admin/ghost
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add configuration file support to CLI

Browse Source
This commit is contained in:
Adir Shitrit
2025-11-08 12:43:11 +02:00
parent d89444a268
commit cdb294a365
2 changed files with 44 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
ghost-cli/src/main.rs
View File

@@ -1,6 +1,6 @@
use anyhow::Result; use anyhow::Result;
use clap::{Arg, Command}; use clap::{Arg, Command};
use ghost_core::{memory, process, thread, DetectionEngine, ThreatLevel}; use ghost_core::{memory, process, thread, DetectionEngine, DetectionConfig, ThreatLevel};
use log::{debug, error, info, warn}; use log::{debug, error, info, warn};
use serde_json; use serde_json;
use std::time::Instant; use std::time::Instant;
@@ -64,6 +64,13 @@ fn main() -> Result<()> {
.action(clap::ArgAction::SetTrue) .action(clap::ArgAction::SetTrue)
.help("Suppress all output except errors"), .help("Suppress all output except errors"),
) )
.arg(
Arg::new("config")
.short('c')
.long("config")
.value_name("FILE")
.help("Load configuration from file"),
)
.get_matches(); .get_matches();
// Initialize logging based on debug flag // Initialize logging based on debug flag
@@ -84,16 +91,41 @@ fn main() -> Result<()> {
let target_pid = matches.get_one::<String>("pid"); let target_pid = matches.get_one::<String>("pid");
let target_process = matches.get_one::<String>("process"); let target_process = matches.get_one::<String>("process");
let output_file = matches.get_one::<String>("output"); let output_file = matches.get_one::<String>("output");
let config_file = matches.get_one::<String>("config");
// Load configuration if specified
let config = if let Some(config_path) = config_file {
info!("Loading configuration from: {}", config_path);
match DetectionConfig::load(config_path) {
Ok(cfg) => {
debug!("Configuration loaded successfully");
Some(cfg)
}
Err(e) => {
error!("Failed to load configuration from {}: {}", config_path, e);
if !quiet {
eprintln!("Error: Failed to load configuration: {}", e);
}
return Err(e.into());
}
}
} else {
None
};
info!("Starting Ghost process injection detection"); info!("Starting Ghost process injection detection");
debug!("Configuration - Format: {}, Verbose: {}, Quiet: {}, Target PID: {:?}, Target Process: {:?}", format, verbose, quiet, target_pid, target_process); debug!("Configuration - Format: {}, Verbose: {}, Quiet: {}, Target PID: {:?}, Target Process: {:?}, Config: {:?}",
format, verbose, quiet, target_pid, target_process, config_file);
if !quiet { if !quiet {
println!("Ghost v0.1.0 - Process Injection Detection\n"); println!("Ghost v0.1.0 - Process Injection Detection\n");
} }
let scan_start = Instant::now(); let scan_start = Instant::now();
let mut engine = DetectionEngine::new(); let mut engine = DetectionEngine::with_config(config).map_err(|e| {
error!("Failed to initialize detection engine: {}", e);
anyhow::anyhow!("Detection engine initialization failed: {}", e)
})?;
let processes = if let Some(pid_str) = target_pid { let processes = if let Some(pid_str) = target_pid {
let pid: u32 = pid_str.parse().map_err(|e| { let pid: u32 = pid_str.parse().map_err(|e| {

12
ghost-core/src/detection.rs
View File

@@ -1,7 +1,7 @@
use crate::{ use crate::{
detect_hook_injection, AnomalyDetector, MemoryProtection, MemoryRegion, detect_hook_injection, AnomalyDetector, MemoryProtection, MemoryRegion,
ProcessInfo, ShellcodeDetector, ThreadInfo, ThreatIntelligence, ThreatContext, ProcessInfo, ShellcodeDetector, ThreadInfo, ThreatIntelligence, ThreatContext,
EvasionDetector, EvasionResult EvasionDetector, EvasionResult, DetectionConfig, GhostError
}; };
#[cfg(target_os = "linux")] #[cfg(target_os = "linux")]
use crate::EbpfDetector; use crate::EbpfDetector;
@@ -32,6 +32,7 @@ pub struct DetectionEngine {
anomaly_detector: AnomalyDetector, anomaly_detector: AnomalyDetector,
threat_intelligence: ThreatIntelligence, threat_intelligence: ThreatIntelligence,
evasion_detector: EvasionDetector, evasion_detector: EvasionDetector,
config: Option<DetectionConfig>,
#[cfg(target_os = "linux")] #[cfg(target_os = "linux")]
ebpf_detector: Option<EbpfDetector>, ebpf_detector: Option<EbpfDetector>,
} }
@@ -43,7 +44,11 @@ struct ProcessBaseline {
} }
impl DetectionEngine { impl DetectionEngine {
pub fn new() -> Result<Self, DetectionError> { pub fn new() -> Result<Self, GhostError> {
Self::with_config(None)
}
pub fn with_config(config: Option<DetectionConfig>) -> Result<Self, GhostError> {
let baseline = ProcessBaseline::new(); let baseline = ProcessBaseline::new();
let shellcode_detector = ShellcodeDetector::new(); let shellcode_detector = ShellcodeDetector::new();
let hollowing_detector = HollowingDetector::new(); let hollowing_detector = HollowingDetector::new();
@@ -74,6 +79,7 @@ impl DetectionEngine {
anomaly_detector, anomaly_detector,
threat_intelligence, threat_intelligence,
evasion_detector, evasion_detector,
config,
#[cfg(target_os = "linux")] #[cfg(target_os = "linux")]
ebpf_detector, ebpf_detector,
}) })
@@ -304,7 +310,7 @@ impl DetectionEngine {
/// Process eBPF detection events (Linux only) /// Process eBPF detection events (Linux only)
#[cfg(target_os = "linux")] #[cfg(target_os = "linux")]
pub fn process_ebpf_events(&mut self) -> Result<Vec<DetectionResult>, DetectionError> { pub fn process_ebpf_events(&mut self) -> Result<Vec<DetectionResult>, GhostError> {
if let Some(ref mut ebpf_detector) = self.ebpf_detector { if let Some(ref mut ebpf_detector) = self.ebpf_detector {
match ebpf_detector.process_events() { match ebpf_detector.process_events() {
Ok(ebpf_events) => { Ok(ebpf_events) => {