Closed egibs closed 2 months ago
Closes: https://github.com/chainguard-dev/bincapz/issues/184
The `samples/` directory is a convenient way to test functionality. Currently, `ignoreSelf` automatically excludes it since we ignore all `bincapz` paths.
This PR excludes `samples` from being ignored.
Example:
```
❯ go run . --format simple .
#
# samples/Linux/2021.ua-parser-js/preinstall.js
exec/program kernel/uname/get shell/exec techniques/code_eval third_party/mthcht_thk_yara_rules

# samples/Linux/2021.ua-parser-js/preinstall.sh
3P/signature_base/pua/crypto combo/dropper/shell crypto/mining/generic fs/file/make_executable fs/permission/modify net/download net/fetch net/fetch/insecure net/fetch/suspicious net/geoip process/find ref/ip ref/path/relative ref/site/http/ip ref/site/url third_party/mthcht_thk_yara_rules

# samples/Linux/2022.Magneto/magnet_goblin_dropper.sh
combo/dropper/shell fs/file/make_executable fs/permission/modify net/fetch process/chdir ref/path/relative ref/site/url third_party/mthcht_thk_yara_rules

# samples/Linux/2022.bpfdoor/bpfdoor_1
3P/elastic/bpfdoor 3P/signature_base/redmenshen/bpfdoor combo/backdoor/net_term device/pseudo_terminal exec/program exec/program/background exec/shell_command fd/multiplex fs/file/delete fs/file/times/set net/ip/byte/order net/ip/string net/socket/connect net/socket/listen net/socket/receive net/socket/send process/chroot process/create random/insecure ref/path/dev ref/path/usr/sbin ref/program/ancient_gcc third_party/mthcht_thk_yara_rules tty/vhangup
#
# samples/Linux/2022.bpfdoor/bpfdoor_2
3P/elastic/bpfdoor combo/backdoor/net_shell combo/backdoor/socket_filter_exec device/pseudo_terminal evasion/hide_shell_history exec/program exec/program/background fs/file/delete fs/file/times/set net/sniffer net/socket/connect net/socket_filter process/create ref/path/usr/bin ref/path/usr/local ref/path/var shell/exec third_party/mthcht_thk_yara_rules tty/vhangup
#
#
# samples/Linux/2023.FreeDownloadManager/freedownloadmanager_clear_postinst
admin/add_apt_key data/embedded/pgp/key net/download ref/path/etc ref/path/usr/bin ref/site/url shell/ignore_output third_party/mthcht_thk_yara_rules

# samples/Linux/2023.FreeDownloadManager/freedownloadmanager_infected_postinst
admin/add_apt_key data/embedded/base64/terms data/embedded/base64/url data/embedded/pgp/key encoding/base64 evasion/base64/eval evasion/base64/external/decoder evasion/base64/http evasion/base64/shell/commands fs/directory/create fs/file/delete/forcibly fs/file/make_executable fs/file/times/set fs/permission/modify net/download persist/crontab ref/path/etc ref/path/tmp ref/path/usr/bin ref/path/var ref/path/var/tmp ref/site/url shell/exec shell/ignore_output third_party/mthcht_thk_yara_rules

# samples/Linux/2024.Mirai_Nomi/mirai.crontab
persist/crontab ref/path/tmp ref/path/var ref/path/var/tmp

# samples/Linux/2024.Mirai_Nomi/mirai_dnsconfigs.service
ref/path/tmp ref/path/var ref/path/var/tmp systemd/execstart/elsewhere systemd/no_blank_lines systemd/no_docs_or_comments systemd/out_of_dependency_tree systemd/restart/always third_party/mthcht_thk_yara_rules

# samples/Linux/2024.PAN-OS.Upstyle/dropper.sh
combo/dropper/shell net/fetch ref/ip shell/pipe_sh
#
# samples/Linux/2024.PAN-OS.Upstyle/dropper2.sh
combo/dropper/shell net/fetch ref/ip
#
# samples/Linux/2024.PAN-OS.Upstyle/update.py
3P/volexity/py/upstyle encoding/base64 evasion/base64/decode evasion/base64/eval evasion/base64/python fs/file/delete fs/file/stat fs/file/times/set ref/path/usr/lib/python third_party/mthcht_thk_yara_rules

# samples/Linux/2024.PAN-OS.Upstyle/update_base64_payload1.py
3P/volexity/py/upstyle encoding/base64 evasion/base64/decode evasion/base64/eval evasion/base64/python exec/program fd/read fd/write fs/file/delete fs/file/read fs/file/write procfs/self/cmdline ref/path/usr/lib/python ref/path/usr/local third_party/mthcht_thk_yara_rules
#
# samples/Linux/2024.PAN-OS.Upstyle/update_base64_payload2.py
3P/volexity/py/upstyle encoding/base64 env/SHELL evasion/base64/command evasion/base64/decode exec/pipe fd/read fd/write fs/file/read fs/file/stat fs/file/times/set fs/file/write process/multithreaded ref/path/var ref/path/var/log third_party/mthcht_thk_yara_rules
#
# samples/Linux/2024.Spinning.YARN/yarn_fragments.sh
admin/system_directories combo/degrader/selinux_firewall data/embedded/base64/url encoding/base64 evasion/base64/eval evasion/base64/external/decoder evasion/base64/http evasion/base64/python evasion/base64/shell/commands evasion/hide_shell_history evasion/rename_system_binary fd/read fs/file/delete/forcibly fs/file/make_executable fs/permission/modify kernel/sysctl/nmi_watchdog net/url net/url/request persist/crontab ref/ip/dns_resolver ref/path/etc ref/path/etc/resolv.conf ref/path/hidden ref/path/tmp ref/path/usr/bin ref/path/usr/local ref/path/var ref/path/var/tmp ref/program/masscan ref/program/sshd ref/program/sudo security_controls/linux/iptables security_controls/linux/selinux security_controls/linux/selinux_disable service/stop service/systemd systemd/execstart/elsewhere techniques/code_eval third_party/mthcht_thk_yara_rules

# samples/Linux/2024.Spinning.YARN/yarn_w.sh
admin/system_directories data/embedded/base64/url encoding/base64 evasion/base64/eval evasion/base64/external/decoder evasion/bash_tcp evasion/rename_system_binary net/http/request ref/path/dev ref/path/usr/bin shell/bash_dev_tcp shell/exec third_party/mthcht_thk_yara_rules

# samples/Linux/2024.sbcl.market/sbcl.clean
compression/zstd dylib/address/check dylib/symbol/address env/HOME env/USER exec/program exec/program/background exec/shell_echo fs/file/delete fs/file/truncate fs/link/read fs/permission/modify fs/symlink/resolve procfs/self/exe ref/path/dev ref/path/tmp ref/path/var ref/path/var/tmp ref/site/url third_party/mthcht_thk_yara_rules

# samples/Linux/2024.sbcl.market/sbcl.dirty
compression/zstd data/embedded/zstd dylib/address/check dylib/symbol/address env/HOME env/USER evasion/packer/high_entropy exec/program exec/program/background exec/shell_echo fs/file/delete fs/file/truncate fs/link/read fs/permission/modify fs/symlink/resolve net/dns/txt procfs/self/exe ref/path/dev ref/path/tmp ref/path/var ref/path/var/tmp ref/site/url third_party/mthcht_thk_yara_rules
#
# samples/Linux/clean/ls.x86_64
env/TERM fs/link/read kernel/hostname/get process/name/set ref/site/url third_party/mthcht_thk_yara_rules

# samples/Linux/clean/ping.x86_64
combo/recon/system_network net/hostport/parse net/icmp net/interface/get net/interface/list net/ip/multicast/send net/ip/parse net/ip/send/unicast net/ip/string net/raw_sockets net/socket/local/address net/socket/receive net/socket/send process/userid/set third_party/mthcht_thk_yara_rules

# samples/Linux/clean/redis-server.aarch64
combo/recon/system_network dylib/address/check dylib/symbol/address env/USER exec/program exec/program/background exec/shell_echo fd/epoll fs/directory/create fs/directory/remove fs/file/delete fs/file/times/set fs/file/truncate fs/lock/update fs/permission/modify fs/tempfile/create kernel/uname/get net/hostport/parse net/http/post net/ip/parse net/ip/string net/reuseport net/socket/listen net/socket/local/address net/socket/peer/address net/socket/receive net/socket/send process/multithreaded process/name/set process/username/get procfs/arbitrary/pid random/insecure ref/path/etc ref/path/relative ref/path/tmp ref/path/var ref/site/url ref/words/password third_party/mthcht_thk_yara_rules

# samples/Linux/synthetic/cnc-dns-over-https.aarch64
archives/zip compression/gzip crypto/aes crypto/ecdsa crypto/ed25519 crypto/tls encoding/base64 encoding/json encoding/json/decode encoding/json/encode evasion/content/length/0 exec/program fs/directory/list fs/file/read fs/link/read fs/permission/chown fs/permission/modify kernel/cpu/info kernel/hostname/get kernel/netlink kernel/uname/get net/dns net/dns/over/https net/dns/txt net/hostname/resolve net/http/accept/encoding net/http/auth net/http/cookies net/http/post net/http/request net/http2 net/http_proxy net/ip/parse net/sendfile net/socket/listen net/socket/local/address net/socket/peer/address net/socket/receive net/socket/send net/udp/receive net/udp/send net/url net/url/encode net/url/request process/chdir ref/ip/dns_resolver ref/path/etc ref/path/etc/hosts ref/path/etc/resolv.conf ref/path/home ref/path/relative ref/site/http/ip ref/site/url ref/words/password secrets/private_key third_party/mthcht_thk_yara_rules

# samples/Linux/synthetic/github-attach-fetch.sh
fs/permission/modify net/fetch ref/site/github_comment_attachment ref/site/url ref/words/backdoor shell/background_launcher shell/exec third_party/mthcht_thk_yara_rules
#
# samples/Python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py
combo/backdoor/py_setuptools combo/recon/system_network exec/pipe exec/program exec/shell_command fd/read fs/file/times/set kernel/uname/get net/fetch net/http/post net/interface/list net/public_ip process/username/get ref/path/hidden ref/path/tmp ref/site/url third_party/mthcht_thk_yara_rules
#
# samples/Python/2023.JokerSpy/shared.dat
combo/dropper/python combo/recon/system_network encoding/base64 evasion/base64/decode evasion/codecs_decode exec/program fd/read fd/write fs/tempdir kernel/uname/get net/interface/list net/url/request process/username/get ref/path/hidden ref/site/url techniques/code_eval third_party/mthcht_thk_yara_rules tty/getpass
#
# samples/Windows/2024.GitHub.Clipper/main.exe
3P/ditekshen/exe/discordurl 3P/ditekshen/exe/rawgithub/url 3P/ditekshen/vm/evasion/macaddrcomb archives/zip combo/net/scan_tool combo/stealer/browser combo/stealer/creds combo/stealer/discord combo/stealer/office combo/stealer/wallet compression/gzip crypto/aes crypto/ecdsa crypto/ed25519 crypto/tls databases/leveldb databases/sqlite encoding/base64 encoding/json encoding/json/decode encoding/json/encode env/TEMP env/TERM exec/program exfil/discord fs/directory/list fs/file/read fs/permission/chown fs/permission/modify kernel/cpu/info malware/family/skuld net/dns net/dns/txt net/download net/geoip net/hostname/resolve net/http/accept/encoding net/http/auth net/http/cookies net/http/post net/http/request net/http2 net/http_proxy net/ip/parse net/mac/address net/public_ip net/sendfile net/socket/listen net/socket/local/address net/socket/peer/address net/socket/receive net/socket/send net/udp/receive net/udp/send net/upload net/url net/url/request net/vnc privesc/uac_bypass process/list ref/extensions/office ref/path/dev ref/path/etc ref/path/etc/hosts ref/path/etc/resolv.conf ref/site/download ref/site/github_raw ref/site/http/dynamic ref/site/url ref/words/password secrets/chromium_credit_cards secrets/chromium_master_password secrets/firefox/cookies secrets/firefox/master_password secrets/private_key third_party/mthcht_thk_yara_rules ui/clipboard
#
# samples/Windows/2024.GitHub.Clipper/raw.py
combo/dropper/python exec/program fs/tempdir net/url/request ref/site/download ref/site/url third_party/mthcht_thk_yara_rules
#
# samples/Windows/2024.Sharp/sharpil_RAT.exe
3P/ditekshen/exe/telegramchatbot data/emdedded/app/manifest net/download net/wireless ref/words/password third_party/mthcht_thk_yara_rules
#
# samples/does-nothing/does-nothing
encoding/base64 encoding/json encoding/json/encode exec/program fs/directory/remove fs/file/delete fs/file/read fs/permission/chown fs/permission/modify kernel/cpu/info kernel/hostname/get kernel/uname/get net/socket/receive net/socket/send process/multithreaded ref/path/etc ref/path/home third_party/mthcht_thk_yara_rules

# samples/does-nothing/does-nothing.go
third_party/mthcht_thk_yara_rules
#
# samples/macOS/2023.3CX/libffmpeg.dirty.dylib
3P/signature_base/3cxdesktopapp/backdoor 3P/signature_base/nk/3cx 3P/signature_base/susp/xored 3P/volexity/iconic compression/gzip crypto/aes encoding/base64 env/HOME env/TERM evasion/xor/user_agent exec/pipe fs/directory/create fs/lock/update fs/permission/modify kernel/dispatch/semaphore kernel/hostname/get net/http/accept/encoding net/http/cookies net/http/post net/url net/url/request process/multithreaded random/insecure ref/path/hidden ref/path/home_library ref/path/tmp ref/words/agent shell/arbitrary_command/dev_null sync/semaphore/user third_party/mthcht_thk_yara_rules
#
# samples/macOS/2023.3CX/libffmpeg.dylib
crypto/aes encoding/base64 env/TERM fs/directory/create net/http/post net/url process/multithreaded ref/path/tmp ref/words/agent third_party/mthcht_thk_yara_rules

# samples/macOS/2024.Previewers/Previewers
archives/zip combo/net/tunnel_proxy combo/recon/system_network combo/stealer/upload/keychain/zip compression/bzip2 compression/zstd crypto/aes data/embedded/zstd device/disk/info dylib/symbol/address encoding/base64 env/USER exec/program exec/program/background fs/directory/create fs/directory/list fs/directory/remove fs/file/delete fs/tempfile/create kernel/cpu/info kernel/dispatch/semaphore kernel/hardware/info kernel/hostname/get kernel/sysinfo net/dns/txt net/download net/hostport/parse net/http/auth net/http/post net/http/request net/http2 net/http_proxy net/interface/get net/socket/connect net/socket/listen net/socket/local/address net/socket/peer/address net/socket/receive net/socket/send net/upload persist/launch/agent process/create process/groupid/set process/groups/set process/multithreaded process/userid/set ref/ip ref/path/etc ref/path/hidden ref/path/home_library ref/site/http/ip ref/site/url ref/words/dropper ref/words/intercept ref/words/password secrets/keychain sync/semaphore/user third_party/mthcht_thk_yara_rules

# samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare
combo/backdoor/net_term device/pseudo_terminal env/SHELL exec/program exec/program/background fs/file/delete fs/symlink/resolve kernel/uname/get net/download net/hostname/resolve net/ip/parse net/ip/string net/socket/connect net/socket/receive net/socket/send net/upload process/create process/multithreaded process/username/get random/insecure shell/exec third_party/mthcht_thk_yara_rules
#
# samples/macOS/clean/ls
env/TERM fs/directory/traverse fs/link/read third_party/mthcht_thk_yara_rules
#
#
#
#
# samples/samples_test.go
encoding/json encoding/json/decode net/download ref/words/infected third_party/mthcht_thk_yara_rules
```
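As an added illustration (not bincapz's own code), the following hypothetical `shouldIgnore` helper shows the path rule this PR describes: everything under the scanner's own directory is skipped by an ignore-self rule, except the `samples/` subtree, which is kept so the corpus in the output above is still scanned. The names `selfRoot`, `shouldIgnore` and `scanList` are assumed here, and the candidate paths in `main` are constructed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// shouldIgnore is a hypothetical ignore-self rule (not bincapz's own code).
// It reports true for paths inside selfRoot, the directory the scanner itself
// lives in, so the scanner does not flag its own sources and rule files.
// The samples/ subtree directly under selfRoot is exempt: it is the test
// corpus and must keep being scanned.
func shouldIgnore(selfRoot, path string) bool {
	rel, err := filepath.Rel(filepath.Clean(selfRoot), filepath.Clean(path))
	if err != nil {
		return false // not relatable to selfRoot (e.g. other volume): scan it
	}
	sep := string(filepath.Separator)
	if rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return false // outside selfRoot: scan it
	}
	// Only the first path element matters: samples/ (and everything below
	// it) is never ignored; a sibling such as samplesX/ is not exempt.
	if first := strings.SplitN(rel, sep, 2)[0]; first == "samples" {
		return false
	}
	return true
}

// scanList applies shouldIgnore to candidate paths and returns the ones that
// would still be scanned, preserving input order.
func scanList(selfRoot string, paths []string) []string {
	var keep []string
	for _, p := range paths {
		if !shouldIgnore(selfRoot, p) {
			keep = append(keep, p)
		}
	}
	return keep
}

func main() {
	// selfRoot derived from the running binary's location (the os.Args[0]
	// idea mentioned in the PR discussion). Caveat: under "go run" the binary
	// is built into a temporary directory, so os.Args[0] does not point at the
	// source checkout; pass the checkout explicitly as the first argument.
	selfRoot := filepath.Dir(os.Args[0])
	if len(os.Args) > 1 {
		selfRoot = os.Args[1]
	}
	// Constructed candidate paths for the demonstration.
	candidates := []string{
		filepath.Join(selfRoot, "pkg", "render", "simple.go"),
		filepath.Join(selfRoot, "rules", "example.yara"),
		filepath.Join(selfRoot, "samples", "Linux", "clean", "ls.x86_64"),
		filepath.Join(selfRoot, "samples", "macOS", "clean", "ls"),
		"/tmp/unknown-upload.bin",
	}
	for _, p := range scanList(selfRoot, candidates) {
		fmt.Println("scan:", p)
	}
}
```

Run it as `go run main.go /path/to/checkout`: only the two `samples/` files and the path outside the checkout are listed, while the scanner's own sources and rules are skipped. Deciding on the first path element (rather than a substring match) is what keeps `samples` exempt without accidentally exempting unrelated directories whose names merely start with it.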
Updated comment to mention idea of using `os.Args[0]`.
Closing in favor of #190.