static
RVOID
processFile
(
rSequence notif
)
{
RPCHAR fileA = NULL;
RPWCHAR fileW = NULL;
RPU8 fileContent = NULL;
RU32 fileSize = 0;
CryptoLib_Hash hash = { 0 };
if( NULL != notif )
{
obsLib_resetSearchState( matcherA );
obsLib_resetSearchState( matcherW );
if( ( rSequence_getSTRINGA( notif, RP_TAGS_FILE_PATH, &fileA ) &&
obsLib_setTargetBuffer( matcherA,
fileA,
( rpal_string_strlen( fileA ) + 1 ) * sizeof( RCHAR ) ) &&
obsLib_nextHit( matcherA, NULL, NULL ) ) ||
( rSequence_getSTRINGW( notif, RP_TAGS_FILE_PATH, &fileW ) &&
obsLib_setTargetBuffer( matcherW,
fileW,
( rpal_string_strlenw( fileW ) + 1 ) * sizeof( RWCHAR ) ) &&
obsLib_nextHit( matcherW, NULL, NULL ) ) )
{
// This means it's a file of interest.
if( ( NULL != fileA &&
( ( DOCUMENT_MAX_SIZE >= rpal_file_getSize( fileA, TRUE ) &&
rpal_file_read( fileA, (RPVOID*)&fileContent, &fileSize, TRUE ) &&
CryptoLib_hash( fileContent, fileSize, &hash ) ) ||
CryptoLib_hashFileA( fileA, &hash, TRUE ) ) ) ||
( NULL != fileW &&
( ( DOCUMENT_MAX_SIZE >= rpal_file_getSizew( fileW, TRUE ) &&
rpal_file_readw( fileW, (RPVOID*)&fileContent, &fileSize, TRUE ) &&
CryptoLib_hash( fileContent, fileSize, &hash ) ) ||
CryptoLib_hashFileW( fileW, &hash, TRUE ) ) ) )
{
// We acquired the hash, either by reading the entire file in memory
// which we will use for caching, or if it was too big by hashing it
// sequentially on disk.
rSequence_unTaintRead( notif );
rSequence_addBUFFER( notif, RP_TAGS_HASH, (RPU8)&hash, sizeof( hash ) );
notifications_publish( RP_TAGS_NOTIFICATION_NEW_DOCUMENT, notif );
}
if( rMutex_lock( cacheMutex ) )
{
if( NULL == fileContent ||
!rSequence_addBUFFER( notif, RP_TAGS_FILE_CONTENT, fileContent, fileSize ) ||
!HbsRingBuffer_add( documentCache, notif ) )
{
rSequence_free( notif );
}
rMutex_unlock( cacheMutex );
}
else
{
rSequence_free( notif );
}
if( NULL != fileContent )
{
rpal_memory_free( fileContent );
}
}
else
{
rSequence_free( notif );
}
}
}
static
rList
_spotCheckProcess
(
rEvent isTimeToStop,
RU32 pid,
LibOsPerformanceProfile* perfProfile
)
{
rList hollowedModules = NULL;
rList modules = NULL;
rSequence module = NULL;
RPNCHAR modulePath = NULL;
RU32 fileSize = 0;
RU64 moduleBase = 0;
RU64 moduleSize = 0;
HObs diskSample = NULL;
rSequence hollowedModule = NULL;
RU32 lastScratchIndex = 0;
RU32 nSamplesFound = 0;
RU32 nSamplesTotal = 0;
RU32 tmpSamplesFound = 0;
RU32 tmpSamplesSize = 0;
RTIME runTime = 0;
rpal_debug_info( "spot checking process %d", pid );
if( NULL != ( modules = processLib_getProcessModules( pid ) ) )
{
while( !rEvent_wait( isTimeToStop, 0 ) &&
rList_getSEQUENCE( modules, RP_TAGS_DLL, &module ) )
{
libOs_timeoutWithProfile( perfProfile, FALSE, isTimeToStop );
runTime = rpal_time_getLocal();
modulePath = NULL;
lastScratchIndex = 0;
if( ( rSequence_getSTRINGN( module,
RP_TAGS_FILE_PATH,
&modulePath ) ) &&
rSequence_getPOINTER64( module, RP_TAGS_BASE_ADDRESS, &moduleBase ) &&
rSequence_getRU64( module, RP_TAGS_MEMORY_SIZE, &moduleSize ) )
{
if( 0 != ( fileSize = rpal_file_getSize( modulePath, TRUE ) ) )
{
nSamplesFound = 0;
nSamplesTotal = 0;
tmpSamplesFound = (RU32)( -1 );
while( !rEvent_wait( isTimeToStop, 0 ) &&
NULL != ( diskSample = _getModuleDiskStringSample( modulePath,
&lastScratchIndex,
isTimeToStop,
perfProfile ) ) )
{
libOs_timeoutWithProfile( perfProfile, TRUE, isTimeToStop );
tmpSamplesSize = obsLib_getNumPatterns( diskSample );
if( 0 != tmpSamplesSize )
{
tmpSamplesFound = _checkMemoryForStringSample( diskSample,
pid,
NUMBER_TO_PTR( moduleBase ),
moduleSize,
isTimeToStop,
perfProfile );
obsLib_free( diskSample );
if( (RU32)( -1 ) == tmpSamplesFound )
{
break;
}
nSamplesFound += tmpSamplesFound;
nSamplesTotal += tmpSamplesSize;
if( _MIN_DISK_SAMPLE_SIZE <= nSamplesTotal &&
( _MIN_SAMPLE_MATCH_PERCENT < ( (RFLOAT)nSamplesFound /
nSamplesTotal ) * 100 ) &&
_MIN_DISK_BIN_COVERAGE_PERCENT <= (RFLOAT)( ( lastScratchIndex *
_SCRATCH_SIZE ) /
fileSize ) * 100 )
{
break;
}
}
else
{
obsLib_free( diskSample );
}
}
}
else
{
rpal_debug_info( "could not get file information, not checking" );
}
rpal_debug_info( "process hollowing check found a match in %d ( %d / %d ) from %d passes in %d sec",
pid,
nSamplesFound,
nSamplesTotal,
lastScratchIndex,
rpal_time_getLocal() - runTime );
if( !rEvent_wait( isTimeToStop, 0 ) &&
(RU32)(-1) != tmpSamplesFound &&
_MIN_DISK_SAMPLE_SIZE <= nSamplesTotal &&
( ( (RFLOAT)nSamplesFound / nSamplesTotal ) * 100 ) < _MIN_SAMPLE_MATCH_PERCENT )
{
rpal_debug_info( "sign of process hollowing found in process %d", pid );
if( NULL != ( hollowedModule = rSequence_duplicate( module ) ) )
{
if( !rList_addSEQUENCE( hollowedModules, hollowedModule ) )
{
rSequence_free( hollowedModule );
}
}
}
}
else
{
rpal_debug_info( "module missing characteristic" );
}
}
rList_free( modules );
}
else
{
rpal_debug_info( "failed to get process modules, might be dead" );
}
return hollowedModules;
}
static
RVOID
processHashedEvent
(
rpcm_tag notifType,
rSequence event
)
{
RPWCHAR nameW = NULL;
RPCHAR nameA = NULL;
CryptoLib_Hash* pHash = NULL;
CryptoLib_Hash localHash = { 0 };
UNREFERENCED_PARAMETER( notifType );
if( rpal_memory_isValid( event ) )
{
if( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) ||
rSequence_getSTRINGA( event, RP_TAGS_DLL, &nameA ) ||
rSequence_getSTRINGW( event, RP_TAGS_DLL, &nameW ) ||
rSequence_getSTRINGA( event, RP_TAGS_EXECUTABLE, &nameA ) ||
rSequence_getSTRINGW( event, RP_TAGS_EXECUTABLE, &nameW ) )
{
rSequence_getBUFFER( event, RP_TAGS_HASH, (RPU8*)&pHash, NULL );
if( NULL != nameA )
{
if( NULL == pHash )
{
if( _MAX_FILE_HASH_SIZE < rpal_file_getSize( nameA, TRUE ) )
{
rSequence_unTaintRead( event );
rSequence_addRU32( event, RP_TAGS_ERROR, RPAL_ERROR_FILE_TOO_LARGE );
if( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
rSequence_getSTRINGA( event, RP_TAGS_DLL, &nameA ) ||
rSequence_getSTRINGA( event, RP_TAGS_EXECUTABLE, &nameA ) )
{
// Find the name again with shortcircuit
}
}
else if( CryptoLib_hashFileA( nameA, &localHash, TRUE ) )
{
pHash = &localHash;
}
}
processCodeIdentA( nameA, pHash, 0, event );
}
else if( NULL != nameW )
{
if( NULL == pHash )
{
if( _MAX_FILE_HASH_SIZE < rpal_file_getSizew( nameW, TRUE ) )
{
rSequence_unTaintRead( event );
rSequence_addRU32( event, RP_TAGS_ERROR, RPAL_ERROR_FILE_TOO_LARGE );
if( rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) ||
rSequence_getSTRINGW( event, RP_TAGS_DLL, &nameW ) ||
rSequence_getSTRINGW( event, RP_TAGS_EXECUTABLE, &nameW ) )
{
// Find the name again with shortcircuit
}
}
else if( CryptoLib_hashFileW( nameW, &localHash, TRUE ) )
{
pHash = &localHash;
}
}
processCodeIdentW( nameW, pHash, 0, event );
}
}
}
}
static RVOID
injectIntoProcess
(
)
{
RNCHAR strSeDebug[] = _NC( "SeDebugPrivilege" );
processLibProcEntry* procIds = NULL;
processLibProcEntry* tmpProcId = NULL;
rSequence targetProc = NULL;
RU32 targetPid = 0;
RPWCHAR procName = NULL;
RWCHAR targetProcName[] = _WCH( "EXPLORER.EXE" );
HANDLE hProc = NULL;
RU32 selfSize = 0;
RPVOID remoteDest = NULL;
SIZE_T payloadSize = 0;
RPU8 payloadBuff = NULL;
rpal_debug_info( "getting debug privilege to inject..." );
if( !Get_Privilege( strSeDebug ) )
{
rpal_debug_error( "could not get debug privilege, are we running as admin?" );
return;
}
rpal_debug_info( "getting process list to find explorer.exe" );
procIds = processLib_getProcessEntries( FALSE );
tmpProcId = procIds;
while( NULL != tmpProcId )
{
if( NULL != ( targetProc = processLib_getProcessInfo( tmpProcId->pid, NULL ) ) )
{
if( rSequence_getSTRINGN( targetProc, RP_TAGS_FILE_PATH, &procName ) )
{
rpal_string_toupper( procName );
if( NULL != rpal_string_strstr( procName, targetProcName ) )
{
rpal_debug_info( "found the target process: %d", tmpProcId->pid );
targetPid = tmpProcId->pid;
}
else
{
rpal_debug_info( "not target process, next..." );
}
}
else
{
rpal_debug_warning( "process without file path, odd..." );
}
rSequence_free( targetProc );
targetProc = NULL;
if( 0 != targetPid )
{
break;
}
}
tmpProcId++;
}
rpal_memory_free( procIds );
if( 0 != targetPid )
{
rpal_debug_info( "getting size of self..." );
if( (RU32)(-1) != ( selfSize = rpal_file_getSize( g_self_path, FALSE ) ) )
{
rpal_debug_info( "opening target process with right privileges..." );
if( NULL != ( hProc = OpenProcess( PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, targetPid ) ) )
{
rpal_debug_info( "allocating required memory in remote process..." );
if( NULL != ( remoteDest = VirtualAllocEx( hProc, NULL, selfSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE ) ) )
{
rpal_debug_info( "reading payload to memory before writing it to remote." );
if( rpal_file_read( g_self_path, (RPVOID*)&payloadBuff, (RU32*)&payloadSize, FALSE ) )
{
rpal_debug_info( "writing payload to remote process." );
if( WriteProcessMemory( hProc, remoteDest, payloadBuff, payloadSize, &payloadSize ) &&
payloadSize == selfSize )
{
rpal_debug_info( "successfully written payload to remote process. This should look like an injected PE although no thread was started." );
}
else
{
rpal_debug_error( "error writing payload to remote process." );
}
rpal_memory_free( payloadBuff );
}
else
{
rpal_debug_error( "error reading ourselves as payload." );
}
}
else
{
rpal_debug_error( "error allocating memory in remote process." );
}
CloseHandle( hProc );
}
else
{
rpal_debug_error( "error opening process with VM privilges." );
}
}
else
{
rpal_debug_error( "error getting size of self." );
}
}
}
static
RVOID
processNewModule
(
rpcm_tag notifType,
rSequence event
)
{
RPWCHAR nameW = NULL;
RPCHAR nameA = NULL;
CryptoLib_Hash fileHash = { 0 };
RU64 size = 0;
UNREFERENCED_PARAMETER( notifType );
if( rpal_memory_isValid( event ) )
{
if( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) )
{
if( ( NULL != nameA &&
_MAX_FILE_HASH_SIZE < rpal_file_getSize( nameA, TRUE ) ) ||
( NULL != nameW &&
_MAX_FILE_HASH_SIZE < rpal_file_getSizew( nameW, TRUE ) ) )
{
// We already read from the event, but we will be careful.
rSequence_unTaintRead( event );
rSequence_addRU32( event, RP_TAGS_ERROR, RPAL_ERROR_FILE_TOO_LARGE );
// We need to re-get the paths in case adding the error triggered
// a change in the structure.
if( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) )
{
// Find the name again with shortcircuit
}
}
else
{
if( NULL != nameA &&
!CryptoLib_hashFileA( nameA, &fileHash, TRUE ) )
{
rpal_debug_info( "unable to fetch file hash for ident" );
}
if( NULL != nameW &&
!CryptoLib_hashFileW( nameW, &fileHash, TRUE ) )
{
rpal_debug_info( "unable to fetch file hash for ident" );
}
}
rSequence_getRU64( event, RP_TAGS_MEMORY_SIZE, &size );
if( NULL != nameA )
{
processCodeIdentA( nameA, &fileHash, size, event );
}
else if( NULL != nameW )
{
processCodeIdentW( nameW, &fileHash, size, event );
}
}
}
}
