Merge pull request #8 from codeyourweb/dev

3.6.0 release

Author: codeyourweb

README.md

@@ -7,8 +7,8 @@
 [![Go Version](https://img.shields.io/badge/Go-1.24+-00ADD8?style=flat-square&logo=go)](https://golang.org)
 [![License](https://img.shields.io/github/license/codeyourweb/fastfinder?style=flat-square)](LICENSE)
 [![Release](https://img.shields.io/github/v/release/codeyourweb/fastfinder?style=flat-square)](https://github.com/codeyourweb/fastfinder/releases)
-[![Build Status](https://img.shields.io/github/actions/workflow/status/codeyourweb/fastfinder/go_build_windows.yml?style=flat-square&label=Windows)](https://github.com/codeyourweb/fastfinder/actions)
-[![Build Status](https://img.shields.io/github/actions/workflow/status/codeyourweb/fastfinder/go_build_linux.yml?style=flat-square&label=Linux)](https://github.com/codeyourweb/fastfinder/actions)
+[![Build Status](https://img.shields.io/github/actions/workflow/status/codeyourweb/fastfinder/go_build_windows_amd64.yml?style=flat-square&label=Windows)](https://github.com/codeyourweb/fastfinder/actions)
+[![Build Status](https://img.shields.io/github/actions/workflow/status/codeyourweb/fastfinder/go_build_linux_amd64.yml?style=flat-square&label=Linux)](https://github.com/codeyourweb/fastfinder/actions)
 [![Platform Support](https://img.shields.io/badge/Platform-Windows%20%7C%20Linux-brightgreen?style=flat-square)](#installation)
 
 ## ✨ Overview
@@ -148,6 +148,7 @@ options:
     findInRemovableDrives: true # enumerate removable drive content 
     findInNetworkDrives: true # enumerate network drive content
     findInCDRomDrives: true # enumerate physical CD-ROM and mounted iso / vhd...
+    findInMemory: true # check for results in processes memory
 output:
     copyMatchingFiles: true # create a copy of every matching file
     base64Files: true # base64 matched content before copy

config_integration_test.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"os"
+	"os/exec"
 	"path/filepath"
 	"testing"
 )
@@ -108,14 +109,26 @@ func TestConfigurationMissingRequired(t *testing.T) {
 
 // TestConfigurationEmpty tests handling of empty configuration
 func TestConfigurationEmpty(t *testing.T) {
+	if os.Getenv("TEST_CONFIGURATION_EMPTY_SUBPROCESS") == "1" {
+		tmpFile := os.Getenv("TEST_CONFIGURATION_EMPTY_FILE")
+		var config Configuration
+		config.getConfiguration(tmpFile)
+		return
+	}
+
 	tmpFile := filepath.Join(t.TempDir(), "empty_config.yml")
 	os.WriteFile(tmpFile, []byte(""), 0644)
 
-	var config Configuration
-	config.getConfiguration(tmpFile)
+	cmd := exec.Command(os.Args[0], "-test.run=TestConfigurationEmpty")
+	cmd.Env = append(os.Environ(), "TEST_CONFIGURATION_EMPTY_SUBPROCESS=1", "TEST_CONFIGURATION_EMPTY_FILE="+tmpFile)
+	err := cmd.Run()
 
-	// Verify no panic occurred
-	t.Log("Empty configuration handled gracefully")
+	// We expect an exit error here because LogFatal calls os.Exit(1)
+	if e, ok := err.(*exec.ExitError); ok && !e.Success() {
+		t.Log("Empty configuration triggered exit as expected")
+		return
+	}
+	t.Fatalf("process ran with err %v, want exit status 1", err)
 }
 
 // TestConfigurationYARAWithRC4 tests YARA section with RC4 encryption

configuration.go

@@ -13,12 +13,6 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
-type ConfigurationObject struct {
-	Line int
-
-	Configuration
-}
-
 type Configuration struct {
 	Input              Input              `yaml:"input"`
 	Options            Options            `yaml:"options"`
@@ -45,7 +39,7 @@ type Options struct {
 	FindInRemovableDrives          bool `yaml:"findInRemovableDrives"`
 	FindInNetworkDrives            bool `yaml:"findInNetworkDrives"`
 	FindInCDRomDrives              bool `yaml:"findInCDRomDrives"`
-	ScanMemory                     bool `yaml:"scanMemory"`
+	FindInMemory                   bool `yaml:"findInMemory"`
 }
 
 type Output struct {
@@ -60,17 +54,6 @@ type AdvancedParameters struct {
 	CleanMemoryIfFileGreaterThanSize int    `yaml:"cleanMemoryIfFileGreaterThanSize"`
 }
 
-func (i *ConfigurationObject) UnmarshalYAML(value *yaml.Node) error {
-	err := value.Decode(&i.Configuration)
-	if err != nil {
-		return err
-	}
-
-	i.Line = value.Line
-
-	return nil
-}
-
 func (c *Configuration) getConfiguration(configFile string) *Configuration {
 	var yamlContent []byte
 	var err error
@@ -107,15 +90,14 @@ func (c *Configuration) getConfiguration(configFile string) *Configuration {
 		yamlContent = RC4Cipher(yamlContent, BUILDER_RC4_KEY)
 	}
 
-	var o ConfigurationObject
-	err = yaml.Unmarshal(yamlContent, &o)
+	decoder := yaml.NewDecoder(bytes.NewReader(yamlContent))
+	decoder.KnownFields(true)
+	err = decoder.Decode(c)
 
 	if err != nil {
 		LogFatal(fmt.Sprintf("%s - %v", configFile, err))
 	}
 
-	*c = o.Configuration
-
 	// check for specific user configuration params inconsistencies
 	if len(c.Input.Path) == 0 || (len(c.Input.Content.Grep) == 0 && len(c.Input.Content.Yara) == 0 && len(c.Input.Content.Checksum) == 0) {
 		c.Options.ContentMatchDependsOnPathMatch = false
@@ -203,5 +185,6 @@ func (c *Configuration) getConfiguration(configFile string) *Configuration {
 		}
 	}
 
+	LogMessage(LOG_INFO, "Configuration loaded")
 	return c
-}
+}

event_forwarding.go

@@ -24,6 +24,7 @@ type EventForwarder struct {
 	currentFilePath string
 	lastRotation    time.Time
 	fileMutex       sync.Mutex
+	wg              sync.WaitGroup
 }
 
 // FastFinderEvent represents an event to be forwarded
@@ -133,6 +134,7 @@ func InitializeEventForwarding(config *ForwardingConfig) error {
 		httpClient:  httpClient,
 	}
 
+	eventForwarder.wg.Add(1)
 	// Start the forwarding goroutine
 	go eventForwarder.forwardingLoop()
 
@@ -190,6 +192,30 @@ func ForwardAlertEvent(ruleName, filePath string, fileSize int64, fileHash strin
 	ForwardEvent("alert", "high", fmt.Sprintf("YARA rule match: %s in %s", ruleName, filePath), metadata)
 }
 
+// ForwardGrepMatchEvent forwards a Grep match event
+func ForwardGrepMatchEvent(pattern, filePath string, fileSize int64, metadata map[string]string) {
+	if metadata == nil {
+		metadata = make(map[string]string)
+	}
+	metadata["grep_pattern"] = pattern
+	metadata["file_path"] = filePath
+	metadata["file_size"] = fmt.Sprintf("%d", fileSize)
+
+	ForwardEvent("alert", "high", fmt.Sprintf("Grep match: %s in %s", pattern, filePath), metadata)
+}
+
+// ForwardChecksumMatchEvent forwards a Checksum match event
+func ForwardChecksumMatchEvent(checksum, filePath string, fileSize int64, metadata map[string]string) {
+	if metadata == nil {
+		metadata = make(map[string]string)
+	}
+	metadata["checksum"] = checksum
+	metadata["file_path"] = filePath
+	metadata["file_size"] = fmt.Sprintf("%d", fileSize)
+
+	ForwardEvent("alert", "high", fmt.Sprintf("Checksum match: %s in %s", checksum, filePath), metadata)
+}
+
 // ForwardScanCompleteEvent forwards scan completion statistics
 func ForwardScanCompleteEvent(filesScanned, matchesFound, errorsEncountered int, duration time.Duration) {
 	if eventForwarder == nil {
@@ -243,6 +269,7 @@ func (ef *EventForwarder) shouldForwardEvent(eventType, severity string) bool {
 
 // forwardingLoop runs the periodic event forwarding
 func (ef *EventForwarder) forwardingLoop() {
+	defer ef.wg.Done()
 	ticker := time.NewTicker(time.Duration(ef.config.FlushTime) * time.Second)
 	defer ticker.Stop()
 
@@ -466,11 +493,14 @@ func (ef *EventForwarder) cleanOldFiles() {
 // StopEventForwarding stops the event forwarding system
 func StopEventForwarding() {
 	if eventForwarder != nil {
+		close(eventForwarder.stopChannel)
+		eventForwarder.wg.Wait()
+
 		// Close current file if open
 		if eventForwarder.currentFile != nil {
 			eventForwarder.currentFile.Close()
+			eventForwarder.currentFile = nil
 		}
-		close(eventForwarder.stopChannel)
 		eventForwarder = nil
 	}
 }

examples/CISA-AA21-259A/CISA-AA21-259A.yaml

@@ -29,7 +29,7 @@ options:
     findInRemovableDrives: false
     findInNetworkDrives: false
     findInCDRomDrives: false
-    scanMemory: false
+    findInMemory: false
 output:
     copyMatchingFiles: false
     base64Files: false

examples/React2Shell/react2shell.yaml

@@ -24,7 +24,7 @@ options:
     findInRemovableDrives: true
     findInNetworkDrives: true
     findInCDRomDrives: true
-    scanMemory: true
+    findInMemory: true
 output:
     copyMatchingFiles: false
     base64Files: false

examples/example_configuration_api_triage.yaml

@@ -11,7 +11,7 @@ options:
     findInRemovableDrives: false
     findInNetworkDrives: false
     findInCDRomDrives: false
-    scanMemory: false
+    findInMemory: false
 output:
     copyMatchingFiles: false
     base64Files: false

examples/example_configuration_distant.yaml

@@ -12,7 +12,7 @@ options:
     findInRemovableDrives: false
     findInNetworkDrives: false
     findInCDRomDrives: false
-    scanMemory: false
+    findInMemory: false
 output:
     copyMatchingFiles: false
     base64Files: false

examples/example_configuration_docker_triage.yaml

@@ -38,7 +38,7 @@ options:
   findInRemovableDrives: false
   findInNetworkDrives: false
   findInCDRomDrives: false
-  scanMemory: false
+  findInMemory: false
 output:
   copyMatchingFiles: true
   base64Files: true

examples/example_configuration_linux.yaml

@@ -14,7 +14,7 @@ options:
     findInRemovableDrives: false
     findInNetworkDrives: false
     findInCDRomDrives: false
-    scanMemory: true
+    findInMemory: true
 output:
     copyMatchingFiles: false
     base64Files: false