This PR adds the ability to scan the [unique] commands of running processes if the command is a valid, absolute path.
go-yara provides a `ScanProc` method; however, it was proving difficult to use (at least on macOS, where SIP may be a contributing factor), so this implementation focuses on the binaries of running processes, which is actually easier to fit into our current scan pattern (loading file descriptors).
To support the scanning of several hundred process paths, I had to track down and address a bug with the `scanPathFindings` `sync.Map`. We were not removing keys as they were used, so we'd endlessly iterate through them as the Map elements grew. This wasn't originally apparent because we would provide a single scan path (even if it was a directory).
Finally, I also fixed the brief terminal output and made it a bit easier to read when accounting for multiple lines:
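The two points above (queue only unique, absolute process commands; consume keys from the `sync.Map` instead of ranging over an ever-growing set) as an added, self-contained Go example. This is not the project's code: the `finding` type, `newFindings` and the name `scanPathFindings` as a path-to-finding map are assumptions about the PR's shape, and the process command list is constructed inline. `drainLeaky` reproduces the described bug (each pass re-reports everything, work grows with the map), `drainFixed` uses `LoadAndDelete` so each entry is reported once and the map ends up empty.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
	"sync"
)

// finding is a constructed stand-in for whatever the scanner records per path.
type finding struct {
	Path string
	Rule string
}

// uniqueAbsCommands keeps only commands that are absolute paths, cleans them
// and deduplicates them, so a binary shared by hundreds of processes is
// queued for scanning once. Existence/readability is left to the scan step.
func uniqueAbsCommands(cmds []string) []string {
	seen := make(map[string]struct{})
	out := []string{}
	for _, c := range cmds {
		if c == "" || !filepath.IsAbs(c) {
			continue // relative or empty command: not scannable as a file
		}
		c = filepath.Clean(c)
		if _, dup := seen[c]; dup {
			continue
		}
		seen[c] = struct{}{}
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

// newFindings builds the path -> finding sync.Map (an assumed shape for the
// PR's scanPathFindings) with one constructed finding per path.
func newFindings(paths []string) *sync.Map {
	m := &sync.Map{}
	for _, p := range paths {
		m.Store(p, finding{Path: p, Rule: "example_rule"})
	}
	return m
}

// drainLeaky reproduces the bug: each pass ranges over the map without
// deleting consumed keys, so entries already reported are reported again on
// every pass and the cost grows with the number of paths ever added.
func drainLeaky(m *sync.Map, passes int) int {
	reported := 0
	for i := 0; i < passes; i++ {
		m.Range(func(_, _ interface{}) bool {
			reported++
			return true
		})
	}
	return reported
}

// drainFixed consumes each key exactly once: LoadAndDelete removes the entry
// as it is reported, so later passes find nothing and the map stays empty.
// Deleting during Range is permitted by the sync.Map contract.
func drainFixed(m *sync.Map, passes int) int {
	reported := 0
	for i := 0; i < passes; i++ {
		m.Range(func(k, _ interface{}) bool {
			if _, ok := m.LoadAndDelete(k); ok {
				reported++
			}
			return true
		})
	}
	return reported
}

// remaining counts entries left in the map after draining.
func remaining(m *sync.Map) int {
	n := 0
	m.Range(func(_, _ interface{}) bool { n++; return true })
	return n
}

func main() {
	// Constructed process command list: duplicates, a relative command, an
	// empty one and an un-cleaned path, as a process table might yield.
	cmds := []string{"/usr/bin/ssh", "/usr/bin/ssh", "bash", "", "/usr/local/bin/node", "/usr/bin/../bin/ssh"}
	paths := uniqueAbsCommands(cmds)
	fmt.Println("scan paths:", paths)

	leaky := newFindings(paths)
	fmt.Println("leaky: reported", drainLeaky(leaky, 3), "remaining", remaining(leaky))
	fixed := newFindings(paths)
	fmt.Println("fixed: reported", drainFixed(fixed, 3), "remaining", remaining(fixed))
}
```

With two unique paths and three drain passes, the leaky version reports six findings and still holds both entries; the fixed version reports two and leaves the map empty, which is the difference that only shows up once the scan list is hundreds of process binaries rather than a single path.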