@dimzxzzx07/file-watcher 1.0.0

package/src/detectors/PatternMatcher.ts

@@ -0,0 +1,319 @@
+import { Logger } from '../utils/Logger';
+
+export class PatternMatcher {
+    private readonly logger: Logger;
+    private readonly patterns: Map<string, RegExp[]>;
+    private readonly signatures: Map<string, string[]>;
+    private readonly heuristics: Map<string, Function>;
+
+    constructor() {
+        this.logger = Logger.getInstance();
+        this.patterns = new Map();
+        this.signatures = new Map();
+        this.heuristics = new Map();
+        
+        this.initializePatterns();
+        this.initializeSignatures();
+        this.initializeHeuristics();
+    }
+
+    private initializePatterns(): void {
+        this.patterns.set('injection', [
+            /eval\s*\(\s*['"`][^)]*['"`]\s*\)/gi,
+            /Function\s*\(\s*['"`][^)]*['"`]\s*\)/gi,
+            /setTimeout\s*\(\s*['"`][^)]*['"`]\s*\)/gi,
+            /setInterval\s*\(\s*['"`][^)]*['"`]\s*\)/gi,
+            /new\s+Function\s*\(\s*['"`][^)]*['"`]\s*\)/gi,
+            /require\s*\(\s*['"`](?:fs|child_process|vm|cluster)['"`]\s*\)/gi,
+            /process\.(?:binding|dlopen|kill)\s*\(/gi,
+            /child_process\.(?:exec|spawn|fork)\s*\(/gi,
+            /vm\.(?:runIn|create)\s*\(/gi
+        ]);
+
+        this.patterns.set('obfuscation', [
+            /String\.fromCharCode\s*\([^)]+\)/gi,
+            /unescape\s*\([^)]+\)/gi,
+            /escape\s*\([^)]+\)/gi,
+            /decodeURI(?:Component)?\s*\([^)]+\)/gi,
+            /atob\s*\([^)]+\)/gi,
+            /btoa\s*\([^)]+\)/gi,
+            /Buffer\.from\s*\([^)]+\)/gi,
+            /new\s+Buffer\s*\([^)]+\)/gi,
+            /\[[A-Za-z0-9+/]{50,}\]/g,
+            /\\x[0-9a-f]{2,50}/gi
+        ]);
+
+        this.patterns.set('backdoor', [
+            /net\.(?:createServer|connect)\s*\(/gi,
+            /http\.(?:createServer|request)\s*\(/gi,
+            /tls\.(?:createServer|connect)\s*\(/gi,
+            /dgram\.createSocket\s*\(/gi,
+            /WebSocket\s*\(/gi,
+            /Socket\.(?:connect|bind|listen)\s*\(/gi,
+            /server\.listen\s*\(\s*(?:[0-9]+|['"`][^)]*['"`])\s*\)/gi
+        ]);
+
+        this.patterns.set('malware', [
+            /crypto\.(?:miner|monero)/gi,
+            /xmr\./gi,
+            /coinhive/gi,
+            /Crypt(?:o)?Night/gi,
+            /webchain/gi,
+            /miner\./gi
+        ]);
+
+        this.patterns.set('anti-debug', [
+            /debugger;/g,
+            /--inspect/g,
+            /--debug/g,
+            /process\.(?:_getActiveRequests|_getActiveHandles)/g,
+            /Error\.captureStackTrace/g,
+            /process\.binding\(['"`]debug['"`]\)/g
+        ]);
+
+        this.patterns.set('self-modify', [
+            /fs\.(?:writeFile|unlink|rename)Sync?\s*\(\s*__filename/gi,
+            /fs\.(?:writeFile|unlink|rename)Sync?\s*\(\s*module\.filename/gi,
+            /process\.argv\s*\[\s*1\s*\]/gi,
+            /module\.exports\s*=\s*\{/gi,
+            /exports\.[a-zA-Z_]+\s*=/gi
+        ]);
+    }
+
+    private initializeSignatures(): void {
+        this.signatures.set('malware', [
+            '4d5a90',
+            '7f454c46',
+            'cafebabe',
+            '1f8b08',
+            '504b0304',
+            '25504446',
+            'd0cf11e0',
+            '38425053'
+        ]);
+
+        this.signatures.set('injection', [
+            'eval(atob(',
+            'new Function(atob(',
+            'process.binding',
+            'Reflect.construct',
+            'Object.defineProperty',
+            '__defineGetter__',
+            '__defineSetter__'
+        ]);
+
+        this.signatures.set('backdoor', [
+            'reverse shell',
+            'bind shell',
+            'backconnect',
+            'command injection',
+            'remote access'
+        ]);
+    }
+
+    private initializeHeuristics(): void {
+        this.heuristics.set('suspicious_structure', (content: string) => {
+            let score = 0;
+            
+            const tryCount = (content.match(/try\s*{/g) || []).length;
+            const catchCount = (content.match(/catch\s*\(/g) || []).length;
+            if (tryCount > catchCount) score += 10;
+            
+            const concatCount = (content.match(/\+/g) || []).length;
+            if (concatCount > 100) score += 20;
+            
+            const functionCount = (content.match(/function\s*\(/g) || []).length;
+            if (functionCount > 20) score += 15;
+            
+            return score > 30;
+        });
+
+        this.heuristics.set('weird_variables', (content: string) => {
+            const varPattern = /(?:var|let|const)\s+([a-zA-Z_$][0-9a-zA-Z_$]*)/g;
+            const matches = content.match(varPattern) || [];
+            
+            let weirdCount = 0;
+            for (const match of matches) {
+                const varName = match.split(/\s+/)[1];
+                if (varName && (
+                    varName.length > 30 ||
+                    /^_+$/.test(varName) ||
+                    /^[0-9]+$/.test(varName) ||
+                    varName.includes('_0x')
+                )) {
+                    weirdCount++;
+                }
+            }
+            
+            return weirdCount > 5;
+        });
+
+        this.heuristics.set('suspicious_strings', (content: string) => {
+            const suspiciousStrings = [
+                'eval', 'Function', 'constructor', 'prototype',
+                '__proto__', 'defineProperty', 'getOwnProperty',
+                'caller', 'callee', 'arguments', 'apply', 'bind',
+                'toString', 'valueOf', 'hasOwnProperty',
+                'isPrototypeOf', 'propertyIsEnumerable',
+                'toLocaleString', 'watch', 'unwatch'
+            ];
+            
+            let suspiciousCount = 0;
+            for (const str of suspiciousStrings) {
+                const regex = new RegExp(`['"\`]${str}['"\`]`, 'g');
+                const matches = content.match(regex) || [];
+                suspiciousCount += matches.length;
+            }
+            
+            return suspiciousCount > 10;
+        });
+
+        this.heuristics.set('encoded_content', (content: string) => {
+            const base64Matches = content.match(/[A-Za-z0-9+/]{100,}={0,2}/g) || [];
+            const hexMatches = content.match(/[0-9a-fA-F]{100,}/g) || [];
+            const unicodeMatches = content.match(/\\u[0-9a-fA-F]{4}/g) || [];
+            
+            return base64Matches.length > 0 || 
+                   hexMatches.length > 0 || 
+                   unicodeMatches.length > 20;
+        });
+    }
+
+    public matchPatterns(content: string, type: string): boolean {
+        const patterns = this.patterns.get(type);
+        if (!patterns) return false;
+
+        for (const pattern of patterns) {
+            if (pattern.test(content)) {
+                this.logger.debug(`Pattern matched: ${type}`, { pattern: pattern.source });
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    public matchSignatures(content: string, type: string): boolean {
+        const signatures = this.signatures.get(type);
+        if (!signatures) return false;
+
+        for (const signature of signatures) {
+            if (content.includes(signature)) {
+                this.logger.debug(`Signature matched: ${type}`, { signature });
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    public applyHeuristics(content: string): Map<string, boolean> {
+        const results = new Map<string, boolean>();
+
+        for (const [name, heuristic] of this.heuristics) {
+            try {
+                const result = heuristic(content);
+                results.set(name, result);
+                
+                if (result) {
+                    this.logger.debug(`Heuristic triggered: ${name}`);
+                }
+            } catch (error) {
+                this.logger.error(`Heuristic failed: ${name}`, { error });
+                results.set(name, false);
+            }
+        }
+
+        return results;
+    }
+
+    public comprehensiveScan(content: string): {
+        matched: boolean;
+        findings: Array<{ type: string; pattern: string; severity: string }>;
+        score: number;
+    } {
+        const findings: Array<{ type: string; pattern: string; severity: string }> = [];
+        let totalScore = 0;
+
+        for (const [type, patterns] of this.patterns) {
+            for (const pattern of patterns) {
+                const matches = content.match(new RegExp(pattern.source, 'g')) || [];
+                if (matches.length > 0) {
+                    findings.push({
+                        type,
+                        pattern: pattern.source,
+                        severity: this.getSeverity(type, matches.length)
+                    });
+                    totalScore += matches.length * this.getWeight(type);
+                }
+            }
+        }
+
+        for (const [type, signatures] of this.signatures) {
+            for (const signature of signatures) {
+                if (content.includes(signature)) {
+                    findings.push({
+                        type,
+                        pattern: signature,
+                        severity: 'high'
+                    });
+                    totalScore += 20;
+                }
+            }
+        }
+
+        const heuristicResults = this.applyHeuristics(content);
+        for (const [name, result] of heuristicResults) {
+            if (result) {
+                findings.push({
+                    type: 'heuristic',
+                    pattern: name,
+                    severity: 'medium'
+                });
+                totalScore += 10;
+            }
+        }
+
+        return {
+            matched: findings.length > 0,
+            findings,
+            score: totalScore
+        };
+    }
+
+    private getSeverity(type: string, count: number): string {
+        if (type === 'malware' || type === 'backdoor') return 'critical';
+        if (type === 'injection') return 'high';
+        if (type === 'anti-debug' || type === 'self-modify') return 'high';
+        if (type === 'obfuscation') return 'medium';
+        
+        if (count > 10) return 'high';
+        if (count > 5) return 'medium';
+        return 'low';
+    }
+
+    private getWeight(type: string): number {
+        const weights: Record<string, number> = {
+            'malware': 10,
+            'backdoor': 10,
+            'injection': 8,
+            'anti-debug': 6,
+            'self-modify': 6,
+            'obfuscation': 4
+        };
+        
+        return weights[type] || 1;
+    }
+
+    public getPatterns(): string[] {
+        return Array.from(this.patterns.keys());
+    }
+
+    public getSignatures(): string[] {
+        return Array.from(this.signatures.keys());
+    }
+
+    public getHeuristics(): string[] {
+        return Array.from(this.heuristics.keys());
+    }
+}

package/src/guards/FileGuard.ts

@@ -0,0 +1,385 @@
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as crypto from 'crypto';
+import { Logger } from '../utils/Logger';
+
+export class FileGuard {
+    private static instance: FileGuard;
+    private readonly logger: Logger;
+    private readonly fileLocks: Map<string, { locked: boolean; pid: number }>;
+    private readonly filePermissions: Map<string, number>;
+    private readonly watchedFiles: Set<string>;
+    private readonly quarantineDir: string;
+    private isActive: boolean = true;
+
+    private constructor() {
+        this.logger = Logger.getInstance();
+        this.fileLocks = new Map();
+        this.filePermissions = new Map();
+        this.watchedFiles = new Set();
+        this.quarantineDir = path.join(process.cwd(), '.quarantine');
+        
+        this.initializeQuarantine();
+        this.startFileMonitoring();
+    }
+
+    public static getInstance(): FileGuard {
+        if (!FileGuard.instance) {
+            FileGuard.instance = new FileGuard();
+        }
+        return FileGuard.instance;
+    }
+
+    private async initializeQuarantine(): Promise<void> {
+        try {
+            await fs.mkdir(this.quarantineDir, { recursive: true, mode: 0o700 });
+        } catch (error) {
+            this.logger.error('Failed to create quarantine directory', { error });
+        }
+    }
+
+    private startFileMonitoring(): void {
+        setInterval(() => {
+            this.checkFileIntegrity();
+        }, 10000);
+    }
+
+    public async protectFile(filePath: string): Promise<boolean> {
+        try {
+            if (!await this.fileExists(filePath)) {
+                this.logger.warning(`File not found: ${filePath}`);
+                return false;
+            }
+
+            const stats = await fs.stat(filePath);
+            
+            this.filePermissions.set(filePath, stats.mode);
+            
+            await fs.chmod(filePath, 0o444);
+            
+            this.watchedFiles.add(filePath);
+            
+            await this.createBackup(filePath);
+            
+            await this.calculateFileHash(filePath);
+            this.fileLocks.set(filePath, { locked: true, pid: process.pid });
+            
+            this.logger.info(`File protected: ${filePath}`);
+            return true;
+            
+        } catch (error) {
+            this.logger.error(`Failed to protect file: ${filePath}`, { error });
+            return false;
+        }
+    }
+
+    public async lockFile(filePath: string): Promise<boolean> {
+        try {
+            const lock = this.fileLocks.get(filePath);
+            if (lock && lock.pid !== process.pid) {
+                this.logger.warning(`File already locked by process ${lock.pid}: ${filePath}`);
+                return false;
+            }
+
+            await fs.chmod(filePath, 0o444);
+            
+            this.fileLocks.set(filePath, { locked: true, pid: process.pid });
+            
+            this.logger.debug(`File locked: ${filePath}`);
+            return true;
+            
+        } catch (error) {
+            this.logger.error(`Failed to lock file: ${filePath}`, { error });
+            return false;
+        }
+    }
+
+    public async unlockFile(filePath: string): Promise<boolean> {
+        try {
+            const lock = this.fileLocks.get(filePath);
+            if (lock && lock.pid !== process.pid) {
+                this.logger.warning(`File locked by different process: ${filePath}`);
+                return false;
+            }
+
+            const originalMode = this.filePermissions.get(filePath) || 0o644;
+            await fs.chmod(filePath, originalMode);
+            
+            this.fileLocks.delete(filePath);
+            
+            this.logger.debug(`File unlocked: ${filePath}`);
+            return true;
+            
+        } catch (error) {
+            this.logger.error(`Failed to unlock file: ${filePath}`, { error });
+            return false;
+        }
+    }
+
+    public async quarantineFile(filePath: string, reason: string): Promise<string> {
+        try {
+            const quarantineName = `${path.basename(filePath)}.${Date.now()}.quarantine`;
+            const quarantinePath = path.join(this.quarantineDir, quarantineName);
+            
+            await fs.copyFile(filePath, quarantinePath);
+            
+            await fs.chmod(quarantinePath, 0o400);
+            
+            const metadata = {
+                originalPath: filePath,
+                quarantinedAt: new Date().toISOString(),
+                reason,
+                pid: process.pid,
+                hash: await this.calculateFileHash(filePath)
+            };
+            
+            const metadataPath = quarantinePath + '.meta';
+            await fs.writeFile(metadataPath, JSON.stringify(metadata, null, 2));
+            
+            this.logger.warning(`File quarantined: ${filePath} -> ${quarantinePath}`);
+            
+            return quarantinePath;
+            
+        } catch (error) {
+            this.logger.error(`Failed to quarantine file: ${filePath}`, { error });
+            throw error;
+        }
+    }
+
+    public async restoreFromQuarantine(quarantinePath: string): Promise<boolean> {
+        try {
+            const metadataPath = quarantinePath + '.meta';
+            const metadata = JSON.parse(await fs.readFile(metadataPath, 'utf8'));
+            
+            await fs.copyFile(quarantinePath, metadata.originalPath);
+            
+            await fs.chmod(metadata.originalPath, 0o644);
+            
+            this.logger.info(`File restored from quarantine: ${metadata.originalPath}`);
+            return true;
+            
+        } catch (error) {
+            this.logger.error(`Failed to restore from quarantine: ${quarantinePath}`, { error });
+            return false;
+        }
+    }
+
+    public async verifyFileIntegrity(filePath: string): Promise<boolean> {
+        try {
+            if (!await this.fileExists(filePath)) {
+                return false;
+            }
+
+            const lock = this.fileLocks.get(filePath);
+            if (lock && lock.locked) {
+                if (lock.pid !== process.pid) {
+                    this.logger.warning(`File locked by different process: ${filePath}`);
+                    return false;
+                }
+            }
+
+            const stats = await fs.stat(filePath);
+            if ((stats.mode & 0o222) !== 0) {
+                this.logger.warning(`File is writable: ${filePath}`);
+                return false;
+            }
+
+            const currentHash = await this.calculateFileHash(filePath);
+            const storedHash = await this.getStoredHash(filePath);
+            
+            if (storedHash && currentHash !== storedHash) {
+                this.logger.warning(`File hash mismatch: ${filePath}`);
+                return false;
+            }
+
+            return true;
+            
+        } catch (error) {
+            this.logger.error(`Integrity check failed: ${filePath}`, { error });
+            return false;
+        }
+    }
+
+    public async createBackup(filePath: string): Promise<string> {
+        const backupDir = path.join(process.cwd(), '.backups');
+        await fs.mkdir(backupDir, { recursive: true });
+        
+        const backupName = `${path.basename(filePath)}.${Date.now()}.backup`;
+        const backupPath = path.join(backupDir, backupName);
+        
+        await fs.copyFile(filePath, backupPath);
+        
+        const hash = await this.calculateFileHash(filePath);
+        const hashPath = backupPath + '.hash';
+        await fs.writeFile(hashPath, hash);
+        
+        return backupPath;
+    }
+
+    public async restoreFromBackup(backupPath: string, targetPath: string): Promise<boolean> {
+        try {
+            const hashPath = backupPath + '.hash';
+            const storedHash = await fs.readFile(hashPath, 'utf8');
+            const currentHash = await this.calculateFileHash(backupPath);
+            
+            if (currentHash !== storedHash) {
+                this.logger.error(`Backup integrity check failed: ${backupPath}`);
+                return false;
+            }
+
+            await fs.copyFile(backupPath, targetPath);
+            
+            this.logger.info(`File restored from backup: ${targetPath}`);
+            return true;
+            
+        } catch (error) {
+            this.logger.error(`Failed to restore from backup: ${backupPath}`, { error });
+            return false;
+        }
+    }
+
+    public async monitorFile(filePath: string): Promise<void> {
+        try {
+            const watcher = require('fs').watch(filePath, (eventType: string) => {
+                if (eventType === 'change') {
+                    this.handleFileChange(filePath);
+                } else if (eventType === 'rename') {
+                    this.handleFileDelete(filePath);
+                }
+            });
+            
+            this.logger.debug(`Monitoring file: ${filePath}`);
+            
+            (global as any).fileWatchers = (global as any).fileWatchers || new Map();
+            (global as any).fileWatchers.set(filePath, watcher);
+            
+        } catch (error) {
+            this.logger.error(`Failed to monitor file: ${filePath}`, { error });
+        }
+    }
+
+    private async handleFileChange(filePath: string): Promise<void> {
+        this.logger.info(`File changed: ${filePath}`);
+        
+        const isValid = await this.verifyFileIntegrity(filePath);
+        
+        if (!isValid) {
+            this.logger.critical(`File integrity compromised: ${filePath}`);
+            await this.quarantineFile(filePath, 'integrity_violation');
+            
+            const backups = await this.findBackups(filePath);
+            if (backups.length > 0) {
+                await this.restoreFromBackup(backups[0] as string, filePath);
+            }
+        }
+    }
+
+    private async handleFileDelete(filePath: string): Promise<void> {
+        this.logger.warning(`File deleted: ${filePath}`);
+        
+        const backups = await this.findBackups(filePath);
+        if (backups.length > 0) {
+            await this.restoreFromBackup(backups[0] as string, filePath);
+            this.logger.info(`File restored after deletion: ${filePath}`);
+        }
+    }
+
+    private async checkFileIntegrity(): Promise<void> {
+        for (const filePath of this.watchedFiles) {
+            if (!await this.verifyFileIntegrity(filePath)) {
+                this.logger.critical(`Integrity check failed for: ${filePath}`);
+                
+                await this.quarantineFile(filePath, 'periodic_check_failed');
+                
+                this.watchedFiles.delete(filePath);
+            }
+        }
+    }
+
+    private async fileExists(filePath: string): Promise<boolean> {
+        try {
+            await fs.access(filePath);
+            return true;
+        } catch {
+            return false;
+        }
+    }
+
+    private async calculateFileHash(filePath: string): Promise<string> {
+        const content = await fs.readFile(filePath);
+        return crypto.createHash('sha512')
+            .update(content)
+            .digest('hex');
+    }
+
+    private async getStoredHash(filePath: string): Promise<string | null> {
+        const hashFile = filePath + '.hash';
+        try {
+            return await fs.readFile(hashFile, 'utf8');
+        } catch {
+            return null;
+        }
+    }
+
+    private async findBackups(filePath: string): Promise<string[]> {
+        const backupDir = path.join(process.cwd(), '.backups');
+        const baseName = path.basename(filePath);
+        const pattern = new RegExp(`^${baseName}\\.[0-9]+\\.backup$`);
+        
+        try {
+            const files = await fs.readdir(backupDir);
+            return files
+                .filter(f => pattern.test(f))
+                .map(f => path.join(backupDir, f))
+                .sort()
+                .reverse();
+        } catch {
+            return [];
+        }
+    }
+
+    public getLockedFiles(): string[] {
+        return Array.from(this.fileLocks.entries())
+            .filter(([_, lock]) => lock.pid === process.pid)
+            .map(([file]) => file);
+    }
+
+    public getWatchedFiles(): string[] {
+        return Array.from(this.watchedFiles);
+    }
+
+    public async getQuarantinedFiles(): Promise<string[]> {
+        try {
+            const files = await fs.readdir(this.quarantineDir);
+            return files.filter(f => !f.endsWith('.meta'));
+        } catch {
+            return [];
+        }
+    }
+
+    public deactivate(): void {
+        this.isActive = false;
+        
+        for (const [filePath, lock] of this.fileLocks) {
+            if (lock.pid === process.pid) {
+                this.unlockFile(filePath);
+            }
+        }
+        
+        const watchers = (global as any).fileWatchers;
+        if (watchers) {
+            for (const [_, watcher] of watchers) {
+                watcher.close();
+            }
+        }
+    }
+
+    public getStatus(): any {
+        return {
+            isActive: this.isActive,
+            lockedFiles: this.fileLocks.size,
+            watchedFiles: this.watchedFiles.size,
+            quarantineDir: this.quarantineDir
+        };
+    }
+}