gatariee
diff --git a/‎README.md
+46-40 b/‎README.md
+46-40
diff --git a/‎bin/gocheck32.exe
-284 KB b/‎bin/gocheck32.exe
-284 KB
diff --git a/‎bin/gocheck64.exe
17 KB b/‎bin/gocheck64.exe
17 KB
diff --git a/‎cmd/check.go
+33-12 b/‎cmd/check.go
+33-12
diff --git a/‎cmd/root.go
+5 b/‎cmd/root.go
+5
@@ -7,17 +7,32 @@ I also wrote a blog post showcasing this project: [Identifying Malicious Bytes i
 
 ![GoCheck2](./assets/cobalt.gif)
 
+## Installation
+You can install `gocheck` from `go install`
+```bash
+go install github.com/gatariee/gocheck@latest
+```
+
+Alternatively, you can download the precompiled binaries from the [releases](https://github.com/gatariee/gocheck/releases) or build it yourself.
+```bash
+git clone https://github.com/gatariee/gocheck
+make [ windows / win64 / win32 ]
+```
+
 ## Usage
 ```cmd
 $ gocheck check --help
 Usage:
-  gocheck check [flags]
+  gocheck check [path_to_bin] /optional [flags]
 
 Flags:
-  -a, --amsi          Use AMSI to scan a file
-  -d, --defender      Use Windows Defender to scan a binary
-  -f, --file string   Binary to check
-  -h, --help          help for check
+  -a, --amsi        Use AMSI to scan the binary
+  -D, --debug       Enable debug mode
+  -d, --defender    Use Windows Defender to scan the binary
+  -h, --help        help for check
+
+  [!] UNSTABLE
+  -k, --kaspersky   Use Kaspersky's AV Engine to scan the binary
 ```
 
 ## Quick Use
@@ -49,54 +64,45 @@ Add-MpPreference -ExclusionPath [path_to_folder]
 ```
 ![amsi](https://i.gyazo.com/0c0a437eafe2c945c7d1188fdd9ec86d.png)
 
-## Both Windows Defender & AMSI
-You can also scan using both Windows Defender and AMSI at the same time.
-```cmd
-gocheck [path_to_file] /optional: --defender --amsi
-```
-![both](https://i.gyazo.com/5bb7681b57cd8736329ccd22ac7e9d7c.png)
+## External Scanners
+There is currently only support for [Kaspersky](https://www.kaspersky.com/security-cloud)'s Security Cloud AV Engine. The `--kaspersky` flag can be used to scan the binary using Kaspersky's AV Engine.
 
-## Debug
-Gocheck is in heavy WIP and may not work as expected. If you encounter any issues, please run the tool with `--debug` to provide more information about the issue. The `--debug` flag prints out which portions of the binary are being scanned, as well as sanity checks to ensure that the signatured portions are being correctly scanned. 
+There **are** plans to integrate more AV engines in the future.
+
+> It is normal for Kaspersky's AV engine to take a little longer than Windows Defender to scan the binary.
 ```cmd
-gocheck [path_to_file] /optional: --debug
+gocheck [path_to_file] /optional: --kaspersky
 ```
-![debug](https://i.gyazo.com/c6bb797e5b507b2ba7fc0d007575a410.png)
+![kaspersky](https://i.gyazo.com/346a57bb13a2b6fef5f6ae889c9e45d2.png)
 
-## Installation
-You can install `gocheck` from `go install`
-```bash
-go install github.com/gatariee/gocheck@latest
-```
+## Concurrency
+`gocheck` allows you to scan a binary using multiple AV engines simultaneously. This is done by passing multiple flags to `gocheck`. 
 
-Alternatively, you can download the precompiled binaries from the [releases](https://github.com/gatariee/gocheck/releases) or build it yourself.
-```bash
-git clone https://github.com/gatariee/gocheck
-make [ windows / win64 / win32 ]
+For example, to scan a binary using both **Windows Defender** and **Kaspersky's AV Engine**, you can pass the following flags to `gocheck` & the results will be returned at runtime.
+```cmd
+gocheck [path_to_file] /optional: --defender --kaspersky
 ```
+![kaspersky2](https://i.gyazo.com/3cd9b23ab285c33804a11c7440b1cdfc.png)
 
-### Evasion Usage
-You can use `gocheck` to identify bad bytes, and then pass the identified offset of bad bytes into [ghidra](https://github.com/NationalSecurityAgency/ghidra) (or, any other decompiler) to hopefully decompile the binary and locate the bad bytes in a function.
-
-I'll be using `ghidra` to decompile the binary since I'm more familiar with it. (and, it's free)
-#### 1. Check for Bad Bytes
+## Debug
+Gocheck is in heavy WIP and may not work as expected. If you encounter any issues, please run the tool with `--debug` to provide more information about the issue. The `--debug` flag prints out which portions of the binary are being scanned, as well as sanity checks to ensure that the signatured portions are being correctly scanned. 
 ```cmd
-$ gocheck <file> /optional:args
+gocheck [path_to_file] /optional: --debug
 ```
+![debug](https://i.gyazo.com/c6bb797e5b507b2ba7fc0d007575a410.png)
 
-![1](./assets/f14b57d0ca353d1de97ec67c98512cd1.png)
-* Identified bad bytes at offset **0x9DD** (from start of binary)
-* 16 bytes **before & after** the bad bytes are also printed for context, but doesn't help much in this case.
-
-#### 2. Open the binary in Ghidra
-* Navigation -> Go To... -> **FILE ( 0x9DD )**
-  * Alternatively, `G` also brings up the same dialog.
+## Common Pitfalls
+1. You may need to set exclusions when using `gocheck` to prevent the file from being nuked on first scan, here's how `gocheck` works under the hood:
+    * `gocheck` first passes the original file to `MpCmdRun.exe` to scan the file using Windows Defender -> (e.g ./mimikatz.exe)
+    * If the scan comes back malicious, we create a folder in the **current working directory** with the respective name of the scanner (e.g `windef`).
+    * Then, we start splitting the file (with reference to the original file), and writing the split bytes to the respective folder (e.g `windef`).
 
-![2](./assets/587cc1659ee36bfb12a9f2525fac40cb.png)
+      > There are multiple exclusions you need to set, or you can exclude the entire folder where `gocheck` is located.
+  
+2. Where possible, we try to pass in flags that are not destructive such as `-DisableRemediation` for Windows Defender and `/i0` for Kaspersky's AV Engine. However, whether the file gets sent to the cloud for further analysis **is not** within our control.
+    * It is ultimately the responsibility of the operator to assume that the AV engine **will** try it's best to send all binaries to the cloud for further analysis; and to take the necessary precautions to prevent this from happening such as disabling internet access.
 
-* The bad bytes are identified after a call to `VirtualAlloc` and before a call to `VirtualProtect` in this case, which should be easy to find in the artifact kit.
 
-![3](./assets/f6386e807de01acfa9bc301e2c0920c9.png)
 
 ## Benchmark
 > ⚠️ I am not an expert in benchmarking, and the following benchmarks are conducted on a single machine, and the results may vary on different machines. The benchmarks are conducted on a single machine to provide a rough estimate of the performance difference between `gocheck` and `DefenderCheck`.
 
@@ -29,16 +29,12 @@ var checkCmd = &cobra.Command{
 		amsi, _ := cmd.Flags().GetBool("amsi")
 		defender, _ := cmd.Flags().GetBool("defender")
 		debug, _ := cmd.Flags().GetBool("debug")
+		kaspersky, _ := cmd.Flags().GetBool("kaspersky")
 
 		if debug {
 			utils.PrintInfo("Debug mode enabled, verbose output will be displayed")
 		}
 
-		if !amsi && !defender {
-			/* Assume that the user wants to use defender */
-			defender = true
-		}
-
 		var (
 			defender_path string
 			err           error
@@ -56,11 +52,36 @@ var checkCmd = &cobra.Command{
 			defender_path = ""
 		}
 
+		var avp string
+		if kaspersky {
+			avp, err = scanner.FindKaspersky()
+			if err != nil {
+				utils.PrintErr(err.Error())
+				return
+			}
+
+			if avp == "" {
+				utils.PrintErr("Kaspersky not found, please ensure it's installed and the path is correct")
+				utils.PrintInfo("Kaspersky is probably installed at > ")
+				fmt.Println("\t", scanner.ScanPath)
+				fmt.Println("\t", scanner.AltScanPath)
+				return
+			}
+
+			utils.PrintInfo(fmt.Sprintf("Found Kaspersky at %s", avp))
+		}
+
+		additionals := make(map[string]string)
+		if kaspersky {
+			additionals["kaspersky"] = avp
+		}
+
 		token := scanner.Scanner{
 			File:       file,
 			Amsi:       amsi,
 			Defender:   defender,
 			EnginePath: defender_path,
+			Additional: additionals,
 		}
 
 		start := time.Now()
@@ -71,13 +92,6 @@ var checkCmd = &cobra.Command{
 	},
 }
 
-func init() {
-	rootCmd.AddCommand(checkCmd)
-	checkCmd.Flags().BoolP("amsi", "a", false, "Use AMSI to scan the binary")
-	checkCmd.Flags().BoolP("defender", "d", false, "Use Windows Defender to scan the binary")
-	checkCmd.Flags().BoolP("debug", "D", false, "Enable debug mode")
-}
-
 func GetFileSize(file string) (int64, error) {
 	fileInfo, err := os.Stat(file)
 	if err != nil {
@@ -123,3 +137,10 @@ func FindDefenderPath(root string) (string, error) {
 	})
 	return defenderPath, err
 }
+
+func init() {
+	checkCmd.Flags().BoolP("amsi", "a", false, "Use AMSI to scan the binary")
+	checkCmd.Flags().BoolP("defender", "d", false, "Use Windows Defender to scan the binary")
+	checkCmd.Flags().BoolP("kaspersky", "k", false, "Use Kaspersky to scan the binary")
+	checkCmd.Flags().BoolP("debug", "D", false, "Enable debug mode")
+}
@@ -44,6 +44,11 @@ func Execute() {
 }
 
 func init() {
+	rootCmd.AddCommand(checkCmd)
 	rootCmd.Version = VERSION
 	rootCmd.SetVersionTemplate("GoCheck version {{.Version}}\n")
+
+	rootCmd.Root().CompletionOptions.DisableDefaultCmd = true
+	rootCmd.Root().CompletionOptions.DisableDescriptions = true
+	rootCmd.SetHelpCommand(&cobra.Command{Use: "no-help", Run: func(cmd *cobra.Command, args []string) { /* Do nothing */ }})
 }
Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,11 @@ func Execute() {`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`func init() {`
	`47`	`+ rootCmd.AddCommand(checkCmd)`
`47`	`48`	`rootCmd.Version = VERSION`
`48`	`49`	`rootCmd.SetVersionTemplate("GoCheck version {{.Version}}\n")`
	`50`	`+`
	`51`	`+ rootCmd.Root().CompletionOptions.DisableDefaultCmd = true`
	`52`	`+ rootCmd.Root().CompletionOptions.DisableDescriptions = true`
	`53`	`+ rootCmd.SetHelpCommand(&cobra.Command{Use: "no-help", Run: func(cmd cobra.Command, args []string) { / Do nothing */ }})`
`49`	`54`	`}`