integrate detection engine into CLI
This commit is contained in:
Adir Shitrit
@@ -1,28 +1,54 @@
|
|||||||
use anyhow::Result;
|
use anyhow::Result;
|
||||||
use ghost_core::{memory, process};
|
use ghost_core::{memory, process, DetectionEngine, ThreatLevel};
|
||||||
|
|
||||||
fn main() -> Result<()> {
|
fn main() -> Result<()> {
|
||||||
env_logger::init();
|
env_logger::init();
|
||||||
|
|
||||||
println!("Ghost - Process Injection Detection\n");
|
println!("Ghost v0.1.0 - Process Injection Detection\n");
|
||||||
|
|
||||||
|
let mut engine = DetectionEngine::new();
|
||||||
let processes = process::enumerate_processes()?;
|
let processes = process::enumerate_processes()?;
|
||||||
println!("Found {} processes\n", processes.len());
|
|
||||||
|
|
||||||
for proc in processes.iter().take(10) {
|
println!("Scanning {} processes...\n", processes.len());
|
||||||
println!("{}", proc);
|
|
||||||
|
|
||||||
|
let mut detections = Vec::new();
|
||||||
|
|
||||||
|
for proc in &processes {
|
||||||
if let Ok(regions) = memory::enumerate_memory_regions(proc.pid) {
|
if let Ok(regions) = memory::enumerate_memory_regions(proc.pid) {
|
||||||
let rwx_regions: Vec<_> = regions
|
let result = engine.analyze_process(proc, ®ions);
|
||||||
.iter()
|
|
||||||
.filter(|r| r.protection == ghost_core::MemoryProtection::ReadWriteExecute)
|
|
||||||
.collect();
|
|
||||||
|
|
||||||
if !rwx_regions.is_empty() {
|
if result.threat_level != ThreatLevel::Clean {
|
||||||
println!(" RWX regions: {}", rwx_regions.len());
|
detections.push(result);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if detections.is_empty() {
|
||||||
|
println!("No suspicious activity detected.");
|
||||||
|
} else {
|
||||||
|
println!("Found {} suspicious processes:\n", detections.len());
|
||||||
|
|
||||||
|
for detection in detections {
|
||||||
|
let level_str = match detection.threat_level {
|
||||||
|
ThreatLevel::Suspicious => "SUSPICIOUS",
|
||||||
|
ThreatLevel::Malicious => "MALICIOUS",
|
||||||
|
_ => "CLEAN",
|
||||||
|
};
|
||||||
|
|
||||||
|
println!(
|
||||||
|
"[{}] {} (PID: {}) - Confidence: {:.1}%",
|
||||||
|
level_str,
|
||||||
|
detection.process.name,
|
||||||
|
detection.process.pid,
|
||||||
|
detection.confidence * 100.0
|
||||||
|
);
|
||||||
|
|
||||||
|
for indicator in &detection.indicators {
|
||||||
|
println!(" - {}", indicator);
|
||||||
|
}
|
||||||
|
println!();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user