package common
import (
"fmt"
"strings"
)
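// suspiciousExecDirs lists lower-cased, backslash-delimited directory
// fragments that commonly host dropped or staged executables. They are
// ordered most-specific first so the reported reason names the narrowest
// match; the bare "\temp\" entry would otherwise shadow "\appdata\local\temp\"
// and "\windows\temp\", which could never be reported.
var suspiciousExecDirs = []string{
	"\\appdata\\local\\temp\\",
	"\\windows\\temp\\",
	"\\%temp%\\",
	"\\users\\public\\",
	"\\programdata\\",
	"\\temp\\",
	"\\tmp\\",
}

// trustedPublisherDirs lists directory names that exempt a path from the
// suspicious-directory check. This is a directory-name allowlist, not a
// code-signing check: it establishes only what the folder is called.
var trustedPublisherDirs = []string{
	"\\microsoft\\",
	"\\adobe\\",
	"\\google\\",
	"\\intel\\",
	"\\nvidia\\",
	"\\oracle\\",
	"\\citrix\\",
	"\\vmware\\",
}

// AnalyzeExecutablePath inspects a Windows-style command line and reports
// whether its executable lives in a directory commonly used to stage
// unwanted binaries (temp folders, Users\Public, ProgramData, ...).
//
// The executable is the leading double-quoted token when the command starts
// with a quote, otherwise the first whitespace-delimited field; an unquoted
// path containing spaces is therefore truncated at the first space. Matching
// is case-insensitive and treats "/" as "\".
//
// It returns true and a reason naming the matched directory fragment when the
// path is suspicious, or false and "" otherwise. A path that also contains one
// of the trusted-publisher directory names is not flagged; because that
// exemption rests on the directory name alone, callers that need assurance
// about the binary should verify its signature separately.
func AnalyzeExecutablePath(command string) (bool, string) {
	execPath := executableFromCommand(command)
	if execPath == "" {
		return false, ""
	}

	// Normalize once: Windows accepts "/" as a path separator, so matching
	// only on "\" would miss an otherwise identical path.
	normalized := strings.ReplaceAll(strings.ToLower(execPath), "/", "\\")

	for _, dir := range suspiciousExecDirs {
		if !strings.Contains(normalized, dir) {
			continue
		}
		if hasTrustedPublisherDir(normalized) {
			// The exemption depends on the whole path, not on which
			// suspicious fragment matched, so no later fragment can flag it.
			return false, ""
		}
		return true, fmt.Sprintf("Suspicious installation path: %s", dir)
	}
	return false, ""
}

// executableFromCommand extracts the executable token from a command line.
// A leading double quote starts a quoted path that runs to the next quote;
// when the closing quote is missing the remainder of the command is used, so
// a malformed command line does not silently disable the check. Otherwise the
// first whitespace-delimited field is taken. Returns "" when nothing is found.
func executableFromCommand(command string) string {
	if strings.HasPrefix(command, "\"") {
		rest := command[1:]
		if end := strings.Index(rest, "\""); end != -1 {
			return rest[:end]
		}
		return rest
	}
	fields := strings.Fields(command)
	if len(fields) == 0 {
		return ""
	}
	return fields[0]
}

// hasTrustedPublisherDir reports whether the normalized (lower-cased,
// backslash-delimited) path contains any trusted-publisher directory name.
func hasTrustedPublisherDir(normalizedPath string) bool {
	for _, dir := range trustedPublisherDirs {
		if strings.Contains(normalizedPath, dir) {
			return true
		}
	}
	return false
}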