Implement File Path Classification for POSIX, Windows, and Registry Paths

[unclesp1d3r]

Overview

Implement comprehensive file path pattern matching and classification for the StringyMcStringFace binary analyzer. This feature will enable automatic detection and tagging of file system paths across different operating systems and Windows registry paths.

Background

The classification system (documented in docs/src/classification.md) defines patterns for file paths but lacks the actual implementation in src/classification/mod.rs. This feature is critical for malware analysis, as file paths often indicate:

• Persistence mechanisms (startup folders, system directories)
• Data exfiltration targets
• Configuration file locations
• Temporary file usage patterns

Technical Requirements

1. POSIX File Path Detection

Pattern: /[^\0\n\r]*

Characteristics:

• Must start with forward slash /
• May contain multiple path components separated by /
• Valid characters: alphanumeric, dots, underscores, hyphens, spaces
• Should handle both absolute and relative paths
• Common prefixes: /usr/, /etc/, /var/, /home/, /tmp/

Examples:

• /usr/bin/malware
• /etc/passwd
• /var/log/system.log
• /home/user/.config/app

Validation Rules:

• Minimum length: 2 characters (e.g., /a)
• No null bytes, carriage returns, or line feeds
• Path components should not be empty (no //)
• Should detect common system directories for confidence boosting

2. Windows File Path Detection

Pattern: [A-Za-z]:\\[^\0\n\r]*

Characteristics:

• Must start with drive letter followed by :\
• Backslashes as path separators
• Case-insensitive drive letters
• May contain spaces in path components
• Common prefixes: C:\Windows, C:\Program Files, C:\Users

Examples:

• C:\Windows\System32\evil.dll
• D:\Data\config.ini
• C:\Program Files (x86)\App\binary.exe

UNC Path Support (stretch goal):

• Pattern: \\\\[a-zA-Z0-9.-]+\\[^\0\n\r]*
• Example: \\server\share\file.txt

Validation Rules:

• Minimum length: 3 characters (e.g., C:\)
• Drive letter must be A-Z (case insensitive)
• Must use backslashes, not forward slashes
• Should detect common system directories

3. Windows Registry Path Detection

Pattern: HKEY_[A-Z_]+\\[^\0\n\r]*

Root Keys:

• HKEY_LOCAL_MACHINE (HKLM)
• HKEY_CURRENT_USER (HKCU)
• HKEY_CLASSES_ROOT (HKCR)
• HKEY_USERS (HKU)
• HKEY_CURRENT_CONFIG (HKCC)

Examples:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\App\Settings
• HKLM\System\CurrentControlSet\Services (abbreviated form)

Validation Rules:

• Must start with valid HKEY root
• Support both full names and abbreviations (HKLM, HKCU, etc.)
• Backslash path separator
• Keys associated with persistence should boost confidence score

Implementation Structure

Proposed Module Structure

// src/classification/mod.rs

mod file_path;
mod registry;
mod url;
mod network;
// ... other classifiers

pub use file_path::FilePathClassifier;
pub use registry::RegistryPathClassifier;

pub struct SemanticClassifier {
    file_path: FilePathClassifier,
    registry: RegistryPathClassifier,
    // ... other classifiers
}

impl SemanticClassifier {
    pub fn new() -> Result<Self> {
        Ok(Self {
            file_path: FilePathClassifier::new()?,
            registry: RegistryPathClassifier::new()?,
        })
    }

    pub fn classify(&self, text: &str, context: &StringContext) -> Vec<ClassificationResult> {
        let mut results = Vec::new();
        
        // Try file path classification
        if let Some(result) = self.file_path.classify(text, context) {
            results.push(result);
        }
        
        // Try registry path classification
        if let Some(result) = self.registry.classify(text, context) {
            results.push(result);
        }
        
        results
    }
}

File Path Classifier

// src/classification/file_path.rs

use regex::Regex;
use crate::types::{Tag, ClassificationResult, StringContext, BinaryFormat};

pub struct FilePathClassifier {
    posix_regex: Regex,
    windows_regex: Regex,
    unc_regex: Regex,
    suspicious_posix_paths: HashSet<&'static str>,
    suspicious_windows_paths: HashSet<&'static str>,
}

impl FilePathClassifier {
    pub fn new() -> Result<Self> {
        Ok(Self {
            posix_regex: Regex::new(r"^/[^\0\n\r]*")?,
            windows_regex: Regex::new(r"^[A-Za-z]:\\[^\0\n\r]*")?,
            unc_regex: Regex::new(r"^\\\\[a-zA-Z0-9.-]+\\[^\0\n\r]*")?,
            suspicious_posix_paths: Self::init_suspicious_posix_paths(),
            suspicious_windows_paths: Self::init_suspicious_windows_paths(),
        })
    }

    pub fn classify(&self, text: &str, context: &StringContext) -> Option<ClassificationResult> {
        // Try POSIX first
        if let Some(result) = self.classify_posix(text, context) {
            return Some(result);
        }
        
        // Try Windows
        if let Some(result) = self.classify_windows(text, context) {
            return Some(result);
        }
        
        None
    }

    fn classify_posix(&self, text: &str, context: &StringContext) -> Option<ClassificationResult> {
        if !self.posix_regex.is_match(text) {
            return None;
        }
        
        let confidence = self.calculate_posix_confidence(text, context);
        
        Some(ClassificationResult {
            tag: Tag::FilePath,
            confidence,
            evidence: vec!["POSIX path pattern".to_string()],
        })
    }

    fn calculate_posix_confidence(&self, text: &str, context: &StringContext) -> f32 {
        let mut confidence = 0.6; // Base confidence
        
        // Boost for known system directories
        if text.starts_with("/usr/") || text.starts_with("/etc/") {
            confidence += 0.2;
        }
        
        // Boost for suspicious persistence locations
        if self.is_suspicious_posix_path(text) {
            confidence += 0.15;
        }
        
        // Context-based boosting
        if matches!(context.binary_format, BinaryFormat::Elf | BinaryFormat::MachO) {
            confidence += 0.1;
        }
        
        confidence.min(1.0)
    }
}

Confidence Scoring Criteria

High Confidence (0.8-1.0)

• Matches pattern AND starts with known system directory
• Found in appropriate binary format (POSIX paths in ELF/Mach-O, Windows paths in PE)
• Contains file extension matching context
• Part of known persistence location

Medium Confidence (0.5-0.8)

• Matches pattern with valid structure
• Contains multiple path components
• Has reasonable length (not too short)

Low Confidence (0.3-0.5)

• Matches pattern but very short
• Found in unexpected context
• Potential false positive (e.g., C:\x could be format string)

Acceptance Criteria

• FilePathClassifier struct implemented with regex patterns
• POSIX path detection with validation
• Windows path detection with validation
• Registry path detection with all root keys
• UNC path detection (Windows network paths)
• Confidence scoring based on context and known paths
• Integration with SemanticClassifier
• Comprehensive unit tests covering:
  • Valid POSIX paths
  • Valid Windows paths
  • Valid registry paths
  • Edge cases (short paths, special characters)
  • False positive prevention
  • Confidence score calculations
  • Context-aware classification
• Documentation updates in classification.md
• Performance benchmarks for regex matching

Test Cases

POSIX Tests

#[test]
fn test_posix_absolute_path() {
    assert!(classifier.is_posix_path("/usr/bin/bash"));
    assert!(classifier.is_posix_path("/etc/passwd"));
}

#[test]
fn test_posix_home_directory() {
    assert!(classifier.is_posix_path("/home/user/.bashrc"));
}

#[test]
fn test_posix_with_spaces() {
    assert!(classifier.is_posix_path("/Users/John Doe/Documents/file.txt"));
}

Windows Tests

#[test]
fn test_windows_absolute_path() {
    assert!(classifier.is_windows_path("C:\\Windows\\System32\\cmd.exe"));
}

#[test]
fn test_windows_program_files() {
    assert!(classifier.is_windows_path("C:\\Program Files (x86)\\App"));
}

Registry Tests

#[test]
fn test_registry_run_key() {
    assert!(classifier.is_registry_path("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"));
}

#[test]
fn test_registry_abbreviated() {
    assert!(classifier.is_registry_path("HKLM\\System\\CurrentControlSet"));
}

Dependencies

• Previously blocked by: Issue Implement IPv4 and IPv6 Address Pattern Detection in Semantic Classifier #16 - Semantic Classification Framework ✅ RESOLVED - Base SemanticClassifier structure is now implemented with IPv4/IPv6 and URL detection
• Related: Requirements 3.4 (File System Pattern Detection), 3.5 (Registry Path Detection)

Security Implications

File paths in binaries often indicate:

• Persistence mechanisms: Startup folders, cron jobs, LaunchDaemons
• Data exfiltration: Sensitive file locations
• Configuration: Where malware stores settings
• Logs: Forensic artifacts

High-confidence classification enables analysts to quickly identify these indicators.

Performance Considerations

• Compile regexes once at initialization (lazy_static or once_cell)
• Short-circuit on first match to avoid unnecessary regex evaluations
• Consider string length pre-filtering before regex matching
• Profile regex performance with criterion benchmarks

Related Documentation

• Classification System: docs/src/classification.md
• Type Definitions: src/types.rs
• Examples: Requirements 3.4, 3.5

Task ID

stringy-analyzer/file-path-classification

[unclesp1d3r]

@coderabbitai Enhance this issue body with additional context and a proposed solution. Improve the issue title and assign the proper labels and other metadata.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Fetch current issue details
gh issue view 17 --json title,body,labels,assignees,milestone,projectItems

# Get repository structure to understand the codebase
echo -e "\n=== Repository Structure ==="
fd -t f -e py -e rs -e go -e java --max-depth 3 | head -30

# Look for existing classification or path-related files
echo -e "\n=== Classification Related Files ==="
fd -t f -i "classif"

# Look for path-related files
echo -e "\n=== Path Related Files ==="
fd -t f -i "path"

# Check for test directories
echo -e "\n=== Test Directories ==="
fd -t d -i "test"

# Look for semantic or framework files
echo -e "\n=== Semantic/Framework Files ==="
fd -t f -i "semantic\|framework"

Length of output: 1763

---

🏁 Script executed:

#!/bin/bash
# Read the classification module to understand the framework
echo "=== Classification Module ==="
cat src/classification/mod.rs

# Read classification documentation
echo -e "\n=== Classification Documentation ==="
cat docs/src/classification.md

# Check if there are any existing examples or patterns
echo -e "\n=== Check README for context ==="
cat README.md | head -50

# Look at the types to understand data structures
echo -e "\n=== Types ==="
cat src/types.rs

Length of output: 16762

---

🏁 Script executed:

#!/bin/bash
# Update the issue with enhanced content
gh issue edit 17 \
  --title "Implement File Path Classification for POSIX, Windows, and Registry Paths" \
  --body "## Overview

Implement comprehensive file path pattern matching and classification for the StringyMcStringFace binary analyzer. This feature will enable automatic detection and tagging of file system paths across different operating systems and Windows registry paths.

## Background

The classification system (documented in \`docs/src/classification.md\`) defines patterns for file paths but lacks the actual implementation in \`src/classification/mod.rs\`. This feature is critical for malware analysis, as file paths often indicate:
- Persistence mechanisms (startup folders, system directories)
- Data exfiltration targets
- Configuration file locations
- Temporary file usage patterns

## Technical Requirements

### 1. POSIX File Path Detection

**Pattern**: \`/[^\0\n\r]*\`

**Characteristics**:
- Must start with forward slash \`/\`
- May contain multiple path components separated by \`/\`
- Valid characters: alphanumeric, dots, underscores, hyphens, spaces
- Should handle both absolute and relative paths
- Common prefixes: \`/usr/\`, \`/etc/\`, \`/var/\`, \`/home/\`, \`/tmp/\`

**Examples**:
- \`/usr/bin/malware\`
- \`/etc/passwd\`
- \`/var/log/system.log\`
- \`/home/user/.config/app\`

**Validation Rules**:
- Minimum length: 2 characters (e.g., \`/a\`)
- No null bytes, carriage returns, or line feeds
- Path components should not be empty (no \`//\`)
- Should detect common system directories for confidence boosting

### 2. Windows File Path Detection

**Pattern**: \`[A-Za-z]:\\\\[^\0\n\r]*\`

**Characteristics**:
- Must start with drive letter followed by \`:\\\`
- Backslashes as path separators
- Case-insensitive drive letters
- May contain spaces in path components
- Common prefixes: \`C:\\Windows\`, \`C:\\Program Files\`, \`C:\\Users\`

**Examples**:
- \`C:\\Windows\\System32\\evil.dll\`
- \`D:\\Data\\config.ini\`
- \`C:\\Program Files (x86)\\App\\binary.exe\`

**UNC Path Support** (stretch goal):
- Pattern: \`\\\\\\\\[a-zA-Z0-9.-]+\\\\[^\0\n\r]*\`
- Example: \`\\\\\\\\server\\share\\file.txt\`

**Validation Rules**:
- Minimum length: 3 characters (e.g., \`C:\\\`)
- Drive letter must be A-Z (case insensitive)
- Must use backslashes, not forward slashes
- Should detect common system directories

### 3. Windows Registry Path Detection

**Pattern**: \`HKEY_[A-Z_]+\\\\[^\0\n\r]*\`

**Root Keys**:
- \`HKEY_LOCAL_MACHINE\` (HKLM)
- \`HKEY_CURRENT_USER\` (HKCU)
- \`HKEY_CLASSES_ROOT\` (HKCR)
- \`HKEY_USERS\` (HKU)
- \`HKEY_CURRENT_CONFIG\` (HKCC)

**Examples**:
- \`HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\`
- \`HKEY_CURRENT_USER\\Software\\App\\Settings\`
- \`HKLM\\System\\CurrentControlSet\\Services\` (abbreviated form)

**Validation Rules**:
- Must start with valid HKEY root
- Support both full names and abbreviations (HKLM, HKCU, etc.)
- Backslash path separator
- Keys associated with persistence should boost confidence score

## Implementation Structure

### Proposed Module Structure

\`\`\`rust
// src/classification/mod.rs

mod file_path;
mod registry;
mod url;
mod network;
// ... other classifiers

pub use file_path::FilePathClassifier;
pub use registry::RegistryPathClassifier;

pub struct SemanticClassifier {
    file_path: FilePathClassifier,
    registry: RegistryPathClassifier,
    // ... other classifiers
}

impl SemanticClassifier {
    pub fn new() -> Result<Self> {
        Ok(Self {
            file_path: FilePathClassifier::new()?,
            registry: RegistryPathClassifier::new()?,
        })
    }

    pub fn classify(&self, text: &str, context: &StringContext) -> Vec<ClassificationResult> {
        let mut results = Vec::new();
        
        // Try file path classification
        if let Some(result) = self.file_path.classify(text, context) {
            results.push(result);
        }
        
        // Try registry path classification
        if let Some(result) = self.registry.classify(text, context) {
            results.push(result);
        }
        
        results
    }
}
\`\`\`

### File Path Classifier

\`\`\`rust
// src/classification/file_path.rs

use regex::Regex;
use crate::types::{Tag, ClassificationResult, StringContext, BinaryFormat};

pub struct FilePathClassifier {
    posix_regex: Regex,
    windows_regex: Regex,
    unc_regex: Regex,
    suspicious_posix_paths: HashSet<&'static str>,
    suspicious_windows_paths: HashSet<&'static str>,
}

impl FilePathClassifier {
    pub fn new() -> Result<Self> {
        Ok(Self {
            posix_regex: Regex::new(r\"^/[^\0\n\r]*\")?,
            windows_regex: Regex::new(r\"^[A-Za-z]:\\\\[^\0\n\r]*\")?,
            unc_regex: Regex::new(r\"^\\\\\\\\[a-zA-Z0-9.-]+\\\\[^\0\n\r]*\")?,
            suspicious_posix_paths: Self::init_suspicious_posix_paths(),
            suspicious_windows_paths: Self::init_suspicious_windows_paths(),
        })
    }

    pub fn classify(&self, text: &str, context: &StringContext) -> Option<ClassificationResult> {
        // Try POSIX first
        if let Some(result) = self.classify_posix(text, context) {
            return Some(result);
        }
        
        // Try Windows
        if let Some(result) = self.classify_windows(text, context) {
            return Some(result);
        }
        
        None
    }

    fn classify_posix(&self, text: &str, context: &StringContext) -> Option<ClassificationResult> {
        if !self.posix_regex.is_match(text) {
            return None;
        }
        
        let confidence = self.calculate_posix_confidence(text, context);
        
        Some(ClassificationResult {
            tag: Tag::FilePath,
            confidence,
            evidence: vec![\"POSIX path pattern\".to_string()],
        })
    }

    fn calculate_posix_confidence(&self, text: &str, context: &StringContext) -> f32 {
        let mut confidence = 0.6; // Base confidence
        
        // Boost for known system directories
        if text.starts_with(\"/usr/\") || text.starts_with(\"/etc/\") {
            confidence += 0.2;
        }
        
        // Boost for suspicious persistence locations
        if self.is_suspicious_posix_path(text) {
            confidence += 0.15;
        }
        
        // Context-based boosting
        if matches!(context.binary_format, BinaryFormat::Elf | BinaryFormat::MachO) {
            confidence += 0.1;
        }
        
        confidence.min(1.0)
    }
}
\`\`\`

## Confidence Scoring Criteria

### High Confidence (0.8-1.0)
- Matches pattern AND starts with known system directory
- Found in appropriate binary format (POSIX paths in ELF/Mach-O, Windows paths in PE)
- Contains file extension matching context
- Part of known persistence location

### Medium Confidence (0.5-0.8)
- Matches pattern with valid structure
- Contains multiple path components
- Has reasonable length (not too short)

### Low Confidence (0.3-0.5)
- Matches pattern but very short
- Found in unexpected context
- Potential false positive (e.g., \`C:\\x\` could be format string)

## Acceptance Criteria

- [ ] \`FilePathClassifier\` struct implemented with regex patterns
- [ ] POSIX path detection with validation
- [ ] Windows path detection with validation
- [ ] Registry path detection with all root keys
- [ ] UNC path detection (Windows network paths)
- [ ] Confidence scoring based on context and known paths
- [ ] Integration with \`SemanticClassifier\`
- [ ] Comprehensive unit tests covering:
  - [ ] Valid POSIX paths
  - [ ] Valid Windows paths
  - [ ] Valid registry paths
  - [ ] Edge cases (short paths, special characters)
  - [ ] False positive prevention
  - [ ] Confidence score calculations
  - [ ] Context-aware classification
- [ ] Documentation updates in \`classification.md\`
- [ ] Performance benchmarks for regex matching

## Test Cases

### POSIX Tests
\`\`\`rust
#[test]
fn test_posix_absolute_path() {
    assert!(classifier.is_posix_path(\"/usr/bin/bash\"));
    assert!(classifier.is_posix_path(\"/etc/passwd\"));
}

#[test]
fn test_posix_home_directory() {
    assert!(classifier.is_posix_path(\"/home/user/.bashrc\"));
}

#[test]
fn test_posix_with_spaces() {
    assert!(classifier.is_posix_path(\"/Users/John Doe/Documents/file.txt\"));
}
\`\`\`

### Windows Tests
\`\`\`rust
#[test]
fn test_windows_absolute_path() {
    assert!(classifier.is_windows_path(\"C:\\\\Windows\\\\System32\\\\cmd.exe\"));
}

#[test]
fn test_windows_program_files() {
    assert!(classifier.is_windows_path(\"C:\\\\Program Files (x86)\\\\App\"));
}
\`\`\`

### Registry Tests
\`\`\`rust
#[test]
fn test_registry_run_key() {
    assert!(classifier.is_registry_path(\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\"));
}

#[test]
fn test_registry_abbreviated() {
    assert!(classifier.is_registry_path(\"HKLM\\\\System\\\\CurrentControlSet\"));
}
\`\`\`

## Dependencies

- **Blocked by**: Issue #16 - Semantic Classification Framework (implement base \`SemanticClassifier\` structure)
- **Related**: Requirements 3.4 (File System Pattern Detection), 3.5 (Registry Path Detection)

## Security Implications

File paths in binaries often indicate:
- **Persistence mechanisms**: Startup folders, cron jobs, LaunchDaemons
- **Data exfiltration**: Sensitive file locations
- **Configuration**: Where malware stores settings
- **Logs**: Forensic artifacts

High-confidence classification enables analysts to quickly identify these indicators.

## Performance Considerations

- Compile regexes once at initialization (\`lazy_static\` or \`once_cell\`)
- Short-circuit on first match to avoid unnecessary regex evaluations
- Consider string length pre-filtering before regex matching
- Profile regex performance with \`criterion\` benchmarks

## Related Documentation

- Classification System: \`docs/src/classification.md\`
- Type Definitions: \`src/types.rs\`
- Examples: Requirements 3.4, 3.5

## Task ID

\`stringy-analyzer/file-path-classification\`"

# Check current labels
echo "Current labels:"
gh issue view 17 --json labels --jq '.labels[].name'

Length of output: 145

---

🏁 Script executed:

#!/bin/bash
# Check all available labels in the repository
echo "Available repository labels:"
gh label list --json name,description --jq '.[] | "\(.name): \(.description)"'

Length of output: 1293

---

🏁 Script executed:

#!/bin/bash
# Add MVP and priority labels to the issue
gh issue edit 17 --add-label "MVP,priority:medium"

# Show final issue state
echo -e "\n=== Final Issue State ==="
gh issue view 17 --json title,labels,milestone,assignees --jq '{title: .title, labels: [.labels[].name], milestone: .milestone.title, assignees: [.assignees[].login]}'

Length of output: 334

---

@unclesp1d3r I've successfully enhanced issue #17 with comprehensive technical details and improved metadata. Here's what was updated:

✅ Enhanced Issue Title

New: "Implement File Path Classification for POSIX, Windows, and Registry Paths"

• More descriptive and actionable than the previous "File Path Classification"

✅ Comprehensive Issue Body

Added extensive technical documentation including:

• Overview & Background: Context about why this feature is critical for malware analysis
• Technical Requirements: Detailed specifications for:
  • POSIX file paths (/usr/bin/malware, /etc/passwd)
  • Windows file paths (C:\Windows\System32\evil.dll)
  • Windows Registry paths (HKEY_LOCAL_MACHINE\SOFTWARE\...)
  • UNC paths (stretch goal)
• Implementation Structure: Proposed Rust code architecture with:
  • Module organization (file_path.rs, registry.rs)
  • FilePathClassifier struct with regex patterns
  • Integration with SemanticClassifier
• Confidence Scoring: Criteria for high/medium/low confidence classification
• Acceptance Criteria: Complete checklist with 14 specific items
• Test Cases: Ready-to-implement unit tests for all path types
• Security Implications: Why file paths matter for threat detection
• Performance Considerations: Regex optimization strategies

✅ Labels & Metadata

Added:

• MVP - Aligns with v0.1 milestone
• priority:medium - Important feature, appropriate priority given it's blocked by Implement IPv4 and IPv6 Address Pattern Detection in Semantic Classifier #16

Existing labels retained:

• area:analyzer
• type:enhancement
• status:backlog
• lang:rust
• needs:tests

Other metadata:

• ✓ Assigned to you (unclesp1d3r)
• ✓ In milestone v0.1
• ✓ References blocking dependency (Semantic Classification Framework)

The issue is now ready for implementation with clear technical specifications, code examples, and test cases! 🚀