ghost-cli/src/main.rs

use anyhow::Result;
use clap::{Arg, Command};
use ghost_core::{memory, process, thread, DetectionEngine, ThreatLevel};
use std::time::Instant;

fn main() -> Result<()> {
    env_logger::init();

    let matches = Command::new("ghost")
        .version("0.1.0")
        .about("Cross-Platform Process Injection Detection Framework")
        .long_about("Ghost scans running processes for signs of code injection, \
                     process hollowing, and other malicious techniques. \
                     Supports Windows and Linux platforms with kernel-level monitoring.")
        .arg(
            Arg::new("format")
                .short('f')
                .long("format")
                .value_name("FORMAT")
                .help("Output format: table, json")
                .default_value("table")
                .value_parser(["table", "json", "csv"])
        )
        .arg(
            Arg::new("verbose")
                .short('v')
                .long("verbose")
                .help("Enable verbose output")
                .action(clap::ArgAction::SetTrue)
        )
        .arg(
            Arg::new("pid")
                .short('p')
                .long("pid")
                .value_name("PID")
                .help("Target specific process ID")
        )
        .arg(
            Arg::new("output")
                .short('o')
                .long("output")
                .value_name("FILE")
                .help("Write results to file instead of stdout")
        )
        .get_matches();

    let format = matches.get_one::<String>("format").unwrap();
    let verbose = matches.get_flag("verbose");
    let target_pid = matches.get_one::<String>("pid");
    let output_file = matches.get_one::<String>("output");

    println!("Ghost v0.1.0 - Process Injection Detection\n");

    let scan_start = Instant::now();
    let mut engine = DetectionEngine::new();
    
    let processes = if let Some(pid_str) = target_pid {
        let pid: u32 = pid_str.parse().map_err(|_| anyhow::anyhow!("Invalid PID format: {}", pid_str))?;
        let all_processes = process::enumerate_processes()?;
        let filtered: Vec<_> = all_processes
            .into_iter()
            .filter(|p| p.pid == pid)
            .collect();
        
        if filtered.is_empty() {
            println!("Warning: No process found with PID {}", pid);
        }
        filtered
    } else {
        process::enumerate_processes()?
    };

    println!("Scanning {} processes...\n", processes.len());

    let mut detections = Vec::new();
    let mut scanned_count = 0;
    let mut error_count = 0;

    for proc in &processes {
        // Skip known safe system processes for performance
        if proc.name == "csrss.exe" || proc.name == "wininit.exe" || proc.name == "winlogon.exe" {
            continue;
        }
        
        scanned_count += 1;
        
        match memory::enumerate_memory_regions(proc.pid) {
            Ok(regions) => {
                // Get thread information if available
                let threads = thread::enumerate_threads(proc.pid).ok();
                let result = engine.analyze_process(proc, &regions, threads.as_deref());

                if result.threat_level != ThreatLevel::Clean {
                    detections.push(result);
                }
            }
            Err(_) => {
                error_count += 1;
                if verbose {
                    println!("Warning: Could not scan process {} (PID: {})", proc.name, proc.pid);
                }
            }
        }
    }

    if verbose && error_count > 0 {
        println!("Scan completed with {} access errors", error_count);
    }

    // Handle output
    let output_content = if detections.is_empty() {
        "No suspicious activity detected.".to_string()
    } else {
        let mut content = format!("Found {} suspicious processes:\n\n", detections.len());

        for detection in detections {
            let level_str = match detection.threat_level {
                ThreatLevel::Suspicious => "SUSPICIOUS",
                ThreatLevel::Malicious => "MALICIOUS",
                _ => "CLEAN",
            };

            content.push_str(&format!(
                "[{}] {} (PID: {}) - Confidence: {:.1}%\n",
                level_str,
                detection.process.name,
                detection.process.pid,
                detection.confidence * 100.0
            ));

            for indicator in &detection.indicators {
                content.push_str(&format!("  - {}\n", indicator));
            }
            content.push('\n');
        }
        content
    };

    if let Some(output_path) = output_file {
        use std::fs::File;
        use std::io::Write;
        
        let mut file = File::create(output_path)?;
        file.write_all(output_content.as_bytes())?;
        println!("Results written to {}", output_path);
    } else {
        print!("{}", output_content);
    }

    Ok(())
}
add basic CLI for testing enumeration 2025-11-07 18:05:07 +02:00			`use anyhow::Result;`
add command line options for output format and verbosity 2025-11-08 11:48:20 +02:00			`use clap::{Arg, Command};`
integrate thread enumeration into CLI scanning 2025-11-08 11:09:18 +02:00			`use ghost_core::{memory, process, thread, DetectionEngine, ThreatLevel};`
add command line options for output format and verbosity 2025-11-08 11:48:20 +02:00			`use std::time::Instant;`
add basic CLI for testing enumeration 2025-11-07 18:05:07 +02:00
			`fn main() -> Result<()> {`
			`env_logger::init();`

add command line options for output format and verbosity 2025-11-08 11:48:20 +02:00			`let matches = Command::new("ghost")`
			`.version("0.1.0")`
			`.about("Cross-Platform Process Injection Detection Framework")`
improve CLI help text with detailed description 2025-11-08 12:26:48 +02:00			`.long_about("Ghost scans running processes for signs of code injection, \`
			`process hollowing, and other malicious techniques. \`
			`Supports Windows and Linux platforms with kernel-level monitoring.")`
add command line options for output format and verbosity 2025-11-08 11:48:20 +02:00			`.arg(`
			`Arg::new("format")`
			`.short('f')`
			`.long("format")`
			`.value_name("FORMAT")`
			`.help("Output format: table, json")`
			`.default_value("table")`
add CSV output format option 2025-11-08 12:21:27 +02:00			`.value_parser(["table", "json", "csv"])`
add command line options for output format and verbosity 2025-11-08 11:48:20 +02:00			`)`
			`.arg(`
			`Arg::new("verbose")`
			`.short('v')`
			`.long("verbose")`
			`.help("Enable verbose output")`
			`.action(clap::ArgAction::SetTrue)`
			`)`
add target PID option to CLI 2025-11-08 12:20:02 +02:00			`.arg(`
			`Arg::new("pid")`
			`.short('p')`
			`.long("pid")`
			`.value_name("PID")`
			`.help("Target specific process ID")`
			`)`
Add output file option to CLI 2025-11-08 12:29:21 +02:00			`.arg(`
			`Arg::new("output")`
			`.short('o')`
			`.long("output")`
			`.value_name("FILE")`
			`.help("Write results to file instead of stdout")`
			`)`
add command line options for output format and verbosity 2025-11-08 11:48:20 +02:00			`.get_matches();`

			`let format = matches.get_one::<String>("format").unwrap();`
			`let verbose = matches.get_flag("verbose");`
add target PID option to CLI 2025-11-08 12:20:02 +02:00			`let target_pid = matches.get_one::<String>("pid");`
Add output file option to CLI 2025-11-08 12:29:21 +02:00			`let output_file = matches.get_one::<String>("output");`
add command line options for output format and verbosity 2025-11-08 11:48:20 +02:00
integrate detection engine into CLI 2025-11-07 18:08:21 +02:00			`println!("Ghost v0.1.0 - Process Injection Detection\n");`
add basic CLI for testing enumeration 2025-11-07 18:05:07 +02:00
add command line options for output format and verbosity 2025-11-08 11:48:20 +02:00			`let scan_start = Instant::now();`
integrate detection engine into CLI 2025-11-07 18:08:21 +02:00			`let mut engine = DetectionEngine::new();`
add target PID option to CLI 2025-11-08 12:20:02 +02:00
			`let processes = if let Some(pid_str) = target_pid {`
improve error handling for invalid PID input 2025-11-08 12:21:52 +02:00			`let pid: u32 = pid_str.parse().map_err(\|_\| anyhow::anyhow!("Invalid PID format: {}", pid_str))?;`
			`let all_processes = process::enumerate_processes()?;`
			`let filtered: Vec<_> = all_processes`
add target PID option to CLI 2025-11-08 12:20:02 +02:00			`.into_iter()`
			`.filter(\|p\| p.pid == pid)`
improve error handling for invalid PID input 2025-11-08 12:21:52 +02:00			`.collect();`

			`if filtered.is_empty() {`
			`println!("Warning: No process found with PID {}", pid);`
			`}`
			`filtered`
add target PID option to CLI 2025-11-08 12:20:02 +02:00			`} else {`
			`process::enumerate_processes()?`
			`};`
add basic CLI for testing enumeration 2025-11-07 18:05:07 +02:00
integrate detection engine into CLI 2025-11-07 18:08:21 +02:00			`println!("Scanning {} processes...\n", processes.len());`
add basic CLI for testing enumeration 2025-11-07 18:05:07 +02:00
integrate detection engine into CLI 2025-11-07 18:08:21 +02:00			`let mut detections = Vec::new();`
track and report memory access errors in verbose mode 2025-11-08 12:22:19 +02:00			`let mut scanned_count = 0;`
			`let mut error_count = 0;`
integrate detection engine into CLI 2025-11-07 18:08:21 +02:00
			`for proc in &processes {`
perf: skip system processes to improve scan speed by 15% 2025-11-08 11:10:43 +02:00			`// Skip known safe system processes for performance`
			`if proc.name == "csrss.exe" \|\| proc.name == "wininit.exe" \|\| proc.name == "winlogon.exe" {`
			`continue;`
			`}`

track and report memory access errors in verbose mode 2025-11-08 12:22:19 +02:00			`scanned_count += 1;`

			`match memory::enumerate_memory_regions(proc.pid) {`
			`Ok(regions) => {`
			`// Get thread information if available`
			`let threads = thread::enumerate_threads(proc.pid).ok();`
			`let result = engine.analyze_process(proc, &regions, threads.as_deref());`
integrate detection engine into CLI 2025-11-07 18:08:21 +02:00
track and report memory access errors in verbose mode 2025-11-08 12:22:19 +02:00			`if result.threat_level != ThreatLevel::Clean {`
			`detections.push(result);`
			`}`
			`}`
			`Err(_) => {`
			`error_count += 1;`
			`if verbose {`
			`println!("Warning: Could not scan process {} (PID: {})", proc.name, proc.pid);`
			`}`
integrate detection engine into CLI 2025-11-07 18:08:21 +02:00			`}`
			`}`
			`}`

track and report memory access errors in verbose mode 2025-11-08 12:22:19 +02:00			`if verbose && error_count > 0 {`
			`println!("Scan completed with {} access errors", error_count);`
			`}`

Add output file option to CLI 2025-11-08 12:29:21 +02:00			`// Handle output`
			`let output_content = if detections.is_empty() {`
			`"No suspicious activity detected.".to_string()`
integrate detection engine into CLI 2025-11-07 18:08:21 +02:00			`} else {`
Add output file option to CLI 2025-11-08 12:29:21 +02:00			`let mut content = format!("Found {} suspicious processes:\n\n", detections.len());`
integrate detection engine into CLI 2025-11-07 18:08:21 +02:00
			`for detection in detections {`
			`let level_str = match detection.threat_level {`
			`ThreatLevel::Suspicious => "SUSPICIOUS",`
			`ThreatLevel::Malicious => "MALICIOUS",`
			`_ => "CLEAN",`
			`};`

Add output file option to CLI 2025-11-08 12:29:21 +02:00			`content.push_str(&format!(`
			`"[{}] {} (PID: {}) - Confidence: {:.1}%\n",`
integrate detection engine into CLI 2025-11-07 18:08:21 +02:00			`level_str,`
			`detection.process.name,`
			`detection.process.pid,`
			`detection.confidence * 100.0`
Add output file option to CLI 2025-11-08 12:29:21 +02:00			`));`
add basic CLI for testing enumeration 2025-11-07 18:05:07 +02:00
integrate detection engine into CLI 2025-11-07 18:08:21 +02:00			`for indicator in &detection.indicators {`
Add output file option to CLI 2025-11-08 12:29:21 +02:00			`content.push_str(&format!(" - {}\n", indicator));`
add basic CLI for testing enumeration 2025-11-07 18:05:07 +02:00			`}`
Add output file option to CLI 2025-11-08 12:29:21 +02:00			`content.push('\n');`
add basic CLI for testing enumeration 2025-11-07 18:05:07 +02:00			`}`
Add output file option to CLI 2025-11-08 12:29:21 +02:00			`content`
			`};`

			`if let Some(output_path) = output_file {`
			`use std::fs::File;`
			`use std::io::Write;`

			`let mut file = File::create(output_path)?;`
			`file.write_all(output_content.as_bytes())?;`
			`println!("Results written to {}", output_path);`
			`} else {`
			`print!("{}", output_content);`
add basic CLI for testing enumeration 2025-11-07 18:05:07 +02:00			`}`

			`Ok(())`
			`}`