hippox-drivers 0.3.3

🦛All indivisible atomic driver units in Hippox.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104

//! Registry monitor Driver (Windows)

use anyhow::Result;
use serde_json::{Value, json};
use std::collections::HashMap;

use crate::{
    DriverCallback, DriverCategory, DriverContext,
    types::{Driver, DriverParameter},
};

#[cfg(target_os = "windows")]
use crate::operating_system_security::common::monitor_registry_key;

#[derive(Debug)]
pub struct RegistryMonitorDriver;

#[async_trait::async_trait]
impl Driver for RegistryMonitorDriver {
    fn name(&self) -> &str {
        "security_registry_monitor"
    }

    fn description(&self) -> &str {
        "Monitor Windows registry keys for security issues"
    }

    fn usage_hint(&self) -> &str {
        "Use this skill to audit Windows registry keys for security issues like startup persistence and service configurations"
    }

    fn parameters(&self) -> Vec<DriverParameter> {
        vec![
            DriverParameter {
                name: "key".to_string(),
                param_type: "string".to_string(),
                description: "Registry key path to monitor (default: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run)".to_string(),
                required: false,
                default: Some(Value::String("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".to_string())),
                example: Some(Value::String("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services".to_string())),
                enum_values: None,
            },
        ]
    }

    fn example_call(&self) -> Value {
        json!({
            "action": "security_registry_monitor",
            "parameters": {
                "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
            }
        })
    }

    fn example_output(&self) -> String {
        "Registry Monitor Results:\n\nKey: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\nName: startup\nValue: C:\\Program Files\\App\\app.exe\nValue Type: REG_SZ\nSecurity Issues:\n  - Startup registry key - potential persistence".to_string()
    }

    fn category(&self) -> DriverCategory {
        DriverCategory::OperatingSystemSecurity
    }

    async fn execute(
        &self,
        parameters: &HashMap<String, Value>,
        callback: Option<&dyn DriverCallback>,
        context: Option<&DriverContext>,
    ) -> Result<String> {
        #[cfg(not(target_os = "windows"))]
        {
            return Ok("Registry monitor is only supported on Windows systems".to_string());
        }

        #[cfg(target_os = "windows")]
        {
            let key = parameters
                .get("key")
                .and_then(|v| v.as_str())
                .unwrap_or("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run");

            let info = monitor_registry_key(key);

            let mut output = String::new();
            output.push_str(&format!(
                "Registry Monitor Results:\n\nKey: {}\n",
                info.path
            ));
            output.push_str(&format!("Name: {}\n", info.name));
            output.push_str(&format!("Value: {}\n", info.value));
            output.push_str(&format!("Value Type: {}\n", info.value_type));

            if !info.security_issues.is_empty() {
                output.push_str("\nSecurity Issues:\n");
                for issue in &info.security_issues {
                    output.push_str(&format!("  - {}\n", issue));
                }
            } else {
                output.push_str("\nNo security issues found.");
            }

            Ok(output)
        }
    }
}