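/*
 * Demo-sample bootstrap: move the running image (g_self_path) to the first
 * candidate path in bootstrapLocations that accepts it, then start a new
 * process from that path.
 *
 * Candidates are tried in array order. Any stale copy at a candidate is
 * deleted first (best effort, result ignored). The loop ends after the first
 * successful move, whether or not the relaunch from it succeeded. Both the
 * move and the process creation happen at fixed, well-known paths, so from a
 * monitoring standpoint they are ordinary file-system and process-creation
 * events at those locations.
 *
 * No return value; failures are only logged.
 */
static RVOID relaunchInPermanentLocation( )
{
    RPWCHAR bootstrapLocations[] = { _WCH( "%SYSTEMDRIVE%\\$Recycle.Bin\\MALWARE_DEMO_WINDOWS_1.exe" ),
                                     _WCH( "%SYSTEMDRIVE%\\RECYCLER\\MALWARE_DEMO_WINDOWS_1.exe" ),
                                     _WCH( "%windir%\\system32\\tasks\\MALWARE_DEMO_WINDOWS_1.exe" ),
                                     _WCH( "%USERPROFILE%\\MALWARE_DEMO_WINDOWS_1.exe" ) };
    RU32 i = 0;
    STARTUPINFOW startupInfo = {0};
    PROCESS_INFORMATION procInfo = {0};
    RPWCHAR expandedPath = NULL;

    // CreateProcessW expects cb to carry the size of the structure it is given.
    startupInfo.cb = sizeof( startupInfo );

    for( i = 0; i < ARRAY_N_ELEM( bootstrapLocations ); i++ )
    {
        rpal_debug_info( "trying to move to bootstrap location %d...", i );

        // Clear a stale copy if one is there; the move below reports the real outcome.
        rpal_file_delete( bootstrapLocations[ i ], FALSE );

        if( !rpal_file_move( g_self_path, bootstrapLocations[ i ] ) )
        {
            rpal_debug_warning( "could not move to new bootstrap location, may not have permission..." );
            continue;
        }

        rpal_debug_info( "successfully moved to bootstrap location!" );
        rpal_debug_info( "launching in new location (%ls)...", bootstrapLocations[ i ] );

        // GetLastError() is only meaningful when CreateProcessW actually ran,
        // i.e. when the expansion succeeded.
        if( rpal_string_expand( bootstrapLocations[ i ], &expandedPath ) &&
            0 != CreateProcessW( expandedPath,
                                 NULL,
                                 NULL,
                                 NULL,
                                 FALSE,
                                 CREATE_NO_WINDOW,
                                 NULL,
                                 NULL,
                                 &startupInfo,
                                 &procInfo ) )
        {
            rpal_debug_info( "successfully launched from new location." );

            // Nothing waits on the child, so release the handles CreateProcessW
            // returned instead of leaking them.
            CloseHandle( procInfo.hThread );
            CloseHandle( procInfo.hProcess );
        }
        else
        {
            rpal_debug_error( "error launching from permanent location: %d.", GetLastError() );
        }

        if( NULL != expandedPath )
        {
            rpal_memory_free( expandedPath );
            expandedPath = NULL;
        }

        // Exactly one relocation is attempted, even if launching from it failed.
        break;
    }
}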
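/*
 * Expand `pattern` with rpal_string_expand and register the result with
 * `matcher` via obsLib_addStringPatternN.
 *
 * @param matcher   obsLib matcher that receives the pattern.
 * @param pattern   native-char pattern; it is expanded before registration and
 *                  the expanded copy is freed here.
 * @param isSuffix  passed through to obsLib: TRUE for a suffix match, FALSE otherwise.
 * @param context   opaque value passed through to obsLib with the pattern.
 * @return TRUE if the pattern was expanded and accepted by the matcher,
 *         FALSE if expansion failed or obsLib rejected it.
 */
static RBOOL _addPattern( HObs matcher, RPNCHAR pattern, RBOOL isSuffix, RPVOID context )
{
    RBOOL isSuccess = FALSE;
    RBOOL isCaseInsensitive = FALSE;
    RPNCHAR expanded = NULL;

#ifdef RPAL_PLATFORM_WINDOWS
    // On Windows files and paths are not case sensitive.
    isCaseInsensitive = TRUE;
#endif

    if( rpal_string_expand( pattern, &expanded ) )
    {
        // The add's result used to be dropped, so this function always returned
        // FALSE; propagate it so callers can tell a rejected pattern apart.
        isSuccess = obsLib_addStringPatternN( matcher, expanded, isSuffix, isCaseInsensitive, context );
        rpal_memory_free( expanded );
    }

    return isSuccess;
}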
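/*
 * Register every string tagged `tag` in `list` with both matchers: the narrow
 * form (after rpal_string_expand) goes to hMatcherA and the wide form (after
 * rpal_string_expandw) to hMatcherW. Strings stored narrow are converted with
 * rpal_string_atow for the wide matcher, strings stored wide with
 * rpal_string_wtoa for the narrow one. A NULL list registers nothing.
 *
 * Results of the obsLib_addStringPattern* calls are not checked, matching the
 * best-effort policy of the original inline loops.
 *
 * @param list               rList to iterate, may be NULL.
 * @param tag                tag of the string elements to pull from the list.
 * @param hMatcherA          narrow-char matcher.
 * @param hMatcherW          wide-char matcher.
 * @param isSuffix           passed through to obsLib for every pattern.
 * @param isCaseInsensitive  passed through to obsLib for every pattern.
 */
static RVOID _addListPatterns( rList list,
                               RU32 tag,
                               HObs hMatcherA,
                               HObs hMatcherW,
                               RBOOL isSuffix,
                               RBOOL isCaseInsensitive )
{
    RPCHAR strA = NULL;
    RPCHAR tmpA = NULL;
    RPWCHAR strW = NULL;
    RPWCHAR tmpW = NULL;

    if( NULL == list )
    {
        return;
    }

    // Pass 1: elements stored as narrow strings.
    while( rList_getSTRINGA( list, tag, &strA ) )
    {
        if( rpal_string_expand( strA, &tmpA ) )
        {
            obsLib_addStringPatternA( hMatcherA, tmpA, isSuffix, isCaseInsensitive, NULL );
            rpal_memory_free( tmpA );
        }

        if( NULL != ( strW = rpal_string_atow( strA ) ) )
        {
            if( rpal_string_expandw( strW, &tmpW ) )
            {
                obsLib_addStringPatternW( hMatcherW, tmpW, isSuffix, isCaseInsensitive, NULL );
                rpal_memory_free( tmpW );
            }
            rpal_memory_free( strW );
        }
    }

    // Pass 2: elements stored as wide strings.
    while( rList_getSTRINGW( list, tag, &strW ) )
    {
        if( rpal_string_expandw( strW, &tmpW ) )
        {
            obsLib_addStringPatternW( hMatcherW, tmpW, isSuffix, isCaseInsensitive, NULL );
            rpal_memory_free( tmpW );
        }

        if( NULL != ( strA = rpal_string_wtoa( strW ) ) )
        {
            if( rpal_string_expand( strA, &tmpA ) )
            {
                obsLib_addStringPatternA( hMatcherA, tmpA, isSuffix, isCaseInsensitive, NULL );
                rpal_memory_free( tmpA );
            }
            rpal_memory_free( strA );
        }
    }
}

/*
 * Initialise collector 18 (the document cache).
 *
 * Creates the cache mutex, the narrow and wide matchers, and the document
 * ring buffer (sized from RP_TAGS_MAX_SIZE in `config`, else MAX_CACHE_SIZE);
 * populates the matchers; subscribes to file-create notifications (queued to
 * createQueue) and to get-document requests (getDocument); and queues the
 * parseDocuments task on the hbs thread pool.
 *
 * @param hbsState  collector state providing the thread pool; NULL fails the init.
 * @param config    optional configuration. NULL caches every new file (empty
 *                  pattern on both matchers). Otherwise it must carry at least
 *                  one of RP_TAGS_EXTENSIONS (matched with isSuffix TRUE) or
 *                  RP_TAGS_PATTERNS (matched with isSuffix FALSE); both lists
 *                  are honoured when both are present.
 * @return TRUE on success. On failure every file-scope object created here is
 *         released and reset to NULL.
 */
RBOOL collector_18_init( HbsState* hbsState, rSequence config )
{
    RBOOL isSuccess = FALSE;
    RBOOL hasExtensions = FALSE;
    RBOOL hasPatterns = FALSE;
    rList extensions = NULL;
    rList patterns = NULL;
    RU32 maxSize = 0;
    RBOOL isCaseInsensitive = FALSE;

    if( NULL == hbsState )
    {
        return FALSE;
    }

#ifdef RPAL_PLATFORM_WINDOWS
    // On Windows files and paths are not case sensitive.
    isCaseInsensitive = TRUE;
#endif

    if( NULL != config )
    {
        // Fetch both lists unconditionally. The previous "a || b" lookup
        // short-circuited on the first hit, so a config carrying both
        // extensions and patterns silently dropped its patterns.
        hasExtensions = rSequence_getLIST( config, RP_TAGS_EXTENSIONS, &extensions );
        hasPatterns = rSequence_getLIST( config, RP_TAGS_PATTERNS, &patterns );
    }

    if( NULL == config || hasExtensions || hasPatterns )
    {
        if( NULL != ( cacheMutex = rMutex_create() ) &&
            NULL != ( matcherA = obsLib_new( 0, 0 ) ) &&
            NULL != ( matcherW = obsLib_new( 0, 0 ) ) )
        {
            cacheSize = 0;

            if( NULL != config && rSequence_getRU32( config, RP_TAGS_MAX_SIZE, &maxSize ) )
            {
                cacheMaxSize = maxSize;
            }
            else
            {
                cacheMaxSize = MAX_CACHE_SIZE;
            }

            if( NULL != ( documentCache = HbsRingBuffer_new( 0, cacheMaxSize ) ) )
            {
                if( NULL == config )
                {
                    // As a default we'll cache all new files: an empty pattern
                    // on each matcher.
                    obsLib_addPattern( matcherA, (RPU8)"", sizeof( RCHAR ), NULL );
                    obsLib_addPattern( matcherW, (RPU8)_WCH(""), sizeof( RWCHAR ), NULL );
                }
                else
                {
                    // If a config was provided we'll cache only the extensions
                    // (suffix matches) and string patterns specified.
                    _addListPatterns( extensions, RP_TAGS_EXTENSION, matcherA, matcherW, TRUE, isCaseInsensitive );
                    _addListPatterns( patterns, RP_TAGS_STRING_PATTERN, matcherA, matcherW, FALSE, isCaseInsensitive );
                }

                // 200 is handed to rQueue_create unchanged; presumably a queue
                // capacity - confirm against rQueue_create before tuning it.
                if( rQueue_create( &createQueue, _freeEvt, 200 ) &&
                    notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, NULL, 0, createQueue, NULL ) &&
                    notifications_subscribe( RP_TAGS_NOTIFICATION_GET_DOCUMENT_REQ, NULL, 0, NULL, getDocument ) &&
                    rThreadPool_task( hbsState->hThreadPool, parseDocuments, NULL ) )
                {
                    isSuccess = TRUE;
                }
            }
        }
    }

    if( !isSuccess )
    {
        // Tear down whatever was set up. The unsubscribe/free calls are made
        // on whatever the globals hold, NULL included, as the original did.
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, createQueue, NULL );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_GET_DOCUMENT_REQ, NULL, getDocument );
        rQueue_free( createQueue );
        createQueue = NULL;
        obsLib_free( matcherA );
        obsLib_free( matcherW );
        HbsRingBuffer_free( documentCache );
        matcherA = NULL;
        matcherW = NULL;
        documentCache = NULL;
        rMutex_free( cacheMutex );
        cacheMutex = NULL;
    }

    return isSuccess;
}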