Print infected for hidden nodes

dmknght · Oct 27, 2024 · fb21211 · fb21211
1 parent 22f0e40
commit fb21211
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/src/engine/scan_file.nim b/src/engine/scan_file.nim
@@ -135,9 +135,10 @@ proc fscanner_scan_file*(scan_ctx: var FileScanCtx, scan_path: string, virname:
     1. If file name is too long, we can't parse the name of next node
     2. If 2 hidden nodes are next to each other, 1 node is not going to be detected
 ]#
-proc fscanner_check_hidden_node(ptr_dir: ptr Dirent, current_node_name: string, next_node_name: var string) =
+proc fscanner_check_hidden_node(scan_ctx: var FileScanCtx, ptr_dir: ptr Dirent, current_node_name, full_node_path: string, next_node_name: var string) =
   if not isEmptyOrWhiteSpace(next_node_name) and next_node_name != current_node_name:
-    discard # TODO show this is a hidden node
+    scan_ctx.file_infected += 1
+    print_file_infected("Heur:Rootkit.HiddenOnDisk", full_node_path)
 
   # Get name of the next node
   if ptr_dir.d_reclen >= 256:
@@ -180,10 +181,10 @@ proc fscanner_walk_dir_rec*(scan_ctx: var FileScanCtx, scan_dir: string, virname
     if current_node_name == "." or current_node_name == "..":
       continue
 
-    fscanner_check_hidden_node(ptr_dir, current_node_name, next_node_name)
-
     full_node_path = if scan_dir.endsWith("/"): scan_dir & current_node_name else: scan_dir & "/" & current_node_name
 
+    fscanner_check_hidden_node(scan_ctx, ptr_dir, current_node_name, full_node_path, next_node_name)
+
     case ptr_dir.d_type
       of DT_DIR:
         # Recursive walk. Current node is a folder so it should ends with "/"