Ejemplo n.º 1
0
RBOOL
    collector_3_init
    (
        HbsState* hbsState,
        rSequence config
    )
{
    RBOOL isSuccess = FALSE;
    UNREFERENCED_PARAMETER( config );

    if( NULL != hbsState )
    {
        if( NULL != ( g_mutex = rMutex_create() ) )
        {
            if( NULL != ( g_knownCode = rpal_bloom_create( 50000, 0.00001 ) ) )
            {
                isSuccess = FALSE;

                if( notifications_subscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, 0, NULL, processNewProcesses ) &&
                    notifications_subscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, NULL, 0, NULL, processNewModule ) &&
                    notifications_subscribe( RP_TAGS_NOTIFICATION_SERVICE_CHANGE, NULL, 0, NULL, processHashedEvent ) &&
                    notifications_subscribe( RP_TAGS_NOTIFICATION_DRIVER_CHANGE, NULL, 0, NULL, processHashedEvent ) &&
                    notifications_subscribe( RP_TAGS_NOTIFICATION_AUTORUN_CHANGE, NULL, 0, NULL, processHashedEvent ) &&
                    notifications_subscribe( RP_TAGS_NOTIFICATION_OS_SERVICES_REP, NULL, 0, NULL, processGenericSnapshot ) &&
                    notifications_subscribe( RP_TAGS_NOTIFICATION_OS_DRIVERS_REP, NULL, 0, NULL, processGenericSnapshot ) &&
                    notifications_subscribe( RP_TAGS_NOTIFICATION_OS_PROCESSES_REP, NULL, 0, NULL, processGenericSnapshot ) &&
                    notifications_subscribe( RP_TAGS_NOTIFICATION_OS_AUTORUNS_REP, NULL, 0, NULL, processGenericSnapshot ) )
                {
                    isSuccess = TRUE;
                }
                else
                {
                    notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, processNewProcesses );
                    notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, NULL, processNewModule );
                    notifications_unsubscribe( RP_TAGS_NOTIFICATION_SERVICE_CHANGE, NULL, processHashedEvent );
                    notifications_unsubscribe( RP_TAGS_NOTIFICATION_DRIVER_CHANGE, NULL, processHashedEvent );
                    notifications_unsubscribe( RP_TAGS_NOTIFICATION_AUTORUN_CHANGE, NULL, processHashedEvent );
                    notifications_unsubscribe( RP_TAGS_NOTIFICATION_OS_SERVICES_REP, NULL, processGenericSnapshot );
                    notifications_unsubscribe( RP_TAGS_NOTIFICATION_OS_DRIVERS_REP, NULL, processGenericSnapshot );
                    notifications_unsubscribe( RP_TAGS_NOTIFICATION_OS_PROCESSES_REP, NULL, processGenericSnapshot );
                    notifications_unsubscribe( RP_TAGS_NOTIFICATION_OS_AUTORUNS_REP, NULL, processGenericSnapshot );
                    rpal_bloom_destroy( g_knownCode );
                    rMutex_free( g_mutex );
                    g_mutex = NULL;
                }
            }
            else
            {
                rMutex_free( g_mutex );
                g_mutex = NULL;
            }
        }
    }

    return isSuccess;
}
Ejemplo n.º 2
0
RBOOL
    collector_18_cleanup
    (
        HbsState* hbsState,
        rSequence config
    )
{
    RBOOL isSuccess = FALSE;

    UNREFERENCED_PARAMETER( config );

    if( NULL != hbsState )
    {
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, createQueue, NULL );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_GET_DOCUMENT_REQ, NULL, getDocument );
        rQueue_free( createQueue );
        createQueue = NULL;

        obsLib_free( matcherA );
        obsLib_free( matcherW );
        HbsRingBuffer_free( documentCache );
        matcherA = NULL;
        matcherW = NULL;
        documentCache = NULL;

        rMutex_free( cacheMutex );
        cacheMutex = NULL;

        isSuccess = TRUE;
    }

    return isSuccess;
}
//=============================================================================
//  rRwLock API
//=============================================================================
rRwLock
    rRwLock_create
    (

    )
{
    _rRwLock* lock;

    lock = rpal_memory_alloc( sizeof( *lock ) );

    if( rpal_memory_isValid( lock ) )
    {
        lock->evtCanRead = rEvent_create( TRUE );
        lock->evtCanWrite = rEvent_create( TRUE );
        lock->stateLock = rMutex_create();
        lock->readCount = 0;

        if( !rpal_memory_isValid( lock->evtCanRead ) ||
            !rpal_memory_isValid( lock->evtCanWrite ) ||
            !rpal_memory_isValid( lock->stateLock ) )
        {
            rEvent_free( lock->evtCanRead );
            rEvent_free( lock->evtCanWrite );
            rMutex_free( lock->stateLock );
            rpal_memory_free( lock );
            lock = NULL;
        }
        else
        {
            rEvent_set( lock->evtCanRead );
        }
    }

    return (rRwLock)lock;
}
Ejemplo n.º 4
0
RBOOL
    rpHostCommonPlatformLib_stop
    (

    )
{
    if( 0 == rInterlocked_decrement32( &g_hcpContext.isRunning ) )
    {
        stopBeacons();
        stopAllModules();

        rpal_memory_free( g_hcpContext.primaryUrl );
        rpal_memory_free( g_hcpContext.secondaryUrl );

        if( NULL != g_hcpContext.enrollmentToken &&
            0 != g_hcpContext.enrollmentTokenSize )
        {
            rpal_memory_free( g_hcpContext.enrollmentToken );
        }

        freeKeys();

#ifdef RPAL_PLATFORM_WINDOWS
        SetConsoleCtrlHandler( (PHANDLER_ROUTINE)ctrlHandler, FALSE );
#endif

        rMutex_free( g_hcpContext.cloudConnectionMutex );
        rEvent_free( g_hcpContext.isCloudOnline );
        g_hcpContext.cloudConnectionMutex = NULL;
        g_hcpContext.isCloudOnline = NULL;

        rpal_Context_cleanup();

        rpal_Context_deinitialize();

        // If the default crashContext is still present, remove it since
        // we are shutting down properly. If it's non-default leave it since
        // somehow we may have had a higher order crash we want to keep
        // track of but we are still leaving through our normal code path.
        if( 1 == getCrashContextSize() )
        {
            rpal_debug_info( "clearing default crash context" );
            cleanCrashContext();
        }
    }
    else
    {
        rInterlocked_increment32( &g_hcpContext.isRunning );
    }

    rpal_debug_info( "finished stopping hcp" );

    return TRUE;
}
Ejemplo n.º 5
0
RBOOL
    rStack_free
    (
        rStack stack,
        rStack_freeFunc freeFunc
    )
{
    RBOOL isSuccess = FALSE;
    _prStack pStack = (_prStack)stack;
    RPVOID tmpElem = NULL;
    RPVOID tmpBuff = NULL;
    RU32 tmpSize = 0;
    RU32 i = 0;

    if( NULL != stack )
    {
        if( rMutex_lock( pStack->lock ) )
        {
            isSuccess = TRUE;

            tmpElem = rpal_blob_getBuffer( pStack->blob );
            tmpBuff = tmpElem;
            tmpSize = rpal_blob_getSize( pStack->blob );

            for( i = 0; i < pStack->nElements; i++ )
            {
                tmpElem = (RPU8)tmpElem + ( i * pStack->elemSize );

                if( IS_WITHIN_BOUNDS( tmpElem, pStack->elemSize, tmpBuff, tmpSize ) )
                {
                    if( NULL != freeFunc )
                    {
                        if( !freeFunc( tmpElem ) )
                        {
                            isSuccess = FALSE;
                        }
                    }
                }
            }

            rpal_blob_free( pStack->blob );

            rMutex_free( pStack->lock );
            rpal_memory_free( pStack );
        }
    }

    return isSuccess;
}
RVOID
    rRefCount_destroy
    (
        rRefCount ref
    )
{
    _rRefCount* pRef = (_rRefCount*)ref;

    if( rpal_memory_isValid( ref ) )
    {
        rMutex_lock( pRef->mutex );
        rMutex_free( pRef->mutex );
        rpal_memory_free( pRef );
    }
}
RVOID
    rRwLock_free
    (
        rRwLock lock
    )
{
    _rRwLock* lck = (_rRwLock*)lock;

    if( rpal_memory_isValid( lock ) )
    {
        rEvent_free( lck->evtCanRead );
        rEvent_free( lck->evtCanWrite );
        rMutex_free( lck->stateLock );

        rpal_memory_free( lock );
    }
}
RBOOL
    rRefCount_release
    (
        rRefCount ref,
        RBOOL* pIsReleased
    )
{
    RBOOL isSuccess = FALSE;
    RBOOL isReleased = FALSE;
    _rRefCount* pRef = NULL;

    if( rpal_memory_isValid( ref ) )
    {
        pRef = (_rRefCount*)ref;

        if( rMutex_lock( pRef->mutex ) )
        {
            if( 0 == --(pRef->count) )
            {
                if( NULL != pRef->freeFunc )
                {
                    pRef->freeFunc( pRef->pElem, pRef->elemSize );
                }

                rMutex_free( pRef->mutex );
                rpal_memory_free( pRef );

                isReleased = TRUE;
            }
            else
            {
                rMutex_unlock( pRef->mutex );
            }

            if( NULL != pIsReleased )
            {
                *pIsReleased = isReleased;
            }

            isSuccess = TRUE;
        }
    }

    return isSuccess;
}
Ejemplo n.º 9
0
RBOOL
    collector_16_cleanup
    (
        HbsState* hbsState,
        rSequence config
    )
{
    RBOOL isSuccess = FALSE;

    UNREFERENCED_PARAMETER( config );

    if( NULL != hbsState )
    {
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_RULES_UPDATE, NULL, updateSignatures );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_SCAN, NULL, doScan );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, g_async_files_to_scan, NULL );

        if( rMutex_lock( g_global_rules_mutex ) )
        {
            if( NULL != g_global_rules )
            {
                yr_rules_destroy( g_global_rules );
                g_global_rules = NULL;
            }

            rMutex_unlock( g_global_rules_mutex );
        }

        rQueue_free( g_async_files_to_scan );
        g_async_files_to_scan = NULL;

        rMutex_free( g_global_rules_mutex );
        g_global_rules_mutex = NULL;

        yr_finalize();

        isSuccess = TRUE;
    }

    return isSuccess;
}
RBOOL
    collector_22_cleanup
    (
        HbsState* hbsState,
        rSequence config
    )
{
    RBOOL isSuccess = FALSE;
    RU32 i = 0;

    UNREFERENCED_PARAMETER( config );

    if( NULL != hbsState )
    {
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, NULL, processFileIo );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_DELETE, NULL, processFileIo );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_MODIFIED, NULL, processFileIo );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_READ, NULL, processFileIo );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, processNewProcesses );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_EXISTING_PROCESS, NULL, processNewProcesses );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_TERMINATE_PROCESS, NULL, processTerminateProcesses );
        obsLib_free( g_extensions );
        g_extensions = NULL;
        if( NULL != g_procContexts )
        {
            for( i = 0; i < g_procContexts->nElements; i++ )
            {
                rpal_memory_free( ( (ProcExtInfo*)g_procContexts->elements[ i ] )->processPath );
                rpal_memory_free( g_procContexts->elements[ i ] );
            }
        }
        rpal_vector_free( g_procContexts );
        g_procContexts = NULL;
        rMutex_free( g_mutex );
        g_mutex = NULL;

        isSuccess = TRUE;
    }

    return isSuccess;
}
RBOOL
    _kAcq_deinit
    (
        RBOOL isLock
    )
{
    RBOOL isSuccess = FALSE;


    if( !isLock ||
        rMutex_lock( g_km_mutex ) )
    {
        g_is_available = FALSE;

#ifdef RPAL_PLATFORM_MACOSX
        if( ( -1 ) != g_km_socket )
        {
            close( g_km_socket );
            g_km_socket = ( -1 );
            isSuccess = TRUE;
        }
#elif defined( RPAL_PLATFORM_WINDOWS )
        if( INVALID_HANDLE_VALUE != g_km_handle )
        {
            CloseHandle( g_km_handle );
            g_km_handle = INVALID_HANDLE_VALUE;
        }
#endif
        if( isLock )
        {
            rMutex_free( g_km_mutex );
            g_km_mutex = NULL;
        }
    }

    return isSuccess;
}
RBOOL
    collector_14_cleanup
    (
        HbsState* hbsState,
        rSequence config
    )
{
    RBOOL isSuccess = FALSE;

    UNREFERENCED_PARAMETER( hbsState );
    UNREFERENCED_PARAMETER( config );

    notifications_unsubscribe( RP_TAGS_NOTIFICATION_DENY_TREE_REQ, NULL, denyNewTree );
    notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, denyNewProcesses );
    rMutex_lock( g_deniedMutex );
    rpal_blob_free( g_denied );
    g_denied = NULL;
    rMutex_free( g_deniedMutex );
    g_deniedMutex = NULL;
    
    isSuccess = TRUE;

    return isSuccess;
}
Ejemplo n.º 13
0
RBOOL
    collector_16_init
    (
        HbsState* hbsState,
        rSequence config
    )
{
    RBOOL isSuccess = FALSE;

    UNREFERENCED_PARAMETER( config );

    if( NULL != hbsState )
    {
        if( 0 == yr_initialize() )
        {
            if( NULL != ( g_global_rules_mutex = rMutex_create() ) )
            {
                if( rQueue_create( &g_async_files_to_scan, _freeSeq, 100 ) )
                {
                    if( notifications_subscribe( RP_TAGS_NOTIFICATION_YARA_RULES_UPDATE,
                                                 NULL,
                                                 0,
                                                 NULL,
                                                 updateSignatures ) &&
                        notifications_subscribe( RP_TAGS_NOTIFICATION_YARA_SCAN,
                                                 NULL,
                                                 0,
                                                 NULL,
                                                 doScan ) &&
                        notifications_subscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD,
                                                 NULL,
                                                 0,
                                                 g_async_files_to_scan,
                                                 NULL ) )
                    {
                        isSuccess = TRUE;

                        if( !rThreadPool_task( hbsState->hThreadPool, continuousMemScan, NULL ) ||
                            !rThreadPool_task( hbsState->hThreadPool, continuousFileScan, NULL ) )
                        {
                            isSuccess = FALSE;
                        }
                    }
                }
            }
        }
    }

    if( !isSuccess )
    {
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_RULES_UPDATE, NULL, updateSignatures );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_SCAN, NULL, doScan );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, g_async_files_to_scan, NULL);
        rQueue_free( g_async_files_to_scan );
        g_async_files_to_scan = NULL;
        rMutex_free( g_global_rules_mutex );
        g_global_rules_mutex = NULL;

        yr_finalize();
    }

    return isSuccess;
}
Ejemplo n.º 14
0
RBOOL
    rpHostCommonPlatformLib_launch
    (
        RU8 configHint,
        RPNCHAR primaryHomeUrl,
        RPNCHAR secondaryHomeUrl
    )
{
    RBOOL isInitSuccessful = FALSE;
    rSequence staticConfig = NULL;
    RPCHAR tmpStr = NULL;
    rSequence tmpSeq = NULL;
    RPU8 tmpBuffer = NULL;
    RU32 tmpSize = 0;
    RU16 tmpPort = 0;

    rpal_debug_info( "launching hcp" );

#ifdef RPAL_PLATFORM_WINDOWS
    if( setGlobalCrashHandler() &&
        SetConsoleCtrlHandler( (PHANDLER_ROUTINE)ctrlHandler, TRUE ) )
    {
        rpal_debug_info( "global crash handler set" );
    }
    else
    {
        rpal_debug_warning( "error setting global crash handler" );
    }
#endif

    if( 1 == rInterlocked_increment32( &g_hcpContext.isRunning ) )
    {
        if( rpal_initialize( NULL, RPAL_COMPONENT_HCP ) )
        {
            CryptoLib_init();

            if( NULL == ( g_hcpContext.cloudConnectionMutex = rMutex_create() ) ||
                NULL == ( g_hcpContext.isCloudOnline = rEvent_create( TRUE ) ) )
            {
                rMutex_free( g_hcpContext.cloudConnectionMutex );
                rpal_debug_error( "could not create cloud connection mutex or event" );
                return FALSE;
            }

            g_hcpContext.currentId.raw = g_idTemplate.raw;

            // We attempt to load some initial config from the serialized
            // rSequence that can be patched in this binary.
            if( NULL != ( staticConfig = getStaticConfig() ) )
            {
                if( rSequence_getSTRINGA( staticConfig, RP_TAGS_HCP_PRIMARY_URL, &tmpStr ) &&
                    rSequence_getRU16( staticConfig, RP_TAGS_HCP_PRIMARY_PORT, &tmpPort ) )
                {
                    g_hcpContext.primaryUrl = rpal_string_strdupA( tmpStr );
                    g_hcpContext.primaryPort = tmpPort;
                    rpal_debug_info( "loading primary url from static config" );
                }

                if( rSequence_getSTRINGA( staticConfig, RP_TAGS_HCP_SECONDARY_URL, &tmpStr ) &&
                    rSequence_getRU16( staticConfig, RP_TAGS_HCP_SECONDARY_PORT, &tmpPort ) )
                {
                    g_hcpContext.secondaryUrl = rpal_string_strdupA( tmpStr );
                    g_hcpContext.secondaryPort = tmpPort;
                    rpal_debug_info( "loading secondary url from static config" );
                }
                if( rSequence_getSEQUENCE( staticConfig, RP_TAGS_HCP_ID, &tmpSeq ) )
                {
                    g_hcpContext.currentId = seqToHcpId( tmpSeq );
                    rpal_debug_info( "loading default id from static config" );
                }

                if( rSequence_getBUFFER( staticConfig, RP_TAGS_HCP_C2_PUBLIC_KEY, &tmpBuffer, &tmpSize ) )
                {
                    setC2PublicKey( rpal_memory_duplicate( tmpBuffer, tmpSize ) );
                    rpal_debug_info( "loading c2 public key from static config" );
                }

                if( rSequence_getBUFFER( staticConfig, RP_TAGS_HCP_ROOT_PUBLIC_KEY, &tmpBuffer, &tmpSize ) )
                {
                    setRootPublicKey( rpal_memory_duplicate( tmpBuffer, tmpSize ) );
                    rpal_debug_info( "loading root public key from static config" );
                }

                if( rSequence_getSTRINGA( staticConfig, RP_TAGS_HCP_DEPLOYMENT_KEY, &tmpStr ) )
                {
                    g_hcpContext.deploymentKey = rpal_string_strdupA( tmpStr );
                    rpal_debug_info( "loading deployment key from static config" );
                }

                rSequence_free( staticConfig );
            }

            // Now we will override the defaults (if present) with command
            // line parameters.
            if( NULL != primaryHomeUrl &&
                0 != rpal_string_strlen( primaryHomeUrl ) )
            {
                if( NULL != g_hcpContext.primaryUrl )
                {
                    rpal_memory_free( g_hcpContext.primaryUrl );
                    g_hcpContext.primaryUrl = NULL;
                }
                g_hcpContext.primaryUrl = rpal_string_ntoa( primaryHomeUrl );
            }

            if( NULL != secondaryHomeUrl &&
                0 != rpal_string_strlen( secondaryHomeUrl  ) )
            {
                if( NULL != g_hcpContext.secondaryUrl )
                {
                    rpal_memory_free( g_hcpContext.secondaryUrl );
                    g_hcpContext.secondaryUrl = NULL;
                }
                g_hcpContext.secondaryUrl = rpal_string_ntoa( secondaryHomeUrl );
            }

            g_hcpContext.enrollmentToken = NULL;
            g_hcpContext.enrollmentTokenSize = 0;

            getStoreConf();  /* Sets the agent ID platform. */
            
            // Set the current configId
            g_hcpContext.currentId.id.configId = configHint;

            if( startBeacons() )
            {
                isInitSuccessful = TRUE;
            }
            else
            {
                rpal_debug_warning( "error starting beacons" );
            }

            CryptoLib_deinit();
        }
        else
        {
            rpal_debug_warning( "hcp platform could not init rpal" );
        }
    }
    else
    {
        rInterlocked_decrement32( &g_hcpContext.isRunning );
        rpal_debug_info( "hcp already launched" );
    }

    return isInitSuccessful;
}
Ejemplo n.º 15
0
RBOOL
    collector_18_init
    (
        HbsState* hbsState,
        rSequence config
    )
{
    RBOOL isSuccess = FALSE;

    rList extensions = NULL;
    rList patterns = NULL;
    RPCHAR strA = NULL;
    RPCHAR tmpA = NULL;
    RPWCHAR strW = NULL;
    RPWCHAR tmpW = NULL;
    RU32 maxSize = 0;
    RBOOL isCaseInsensitive = FALSE;

    if( NULL != hbsState )
    {
#ifdef RPAL_PLATFORM_WINDOWS
        // On Windows files and paths are not case sensitive.
        isCaseInsensitive = TRUE;
#endif

        if( NULL == config ||
            rSequence_getLIST( config, RP_TAGS_EXTENSIONS, &extensions ) ||
            rSequence_getLIST( config, RP_TAGS_PATTERNS, &patterns ) )
        {
            if( NULL != ( cacheMutex = rMutex_create() ) &&
                NULL != ( matcherA = obsLib_new( 0, 0 ) ) &&
                NULL != ( matcherW = obsLib_new( 0, 0 ) ) )
            {
                cacheSize = 0;
                if( NULL != config &&
                    rSequence_getRU32( config, RP_TAGS_MAX_SIZE, &maxSize ) )
                {
                    cacheMaxSize = maxSize;
                }
                else
                {
                    cacheMaxSize = MAX_CACHE_SIZE;
                }
                
                if( NULL != ( documentCache = HbsRingBuffer_new( 0, cacheMaxSize ) ) )
                {
                    if( NULL == config )
                    {
                        // As a default we'll cache all new files
                        obsLib_addPattern( matcherA, (RPU8)"", sizeof( RCHAR ), NULL );
                        obsLib_addPattern( matcherW, (RPU8)_WCH(""), sizeof( RWCHAR ), NULL );
                    }
                    else
                    {
                        // If a config was provided we'll cache only certain extensions
                        // specified.
                        while( rList_getSTRINGA( extensions, RP_TAGS_EXTENSION, &strA ) )
                        {
                            if( rpal_string_expand( strA, &tmpA ) )
                            {
                                obsLib_addStringPatternA( matcherA, tmpA, TRUE, isCaseInsensitive, NULL );
                                rpal_memory_free( tmpA );
                            }
                            if( NULL != ( strW = rpal_string_atow( strA ) ) )
                            {
                                if( rpal_string_expandw( strW, &tmpW ) )
                                {
                                    obsLib_addStringPatternW( matcherW, tmpW, TRUE, isCaseInsensitive, NULL );
                                    rpal_memory_free( tmpW );
                                }
                                rpal_memory_free( strW );
                            }
                        }

                        while( rList_getSTRINGW( extensions, RP_TAGS_EXTENSION, &strW ) )
                        {
                            if( rpal_string_expandw( strW, &tmpW ) )
                            {
                                obsLib_addStringPatternW( matcherW, tmpW, TRUE, isCaseInsensitive, NULL );
                                rpal_memory_free( tmpW );
                            }
                            if( NULL != ( strA = rpal_string_wtoa( strW ) ) )
                            {
                                if( rpal_string_expand( strA, &tmpA ) )
                                {
                                    obsLib_addStringPatternA( matcherA, tmpA, TRUE, isCaseInsensitive, NULL );
                                    rpal_memory_free( tmpA );
                                }
                                rpal_memory_free( strA );
                            }
                        }

                        while( rList_getSTRINGA( patterns, RP_TAGS_STRING_PATTERN, &strA ) )
                        {
                            if( rpal_string_expand( strA, &tmpA ) )
                            {
                                obsLib_addStringPatternA( matcherA, tmpA, FALSE, isCaseInsensitive, NULL );
                                rpal_memory_free( tmpA );
                            }
                            if( NULL != ( strW = rpal_string_atow( strA ) ) )
                            {
                                if( rpal_string_expandw( strW, &tmpW ) )
                                {
                                    obsLib_addStringPatternW( matcherW, tmpW, FALSE, isCaseInsensitive, NULL );
                                    rpal_memory_free( tmpW );
                                }
                                rpal_memory_free( strW );
                            }
                        }

                        while( rList_getSTRINGW( patterns, RP_TAGS_STRING_PATTERN, &strW ) )
                        {
                            if( rpal_string_expandw( strW, &tmpW ) )
                            {
                                obsLib_addStringPatternW( matcherW, tmpW, FALSE, isCaseInsensitive, NULL );
                                rpal_memory_free( tmpW );
                            }
                            if( NULL != ( strA = rpal_string_wtoa( strW ) ) )
                            {
                                if( rpal_string_expand( strA, &tmpA ) )
                                {
                                    obsLib_addStringPatternA( matcherA, tmpA, FALSE, isCaseInsensitive, NULL );
                                    rpal_memory_free( tmpA );
                                }
                                rpal_memory_free( strA );
                            }
                        }
                    }

                    if( rQueue_create( &createQueue, _freeEvt, 200 ) &&
                        notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, NULL, 0, createQueue, NULL ) &&
                        notifications_subscribe( RP_TAGS_NOTIFICATION_GET_DOCUMENT_REQ, NULL, 0, NULL, getDocument ) &&
                        rThreadPool_task( hbsState->hThreadPool, parseDocuments, NULL ) )
                    {
                        isSuccess = TRUE;
                    }
                }
            }

            if( !isSuccess )
            {
                notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, createQueue, NULL );
                notifications_unsubscribe( RP_TAGS_NOTIFICATION_GET_DOCUMENT_REQ, NULL, getDocument );
                rQueue_free( createQueue );
                createQueue = NULL;

                obsLib_free( matcherA );
                obsLib_free( matcherW );
                HbsRingBuffer_free( documentCache );
                matcherA = NULL;
                matcherW = NULL;
                documentCache = NULL;

                rMutex_free( cacheMutex );
                cacheMutex = NULL;
            }
        }
    }

    return isSuccess;
}
RBOOL
    collector_22_init
    (
        HbsState* hbsState,
        rSequence config
    )
{
    RBOOL isSuccess = FALSE;
    rList patterns = NULL;
    rSequence pattern = NULL;
    RPCHAR strA = NULL;
    RPWCHAR strW = NULL;
    RPNCHAR tmpN = NULL;
    RU8 patternId = 0;
    RU32 i = 0;

    if( NULL != hbsState &&
        NULL != ( g_extensions = obsLib_new( 0, 0 ) ) )
    {
        if( rSequence_getLIST( config, RP_TAGS_PATTERNS, &patterns ) )
        {
            while( rList_getSEQUENCE( patterns, RP_TAGS_RULE, &pattern ) )
            {
                if( rSequence_getRU8( pattern, RP_TAGS_RULE_NAME, &patternId ) )
                {
                    if( 64 < patternId || 0 == patternId )
                    {
                        rpal_debug_critical( "rule id must be below 64 and 1-based." );
                        continue;
                    }

                    // Base the pattern id to 0
                    patternId--;

                    if( rSequence_getSTRINGA( pattern, RP_TAGS_EXTENSION, &strA ) &&
                        NULL != ( tmpN = rpal_string_aton( strA ) ) )
                    {
                        _addPattern( g_extensions, tmpN, TRUE, NUMBER_TO_PTR( patternId ) );
                        rpal_memory_free( tmpN );
                    }

                    if( rSequence_getSTRINGW( pattern, RP_TAGS_EXTENSION, &strW ) &&
                        NULL != ( tmpN = rpal_string_wton( strW ) ) )
                    {
                        _addPattern( g_extensions, tmpN, TRUE, NUMBER_TO_PTR( patternId ) );
                        rpal_memory_free( tmpN );
                    }

                    if( rSequence_getSTRINGA( pattern, RP_TAGS_STRING_PATTERN, &strA ) &&
                        NULL != ( tmpN = rpal_string_aton( strA ) ) )
                    {
                        _addPattern( g_extensions, tmpN, FALSE, NUMBER_TO_PTR( patternId ) );
                        rpal_memory_free( tmpN );
                    }

                    if( rSequence_getSTRINGW( pattern, RP_TAGS_STRING_PATTERN, &strW ) &&
                        NULL != ( tmpN = rpal_string_wton( strW ) ) )
                    {
                        _addPattern( g_extensions, tmpN, FALSE, NUMBER_TO_PTR( patternId ) );
                        rpal_memory_free( tmpN );
                    }
                }
            }

            if( NULL != ( g_mutex = rMutex_create() ) &&
                NULL != ( g_procContexts = rpal_vector_new() ) &&
                notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, NULL, 0, NULL, processFileIo ) &&
                notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_DELETE, NULL, 0, NULL, processFileIo ) &&
                notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_MODIFIED, NULL, 0, NULL, processFileIo ) &&
                notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_READ, NULL, 0, NULL, processFileIo ) &&
                notifications_subscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, 0, NULL, processNewProcesses ) &&
                notifications_subscribe( RP_TAGS_NOTIFICATION_EXISTING_PROCESS, NULL, 0, NULL, processNewProcesses ) &&
                notifications_subscribe( RP_TAGS_NOTIFICATION_TERMINATE_PROCESS, NULL, 0, NULL, processTerminateProcesses ) )
            {
                isSuccess = TRUE;
            }
        }
    }

    if( !isSuccess )
    {
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, NULL, processFileIo );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_DELETE, NULL, processFileIo );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_MODIFIED, NULL, processFileIo );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_READ, NULL, processFileIo );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, processNewProcesses );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_EXISTING_PROCESS, NULL, processNewProcesses );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_TERMINATE_PROCESS, NULL, processTerminateProcesses );
        obsLib_free( g_extensions );
        g_extensions = NULL;
        if( NULL != g_procContexts )
        {
            for( i = 0; i < g_procContexts->nElements; i++ )
            {
                rpal_memory_free( ( (ProcExtInfo*)g_procContexts->elements[ i ] )->processPath );
                rpal_memory_free( g_procContexts->elements[ i ] );
            }
        }
        rpal_vector_free( g_procContexts );
        g_procContexts = NULL;
        rMutex_free( g_mutex );
        g_mutex = NULL;
    }

    return isSuccess;
}
RBOOL
    _kAcq_init
    (
        RBOOL isLock
    )
{
    RBOOL isSuccess = FALSE;

#ifdef RPAL_PLATFORM_MACOSX
    int result = 0;
    struct ctl_info info = { 0 };
    struct sockaddr_ctl addr = { 0 };
    if( ( -1 ) == g_km_socket )
    {
        g_is_available = FALSE;

        if( !isLock ||
            NULL != ( g_km_mutex = rMutex_create() ) )
        {
            if( ( -1 ) != ( g_km_socket = socket( PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL ) ) )
            {
                strncpy( info.ctl_name, ACQUISITION_COMMS_NAME, sizeof( info.ctl_name ) );
                if( 0 == ioctl( g_km_socket, CTLIOCGINFO, &info ) )
                {
                    addr.sc_id = info.ctl_id;
                    addr.sc_unit = 0;
                    addr.sc_len = sizeof( struct sockaddr_ctl );
                    addr.sc_family = AF_SYSTEM;
                    addr.ss_sysaddr = AF_SYS_CONTROL;
                    if( 0 == ( result = connect( g_km_socket, ( struct sockaddr * )&addr, sizeof( addr ) ) ) )
                    {
                        g_is_available = TRUE;
                        isSuccess = TRUE;
                    }
                }

                if( !isSuccess )
                {
                    close( g_km_socket );
                    g_km_socket = ( -1 );
                }
            }

            if( !isSuccess &&
                isLock )
            {
                rMutex_free( g_km_mutex );
                g_km_mutex = NULL;
            }
        }
    }
    else
    {
        isSuccess = TRUE;
    }
#elif defined( RPAL_PLATFORM_WINDOWS )
    if( INVALID_HANDLE_VALUE == g_km_handle )
    {
        g_is_available = FALSE;

        if( !isLock ||
            NULL != ( g_km_mutex = rMutex_create() ) )
        {
            if( INVALID_HANDLE_VALUE != ( g_km_handle = CreateFileW( LOCAL_COMMS_NAME,
                                                                     GENERIC_READ,
                                                                     0,
                                                                     NULL,
                                                                     OPEN_EXISTING,
                                                                     FILE_ATTRIBUTE_NORMAL,
                                                                     NULL ) ) )
            {
                g_is_available = TRUE;
                isSuccess = TRUE;
            }
            else if( isLock )
            {
                rMutex_free( g_km_mutex );
                g_km_mutex = NULL;
            }
        }
    }
    else
    {
        g_is_available = TRUE;
        isSuccess = TRUE;
    }
#endif

    return isSuccess;
}