Refactor suspicious artifact data structures, enhance eliminated state tracking, and update UI rendering for eliminated items. Add JSON marshal/unmarshal support for Binary and Directory types.
+78
-15
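--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,5 +1,9 @@
 package suspicious
 
+import (
+"encoding/json"
+)
+
 /*
 Suspicious
 The object used to resemble the Suspicious artifacts and activities.
@@ -8,8 +12,8 @@ type Suspicious struct {
 Artifacts []Artifact `json:"artifacts"`
 Persistence Persistence `json:"persistence"`
 RootFolder string `json:"rootFolder"`
-Binaries []string `json:"binaries"`
-Directories []string `json:"directories"`
+Binaries []Binary `json:"binaries"`
+Directories []Directory `json:"directories"`
 Services []*Service `json:"services"`
 Processes []Process `json:"processes"`
 OutboundConnections []NetworkConnection `json:"outboundConnections"`
@@ -17,13 +21,24 @@ type Suspicious struct {
 ScheduledTasks []*ScheduledTask `json:"scheduledTasks"`
 }
 
+type Binary struct {
+Path string `json:"path"`
+Eliminated bool `json:"eliminated,omitempty"`
+}
+
+type Directory struct {
+Path string `json:"path"`
+Eliminated bool `json:"eliminated,omitempty"`
+}
+
 type NetworkConnection struct {
-LocalAddr string
-RemoteAddr string
-RemoteHost string
-State string
-PID string
-Process string
+LocalAddr string `json:"localAddr"`
+RemoteAddr string `json:"remoteAddr"`
+RemoteHost string `json:"remoteHost"`
+State string `json:"state"`
+PID string `json:"pid"`
+Process string `json:"process"`
+Eliminated bool `json:"eliminated,omitempty"`
 }
 
 /*
@@ -60,6 +75,7 @@ type AutoRun struct {
 SHA256 string `json:"sha256"`
 Entry string `json:"entry"`
 LaunchString string `json:"launch_string"`
+Eliminated bool `json:"eliminated,omitempty"`
 }
 
 /*
@@ -78,6 +94,7 @@ type ScheduledTask struct {
 NextRun string `json:"nextRun"`
 LastRun string `json:"lastRun"`
 Path string `json:"path"`
+Eliminated bool `json:"eliminated,omitempty"`
 }
 
 /*
@@ -85,13 +102,14 @@ Process
 The object used to resemble the processes used by the Suspicious software.
 */
 type Process struct {
-Name string `json:"name"`
-PID int `json:"pid"`
-PPID int `json:"ppid"`
-Parent string `json:"parent"`
-Args string `json:"args"`
-Created string `json:"created"`
-Path string `json:"path"`
+Name string `json:"name"`
+PID int `json:"pid"`
+PPID int `json:"ppid"`
+Parent string `json:"parent"`
+Args string `json:"args"`
+Created string `json:"created"`
+Path string `json:"path"`
+Eliminated bool `json:"eliminated,omitempty"`
 }
 
 /*
@@ -116,4 +134,49 @@ type Service struct {
 Description string `json:"description"`
 SidType uint32 `json:"sidType"`
 DelayedAutoStart bool `json:"delayedAutoStart"`
+Eliminated bool `json:"eliminated,omitempty"`
 }
+
+// UnmarshalJSON implements custom unmarshaling for Binary to support both string and object formats
+func (b *Binary) UnmarshalJSON(data []byte) error {
+// Try to unmarshal as string first (old format)
+var str string
+if err := json.Unmarshal(data, &str); err == nil {
+b.Path = str
+b.Eliminated = false
+return nil
+}
+
+// Try to unmarshal as object (new format)
+type Alias Binary
+aux := &struct{ *Alias }{Alias: (*Alias)(b)}
+return json.Unmarshal(data, aux)
+}
+
+// MarshalJSON implements custom marshaling for Binary to always use object format
+func (b Binary) MarshalJSON() ([]byte, error) {
+type Alias Binary
+return json.Marshal(&struct{ *Alias }{Alias: (*Alias)(&b)})
+}
+
+// UnmarshalJSON implements custom unmarshaling for Directory to support both string and object formats
+func (d *Directory) UnmarshalJSON(data []byte) error {
+// Try to unmarshal as string first (old format)
+var str string
+if err := json.Unmarshal(data, &str); err == nil {
+d.Path = str
+d.Eliminated = false
+return nil
+}
+
+// Try to unmarshal as object (new format)
+type Alias Directory
+aux := &struct{ *Alias }{Alias: (*Alias)(d)}
+return json.Unmarshal(data, aux)
+}
+
+// MarshalJSON implements custom marshaling for Directory to always use object format
+func (d Directory) MarshalJSON() ([]byte, error) {
+type Alias Directory
+return json.Marshal(&struct{ *Alias }{Alias: (*Alias)(&d)})
+}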
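Review bot: Binary.UnmarshalJSON and Directory.UnmarshalJSON in the last hunk are byte-for-byte duplicates apart from the receiver type, so any later fix to one has to be mirrored by hand in the other — for instance, a JSON `null` currently passes the string probe (encoding/json reports no error and leaves `str` empty), so it silently yields an empty Path with Eliminated reset to false, and that would need changing in two places. Moving the string-or-object decision into one package-level helper keeps the two types in step and lets each method collapse to `return decodePathOrObject(data, &b.Path, &b.Eliminated, (*Alias)(b))`. The NetworkConnection hunk above deserves a comment too: its new tags change the emitted key case, and existing files written with `LocalAddr`-style keys still decode only because encoding/json matches keys case-insensitively, which is worth stating on the struct so nobody removes the tags or renames a field without realising stored data depends on it.

```go
// decodePathOrObject decodes either the legacy bare-string form or the current
// object form into one Binary/Directory-like value. dst is the alias-typed
// pointer used for the object form so the custom UnmarshalJSON does not recurse.
func decodePathOrObject(data []byte, path *string, eliminated *bool, dst any) error {
	var str string
	if err := json.Unmarshal(data, &str); err == nil {
		*path = str
		*eliminated = false
		return nil
	}
	return json.Unmarshal(data, dst)
}

func (b *Binary) UnmarshalJSON(data []byte) error {
	type Alias Binary
	return decodePathOrObject(data, &b.Path, &b.Eliminated, (*Alias)(b))
}

// … unchanged: Binary.MarshalJSON …

func (d *Directory) UnmarshalJSON(data []byte) error {
	type Alias Directory
	return decodePathOrObject(data, &d.Path, &d.Eliminated, (*Alias)(d))
}

// … unchanged: Directory.MarshalJSON …
```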