performance improvements

Author: codeyourweb

analysis.go

@@ -1,14 +1,14 @@
 package main
 
 import (
-	"crypto/md5"
 	"crypto/rc4"
 	b64 "encoding/base64"
 	"fmt"
 	"io/ioutil"
 	"log"
 	"os"
 	"path/filepath"
+	"runtime/debug"
 	"time"
 
 	"github.com/hillu/go-yara"
@@ -28,8 +28,10 @@ func FileAnalysis(path string, pQuarantine string, pKill bool, pAggressive bool,
 	var content []byte
 	var result yara.MatchRules
 
-	if f, err = os.Stat(path); err != nil && pVerbose {
-		log.Println("[ERROR]", path, err)
+	if f, err = os.Stat(path); err != nil {
+		if pVerbose {
+			log.Println("[ERROR]", path, err)
+		}
 	} else {
 		if RegisterFileInHistory(f, path, &filescanHistory) {
 			content, err = ioutil.ReadFile(path)
@@ -41,7 +43,12 @@ func FileAnalysis(path string, pQuarantine string, pKill bool, pAggressive bool,
 				log.Println("[INFO] ["+sourceIndex+"] Analyzing", path)
 			}
 
-			result = PerformYaraScan(content, rules, pVerbose)
+			// cleaning memory if file size is greater than 1Gb
+			if len(content) > 1024*1024*1024 {
+				defer debug.FreeOSMemory()
+			}
+
+			result = PerformYaraScan(&content, rules, pVerbose)
 
 			if len(result) > 0 {
 				// windows notifications
@@ -73,51 +80,45 @@ func FileAnalysis(path string, pQuarantine string, pKill bool, pAggressive bool,
 }
 
 // MemoryAnalysis sub-routine for running processes analysis
-func MemoryAnalysis(proc ProcessInformation, pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
-	memoryHash := fmt.Sprintf("%x", md5.Sum(proc.ProcessMemory))
+func MemoryAnalysis(proc *ProcessInformation, pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
+	if pVerbose {
+		log.Println("[INFO] [MEMORY] Analyzing", proc.ProcessName, "PID:", proc.PID)
+	}
 
-	// if hash isn't already whitelisted, yara scan it
-	if !StringInSlice(memoryHash, memoryscanHistory) {
-		if pVerbose {
-			log.Println("[INFO] [MEMORY] Analyzing", proc.ProcessName, "PID:", proc.PID)
+	result := PerformYaraScan(&proc.MemoryDump, rules, pVerbose)
+	if len(result) > 0 {
+		// windows notifications
+		if pNotifications {
+			NotifyUser("YARA match", proc.ProcessName+" - PID:"+fmt.Sprint(proc.PID)+" match "+fmt.Sprint(len(result))+" rules")
 		}
 
-		result := PerformYaraScan(proc.ProcessMemory, rules, pVerbose)
-		if len(result) > 0 {
-			// windows notifications
-			if pNotifications {
-				NotifyUser("YARA match", proc.ProcessName+" - PID:"+fmt.Sprint(proc.PID)+" match "+fmt.Sprint(len(result))+" rules")
-			}
-
-			// logging
-			for _, match := range result {
-				log.Println("[ALERT]", "[MEMORY] YARA match", proc.ProcessName, "PID:", fmt.Sprint(proc.PID), match.Namespace, match.Rule)
-			}
+		// logging
+		for _, match := range result {
+			log.Println("[ALERT]", "[MEMORY] YARA match", proc.ProcessName, "PID:", fmt.Sprint(proc.PID), match.Namespace, match.Rule)
+		}
 
-			// dump matching process to quarantine
-			if len(pQuarantine) > 0 {
-				log.Println("[INFO]", "DUMPING PID", proc.PID)
-				err := QuarantineProcess(proc, pQuarantine)
-				if err != nil {
-					log.Println("[ERROR]", "Cannot quarantine PID", proc.PID, err)
-				}
+		// dump matching process to quarantine
+		if len(pQuarantine) > 0 {
+			log.Println("[INFO]", "DUMPING PID", proc.PID)
+			err := QuarantineProcess(proc, pQuarantine)
+			if err != nil {
+				log.Println("[ERROR]", "Cannot quarantine PID", proc.PID, err)
 			}
+		}
 
-			// killing process
-			if pKill {
-				log.Println("[INFO]", "KILLING PID", proc.PID)
-				KillProcessByID(proc.PID, pVerbose)
-			}
-		} else {
-			memoryscanHistory = append(memoryscanHistory, memoryHash)
+		// killing process
+		if pKill {
+			log.Println("[INFO]", "KILLING PID", proc.PID)
+			KillProcessByID(proc.PID, pVerbose)
 		}
 	}
+
 }
 
 // QuarantineProcess dump process memory and cipher them in quarantine folder
-func QuarantineProcess(proc ProcessInformation, quarantinePath string) (err error) {
+func QuarantineProcess(proc *ProcessInformation, quarantinePath string) (err error) {
 
-	err = quarantineContent(proc.ProcessMemory, proc.ProcessName+fmt.Sprint(proc.PID)+".mem", quarantinePath)
+	err = quarantineContent(proc.MemoryDump, proc.ProcessName+fmt.Sprint(proc.PID)+".mem", quarantinePath)
 	if err != nil {
 		return err
 	}

main.go

@@ -17,8 +17,8 @@ import (
 
 var (
 	notificationsHistory []string
-	filescanHistory      []string
-	memoryscanHistory    []string
+	filescanHistory      []FileDescriptor
+	memoryHashHistory    []string
 	killQueue            []string
 	exit                 = make(chan bool)
 )

procsmemory.go

@@ -17,10 +17,10 @@ import (
 
 // ProcessInformation wrap basic process information and memory dump in a structure
 type ProcessInformation struct {
-	PID           uint32
-	ProcessName   string
-	ProcessPath   string
-	ProcessMemory []byte
+	PID         uint32
+	ProcessName string
+	ProcessPath string
+	MemoryDump  []byte
 }
 
 // MemoryAnalysisRoutine analyse processes memory every 5 seconds
@@ -29,28 +29,34 @@ func MemoryAnalysisRoutine(pDump string, pQuarantine string, pKill bool, pAggres
 		// list process information and memory
 		procs := ListProcess(pVerbose)
 
-		// dump process memory and quit the program
-		if len(pDump) > 0 {
-			for _, proc := range procs {
-				if err := WriteProcessMemoryToFile(pDump, proc.ProcessName+fmt.Sprint(proc.PID)+".dmp", proc.ProcessMemory); err != nil && pVerbose {
+		// analyze process memory and executable
+		for _, proc := range procs {
+			// dump processes memory and quit the program
+			if len(pDump) > 0 {
+				if err := WriteProcessMemoryToFile(pDump, proc.ProcessName+fmt.Sprint(proc.PID)+".dmp", proc.MemoryDump); err != nil && pVerbose {
 					log.Println("[ERROR]", err)
 				}
 			}
-			os.Exit(0)
-		}
-
-		// analyze process memory and executable
-		for _, proc := range procs {
 
 			// parsing kill queue
 			if StringInSlice(proc.ProcessPath, killQueue) && pKill {
 				log.Println("[INFO]", "KILLING PID", proc.PID)
 				KillProcessByID(proc.PID, pVerbose)
 			} else {
-				MemoryAnalysis(proc, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules)
+				// analyzing process memory and cleaning memory buffer
+				MemoryAnalysis(&proc, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules)
+				proc.MemoryDump = nil
+
+				// analyzing process executable
 				FileAnalysis(proc.ProcessPath, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules, "MEMORY")
 			}
 		}
+
+		if len(pDump) > 0 {
+			log.Println("[INFO] Processes memory dump completed - Exiting program.")
+			os.Exit(0)
+		}
+
 		killQueue = nil
 
 		time.Sleep(5 * time.Second)
@@ -73,38 +79,53 @@ func ListProcess(verbose bool) (procsInfo []ProcessInformation) {
 			}
 
 			if err == nil && procHandle > 0 {
-				procFilename, modules, err := GetProcessModulesHandles(procHandle)
-				if err == nil {
-					for _, moduleHandle := range modules {
-						if moduleHandle != 0 {
-							moduleRawName, err := GetModuleFileNameEx(procHandle, moduleHandle, 512)
-							if err != nil && verbose {
-								log.Println("[ERROR]", err)
-							}
-							moduleRawName = bytes.Trim(moduleRawName, "\x00")
-							modulePath := strings.Split(string(moduleRawName), "\\")
-							moduleFileName := modulePath[len(modulePath)-1]
-
-							if procFilename == moduleFileName {
-								memdump := DumpModuleMemory(procHandle, moduleHandle, verbose)
-								if len(memdump) > 0 {
-									proc := ProcessInformation{PID: procsIds[i], ProcessName: procFilename, ProcessPath: string(moduleRawName), ProcessMemory: memdump}
-									if !StringInSlice(fmt.Sprintf("%x", md5.Sum(memdump)), memoryscanHistory) {
-										procsInfo = append(procsInfo, proc)
-										memoryscanHistory = append(memoryscanHistory, fmt.Sprintf("%x", md5.Sum(memdump)))
-									}
-								}
-							}
+				if proc, memdump, err := GetProcessMemory(procsIds[i], procHandle, verbose); err != nil && verbose {
+					log.Println("[ERROR]", err)
+				} else {
+					if len(memdump) > 0 {
+						// return process memory only if it has changed since the last process scan
+						if !StringInSlice(fmt.Sprintf("%x", md5.Sum(memdump)), memoryHashHistory) {
+							proc.MemoryDump = memdump
+							procsInfo = append(procsInfo, proc)
+							memoryHashHistory = append(memoryHashHistory, fmt.Sprintf("%x", md5.Sum(memdump)))
 						}
 					}
 				}
+
 			}
 			windows.CloseHandle(procHandle)
 		}
 	}
 	return procsInfo
 }
 
+// GetProcessMemory return a process memory dump based on its handle
+func GetProcessMemory(pid uint32, handle windows.Handle, verbose bool) (ProcessInformation, []byte, error) {
+
+	procFilename, modules, err := GetProcessModulesHandles(handle)
+	if err != nil {
+		return ProcessInformation{}, nil, fmt.Errorf("Unable to get PID %d memory: %s", pid, err.Error())
+	}
+
+	for _, moduleHandle := range modules {
+		if moduleHandle != 0 {
+			moduleRawName, err := GetModuleFileNameEx(handle, moduleHandle, 512)
+			if err != nil {
+				return ProcessInformation{}, nil, err
+			}
+			moduleRawName = bytes.Trim(moduleRawName, "\x00")
+			modulePath := strings.Split(string(moduleRawName), "\\")
+			moduleFileName := modulePath[len(modulePath)-1]
+
+			if procFilename == moduleFileName {
+				return ProcessInformation{PID: pid, ProcessName: procFilename, ProcessPath: string(moduleRawName)}, DumpModuleMemory(handle, moduleHandle, verbose), nil
+			}
+		}
+	}
+
+	return ProcessInformation{}, nil, fmt.Errorf("Unable to get PID %d memory: no module corresponding to process name", pid)
+}
+
 // KillProcessByID try to kill the specified PID
 func KillProcessByID(procID uint32, verbose bool) (err error) {
 	hProc, err := GetProcessHandle(procID, windows.PROCESS_QUERY_INFORMATION|windows.PROCESS_TERMINATE)

yaraProcessing.go

@@ -10,8 +10,8 @@ import (
 )
 
 // PerformYaraScan use provided YARA rules and search for match in the given byte slice
-func PerformYaraScan(data []byte, rules *yara.Rules, verbose bool) yara.MatchRules {
-	result, err := YaraScan(data, rules)
+func PerformYaraScan(data *[]byte, rules *yara.Rules, verbose bool) yara.MatchRules {
+	result, err := YaraScan(*data, rules)
 	if err != nil && verbose {
 		log.Println("[ERROR]", err)
 	}