go 1.16 upgrade & archives introspection

codeyourweb · codeyourweb · commit 7342beac8ba8 · 2021-03-13T22:05:53.000+01:00
diff --git a/analysis.go b/analysis.go
@@ -4,14 +4,14 @@ import (
 	"crypto/rc4"
 	b64 "encoding/base64"
 	"fmt"
-	"io/ioutil"
 	"log"
 	"os"
 	"path/filepath"
 	"runtime/debug"
 	"time"
 
-	"github.com/hillu/go-yara"
+	"github.com/h2non/filetype"
+	"github.com/hillu/go-yara/v4"
 )
 
 // FileDescriptor wrap path, filehash and last update into a structure. It is used for performance improvements and avoid reading file if it has not changed
@@ -33,8 +33,14 @@ func FileAnalysis(path string, pQuarantine string, pKill bool, pAggressive bool,
 			log.Println("[ERROR]", path, err)
 		}
 	} else {
-		if RegisterFileInHistory(f, path, &filescanHistory) {
-			content, err = ioutil.ReadFile(path)
+		if RegisterFileInHistory(f, path, &filescanHistory, pVerbose) {
+
+			content, err = os.ReadFile(path)
+			if err != nil && pVerbose {
+				log.Println("[ERROR]", path, err)
+			}
+
+			filetype, err := filetype.Match(content)
 			if err != nil && pVerbose {
 				log.Println("[ERROR]", path, err)
 			}
@@ -43,12 +49,17 @@ func FileAnalysis(path string, pQuarantine string, pKill bool, pAggressive bool,
 				log.Println("[INFO] ["+sourceIndex+"] Analyzing", path)
 			}
 
-			// cleaning memory if file size is greater than 1Gb
-			if len(content) > 1024*1024*1024 {
+			// cleaning memory if file size is greater than 512Mb
+			if len(content) > 1024*1024*cleanIfFileSizeGreaterThan {
 				defer debug.FreeOSMemory()
 			}
 
-			result = PerformYaraScan(&content, rules, pVerbose)
+			// archive or other file format scan
+			if StringInSlice(filetype.MIME.Value, archivesFormats) {
+				result = PerformArchiveYaraScan(path, rules, pVerbose)
+			} else {
+				result = PerformYaraScan(&content, rules, pVerbose)
+			}
 
 			if len(result) > 0 {
 				// windows notifications
@@ -133,7 +144,7 @@ func QuarantineProcess(proc *ProcessInformation, quarantinePath string) (err err
 
 // QuarantineFile dump specified file and cipher them in quarantine folder
 func QuarantineFile(path, quarantinePath string) (err error) {
-	fileContent, err := ioutil.ReadFile(path)
+	fileContent, err := os.ReadFile(path)
 	if err != nil {
 		return err
 	}
@@ -162,7 +173,7 @@ func quarantineContent(content []byte, filename string, quarantinePath string) (
 
 	xPE := make([]byte, len(content))
 	c.XORKeyStream(xPE, content)
-	err = ioutil.WriteFile(quarantinePath+"/"+filename+".irma", []byte(b64.StdEncoding.EncodeToString(xPE)), 0644)
+	err = os.WriteFile(quarantinePath+"/"+filename+".irma", []byte(b64.StdEncoding.EncodeToString(xPE)), 0644)
 	if err != nil {
 		return err
 	}
diff --git a/faker.go b/faker.go
diff --git a/filehelper.go b/filehelper.go
@@ -2,15 +2,14 @@ package main
 
 import (
 	"errors"
-	"io/ioutil"
 	"log"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
 	"time"
 
-	"github.com/hillu/go-yara"
+	"github.com/hillu/go-yara/v4"
 )
 
 // WindowsFileSystemAnalysisRoutine analyse windows filesystem every 300 seconds
@@ -154,7 +153,7 @@ func RetrivesFilesFromUserPath(path string, listFiles bool, includeFileExtension
 		p = append(p, path)
 	} else {
 		if !recursive {
-			files, err := ioutil.ReadDir(path)
+			files, err := os.ReadDir(path)
 			if err != nil {
 				return []string{}, err
 			}
diff --git a/go.mod b/go.mod
@@ -0,0 +1,16 @@
+module github.com/codeyourweb/irma
+
+go 1.16
+
+require (
+	github.com/akamensky/argparse v1.2.2
+	github.com/gen2brain/beeep v0.0.0-20200526185328-e9c15c258e28
+	github.com/gen2brain/go-unarr v0.1.1
+	github.com/go-ole/go-ole v1.2.5
+	github.com/google/gopacket v1.1.19
+	github.com/h2non/filetype v1.1.1
+	github.com/hillu/go-yara/v4 v4.0.4
+	github.com/olekukonko/tablewriter v0.0.5 // indirect
+	github.com/parsiya/golnk v0.0.0-20200515071614-5db3107130ce
+	golang.org/x/sys v0.0.0-20210309074719-68d13333faf2
+)
diff --git a/go.sum b/go.sum
@@ -0,0 +1,49 @@
+github.com/akamensky/argparse v1.2.2 h1:P17T0ZjlUNJuWTPPJ2A5dM1wxarHgHqfYH+AZTo2xQA=
+github.com/akamensky/argparse v1.2.2/go.mod h1:S5kwC7IuDcEr5VeXtGPRVZ5o/FdhcMlQz4IZQuw64xA=
+github.com/gen2brain/beeep v0.0.0-20200526185328-e9c15c258e28 h1:M2Zt3G2w6Q57GZndOYk42p7RvMeO8izO8yKTfIxGqxA=
+github.com/gen2brain/beeep v0.0.0-20200526185328-e9c15c258e28/go.mod h1:ElSskYZe3oM8kThaHGJ+kiN2yyUMVXMZ7WxF9QqLDS8=
+github.com/gen2brain/go-unarr v0.1.1 h1:wZl53oYzEN1PEIA/dPa/FjBq9rRqPmS/Gzul8BdKYK4=
+github.com/gen2brain/go-unarr v0.1.1/go.mod h1:P05CsEe8jVEXhxqXqp9mFKUKFV0BKpFmtgNWf8Mcoos=
+github.com/go-ole/go-ole v1.2.5 h1:t4MGB5xEDZvXI+0rMjjsfBsD7yAgp/s9ZDkL1JndXwY=
+github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
+github.com/go-toast/toast v0.0.0-20190211030409-01e6764cf0a4 h1:qZNfIGkIANxGv/OqtnntR4DfOY2+BgwR60cAcu/i3SE=
+github.com/go-toast/toast v0.0.0-20190211030409-01e6764cf0a4/go.mod h1:kW3HQ4UdaAyrUCSSDR4xUzBKW6O2iA4uHhk7AtyYp10=
+github.com/godbus/dbus/v5 v5.0.3 h1:ZqHaoEF7TBzh4jzPmqVhE/5A1z9of6orkAe5uHoAeME=
+github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
+github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
+github.com/gopherjs/gopherjs v0.0.0-20180825215210-0210a2f0f73c h1:16eHWuMGvCjSfgRJKqIzapE78onvvTbdi1rMkU00lZw=
+github.com/gopherjs/gopherjs v0.0.0-20180825215210-0210a2f0f73c/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gopherjs/gopherwasm v1.1.0 h1:fA2uLoctU5+T3OhOn2vYP0DVT6pxc7xhTlBB1paATqQ=
+github.com/gopherjs/gopherwasm v1.1.0/go.mod h1:SkZ8z7CWBz5VXbhJel8TxCmAcsQqzgWGR/8nMhyhZSI=
+github.com/h2non/filetype v1.1.1 h1:xvOwnXKAckvtLWsN398qS9QhlxlnVXBjXBydK2/UFB4=
+github.com/h2non/filetype v1.1.1/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY=
+github.com/hillu/go-yara/v4 v4.0.4 h1:DxKUyCwk6BG2SONtvkpeuYOdjmHMZ5ybqLdaH2POLRw=
+github.com/hillu/go-yara/v4 v4.0.4/go.mod h1:rkb/gSAoO8qcmj+pv6fDZN4tOa3N7R+qqGlEkzT4iys=
+github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0=
+github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
+github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d h1:VhgPp6v9qf9Agr/56bj7Y/xa04UccTW04VP0Qed4vnQ=
+github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d/go.mod h1:YUTz3bUH2ZwIWBy3CJBeOBEugqcmXREj14T+iG/4k4U=
+github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
+github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
+github.com/parsiya/golnk v0.0.0-20200515071614-5db3107130ce h1:A8XpVS2Jz5/aVqmDh5lyeQA6V8d5IfjXTcDyFWj+JsY=
+github.com/parsiya/golnk v0.0.0-20200515071614-5db3107130ce/go.mod h1:K81/KqyRQt+tqXkg+ENusP67AeIrzJRa2uVlrCYwF5Y=
+github.com/tadvi/systray v0.0.0-20190226123456-11a2b8fa57af h1:6yITBqGTE2lEeTPG04SN9W+iWHCRyHqlVYILiSXziwk=
+github.com/tadvi/systray v0.0.0-20190226123456-11a2b8fa57af/go.mod h1:4F09kP5F+am0jAwlQLddpoMDM+iewkxxt6nxUQ5nq5o=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210309074719-68d13333faf2 h1:46ULzRKLh1CwgRq2dC5SlBzEqqNCi8rreOZnNrbqcIY=
+golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/main.go b/main.go
@@ -23,7 +23,10 @@ var (
 	exit                 = make(chan bool)
 )
 
-var defaultScannedFileExtensions = []string{".txt", ".csv", ".htm", ".html", ".flv", ".f4v", ".avi", ".3gp", ".3g2", ".3gp2", ".3p2", ".divx", ".mp4", ".mkv", ".mov", ".qt", ".asf", ".wmv", ".rm", ".rmvb", ".vob", ".dat", ".mpg", ".mpeg", ".bik", ".fcs", ".mp3", ".mpeg3", ".flac", ".ape", ".ogg", ".aac", ".m4a", ".wma", ".ac3", ".wav", ".mka", ".rm", ".ra", ".ravb", ".mid", ".midi", ".cda", ".jpg", ".jpe", ".jpeg", ".jff", ".gif", ".png", ".bmp", ".tif", ".tiff", ".emf", ".wmf", ".eps", ".psd", ".cdr", ".swf", ".exe", ".lnk", ".dll", ".ps1", ".scr", ".ocx", ".com", ".sys", ".class", ".o", ".so", ".elf", ".prx", ".vb", ".vbs", ".js", ".bat", ".cmd", ".msi", ".msp", ".deb", ".rpm", ".sh", ".pl", ".dylib", ".doc", ".dot", ".docx", ".dotx", ".docm", ".dotm", ".xsl", ".xls", ".xlsx", ".xltx", ".xlsm", ".xltm", ".xlam", ".xlsb", ".ppt", ".pot", ".pps", ".pptx", ".potx", ".pptm", ".potm", ".ppsx", ".ppsm", ".rtf", ".pdf", ".msg", ".eml", ".vsd", ".vss", ".vst", ".vdx", ".vsx", ".vtx", ".xps", ".oxps", ".one", ".onepkg", ".xsn", ".odt", ".ods", ".odp", ".sxw", ".pub", ".mdb", ".accdb", ".accde", ".accdr", ".accdc", ".chm", ".mht", ".zip", ".7z", ".7-z", ".rar", ".iso", ".cab", ".jar", ".bz", ".bz2", ".tbz", ".tbz2", ".gz", ".tgz", ".arj", ".dmg", ".smi", ".img", ".xar"}
+var defaultScannedFileExtensions = []string{".txt", ".csv", ".htm", ".html", ".flv", ".f4v", ".avi", ".3gp", ".3g2", ".3gp2", ".3p2", ".divx", ".mp4", ".mkv", ".mov", ".qt", ".asf", ".wmv", ".rm", ".rmvb", ".vob", ".dat", ".mpg", ".mpeg", ".bik", ".fcs", ".mp3", ".mpeg3", ".flac", ".ape", ".ogg", ".aac", ".m4a", ".wma", ".ac3", ".wav", ".mka", ".rm", ".ra", ".ravb", ".mid", ".midi", ".cda", ".jpg", ".jpe", ".jpeg", ".jff", ".gif", ".png", ".bmp", ".tif", ".tiff", ".emf", ".wmf", ".eps", ".psd", ".cdr", ".swf", ".exe", ".lnk", ".dll", ".ps1", ".scr", ".ocx", ".com", ".sys", ".class", ".o", ".so", ".elf", ".prx", ".vb", ".vbs", ".js", ".bat", ".cmd", ".msi", ".msp", ".deb", ".rpm", ".sh", ".pl", ".dylib", ".doc", ".dot", ".docx", ".dotx", ".docm", ".dotm", ".xsl", ".xls", ".xlsx", ".xltx", ".xlsm", ".xltm", ".xlam", ".xlsb", ".ppt", ".pot", ".pps", ".pptx", ".potx", ".pptm", ".potm", ".ppsx", ".ppsm", ".rtf", ".pdf", ".msg", ".eml", ".vsd", ".vss", ".vst", ".vdx", ".vsx", ".vtx", ".xps", ".oxps", ".one", ".onepkg", ".xsn", ".odt", ".ods", ".odp", ".sxw", ".pub", ".mdb", ".accdb", ".accde", ".accdr", ".accdc", ".chm", ".mht", ".zip", ".7z", ".7-z", ".rar", ".iso", ".cab", ".jar", ".arj", ".dmg", ".smi", ".img", ".xar"}
+var archivesFormats = []string{"application/x-7z-compressed", "application/zip", "application/vnd.rar"}
+var maxFilesizeScan = 1024
+var cleanIfFileSizeGreaterThan = 512
 
 func main() {
 	var err error
diff --git a/procsmemory.go b/procsmemory.go
@@ -4,14 +4,13 @@ import (
 	"bytes"
 	"crypto/md5"
 	"fmt"
-	"io/ioutil"
 	"log"
 	"os"
 	"strings"
 	"syscall"
 	"time"
 
-	"github.com/hillu/go-yara"
+	"github.com/hillu/go-yara/v4"
 	"golang.org/x/sys/windows"
 )
 
@@ -199,7 +198,7 @@ func WriteProcessMemoryToFile(path string, file string, data []byte) (err error)
 		}
 	}
 
-	if err := ioutil.WriteFile(path+"/"+file, data, 0644); err != nil {
+	if err := os.WriteFile(path+"/"+file, data, 0644); err != nil {
 		return err
 	}
 
diff --git a/resources/fake_process.exe b/resources/fake_process.exe
diff --git a/utils.go b/utils.go
@@ -8,7 +8,14 @@ import (
 )
 
 // RegisterFileInHistory check if file is already known and hasn't change in files history return true if file is append to history and false if it is already known as is.
-func RegisterFileInHistory(f os.FileInfo, path string, history *[]FileDescriptor) bool {
+func RegisterFileInHistory(f os.FileInfo, path string, history *[]FileDescriptor, verbose bool) bool {
+	if int(f.Size()) > 1024*1024*maxFilesizeScan {
+		if verbose {
+			log.Println("[INFO]", path, "skipped - larger than", maxFilesizeScan, "Mb")
+		}
+		return true
+	}
+
 	for i, h := range *history {
 		if h.FilePath == path {
 			if h.LastModified == f.ModTime() && h.FileSize == f.Size() {
diff --git a/windowslnkparser.go b/windowslnkparser.go
@@ -6,7 +6,7 @@ import (
 	"os"
 	"time"
 
-	"github.com/hillu/go-yara"
+	"github.com/hillu/go-yara/v4"
 	golnk "github.com/parsiya/golnk"
 )
 
diff --git a/windowsregistry.go b/windowsregistry.go
@@ -6,7 +6,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/hillu/go-yara"
+	"github.com/hillu/go-yara/v4"
 	"golang.org/x/sys/windows/registry"
 )
 
diff --git a/windowstaskscheduler.go b/windowstaskscheduler.go
@@ -7,7 +7,7 @@ import (
 
 	ole "github.com/go-ole/go-ole"
 	oleutil "github.com/go-ole/go-ole/oleutil"
-	"github.com/hillu/go-yara"
+	"github.com/hillu/go-yara/v4"
 )
 
 // Task is a task found in Windows Task Scheduler
diff --git a/yaraProcessing.go b/yaraProcessing.go
@@ -1,12 +1,14 @@
 package main
 
 import (
+	"bytes"
 	"errors"
 	"log"
 	"os"
 	"path/filepath"
 
-	"github.com/hillu/go-yara"
+	"github.com/gen2brain/go-unarr"
+	"github.com/hillu/go-yara/v4"
 )
 
 // PerformYaraScan use provided YARA rules and search for match in the given byte slice
@@ -19,6 +21,42 @@ func PerformYaraScan(data *[]byte, rules *yara.Rules, verbose bool) yara.MatchRu
 	return result
 }
 
+// PerformArchiveYaraScan try to decompress archive and YARA scan every file in it
+func PerformArchiveYaraScan(path string, rules *yara.Rules, verbose bool) yara.MatchRules {
+	var buffer [][]byte
+
+	a, err := unarr.NewArchive(path)
+	if err != nil && verbose {
+		log.Println("[ERROR]", err)
+	}
+	defer a.Close()
+
+	list, err := a.List()
+	if err != nil && verbose {
+		log.Println("[ERROR]", err)
+	}
+	for _, f := range list {
+		err := a.EntryFor(f)
+		if err != nil && verbose {
+			log.Println("[ERROR]", err)
+		}
+
+		data, err := a.ReadAll()
+		if err != nil && verbose {
+			log.Println("[ERROR]", err)
+		}
+
+		buffer = append(buffer, data)
+	}
+
+	result, err := YaraScan(bytes.Join(buffer, []byte{}), rules)
+	if err != nil && verbose {
+		log.Println("[ERROR]", err)
+	}
+
+	return result
+}
+
 // SearchForYaraFiles search *.yar file by walking recursively from specified input path
 func SearchForYaraFiles(path string, verbose bool) (rules []string) {
 	rules, err := RetrivesFilesFromUserPath(path, true, []string{".yar"}, true, verbose)

Original file line number	Diff line number	Diff line change
`@@ -4,14 +4,13 @@ import (`
`4`	`4`	`"bytes"`
`5`	`5`	`"crypto/md5"`
`6`	`6`	`"fmt"`
`7`		`- "io/ioutil"`
`8`	`7`	`"log"`
`9`	`8`	`"os"`
`10`	`9`	`"strings"`
`11`	`10`	`"syscall"`
`12`	`11`	`"time"`
`13`	`12`
`14`		`- "github.com/hillu/go-yara"`
	`13`	`+ "github.com/hillu/go-yara/v4"`
`15`	`14`	`"golang.org/x/sys/windows"`
`16`	`15`	`)`
`17`	`16`
`@@ -199,7 +198,7 @@ func WriteProcessMemoryToFile(path string, file string, data []byte) (err error)`
`199`	`198`	`}`
`200`	`199`	`}`
`201`	`200`
`202`		`- if err := ioutil.WriteFile(path+"/"+file, data, 0644); err != nil {`
	`201`	`+ if err := os.WriteFile(path+"/"+file, data, 0644); err != nil {`
`203`	`202`	`return err`
`204`	`203`	`}`
`205`	`204`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ import (`
`6`	`6`	`"os"`
`7`	`7`	`"time"`
`8`	`8`
`9`		`- "github.com/hillu/go-yara"`
	`9`	`+ "github.com/hillu/go-yara/v4"`
`10`	`10`	`golnk "github.com/parsiya/golnk"`
`11`	`11`	`)`
`12`	`12`