Implement memory scanning feature and enhance configuration options; update examples and documentation

Author: codeyourweb

README.md

@@ -133,7 +133,7 @@ fastfinder [OPTIONS]
 > 💡 **Tip**: FastFinder can run with standard user privileges, but administrative rights provide access to all system files.
 
 ### Scan and export file match according to your needs
-configuration examples are available [there](./examples)
+configuration examples are available [there](./examples). Here is a full configuration blank example. You do not need to implement every attribute if you are not using everything.
 
 ```yaml 
 input:
@@ -143,7 +143,7 @@ input:
         yara: [] # use yara rule and specify rules path(s) for more complex pattern search (wildcards / regex / conditions) 
         checksum: [] # parse for md5/sha1/sha256 in file content 
 options:
-    contentMatchDependsOnPathMatch: true # if true, paths are a pre-filter for content searchs. If false, paths and content both generate matchs
+    contentMatchDependsOnPathMatch: true # if true, paths are a pre-filter for grep (string) searches only. YARA and Checksums are always evaluated.
     findInHardDrives: true	# enumerate hard drive content
     findInRemovableDrives: true # enumerate removable drive content 
     findInNetworkDrives: true # enumerate network drive content
@@ -215,7 +215,7 @@ project/
 ### Important notes
 * input path are always case INSENSITIVE
 * content search on string (grep) are always case SENSITIVE
-* backslashes SHOULD NOT be escaped (except with regular expressions)
+* backslashes HAVE TO be escaped (except with regular expressions)
 * **YARA rules must exist** - missing rules will cause FastFinder to exit with an error
 For more informations, take a look at the [examples](./examples)
 

configuration.go

@@ -28,8 +28,9 @@ type Configuration struct {
 }
 
 type Input struct {
-	Path    []string `yaml:"path"`
-	Content Content  `yaml:"content"`
+	Path        []string `yaml:"path"`
+	DirectPaths []string `yaml:"-"`
+	Content     Content  `yaml:"content"`
 }
 
 type Content struct {
@@ -44,6 +45,7 @@ type Options struct {
 	FindInRemovableDrives          bool `yaml:"findInRemovableDrives"`
 	FindInNetworkDrives            bool `yaml:"findInNetworkDrives"`
 	FindInCDRomDrives              bool `yaml:"findInCDRomDrives"`
+	ScanMemory                     bool `yaml:"scanMemory"`
 }
 
 type Output struct {
@@ -135,6 +137,8 @@ func (c *Configuration) getConfiguration(configFile string) *Configuration {
 
 	// parsing input paths
 	environmentVariables := GetEnvironmentVariables()
+	allPathsAreDirect := true
+	var directPaths []string
 
 	for i := 0; i < len(c.Input.Path); i++ {
 		// replace environment variables
@@ -144,6 +148,20 @@ func (c *Configuration) getConfiguration(configFile string) *Configuration {
 			}
 		}
 
+		// check for direct paths validity
+		if allPathsAreDirect {
+			rawPath := c.Input.Path[i]
+			if strings.Contains(rawPath, "*") || strings.Contains(rawPath, "?") || (strings.HasPrefix(rawPath, "/") && strings.HasSuffix(rawPath, "/")) {
+				allPathsAreDirect = false
+			} else {
+				if _, err := os.Stat(rawPath); err != nil {
+					allPathsAreDirect = false
+				} else {
+					directPaths = append(directPaths, rawPath)
+				}
+			}
+		}
+
 		// handle regex and simple find strings
 		if c.Input.Path[i][0] != '/' || c.Input.Path[i][len(c.Input.Path[i])-1] != '/' {
 			c.Input.Path[i] = regexp.QuoteMeta(strings.ToLower(c.Input.Path[i]))
@@ -165,6 +183,10 @@ func (c *Configuration) getConfiguration(configFile string) *Configuration {
 
 	}
 
+	if allPathsAreDirect && len(directPaths) > 0 {
+		c.Input.DirectPaths = directPaths
+	}
+
 	// normalize checksums
 	for i := 0; i < len(c.Input.Content.Checksum); i++ {
 		c.Input.Content.Checksum[i] = strings.ToLower(c.Input.Content.Checksum[i])

examples/CISA-AA21-259A/CISA-AA21-259A.yaml

@@ -29,6 +29,7 @@ options:
     findInRemovableDrives: false
     findInNetworkDrives: false
     findInCDRomDrives: false
+    scanMemory: false
 output:
     copyMatchingFiles: false
     base64Files: false

examples/React2Shell/react2shell.yaml

@@ -24,6 +24,7 @@ options:
     findInRemovableDrives: true
     findInNetworkDrives: true
     findInCDRomDrives: true
+    scanMemory: true
 output:
     copyMatchingFiles: false
     base64Files: false

examples/example_configuration_api_triage.yaml

@@ -11,6 +11,7 @@ options:
     findInRemovableDrives: false
     findInNetworkDrives: false
     findInCDRomDrives: false
+    scanMemory: false
 output:
     copyMatchingFiles: false
     base64Files: false

examples/example_configuration_distant.yaml

@@ -12,6 +12,7 @@ options:
     findInRemovableDrives: false
     findInNetworkDrives: false
     findInCDRomDrives: false
+    scanMemory: false
 output:
     copyMatchingFiles: false
     base64Files: false

examples/example_configuration_docker_triage.yaml

@@ -38,7 +38,7 @@ options:
   findInRemovableDrives: false
   findInNetworkDrives: false
   findInCDRomDrives: false
-
+  scanMemory: false
 output:
   copyMatchingFiles: true
   base64Files: true

examples/example_configuration_linux.yaml

@@ -14,6 +14,7 @@ options:
     findInRemovableDrives: false
     findInNetworkDrives: false
     findInCDRomDrives: false
+    scanMemory: true
 output:
     copyMatchingFiles: false
     base64Files: false

examples/example_configuration_windows.yaml

@@ -20,6 +20,7 @@ options:
     findInRemovableDrives: false
     findInNetworkDrives: false
     findInCDRomDrives: false
+    scanMemory: true
 output:
     copyMatchingFiles: false
     base64Files: false

examples/linux-fontonlake/eset_fontonlake_linux.yaml

@@ -48,6 +48,7 @@ options:
     findInRemovableDrives: false
     findInNetworkDrives: false
     findInCDRomDrives: false
+    scanMemory: false
 output:
     copyMatchingFiles: false
     base64Files: false