template<> inline JUINT32 JList<JPER_RECORD>::CopyObject(JList<JPER_RECORD>& rDst,
JList<JPER_RECORD>& rSrc)
{
JPER_RECORD* pDstData = JNULL;
JListItem<JPER_RECORD>* pDstItem = JNULL;
JUINT32 uiLen = 0;
JPER_RECORD* pSrcData = JNULL;
JListItem<JPER_RECORD>* pSrcItem = JNULL;
JListItem<JPER_RECORD>* prevDstItem = JNULL;
rDst.m_pHead = JNULL;
rDst.m_pTail = JNULL;
JLogAutoPtr clsLogAutoPtr(JSingleton<JLog>::instance(),
JLOG_MOD_LIST, "JList::CopyObject");
JListIterator<JPER_RECORD> clsListIter(rSrc);
for (clsListIter.First(); clsListIter.Done(); clsListIter.Next())
{
pSrcItem = clsListIter.Item();
pDstData = JNULL;
pSrcData = pSrcItem->GetData();
uiLen = pSrcItem->GetDataLength();
if (uiLen)
{
//alloc memory for the dst data
pDstData =
reinterpret_cast<JPER_RECORD*>(JSingleton<JStaticMemory>::instance()->Alloc(uiLen+1));
if (pDstData)
{
SafeMemset(reinterpret_cast<JCHAR*>(pDstData), 0, uiLen+1);
SafeMemcpy(reinterpret_cast<JCHAR*>(pDstData),
reinterpret_cast<JCHAR*>(pSrcData), uiLen, uiLen+1);
}
else
{
JSingleton<JLog>::instance2() << set(JLOG_MOD_LIST, JLOG_ERROR_LEVEL)
<< "JList::CopyObject memory alloc failure\n";
return JFAILURE;
}
}
//construct the dst item
pDstItem = new JListItem<JPER_RECORD>(pDstData);
pDstItem->SetDataLength(uiLen);
rDst.InsertItem(pDstItem, prevDstItem);
prevDstItem = pDstItem;
}
return JSUCCESS;
}
void Slave::StartNode(IKernel * kernel, const char * cmd) {
char process[MAX_CMD_LEN];
#ifdef WIN32
SafeSprintf(process, sizeof(process), "%s/%s.exe", tools::GetAppPath(), EXECUTE_NAME);
STARTUPINFO si = { sizeof(si) };
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = TRUE;
si.lpTitle = (char*)cmd;
PROCESS_INFORMATION pi;
BOOL ret = CreateProcess(process, (char*)cmd, nullptr, nullptr, false, CREATE_NEW_CONSOLE, nullptr, nullptr, &si, &pi);
OASSERT(ret, "create process failed");
::CloseHandle(pi.hThread);
::CloseHandle(pi.hProcess);
#else
SafeSprintf(process, sizeof(process), "%s/%s", tools::GetAppPath(), EXECUTE_NAME);
char args[MAX_CMD_LEN];
SafeSprintf(args, sizeof(args), cmd);
char * p[MAX_CMD_ARGS_COUNT];
SafeMemset(p, sizeof(p), 0, sizeof(p));
p[0] = EXECUTE_NAME;
s32 idx = 1;
char * checkPtr = args;
char * innderPtr = nullptr;
while ((p[idx] = strtok_r(checkPtr, " ", &innderPtr)) != nullptr) {
++idx;
checkPtr = nullptr;
}
pid_t pid;
pid = fork();
if (pid < 0) {
OASSERT(false, "start process failed");
}
else if (pid == 0) {
pid = fork();
if (pid == 0)
execv(process, p);
else
exit(0);
}
else {
s32 status;
waitpid(pid, &status, 0);
}
#endif
}
Connection::Connection(const SOCKET fd, const s32 sendSize, const s32 recvSize)
: _fd(fd)
, _session(nullptr)
, _remotePort(0)
#ifdef _DEBUG
, _establish(false)
#endif
, _closing(false)
, _sending(false)
, _recving(false)
, _isSocketClosed(false) {
OASSERT(recvSize > SINGLE_RECV_SIZE, "wtf");
_sendBuf = RingBufferAlloc(sendSize);
_recvBuf = RingBufferAlloc(recvSize);
SafeMemset(&_addr, sizeof(_addr), 0, sizeof(_addr));
SafeMemset(&_connect, sizeof(_connect), 0, sizeof(_connect));
_connect.opt = IOCP_OPT_CONNECT;
_connect.socket = _fd;
_connect.bytes = 0;
_connect.context = this;
SafeMemset(&_recv, sizeof(_recv), 0, sizeof(_recv));
_recv.opt = IOCP_OPT_RECV;
_recv.socket = _fd;
_recv.bytes = 0;
_recv.context = this;
_recv.buf.buf = (char*)MALLOC(SINGLE_RECV_SIZE);
_recv.buf.len = SINGLE_RECV_SIZE;
SafeMemset(&_send, sizeof(_send), 0, sizeof(_send));
_send.opt = IOCP_OPT_SEND;
_send.socket = _fd;
_send.bytes = 0;
_send.context = this;
}
/*******************************************************************************
* Function: GetObfuscationPayloadCallback()
*
* ObfuscationCallback for returning an allocated obfuscated payload.
*
* Arguments
* DAQ_PktHdr_t *pkth
* The pcap header information associated with the payload being
* obfuscated.
* uint8_t *packet_data
* Pointer to the packet data to be obfuscated
* ob_char_t ob_char
* The obfuscation character
* ob_size_t length
* The length of the portion of packet payload to use
* void *user_data
* The ObfuscatedPayload data
*
* Returns
* OB_RET_ERROR if copying obfuscation data is not successful
* OB_RET_SUCCESS if successful copying data to payload
*
******************************************************************************/
static ObRet GetObfuscatedPayloadCallback(const DAQ_PktHdr_t *pkth,
const uint8_t *packet_data, ob_size_t length,
ob_char_t ob_char, void *user_data)
{
ObfuscatedPayload *ob_payload = (ObfuscatedPayload *)user_data;
uint8_t *payload;
ob_size_t payload_len, payload_size;
if (ob_payload == NULL)
return OB_RET_ERROR;
if ((ob_payload->payload == NULL) || (ob_payload->payload_len == NULL))
return OB_RET_ERROR;
payload = *ob_payload->payload;
payload_len = *ob_payload->payload_len;
payload_size = ob_payload->payload_size;
if ((payload_len + length) > payload_size)
{
/* Allocate extra so we don't have to reallocate every time in */
ob_size_t new_size = payload_len + length + 100;
uint8_t *tmp = (uint8_t *)SnortAlloc(new_size);
if (payload != NULL)
{
if (SafeMemcpy(tmp, payload, payload_len,
tmp, tmp + new_size) != SAFEMEM_SUCCESS)
{
free(tmp);
free(payload);
return OB_RET_ERROR;
}
free(payload);
}
payload_size = new_size;
ob_payload->payload_size = new_size;
*ob_payload->payload = tmp;
payload = tmp;
}
if (packet_data != NULL)
{
if (SafeMemcpy(payload + payload_len, packet_data, length,
payload, payload + payload_size) != SAFEMEM_SUCCESS)
{
free(payload);
return OB_RET_ERROR;
}
}
else
{
if (SafeMemset(payload + payload_len, (uint8_t)ob_char, length,
payload, payload + payload_size) != SAFEMEM_SUCCESS)
{
free(payload);
return OB_RET_ERROR;
}
}
*ob_payload->payload_len += length;
return OB_RET_SUCCESS;
}
/*******************************************************************************
* Function: TraverseObfuscationList()
*
* This is the main function for obfuscating a payload or stream segments.
* It walks through a packet and obfuscation entries, calling the user
* callback with obfuscated and non-obfuscated instructions.
*
* Arguments
* ObfuscationCallbackData *data
* The state tracking data structure. Has the packet being obfuscated,
* current obfuscation entry and total number of bytes obfuscated thus
* far.
* DAQ_PktHdr_t *pkth
* The pcap header information associated with the payload being
* obfuscated.
* uint8_t *pkt
* The start of the packet including Ethernet headers, etc.
* uint8_t *payload
* Pointer to the payload data to be obfuscated
* ob_size_t
* The size of the payload data
*
* Returns
* OB_RET_SUCCESS if successfully completed
* OB_RET_ERROR if the user callback doesn't return OB_RET_SUCCESS
*
******************************************************************************/
static ObRet TraverseObfuscationList(ObfuscationCallbackData *data,
const DAQ_PktHdr_t *pkth, const uint8_t *payload_data,
ob_size_t payload_size)
{
int i;
ob_size_t total_offset = data->total_offset;
ob_size_t payload_offset = 0;
const DAQ_PktHdr_t *pkth_tmp = pkth;
#ifdef OBFUSCATION_TEST
uint8_t print_array[OB_LENGTH_MAX];
ob_size_t start_total_offset = 0;
ob_size_t start_payload_offset = 0;
#endif
if ((payload_data == NULL) || (payload_size == 0))
return OB_RET_ERROR;
#ifdef OBFUSCATION_TEST
LogMessage("Payload data: %u bytes\n", payload_size);
LogMessage("==============================================================="
"=================\n");
#endif
/* Start from current saved obfuscation entry index */
for (i = data->entry_index; i < ob_struct.num_entries; i++)
{
/* Get the entry from the sorted array */
const ObfuscationEntry *entry = ob_struct.sort_entries[i];
ob_size_t ob_offset = entry->offset;
ob_size_t ob_length = entry->length;
/* Make sure it's for the right packet */
if (entry->p != data->packet)
{
#ifdef OBFUSCATION_TEST
LogMessage("flags1: %08x, flags2: %08x\n", entry->p->packet_flags, data->packet->packet_flags);
#endif
continue;
}
/* We've already obfuscated this part of the packet payload
* Account for overflow */
if (((ob_offset + ob_length) <= total_offset)
&& ((ob_offset + ob_length) > ob_offset))
{
continue;
}
#ifdef OBFUSCATION_TEST
LogMessage(" Total offset: %u\n\n", total_offset);
start_total_offset = total_offset;
start_payload_offset = payload_offset;
#endif
/* Note the obfuscation offset is only used at this point to determine
* the amount of data that does not need to be obfuscated up to the
* offset or the length of what needs to be obfuscated if the offset
* is less than what's already been logged */
if (ob_offset > total_offset)
{
/* Get the amount of non-obfuscated data - need to log straight
* packet data up to obfuscation offset */
ob_size_t length = ob_offset - total_offset;
/* If there is more length than what's left in the packet,
* truncate it, do we don't overflow */
if (length > (payload_size - payload_offset))
length = payload_size - payload_offset;
/* Call the user callback and tell it not to obfuscate the data
* by passing in a non-NULL packet pointer */
if (data->user_callback(pkth_tmp, payload_data + payload_offset,
length, 0, data->user_data) != OB_RET_SUCCESS)
{
return OB_RET_ERROR;
}
#ifdef OBFUSCATION_TEST
SafeMemcpy(print_array + payload_offset, payload_data + payload_offset,
length, print_array, print_array + sizeof(print_array));
#endif
/* Only the first payload call sends the pcap_pkthdr */
pkth_tmp = NULL;
/* Adjust offsets */
payload_offset += length;
total_offset += length;
/* If there is no more packet data, break out of the loop */
if (payload_offset == payload_size)
{
#ifdef OBFUSCATION_TEST
PrintPacketData(print_array + start_payload_offset, length);
LogMessage("\n");
#endif
break;
}
}
else if (ob_offset < total_offset)
{
/* If the entries offset is less than the current total offset,
* decrease the length. */
ob_length -= (total_offset - ob_offset);
}
/* Adjust the amount of data to obfuscate if it exceeds the amount of
* data left in the packet. Account for overflow */
if (((payload_offset + ob_length) > payload_size)
|| ((payload_offset + ob_length) <= payload_offset))
{
ob_length = payload_size - payload_offset;
}
/* Call the user callback and tell it to obfuscate the data by passing
* in a NULL packet pointer */
if (data->user_callback(pkth_tmp, NULL, ob_length,
entry->ob_char, data->user_data) != OB_RET_SUCCESS)
{
return OB_RET_ERROR;
}
#ifdef OBFUSCATION_TEST
LogMessage(" Entry: %d\n", i);
LogMessage(" --------------------------\n");
PrintObfuscationEntry(entry, 4);
LogMessage("\n");
SafeMemset(print_array + payload_offset, entry->ob_char,
ob_length, print_array, print_array + sizeof(print_array));
if (ob_length < entry->length)
{
if (ob_offset < start_total_offset)
{
if (payload_offset + ob_length == payload_size)
{
LogMessage(" Obfuscating beyond already obfuscated "
"(%u bytes) and to end of payload: %u bytes\n\n",
(start_total_offset - ob_offset), ob_length);
}
else
{
LogMessage(" Obfuscating beyond already obfuscated "
"(%u bytes): %u bytes\n\n",
(start_total_offset - ob_offset), ob_length);
}
}
else
{
LogMessage(" Obfuscating to end of payload: "
"%u bytes\n\n", ob_length);
}
}
else
{
LogMessage(" Obfuscating: %u bytes\n\n", ob_length);
}
PrintPacketData(print_array + start_payload_offset,
(payload_offset - start_payload_offset) + ob_length);
if (((entry->offset + entry->length) - (total_offset + ob_length)) > 0)
{
LogMessage("\n Remaining amount to obfuscate: %u bytes\n",
(entry->offset + entry->length) - (total_offset + ob_length));
}
LogMessage("\n");
#endif
/* Only the first payload call sends the pcap_pkthdr */
pkth_tmp = NULL;
/* Adjust offsets */
payload_offset += ob_length;
total_offset += ob_length;
/* If there is no more packet data, break out of the loop */
if (payload_offset == payload_size)
break;
}
/* There's more data in the packet left, meaning we ran out of
* obfuscation entries */
if (payload_size > payload_offset)
{
ob_size_t length = payload_size - payload_offset;
/* Call the user callback and tell it not to obfuscate the data
* by passing in a non-NULL packet pointer */
if (data->user_callback(pkth_tmp, payload_data + payload_offset,
length, 0, data->user_data) != OB_RET_SUCCESS)
{
return OB_RET_ERROR;
}
#ifdef OBFUSCATION_TEST
SafeMemcpy(print_array + payload_offset, payload_data + payload_offset,
length, print_array, print_array + sizeof(print_array));
#endif
/* Adjust offsets - don't need to adjust packet offset since
* we're done with the packet */
total_offset += length;
}
#ifdef OBFUSCATION_TEST
LogMessage("Obfuscated payload\n");
LogMessage("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
"~~~~~~~~~~\n");
PrintPacketData(print_array, payload_size);
LogMessage("\n\n");
#endif
/* Save these for next time we come in if necessary. Mainly for
* traversing stream segments */
data->entry_index = i;
data->total_offset = total_offset;
return OB_RET_SUCCESS;
}
JCHAR* JEvent::Serialize(JUINT32 *uiLen)
{
JUINT32 uiAllocLen = 0;
JUINT32 uiLeaveLen = 0;
JCHAR* pBuf = JNULL;
JCHAR* pTmpBuf = JNULL;
JEVT_TYPE* pEvtType = JNULL;
JUINT32* pLen = JNULL;
JUINT32* pBodyLen = JNULL;
JLogAutoPtr clsLogAutoPtr(JSingleton<JLog>::instance(),
JLOG_MOD_EVENT, "JEvent::Serialize");
//calcualte the total event message length
uiAllocLen += sizeof(JEVT_TYPE);
//m_strFromProc size
uiAllocLen += sizeof(JUINT32);
uiAllocLen += m_strFromProc.GetLength();
//m_strFromThrd size
uiAllocLen += sizeof(JUINT32);
uiAllocLen += m_strFromThrd.GetLength();
//m_strFromMod size
uiAllocLen += sizeof(JUINT32);
uiAllocLen += m_strFromMod.GetLength();
//m_strToProc size
uiAllocLen += sizeof(JUINT32);
uiAllocLen += m_strToProc.GetLength();
//m_strToThrd size
uiAllocLen += sizeof(JUINT32);
uiAllocLen += m_strToThrd.GetLength();
//m_strToMod size
uiAllocLen += sizeof(JUINT32);
uiAllocLen += m_strToMod.GetLength();
//m_pBody size
uiAllocLen += sizeof(JUINT32);
if (m_pBody)
{
uiAllocLen += m_pBody->GetLength();
}
pBuf = JSingleton<JStaticMemory>::instance()->Alloc(uiAllocLen+1);
if (pBuf)
{
SafeMemset(pBuf, 0, uiAllocLen+1);
pTmpBuf = pBuf;
uiLeaveLen = uiAllocLen+1;
//store the event type into the buffer
pEvtType = reinterpret_cast<JEVT_TYPE*>(pTmpBuf);
*pEvtType = m_eType;
pTmpBuf += sizeof(JEVT_TYPE);
uiLeaveLen -= sizeof(JEVT_TYPE);
//first store the from process length into the buffer
pLen = reinterpret_cast<JUINT32*>(pTmpBuf);
*pLen = m_strFromProc.GetLength();
pTmpBuf += sizeof(JUINT32);
uiLeaveLen -= sizeof(JUINT32);
//then store the from process into the buffer
if (*pLen)
{
SafeStrcpy(pTmpBuf, m_strFromProc.c_str(), uiLeaveLen);
pTmpBuf += *pLen;
uiLeaveLen -= *pLen;
}
//first store the from thread length into the buffer
pLen = reinterpret_cast<JUINT32*>(pTmpBuf);
*pLen = m_strFromThrd.GetLength();
pTmpBuf += sizeof(JUINT32);
uiLeaveLen -= sizeof(JUINT32);
//then store the from thread into the buffer
if (*pLen)
{
SafeStrcpy(pTmpBuf, m_strFromThrd.c_str(), uiLeaveLen);
pTmpBuf += *pLen;
uiLeaveLen -= *pLen;
}
//first store the from module length into the buffer
pLen = reinterpret_cast<JUINT32*>(pTmpBuf);
*pLen = m_strFromMod.GetLength();
pTmpBuf += sizeof(JUINT32);
uiLeaveLen -= sizeof(JUINT32);
//then store the from module into the buffer
if (*pLen)
{
SafeStrcpy(pTmpBuf, m_strFromMod.c_str(), uiLeaveLen);
pTmpBuf += *pLen;
uiLeaveLen -= *pLen;
}
//first store the to process length into the buffer
pLen = reinterpret_cast<JUINT32*>(pTmpBuf);
*pLen = m_strToProc.GetLength();
pTmpBuf += sizeof(JUINT32);
uiLeaveLen -= sizeof(JUINT32);
//then store the to process into the buffer
if (*pLen)
{
SafeStrcpy(pTmpBuf, m_strToProc.c_str(), uiLeaveLen);
pTmpBuf += *pLen;
uiLeaveLen -= *pLen;
}
//first store the to thread length into the buffer
pLen = reinterpret_cast<JUINT32*>(pTmpBuf);
*pLen = m_strToThrd.GetLength();
pTmpBuf += sizeof(JUINT32);
uiLeaveLen -= sizeof(JUINT32);
//then store the to thread into the buffer
if (*pLen)
{
SafeStrcpy(pTmpBuf, m_strToThrd.c_str(), uiLeaveLen);
pTmpBuf += *pLen;
uiLeaveLen -= *pLen;
}
//first store the to module length into the buffer
pLen = reinterpret_cast<JUINT32*>(pTmpBuf);
*pLen = m_strToMod.GetLength();
pTmpBuf += sizeof(JUINT32);
uiLeaveLen -= sizeof(JUINT32);
//then store the to module into the buffer
if (*pLen)
{
SafeStrcpy(pTmpBuf, m_strToMod.c_str(), uiLeaveLen);
pTmpBuf += *pLen;
uiLeaveLen -= *pLen;
}
//first store the body length into the buffer
pBodyLen = reinterpret_cast<JUINT32*>(pTmpBuf);
if (m_pBody)
{
*pBodyLen = m_pBody->GetLength();
pTmpBuf += sizeof(JUINT32);
uiLeaveLen -= sizeof(JUINT32);
//then store the body into the buffer
if (*pBodyLen)
{
m_pBody->Serialize(pTmpBuf, uiLeaveLen);
}
}
else
{
*pBodyLen = 0;
pTmpBuf += sizeof(JUINT32);
uiLeaveLen -= sizeof(JUINT32);
}
*uiLen = uiAllocLen;
return pBuf;
}
return JNULL;
}
