nox-openclaw-hunter 1.0.0

package/dist/mdm/templates/detect.ps1.js

@@ -0,0 +1,463 @@
+/**
+ * PowerShell detection script template for MDM deployment.
+ * Targets Windows systems.
+ */
+import { VERSION, COMPANY } from '../../branding.js';
+/**
+ * Escape a string for safe use in PowerShell scripts.
+ * Escapes characters that could enable script injection.
+ */
+function escapePowerShellString(str) {
+    // Remove null bytes
+    let escaped = str.replace(/\0/g, '');
+    // Escape backticks (PowerShell escape character)
+    escaped = escaped.replace(/`/g, '``');
+    // Escape dollar signs (variable interpolation)
+    escaped = escaped.replace(/\$/g, '`$');
+    // Escape double quotes
+    escaped = escaped.replace(/"/g, '`"');
+    return escaped;
+}
+/**
+ * Validate URL format for MDM scripts.
+ */
+function validateMdmUrl(url) {
+    try {
+        const parsed = new URL(url);
+        if (!['http:', 'https:'].includes(parsed.protocol)) {
+            throw new Error('Invalid protocol');
+        }
+        return escapePowerShellString(url);
+    }
+    catch {
+        throw new Error(`Invalid webhook URL: ${url}`);
+    }
+}
+/**
+ * Generate detection PowerShell script.
+ */
+export function generateDetectPowerShellScript(options = {}) {
+    const { webhookUrl, webhookToken, gatewayPort = 18789, verbose = false } = options;
+    // Validate and sanitize inputs to prevent script injection
+    const safeWebhookUrl = webhookUrl ? validateMdmUrl(webhookUrl) : undefined;
+    const safeWebhookToken = webhookToken ? escapePowerShellString(webhookToken) : undefined;
+    // Validate gateway port
+    if (gatewayPort < 1 || gatewayPort > 65535 || !Number.isInteger(gatewayPort)) {
+        throw new Error(`Invalid gateway port: ${gatewayPort}`);
+    }
+    const webhookSection = safeWebhookUrl
+        ? `
+# Webhook configuration
+$WebhookUrl = "${safeWebhookUrl}"
+$WebhookToken = "${safeWebhookToken || ''}"
+
+function Send-Webhook {
+    param(
+        [string]$Status,
+        [string]$Severity,
+        [string]$Details
+    )
+    
+    $payload = @{
+        event = "openclaw.detection"
+        version = "1.0"
+        timestamp = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
+        status = $Status
+        severity = $Severity
+        host = @{
+            hostname = $env:COMPUTERNAME
+            os = "Windows"
+            osVersion = [System.Environment]::OSVersion.VersionString
+            arch = $env:PROCESSOR_ARCHITECTURE
+            user = $env:USERNAME
+            domain = $env:USERDOMAIN
+        }
+        details = $Details
+        source = @{
+            tool = "nox-openclaw-detector"
+            version = "${VERSION}"
+            vendor = "${COMPANY}"
+        }
+    } | ConvertTo-Json -Depth 10
+    
+    try {
+        $headers = @{
+            "Content-Type" = "application/json"
+        }
+        if ($WebhookToken) {
+            $headers["Authorization"] = "Bearer $WebhookToken"
+        }
+        
+        Invoke-RestMethod -Uri $WebhookUrl -Method Post -Headers $headers -Body $payload -TimeoutSec 30 -ErrorAction SilentlyContinue | Out-Null
+    } catch {
+        # Silently ignore webhook errors
+    }
+}
+`
+        : '';
+    const verboseLog = verbose
+        ? `
+function Write-VerboseLog {
+    param([string]$Message)
+    Write-Host "[DEBUG] $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" -ForegroundColor Gray
+}
+`
+        : `
+function Write-VerboseLog {
+    param([string]$Message)
+    # No-op when not verbose
+}
+`;
+    return `<#
+.SYNOPSIS
+    Nox OpenClaw Detection Script for Windows
+    
+.DESCRIPTION
+    This script detects OpenClaw AI agent installations on Windows systems.
+    Generated by nox-openclaw-detector v${VERSION}
+    ${COMPANY} - https://nox.security
+    
+.OUTPUTS
+    Exit Code 0 - OpenClaw NOT detected (clean)
+    Exit Code 1 - OpenClaw DETECTED
+    Exit Code 2 - Script error
+    
+.EXAMPLE
+    .\\detect-openclaw.ps1
+    
+.NOTES
+    Version: ${VERSION}
+    Author: ${COMPANY}
+#>
+
+#Requires -Version 5.1
+
+[CmdletBinding()]
+param()
+
+$ErrorActionPreference = "SilentlyContinue"
+
+# Configuration
+$GatewayPort = ${gatewayPort}
+$OpenClawFound = $false
+$DetectionDetails = [System.Collections.ArrayList]::new()
+${verboseLog}
+${webhookSection}
+
+# Add detection detail
+function Add-Detail {
+    param([string]$Detail)
+    [void]$script:DetectionDetails.Add($Detail)
+    Write-VerboseLog "Detection: $Detail"
+}
+
+# Check environment
+function Test-Environment {
+    Write-VerboseLog "Running as user: $env:USERNAME"
+    Write-VerboseLog "Computer: $env:COMPUTERNAME"
+    Write-VerboseLog "OS: $([System.Environment]::OSVersion.VersionString)"
+    Write-VerboseLog "Architecture: $env:PROCESSOR_ARCHITECTURE"
+    Write-VerboseLog "Running as Admin: $([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)"
+}
+
+# Check for CLI binary in common locations
+function Test-CliBinary {
+    Write-VerboseLog "Checking for CLI binary..."
+    
+    $cliPaths = @(
+        "$env:LOCALAPPDATA\\Programs\\openclaw\\openclaw.exe",
+        "$env:ProgramFiles\\OpenClaw\\openclaw.exe",
+        "\${env:ProgramFiles(x86)}\\OpenClaw\\openclaw.exe",
+        "$env:USERPROFILE\\AppData\\Local\\Programs\\openclaw\\openclaw.exe",
+        "$env:USERPROFILE\\.local\\bin\\openclaw.exe"
+    )
+    
+    foreach ($cliPath in $cliPaths) {
+        if (Test-Path $cliPath) {
+            $script:OpenClawFound = $true
+            
+            # Try to get version
+            $version = ""
+            try {
+                $versionOutput = & $cliPath --version 2>$null
+                if ($versionOutput) {
+                    $version = $versionOutput.Trim()
+                }
+            } catch {}
+            
+            if ($version) {
+                Add-Detail "CLI binary found at $cliPath (version: $version)"
+            } else {
+                Add-Detail "CLI binary found at $cliPath"
+            }
+            return
+        }
+    }
+    
+    # Check PATH
+    $cliInPath = Get-Command "openclaw" -ErrorAction SilentlyContinue
+    if ($cliInPath) {
+        $script:OpenClawFound = $true
+        Add-Detail "CLI binary found in PATH: $($cliInPath.Source)"
+    }
+}
+
+# Check for configuration directories
+function Test-ConfigDirectory {
+    Write-VerboseLog "Checking for configuration directories..."
+    
+    $configPaths = @(
+        "$env:USERPROFILE\\.openclaw",
+        "$env:APPDATA\\OpenClaw",
+        "$env:LOCALAPPDATA\\OpenClaw"
+    )
+    
+    foreach ($configPath in $configPaths) {
+        if (Test-Path $configPath -PathType Container) {
+            $script:OpenClawFound = $true
+            
+            $configFile = Join-Path $configPath "openclaw.json"
+            if (Test-Path $configFile) {
+                Add-Detail "Config directory found at $configPath (with config file)"
+            } else {
+                Add-Detail "Config directory found at $configPath"
+            }
+        }
+    }
+    
+    # Check other user profiles (requires admin)
+    if (([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
+        $userProfiles = Get-ChildItem "C:\\Users" -Directory -ErrorAction SilentlyContinue | Where-Object { $_.Name -notin @("Public", "Default", "Default User", "All Users") }
+        foreach ($profile in $userProfiles) {
+            $otherConfigPath = Join-Path $profile.FullName ".openclaw"
+            if ((Test-Path $otherConfigPath) -and ($otherConfigPath -ne "$env:USERPROFILE\\.openclaw")) {
+                $script:OpenClawFound = $true
+                Add-Detail "Config directory found for user $($profile.Name): $otherConfigPath"
+            }
+        }
+    }
+}
+
+# Check for running processes
+function Test-Processes {
+    Write-VerboseLog "Checking for running processes..."
+    
+    $processes = Get-Process -Name "*openclaw*" -ErrorAction SilentlyContinue
+    if ($processes) {
+        $script:OpenClawFound = $true
+        $processInfo = $processes | ForEach-Object { "$($_.Name) (PID: $($_.Id))" }
+        Add-Detail "OpenClaw processes running: $($processInfo -join ', ')"
+    }
+    
+    # Also check by path/command line
+    $wmiProcesses = Get-CimInstance Win32_Process -ErrorAction SilentlyContinue | 
+        Where-Object { $_.CommandLine -like "*openclaw*" -or $_.ExecutablePath -like "*openclaw*" }
+    
+    if ($wmiProcesses) {
+        foreach ($proc in $wmiProcesses) {
+            if (-not ($processes | Where-Object { $_.Id -eq $proc.ProcessId })) {
+                $script:OpenClawFound = $true
+                Add-Detail "OpenClaw-related process: $($proc.Name) (PID: $($proc.ProcessId))"
+            }
+        }
+    }
+}
+
+# Check for gateway port
+function Test-GatewayPort {
+    Write-VerboseLog "Checking for gateway port $GatewayPort..."
+    
+    # Use Test-NetConnection (Windows 8+/Server 2012+)
+    try {
+        $portTest = Test-NetConnection -ComputerName localhost -Port $GatewayPort -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
+        if ($portTest.TcpTestSucceeded) {
+            $script:OpenClawFound = $true
+            Add-Detail "Gateway port $GatewayPort is listening"
+            return
+        }
+    } catch {}
+    
+    # Fallback: check listening ports via netstat
+    try {
+        $listening = netstat -an | Select-String ":$GatewayPort.*LISTENING"
+        if ($listening) {
+            $script:OpenClawFound = $true
+            Add-Detail "Gateway port $GatewayPort is listening (via netstat)"
+        }
+    } catch {}
+}
+
+# Check for Windows service
+function Test-WindowsService {
+    Write-VerboseLog "Checking for Windows services..."
+    
+    $serviceNames = @(
+        "openclaw",
+        "OpenClawGateway",
+        "bot.molt.gateway"
+    )
+    
+    foreach ($serviceName in $serviceNames) {
+        $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
+        if ($service) {
+            $script:OpenClawFound = $true
+            Add-Detail "Windows service found: $($service.Name) (Status: $($service.Status))"
+        }
+    }
+    
+    # Also search by display name
+    $services = Get-Service -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like "*openclaw*" -or $_.Name -like "*openclaw*" }
+    foreach ($service in $services) {
+        if ($service.Name -notin $serviceNames) {
+            $script:OpenClawFound = $true
+            Add-Detail "Windows service found: $($service.DisplayName) ($($service.Name)) - Status: $($service.Status)"
+        }
+    }
+}
+
+# Check for scheduled tasks
+function Test-ScheduledTasks {
+    Write-VerboseLog "Checking for scheduled tasks..."
+    
+    try {
+        $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | 
+            Where-Object { $_.TaskName -like "*openclaw*" -or $_.TaskPath -like "*openclaw*" }
+        
+        foreach ($task in $tasks) {
+            $script:OpenClawFound = $true
+            Add-Detail "Scheduled task found: $($task.TaskName) (State: $($task.State))"
+        }
+    } catch {}
+}
+
+# Check for registry entries
+function Test-Registry {
+    Write-VerboseLog "Checking registry entries..."
+    
+    $registryPaths = @(
+        "HKLM:\\SOFTWARE\\OpenClaw",
+        "HKCU:\\SOFTWARE\\OpenClaw",
+        "HKLM:\\SOFTWARE\\WOW6432Node\\OpenClaw"
+    )
+    
+    foreach ($regPath in $registryPaths) {
+        if (Test-Path $regPath) {
+            $script:OpenClawFound = $true
+            Add-Detail "Registry key found: $regPath"
+        }
+    }
+    
+    # Check Run keys for startup entries
+    $runKeys = @(
+        "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
+        "HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
+    )
+    
+    foreach ($runKey in $runKeys) {
+        try {
+            $entries = Get-ItemProperty $runKey -ErrorAction SilentlyContinue
+            $entries.PSObject.Properties | Where-Object { $_.Value -like "*openclaw*" } | ForEach-Object {
+                $script:OpenClawFound = $true
+                Add-Detail "Startup entry found: $($_.Name) in $runKey"
+            }
+        } catch {}
+    }
+}
+
+# Check for Docker containers and images
+function Test-Docker {
+    $dockerCmd = Get-Command "docker" -ErrorAction SilentlyContinue
+    if (-not $dockerCmd) {
+        return
+    }
+    
+    Write-VerboseLog "Checking for Docker artifacts..."
+    
+    try {
+        # Check running containers
+        $containers = docker ps --filter "name=openclaw" --format "{{.Names}}" 2>$null
+        if ($containers) {
+            $script:OpenClawFound = $true
+            Add-Detail "Docker containers running: $($containers -join ', ')"
+        }
+        
+        # Check stopped containers
+        $stoppedContainers = docker ps -a --filter "name=openclaw" --filter "status=exited" --format "{{.Names}}" 2>$null
+        if ($stoppedContainers) {
+            $script:OpenClawFound = $true
+            Add-Detail "Docker containers (stopped): $($stoppedContainers -join ', ')"
+        }
+        
+        # Check images
+        $images = docker images --filter "reference=*openclaw*" --format "{{.Repository}}:{{.Tag}}" 2>$null
+        if ($images) {
+            $script:OpenClawFound = $true
+            Add-Detail "Docker images found: $($images -join ', ')"
+        }
+    } catch {}
+}
+
+# Main detection routine
+function Invoke-Detection {
+    Test-Environment
+    
+    # Run all detection checks
+    Test-CliBinary
+    Test-ConfigDirectory
+    Test-Processes
+    Test-GatewayPort
+    Test-WindowsService
+    Test-ScheduledTasks
+    Test-Registry
+    Test-Docker
+    
+    # Compile results
+    $detailsString = if ($DetectionDetails.Count -gt 0) { $DetectionDetails -join "; " } else { "" }
+    
+    # Send webhook notification
+    ${safeWebhookUrl ? `
+    if ($OpenClawFound) {
+        Send-Webhook -Status "detected" -Severity "high" -Details $detailsString
+    } else {
+        Send-Webhook -Status "clean" -Severity "info" -Details "No OpenClaw installation detected"
+    }
+    ` : ''}
+    
+    # Output results
+    if ($OpenClawFound) {
+        Write-Host "OPENCLAW DETECTED" -ForegroundColor Red
+        Write-Host "Details: $detailsString"
+        exit 1
+    } else {
+        Write-Host "OpenClaw not detected" -ForegroundColor Green
+        exit 0
+    }
+}
+
+# Run main function
+try {
+    Invoke-Detection
+} catch {
+    Write-Host "Detection error: $_" -ForegroundColor Red
+    exit 2
+}
+`;
+}
+/**
+ * Get script metadata for documentation.
+ */
+export function getDetectPowerShellMetadata() {
+    return {
+        filename: 'detect-openclaw.ps1',
+        extension: '.ps1',
+        platform: 'windows',
+        description: 'PowerShell detection script for Windows',
+        requirements: ['PowerShell 5.1+', 'Windows 8/Server 2012 or later'],
+        exitCodes: {
+            0: 'OpenClaw not detected (clean)',
+            1: 'OpenClaw detected',
+            2: 'Script error',
+        },
+    };
+}
+//# sourceMappingURL=detect.ps1.js.map

package/dist/mdm/templates/detect.ps1.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"detect.ps1.js","sourceRoot":"","sources":["../../../src/mdm/templates/detect.ps1.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AASrD;;;GAGG;AACH,SAAS,sBAAsB,CAAC,GAAW;IACzC,oBAAoB;IACpB,IAAI,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACrC,iDAAiD;IACjD,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACtC,+CAA+C;IAC/C,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IACvC,uBAAuB;IACvB,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACtC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,GAAW;IACjC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;QACtC,CAAC;QACD,OAAO,sBAAsB,CAAC,GAAG,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,wBAAwB,GAAG,EAAE,CAAC,CAAC;IACjD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,8BAA8B,CAAC,UAAmC,EAAE;IAClF,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,GAAG,KAAK,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAEnF,2DAA2D;IAC3D,MAAM,cAAc,GAAG,UAAU,CAAC,CAAC,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC3E,MAAM,gBAAgB,GAAG,YAAY,CAAC,CAAC,CAAC,sBAAsB,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAEzF,wBAAwB;IACxB,IAAI,WAAW,GAAG,CAAC,IAAI,WAAW,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7E,MAAM,IAAI,KAAK,CAAC,yBAAyB,WAAW,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,cAAc,GAAG,cAAc;QACnC,CAAC,CAAC;;iBAEW,cAAc;mBACZ,gBAAgB,IAAI,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;yBA0BhB,OAAO;wBACR,OAAO;;;;;;;;;;;;;;;;;CAiB9B;QACG,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,UAAU,GAAG,OAAO;QACxB,CAAC,CAAC;;;;;CAKL;QACG,CAAC,CAAC;;;;;CAKL,CAAC;IAEA,OAAO;;;;;;0CAMiC,OAAO;MAC3C,OAAO;;;;;;;;;;;eAWE,OAAO;cACR,OAAO;;;;;;;;;;;iBAWJ,WAAW;;;EAG1B,UAAU;EACV,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;MAiRV,cAAc,CAAC,CAAC,CAAC;;;;;;KAMlB,CAAC,CAAC,CAAC,EAAE;;;;;;;;;;;;;;;;;;;;CAoBT,CAAC;AACF,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,2BAA2B;IACzC,OAAO;QACL,QAAQ,EAAE,qBAAqB;QAC/B,SAAS,EAAE,MAAM;QACjB,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,yCAAyC;QACtD,YAAY,EAAE,CAAC,iBAAiB,EAAE,gCAAgC,CAAC;QACnE,SAAS,EAAE;YACT,CAAC,EAAE,+BAA+B;YAClC,CAAC,EAAE,mBAAmB;YACtB,CAAC,EAAE,cAAc;SAClB;KACF,CAAC;AACJ,CAAC"}

package/dist/mdm/templates/detect.sh.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Shell detection script template for MDM deployment.
+ * Targets macOS and Linux systems.
+ */
+export interface DetectShellOptions {
+    webhookUrl?: string;
+    webhookToken?: string;
+    gatewayPort?: number;
+    verbose?: boolean;
+}
+/**
+ * Generate detection shell script.
+ */
+export declare function generateDetectShellScript(options?: DetectShellOptions): string;
+/**
+ * Get script metadata for documentation.
+ */
+export declare function getDetectShellMetadata(): {
+    filename: string;
+    extension: string;
+    platform: string;
+    description: string;
+    requirements: string[];
+    exitCodes: {
+        0: string;
+        1: string;
+        2: string;
+    };
+};
+//# sourceMappingURL=detect.sh.d.ts.map

package/dist/mdm/templates/detect.sh.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"detect.sh.d.ts","sourceRoot":"","sources":["../../../src/mdm/templates/detect.sh.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,MAAM,WAAW,kBAAkB;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAmCD;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,GAAE,kBAAuB,GAAG,MAAM,CAoalF;AAED;;GAEG;AACH,wBAAgB,sBAAsB;;;;;;;;;;;EAarC"}