From a60daa6b11969b64b7b220784104f36e9acec183 Mon Sep 17 00:00:00 2001
From: Kyle Quest
Date: Fri, 8 Nov 2024 20:00:34 -0800
Subject: [PATCH] artifact detection cleanup

Signed-off-by: Kyle Quest
---
 pkg/app/sensor/artifact/artifact.go | 33 ++++++++++++++++------
 pkg/app/sensor/detector/binfile/binfile.go | 1 +
 2 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/pkg/app/sensor/artifact/artifact.go b/pkg/app/sensor/artifact/artifact.go
index ef10f0d3..fe499258 100644
--- a/pkg/app/sensor/artifact/artifact.go
+++ b/pkg/app/sensor/artifact/artifact.go
@@ -191,15 +191,25 @@ func isAppMetadataFile(filePath string) bool {
 }
 
 var binDataReplace = []fsutil.ReplaceInfo{
+ {
+ PathSuffix: "/curl",
+ Match: "curl/",
+ Replace: "kerl/",
+ },
 {
 PathSuffix: "/node",
 Match: "node.js/v",
 Replace: "done,xu/v",
 },
 {
- PathSuffix: "/curl",
- Match: "curl/",
- Replace: "kerl/",
+ PathSuffix: "/bash",
+ Match: "@(#)Bash version",
+ Replace: "@(#)Nash wersion",
+ },
+ {
+ PathSuffix: "/nginx",
+ Match: "nginx version: ",
+ Replace: "xginn wersion: ",
 },
 }
 
@@ -223,6 +233,10 @@ const (
 OMPObfuscateAPN = "obfuscate_apn"
 )
 
+var (
+ BinFileExtra = []byte("OFH")
+)
+
 func init() {
 rand.Seed(time.Now().UnixNano())
 }
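Review bot: The `binDataReplace` table in artifact.go has no comment explaining what the rewrites are for or what an entry must satisfy, and the new `/bash` and `/nginx` entries make that gap more visible. Every Match/Replace pair shown is the same length, which I assume is required so the patched file keeps its size and offsets; if so, say it, e.g. `// Match and Replace must be equal length; entries rewrite identifying strings in copied binaries`. The comment should also record the side effect: banner output such as `nginx -v` presumably changes, and tools that identify components by these embedded strings will no longer recognise them in the output image.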
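Review bot: `BinFileExtra` is added as an exported, mutable package-level slice with no doc comment, so any importer can change the bytes that get appended to copied binaries. If nothing outside this package needs it, unexport it (`var binFileExtra = []byte("OFH")`); if it has to stay exported, add a doc comment in the usual form, e.g. `// BinFileExtra is the marker appended to each detected binary in the copy loop.`, and treat it as read-only.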
@@ -2192,16 +2206,17 @@ copyFiles:
 } else {
 //NOTE: this covers the main file set (doesn't cover the extra includes)
 binProps, err := binfile.Detected(filePath)
- if err == nil && binProps != nil && binProps.IsBin && binProps.IsExe {
- if err := fsutil.AppendToFile(filePath, []byte("KCQ"), true); err != nil {
+ if err == nil && binProps != nil && binProps.IsBin {
+ //not checking binProps.IsExe because Go's ELF header type decoding is unreliable...
+ if err := fsutil.AppendToFile(filePath, BinFileExtra, true); err != nil {
 logger.Debugf("[%s,%s] - fsutil.AppendToFile error => %v", srcFileName, filePath, err)
 } else {
 logger.Tracef("binfile.Detected[IsExe]/fsutil.AppendToFile - %s", filePath)
+ }
 
- err := fsutil.ReplaceFileData(filePath, binDataReplace, true)
- if err != nil {
- logger.Debugf("[%s,%s] - fsutil.ReplaceFileData error => %v", srcFileName, filePath, err)
- }
+ err := fsutil.ReplaceFileData(filePath, binDataReplace, true)
+ if err != nil {
+ logger.Debugf("[%s,%s] - fsutil.ReplaceFileData error => %v", srcFileName, filePath, err)
 }
 }
 }
diff --git a/pkg/app/sensor/detector/binfile/binfile.go b/pkg/app/sensor/detector/binfile/binfile.go
index 15f579eb..9992e894 100644
--- a/pkg/app/sensor/detector/binfile/binfile.go
+++ b/pkg/app/sensor/detector/binfile/binfile.go
@@ -20,6 +20,7 @@ func Detected(filePath string) (*BinProps, error) {
 IsBin: true,
 }
 
+ //note: Go elf header decoding bug... ET_EXEC gets decoded as ET_DYN sometimes
 switch binFile.Type {
 case elf.ET_EXEC:
 binProps.IsExe = true
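Review bot: With the `binProps.IsExe` test dropped in the `copyFiles:` hunk, the marker append now applies to every file `binfile.Detected` reports as `IsBin`, which presumably includes shared objects, so their digests change as well and any later integrity or signature check against the original files will fail; that wider scope should be documented. The stated reason is also inaccurate: position-independent executables carry `ET_DYN` in the ELF header by design, so this is not a Go decoding bug, and the same wording is in the comment added to binfile.go in the next hunk. I would reword both, e.g. `//not checking binProps.IsExe: PIE executables are ET_DYN, same as shared objects`, and update the stale trace label to `"binfile.Detected[IsBin]/fsutil.AppendToFile - %s"`. The enclosing copy loop starts and ends outside the hunk.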