Enhance directory detection to handle prefix matching and eliminate duplicates

Helps to discover directories with a prefix instead of just by exact match
Standardize and fix README code block formatting for improved readability
2025-10-10 16:57:12 -04:00 · 2025-10-10 16:48:43 -04:00 · 2025-10-10 16:47:27 -04:00
2 changed files with 76 additions and 16 deletions
@@ -63,14 +63,12 @@ The HTML report includes:
 ### Binary Download
 Download the latest compiled binary from the releases page:
-```
+```powershell
 powershell
 Download rmm-hunter.exe
-Run with administrator privileges```
+Run with administrator privileges
 ```
 ### Building from Source
 ```
 The Scurvy Library is not publicly accessible making building this tool from source impossible at the moment.
@@ -79,20 +77,22 @@ The Scurvy Library is not publicly accessible making building this tool from sou
 ### Hunt Mode
 Execute a comprehensive system scan:
 ```
-powershell .\rmm-hunter.exe hunt```
+```powershell
 powershell .\rmm-hunter.exe hunt
 ```
 With custom output file:
 ```
-powershell .\rmm-hunter.exe hunt --output custom-report.json``` 
+```powershell
 powershell .\rmm-hunter.exe hunt --output custom-report.json
 ``` 
 Exclude specific RMM tools from detection:
 ```powershell
 powershell .\rmm-hunter.exe hunt --exclude TeamViewer,AnyDesk
 ```
 powershell .\rmm-hunter.exe hunt --exclude TeamViewer,AnyDesk```
 ### Eliminate Mode
 **Status: Under Construction**
@@ -122,7 +122,6 @@ The modular architecture allows for extensible detection capabilities while main
 ## Output Formats
 ### JSON Report
 ```
 json { "processes": [...], "services": [...], "binaries": [...], "autoRuns": [...], "scheduledTasks": [...], "outboundConnections": [...], "directories": [...] }``` 
@@ -168,7 +167,7 @@ If you use RMM-Hunter in your project or research, please provide attribution by
 - Credit to **KrakenTech LLC** (https://krakensec.tech)
 Example attribution:
-```
+```txt
 This project uses RMM-Hunter by KrakenTech LLC
 https://github.com/KrakenTech/RMM-Hunter
 ```
@@ -12,14 +12,33 @@ var appData = os.Getenv("APPDATA")
 func Detect() []string {
 	var suspiciousDirectories []string
 	seen := make(map[string]bool) // Prevent duplicates
 	fmt.Printf("[*] Enumerating Suspicious Directories \n")
 	// Check for common directories
 	for _, dir := range common.CommonDirectories {
 		dir = replaceAppData(dir)
 		// Check if this is a prefix pattern (ends with incomplete path such as Screen Connect "C:\Program Files (x86)\ScreenConnect Client (")
 		if isPrefix(dir) {
 			// Find all directories matching this prefix
 			matches := findPrefixMatches(dir)
 			for _, match := range matches {
 				if !seen[match] {
 					fmt.Printf("   [?] Found %s\n", match)
 					suspiciousDirectories = append(suspiciousDirectories, match)
 					seen[match] = true
 				}
 			}
 		} else {
 			// Exact match
 			if _, err := os.Stat(dir); err == nil {
 				if !seen[dir] {
 					fmt.Printf("   [?] Found %s\n", dir)
 					suspiciousDirectories = append(suspiciousDirectories, dir)
 					seen[dir] = true
 				}
 			}
 		}
 	}
 	fmt.Printf("[+] Found %d Suspicious Directories\n", len(suspiciousDirectories))
@@ -27,6 +46,7 @@ func Detect() []string {
 	return suspiciousDirectories
 }
 // replaceAppData replaces {{APPDATA}} with the actual APPDATA path
 func replaceAppData(path string) string {
 	if strings.Contains(path, "{{APPDATA}}") {
 		p := strings.Replace(path, "{{APPDATA}}", "", -1)
@@ -34,3 +54,44 @@ func replaceAppData(path string) string {
 	}
 	return path
 }
 // isPrefix checks if a path is a prefix pattern (incomplete path for matching)
 func isPrefix(path string) bool {
 	// If path ends with "(" or other incomplete patterns, it's a prefix
 	return strings.HasSuffix(path, "(") || strings.HasSuffix(path, "\\")
 }
 // findPrefixMatches finds all directories that start with the given prefix
 func findPrefixMatches(prefix string) []string {
 	var matches []string
 	// Get the parent directory to search in
 	parentDir := filepath.Dir(prefix)
 	// Check if parent directory exists
 	if _, err := os.Stat(parentDir); os.IsNotExist(err) {
 		return matches
 	}
 	// Read all entries in the parent directory
 	entries, err := os.ReadDir(parentDir)
 	if err != nil {
 		return matches
 	}
 	// Get the base name prefix
 	basePrefix := filepath.Base(prefix)
 	// Check each entry
 	for _, entry := range entries {
 		if entry.IsDir() {
 			// Check if this directory name starts with our prefix
 			if strings.HasPrefix(entry.Name(), basePrefix) {
 				fullPath := filepath.Join(parentDir, entry.Name())
 				matches = append(matches, fullPath)
 			}
 		}
 	}
 	return matches
 }
Author	SHA1	Message	Date
Evan Hosinski	7cdee4b62c	Enhance directory detection to handle prefix matching and eliminate duplicates Helps to discover directories with a prefix instead of just by exact match	2025-10-10 16:57:12 -04:00
Evan Hosinski	9512022a73	Standardize and fix README code block formatting for improved readability	2025-10-10 16:48:43 -04:00
Evan Hosinski	967b0c1de1	Fix README formatting for consistent code block styling and improve clarity in usage examples	2025-10-10 16:47:27 -04:00