d-eyes/deyes_linux.go
package main
import (
	"fmt"
	"log"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"time"

	"github.com/gookit/color"
	"github.com/urfave/cli/v2"
	"github.com/xuri/excelize/v2"

	"d-eyes/basicinfo/info"
	"d-eyes/configcheck/check"
	"d-eyes/filedetection"
	"d-eyes/logo"
	"d-eyes/output"
	"d-eyes/process/controller"
	"d-eyes/yaraobj"
)
// Command-line state shared by the global flags and the per-command flags;
// each flag's Destination points at one of these, so the values are only
// meaningful after cli.App.Run has parsed os.Args.
var (
	path   string // comma-separated roots to scan (-P/--path)
	rule   string // single rule name (-r/--rule); empty means "all rules"
	thread int    // worker count for the file scan (-t/--thread)
	pid    int    // process to scan (-p/--pid); -1 means every process
)
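// yaraRulesDir is where rule files (*.yar) are looked up. It is relative to
// the process working directory, so the tool has to be started from the
// directory that contains yaraRules (unchanged from the original behaviour).
const yaraRulesDir = "./yaraRules"

// reportFile is the spreadsheet written by "filescan" when there are
// findings. It is created in the working directory and silently overwritten.
const reportFile = "D-Eyes.xlsx"

// main wires up the D-Eyes command-line interface and runs it against
// os.Args. The heavy lifting of each command lives in the *Action functions
// and in the packages under d-eyes/.
func main() {
	logo.ShowLogo()

	app := &cli.App{
		Name:  "D-Eyes",
		Usage: "The Eyes of Darkness from Nsfocus spy on everything.",
		// The global flags and the per-command flags below write the same
		// package-level Destinations, so -P/-r/-t/-p work in either position.
		// NOTE(review): each level also carries its own default Value; confirm
		// that `d-eyes -P x fs` keeps x rather than being reset to "/" when the
		// subcommand's flag set is built.
		Flags: []cli.Flag{
			&cli.StringFlag{
				Name:        "path",
				Aliases:     []string{"P"},
				Value:       "/",
				Usage:       "--path / or -P / (Only For Filescan)",
				Destination: &path,
			},
			&cli.IntFlag{
				Name:        "pid",
				Aliases:     []string{"p"},
				Value:       -1,
				Usage:       "--pid 666 or -p 666 (Only For processcan.'-1' means all processes.)",
				Destination: &pid,
			},
			&cli.StringFlag{
				Name:        "rule",
				Aliases:     []string{"r"},
				Usage:       "--rule Ransom.Wannacrypt or -r Ransom.Wannacrypt",
				Destination: &rule,
			},
			&cli.IntFlag{
				Name:        "thread",
				Aliases:     []string{"t"},
				Value:       5,
				Usage:       "--thread 1 or -t 1 (Only For Filescan)",
				Destination: &thread,
			},
		},
		Commands: []*cli.Command{
			{
				Name:    "filescan",
				Aliases: []string{"fs"},
				Usage:   "Command for scanning filesystem",
				Flags: []cli.Flag{
					&cli.StringFlag{
						Name:        "path",
						Aliases:     []string{"P"},
						Value:       "/",
						Usage:       "--path / or -P / (Only For Filescan)",
						Destination: &path,
					},
					&cli.StringFlag{
						Name:        "rule",
						Aliases:     []string{"r"},
						Usage:       "--rule Ransom.Wannacrypt or -r Ransom.Wannacrypt",
						Destination: &rule,
					},
					&cli.IntFlag{
						Name:        "thread",
						Aliases:     []string{"t"},
						Value:       5,
						Usage:       "--thread 1 or -t 1",
						Destination: &thread,
					},
				},
				Action: fileScanAction,
			},
			{
				Name:    "processcan",
				Aliases: []string{"ps"},
				Usage:   "Command for scanning processes",
				Flags: []cli.Flag{
					&cli.IntFlag{
						Name:        "pid",
						Aliases:     []string{"p"},
						Value:       -1,
						Usage:       "--pid 666 or -p 666 ('-1' means all processes.)",
						Destination: &pid,
					},
					&cli.StringFlag{
						Name:        "rule",
						Aliases:     []string{"r"},
						Usage:       "--rule Ransom.Wannacrypt or -r Ransom.Wannacrypt",
						Destination: &rule,
					},
				},
				Action: processScanAction,
			},
			{
				Name:    "selfcheck",
				Aliases: []string{"sc"},
				Usage:   "Command for checking some files which may have backdoors",
				Action: func(_ *cli.Context) error {
					check.Trigger()
					return nil
				},
			},
			{
				Name:  "host",
				Usage: "Command for displaying basic host information",
				Action: func(_ *cli.Context) error {
					color.Infoln("Host Info:")
					info.DisplayBaseInfo()
					return nil
				},
			},
			{
				Name:  "users",
				Usage: "Command for displaying all the users on the host",
				Action: func(_ *cli.Context) error {
					color.Infoln("AllUsers:")
					info.DisplayAllUsers()
					return nil
				},
			},
			{
				Name:  "top",
				Usage: "Command for displaying the top 15 processes in CPU usage",
				Action: func(_ *cli.Context) error {
					info.Top()
					return nil
				},
			},
			{
				Name:  "netstat",
				Usage: "Command for displaying host network information",
				Action: func(_ *cli.Context) error {
					color.Infoln("Network Info:")
					info.DisplayNetStat()
					return nil
				},
			},
			{
				Name:  "task",
				Usage: "Command for displaying all the tasks on the host",
				Action: func(_ *cli.Context) error {
					color.Infoln("Task:")
					info.DisplayPlanTask()
					return nil
				},
			},
			{
				Name:  "autoruns",
				Usage: "Command for displaying all the autoruns on the host",
				Action: func(_ *cli.Context) error {
					color.Infoln("Autoruns:")
					info.CallDisplayAutoruns()
					return nil
				},
			},
			{
				Name:  "export",
				Usage: "Command for exporting basic host information",
				Action: func(_ *cli.Context) error {
					info.SaveSummaryBaseInfo()
					return nil
				},
			},
		},
	}

	if err := app.Run(os.Args); err != nil {
		log.Fatal(err)
	}
}

// fileScanAction implements the "filescan" command. It loads either every
// rule under yaraRulesDir or the single rule named by -r, scans each
// comma-separated root from -P with `thread` workers, prints the findings
// and exports them to reportFile. Rule-loading failures keep the original
// behaviour (red message, exit code 1); argument validation returns an error
// that main reports through log.Fatal.
func fileScanAction(_ *cli.Context) error {
	// A worker count of 0 or less is never meaningful and is handed straight
	// to the scanner, so reject it here.
	if thread < 1 {
		return fmt.Errorf("invalid thread count %d: must be at least 1", thread)
	}

	// Split "-P a,b,c" into individual roots, dropping blank entries so a
	// stray comma does not trigger a scan of "".
	var paths []string
	for _, p := range strings.Split(path, ",") {
		if p = strings.TrimSpace(p); p != "" {
			paths = append(paths, p)
		}
	}
	if len(paths) == 0 {
		return fmt.Errorf("no scan path given (use --path)")
	}

	start := time.Now()
	var results []output.Result
	scanned := 0

	if rule == "" {
		rules, err := yaraobj.LoadAllYaraRules(yaraRulesDir)
		if err != nil {
			color.Redln("LoadCompiledRules goes error !!!")
			color.Redln("GetRules err: ", err)
			os.Exit(1)
		}
		for _, p := range paths {
			scanned += filedetection.StartFileScan(p, rules, thread, &results)
		}
	} else {
		// The -r value becomes a file name under yaraRulesDir. Rule names are
		// bare names like "Ransom.Wannacrypt" (see the flag Usage), so refuse
		// anything carrying a path separator rather than resolving it outside
		// the rules directory.
		if strings.ContainsAny(rule, `/\`) {
			return fmt.Errorf("invalid rule name %q: must not contain path separators", rule)
		}
		ruleFile := filepath.Join(yaraRulesDir, rule+".yar")
		if _, err := os.Lstat(ruleFile); err != nil {
			color.Redln("There is no such rule yet !!!")
			os.Exit(1)
		}
		rules, err := yaraobj.LoadSingleYaraRule(ruleFile)
		if err != nil {
			color.Redln("GetRules err: ", err)
			os.Exit(1)
		}
		for _, p := range paths {
			scanned += filedetection.StartFileScan(p, rules, thread, &results)
		}
	}

	if len(results) == 0 {
		fmt.Println("\nNo suspicious files found. Your computer is safe with the rules you choose.")
	} else {
		printResults(results)
		// A failed export must not hide the findings already printed above,
		// so it is reported and the command still completes.
		if err := exportResults(results, reportFile); err != nil {
			fmt.Println(err)
		}
	}

	fmt.Println("Consuming Time: ", time.Since(start), " Number of scanned files: ", scanned)
	return nil
}

// printResults writes each finding to the terminal, numbered from 1.
// Both labels use Print so the value follows on the same line (the original
// printed "Risk File Path:" with Println, pushing the path to the next line).
func printResults(results []output.Result) {
	for i := range results {
		color.Error.Println("[ Risk ", i+1, " ]")
		fmt.Print("Risk Description: ")
		color.Warn.Println(results[i].Risk)
		fmt.Print("Risk File Path: ")
		color.Warn.Println(results[i].RiskPath)
	}
}

// exportResults writes the findings to an .xlsx workbook at filename: a bold
// red header row ("Risk Description" / "Risk File Path") followed by one row
// per finding. Cell-value and save failures are returned; purely cosmetic
// failures (column width, header style) are printed and the report is still
// written, so the user never loses the data over formatting.
func exportResults(results []output.Result, filename string) error {
	const sheet = "Sheet1"
	f := excelize.NewFile()

	if err := f.SetColWidth(sheet, "A", "B", 50); err != nil {
		fmt.Println(err)
	}

	headers := map[string]string{"A1": "Risk Description", "B1": "Risk File Path"}
	for cell, v := range headers {
		if err := f.SetCellValue(sheet, cell, v); err != nil {
			return fmt.Errorf("writing header %s: %w", cell, err)
		}
	}

	for i, res := range results {
		row := strconv.Itoa(i + 2) // row 1 holds the header
		if err := f.SetCellValue(sheet, "A"+row, res.Risk); err != nil {
			return fmt.Errorf("writing row %s: %w", row, err)
		}
		if err := f.SetCellValue(sheet, "B"+row, res.RiskPath); err != nil {
			return fmt.Errorf("writing row %s: %w", row, err)
		}
	}

	style, err := f.NewStyle(&excelize.Style{
		Font: &excelize.Font{
			Bold:  true,
			Size:  11,
			Color: "e83723",
		},
	})
	if err != nil {
		fmt.Println(err)
	} else if err := f.SetCellStyle(sheet, "A1", "B1", style); err != nil {
		fmt.Println(err)
	}

	if err := f.SaveAs(filename); err != nil {
		return fmt.Errorf("saving %s: %w", filename, err)
	}
	return nil
}

// processScanAction implements the "processcan" command: it scans the
// process given by -p (or every process when -p is -1) with the rule named
// by -r and reports the elapsed time.
func processScanAction(_ *cli.Context) error {
	start := time.Now()
	controller.ScanProcess(pid, rule)
	fmt.Println("Consuming Time: ", time.Since(start))
	return nil
}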