bug bashing & task scheduler scan improvements

codeyourweb · Dec 31, 2020 · 8ea7643 · 8ea7643
1 parent 549ae75
commit 8ea7643
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -4,9 +4,10 @@
 
 ## What is this project designed for?
 _IRMA_ is a lightweight tool made for live forensics on Windows Platform. It is 
-focused on two use cases:
+focused on three use cases:
 * enpoint detection - live analysis, quarantine and eradication of malware on a workstation 
 * live analysis & sandbox host - logging and instant notifications for malware TTP's assesment
+* signatures quality test - scan your endpoint baseline and check for false positives
 
 ## How IRMA scan for malware behaviour?
 _IRMA_ is intended to work with both user or administrator rights.

diff --git a/filehelper.go b/filehelper.go
@@ -86,7 +86,7 @@ func FileAnalysis(path string, pQuarantine string, pKill bool, pAggressive bool,
 
 			// logging
 			for _, match := range result {
-				log.Println("[ALERT]", "YARA MATCH", path, match.Namespace, match.Rule)
+				log.Println("[ALERT]", "YARA match", path, match.Namespace, match.Rule)
 			}
 
 			// dump matching process to quarantine

diff --git a/procsmemory.go b/procsmemory.go
@@ -53,12 +53,12 @@ func MemoryAnalysisRoutine(pDump string, pQuarantine string, pKill bool, pAggres
 			if len(result) > 0 {
 				// windows notifications
 				if pNotifications {
-					NotifyUser("YARA match", proc.ProcessName+":"+fmt.Sprint(proc.PID)+" match "+fmt.Sprint(len(result))+" rules")
+					NotifyUser("YARA match", proc.ProcessName+" - PID:"+fmt.Sprint(proc.PID)+" match "+fmt.Sprint(len(result))+" rules")
 				}
 
 				// logging
 				for _, match := range result {
-					log.Println("[ALERT]", "YARA MATCH", proc.ProcessName, "PID:", fmt.Sprint(proc.PID), match.Namespace, match.Rule)
+					log.Println("[ALERT]", "YARA match", proc.ProcessName, "PID:", fmt.Sprint(proc.PID), match.Namespace, match.Rule)
 				}
 
 				// dump matching process to quarantine

diff --git a/windowstaskscheduler.go b/windowstaskscheduler.go
@@ -27,9 +27,18 @@ type ExecAction struct {
 	Arguments        string
 }
 
+var (
+	unknown *ole.IUnknown
+	variant *ole.VARIANT
+	ts      *ole.IDispatch
+)
+
+var taskSchedulerInitialized bool = false
+
 // TaskSchedulerAnalysisRoutine analyse Windows Task Scheduler executable every 15 seconds
 func TaskSchedulerAnalysisRoutine(pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
 	for true {
+		defer UninitializeTaskScheduler()
 		tasks, err := GetTasks()
 		if err != nil && pVerbose {
 			log.Println("[ERROR]", err)
@@ -48,29 +57,52 @@ func TaskSchedulerAnalysisRoutine(pQuarantine string, pKill bool, pAggressive bo
 	}
 }
 
-// GetTasks returns a list of all scheduled Tasks in Windows Task Scheduler
-func GetTasks() ([]Task, error) {
-	// Initialize COM API
-	if err := ole.CoInitialize(0); err != nil {
-		return nil, errors.New("Could not initialize Windows COM API")
+// InitTaskScheduler Initialize COM API & Task scheduler connect
+func InitTaskScheduler() error {
+	var err error
+	if err = ole.CoInitializeEx(0, 0); err != nil {
+		return errors.New("Could not initialize Windows COM API")
 	}
-	defer ole.CoUninitialize()
+
 	// Create an ITaskService object
-	unknown, err := ole.CreateInstance(ole.NewGUID("{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}"), nil)
+	unknown, err = ole.CreateInstance(ole.NewGUID("{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}"), nil)
 	if err != nil {
-		return nil, errors.New("Could not initialize Task Scheduler")
+		return errors.New("Could not initialize Task Scheduler")
 	}
-	defer unknown.Release()
+
 	// Convert IUnknown to IDispatch to get more functions like CallMethod()
-	ts, err := unknown.QueryInterface(ole.IID_IDispatch)
+	ts, err = unknown.QueryInterface(ole.IID_IDispatch)
 	if err != nil {
-		return nil, errors.New("Could not prepare Task Scheduler")
+		return errors.New("Could not prepare Task Scheduler")
 	}
-	defer ts.Release()
+
 	// Connect to the Task Scheduler
-	if _, err := ts.CallMethod("Connect", "", "", "", ""); err != nil {
-		return nil, errors.New("Could not connect to Task Scheduler")
+	if _, err = ts.CallMethod("Connect", "", "", "", ""); err != nil {
+		return errors.New("Could not connect to Task Scheduler")
 	}
+
+	return nil
+}
+
+// UninitializeTaskScheduler Release Task Scheduler COM API
+func UninitializeTaskScheduler() {
+	ole.CoUninitialize()
+	unknown.Release()
+	ts.Release()
+}
+
+// GetTasks returns a list of all scheduled Tasks in Windows Task Scheduler
+func GetTasks() ([]Task, error) {
+	var err error
+
+	if !taskSchedulerInitialized {
+		err = InitTaskScheduler()
+		if err != nil {
+			return nil, err
+		}
+		taskSchedulerInitialized = true
+	}
+
 	// Get Root Directory of Task Scheduler and get all tasks recursively
 	variant, err := oleutil.CallMethod(ts, "GetFolder", "\\")
 	if err != nil {