegmentInfo

func (*Anonymizer) AnonymizeMemorySegments added in v0.6.0

func (a *Anonymizer) AnonymizeMemorySegments(segments []*procio.MemorySegmentInfo) []*procio.MemorySegmentInfo

func (*Anonymizer) AnonymizePath added in v0.6.0

func (a *Anonymizer) AnonymizePath(path string) string

type AnonymizingFilter added in v0.6.0

type AnonymizingFilter struct {
	Anonymizer *Anonymizer
}

func NewAnonymizingFilter added in v0.6.0

func NewAnonymizingFilter(salt []byte) *AnonymizingFilter

func NewAnonymizingFilterWithRandomSalt added in v0.6.0

func NewAnonymizingFilterWithRandomSalt(saltLength int) (*AnonymizingFilter, error)

func (*AnonymizingFilter) Chain added in v0.6.0

func (f *AnonymizingFilter) Chain(other Filter) Filter

func (*AnonymizingFilter) FilterFSScanProgress added in v0.6.0

func (f *AnonymizingFilter) FilterFSScanProgress(scan *fileio.FSScanProgress) *fileio.FSScanProgress

func (*AnonymizingFilter) FilterMemoryScanProgress added in v0.6.0

func (f *AnonymizingFilter) FilterMemoryScanProgress(scan *yapscan.MemoryScanProgress) *yapscan.MemoryScanProgress

func (*AnonymizingFilter) FilterRules added in v0.6.0

func (f *AnonymizingFilter) FilterRules(rules *yara.Rules) *yara.Rules

func (*AnonymizingFilter) FilterSystemInfo added in v0.6.0

func (f *AnonymizingFilter) FilterSystemInfo(info *system.Info) *system.Info

type ArchiveDumpStorage added in v0.6.0

type ArchiveDumpStorage struct {

	// The prefix of filenames created in the Archiver.
	FilePrefix string
	// contains filtered or unexported fields
}

ArchiveDumpStorage stores dumps using an Archiver.

func NewArchiveDumpStorage added in v0.6.0

func NewArchiveDumpStorage(archiver Archiver) *ArchiveDumpStorage

NewArchiveDumpStorage creates a new ArchiveDumpStorage with an Archiver backend.

func (*ArchiveDumpStorage) Close added in v0.6.0

func (s *ArchiveDumpStorage) Close() error

func (*ArchiveDumpStorage) Store added in v0.6.0

func (s *ArchiveDumpStorage) Store(dump *Dump) error

Store stores a new dump. Depending on the underlying Archiver, this must not be called in parallel.

type Archiver added in v0.6.0

type Archiver interface {
	Create(name string) (io.WriteCloser, error)
	io.Closer
}

func NewTarArchiver added in v0.6.0

func NewTarArchiver(out io.WriteCloser) Archiver

func NewZipArchiver added in v0.6.0

func NewZipArchiver(out io.Writer, compressionMethod uint16) Archiver

type Dump

type Dump struct {
	PID     int
	Segment *procio.MemorySegmentInfo
	Data    io.ReadCloser
}

Dump contains the dump of a memory segment.

func (*Dump) Filename

func (d *Dump) Filename() string

Filename returns a filename with the PID of the process and the address of the Segment of the dump.

type DumpOrError

type DumpOrError struct {
	Dump *Dump
	Err  error
}

DumpOrError contains either a Dump or an Err.

type DumpStorage

type DumpStorage interface {
	// Store stores a Dump.
	Store(dump *Dump) error
	io.Closer
}

DumpStorage provides capability to store dumps.

type FSScanProgressReport

type FSScanProgressReport struct {
	Path    string      `json:"path"`
	Matches []*Match    `json:"match"`
	Error   interface{} `json:"error"`
}

FSScanProgressReport represents all matches on a file.

type Filter added in v0.6.0

type Filter interface {
	Chain(f Filter) Filter

	FilterSystemInfo(info *system.Info) *system.Info
	FilterRules(rules *yara.Rules) *yara.Rules
	FilterMemoryScanProgress(scan *yapscan.MemoryScanProgress) *yapscan.MemoryScanProgress
	FilterFSScanProgress(scan *fileio.FSScanProgress) *fileio.FSScanProgress
}

type FilteringReporter added in v0.6.0

type FilteringReporter struct {
	Reporter Reporter
	Filter   Filter
}

func (*FilteringReporter) Close added in v0.6.0

func (r *FilteringReporter) Close() error

func (*FilteringReporter) ConsumeFSScanProgress added in v0.6.0

func (r *FilteringReporter) ConsumeFSScanProgress(progress <-chan *fileio.FSScanProgress) error

func (*FilteringReporter) ConsumeMemoryScanProgress added in v0.6.0

func (r *FilteringReporter) ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error

func (*FilteringReporter) ReportRules added in v0.6.0

func (r *FilteringReporter) ReportRules(rules *yara.Rules) error

func (*FilteringReporter) ReportScanningStatistics added in v0.7.0

func (r *FilteringReporter) ReportScanningStatistics(stats *yapscan.ScanningStatistics) error

func (*FilteringReporter) ReportSystemInfo added in v0.6.0

func (r *FilteringReporter) ReportSystemInfo(info *system.Info) error

type Match

type Match struct {
	Rule      string         `json:"rule"`
	Namespace string         `json:"namespace"`
	Strings   []*MatchString `json:"strings"`
}

Match represents the match of a yara Rule.

func ConvertYaraMatchRules added in v0.5.0

func ConvertYaraMatchRules(mr []yara.MatchRule) []*Match

ConvertYaraMatchRules converts the given slice of yara.MatchRule to a slice of *Match.

type MatchString

type MatchString struct {
	Name   string `json:"name"`
	Base   uint64 `json:"base"`
	Offset uint64 `json:"offset"`
}

A MatchString represents a string declared and matched in a rule.

type MemoryScanProgressReport

type MemoryScanProgressReport struct {
	PID           int         `json:"pid"`
	MemorySegment uintptr     `json:"memorySegment"`
	Matches       []*Match    `json:"match"`
	Error         interface{} `json:"error"`
}

MemoryScanProgressReport represents all matches on a single memory segment of a process.

type MultiReporter

type MultiReporter struct {
	Reporters []Reporter
}

MultiReporter is a Reporter which reports all information it recieves to all given Reporters.

func (*MultiReporter) Close

func (r *MultiReporter) Close() error

Close closes all reporters.

func (*MultiReporter) ConsumeFSScanProgress

func (r *MultiReporter) ConsumeFSScanProgress(progress <-chan *fileio.FSScanProgress) error

ConsumeFSScanProgress consumes and reports all *yapscan.FSScanProgress instances sent in the given channel.

func (*MultiReporter) ConsumeMemoryScanProgress

func (r *MultiReporter) ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error

ConsumeMemoryScanProgress consumes and reports all *yapscan.MemoryScanProgress instances sent in the given channel.

func (*MultiReporter) ReportRules

func (r *MultiReporter) ReportRules(rules *yara.Rules) error

ReportRules reports the given *yara.Rules.

func (*MultiReporter) ReportScanningStatistics added in v0.7.0

func (r *MultiReporter) ReportScanningStatistics(stats *yapscan.ScanningStatistics) error

ReportScanningStatistics reports scanning statistics.

func (*MultiReporter) ReportSystemInfo

func (r *MultiReporter) ReportSystemInfo(info *system.Info) error

ReportSystemInfo retrieves and reports info about the running system.

type NOPFilter added in v0.7.0

type NOPFilter struct{}

NOPFilter is a filter that does nothing. Any FilteringReporter which uses this behave as an unfiltered Reporter.

func (*NOPFilter) Chain added in v0.7.0

func (c *NOPFilter) Chain(f Filter) Filter

func (*NOPFilter) FilterFSScanProgress added in v0.7.0

func (c *NOPFilter) FilterFSScanProgress(scan *fileio.FSScanProgress) *fileio.FSScanProgress

func (*NOPFilter) FilterMemoryScanProgress added in v0.7.0

func (c *NOPFilter) FilterMemoryScanProgress(scan *yapscan.MemoryScanProgress) *yapscan.MemoryScanProgress

func (*NOPFilter) FilterRules added in v0.7.0

func (c *NOPFilter) FilterRules(rules *yara.Rules) *yara.Rules

func (*NOPFilter) FilterSystemInfo added in v0.7.0

func (c *NOPFilter) FilterSystemInfo(info *system.Info) *system.Info

type NoEmptyScansFilter added in v0.6.0

type NoEmptyScansFilter struct{}

func (*NoEmptyScansFilter) Chain added in v0.6.0

func (f *NoEmptyScansFilter) Chain(other Filter) Filter

func (*NoEmptyScansFilter) FilterFSScanProgress added in v0.6.0

func (f *NoEmptyScansFilter) FilterFSScanProgress(scan *fileio.FSScanProgress) *fileio.FSScanProgress

func (*NoEmptyScansFilter) FilterMemoryScanProgress added in v0.6.0

func (f *NoEmptyScansFilter) FilterMemoryScanProgress(scan *yapscan.MemoryScanProgress) *yapscan.MemoryScanProgress

func (*NoEmptyScansFilter) FilterRules added in v0.6.0

func (f *NoEmptyScansFilter) FilterRules(rules *yara.Rules) *yara.Rules

func (*NoEmptyScansFilter) FilterSystemInfo added in v0.6.0

func (f *NoEmptyScansFilter) FilterSystemInfo(info *system.Info) *system.Info

type OutputDecorator added in v0.6.0

type OutputDecorator struct {
	// contains filtered or unexported fields
}

func PGPEncryptionDecorator added in v0.6.0

func PGPEncryptionDecorator(ring []*openpgp.Entity, dataIsBinary bool) *OutputDecorator

func PGPSymmetricEncryptionDecorator added in v0.6.0

func PGPSymmetricEncryptionDecorator(password string, dataIsBinary bool) *OutputDecorator

func ZSTDCompressionDecorator added in v0.6.0

func ZSTDCompressionDecorator() *OutputDecorator

type ProgressFormatter

type ProgressFormatter interface {
	FormatMemoryScanProgress(progress *yapscan.MemoryScanProgress) string
	FormatFSScanProgress(progress *fileio.FSScanProgress) string
	FormatPath(path string, maxlen int) string
}

ProgressFormatter formats progress information.

func NewPrettyFormatter

func NewPrettyFormatter(showStringMatches bool) ProgressFormatter

NewPrettyFormatter creates a new pretty formatter for human readable console output.

type ReadableDumpStorage

type ReadableDumpStorage interface {
	DumpStorage
	// Retrieve retrieves the dumps stored in this DumpStorage.
	Retrieve(ctx context.Context) <-chan *DumpOrError
}

ReadableDumpStorage is a DumpStorage that can also Retrieve dumps after storing.

type Reporter

type Reporter interface {
	ReportSystemInfo(info *system.Info) error
	ReportRules(rules *yara.Rules) error
	ConsumeMemoryScanProgress(progress <-chan *yapscan.MemoryScanProgress) error
	ConsumeFSScanProgress(progress <-chan *fileio.FSScanProgress) error
	ReportScanningStatistics(stats *yapscan.ScanningStatistics) error
	io.Closer
}

Reporter provides capability to report on scanning progress.

func NewProgressReporter

func NewProgressReporter(out io.WriteCloser, formatter ProgressFormatter) Reporter

NewProgressReporter creates a new Reporter, which will write memory and file scanning progress to the given io.WriteCloser out using the ProgressFormatter formatter for formatting. This Reporter is intended for live updates to the console, hence ReportSystemInfo() and ReportRules() do nothing.

type WriteCloserBuilder added in v0.6.0

type WriteCloserBuilder struct {
	// contains filtered or unexported fields
}

func NewWriteCloserBuilder added in v0.6.0

func NewWriteCloserBuilder() *WriteCloserBuilder

func (*WriteCloserBuilder) Append added in v0.6.0

func (b *WriteCloserBuilder) Append(decorator *OutputDecorator) *WriteCloserBuilder

Append appends a decorator. The appended decorator will be the first one to mutate any input.

func (*WriteCloserBuilder) Build added in v0.6.0

func (b *WriteCloserBuilder) Build(finalOutput io.WriteCloser) (io.WriteCloser, error)

func (*WriteCloserBuilder) SuggestedFileExtension added in v0.6.0

func (b *WriteCloserBuilder) SuggestedFileExtension() string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL