void
FileMonitor::start()
{
if(!isMonitorRunning() && isDriverInstalled())
{
fileEvents = (BYTE*)malloc(FILE_EVENTS_BUFFER_SIZE);
fileMonitorThread = new Thread(this);
fileMonitorThread->start("FileMonitor");
}
}
void
RegistryMonitor::start()
{
if(!isMonitorRunning() && isDriverInstalled())
{
registryEventsBuffer = (BYTE*)malloc(REGISTRY_EVENTS_BUFFER_SIZE);
registryMonitorThread = new Thread(this);
registryMonitorThread->start("RegistryMonitor");
}
}
void
FileMonitor::stop()
{
if(isMonitorRunning() && isDriverInstalled())
{
monitorRunning = false;
WaitForSingleObject(hMonitorStoppedEvent, 1000);
fileMonitorThread->stop();
delete fileMonitorThread;
free(fileEvents);
}
}
void
RegistryMonitor::stop()
{
if(isMonitorRunning() && isDriverInstalled())
{
monitorRunning = false;
WaitForSingleObject(hMonitorStoppedEvent, 1000);
registryMonitorThread->stop();
delete registryMonitorThread;
free(registryEventsBuffer);
}
}
void
NetworkPacketDumper::stop()
{
if(isMonitorRunning() && isDriverInstalled())
{
std::list<NetworkAdapter*>::iterator it;
for(it = adapterList.begin(); it != adapterList.end(); it++)
{
(*it)->stop();
}
monitorRunning = false;
}
}
void
NetworkPacketDumper::start()
{
if(!isMonitorRunning() && isDriverInstalled())
{
std::list<NetworkAdapter*>::iterator it;
for(it = adapterList.begin(); it != adapterList.end(); it++)
{
(*it)->start();
LOG(INFO, "Started network dumper");
}
monitorRunning = true;
}
}
void
FileMonitor::run()
{
HRESULT hResult;
DWORD bytesReturned = 0;
monitorRunning = true;
while(isMonitorRunning())
{
FILEMONITOR_MESSAGE command;
command.Command = GetFileEvents;
ZeroMemory(fileEvents, FILE_EVENTS_BUFFER_SIZE);
hResult = FilterSendMessage( communicationPort,
&command,
sizeof( FILEMONITOR_COMMAND ),
fileEvents,
FILE_EVENTS_BUFFER_SIZE,
&bytesReturned );
if(bytesReturned >= sizeof(FILE_EVENT))
{
UINT offset = 0;
do {
PFILE_EVENT e = (PFILE_EVENT)(fileEvents + offset);
wstring fileEventName;
wstring fileEventPath;
wstring processModuleName;
wstring processPath;
vector<wstring> extraData;
//file event extra.at(0) == PID
wchar_t processIdString[11];
swprintf(processIdString, 11, L"%ld", e->processId);
extraData.push_back(processIdString);
if(getFileEventName(e, &fileEventName))
{
processPath = ProcessManager::getInstance()->getProcessPath(e->processId);
processModuleName = ProcessManager::getInstance()->getProcessModuleName(e->processId);
fileEventPath = e->filePath;
fileEventPath = convertFileObjectNameToDosName(fileEventPath);
if((fileEventPath != L"UNKNOWN"))
{
if(!Monitor::isEventAllowed(fileEventName, processPath, fileEventPath))
{
if(monitorModifiedFiles)
{
if(!isDirectory(fileEventPath))
{
if(e->majorFileEventType == IRP_MJ_CREATE ||
e->majorFileEventType == IRP_MJ_WRITE )
{
modifiedFiles.insert(fileEventPath);
} else if(e->majorFileEventType == IRP_MJ_DELETE)
{
modifiedFiles.erase(fileEventPath);
}
}
}
wchar_t szTempTime[256];
convertTimefieldsToString(e->time, szTempTime, 256);
wstring time = szTempTime;
signal_onFileEvent(fileEventName, time, processPath, fileEventPath, extraData);
}
}
}
offset += sizeof(FILE_EVENT) + e->filePathLength;
} while(offset < bytesReturned);
}
if(bytesReturned == FILE_EVENTS_BUFFER_SIZE)
{
Sleep(FILE_EVENT_BUFFER_FULL_WAIT_TIME);
} else {
Sleep(FILE_EVENT_WAIT_TIME);
}
}
SetEvent(hMonitorStoppedEvent);
}
void
RegistryMonitor::run()
{
DWORD dwReturn;
monitorRunning = true;
int waitTime = REGISTRY_DEFAULT_WAIT_TIME;
while(isMonitorRunning())
{
ZeroMemory(registryEventsBuffer, REGISTRY_EVENTS_BUFFER_SIZE);
DeviceIoControl(hDriver,
IOCTL_GET_REGISTRY_EVENTS,
0,
0,
registryEventsBuffer,
REGISTRY_EVENTS_BUFFER_SIZE,
&dwReturn,
NULL);
/* Go through all the registry events received. Events are variable sized
so the starts of them are calculated by adding the lengths of the various
data stored in it */
if(dwReturn >= sizeof(REGISTRY_EVENT))
{
UINT offset = 0;
do {
/* e->registryData contains the registry path first and then optionally
some data */
PREGISTRY_EVENT e = (PREGISTRY_EVENT)(registryEventsBuffer + offset);
BYTE* registryData = NULL;
wchar_t* szRegistryPath = NULL;
wstring registryEventName = getRegistryEventName(e->eventType);
/* Get the registry string */
szRegistryPath = (wchar_t*)malloc(e->registryPathLengthB);
CopyMemory(szRegistryPath, e->registryData, e->registryPathLengthB);
wstring registryPath = convertRegistryObjectNameToHiveName(szRegistryPath);
wstring processPath = ProcessManager::getInstance()->getProcessPath((DWORD)e->processId);
wchar_t processIdString[11];
swprintf_s(processIdString, 11, L"%ld", e->processId);
/* If there is data stored retrieve it */
if(e->dataLengthB > 0)
{
registryData = (BYTE*)malloc(e->dataLengthB);
CopyMemory(registryData, e->registryData+e->registryPathLengthB, e->dataLengthB);
}
/* Is the event excluded */
if(!Monitor::isEventAllowed(registryEventName,processPath,registryPath))
{
wchar_t szTempTime[256];
convertTimefieldsToString(e->time, szTempTime, 256);
wstring time = szTempTime;
//Handle all the post-processing to format the data
wchar_t szTemp[256];
wstring other;
size_t tmp_len;
vector<wstring> extraData;
//registry event extra.at(0) == PID
extraData.push_back(processIdString);
//registry event extra.at(1) == name of registry value
if(e->valueNameLength > 0){
extraData.push_back(e->valueName);
}
else{
extraData.push_back(L"");
}
//registry event extra.at(2) == registry value type
//registry event extra.at(3) == registry value data (if any)
//MS description of data types:
//http://support.microsoft.com/kb/256986
switch(e->dataType){
case REG_NONE:
extraData.push_back(L"REG_NONE");
extraData.push_back(L""); //This is so that the logger adds an extra blank value
break;
case REG_SZ:
extraData.push_back(L"REG_SZ");
if(registryData != NULL){
extraData.push_back((wchar_t *)registryData);
}
else{
extraData.push_back(L"");
}
break;
case REG_EXPAND_SZ:
extraData.push_back(L"REG_EXPAND_SZ");
if(registryData != NULL){
extraData.push_back((wchar_t *)registryData);
}
else{
extraData.push_back(L"");
}
break;
case REG_BINARY:
extraData.push_back(L"REG_BINARY");
if(registryData != NULL){
for(DWORD n = 0; n < e->dataLengthB; n++){
swprintf(szTemp, L"%x", registryData[n]);
other.append(szTemp);
}
extraData.push_back(other);
}
else{
extraData.push_back(L"");
}
break;
case REG_DWORD:
extraData.push_back(L"REG_DWORD");
if(registryData != NULL){
swprintf_s(szTemp, 256, L"%lx", ((DWORD *)registryData)[0]);
extraData.push_back(szTemp);
}
else{
extraData.push_back(L"");
}
break;
//TODO: Untested
case REG_DWORD_BIG_ENDIAN:
extraData.push_back(L"REG_DWORD_BIG_ENDIAN");
if(registryData != NULL){
swprintf_s(szTemp, 256, L"%x%x%x%x", registryData[0],registryData[1],registryData[2],registryData[3]);
extraData.push_back(szTemp);
}
else{
extraData.push_back(L"");
}
break;
//From MS: "A Unicode string naming a symbolic link."
//TODO: Untested
case REG_LINK:
extraData.push_back(L"REG_LINK");
if(registryData != NULL){
extraData.push_back((wchar_t *)registryData);
}
else{
extraData.push_back(L"");
}
break;
//TODO: regedit won't let me make a string,empty string, string, but that
// doesn't mean something else might not be able to do it. Look into it as it would
// break the while condition into ending early.
case REG_MULTI_SZ:
extraData.push_back(L"REG_MULTI_SZ");
if(registryData != NULL){
while(((wchar_t *)registryData)[0] != '\0' ){
other.append((wchar_t *)registryData);
other.append(L"-|-");
tmp_len = wcsnlen((wchar_t *)registryData, 512); //This doesn't count the null char in the length
registryData = (BYTE *)((wchar_t *)registryData + (tmp_len + 1));
}
extraData.push_back(other);
}
else{
extraData.push_back(L"");
}
break;
//TODO: Untested, "A series of nested arrays..."
case REG_RESOURCE_LIST:
extraData.push_back(L"REG_RESOURCE_LIST");
if(registryData != NULL){
extraData.push_back(L"FILL IN");
}
else{
extraData.push_back(L"");
}
break;
//TODO: Untested, "A series of nested arrays..."
case REG_FULL_RESOURCE_DESCRIPTOR:
extraData.push_back(L"REG_FULL_RESOURCE_DESCRIPTOR");
if(registryData != NULL){
extraData.push_back(L"FILL IN");
}
else{
extraData.push_back(L"");
}
break;
//TODO: Untested, "A series of nested arrays..."
case REG_RESOURCE_REQUIREMENTS_LIST:
extraData.push_back(L"REG_RESOURCE_REQUIREMENTS_LIST");
if(registryData != NULL){
extraData.push_back(L"FILL IN");
}
else{
extraData.push_back(L"");
}
break;
case REG_QWORD_LITTLE_ENDIAN:
extraData.push_back(L"REG_QWORD");
if(registryData != NULL){
swprintf_s(szTemp, 256, L"%lx%lx", ((DWORD *)registryData)[0],((DWORD *)registryData)[1]);
extraData.push_back(szTemp);
}
else{
extraData.push_back(L"");
}
break;
default:
extraData.push_back(L"UNKNOWN TYPE!");
if(registryData != NULL){
swprintf_s(szTemp, 256, L"%ld", e->dataType);
extraData.push_back(szTemp);
}
else{
extraData.push_back(L"");
}
break;
}
signal_onRegistryEvent(registryEventName, time, processPath, registryPath, extraData);
}
if(registryData != NULL)
free(registryData);
if(szRegistryPath != NULL)
free(szRegistryPath);
offset += sizeof(REGISTRY_EVENT) + e->registryPathLengthB + e->dataLengthB;
}while(offset < dwReturn);
}
if(dwReturn == (REGISTRY_EVENTS_BUFFER_SIZE))
{
waitTime = REGISTRY_BUFFER_FULL_WAIT_TIME;
} else {
waitTime = REGISTRY_DEFAULT_WAIT_TIME;
}
Sleep(waitTime);
}
SetEvent(hMonitorStoppedEvent);
}
