parse content and calculate checksum from file inside archives

Author: codeyourweb

README.md

@@ -53,6 +53,7 @@ options:
     findInNetworkDrives: true # enumerate network drive content
     findInCDRomDrives: true # enumerate physical CD-ROM and mounted iso / vhd...
 output:
+    copyMatchingFiles: true # create a copy of every matching file
     base64Files: true # base64 matched content before copy
     filesCopyPath: '' # empty value will copy matched files in the fastfinder.exe folder
 ``` 

configuration.go

@@ -35,8 +35,9 @@ type Options struct {
 }
 
 type Output struct {
-	Base64Files   bool   `yaml:"base64Files"`
-	FilesCopyPath string `yaml:"filesCopyPath"`
+	Base64Files       bool   `yaml:"base64Files"`
+	FilesCopyPath     string `yaml:"filesCopyPath"`
+	CopyMatchingFiles bool   `yaml:"copyMatchingFiles"`
 }
 
 func (c *Configuration) getConfiguration(configFile string) *Configuration {

examples/example_configuration_linux.yaml

@@ -15,5 +15,6 @@ options:
     findInNetworkDrives: false
     findInCDRomDrives: false
 output:
+    copyMatchingFiles: true
     base64Files: true
     filesCopyPath: ''

examples/example_configuration_windows.yaml

@@ -16,10 +16,11 @@ input:
          - 'A4AF9EF6E345B3B4EA50DDE672A986C14F9A195E407EBAC36B1652AACC10E3EE'
 options:
     contentMatchDependsOnPathMatch: false
-    findInHardDrives: true
+    findInHardDrives: false
     findInRemovableDrives: false
-    findInNetworkDrives: false
+    findInNetworkDrives: true
     findInCDRomDrives: false
 output:
+    copyMatchingFiles: true
     base64Files: true
     filesCopyPath: ''

examples/log4j_vuln_checker/config-log4j_vuln_checker.yaml

@@ -0,0 +1,56 @@
+# scan local Java software installations for known instances of vulnerable #log4j 1.x and 2.x versions
+# CVE-2019-17571, CVE-2021-44228
+input:
+    path:
+      - '*.jar'
+      - '*.class'
+    content:
+        grep: []
+        yara: []
+        checksum:
+          - '39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8' # log4j 2.0-rc1 JndiLookup.class
+          - 'a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2' # log4j 2.0-rc2 JndiLookup.class
+          - '964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e' # log4j 2.0.1 JndiLookup.class
+          - '9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c' # log4j 2.0.2 JndiLookup.class
+          - 'fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29' # log4j 2.0 JndiLookup.class
+          - '03c77cca9aeff412f46eaf1c7425669e37008536dd52f1d6f088e80199e4aae7' # log4j 2.4-2.11.2 JndiManager$1.class
+          - '1584b839cfceb33a372bb9e6f704dcea9701fa810a9ba1ad3961615a5b998c32' # log4j 2.7-2.8.1 JndiManager.class
+          - '1fa92c00fa0b305b6bbe6e2ee4b012b588a906a20a05e135cbe64c9d77d676de' # log4j 2.12.0-2.12.1 JndiManager.class
+          - '293d7e83d4197f0496855f40a7745cfcdd10026dc057dfc1816de57295be88a6' # log4j 2.9.0-2.11.2 JndiManager.class
+          - '3bff6b3011112c0b5139a5c3aa5e698ab1531a2f130e86f9e4262dd6018916d7' # log4j 2.4-2.5 JndiManager.class
+          - '547883afa0aa245321e6b1aaced24bc10d73d5af4974d951e2bd53b017e2d4ab' # log4j 2.14.0-2.14.1 JndiManager$JndiManagerFactory.class
+          - '620a713d908ece7fb09b7d34c2b0461e1c366704da89ea20eb78b73116c77f23' # log4j 2.1-2.3 JndiManager$1.class
+          - '632a69aef3bc5012f61093c3d9b92d6170fdc795711e9fed7f5388c36e3de03d' # log4j 2.8.2 JndiManager$JndiManagerFactory.class
+          - '635ccd3aaa429f3fea31d84569a892b96a02c024c050460d360cc869bcf45840' # log4j 2.9.1-2.10.0 JndiManager$JndiManagerFactory.class
+          - '6540d5695ddac8b0a343c2e91d58316cfdbfdc5b99c6f3f91bc381bc6f748246' # log4j 2.6-2.6.2 JndiManager.class
+          - '764b06686dbe06e3d5f6d15891250ab04073a0d1c357d114b7365c70fa8a7407' # log4j 2.8.2 JndiManager.class
+          - '77323460255818f4cbfe180141d6001bfb575b429e00a07cbceabd59adf334d6' # log4j 2.14.0-2.14.1 JndiManager.class
+          - '8abaebc4d09926cd12b5269c781b64a7f5a57793c54dc1225976f02ba58343bf' # log4j 2.13.0-2.13.3 JndiManager$JndiManagerFactory.class
+          - '914a64f23e2bcc1ae166af645a21f71f18ad6be8282001ec10b3e45b37064c99' # log4j 2.13.0-2.15.0 JndiManager$1.class
+          - '91e58af100aface711700562b5002c5d397fb35d2a95d5704db41461ac1ad8fd' # log4j 2.1-2.3 JndiManager$JndiManagerFactory.class
+          - 'ae950f9435c0ef3373d4030e7eff175ee11044e584b7f205b7a9804bbe795f9c' # log4j 2.1-2.3 JndiManager.class
+          - 'aec7ea2daee4d6468db2df25597594957a06b945bcb778bbcd5acc46f17de665' # log4j 2.4-2.6.2 JndiManager$JndiManagerFactory.class
+          - 'b8af4230b9fb6c79c5bf2e66a5de834bc0ebec4c462d6797258f5d87e356d64b' # log4j 2.7-2.8.1 JndiManager$JndiManagerFactory.class
+          - 'c3e95da6542945c1a096b308bf65bbd7fcb96e3d201e5a2257d85d4dedc6a078' # log4j 2.13.0-2.13.3 JndiManager.class
+          - 'e4906e06c4e7688b468524990d9bb6460d6ef31fe938e01561f3f93ab5ca25a6' # log4j 2.8.2-2.12.0 JndiManager$1.class
+          - 'fe15a68ef8a75a3f9d3f5843f4b4a6db62d1145ef72937ed7d6d1bbcf8ec218f' # log4j 2.12.0-2.12.1 JndiManager$JndiManagerFactory.class
+          - '6adb3617902180bdf9cbcfc08b5a11f3fac2b44ef1828131296ac41397435e3d' # log4j 1.2.4 SocketNode.class
+          - '3ef93e9cb937295175b75182e42ba9a0aa94f9f8e295236c9eef914348efeef0' # log4j 1.2.6-1.2.9 SocketNode.class
+          - 'bee4a5a70843a981e47207b476f1e705c21fc90cb70e95c3b40d04a2191f33e9' # log4j 1.2.8  SocketNode.class
+          - '7b996623c05f1a25a57fb5b43c519c2ec02ec2e647c2b97b3407965af928c9a4' # log4j 1.2.15 SocketNode.class
+          - '688a3dadfb1c0a08fb2a2885a356200eb74e7f0f26a197d358d74f2faf6e8f46' # log4j 1.2.16 SocketNode.class
+          - '8ef0ebdfbf28ec14b2267e6004a8eea947b4411d3c30d228a7b48fae36431d74' # log4j 1.2.17 SocketNode.class
+          - 'd778227b779f8f3a2850987e3cfe6020ca26c299037fdfa7e0ac8f81385963e6' # log4j 1.2.11 SocketNode.class
+          - 'ed5d53deb29f737808521dd6284c2d7a873a59140e702295a80bd0f26988f53a' # log4j 1.2.5 SocketNode.class
+          - 'f3b815a2b3c74851ff1b94e414c36f576fbcdf52b82b805b2e18322b3f5fc27c' # log4j 1.2.12 SocketNode.class
+          - 'fbda3cfc5853ab4744b853398f2b3580505f5a7d67bfb200716ef6ae5be3c8b7' # log4j 1.2.13-1.2.14 SocketNode.class
+options:
+    contentMatchDependsOnPathMatch: true
+    findInHardDrives: true
+    findInRemovableDrives: false
+    findInNetworkDrives: false
+    findInCDRomDrives: false
+output:
+    copyMatchingFiles: false
+    base64Files: false
+    filesCopyPath: ''

finder.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"archive/zip"
 	"crypto/md5"
 	"crypto/sha1"
 	"crypto/sha256"
@@ -10,6 +11,7 @@ import (
 	"strings"
 
 	"github.com/dlclark/regexp2"
+	"github.com/h2non/filetype"
 )
 
 // PathsFinder try to match regular expressions in file paths slice
@@ -29,45 +31,66 @@ func PathsFinder(files *[]string, patterns []*regexp2.Regexp) *[]string {
 }
 
 // FindInFiles check for pattern or checksum match in files slice
-func FindInFiles(files *[]string, patterns []string, checksum []string) *[]string {
+func FindInFiles(files *[]string, patterns []string, hashList []string) *[]string {
 	var matchingFiles []string
 	InitProgressbar(int64(len(*files)))
-	for _, f := range *files {
+	for _, path := range *files {
 		ProgressBarStep()
-		b, err := ioutil.ReadFile(f)
+		b, err := ioutil.ReadFile(path)
 		if err != nil {
-			LogMessage(LOG_ERROR, "[ERROR]", "Unable to read file", f)
+			LogMessage(LOG_ERROR, "[ERROR]", "Unable to read file", path)
 			continue
 		}
 
 		// cancel analysis if file size is greater than 2Gb
 		if len(b) > 1024*1024*2048 {
-			LogMessage(LOG_ERROR, "[ERROR]", "File size is greater than 2Gb, skipping", f)
+			LogMessage(LOG_ERROR, "[ERROR]", "File size is greater than 2Gb, skipping", path)
 			continue
 		}
 
-		// if checksum is not empty, calculate md5/sha1/sha256 for every file
-		if len(checksum) > 0 {
-			var hashs []string
-			hashs = append(hashs, fmt.Sprintf("%x", md5.Sum(b)))
-			hashs = append(hashs, fmt.Sprintf("%x", sha1.Sum(b)))
-			hashs = append(hashs, fmt.Sprintf("%x", sha256.Sum256(b)))
-
-			for _, c := range hashs {
-				if Contains(checksum, c) && !Contains(matchingFiles, f) {
-					matchingFiles = append(matchingFiles, f)
-					LogMessage(LOG_INFO, "[ALERT]", "File match on", f)
-				}
+		// get file type
+		filetype, err := filetype.Match(b)
+		if err != nil {
+			LogMessage(LOG_ERROR, "[ERROR]", "Unable to get file type", path)
+		}
+
+		for _, m := range CheckFileChecksumAndContent(path, b, hashList, patterns) {
+			if !Contains(matchingFiles, m) {
+				LogMessage(LOG_INFO, "[ALERT]", "File match on", path)
+				matchingFiles = append(matchingFiles, m)
 			}
 		}
 
-		for _, expression := range patterns {
-			if strings.Contains(string(b), expression) {
-				if !Contains(matchingFiles, f) {
-					matchingFiles = append(matchingFiles, f)
-					LogMessage(LOG_INFO, "[ALERT]", "File match on", f)
+		// if file type is an archive, extract and calculate checksum for every file inside
+		if Contains([]string{"application/x-tar", "application/x-7z-compressed", "application/zip", "application/vnd.rar"}, filetype.MIME.Value) {
+			zr, err := zip.OpenReader(path)
+			if err != nil {
+				fmt.Printf("cant't open archive file: %s: %v\n", path, err)
+				continue
+			}
+
+			for _, subFile := range zr.File {
+				fr, err := subFile.Open()
+				if err != nil {
+					fmt.Printf("can't open archive file member for reading: %s (%s): %v\n", path, subFile.Name, err)
+					continue
+				}
+				defer fr.Close()
+
+				body, err := ioutil.ReadAll(fr)
+				if err != nil {
+					LogMessage(LOG_ERROR, "[ERROR]", "Unable to read file archive member: %s (%s): %v\n", path, subFile.Name, err)
+					continue
+				}
+
+				for _, m := range CheckFileChecksumAndContent(path, body, hashList, patterns) {
+					if !Contains(matchingFiles, m) {
+						LogMessage(LOG_INFO, "[ALERT]", "File match on", path)
+						matchingFiles = append(matchingFiles, m)
+					}
 				}
 			}
+
 		}
 
 		// cleaning memory if file size is greater than 512Mb
@@ -78,3 +101,44 @@ func FindInFiles(files *[]string, patterns []string, checksum []string) *[]strin
 
 	return &matchingFiles
 }
+
+// CheckFileChecksumAndContent check for pattern or checksum match in files slice
+func CheckFileChecksumAndContent(path string, content []byte, hashList []string, patterns []string) (matchingFiles []string) {
+	// compare file checksum with hashList
+	if len(hashList) > 0 {
+		matchingFiles = append(matchingFiles, checkForChecksum(path, content, hashList)...)
+	}
+
+	// compare file content with patterns
+	if len(patterns) > 0 {
+		matchingFiles = append(matchingFiles, checkForStringPattern(path, content, patterns)...)
+	}
+
+	return matchingFiles
+}
+
+// checkForChecksum calculate content checksum and check if it is in hashlist
+func checkForChecksum(path string, content []byte, hashList []string) (matchingFiles []string) {
+	var hashs []string
+	hashs = append(hashs, fmt.Sprintf("%x", md5.Sum(content)))
+	hashs = append(hashs, fmt.Sprintf("%x", sha1.Sum(content)))
+	hashs = append(hashs, fmt.Sprintf("%x", sha256.Sum256(content)))
+
+	for _, c := range hashs {
+		if Contains(hashList, c) && !Contains(matchingFiles, path) {
+			matchingFiles = append(matchingFiles, path)
+		}
+	}
+
+	return matchingFiles
+}
+
+// checkForStringPattern check if file content matches any specified pattern
+func checkForStringPattern(path string, content []byte, patterns []string) (matchingFiles []string) {
+	for _, expression := range patterns {
+		if strings.Contains(string(content), expression) {
+			matchingFiles = append(matchingFiles, path)
+		}
+	}
+	return matchingFiles
+}

main.go

@@ -248,7 +248,7 @@ func main() {
 		}
 
 		// copy matching files
-		if len(*matchContent) > 0 {
+		if len(*matchContent) > 0 && config.Output.CopyMatchingFiles {
 			LogMessage(LOG_INFO, "[INFO]", "Copy all matching files")
 			InitProgressbar(int64(len(*matchPattern)))
 			for _, f := range *matchContent {