Merge pull request #3 from ImDuong/feature/processes-with-ports

Add plugins containing data about network connection related with processes
ImDuong · Jun 12, 2024 · cea1ed5 · cea1ed5
2 parents 1073e3c + cf2d432
commit cea1ed5
Show file tree

Hide file tree

Showing 18 changed files with 704 additions and 82 deletions.
diff --git a/README.md b/README.md
@@ -71,7 +71,7 @@ Where:
 - Run Volatility 3 auto streamline with `--vol` pointing to volatility 3 folder, and `--file or -f` pointing to memory dump file
 
     ```
-    go run cmd\main.go --vol <path_to_volatility3> -f <path_to_memory_dump> -o <output_folder>
+    go run cmd\main.go --vol <path_to_volatility3_folder> -f <path_to_memory_dump> -o <output_folder>
     ```
 
     - By default (also means when `-o` is not specified), vola-auto will generate folder `artifacts` in folder containing `path_to_memory_dump`

diff --git a/datastore/network.go b/datastore/network.go
@@ -0,0 +1,80 @@
+package datastore
+
+import (
+	"fmt"
+	"strings"
+	"time"
+)
+
+type (
+	TCPConnectionState string
+
+	NetworkConnection struct {
+		Protocol     string
+		LocalAddr    string
+		LocalPort    uint
+		ForeignAddr  string
+		ForeignPort  uint
+		State        string
+		CreatedTime  time.Time
+		OwnerProcess *Process
+	}
+)
+
+// TCPConnectionStates
+// Ref: https://github.com/volatilityfoundation/volatility3/blob/771ed10b44573a7f8baa32822f3bc524195fe0c9/volatility3/framework/symbols/windows/netscan/netscan-win10-x64.json#L364
+var TCPConnectionStates = [...]TCPConnectionState{
+	"CLOSED",
+	"LISTENING",
+	"SYN_SENT",
+	"SYN_RCVD",
+	"ESTABLISHED",
+	"FIN_WAIT1",
+	"FIN_WAIT2",
+	"CLOSE_WAIT",
+	"CLOSING",
+	"LAST_ACK",
+	"TIME_WAIT",
+	"DELETE_TCB",
+}
+
+var MissingInfoNetworkConnection = make(map[string]*NetworkConnection)
+
+func (nc *NetworkConnection) GetLocalSocketAddr() string {
+	return nc.getSocketAddr(nc.LocalAddr, nc.LocalPort)
+}
+
+func (nc *NetworkConnection) GetForeignSocketAddr() string {
+	return nc.getSocketAddr(nc.ForeignAddr, nc.ForeignPort)
+}
+
+func (nc *NetworkConnection) getSocketAddr(ipAddr string, port uint) string {
+	if ipAddr == "::" {
+		ipAddr = "[" + ipAddr + "]"
+	}
+	return fmt.Sprintf("%s:%d", ipAddr, port)
+}
+
+func (nc *NetworkConnection) GetSocketPair() string {
+	return fmt.Sprintf("%s=>%s", nc.GetLocalSocketAddr(), nc.GetForeignSocketAddr())
+}
+
+func (nc *NetworkConnection) GetCreatedTimeAsStr() string {
+	var createdTime string = "N/A"
+	if !nc.CreatedTime.IsZero() {
+		createdTime = nc.CreatedTime.Format(time.DateTime)
+	}
+	return createdTime
+}
+
+func IsValidTCPConnectionState(checkingState string) bool {
+	if len(checkingState) == 0 {
+		return false
+	}
+	for i := range TCPConnectionStates {
+		if strings.EqualFold(string(TCPConnectionStates[i]), checkingState) {
+			return true
+		}
+	}
+	return false
+}
diff --git a/datastore/processes.go b/datastore/processes.go
@@ -1,14 +1,21 @@
 package datastore
 
-import "time"
+import (
+	"strings"
+	"time"
+
+	"github.com/ImDuong/vola-auto/utils"
+)
 
 type (
 	Process struct {
 		ImageName   string
+		FullPath    string
 		PID         uint
 		ParentProc  *Process
 		Args        string
 		CreatedTime time.Time
+		Connections []*NetworkConnection
 	}
 )
 
@@ -19,3 +26,55 @@ type ProcessByPID []*Process
 func (a ProcessByPID) Len() int           { return len(a) }
 func (a ProcessByPID) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
 func (a ProcessByPID) Less(i, j int) bool { return a[i].PID < a[j].PID }
+
+func (p *Process) ParseFullPathByArgs() {
+	fullPath := strings.TrimSpace(p.Args)
+	p.FullPath = fullPath
+	if len(fullPath) == 0 {
+		return
+	}
+
+	if fullPath[0] == '"' {
+		endIdx := strings.Index(fullPath[1:], "\"") + 1
+		if endIdx > 0 {
+			p.FullPath = fullPath[1:endIdx]
+			return
+		}
+	} else {
+		endIdx := strings.Index(fullPath, " ")
+		if endIdx > 0 {
+			p.FullPath = fullPath[:endIdx]
+			return
+		}
+	}
+}
+
+func (p *Process) GetFullPath() string {
+	return utils.GetPathInCamelCase(p.FullPath)
+}
+
+func (p *Process) GetCmdline() string {
+	if len(p.Args) == 0 {
+		return p.FullPath
+	}
+	return p.Args
+}
+
+func (p *Process) AddConn(conn *NetworkConnection) {
+	if conn == nil {
+		return
+	}
+	p.Connections = append(p.Connections, conn)
+}
+
+func (p *Process) IsConnExisted(conn *NetworkConnection) bool {
+	if conn == nil {
+		return false
+	}
+	for i := range p.Connections {
+		if p.Connections[i].GetSocketPair() == conn.GetSocketPair() {
+			return true
+		}
+	}
+	return false
+}
diff --git a/datastore/processes_test.go b/datastore/processes_test.go
@@ -0,0 +1,36 @@
+package datastore_test
+
+import (
+	"testing"
+
+	"github.com/ImDuong/vola-auto/datastore"
+)
+
+func TestParseFullPathByArgs(t *testing.T) {
+	type testCase struct {
+		input    string
+		expected string
+	}
+
+	testCases := []testCase{
+		{input: `%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows`, expected: `%SystemRoot%\system32\csrss.exe`},
+		{input: `C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation`, expected: `C:\Windows\system32\svchost.exe`},
+		{input: `"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default`, expected: `C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe`},
+		{input: `C:\simplepath.exe`, expected: `C:\simplepath.exe`},
+		{input: `"C:\Path With Spaces\app.exe" argument`, expected: `C:\Path With Spaces\app.exe`},
+		{input: `  C:\LeadingAndTrailingSpaces.exe  argument`, expected: `C:\LeadingAndTrailingSpaces.exe`},
+		{input: `""`, expected: ``},
+		{input: ` `, expected: ``},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.input, func(t *testing.T) {
+			p := &datastore.Process{}
+			p.Args = tc.input
+			p.ParseFullPathByArgs()
+			if p.FullPath != tc.expected {
+				t.Errorf("expected %q, got %q", tc.expected, p.FullPath)
+			}
+		})
+	}
+}
diff --git a/go.sum b/go.sum
@@ -10,6 +10,8 @@ github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/iancoleman/strcase v0.3.0 h1:nTXanmYxhfFAMjZL34Ov6gkzEsSJZ5DbhxWjvSASxEI=
+github.com/iancoleman/strcase v0.3.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
 github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d h1:VhgPp6v9qf9Agr/56bj7Y/xa04UccTW04VP0Qed4vnQ=
 github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d/go.mod h1:YUTz3bUH2ZwIWBy3CJBeOBEugqcmXREj14T+iG/4k4U=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=