1 parent
1acbce9
commit 19a27b5
Showing
17 changed files
with
362 additions
and
24 deletions.
@@ -1,2 +1,3 @@ | ||
dist | ||
EDRHunt.exe | ||
dist | ||
EDRHunt.exe | ||
.vscode |
@@ -1,12 +1,14 @@ | ||
all: build | ||
|
||
build: | ||
go build -ldflags="-w -s" -o EDRHunt.exe github.com/FourCoreLabs/EDRHunt/cmd/EDRHunt | ||
garble-build: | ||
garble -literals build -ldflags="-w -s" -o EDRHunt.exe github.com/FourCoreLabs/EDRHunt/cmd/EDRHunt | ||
local: | ||
go build -ldflags="-w -s" -o EDRHunt.exe github.com/FourCoreLabs/EDRHunt/cmd/EDRHunt | ||
run: | ||
go run -ldflags="-w -s" github.com/FourCoreLabs/EDRHunt/cmd/EDRHunt all | ||
drivers: | ||
go run -ldflags="-w -s" github.com/FourCoreLabs/EDRHunt/cmd/EDRHunt -d | ||
all: build | ||
|
||
build: | ||
go build -ldflags="-w -s" -o EDRHunt.exe github.com/FourCoreLabs/EDRHunt/cmd/EDRHunt | ||
garble-build: | ||
garble -literals build -ldflags="-w -s" -o EDRHunt.exe github.com/FourCoreLabs/EDRHunt/cmd/EDRHunt | ||
local: | ||
go build -ldflags="-w -s" -o EDRHunt.exe github.com/FourCoreLabs/EDRHunt/cmd/EDRHunt | ||
run: | ||
go run -ldflags="-w -s" github.com/FourCoreLabs/EDRHunt/cmd/EDRHunt all | ||
drivers: | ||
go run -ldflags="-w -s" github.com/FourCoreLabs/EDRHunt/cmd/EDRHunt -d | ||
avwmi: | ||
go run -ldflags="-w -s" github.com/FourCoreLabs/EDRHunt/cmd/EDRHunt -w |
@@ -0,0 +1,113 @@ | ||
package edrRecon | ||
|
||
import ( | ||
"errors" | ||
"fmt" | ||
"strings" | ||
"time" | ||
|
||
"github.com/FourCoreLabs/EDRHunt/pkg/resources" | ||
"github.com/hashicorp/go-multierror" | ||
"github.com/yusufpapurcu/wmi" | ||
) | ||
|
||
type AntiVirusProduct struct { | ||
DisplayName string | ||
InstanceGuid string | ||
PathToSignedProductExe string | ||
PathToSignedReportingExe string | ||
ProductState uint32 | ||
} | ||
|
||
type AvResult struct { | ||
AvProduct []AntiVirusProduct | ||
Err error | ||
} | ||
|
||
const ( | ||
namespace = "root\\SecurityCenter2" | ||
class = "AntiVirusProduct" | ||
wmiErr = "wmi query timed out" | ||
) | ||
|
||
func CheckAVWmiRepo() ([]resources.AVWmiMetaData, error) { | ||
var ( | ||
avList []AntiVirusProduct | ||
multiErr error | ||
summary []resources.AVWmiMetaData = make([]resources.AVWmiMetaData, 0) | ||
err error | ||
) | ||
|
||
avList, err = GetAVwithWMI() | ||
if err != nil { | ||
return summary, err | ||
} | ||
for _, av := range avList { | ||
if av.DisplayName == "" { | ||
continue | ||
} | ||
output, err := AnalyzeAVProduct(av) | ||
if err != nil { | ||
multiErr = multierror.Append(multiErr, err) | ||
continue | ||
} | ||
|
||
if len(output.ScanMatch) > 0 { | ||
summary = append(summary, output) | ||
} | ||
|
||
} | ||
return summary, multiErr | ||
} | ||
|
||
func AnalyzeAVProduct(av AntiVirusProduct) (resources.AVWmiMetaData, error) { | ||
analysis := resources.AVWmiMetaData{ | ||
ProductName: av.DisplayName, | ||
ProductGUID: av.InstanceGuid, | ||
PathToProductExe: av.PathToSignedProductExe, | ||
PathToReportingExe: av.PathToSignedReportingExe, | ||
ProductState: av.ProductState, | ||
} | ||
|
||
if analysis.PathToProductExe != "" { | ||
analysis.ProductExeMetaData, _ = GetFileMetaData(analysis.PathToProductExe) | ||
} | ||
|
||
if analysis.PathToReportingExe != "" { | ||
analysis.ReportingExeMetaData, _ = GetFileMetaData(analysis.PathToReportingExe) | ||
} | ||
|
||
for _, edr := range EdrList { | ||
if strings.Contains( | ||
strings.ToLower(fmt.Sprint(analysis)), | ||
strings.ToLower(edr)) { | ||
analysis.ScanMatch = append(analysis.ScanMatch, edr) | ||
} | ||
} | ||
|
||
return analysis, nil | ||
} | ||
|
||
func GetAVwithWMI() ([]AntiVirusProduct, error) { | ||
result := make(chan AvResult, 1) | ||
go func() { | ||
result <- WMIQuery() | ||
}() | ||
select { | ||
case <-time.After(6 * time.Second): | ||
return nil, errors.New(wmiErr) | ||
case result := <-result: | ||
return result.AvProduct, result.Err | ||
} | ||
|
||
} | ||
|
||
func WMIQuery() AvResult { | ||
var avResults []AntiVirusProduct | ||
query := wmi.CreateQuery(&avResults, "", class) | ||
err := wmi.QueryNamespace(query, &avResults, namespace) | ||
return AvResult{ | ||
AvProduct: avResults, | ||
Err: err, | ||
} | ||
} |
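Review bot: In AnalyzeAVProduct the match loop re-serialises the whole struct with `fmt.Sprint(analysis)` on every iteration over EdrList, and because `analysis.ScanMatch` is appended inside that same loop, each later keyword is also scanned against the keywords already matched (and against the raw ProductState number), which can inflate ScanMatch with spurious hits. Build the haystack once before the loop, `haystack := strings.ToLower(fmt.Sprint(analysis))`, and test `strings.Contains(haystack, strings.ToLower(edr))` inside it. The two `GetFileMetaData` errors are discarded with `_`; for a recon tool a WMI-registered executable path that cannot be read is itself worth reporting, so consider returning them, which would also give the multierror branch in CheckAVWmiRepo something to collect (AnalyzeAVProduct currently never returns a non-nil error). Note also that when GetAVwithWMI hits the 6-second `time.After`, the WMIQuery goroutine keeps running to completion; the buffered channel avoids a leak, but the caller has no way to cancel or observe it, which deserves a comment on the function and probably a named timeout constant rather than the inline literal.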