Add memory scanning capabilities and related event forwarding functions

Author: codeyourweb

README.md

@@ -148,6 +148,7 @@ options:
     findInRemovableDrives: true # enumerate removable drive content 
     findInNetworkDrives: true # enumerate network drive content
     findInCDRomDrives: true # enumerate physical CD-ROM and mounted iso / vhd...
+    findInMemory: true # check for results in processes memory
 output:
     copyMatchingFiles: true # create a copy of every matching file
     base64Files: true # base64 matched content before copy

configuration.go

@@ -39,7 +39,7 @@ type Options struct {
 	FindInRemovableDrives          bool `yaml:"findInRemovableDrives"`
 	FindInNetworkDrives            bool `yaml:"findInNetworkDrives"`
 	FindInCDRomDrives              bool `yaml:"findInCDRomDrives"`
-	ScanMemory                     bool `yaml:"scanMemory"`
+	FindInMemory                   bool `yaml:"findInMemory"`
 }
 
 type Output struct {

event_forwarding.go

@@ -192,6 +192,30 @@ func ForwardAlertEvent(ruleName, filePath string, fileSize int64, fileHash strin
 	ForwardEvent("alert", "high", fmt.Sprintf("YARA rule match: %s in %s", ruleName, filePath), metadata)
 }
 
+// ForwardGrepMatchEvent forwards a Grep match event
+func ForwardGrepMatchEvent(pattern, filePath string, fileSize int64, metadata map[string]string) {
+	if metadata == nil {
+		metadata = make(map[string]string)
+	}
+	metadata["grep_pattern"] = pattern
+	metadata["file_path"] = filePath
+	metadata["file_size"] = fmt.Sprintf("%d", fileSize)
+
+	ForwardEvent("alert", "high", fmt.Sprintf("Grep match: %s in %s", pattern, filePath), metadata)
+}
+
+// ForwardChecksumMatchEvent forwards a Checksum match event
+func ForwardChecksumMatchEvent(checksum, filePath string, fileSize int64, metadata map[string]string) {
+	if metadata == nil {
+		metadata = make(map[string]string)
+	}
+	metadata["checksum"] = checksum
+	metadata["file_path"] = filePath
+	metadata["file_size"] = fmt.Sprintf("%d", fileSize)
+
+	ForwardEvent("alert", "high", fmt.Sprintf("Checksum match: %s in %s", checksum, filePath), metadata)
+}
+
 // ForwardScanCompleteEvent forwards scan completion statistics
 func ForwardScanCompleteEvent(filesScanned, matchesFound, errorsEncountered int, duration time.Duration) {
 	if eventForwarder == nil {

finder.go

@@ -174,6 +174,7 @@ func checkForChecksum(path string, content []byte, hashList []string) (matchingF
 	for _, c := range hashs {
 		if Contains(hashList, c) && !Contains(matchingFiles, path) {
 			LogMessage(LOG_ALERT, "(ALERT)", "Checksum match:", c, "in", path)
+			ForwardChecksumMatchEvent(c, path, int64(len(content)), nil)
 			matchingFiles = append(matchingFiles, path)
 		}
 	}
@@ -190,7 +191,13 @@ func checkForStringPattern(path string, content []byte, patterns []string) (matc
 	for _, expression := range patterns {
 		for i, line := range lines {
 			if strings.Contains(line, expression) {
-				LogMessage(LOG_ALERT, "(ALERT)", "Grep match:", expression, "in", path, "at line", fmt.Sprintf("%d:", i+1), strings.TrimSpace(line))
+				LogMessage(LOG_ALERT, "(ALERT)", "Grep match:", expression, "in", path, "at line", fmt.Sprintf("%d", i+1))
+
+				metadata := map[string]string{
+					"line_number": fmt.Sprintf("%d", i+1),
+				}
+				ForwardGrepMatchEvent(expression, path, int64(len(content)), metadata)
+
 				matchingFiles = append(matchingFiles, path)
 				break
 			}

main.go

@@ -150,7 +150,7 @@ func MainFastfinderRoutine(config Configuration, pConfigPath string, pNoAdvUI bo
 	}
 
 	// Memory Scan
-	if config.Options.ScanMemory {
+	if config.Options.FindInMemory {
 		ScanMemory(config, rules)
 	}
 

process_scanner.go

@@ -22,22 +22,31 @@ func ScanMemory(config Configuration, rules *yara.Rules) {
 	procs := ListProcesses()
 	LogMessage(LOG_INFO, "(INFO)", fmt.Sprintf("Found %d running processes", len(procs)))
 
+	ScanProcesses(procs, config, rules)
+
+	LogMessage(LOG_INFO, "(INFO)", "Memory scan finished")
+}
+
+// ScanProcesses scans a list of processes for patterns and YARA rules
+func ScanProcesses(procs []ProcessInformation, config Configuration, rules *yara.Rules) int {
+	totalMatches := 0
 	for _, proc := range procs {
 		LogMessage(LOG_VERBOSE, "(MEMORY)", "Scanning process:", proc.ProcessName, fmt.Sprintf("(PID: %d)", proc.PID))
 
 		// Check memory content with Grep
 		if len(config.Input.Content.Grep) > 0 {
+			// checkForStringPattern already handles logging and alerting
 			matches := checkForStringPattern(fmt.Sprintf("MEMORY:%s:%d", proc.ProcessName, proc.PID), proc.MemoryDump, config.Input.Content.Grep)
-			for _, m := range matches {
-				LogMessage(LOG_ALERT, "(ALERT)", "Memory Grep match:", m)
-			}
+			totalMatches += len(matches)
 		}
 
 		// Check memory content with YARA
 		if rules != nil && len(rules.GetRules()) > 0 {
 			matchs, err := PerformYaraScan(&proc.MemoryDump, rules)
 			if err != nil {
 				LogMessage(LOG_ERROR, "(ERROR)", "Memory YARA scan failed for", proc.ProcessName, err)
+			} else {
+				totalMatches += len(matchs)
 			}
 
 			for i := 0; i < len(matchs); i++ {
@@ -61,6 +70,5 @@ func ScanMemory(config Configuration, rules *yara.Rules) {
 		proc.MemoryDump = nil
 		debug.FreeOSMemory()
 	}
-
-	LogMessage(LOG_INFO, "(INFO)", "Memory scan finished")
+	return totalMatches
 }

process_scanner_test.go

@@ -0,0 +1,77 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/hillu/go-yara/v4"
+)
+
+func TestScanProcessesGrep(t *testing.T) {
+	// Setup
+	config := Configuration{}
+	config.Input.Content.Grep = []string{"bad_string"}
+
+	proc := ProcessInformation{
+		PID:         1234,
+		ProcessName: "test_process.exe",
+		MemoryDump:  []byte("This is a memory dump containing a bad_string here."),
+	}
+	procs := []ProcessInformation{proc}
+
+	// Execute
+	matches := ScanProcesses(procs, config, nil)
+
+	// Verify
+	if matches != 1 {
+		t.Errorf("Expected 1 match, got %d", matches)
+	}
+}
+
+func TestScanProcessesNoMatch(t *testing.T) {
+	// Setup
+	config := Configuration{}
+	config.Input.Content.Grep = []string{"missing_string"}
+
+	proc := ProcessInformation{
+		PID:         1234,
+		ProcessName: "test_process.exe",
+		MemoryDump:  []byte("This is a memory dump containing a bad_string here."),
+	}
+	procs := []ProcessInformation{proc}
+
+	// Execute
+	matches := ScanProcesses(procs, config, nil)
+
+	// Verify
+	if matches != 0 {
+		t.Errorf("Expected 0 matches, got %d", matches)
+	}
+}
+
+func TestScanProcessesYara(t *testing.T) {
+	c, err := yara.NewCompiler()
+	if err != nil {
+		t.Skip("YARA compiler not available: ", err)
+		return
+	}
+	err = c.AddString(`rule test { strings: $a = "yara_match" condition: $a }`, "test")
+	if err != nil {
+		t.Fatal("Failed to compile yara rule:", err)
+	}
+	rules, err := c.GetRules()
+	if err != nil {
+		t.Fatal("Failed to get rules:", err)
+	}
+
+	config := Configuration{}
+	proc := ProcessInformation{
+		PID:         1234,
+		ProcessName: "test_process.exe",
+		MemoryDump:  []byte("Before yara_match After"),
+	}
+
+	matches := ScanProcesses([]ProcessInformation{proc}, config, rules)
+	if matches != 1 {
+		t.Errorf("Expected 1 YARA match, got %d", matches)
+	}
+}