Enhance directory detection to handle prefix matching and eliminate duplicates
Helps to discover directories with a prefix instead of just by exact match
This commit is contained in:
Evan Hosinski
@@ -12,14 +12,33 @@ var appData = os.Getenv("APPDATA")
|
||||
|
||||
func Detect() []string {
|
||||
var suspiciousDirectories []string
|
||||
seen := make(map[string]bool) // Prevent duplicates
|
||||
|
||||
fmt.Printf("[*] Enumerating Suspicious Directories \n")
|
||||
// Check for common directories
|
||||
for _, dir := range common.CommonDirectories {
|
||||
dir = replaceAppData(dir)
|
||||
if _, err := os.Stat(dir); err == nil {
|
||||
fmt.Printf(" [?] Found %s\n", dir)
|
||||
suspiciousDirectories = append(suspiciousDirectories, dir)
|
||||
|
||||
// Check if this is a prefix pattern (ends with incomplete path such as Screen Connect "C:\Program Files (x86)\ScreenConnect Client (")
|
||||
if isPrefix(dir) {
|
||||
// Find all directories matching this prefix
|
||||
matches := findPrefixMatches(dir)
|
||||
for _, match := range matches {
|
||||
if !seen[match] {
|
||||
fmt.Printf(" [?] Found %s\n", match)
|
||||
suspiciousDirectories = append(suspiciousDirectories, match)
|
||||
seen[match] = true
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// Exact match
|
||||
if _, err := os.Stat(dir); err == nil {
|
||||
if !seen[dir] {
|
||||
fmt.Printf(" [?] Found %s\n", dir)
|
||||
suspiciousDirectories = append(suspiciousDirectories, dir)
|
||||
seen[dir] = true
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
fmt.Printf("[+] Found %d Suspicious Directories\n", len(suspiciousDirectories))
|
||||
@@ -27,6 +46,7 @@ func Detect() []string {
|
||||
return suspiciousDirectories
|
||||
}
|
||||
|
||||
// replaceAppData replaces {{APPDATA}} with the actual APPDATA path
|
||||
func replaceAppData(path string) string {
|
||||
if strings.Contains(path, "{{APPDATA}}") {
|
||||
p := strings.Replace(path, "{{APPDATA}}", "", -1)
|
||||
@@ -34,3 +54,44 @@ func replaceAppData(path string) string {
|
||||
}
|
||||
return path
|
||||
}
|
||||
|
||||
// isPrefix checks if a path is a prefix pattern (incomplete path for matching)
|
||||
func isPrefix(path string) bool {
|
||||
// If path ends with "(" or other incomplete patterns, it's a prefix
|
||||
return strings.HasSuffix(path, "(") || strings.HasSuffix(path, "\\")
|
||||
}
|
||||
|
||||
// findPrefixMatches finds all directories that start with the given prefix
|
||||
func findPrefixMatches(prefix string) []string {
|
||||
var matches []string
|
||||
|
||||
// Get the parent directory to search in
|
||||
parentDir := filepath.Dir(prefix)
|
||||
|
||||
// Check if parent directory exists
|
||||
if _, err := os.Stat(parentDir); os.IsNotExist(err) {
|
||||
return matches
|
||||
}
|
||||
|
||||
// Read all entries in the parent directory
|
||||
entries, err := os.ReadDir(parentDir)
|
||||
if err != nil {
|
||||
return matches
|
||||
}
|
||||
|
||||
// Get the base name prefix
|
||||
basePrefix := filepath.Base(prefix)
|
||||
|
||||
// Check each entry
|
||||
for _, entry := range entries {
|
||||
if entry.IsDir() {
|
||||
// Check if this directory name starts with our prefix
|
||||
if strings.HasPrefix(entry.Name(), basePrefix) {
|
||||
fullPath := filepath.Join(parentDir, entry.Name())
|
||||
matches = append(matches, fullPath)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return matches
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user