RBOOL
collector_3_cleanup
(
HbsState* hbsState,
rSequence config
)
{
RBOOL isSuccess = FALSE;
UNREFERENCED_PARAMETER( config );
if( NULL != hbsState )
{
if( notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, processNewProcesses ) &&
notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, NULL, processNewModule ) )
{
isSuccess = TRUE;
}
rpal_bloom_destroy( knownCode );
knownCode = NULL;
}
return isSuccess;
}
RBOOL
collector_3_cleanup
(
HbsState* hbsState,
rSequence config
)
{
RBOOL isSuccess = FALSE;
UNREFERENCED_PARAMETER( config );
if( NULL != hbsState )
{
if( notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, processNewProcesses ) &&
notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, NULL, processNewModule ) &&
notifications_unsubscribe( RP_TAGS_NOTIFICATION_SERVICE_CHANGE, NULL, processHashedEvent ) &&
notifications_unsubscribe( RP_TAGS_NOTIFICATION_DRIVER_CHANGE, NULL, processHashedEvent ) &&
notifications_unsubscribe( RP_TAGS_NOTIFICATION_AUTORUN_CHANGE, NULL, processHashedEvent ) &&
notifications_unsubscribe( RP_TAGS_NOTIFICATION_OS_SERVICES_REP, NULL, processGenericSnapshot ) &&
notifications_unsubscribe( RP_TAGS_NOTIFICATION_OS_DRIVERS_REP, NULL, processGenericSnapshot ) &&
notifications_unsubscribe( RP_TAGS_NOTIFICATION_OS_PROCESSES_REP, NULL, processGenericSnapshot ) &&
notifications_unsubscribe( RP_TAGS_NOTIFICATION_OS_AUTORUNS_REP, NULL, processGenericSnapshot ) )
{
isSuccess = TRUE;
}
rpal_bloom_destroy( g_knownCode );
g_knownCode = NULL;
rMutex_free( g_mutex );
g_mutex = NULL;
}
return isSuccess;
}
RBOOL
collector_3_init
(
HbsState* hbsState,
rSequence config
)
{
RBOOL isSuccess = FALSE;
UNREFERENCED_PARAMETER( config );
if( NULL != hbsState )
{
if( NULL != ( knownCode = rpal_bloom_create( 50000, 0.00001 ) ) )
{
isSuccess = FALSE;
if( notifications_subscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, 0, NULL, processNewProcesses ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, NULL, 0, NULL, processNewModule ) )
{
isSuccess = TRUE;
}
else
{
notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, NULL, processNewModule );
rpal_bloom_destroy( knownCode );
}
}
}
return isSuccess;
}
static
RPVOID
continuousFileScan
(
rEvent isTimeToStop,
RPVOID ctx
)
{
rSequence event = NULL;
RU32 timeout = 0;
RPWCHAR strW = NULL;
RPCHAR strA = NULL;
YaraMatchContext matchContext = { 0 };
RU32 scanError = 0;
rBloom knownFiles = NULL;
UNREFERENCED_PARAMETER( ctx );
if( NULL == ( knownFiles = rpal_bloom_create( 100000, 0.00001 ) ) )
{
return NULL;
}
while( !rEvent_wait( isTimeToStop, timeout ) )
{
if( rQueue_remove( g_async_files_to_scan, (RPVOID*)&event, NULL, MSEC_FROM_SEC( 2 ) ) )
{
if( rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &strW ) )
{
strA = rpal_string_wtoa( strW );
}
else
{
rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &strA );
}
if( NULL != strA &&
rpal_bloom_addIfNew( knownFiles, strA, rpal_string_strlen( strA ) ) )
{
rpal_debug_info( "yara scanning %s", strA );
matchContext.fileInfo = event;
if( rMutex_lock( g_global_rules_mutex ) )
{
if( NULL != g_global_rules )
{
rpal_debug_info( "scanning continuous file with yara" );
if( ERROR_SUCCESS != ( scanError = yr_rules_scan_file( g_global_rules,
strA,
SCAN_FLAGS_FAST_MODE,
_yaraFileMatchCallback,
&matchContext,
60 ) ) )
{
rpal_debug_warning( "Yara file scan error: %d", scanError );
}
}
rMutex_unlock( g_global_rules_mutex );
}
}
if( NULL != strA && NULL != strW )
{
// If both are allocated it means we got a strW and converted to A
// so we must free the strA version.
rpal_memory_free( strA );
}
strA = NULL;
strW = NULL;
rSequence_free( event );
timeout = _TIMEOUT_BETWEEN_FILE_SCANS;
}
else
{
timeout = 0;
}
}
rpal_bloom_destroy( knownFiles );
yr_finalize_thread();
return NULL;
}
static
HObs
_getModuleDiskStringSample
(
RPNCHAR modulePath,
RU32* pLastScratch,
rEvent isTimeToStop,
LibOsPerformanceProfile* perfProfile
)
{
HObs sample = NULL;
RPU8 scratch = NULL;
rFile hFile = NULL;
RU32 read = 0;
RPU8 start = NULL;
RPU8 end = NULL;
RU32 toSkip = 0;
RU32 longestLength = 0;
RBOOL isUnicode = FALSE;
RPU8 sampleNumber = 0;
rBloom stringsSeen = NULL;
RU64 readOffset = 0;
UNREFERENCED_PARAMETER( isTimeToStop );
if( NULL != modulePath &&
NULL != pLastScratch )
{
readOffset = *pLastScratch * _SCRATCH_SIZE;
if( NULL != ( stringsSeen = rpal_bloom_create( _MAX_DISK_SAMPLE_SIZE, 0.0001 ) ) )
{
if( NULL != ( scratch = rpal_memory_alloc( _SCRATCH_SIZE ) ) )
{
if( rFile_open( modulePath, &hFile, RPAL_FILE_OPEN_EXISTING |
RPAL_FILE_OPEN_READ ) )
{
if( readOffset == rFile_seek( hFile,
readOffset,
rFileSeek_SET ) &&
0 != ( read = rFile_readUpTo( hFile, _SCRATCH_SIZE, scratch ) ) )
{
if( NULL != ( sample = obsLib_new( _MAX_DISK_SAMPLE_SIZE, 0 ) ) )
{
( *pLastScratch )++;
start = scratch;
end = scratch + read;
// We parse for strings up to 'read', we don't care about the
// memory boundary, we might truncate some strings but we're
// sampling anyway.
while( !rEvent_wait( isTimeToStop, 0 ) &&
( start >= scratch ) && ( start >= scratch ) &&
( start + _MIN_SAMPLE_STR_LEN ) < ( scratch + read ) &&
_MAX_DISK_SAMPLE_SIZE >= PTR_TO_NUMBER( sampleNumber ) )
{
libOs_timeoutWithProfile( perfProfile, TRUE, isTimeToStop );
isUnicode = FALSE;
if( _longestString( (RPCHAR)start,
(RU32)( end - start ),
&toSkip,
&longestLength,
&isUnicode ) &&
_MIN_SAMPLE_STR_LEN <= longestLength &&
_MAX_SAMPLE_STR_LEN >= longestLength )
{
if( rpal_bloom_addIfNew( stringsSeen,
start,
longestLength ) )
{
if( obsLib_addPattern( sample,
start,
longestLength,
sampleNumber ) )
{
sampleNumber++;
}
}
}
start += toSkip;
}
}
}
rFile_close( hFile );
}
rpal_memory_free( scratch );
}
rpal_bloom_destroy( stringsSeen );
}
}
return sample;
}
