feat(alertsender): Systray alert sender (#237)

Author: rabbitstack

configs/fibratus.yml

@@ -16,6 +16,20 @@ aggregator:
 
 # Alert senders deal with emitting alerts via different channels.
 alertsenders:
+  # Systray sender sends alerts as notifications to the taskbar status area.
+  systray:
+    # Enables/disables systray alert sender
+    enabled: true
+
+    # Indicates if the associated sound is played when the balloon notification is shown
+    sound: true
+
+    # Instructs not to display the balloon notification if the current user is in quiet time.
+    # During this time, most notifications should not be sent or shown. This lets a user become
+    # accustomed to a new computer system without those distractions. Quiet time also occurs for
+    # each user after an operating system upgrade or clean installation.
+    quiet-mode: false
+
   # Mail sender transports the alerts via SMTP protocol.
   mail:
     # Enables/disables mail alert sender
@@ -27,7 +41,7 @@ alertsenders:
     # Represents the port of the SMTP server
     #port: 587
 
-    # Specifies the user name when authenticating to the SMTP server
+    # Specifies the username when authenticating to the SMTP server
     #user:
 
     # Specifies the password when authenticating to the SMTP server

internal/bootstrap/bootstrap.go

@@ -423,6 +423,9 @@ func (f *App) Shutdown() error {
 	if err := api.CloseServer(); err != nil {
 		errs = append(errs, err)
 	}
+	if err := alertsender.ShutdownAll(); err != nil {
+		errs = append(errs, err)
+	}
 	return multierror.Wrap(errs...)
 }
 

pkg/aggregator/aggregator.go

@@ -40,6 +40,7 @@ import (
 	// initialize alert senders
 	_ "github.com/rabbitstack/fibratus/pkg/alertsender/mail"
 	_ "github.com/rabbitstack/fibratus/pkg/alertsender/slack"
+	_ "github.com/rabbitstack/fibratus/pkg/alertsender/systray"
 
 	// initialize transformers
 	_ "github.com/rabbitstack/fibratus/pkg/aggregator/transformers/remove"

pkg/alertsender/mail/mail.go

@@ -52,6 +52,8 @@ func (s mail) Send(alert alertsender.Alert) error {
 }
 
 func (s mail) Type() alertsender.Type { return alertsender.Mail }
+func (s mail) Shutdown() error        { return nil }
+func (s mail) SupportsMarkdown() bool { return true }
 
 func (s mail) composeMessage(from string, to []string, alert alertsender.Alert) *gomail.Message {
 	msg := gomail.NewMessage()

pkg/alertsender/sender.go

@@ -18,7 +18,10 @@
 
 package alertsender
 
-import "fmt"
+import (
+	"fmt"
+	"github.com/rabbitstack/fibratus/pkg/util/multierror"
+)
 
 // ErrInvalidConfig signals an invalid sender config
 var ErrInvalidConfig = func(name Type) error { return fmt.Errorf("invalid config for %q sender", name) }
@@ -39,6 +42,8 @@ const (
 	Slack
 	// Noop is a noop alert sender. Useful for testing.
 	Noop
+	// Systray designates the systray notification alert sender
+	Systray
 	// None is the type for unknown alert sender
 	None
 )
@@ -52,6 +57,8 @@ func (s Type) String() string {
 		return "slack"
 	case Noop:
 		return "noop"
+	case Systray:
+		return "systray"
 	default:
 		return "none"
 	}
@@ -63,6 +70,12 @@ type Sender interface {
 	Send(Alert) error
 	// Type returns the type that identifies a particular sender.
 	Type() Type
+	// Shutdown performs cleanup tasks possibly disposing any resources
+	// allocated by the sender.
+	Shutdown() error
+	// SupportsMarkdown indicates if the sender supports Markdown
+	// rendering in alert text string.
+	SupportsMarkdown() bool
 }
 
 // ToType converts the string representation of the alert sender to its corresponding type.
@@ -74,6 +87,8 @@ func ToType(s string) Type {
 		return Slack
 	case "noop":
 		return Noop
+	case "systray":
+		return Systray
 	default:
 		return None
 	}
@@ -101,6 +116,18 @@ func FindAll() []Sender {
 	return senders
 }
 
+// ShutdownAll shutdowns all registered senders.
+func ShutdownAll() error {
+	errs := make([]error, 0)
+	for _, s := range alertsenders {
+		err := s.Shutdown()
+		if err != nil {
+			errs = append(errs, err)
+		}
+	}
+	return multierror.Wrap(errs...)
+}
+
 // Load loads an alert sender from the registry.
 func Load(config Config) (Sender, error) {
 	typ := config.Type

pkg/alertsender/slack/slack.go

@@ -128,3 +128,5 @@ func (s slack) Send(alert alertsender.Alert) error {
 }
 
 func (s slack) Type() alertsender.Type { return alertsender.Slack }
+func (s slack) Shutdown() error        { return nil }
+func (s slack) SupportsMarkdown() bool { return true }

pkg/alertsender/systray/_fixtures/fibratus.ico

@@ -0,0 +1,46 @@
+/*
+ * Copyright 2021-2022 by Nedim Sabic Sabic
+ * https://www.fibratus.io
+ * All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package systray
+
+import "github.com/spf13/pflag"
+
+const (
+	enabled   = "alertsenders.systray.enabled"
+	sound     = "alertsenders.systray.sound"
+	quietMode = "alertsenders.systray.quiet-mode"
+)
+
+// Config contains the configuration for the systray alert sender.
+type Config struct {
+	// Enabled indicates whether systray alert sender is enabled.
+	Enabled bool `mapstructure:"enabled"`
+	// Sound indicates if the associated sound is played
+	// when the balloon notification is shown.
+	Sound bool `mapstructure:"sound"`
+	// QuietMode instructs not to display the balloon notification
+	// if the current user is in quiet time.
+	QuietMode bool `mapstructure:"quiet"`
+}
+
+// AddFlags registers persistent flags.
+func AddFlags(flags *pflag.FlagSet) {
+	flags.Bool(enabled, true, "Determines whether systray alert sender is enabled")
+	flags.Bool(sound, true, "Indicates if the associated sound is played when the balloon notification is shown")
+	flags.Bool(quietMode, false, "Instructs not to display the balloon notification if the current user is in quiet time")
+}

pkg/alertsender/systray/config.go

@@ -0,0 +1,166 @@
+/*
+ * Copyright 2021-2022 by Nedim Sabic Sabic
+ * https://www.fibratus.io
+ * All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package systray
+
+import (
+	"errors"
+	"fmt"
+	"github.com/rabbitstack/fibratus/pkg/alertsender"
+	"github.com/rabbitstack/fibratus/pkg/sys"
+	"golang.org/x/sys/windows"
+	"os"
+	"path/filepath"
+	"unsafe"
+)
+
+var (
+	// ErrSystrayIconRegisterClass is raised when the systray window class fails o register
+	ErrSystrayIconRegisterClass = errors.New("unable to register systray icon window class")
+	// ErrSystrayIconWindow is raised when the systray icon window can't be created
+	ErrSystrayIconWindow = errors.New("unable to create systray icon window")
+
+	className = windows.StringToUTF16Ptr("fibratus")
+)
+
+// systray interops with the status area
+// to show balloon notifications with the
+// desired title and text. Both, regular
+// and balloon icons are also rendered when
+// displaying the notification message.
+type systray struct {
+	wnd         sys.Hwnd // systray icon window handle
+	systrayIcon *sys.SystrayIcon
+	config      Config
+}
+
+func init() {
+	alertsender.Register(alertsender.Systray, makeSender)
+}
+
+// makeSender constructs a new instance of the systray alert sender.
+func makeSender(config alertsender.Config) (alertsender.Sender, error) {
+	c, ok := config.Sender.(Config)
+	if !ok {
+		return nil, alertsender.ErrInvalidConfig(alertsender.Systray)
+	}
+
+	if !c.Enabled {
+		return &systray{}, nil
+	}
+
+	var mod windows.Handle
+	err := windows.GetModuleHandleEx(0, nil, &mod)
+	if err != nil {
+		return nil, err
+	}
+	// register notification icon window class
+	var wc sys.WndClassEx
+	wc.Size = uint32(unsafe.Sizeof(wc))
+	wc.Instance = mod
+	wc.WndProc = windows.NewCallback(wndProc)
+	wc.ClassName = className
+	err = sys.RegisterClass(&wc)
+	if err != nil {
+		return nil, errors.Join(ErrSystrayIconRegisterClass, err)
+	}
+	// create the notification icon window
+	hwnd, err := sys.CreateWindowEx(
+		0,
+		className,
+		className,
+		sys.WindowStyleOverlapped,
+		sys.CwUseDefault,
+		sys.CwUseDefault,
+		100,
+		100,
+		0,
+		0,
+		mod,
+		0,
+	)
+	if err != nil {
+		return nil, errors.Join(ErrSystrayIconWindow, err)
+	}
+
+	systrayIcon, err := sys.NewSystrayIcon(hwnd)
+	if err != nil {
+		return nil, err
+	}
+	// find the icon in the same directory where the binary is loaded
+	exe, err := os.Executable()
+	if err != nil {
+		return nil, err
+	}
+	ico, err := sys.LoadImage(
+		mod,
+		windows.StringToUTF16Ptr(filepath.Join(filepath.Dir(exe), "fibratus.ico")),
+		1, // load icon
+		0,
+		0,
+		sys.LoadResourceDefaultSize|sys.LoadResourceFromFile,
+	)
+	if err != nil {
+		// load stock informational system icon
+		var icon sys.ShStockIcon
+		icon.Size = uint32(unsafe.Sizeof(icon))
+		err := sys.SHGetStockIconInfo(79, 0x000000100, &icon)
+		if err != nil {
+			return nil, fmt.Errorf("unable to load systray icon resource: %v", err)
+		}
+		ico = windows.Handle(icon.Icon)
+	}
+
+	// set systray icon and tooltip
+	if err := systrayIcon.SetIcon(sys.Hicon(ico)); err != nil {
+		return nil, fmt.Errorf("unable to set systray icon: %v", err)
+	}
+	if err := systrayIcon.SetTooltip("Fibratus"); err != nil {
+		return nil, fmt.Errorf("unable to set systray icon tooltip: %v", err)
+	}
+	s := &systray{
+		wnd:         hwnd,
+		systrayIcon: systrayIcon,
+		config:      c,
+	}
+	return s, nil
+}
+
+func (s systray) Send(alert alertsender.Alert) error {
+	if s.systrayIcon == nil {
+		return nil
+	}
+	return s.systrayIcon.ShowBalloonNotification(alert.Title, alert.Text, s.config.Sound, s.config.QuietMode)
+}
+
+func (s systray) Type() alertsender.Type { return alertsender.Systray }
+func (s systray) SupportsMarkdown() bool { return false }
+
+func (s systray) Shutdown() error {
+	if s.wnd.IsValid() {
+		s.wnd.Destroy()
+	}
+	if s.systrayIcon != nil {
+		return s.systrayIcon.Delete()
+	}
+	return nil
+}
+
+func wndProc(hwnd uintptr, msg uint32, wparam, lparam uintptr) uintptr {
+	return sys.DefWindowProc(hwnd, msg, wparam, lparam)
+}

pkg/alertsender/systray/systray.go

@@ -0,0 +1,36 @@
+/*
+ * Copyright 2021-2022 by Nedim Sabic Sabic
+ * https://www.fibratus.io
+ * All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package systray
+
+import (
+	"github.com/rabbitstack/fibratus/pkg/alertsender"
+	"github.com/stretchr/testify/require"
+	"testing"
+)
+
+func TestSystraySender(t *testing.T) {
+	s, err := alertsender.Load(alertsender.Config{Type: alertsender.Systray, Sender: Config{Enabled: true, Sound: false, QuietMode: false}})
+	require.NoError(t, err)
+	require.NotNil(t, s)
+	require.NoError(t, s.Send(alertsender.Alert{
+		Title: "LSASS memory dumping via legitimate or offensive tools",
+		Text: `Detected an attempt by mimikatz.exe process to access and read
+the memory of the Local Security And Authority Subsystem Service
+and subsequently write the C:\\temp\lsass.dmp dump file to the disk device`}))
+}