artifact detection cleanup

kcq · kcq · commit a60daa6b1196 · 2024-11-08T20:00:34.000-08:00
Signed-off-by: Kyle Quest &lt;kcq.public@gmail.com&gt;
diff --git a/pkg/app/sensor/artifact/artifact.go b/pkg/app/sensor/artifact/artifact.go
@@ -191,15 +191,25 @@ func isAppMetadataFile(filePath string) bool {
 }
 
 var binDataReplace = []fsutil.ReplaceInfo{
+	{
+		PathSuffix: "/curl",
+		Match:      "curl/",
+		Replace:    "kerl/",
+	},
 	{
 		PathSuffix: "/node",
 		Match:      "node.js/v",
 		Replace:    "done,xu/v",
 	},
 	{
-		PathSuffix: "/curl",
-		Match:      "curl/",
-		Replace:    "kerl/",
+		PathSuffix: "/bash",
+		Match:      "@(#)Bash version",
+		Replace:    "@(#)Nash wersion",
+	},
+	{
+		PathSuffix: "/nginx",
+		Match:      "nginx version: ",
+		Replace:    "xginn wersion: ",
 	},
 }
 
@@ -223,6 +233,10 @@ const (
 	OMPObfuscateAPN = "obfuscate_apn"
 )
 
+var (
+	BinFileExtra = []byte("OFH")
+)
+
 func init() {
 	rand.Seed(time.Now().UnixNano())
 }
@@ -2192,16 +2206,17 @@ copyFiles:
 				} else {
 					//NOTE: this covers the main file set (doesn't cover the extra includes)
 					binProps, err := binfile.Detected(filePath)
-					if err == nil && binProps != nil && binProps.IsBin && binProps.IsExe {
-						if err := fsutil.AppendToFile(filePath, []byte("KCQ"), true); err != nil {
+					if err == nil && binProps != nil && binProps.IsBin {
+						//not checking binProps.IsExe because Go's ELF header type decoding is unreliable...
+						if err := fsutil.AppendToFile(filePath, BinFileExtra, true); err != nil {
 							logger.Debugf("[%s,%s] - fsutil.AppendToFile error => %v", srcFileName, filePath, err)
 						} else {
 							logger.Tracef("binfile.Detected[IsExe]/fsutil.AppendToFile - %s", filePath)
+						}
 
-							err := fsutil.ReplaceFileData(filePath, binDataReplace, true)
-							if err != nil {
-								logger.Debugf("[%s,%s] - fsutil.ReplaceFileData error => %v", srcFileName, filePath, err)
-							}
+						err := fsutil.ReplaceFileData(filePath, binDataReplace, true)
+						if err != nil {
+							logger.Debugf("[%s,%s] - fsutil.ReplaceFileData error => %v", srcFileName, filePath, err)
 						}
 					}
 				}
diff --git a/pkg/app/sensor/detector/binfile/binfile.go b/pkg/app/sensor/detector/binfile/binfile.go
@@ -20,6 +20,7 @@ func Detected(filePath string) (*BinProps, error) {
 			IsBin: true,
 		}
 
+		//note: Go elf header decoding bug... ET_EXEC gets decoded as ET_DYN sometimes
 		switch binFile.Type {
 		case elf.ET_EXEC:
 			binProps.IsExe = true

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ func Detected(filePath string) (*BinProps, error) {`
`20`	`20`	`IsBin: true,`
`21`	`21`	`}`
`22`	`22`
	`23`	`+ //note: Go elf header decoding bug... ET_EXEC gets decoded as ET_DYN sometimes`
`23`	`24`	`switch binFile.Type {`
`24`	`25`	`case elf.ET_EXEC:`
`25`	`26`	`binProps.IsExe = true`