50c 3.9.6 → 3.9.7

package/lib/backdoor-checker.js

@@ -1,1497 +0,0 @@
-/**
- * 50c Backdoor Checker v2 - Aggressive local security audit tool
- * Runs entirely on the user's machine. FREE.
- *
- * v2 additions:
- * - WMI event subscriptions, IFEO, COM hijacking, AppInit_DLLs (Windows)
- * - PowerShell script block logging (Event 4104)
- * - Windows Defender exclusions
- * - BITS transfer jobs
- * - Browser extension scanning (Chrome/Edge/Firefox/Brave - all platforms)
- * - npm/pip/gem global package scanning (supply chain)
- * - Docker container checks
- * - Git hooks scanning
- * - VS Code / IDE extension scanning
- * - IPv6 connection extraction + geo-tagging
- * - Named pipes detection (Windows)
- * - NTFS Alternate Data Streams (Windows)
- * - LD_PRELOAD, kernel modules, systemd timers (Linux)
- * - Authorization plugins, kexts, Spotlight importers (macOS)
- * - Weighted severity scoring
- * - False positive whitelist system
- *
- * Cross-platform: Windows (PowerShell), Linux (bash), macOS (bash)
- */
-
-const { exec, execSync } = require('child_process');
-const os = require('os');
-const fs = require('fs');
-const path = require('path');
-
-const PLATFORM = os.platform(); // win32, linux, darwin
-const HOME = os.homedir();
-
-// Suspicious country indicators in IP geolocation
-const SUSPICIOUS_GEOS = ['CN', 'RU', 'KP', 'IR'];
-
-// Known suspicious IDE directories
-const SUSPICIOUS_IDE_DIRS = [
-  '.verdent', '.verdant', '.verd',
-  '.trae',  // ByteDance IDE
-  '.deveco', // Huawei IDE
-];
-
-// Known suspicious process names
-const SUSPICIOUS_PROCESSES = [
-  'cryptominer', 'xmrig', 'minerd', 'cgminer', 'bfgminer',
-  'nc.exe', 'ncat', 'netcat', 'socat',
-  'mimikatz', 'lazagne', 'procdump', 'rubeus',
-  'psexec', 'wmic', // lateral movement
-  'cobaltstrike', 'beacon', 'meterpreter',
-  'chisel', 'plink', 'ngrok', // tunneling
-];
-
-// False positive whitelist - known safe patterns
-const FP_WHITELIST = {
-  powershell: [
-    /invoke-webrequest.*github\.com/i,
-    /invoke-webrequest.*microsoft\.com/i,
-    /invoke-webrequest.*amazonaws\.com/i,
-    /invoke-webrequest.*chocolatey/i,
-    /invoke-webrequest.*nuget/i,
-  ],
-  browserExtensions: [
-    // Known safe extension IDs (Chrome)
-    'aomjjhallfgjeglblehebfpbcfeobpgk', // 1Password
-    'nngceckbapebfimnlniiiahkandclblb', // Bitwarden
-    'cjpalhdlnbpafiamejdnhcphjbkeiagm', // uBlock Origin
-    'gcbommkclmhbdidlmmcakbaylnkihaoh', // React DevTools
-  ],
-  npmPackages: [
-    // Known safe global npm packages
-    'npm', 'npx', 'yarn', 'pnpm', 'corepack', 'typescript', 'ts-node',
-    'eslint', 'prettier', 'nodemon', 'pm2', 'serve', 'http-server',
-    'create-react-app', 'next', 'vite', 'webpack', 'turbo',
-    'claude-code', '50c', 'vercel', 'netlify-cli', 'firebase-tools',
-  ]
-};
-
-// Severity weights for scoring
-const SEVERITY_WEIGHTS = {
-  CRITICAL: 100,
-  HIGH: 50,
-  MEDIUM: 20,
-  LOW: 5,
-  INFO: 0
-};
-
-/**
- * Run a command and return stdout (or error message)
- */
-function run(cmd, timeout = 30000) {
-  try {
-    return execSync(cmd, {
-      timeout,
-      encoding: 'utf8',
-      stdio: ['pipe', 'pipe', 'pipe'],
-      windowsHide: true,
-      maxBuffer: 10 * 1024 * 1024
-    }).trim();
-  } catch (e) {
-    return `[ERROR] ${e.message}`;
-  }
-}
-
-/**
- * Run PowerShell command (Windows) - pipes script via stdin to avoid:
- * 1. Writing .ps1 temp files → triggers Bitdefender file quarantine
- * 2. Using -EncodedCommand → triggers "Malicious command line" detection
- * Instead: `powershell -Command -` reads from stdin, invisible to AV heuristics
- */
-function ps(script, timeout = 30000) {
-  try {
-    return execSync('powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command -', {
-      input: script,
-      timeout,
-      encoding: 'utf8',
-      stdio: ['pipe', 'pipe', 'pipe'],
-      windowsHide: true,
-      maxBuffer: 10 * 1024 * 1024
-    }).trim();
-  } catch (e) {
-    if (e.stdout && e.stdout.trim()) return e.stdout.trim();
-    return `[ERROR] ${e.message}`;
-  }
-}
-
-/**
- * Geo-IP lookup using free API (ip-api.com)
- */
-async function geoIP(ip) {
-  try {
-    const http = require('http');
-    return new Promise((resolve) => {
-      const req = http.get(`http://ip-api.com/json/${ip}?fields=country,countryCode,city,isp,org`, { timeout: 5000 }, (res) => {
-        let data = '';
-        res.on('data', c => data += c);
-        res.on('end', () => {
-          try { resolve(JSON.parse(data)); }
-          catch { resolve({ country: 'unknown', countryCode: '??' }); }
-        });
-      });
-      req.on('error', () => resolve({ country: 'unknown', countryCode: '??' }));
-      req.on('timeout', () => { req.destroy(); resolve({ country: 'unknown', countryCode: '??' }); });
-    });
-  } catch {
-    return { country: 'unknown', countryCode: '??' };
-  }
-}
-
-/**
- * Batch geo-IP lookup (ip-api.com supports batch of up to 100)
- */
-async function batchGeoIP(ips) {
-  if (ips.length === 0) return {};
-  const uniqueIPs = [...new Set(ips)].slice(0, 100);
-
-  try {
-    const http = require('http');
-    const body = JSON.stringify(uniqueIPs.map(ip => ({ query: ip, fields: 'query,country,countryCode,city,isp,org' })));
-
-    return new Promise((resolve) => {
-      const req = http.request({
-        hostname: 'ip-api.com',
-        path: '/batch',
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) },
-        timeout: 10000
-      }, (res) => {
-        let data = '';
-        res.on('data', c => data += c);
-        res.on('end', () => {
-          try {
-            const results = JSON.parse(data);
-            const map = {};
-            for (const r of results) { map[r.query] = r; }
-            resolve(map);
-          } catch { resolve({}); }
-        });
-      });
-      req.on('error', () => resolve({}));
-      req.on('timeout', () => { req.destroy(); resolve({}); });
-      req.write(body);
-      req.end();
-    });
-  } catch {
-    return {};
-  }
-}
-
-/**
- * Check if a PowerShell history line is a false positive
- */
-function isPSFalsePositive(line) {
-  return FP_WHITELIST.powershell.some(rx => rx.test(line));
-}
-
-// ============================================
-// CROSS-PLATFORM CHECKS (shared by all OS)
-// ============================================
-
-/**
- * Scan browser extensions (Chrome, Edge, Firefox, Brave) for suspicious entries
- */
-function getBrowserExtensions() {
-  const results = [];
-  const browsers = [];
-
-  if (PLATFORM === 'win32') {
-    browsers.push(
-      { name: 'Chrome', dir: path.join(HOME, 'AppData', 'Local', 'Google', 'Chrome', 'User Data', 'Default', 'Extensions') },
-      { name: 'Edge', dir: path.join(HOME, 'AppData', 'Local', 'Microsoft', 'Edge', 'User Data', 'Default', 'Extensions') },
-      { name: 'Brave', dir: path.join(HOME, 'AppData', 'Local', 'BraveSoftware', 'Brave-Browser', 'User Data', 'Default', 'Extensions') },
-      { name: 'Firefox', dir: path.join(HOME, 'AppData', 'Roaming', 'Mozilla', 'Firefox', 'Profiles') }
-    );
-  } else if (PLATFORM === 'darwin') {
-    browsers.push(
-      { name: 'Chrome', dir: path.join(HOME, 'Library', 'Application Support', 'Google', 'Chrome', 'Default', 'Extensions') },
-      { name: 'Edge', dir: path.join(HOME, 'Library', 'Application Support', 'Microsoft Edge', 'Default', 'Extensions') },
-      { name: 'Brave', dir: path.join(HOME, 'Library', 'Application Support', 'BraveSoftware', 'Brave-Browser', 'Default', 'Extensions') },
-      { name: 'Firefox', dir: path.join(HOME, 'Library', 'Application Support', 'Firefox', 'Profiles') },
-      { name: 'Safari', dir: path.join(HOME, 'Library', 'Safari', 'Extensions') }
-    );
-  } else {
-    browsers.push(
-      { name: 'Chrome', dir: path.join(HOME, '.config', 'google-chrome', 'Default', 'Extensions') },
-      { name: 'Chromium', dir: path.join(HOME, '.config', 'chromium', 'Default', 'Extensions') },
-      { name: 'Brave', dir: path.join(HOME, '.config', 'BraveSoftware', 'Brave-Browser', 'Default', 'Extensions') },
-      { name: 'Firefox', dir: path.join(HOME, '.mozilla', 'firefox') }
-    );
-  }
-
-  for (const browser of browsers) {
-    if (!fs.existsSync(browser.dir)) continue;
-
-    if (browser.name === 'Firefox') {
-      // Firefox uses profiles with extensions.json
-      try {
-        const profiles = fs.readdirSync(browser.dir).filter(d => {
-          const full = path.join(browser.dir, d);
-          return fs.statSync(full).isDirectory() && d.includes('.');
-        });
-        for (const profile of profiles) {
-          const extFile = path.join(browser.dir, profile, 'extensions.json');
-          if (fs.existsSync(extFile)) {
-            try {
-              const data = JSON.parse(fs.readFileSync(extFile, 'utf8'));
-              const addons = data.addons || [];
-              const nonSystem = addons.filter(a => a.type === 'extension' && !a.location?.includes('app-system'));
-              if (nonSystem.length > 0) {
-                results.push(`${browser.name} (${profile}): ${nonSystem.length} extensions`);
-                for (const ext of nonSystem.slice(0, 15)) {
-                  results.push(`  ${ext.id} | ${ext.defaultLocale?.name || ext.id}`);
-                }
-              }
-            } catch {}
-          }
-        }
-      } catch {}
-    } else if (browser.name === 'Safari') {
-      try {
-        const files = fs.readdirSync(browser.dir);
-        if (files.length > 0) {
-          results.push(`Safari: ${files.length} extensions`);
-          for (const f of files.slice(0, 10)) results.push(`  ${f}`);
-        }
-      } catch {}
-    } else {
-      // Chromium-based: each extension is a directory named by ID
-      try {
-        const extDirs = fs.readdirSync(browser.dir).filter(d => {
-          return fs.statSync(path.join(browser.dir, d)).isDirectory();
-        });
-        if (extDirs.length > 0) {
-          results.push(`${browser.name}: ${extDirs.length} extensions installed`);
-          // Only flag extensions with suspicious names/descriptions
-          for (const id of extDirs) {
-            let name = id;
-            let suspicious = false;
-            try {
-              const versions = fs.readdirSync(path.join(browser.dir, id));
-              const latest = versions.sort().pop();
-              if (latest) {
-                const manifest = JSON.parse(fs.readFileSync(path.join(browser.dir, id, latest, 'manifest.json'), 'utf8'));
-                name = manifest.name || id;
-                const desc = (manifest.description || '').toLowerCase();
-                const nameLower = name.toLowerCase();
-                suspicious = ['keylog', 'stealer', 'inject', 'backdoor', 'cryptomin', 'reverse.shell', 'rat ', 'trojan'].some(
-                  pat => nameLower.includes(pat) || desc.includes(pat)
-                );
-              }
-            } catch {}
-            if (suspicious) {
-              results.push(`  [!!] SUSPICIOUS: ${id.substring(0, 12)}... | ${name.substring(0, 50)}`);
-            }
-          }
-        }
-      } catch {}
-    }
-  }
-
-  return results.length > 0 ? results.join('\n') : 'No browser extensions found';
-}
-
-/**
- * Scan for suspicious global npm/pip/gem packages (supply chain)
- */
-function getSupplyChainPackages() {
-  const results = [];
-
-  // npm global packages
-  const npmList = run('npm list -g --depth=0 --json 2>/dev/null', 15000);
-  if (!npmList.startsWith('[ERROR]')) {
-    try {
-      const data = JSON.parse(npmList);
-      const deps = Object.keys(data.dependencies || {});
-      const suspicious = deps.filter(d => !FP_WHITELIST.npmPackages.includes(d));
-      results.push(`npm global: ${deps.length} packages (${suspicious.length} non-whitelisted)`);
-      if (suspicious.length > 0) {
-        results.push(`  Non-whitelisted: ${suspicious.join(', ')}`);
-      }
-    } catch {
-      results.push('npm global: Could not parse package list');
-    }
-  }
-
-  // pip packages (check for known malicious patterns)
-  const pipList = run('pip list --format=json 2>/dev/null || pip3 list --format=json 2>/dev/null', 15000);
-  if (!pipList.startsWith('[ERROR]')) {
-    try {
-      const pkgs = JSON.parse(pipList);
-      // Check for typosquatting patterns
-      const suspiciousPatterns = ['python-', 'py-', '-python', 'crypto', 'wallet', 'stealer', 'keylog', 'reverse-shell'];
-      const flagged = pkgs.filter(p => suspiciousPatterns.some(pat => p.name.toLowerCase().includes(pat)));
-      results.push(`pip: ${pkgs.length} packages`);
-      if (flagged.length > 0) {
-        results.push(`  [!] Potentially suspicious: ${flagged.map(p => p.name).join(', ')}`);
-      }
-    } catch {}
-  }
-
-  return results.length > 0 ? results.join('\n') : 'No package managers found';
-}
-
-/**
- * Check for running Docker containers
- */
-function getDockerContainers() {
-  const result = run('docker ps --format "{{.ID}} | {{.Image}} | {{.Status}} | {{.Ports}} | {{.Names}}" 2>/dev/null', 10000);
-  if (result.startsWith('[ERROR]') || result === '') {
-    return 'Docker not running or not installed';
-  }
-  const lines = result.split('\n');
-  if (lines.length > 0) {
-    return `[!] ${lines.length} running containers:\n${result}`;
-  }
-  return 'No running Docker containers';
-}
-
-/**
- * Scan git repos for suspicious hooks
- */
-function getGitHooks() {
-  const results = [];
-  const searchDirs = [HOME, path.join(HOME, 'Desktop'), path.join(HOME, 'Documents'), path.join(HOME, 'Projects')];
-
-  if (PLATFORM === 'win32') {
-    searchDirs.push(path.join(HOME, 'source', 'repos'));
-  } else {
-    searchDirs.push(path.join(HOME, 'dev'), path.join(HOME, 'src'), path.join(HOME, 'code'));
-  }
-
-  const checkedRepos = new Set();
-  const hookNames = ['pre-commit', 'post-commit', 'pre-push', 'post-checkout', 'pre-receive', 'post-receive', 'update'];
-
-  for (const dir of searchDirs) {
-    if (!fs.existsSync(dir)) continue;
-    try {
-      const entries = fs.readdirSync(dir);
-      for (const entry of entries) {
-        const gitDir = path.join(dir, entry, '.git', 'hooks');
-        if (checkedRepos.has(gitDir)) continue;
-        checkedRepos.add(gitDir);
-
-        if (fs.existsSync(gitDir)) {
-          try {
-            const hooks = fs.readdirSync(gitDir).filter(f => {
-              return hookNames.includes(f) && !f.endsWith('.sample');
-            });
-            if (hooks.length > 0) {
-              for (const hook of hooks) {
-                const hookPath = path.join(gitDir, hook);
-                try {
-                  const content = fs.readFileSync(hookPath, 'utf8').substring(0, 500);
-                  const suspicious = /curl|wget|nc\s|netcat|python.*-c|base64|eval|exec\(/.test(content);
-                  if (suspicious) {
-                    results.push(`[!!] ${entry}/.git/hooks/${hook} — contains suspicious commands`);
-                  } else {
-                    results.push(`  ${entry}/.git/hooks/${hook}`);
-                  }
-                } catch {}
-              }
-            }
-          } catch {}
-        }
-      }
-    } catch {}
-  }
-
-  return results.length > 0 ? results.join('\n') : 'No active git hooks found in common directories';
-}
-
-/**
- * Scan VS Code / IDE extensions for suspicious entries
- */
-function getIDEExtensions() {
-  const results = [];
-
-  // VS Code extensions
-  const vscodeDirs = [
-    path.join(HOME, '.vscode', 'extensions'),
-    path.join(HOME, '.vscode-insiders', 'extensions'),
-  ];
-
-  // Cursor
-  if (PLATFORM === 'win32') {
-    vscodeDirs.push(path.join(HOME, '.cursor', 'extensions'));
-    vscodeDirs.push(path.join(HOME, 'AppData', 'Local', 'Programs', 'cursor', 'resources', 'app', 'extensions'));
-  } else if (PLATFORM === 'darwin') {
-    vscodeDirs.push(path.join(HOME, '.cursor', 'extensions'));
-  } else {
-    vscodeDirs.push(path.join(HOME, '.cursor', 'extensions'));
-  }
-
-  for (const dir of vscodeDirs) {
-    if (!fs.existsSync(dir)) continue;
-    try {
-      const exts = fs.readdirSync(dir).filter(f => {
-        return fs.statSync(path.join(dir, f)).isDirectory();
-      });
-      if (exts.length > 0) {
-        const dirName = path.basename(path.dirname(dir));
-        results.push(`${dirName} extensions: ${exts.length}`);
-        // Check for suspicious extensions
-        for (const ext of exts) {
-          const lower = ext.toLowerCase();
-          // Skip known safe publishers
-          const safePublishers = ['ms-vscode', 'ms-python', 'ms-dotnettools', 'ms-azuretools', 'ms-toolsai',
-            'microsoft', 'github', 'redhat', 'golang', 'rust-lang', 'dbaeumer', 'esbenp', 'eamodio',
-            'bradlc', 'christian-kohler', 'formulahendry', 'pkief', 'ritwickdey', 'vscodevim',
-            'anysphere', 'saoudrizwan', 'continue']; // cursor + continue extensions
-          const isSafePublisher = safePublishers.some(p => lower.startsWith(p + '.'));
-          if (!isSafePublisher &&
-              (lower.includes('keylog') || lower.includes('reverse-shell') ||
-               lower.includes('cryptomin') || lower.includes('stealer') || lower.includes('backdoor'))) {
-            results.push(`  [!!] SUSPICIOUS: ${ext}`);
-          }
-        }
-      }
-    } catch {}
-  }
-
-  return results.length > 0 ? results.join('\n') : 'No IDE extensions directories found';
-}
-
-// ============================================
-// WINDOWS CHECKS
-// ============================================
-
-function windowsChecks() {
-  const findings = [];
-
-  // --- Original checks ---
-  findings.push({ check: 'RDP Login History', data: getRDPLogins() });
-  findings.push({ check: 'Failed Login Attempts', data: getFailedLogins() });
-  findings.push({ check: 'Local User Accounts', data: getLocalUsers() });
-  findings.push({ check: 'Scheduled Tasks', data: getScheduledTasks() });
-  findings.push({ check: 'Startup Registry Keys', data: getStartupKeys() });
-  findings.push({ check: 'Services', data: getServices() });
-  findings.push({ check: 'Active Network Connections', data: getNetConnections() });
-  findings.push({ check: 'Firewall Rules', data: getFirewallRules() });
-  findings.push({ check: 'Root Certificates', data: getCertificates() });
-  findings.push({ check: 'Proxy Settings', data: getProxySettings() });
-  findings.push({ check: 'Remote Management (WinRM)', data: getWinRM() });
-  findings.push({ check: 'SSH Authorized Keys', data: getSSHKeys() });
-  findings.push({ check: 'Suspicious IDE Artifacts', data: getIDEArtifacts() });
-  findings.push({ check: 'PowerShell History', data: getPSHistory() });
-  findings.push({ check: 'DNS Cache', data: getDNSCache() });
-  findings.push({ check: 'Recently Installed Programs', data: getRecentInstalls() });
-  findings.push({ check: 'Suspicious Processes', data: getSuspiciousProcesses() });
-
-  // --- v2 Windows-specific checks ---
-  findings.push({ check: 'WMI Event Subscriptions', data: getWMISubscriptions() });
-  findings.push({ check: 'PowerShell Script Block Logs (4104)', data: getPSScriptBlockLogs() });
-  findings.push({ check: 'Windows Defender Exclusions', data: getDefenderExclusions() });
-  findings.push({ check: 'BITS Transfer Jobs', data: getBITSJobs() });
-  findings.push({ check: 'COM Object Hijacking', data: getCOMHijacking() });
-  findings.push({ check: 'Image File Execution Options (IFEO)', data: getIFEO() });
-  findings.push({ check: 'AppInit_DLLs', data: getAppInitDLLs() });
-  findings.push({ check: 'Named Pipes', data: getNamedPipes() });
-  findings.push({ check: 'Alternate Data Streams (ADS)', data: getADS() });
-
-  // --- v2 Cross-platform checks ---
-  findings.push({ check: 'Browser Extensions', data: getBrowserExtensions() });
-  findings.push({ check: 'Supply Chain Packages (npm/pip)', data: getSupplyChainPackages() });
-  findings.push({ check: 'Docker Containers', data: getDockerContainers() });
-  findings.push({ check: 'Git Hooks', data: getGitHooks() });
-  findings.push({ check: 'IDE Extensions (VS Code/Cursor)', data: getIDEExtensions() });
-
-  return findings;
-}
-
-// --- v2 Windows check implementations ---
-
-function getWMISubscriptions() {
-  return ps(`
-$filters = Get-WMIObject -Namespace root\\Subscription -Class __EventFilter -ErrorAction SilentlyContinue
-$consumers = Get-WMIObject -Namespace root\\Subscription -Class __EventConsumer -ErrorAction SilentlyContinue
-$bindings = Get-WMIObject -Namespace root\\Subscription -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue
-
-# Known safe WMI subscriptions (Windows built-in)
-$safeFilters = @('SCM Event Log Filter', 'BVTFilter', 'TSLogonFilter', 'TSLogonEvents.evt')
-$safeConsumers = @('SCM Event Log Consumer', 'BVTConsumer', 'TSLogonEvents.vbs', 'NTEventLogEventConsumer')
-
-$suspFilters = $filters | Where-Object { $safeFilters -notcontains $_.Name }
-$suspConsumers = $consumers | Where-Object { $safeConsumers -notcontains $_.Name }
-
-if ($suspFilters -or $suspConsumers) {
-    "[!!] WMI Event Subscriptions found (persistence mechanism):"
-    if ($suspFilters) {
-        "Suspicious Filters:"
-        $suspFilters | ForEach-Object { "  Name=$($_.Name) Query=$($_.Query)" }
-    }
-    if ($suspConsumers) {
-        "Suspicious Consumers:"
-        $suspConsumers | ForEach-Object { "  Name=$($_.Name) Type=$($_.GetType().Name)" }
-    }
-    "Total bindings: $($bindings.Count)"
-} elseif ($filters -or $consumers) {
-    "WMI subscriptions found but all are Windows built-in (safe): $(($filters | ForEach-Object { $_.Name }) -join ', ')"
-} else {
-    "No WMI event subscriptions found"
-}
-  `, 30000);
-}
-
-function getPSScriptBlockLogs() {
-  return ps(`
-try {
-    $events = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -MaxEvents 50 -ErrorAction Stop
-    $suspicious = $events | Where-Object {
-        $text = $_.Properties[2].Value
-        $text -match 'Invoke-Expression|IEX|DownloadString|DownloadFile|Net.WebClient|EncodedCommand|-enc |FromBase64String|Invoke-Mimikatz|Invoke-Shellcode|Start-Process.*-WindowStyle.*Hidden|Add-MpPreference.*ExclusionPath|New-Object.*Net.Sockets'
-    }
-    if ($suspicious) {
-        "[!!] Suspicious PowerShell script blocks executed (Event 4104):"
-        $suspicious | Select-Object -First 10 | ForEach-Object {
-            $time = $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
-            $snippet = $_.Properties[2].Value.Substring(0, [Math]::Min(200, $_.Properties[2].Value.Length))
-            "$time | $snippet"
-        }
-    } else {
-        "No suspicious script block logs in last 50 events"
-    }
-} catch {
-    "Script block logging not available or access denied"
-}
-  `, 60000);
-}
-
-function getDefenderExclusions() {
-  return ps(`
-try {
-    $prefs = Get-MpPreference -ErrorAction Stop
-    $pathExcl = $prefs.ExclusionPath
-    $procExcl = $prefs.ExclusionProcess
-    $extExcl = $prefs.ExclusionExtension
-
-    $found = $false
-    if ($pathExcl -and $pathExcl.Count -gt 0) {
-        "[!] Defender Path Exclusions:"
-        $pathExcl | ForEach-Object { "  $_" }
-        $found = $true
-    }
-    if ($procExcl -and $procExcl.Count -gt 0) {
-        "[!] Defender Process Exclusions:"
-        $procExcl | ForEach-Object { "  $_" }
-        $found = $true
-    }
-    if ($extExcl -and $extExcl.Count -gt 0) {
-        "[!] Defender Extension Exclusions:"
-        $extExcl | ForEach-Object { "  $_" }
-        $found = $true
-    }
-    if (-not $found) { "No Defender exclusions configured" }
-} catch {
-    "Cannot read Defender preferences (may need admin)"
-}
-  `, 15000);
-}
-
-function getBITSJobs() {
-  return ps(`
-try {
-    $jobs = Get-BitsTransfer -AllUsers -ErrorAction Stop
-    if ($jobs) {
-        "[!] Active BITS transfer jobs found:"
-        $jobs | ForEach-Object {
-            "  JobId=$($_.JobId) DisplayName=$($_.DisplayName) State=$($_.JobState) Owner=$($_.OwnerAccount)"
-            "    Files: $($_.FileList | ForEach-Object { $_.RemoteName }) -> $($_.FileList | ForEach-Object { $_.LocalName })"
-        }
-    } else {
-        "No active BITS transfer jobs"
-    }
-} catch {
-    "Cannot enumerate BITS jobs (may need admin)"
-}
-  `, 15000);
-}
-
-function getCOMHijacking() {
-  return ps(`
-$suspiciousKeys = @(
-    'HKCU:\\Software\\Classes\\CLSID',
-    'HKCU:\\Software\\Classes\\Wow6432Node\\CLSID'
-)
-# Known safe COM DLL paths (Microsoft, known vendors)
-$safePaths = @('\\system32\\', '\\SysWOW64\\', '\\Microsoft\\', '\\Teams', '\\GoTo', '\\OneDrive',
-    '\\Office', '\\Outlook', '\\Zoom', '\\Citrix', '\\Webex', '\\Slack', '\\Google\\',
-    '\\Program Files\\', '\\Program Files (x86)\\')
-
-$found = $false
-$suspicious = @()
-foreach ($key in $suspiciousKeys) {
-    if (Test-Path $key) {
-        $subkeys = Get-ChildItem $key -ErrorAction SilentlyContinue
-        foreach ($sk in $subkeys) {
-            $default = (Get-ItemProperty "$($sk.PSPath)\\InprocServer32" -ErrorAction SilentlyContinue).'(Default)'
-            if ($default) {
-                $isSafe = $false
-                foreach ($sp in $safePaths) {
-                    if ($default -like "*$sp*") { $isSafe = $true; break }
-                }
-                if (-not $isSafe) {
-                    $suspicious += "  [!!] $($sk.PSChildName) -> $default"
-                }
-            }
-        }
-    }
-}
-if ($suspicious.Count -gt 0) {
-    "[!!] Suspicious user-level COM registrations (unknown DLL paths):"
-    $suspicious
-} else {
-    "COM registrations found - all from known safe paths (Microsoft, Teams, GoTo, etc.)"
-}
-  `, 15000);
-}
-
-function getIFEO() {
-  return ps(`
-$ifeoPath = 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'
-$suspicious = Get-ChildItem $ifeoPath -ErrorAction SilentlyContinue | ForEach-Object {
-    $debugger = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
-    if ($debugger) {
-        [PSCustomObject]@{ Target = $_.PSChildName; Debugger = $debugger }
-    }
-}
-if ($suspicious) {
-    "[!!] IFEO Debugger keys found (process hijacking):"
-    $suspicious | ForEach-Object { "  $($_.Target) -> $($_.Debugger)" }
-} else {
-    "No IFEO debugger keys found"
-}
-  `, 15000);
-}
-
-function getAppInitDLLs() {
-  return ps(`
-$paths = @(
-    'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows',
-    'HKLM:\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows'
-)
-$found = $false
-foreach ($p in $paths) {
-    if (Test-Path $p) {
-        $val = (Get-ItemProperty $p -ErrorAction SilentlyContinue).AppInit_DLLs
-        $loadVal = (Get-ItemProperty $p -ErrorAction SilentlyContinue).LoadAppInit_DLLs
-        if ($val -and $val.Trim() -ne '') {
-            "[!!] AppInit_DLLs set in $p"
-            "  Value: $val"
-            "  LoadAppInit_DLLs: $loadVal"
-            $found = $true
-        }
-    }
-}
-if (-not $found) { "AppInit_DLLs not configured (safe)" }
-  `, 15000);
-}
-
-function getNamedPipes() {
-  return ps(`
-$pipes = Get-ChildItem '\\.\pipe\' -ErrorAction SilentlyContinue | Select-Object Name
-$suspicious = $pipes | Where-Object {
-    $_.Name -match '(cobaltstrike|meterpreter|beacon|MSSE-|msagent_|postex_|status_|mojo\.|chrome\.\d+\.\d+\.\d+)' -or
-    $_.Name -match '(psexec|remcom|csexec|svcctl)' -or
-    ($_.Name -match '^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$')
-}
-if ($suspicious) {
-    "[!] Potentially suspicious named pipes:"
-    $suspicious | ForEach-Object { "  \\.\pipe\$($_.Name)" }
-    "Total pipes on system: $($pipes.Count)"
-} else {
-    "No suspicious named pipes found (total: $($pipes.Count))"
-}
-  `, 15000);
-}
-
-function getADS() {
-  const results = [];
-  // Check common directories for alternate data streams
-  const checkDirs = [
-    path.join(HOME, 'Desktop'),
-    path.join(HOME, 'Downloads'),
-    os.tmpdir()
-  ];
-
-  for (const dir of checkDirs) {
-    if (!fs.existsSync(dir)) continue;
-    const result = ps(`
-Get-ChildItem "${dir}" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
-    $streams = Get-Item $_.FullName -Stream * -ErrorAction SilentlyContinue | Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' -and $_.Stream -notlike '*.Zone.Identifier' -and $_.Stream -notlike 'MBAM*' -and $_.Stream -ne 'StreamedFileState' -and $_.Stream -ne 'SmartScreen' -and $_.Stream -ne 'Afp_AfpInfo' -and $_.Length -gt 100 }
-    if ($streams) {
-        $streams | ForEach-Object { "[!] ADS: $($_.FileName):$($_.Stream) ($($_.Length) bytes)" }
-    }
-} | Select-Object -First 20
-    `, 30000);
-    if (result && !result.startsWith('[ERROR]') && result.includes('[!]')) {
-      results.push(result);
-    }
-  }
-
-  return results.length > 0 ? results.join('\n') : 'No suspicious Alternate Data Streams found';
-}
-
-// --- Original Windows check implementations ---
-
-function getRDPLogins() {
-  return ps(`
-try {
-    $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 200 -ErrorAction Stop |
-        Where-Object { $_.Properties[8].Value -eq 10 } |
-        Select-Object -First 50 |
-        ForEach-Object {
-            $ip = $_.Properties[18].Value
-            $user = $_.Properties[5].Value
-            $domain = $_.Properties[6].Value
-            $time = $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
-            "$time | $domain\\$user | $ip"
-        }
-    if ($events) { $events -join [char]10 } else { 'No RDP logins found in Security log' }
-} catch { 'Access denied or Security log unavailable - run as Administrator' }
-  `, 60000);
-}
-
-function getFailedLogins() {
-  return ps(`
-try {
-    $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 100 -ErrorAction Stop |
-        Select-Object -First 30 |
-        ForEach-Object {
-            $ip = $_.Properties[19].Value
-            $user = $_.Properties[5].Value
-            $time = $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
-            "$time | $user | $ip"
-        }
-    if ($events) { $events -join [char]10 } else { 'No failed login attempts found' }
-} catch { 'Access denied or Security log unavailable - run as Administrator' }
-  `, 60000);
-}
-
-function getLocalUsers() {
-  return ps(`
-Get-LocalUser | ForEach-Object {
-    $name = $_.Name
-    $enabled = $_.Enabled
-    $lastLogon = $_.LastLogon
-    $desc = $_.Description
-    "$name | Enabled=$enabled | LastLogon=$lastLogon | $desc"
-} | Out-String
-  `);
-}
-
-function getScheduledTasks() {
-  return ps(`
-Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\\Microsoft\\*' } |
-    ForEach-Object {
-        $name = $_.TaskName
-        $path = $_.TaskPath
-        $actions = ($_.Actions | ForEach-Object { $_.Execute + ' ' + $_.Arguments }) -join '; '
-        "$path$name | $actions"
-    } | Out-String
-  `, 60000);
-}
-
-function getStartupKeys() {
-  const keys = [
-    'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run',
-    'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce',
-    'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run',
-    'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce',
-    'HKLM:\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run',
-  ];
-
-  return ps(`
-$keys = @(${keys.map(k => `'${k}'`).join(',')})
-foreach ($key in $keys) {
-    if (Test-Path $key) {
-        "=== $key ==="
-        Get-ItemProperty $key -ErrorAction SilentlyContinue |
-            ForEach-Object { $_.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
-                ForEach-Object { "  $($_.Name) = $($_.Value)" }
-            }
-    }
-}
-  `);
-}
-
-function getServices() {
-  return ps(`
-Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.StartType -eq 'Automatic' } |
-    Where-Object { $_.DisplayName -notlike 'Windows*' -and $_.DisplayName -notlike 'Microsoft*' -and $_.DisplayName -notlike 'DCOM*' -and $_.DisplayName -notlike 'Plug*' } |
-    Select-Object Name, DisplayName, StartType |
-    Format-Table -AutoSize | Out-String
-  `);
-}
-
-function getNetConnections() {
-  return ps(`
-Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
-    Where-Object { $_.RemoteAddress -ne '127.0.0.1' -and $_.RemoteAddress -ne '::1' -and $_.RemoteAddress -ne '0.0.0.0' } |
-    Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess,
-        @{N='Process';E={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}} |
-    Sort-Object RemoteAddress |
-    Format-Table -AutoSize | Out-String
-  `);
-}
-
-function getFirewallRules() {
-  return ps(`
-Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
-    Where-Object { $_.DisplayName -notlike 'Core Networking*' -and $_.DisplayName -notlike 'Windows*' } |
-    Select-Object -First 30 DisplayName, Profile, Direction |
-    Format-Table -AutoSize | Out-String
-  `);
-}
-
-function getCertificates() {
-  return ps(`
-Get-ChildItem Cert:\\LocalMachine\\Root |
-    Where-Object { $_.NotAfter -gt (Get-Date) } |
-    Select-Object Subject, Issuer, NotAfter, Thumbprint |
-    Format-Table -AutoSize -Wrap | Out-String
-  `);
-}
-
-function getProxySettings() {
-  return ps(`
-$proxy = Get-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings' -ErrorAction SilentlyContinue
-"ProxyEnable: $($proxy.ProxyEnable)"
-"ProxyServer: $($proxy.ProxyServer)"
-"ProxyOverride: $($proxy.ProxyOverride)"
-"AutoConfigURL: $($proxy.AutoConfigURL)"
-""
-"Environment:"
-"HTTP_PROXY: $env:HTTP_PROXY"
-"HTTPS_PROXY: $env:HTTPS_PROXY"
-"ALL_PROXY: $env:ALL_PROXY"
-  `);
-}
-
-function getWinRM() {
-  return ps(`
-try {
-    $status = Get-Service WinRM -ErrorAction Stop
-    "WinRM Status: $($status.Status)"
-    if ($status.Status -eq 'Running') {
-        "[!!] WARNING: WinRM is running - remote management is enabled"
-        winrm get winrm/config/client 2>$null
-    }
-} catch {
-    "WinRM: Not found or access denied"
-}
-  `);
-}
-
-function getSSHKeys() {
-  const results = [];
-  const sshDir = path.join(HOME, '.ssh');
-
-  if (fs.existsSync(sshDir)) {
-    const authKeys = path.join(sshDir, 'authorized_keys');
-    if (fs.existsSync(authKeys)) {
-      results.push('=== authorized_keys ===');
-      const content = fs.readFileSync(authKeys, 'utf8');
-      const keys = content.split('\n').filter(l => l.trim() && !l.startsWith('#'));
-      for (const key of keys) {
-        const parts = key.trim().split(/\s+/);
-        const comment = parts.length >= 3 ? parts.slice(2).join(' ') : 'no-comment';
-        const type = parts[0];
-        results.push(`  ${type} ... ${comment}`);
-      }
-    } else {
-      results.push('No authorized_keys file found');
-    }
-
-    const files = fs.readdirSync(sshDir);
-    const unusual = files.filter(f => !['authorized_keys', 'known_hosts', 'config', 'id_rsa', 'id_rsa.pub', 'id_ed25519', 'id_ed25519.pub', 'id_ecdsa', 'id_ecdsa.pub', 'id_ed25519_automation', 'id_ed25519_automation.pub'].includes(f));
-    if (unusual.length > 0) {
-      results.push(`\nUnusual files in .ssh/: ${unusual.join(', ')}`);
-    }
-  } else {
-    results.push('No .ssh directory found');
-  }
-
-  return results.join('\n');
-}
-
-function getIDEArtifacts() {
-  const results = [];
-
-  for (const dir of SUSPICIOUS_IDE_DIRS) {
-    const fullPath = path.join(HOME, dir);
-    if (fs.existsSync(fullPath)) {
-      results.push(`[!] FOUND: ${fullPath}`);
-      try {
-        const files = fs.readdirSync(fullPath);
-        results.push(`    Contents: ${files.slice(0, 20).join(', ')}`);
-
-        const mcpPath = path.join(fullPath, 'mcp.json');
-        if (fs.existsSync(mcpPath)) {
-          results.push(`    [!!] MCP config found: ${mcpPath}`);
-          try {
-            const mcp = JSON.parse(fs.readFileSync(mcpPath, 'utf8'));
-            const servers = Object.keys(mcp.mcpServers || {});
-            results.push(`    MCP servers configured: ${servers.join(', ')}`);
-            for (const [name, srv] of Object.entries(mcp.mcpServers || {})) {
-              if (srv.env) {
-                const envKeys = Object.keys(srv.env);
-                results.push(`    [!] ${name} has env vars: ${envKeys.join(', ')}`);
-              }
-            }
-          } catch {}
-        }
-      } catch {}
-    }
-  }
-
-  // Check AppData for IDE data directories
-  const appDataPaths = [];
-  if (PLATFORM === 'win32') {
-    const appData = process.env.APPDATA || '';
-    const localAppData = process.env.LOCALAPPDATA || '';
-    for (const name of ['Verdent', 'Verdant', 'Trae']) {
-      if (appData) appDataPaths.push(path.join(appData, name));
-      if (localAppData) appDataPaths.push(path.join(localAppData, name));
-    }
-  } else if (PLATFORM === 'darwin') {
-    const support = path.join(HOME, 'Library', 'Application Support');
-    for (const name of ['Verdent', 'Verdant', 'Trae']) {
-      appDataPaths.push(path.join(support, name));
-    }
-  }
-
-  for (const p of appDataPaths) {
-    if (p && fs.existsSync(p)) {
-      results.push(`[!] FOUND AppData: ${p}`);
-      try {
-        const files = fs.readdirSync(p);
-        results.push(`    Contents: ${files.slice(0, 20).join(', ')}`);
-      } catch {}
-    }
-  }
-
-  if (results.length === 0) {
-    results.push('No suspicious IDE artifacts found');
-  }
-
-  return results.join('\n');
-}
-
-function getPSHistory() {
-  const histPath = path.join(HOME, 'AppData', 'Roaming', 'Microsoft', 'Windows', 'PowerShell', 'PSReadLine', 'ConsoleHost_history.txt');
-  if (fs.existsSync(histPath)) {
-    try {
-      const content = fs.readFileSync(histPath, 'utf8');
-      const lines = content.split('\n').slice(-200); // last 200 commands
-      const suspicious = lines.filter(l => {
-        const lower = l.toLowerCase();
-        const isSuspicious = lower.includes('downloadstring') ||
-               lower.includes('downloadfile') || lower.includes('net.webclient') ||
-               lower.includes('iex') || lower.includes('invoke-expression') ||
-               lower.includes('-enc ') || lower.includes('encodedcommand') ||
-               lower.includes('certutil') || lower.includes('bitsadmin') ||
-               lower.includes('frombase64string') || lower.includes('add-mppreference') ||
-               lower.includes('invoke-mimikatz') || lower.includes('invoke-shellcode') ||
-               lower.includes('new-object net.sockets');
-
-        // Filter out known safe invoke-webrequest patterns
-        if (lower.includes('invoke-webrequest') && !isPSFalsePositive(l)) {
-          return true;
-        }
-        return isSuspicious;
-      });
-      if (suspicious.length > 0) {
-        return `[!] Suspicious PowerShell commands found:\n${suspicious.join('\n')}`;
-      }
-      return `Last 200 commands checked - no suspicious patterns found (${lines.length} lines in history)`;
-    } catch {
-      return 'Could not read PowerShell history';
-    }
-  }
-  return 'No PowerShell history file found';
-}
-
-function getDNSCache() {
-  return ps(`
-$cache = Get-DnsClientCache -ErrorAction SilentlyContinue |
-    Select-Object -First 100 Entry, Data |
-    Where-Object { $_.Entry -match '\\.(cn|ru|ir|kp)$' -or $_.Entry -match '(baidu|qq|163|aliyun|tencent|weibo|bytedance|douyin)' }
-if ($cache) {
-    "[!] Suspicious DNS entries found:"
-    $cache | Format-Table -AutoSize | Out-String
-} else {
-    "No suspicious DNS entries (.cn/.ru/.ir/.kp or known Chinese services)"
-}
-  `);
-}
-
-function getRecentInstalls() {
-  return ps(`
-Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* |
-    Where-Object { $_.InstallDate -and $_.InstallDate -gt (Get-Date).AddDays(-90).ToString('yyyyMMdd') } |
-    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
-    Sort-Object InstallDate -Descending |
-    Format-Table -AutoSize | Out-String
-  `);
-}
-
-function getSuspiciousProcesses() {
-  return ps(`
-$suspicious = @(${SUSPICIOUS_PROCESSES.map(p => `'${p}'`).join(',')})
-$procs = Get-Process -ErrorAction SilentlyContinue |
-    Select-Object Name, Id, Path, Company |
-    Where-Object {
-        $_.Name -in $suspicious -or
-        ($_.Path -and ($_.Path -match '\\\\Temp\\\\' -or $_.Path -match '\\\\tmp\\\\' -or $_.Path -match '\\\\Downloads\\\\'))
-    }
-if ($procs) {
-    "[!] Suspicious processes found:"
-    $procs | Format-Table -AutoSize | Out-String
-} else {
-    "No known suspicious processes found"
-}
-  `);
-}
-
-// ============================================
-// LINUX CHECKS
-// ============================================
-
-function linuxChecks() {
-  const findings = [];
-
-  // --- Original checks ---
-  findings.push({ check: 'SSH Login History', data: run('last -50 2>/dev/null || echo "last command not available"') });
-  findings.push({ check: 'Failed SSH Attempts', data: run('grep "Failed password" /var/log/auth.log 2>/dev/null | tail -30 || grep "Failed password" /var/log/secure 2>/dev/null | tail -30 || journalctl -u sshd --no-pager -n 30 2>/dev/null | grep -i "failed" || echo "No auth logs accessible"') });
-  findings.push({ check: 'User Accounts', data: run('cat /etc/passwd | grep -v nologin | grep -v /false') });
-  findings.push({ check: 'Sudoers', data: run('cat /etc/sudoers 2>/dev/null; ls -la /etc/sudoers.d/ 2>/dev/null') });
-  findings.push({ check: 'Crontabs', data: run('for user in $(cut -f1 -d: /etc/passwd); do crontab -l -u $user 2>/dev/null && echo "=== $user ==="; done; cat /etc/crontab 2>/dev/null; ls -la /etc/cron.d/ 2>/dev/null') });
-  findings.push({ check: 'SSH Authorized Keys', data: getSSHKeys() });
-  findings.push({ check: 'Active Connections', data: run('ss -tunp 2>/dev/null || netstat -tunp 2>/dev/null') });
-  findings.push({ check: 'Listening Ports', data: run('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null') });
-  findings.push({ check: 'Running Services', data: run('systemctl list-units --type=service --state=running 2>/dev/null | head -40') });
-  findings.push({ check: 'Suspicious IDE Artifacts', data: getIDEArtifacts() });
-  findings.push({ check: 'Unusual SUID Binaries', data: run('find / -perm -4000 -type f 2>/dev/null | grep -v -E "(sudo|passwd|ping|mount|su|chsh|chfn|newgrp|gpasswd|pkexec|umount|fusermount|dbus-daemon-launch-helper)" | head -20', 60000) });
-  findings.push({ check: 'Startup Scripts', data: run('ls -la /etc/init.d/ 2>/dev/null; ls -la /etc/rc.local 2>/dev/null; systemctl list-unit-files --state=enabled 2>/dev/null | head -30') });
-  findings.push({ check: 'Bash History (suspicious)', data: run('grep -hE "curl.*\\|.*sh|wget.*\\|.*sh|python.*-c.*import|nc\\s+-|/dev/tcp|base64.*-d" ~/.bash_history 2>/dev/null | tail -20 || echo "No suspicious bash history patterns"') });
-
-  // --- v2 Linux-specific checks ---
-  findings.push({ check: 'LD_PRELOAD Hijacking', data: getLDPreload() });
-  findings.push({ check: 'Kernel Modules', data: getKernelModules() });
-  findings.push({ check: 'Systemd Timers', data: getSystemdTimers() });
-  findings.push({ check: 'At Jobs', data: run('atq 2>/dev/null || echo "at not installed or no jobs"') });
-  findings.push({ check: 'Profile.d Scripts', data: run('ls -la /etc/profile.d/ 2>/dev/null; echo "---"; cat /etc/environment 2>/dev/null') });
-  findings.push({ check: 'File Capabilities', data: run('getcap -r / 2>/dev/null | grep -v -E "(ping|traceroute|mtr)" | head -20 || echo "getcap not available"', 60000) });
-
-  // --- v2 Cross-platform checks ---
-  findings.push({ check: 'Browser Extensions', data: getBrowserExtensions() });
-  findings.push({ check: 'Supply Chain Packages (npm/pip)', data: getSupplyChainPackages() });
-  findings.push({ check: 'Docker Containers', data: getDockerContainers() });
-  findings.push({ check: 'Git Hooks', data: getGitHooks() });
-  findings.push({ check: 'IDE Extensions (VS Code/Cursor)', data: getIDEExtensions() });
-
-  return findings;
-}
-
-function getLDPreload() {
-  const results = [];
-
-  // Check /etc/ld.so.preload
-  try {
-    if (fs.existsSync('/etc/ld.so.preload')) {
-      const content = fs.readFileSync('/etc/ld.so.preload', 'utf8').trim();
-      if (content) {
-        results.push(`[!!] /etc/ld.so.preload contains entries:\n  ${content}`);
-      }
-    }
-  } catch {}
-
-  // Check LD_PRELOAD env
-  const ldPreload = process.env.LD_PRELOAD;
-  if (ldPreload) {
-    results.push(`[!!] LD_PRELOAD environment variable set: ${ldPreload}`);
-  }
-
-  // Check /etc/environment for LD_PRELOAD
-  try {
-    if (fs.existsSync('/etc/environment')) {
-      const content = fs.readFileSync('/etc/environment', 'utf8');
-      if (content.includes('LD_PRELOAD')) {
-        results.push(`[!!] LD_PRELOAD found in /etc/environment`);
-      }
-    }
-  } catch {}
-
-  return results.length > 0 ? results.join('\n') : 'No LD_PRELOAD hijacking detected';
-}
-
-function getKernelModules() {
-  const results = [];
-  const loaded = run('lsmod 2>/dev/null | head -30');
-  if (!loaded.startsWith('[ERROR]')) {
-    results.push('Loaded kernel modules (first 30):');
-    results.push(loaded);
-  }
-
-  // Check for unsigned/out-of-tree modules
-  const unsigned = run('for mod in $(lsmod 2>/dev/null | tail -n+2 | awk \'{print $1}\'); do modinfo $mod 2>/dev/null | grep -q "intree:.*N" && echo "[!] Out-of-tree: $mod"; done 2>/dev/null | head -10', 30000);
-  if (unsigned && !unsigned.startsWith('[ERROR]') && unsigned.includes('[!]')) {
-    results.push(unsigned);
-  }
-
-  return results.length > 0 ? results.join('\n') : 'Cannot read kernel modules';
-}
-
-function getSystemdTimers() {
-  return run('systemctl list-timers --all 2>/dev/null | head -25 || echo "systemd timers not available"');
-}
-
-// ============================================
-// macOS CHECKS
-// ============================================
-
-function macChecks() {
-  const findings = [];
-
-  // --- Original checks ---
-  findings.push({ check: 'Login History', data: run('last -50 2>/dev/null || echo "last command not available"') });
-  findings.push({ check: 'Failed Login Attempts', data: run('log show --predicate \'eventMessage contains "failed" AND eventMessage contains "ssh"\' --style syslog --last 7d 2>/dev/null | tail -30 || echo "No failed SSH in unified log"', 60000) });
-  findings.push({ check: 'Remote Login (SSH) Status', data: run('systemsetup -getremotelogin 2>/dev/null || echo "Cannot check remote login status"') });
-  findings.push({ check: 'Screen Sharing / VNC / ARD', data: run('launchctl list 2>/dev/null | grep -iE "vnc|screensharing|ARD|remote" || echo "No screen sharing services found"') });
-  findings.push({ check: 'User Accounts', data: run('dscl . list /Users | grep -v "^_" | grep -v daemon | grep -v nobody') });
-  findings.push({ check: 'Admin Users', data: run('dscl . -read /Groups/admin GroupMembership 2>/dev/null || echo "Cannot read admin group"') });
-  findings.push({ check: 'User LaunchAgents', data: getMacLaunchItems(path.join(HOME, 'Library', 'LaunchAgents')) });
-  findings.push({ check: 'System LaunchAgents', data: getMacLaunchItems('/Library/LaunchAgents') });
-  findings.push({ check: 'LaunchDaemons', data: getMacLaunchItems('/Library/LaunchDaemons') });
-  findings.push({ check: 'Login Items', data: run('osascript -e \'tell application "System Events" to get the name of every login item\' 2>/dev/null || echo "Cannot read login items"') });
-  findings.push({ check: 'Crontabs', data: run('crontab -l 2>/dev/null || echo "No user crontab"; echo "---"; cat /etc/crontab 2>/dev/null || echo "No /etc/crontab"') });
-  findings.push({ check: 'SSH Authorized Keys', data: getSSHKeys() });
-  findings.push({ check: 'Active Connections', data: run('netstat -an 2>/dev/null | grep ESTABLISHED | head -40 || lsof -i -P -n 2>/dev/null | grep ESTABLISHED | head -40') });
-  findings.push({ check: 'Listening Ports', data: run('lsof -i -P -n 2>/dev/null | grep LISTEN | head -30') });
-  findings.push({ check: 'Configuration Profiles (MDM)', data: run('profiles list 2>/dev/null || profiles -L 2>/dev/null || echo "No profiles command or no profiles installed"') });
-  findings.push({ check: 'Custom Root Certificates', data: run('security find-certificate -a -p /Library/Keychains/System.keychain 2>/dev/null | openssl x509 -noout -subject -issuer 2>/dev/null | head -20 || echo "Cannot enumerate system keychain"') });
-  findings.push({ check: 'Proxy Settings', data: run('networksetup -getwebproxy Wi-Fi 2>/dev/null; networksetup -getsecurewebproxy Wi-Fi 2>/dev/null; networksetup -getautoproxyurl Wi-Fi 2>/dev/null; echo "HTTP_PROXY=$HTTP_PROXY"; echo "HTTPS_PROXY=$HTTPS_PROXY"') });
-  findings.push({ check: 'Firewall Status', data: run('/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null || echo "Cannot check firewall"') });
-  findings.push({ check: 'Suspicious IDE Artifacts', data: getIDEArtifacts() });
-  findings.push({ check: 'Shell History (suspicious)', data: run('grep -hE "curl.*\\|.*sh|wget.*\\|.*sh|python.*-c.*import|nc\\s+-|/dev/tcp|base64.*-d|osascript.*-e" ~/.bash_history ~/.zsh_history 2>/dev/null | tail -20 || echo "No suspicious shell history patterns"') });
-  findings.push({ check: 'Gatekeeper & SIP Status', data: run('spctl --status 2>/dev/null; csrutil status 2>/dev/null') });
-  findings.push({ check: 'Privacy Permissions (TCC)', data: run('sqlite3 "$HOME/Library/Application Support/com.apple.TCC/TCC.db" "SELECT client,service,auth_value FROM access WHERE auth_value=2" 2>/dev/null || echo "Cannot read TCC database (may need Full Disk Access)"') });
-
-  // --- v2 macOS-specific checks ---
-  findings.push({ check: 'Authorization Plugins', data: getMacAuthPlugins() });
-  findings.push({ check: 'Kernel Extensions (kexts)', data: getMacKexts() });
-  findings.push({ check: 'Spotlight Importers', data: getMacSpotlightImporters() });
-  findings.push({ check: 'Directory Services Plugins', data: getMacDSPlugins() });
-  findings.push({ check: 'LD_PRELOAD / DYLD_INSERT', data: getMacDylibInjection() });
-  findings.push({ check: 'Periodic Scripts', data: run('ls -la /etc/periodic/daily/ 2>/dev/null; ls -la /etc/periodic/weekly/ 2>/dev/null; ls -la /etc/periodic/monthly/ 2>/dev/null') });
-  findings.push({ check: 'at Jobs', data: run('atq 2>/dev/null || echo "at not available or no jobs"') });
-
-  // --- v2 Cross-platform checks ---
-  findings.push({ check: 'Browser Extensions', data: getBrowserExtensions() });
-  findings.push({ check: 'Supply Chain Packages (npm/pip)', data: getSupplyChainPackages() });
-  findings.push({ check: 'Docker Containers', data: getDockerContainers() });
-  findings.push({ check: 'Git Hooks', data: getGitHooks() });
-  findings.push({ check: 'IDE Extensions (VS Code/Cursor)', data: getIDEExtensions() });
-
-  return findings;
-}
-
-function getMacAuthPlugins() {
-  const pluginDir = '/Library/Security/SecurityAgentPlugins';
-  try {
-    if (!fs.existsSync(pluginDir)) return 'No custom authorization plugins';
-    const plugins = fs.readdirSync(pluginDir);
-    if (plugins.length === 0) return 'No authorization plugins found';
-    const results = plugins.map(p => {
-      const isApple = p.startsWith('com.apple.');
-      return `${isApple ? '  ' : '[!] '}${p}`;
-    });
-    return results.join('\n');
-  } catch {
-    return 'Cannot read authorization plugins directory';
-  }
-}
-
-function getMacKexts() {
-  const result = run('kextstat 2>/dev/null | grep -v com.apple | head -20');
-  if (result && !result.startsWith('[ERROR]') && result.trim()) {
-    return `[!] Non-Apple kernel extensions loaded:\n${result}`;
-  }
-  return run('kextstat 2>/dev/null | wc -l | xargs -I{} echo "Total kexts loaded: {} (all Apple)"') || 'Cannot enumerate kexts';
-}
-
-function getMacSpotlightImporters() {
-  const importerDirs = [
-    '/Library/Spotlight',
-    path.join(HOME, 'Library', 'Spotlight')
-  ];
-  const results = [];
-  for (const dir of importerDirs) {
-    try {
-      if (!fs.existsSync(dir)) continue;
-      const importers = fs.readdirSync(dir);
-      if (importers.length > 0) {
-        results.push(`${dir}:`);
-        for (const imp of importers) {
-          results.push(`  [!] ${imp}`);
-        }
-      }
-    } catch {}
-  }
-  return results.length > 0 ? results.join('\n') : 'No custom Spotlight importers found';
-}
-
-function getMacDSPlugins() {
-  const pluginDir = '/Library/DirectoryServices/PlugIns';
-  try {
-    if (!fs.existsSync(pluginDir)) return 'No custom Directory Services plugins';
-    const plugins = fs.readdirSync(pluginDir);
-    if (plugins.length === 0) return 'No DS plugins found';
-    return plugins.map(p => `  [!] ${p}`).join('\n');
-  } catch {
-    return 'Cannot read DS plugins directory';
-  }
-}
-
-function getMacDylibInjection() {
-  const results = [];
-
-  // Check DYLD_INSERT_LIBRARIES
-  const dyldInsert = process.env.DYLD_INSERT_LIBRARIES;
-  if (dyldInsert) {
-    results.push(`[!!] DYLD_INSERT_LIBRARIES set: ${dyldInsert}`);
-  }
-
-  const dyldForce = process.env.DYLD_FORCE_FLAT_NAMESPACE;
-  if (dyldForce) {
-    results.push(`[!!] DYLD_FORCE_FLAT_NAMESPACE set`);
-  }
-
-  // Check /etc/environment
-  try {
-    if (fs.existsSync('/etc/environment')) {
-      const content = fs.readFileSync('/etc/environment', 'utf8');
-      if (content.includes('DYLD_INSERT') || content.includes('LD_PRELOAD')) {
-        results.push(`[!!] Library injection env vars found in /etc/environment`);
-      }
-    }
-  } catch {}
-
-  // Check shell profiles for injection
-  const profiles = [
-    path.join(HOME, '.bash_profile'),
-    path.join(HOME, '.zshrc'),
-    path.join(HOME, '.zprofile'),
-    path.join(HOME, '.profile'),
-  ];
-  for (const profile of profiles) {
-    try {
-      if (!fs.existsSync(profile)) continue;
-      const content = fs.readFileSync(profile, 'utf8');
-      if (content.includes('DYLD_INSERT') || content.includes('LD_PRELOAD')) {
-        results.push(`[!!] Library injection found in ${profile}`);
-      }
-    } catch {}
-  }
-
-  return results.length > 0 ? results.join('\n') : 'No dylib/library injection detected';
-}
-
-/**
- * Read macOS LaunchAgent/LaunchDaemon plist files for suspicious entries
- */
-function getMacLaunchItems(dirPath) {
-  const results = [];
-  try {
-    if (!fs.existsSync(dirPath)) {
-      return `Directory not found: ${dirPath}`;
-    }
-    const files = fs.readdirSync(dirPath).filter(f => f.endsWith('.plist'));
-    if (files.length === 0) {
-      return `No plist files in ${dirPath}`;
-    }
-
-    for (const file of files) {
-      const fullPath = path.join(dirPath, file);
-      const content = run(`plutil -p "${fullPath}" 2>/dev/null`);
-
-      const isApple = file.startsWith('com.apple.') || file.startsWith('com.openssh.');
-      const label = isApple ? '  ' : '[!] ';
-
-      const programMatch = content.match(/"Program(?:Arguments)?" => (?:\[[\s\S]*?\]|"[^"]*")/);
-      const program = programMatch ? programMatch[0].substring(0, 120) : '';
-
-      results.push(`${label}${file}`);
-      if (program) results.push(`     ${program}`);
-    }
-  } catch (e) {
-    results.push(`[ERROR] Cannot read ${dirPath}: ${e.message}`);
-  }
-  return results.join('\n');
-}
-
-// ============================================
-// MAIN AUDIT FUNCTION
-// ============================================
-
-async function runAudit(options = {}) {
-  const startTime = Date.now();
-  const result = {
-    ok: true,
-    version: 2,
-    platform: PLATFORM,
-    hostname: os.hostname(),
-    timestamp: new Date().toISOString(),
-    user: os.userInfo().username,
-    findings: [],
-    alerts: [],
-    summary: {}
-  };
-
-  // Run platform-specific checks
-  if (PLATFORM === 'win32') {
-    result.findings = windowsChecks();
-  } else if (PLATFORM === 'darwin') {
-    result.findings = macChecks();
-  } else {
-    result.findings = linuxChecks();
-  }
-
-  // Extract unique IPs from findings for geo-lookup (IPv4 + IPv6)
-  const allIPv4 = new Set();
-  const allIPv6 = new Set();
-
-  // Only extract IPs from network-related checks (not user accounts, timestamps, etc.)
-  const networkChecks = ['Active Network Connections', 'Active Connections', 'Listening Ports',
-    'RDP Login History', 'Failed Login Attempts', 'Failed SSH Attempts', 'SSH Login History',
-    'Login History', 'Firewall Rules', 'PowerShell History', 'Shell History',
-    'Bash History', 'DNS Cache'];
-
-  for (const f of result.findings) {
-    if (typeof f.data !== 'string') continue;
-    // Only extract IPs from relevant checks to avoid version numbers / timestamps
-    if (!networkChecks.includes(f.check)) continue;
-
-    // IPv4 - must have valid octets (0-255)
-    const ipv4Matches = f.data.match(/\b(?:\d{1,3}\.){3}\d{1,3}\b/g) || [];
-    for (const ip of ipv4Matches) {
-      const octets = ip.split('.').map(Number);
-      // Validate: each octet 0-255, not private, not broadcast
-      if (octets.some(o => o > 255)) continue;
-      if (ip.startsWith('127.') || ip.startsWith('0.') || ip.startsWith('10.') ||
-          ip.startsWith('192.168.') || ip.startsWith('169.254.') || ip === '255.255.255.255' ||
-          ip.match(/^172\.(1[6-9]|2\d|3[01])\./)) continue;
-      allIPv4.add(ip);
-    }
-
-    // IPv6 - only extract from network connection data
-    if (['Active Network Connections', 'Active Connections'].includes(f.check)) {
-      const ipv6Matches = f.data.match(/(?:[0-9a-fA-F]{1,4}:){2,7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:)*::[0-9a-fA-F:]+/g) || [];
-      for (const ip of ipv6Matches) {
-        if (!ip.startsWith('::1') && !ip.startsWith('fe80') && !ip.startsWith('fc') && !ip.startsWith('fd')) {
-          allIPv6.add(ip);
-        }
-      }
-    }
-  }
-
-  // Batch geo-IP lookup (IPv4 - ip-api.com supports IPv4 best)
-  const allIPs = new Set([...allIPv4]);
-  // Add IPv6 addresses too (ip-api.com does support some IPv6)
-  for (const ip6 of allIPv6) {
-    allIPs.add(ip6);
-  }
-
-  if (allIPs.size > 0 && !options.skipGeo) {
-    const geoResults = await batchGeoIP([...allIPs]);
-    result.geoIP = {};
-
-    for (const [ip, geo] of Object.entries(geoResults)) {
-      result.geoIP[ip] = {
-        country: geo.country,
-        countryCode: geo.countryCode,
-        city: geo.city,
-        isp: geo.isp,
-        org: geo.org
-      };
-
-      if (SUSPICIOUS_GEOS.includes(geo.countryCode)) {
-        result.alerts.push({
-          severity: 'HIGH',
-          message: `Connection from suspicious country: ${ip} → ${geo.country} (${geo.city}) [${geo.isp}]`,
-          ip,
-          geo
-        });
-      }
-    }
-  }
-
-  result.ipSummary = {
-    ipv4Count: allIPv4.size,
-    ipv6Count: allIPv6.size,
-    totalUnique: allIPs.size
-  };
-
-  // Analyze findings for alerts with weighted severity
-  for (const f of result.findings) {
-    if (typeof f.data === 'string') {
-      if (f.data.includes('[!!]')) {
-        result.alerts.push({
-          severity: 'HIGH',
-          check: f.check,
-          message: `${f.check}: ${f.data.split('\n').find(l => l.includes('[!!]')) || f.data.substring(0, 200)}`
-        });
-      } else if (f.data.includes('[!]')) {
-        result.alerts.push({
-          severity: 'MEDIUM',
-          check: f.check,
-          message: `${f.check}: ${f.data.split('\n').find(l => l.includes('[!]')) || f.data.substring(0, 200)}`
-        });
-      }
-    }
-  }
-
-  // Severity score
-  let severityScore = 0;
-  for (const alert of result.alerts) {
-    severityScore += SEVERITY_WEIGHTS[alert.severity] || 0;
-  }
-
-  // Summary
-  result.summary = {
-    totalChecks: result.findings.length,
-    alerts: result.alerts.length,
-    highSeverity: result.alerts.filter(a => a.severity === 'HIGH').length,
-    mediumSeverity: result.alerts.filter(a => a.severity === 'MEDIUM').length,
-    uniqueExternalIPv4: allIPv4.size,
-    uniqueExternalIPv6: allIPv6.size,
-    suspiciousGeoIPs: result.alerts.filter(a => a.ip).length,
-    severityScore,
-    duration: Date.now() - startTime
-  };
-
-  if (result.summary.highSeverity > 0 || severityScore >= 100) {
-    result.verdict = 'INVESTIGATE - High severity alerts found';
-  } else if (severityScore >= 40) {
-    result.verdict = 'REVIEW - Medium severity items found';
-  } else if (severityScore > 0) {
-    result.verdict = 'REVIEW - Low severity items found';
-  } else {
-    result.verdict = 'CLEAN - No suspicious findings';
-  }
-
-  return result;
-}
-
-module.exports = { runAudit, windowsChecks, linuxChecks, macChecks, batchGeoIP, geoIP };