template<> inline JUINT32 JList<JPER_RECORD>::CopyObject(JList<JPER_RECORD>& rDst, JList<JPER_RECORD>& rSrc) { JPER_RECORD* pDstData = JNULL; JListItem<JPER_RECORD>* pDstItem = JNULL; JUINT32 uiLen = 0; JPER_RECORD* pSrcData = JNULL; JListItem<JPER_RECORD>* pSrcItem = JNULL; JListItem<JPER_RECORD>* prevDstItem = JNULL; rDst.m_pHead = JNULL; rDst.m_pTail = JNULL; JLogAutoPtr clsLogAutoPtr(JSingleton<JLog>::instance(), JLOG_MOD_LIST, "JList::CopyObject"); JListIterator<JPER_RECORD> clsListIter(rSrc); for (clsListIter.First(); clsListIter.Done(); clsListIter.Next()) { pSrcItem = clsListIter.Item(); pDstData = JNULL; pSrcData = pSrcItem->GetData(); uiLen = pSrcItem->GetDataLength(); if (uiLen) { //alloc memory for the dst data pDstData = reinterpret_cast<JPER_RECORD*>(JSingleton<JStaticMemory>::instance()->Alloc(uiLen+1)); if (pDstData) { SafeMemset(reinterpret_cast<JCHAR*>(pDstData), 0, uiLen+1); SafeMemcpy(reinterpret_cast<JCHAR*>(pDstData), reinterpret_cast<JCHAR*>(pSrcData), uiLen, uiLen+1); } else { JSingleton<JLog>::instance2() << set(JLOG_MOD_LIST, JLOG_ERROR_LEVEL) << "JList::CopyObject memory alloc failure\n"; return JFAILURE; } } //construct the dst item pDstItem = new JListItem<JPER_RECORD>(pDstData); pDstItem->SetDataLength(uiLen); rDst.InsertItem(pDstItem, prevDstItem); prevDstItem = pDstItem; } return JSUCCESS; }
void Slave::StartNode(IKernel * kernel, const char * cmd) { char process[MAX_CMD_LEN]; #ifdef WIN32 SafeSprintf(process, sizeof(process), "%s/%s.exe", tools::GetAppPath(), EXECUTE_NAME); STARTUPINFO si = { sizeof(si) }; si.dwFlags = STARTF_USESHOWWINDOW; si.wShowWindow = TRUE; si.lpTitle = (char*)cmd; PROCESS_INFORMATION pi; BOOL ret = CreateProcess(process, (char*)cmd, nullptr, nullptr, false, CREATE_NEW_CONSOLE, nullptr, nullptr, &si, &pi); OASSERT(ret, "create process failed"); ::CloseHandle(pi.hThread); ::CloseHandle(pi.hProcess); #else SafeSprintf(process, sizeof(process), "%s/%s", tools::GetAppPath(), EXECUTE_NAME); char args[MAX_CMD_LEN]; SafeSprintf(args, sizeof(args), cmd); char * p[MAX_CMD_ARGS_COUNT]; SafeMemset(p, sizeof(p), 0, sizeof(p)); p[0] = EXECUTE_NAME; s32 idx = 1; char * checkPtr = args; char * innderPtr = nullptr; while ((p[idx] = strtok_r(checkPtr, " ", &innderPtr)) != nullptr) { ++idx; checkPtr = nullptr; } pid_t pid; pid = fork(); if (pid < 0) { OASSERT(false, "start process failed"); } else if (pid == 0) { pid = fork(); if (pid == 0) execv(process, p); else exit(0); } else { s32 status; waitpid(pid, &status, 0); } #endif }
Connection::Connection(const SOCKET fd, const s32 sendSize, const s32 recvSize) : _fd(fd) , _session(nullptr) , _remotePort(0) #ifdef _DEBUG , _establish(false) #endif , _closing(false) , _sending(false) , _recving(false) , _isSocketClosed(false) { OASSERT(recvSize > SINGLE_RECV_SIZE, "wtf"); _sendBuf = RingBufferAlloc(sendSize); _recvBuf = RingBufferAlloc(recvSize); SafeMemset(&_addr, sizeof(_addr), 0, sizeof(_addr)); SafeMemset(&_connect, sizeof(_connect), 0, sizeof(_connect)); _connect.opt = IOCP_OPT_CONNECT; _connect.socket = _fd; _connect.bytes = 0; _connect.context = this; SafeMemset(&_recv, sizeof(_recv), 0, sizeof(_recv)); _recv.opt = IOCP_OPT_RECV; _recv.socket = _fd; _recv.bytes = 0; _recv.context = this; _recv.buf.buf = (char*)MALLOC(SINGLE_RECV_SIZE); _recv.buf.len = SINGLE_RECV_SIZE; SafeMemset(&_send, sizeof(_send), 0, sizeof(_send)); _send.opt = IOCP_OPT_SEND; _send.socket = _fd; _send.bytes = 0; _send.context = this; }
/******************************************************************************* * Function: GetObfuscationPayloadCallback() * * ObfuscationCallback for returning an allocated obfuscated payload. * * Arguments * DAQ_PktHdr_t *pkth * The pcap header information associated with the payload being * obfuscated. * uint8_t *packet_data * Pointer to the packet data to be obfuscated * ob_char_t ob_char * The obfuscation character * ob_size_t length * The length of the portion of packet payload to use * void *user_data * The ObfuscatedPayload data * * Returns * OB_RET_ERROR if copying obfuscation data is not successful * OB_RET_SUCCESS if successful copying data to payload * ******************************************************************************/ static ObRet GetObfuscatedPayloadCallback(const DAQ_PktHdr_t *pkth, const uint8_t *packet_data, ob_size_t length, ob_char_t ob_char, void *user_data) { ObfuscatedPayload *ob_payload = (ObfuscatedPayload *)user_data; uint8_t *payload; ob_size_t payload_len, payload_size; if (ob_payload == NULL) return OB_RET_ERROR; if ((ob_payload->payload == NULL) || (ob_payload->payload_len == NULL)) return OB_RET_ERROR; payload = *ob_payload->payload; payload_len = *ob_payload->payload_len; payload_size = ob_payload->payload_size; if ((payload_len + length) > payload_size) { /* Allocate extra so we don't have to reallocate every time in */ ob_size_t new_size = payload_len + length + 100; uint8_t *tmp = (uint8_t *)SnortAlloc(new_size); if (payload != NULL) { if (SafeMemcpy(tmp, payload, payload_len, tmp, tmp + new_size) != SAFEMEM_SUCCESS) { free(tmp); free(payload); return OB_RET_ERROR; } free(payload); } payload_size = new_size; ob_payload->payload_size = new_size; *ob_payload->payload = tmp; payload = tmp; } if (packet_data != NULL) { if (SafeMemcpy(payload + payload_len, packet_data, length, payload, payload + payload_size) != SAFEMEM_SUCCESS) { free(payload); return OB_RET_ERROR; } } else { if (SafeMemset(payload + payload_len, (uint8_t)ob_char, length, payload, payload + payload_size) != SAFEMEM_SUCCESS) { free(payload); return OB_RET_ERROR; } } *ob_payload->payload_len += length; return OB_RET_SUCCESS; }
/******************************************************************************* * Function: TraverseObfuscationList() * * This is the main function for obfuscating a payload or stream segments. * It walks through a packet and obfuscation entries, calling the user * callback with obfuscated and non-obfuscated instructions. * * Arguments * ObfuscationCallbackData *data * The state tracking data structure. Has the packet being obfuscated, * current obfuscation entry and total number of bytes obfuscated thus * far. * DAQ_PktHdr_t *pkth * The pcap header information associated with the payload being * obfuscated. * uint8_t *pkt * The start of the packet including Ethernet headers, etc. * uint8_t *payload * Pointer to the payload data to be obfuscated * ob_size_t * The size of the payload data * * Returns * OB_RET_SUCCESS if successfully completed * OB_RET_ERROR if the user callback doesn't return OB_RET_SUCCESS * ******************************************************************************/ static ObRet TraverseObfuscationList(ObfuscationCallbackData *data, const DAQ_PktHdr_t *pkth, const uint8_t *payload_data, ob_size_t payload_size) { int i; ob_size_t total_offset = data->total_offset; ob_size_t payload_offset = 0; const DAQ_PktHdr_t *pkth_tmp = pkth; #ifdef OBFUSCATION_TEST uint8_t print_array[OB_LENGTH_MAX]; ob_size_t start_total_offset = 0; ob_size_t start_payload_offset = 0; #endif if ((payload_data == NULL) || (payload_size == 0)) return OB_RET_ERROR; #ifdef OBFUSCATION_TEST LogMessage("Payload data: %u bytes\n", payload_size); LogMessage("===============================================================" "=================\n"); #endif /* Start from current saved obfuscation entry index */ for (i = data->entry_index; i < ob_struct.num_entries; i++) { /* Get the entry from the sorted array */ const ObfuscationEntry *entry = ob_struct.sort_entries[i]; ob_size_t ob_offset = entry->offset; ob_size_t ob_length = entry->length; /* Make sure it's for the right packet */ if (entry->p != data->packet) { #ifdef OBFUSCATION_TEST LogMessage("flags1: %08x, flags2: %08x\n", entry->p->packet_flags, data->packet->packet_flags); #endif continue; } /* We've already obfuscated this part of the packet payload * Account for overflow */ if (((ob_offset + ob_length) <= total_offset) && ((ob_offset + ob_length) > ob_offset)) { continue; } #ifdef OBFUSCATION_TEST LogMessage(" Total offset: %u\n\n", total_offset); start_total_offset = total_offset; start_payload_offset = payload_offset; #endif /* Note the obfuscation offset is only used at this point to determine * the amount of data that does not need to be obfuscated up to the * offset or the length of what needs to be obfuscated if the offset * is less than what's already been logged */ if (ob_offset > total_offset) { /* Get the amount of non-obfuscated data - need to log straight * packet data up to obfuscation offset */ ob_size_t length = ob_offset - total_offset; /* If there is more length than what's left in the packet, * truncate it, do we don't overflow */ if (length > (payload_size - payload_offset)) length = payload_size - payload_offset; /* Call the user callback and tell it not to obfuscate the data * by passing in a non-NULL packet pointer */ if (data->user_callback(pkth_tmp, payload_data + payload_offset, length, 0, data->user_data) != OB_RET_SUCCESS) { return OB_RET_ERROR; } #ifdef OBFUSCATION_TEST SafeMemcpy(print_array + payload_offset, payload_data + payload_offset, length, print_array, print_array + sizeof(print_array)); #endif /* Only the first payload call sends the pcap_pkthdr */ pkth_tmp = NULL; /* Adjust offsets */ payload_offset += length; total_offset += length; /* If there is no more packet data, break out of the loop */ if (payload_offset == payload_size) { #ifdef OBFUSCATION_TEST PrintPacketData(print_array + start_payload_offset, length); LogMessage("\n"); #endif break; } } else if (ob_offset < total_offset) { /* If the entries offset is less than the current total offset, * decrease the length. */ ob_length -= (total_offset - ob_offset); } /* Adjust the amount of data to obfuscate if it exceeds the amount of * data left in the packet. Account for overflow */ if (((payload_offset + ob_length) > payload_size) || ((payload_offset + ob_length) <= payload_offset)) { ob_length = payload_size - payload_offset; } /* Call the user callback and tell it to obfuscate the data by passing * in a NULL packet pointer */ if (data->user_callback(pkth_tmp, NULL, ob_length, entry->ob_char, data->user_data) != OB_RET_SUCCESS) { return OB_RET_ERROR; } #ifdef OBFUSCATION_TEST LogMessage(" Entry: %d\n", i); LogMessage(" --------------------------\n"); PrintObfuscationEntry(entry, 4); LogMessage("\n"); SafeMemset(print_array + payload_offset, entry->ob_char, ob_length, print_array, print_array + sizeof(print_array)); if (ob_length < entry->length) { if (ob_offset < start_total_offset) { if (payload_offset + ob_length == payload_size) { LogMessage(" Obfuscating beyond already obfuscated " "(%u bytes) and to end of payload: %u bytes\n\n", (start_total_offset - ob_offset), ob_length); } else { LogMessage(" Obfuscating beyond already obfuscated " "(%u bytes): %u bytes\n\n", (start_total_offset - ob_offset), ob_length); } } else { LogMessage(" Obfuscating to end of payload: " "%u bytes\n\n", ob_length); } } else { LogMessage(" Obfuscating: %u bytes\n\n", ob_length); } PrintPacketData(print_array + start_payload_offset, (payload_offset - start_payload_offset) + ob_length); if (((entry->offset + entry->length) - (total_offset + ob_length)) > 0) { LogMessage("\n Remaining amount to obfuscate: %u bytes\n", (entry->offset + entry->length) - (total_offset + ob_length)); } LogMessage("\n"); #endif /* Only the first payload call sends the pcap_pkthdr */ pkth_tmp = NULL; /* Adjust offsets */ payload_offset += ob_length; total_offset += ob_length; /* If there is no more packet data, break out of the loop */ if (payload_offset == payload_size) break; } /* There's more data in the packet left, meaning we ran out of * obfuscation entries */ if (payload_size > payload_offset) { ob_size_t length = payload_size - payload_offset; /* Call the user callback and tell it not to obfuscate the data * by passing in a non-NULL packet pointer */ if (data->user_callback(pkth_tmp, payload_data + payload_offset, length, 0, data->user_data) != OB_RET_SUCCESS) { return OB_RET_ERROR; } #ifdef OBFUSCATION_TEST SafeMemcpy(print_array + payload_offset, payload_data + payload_offset, length, print_array, print_array + sizeof(print_array)); #endif /* Adjust offsets - don't need to adjust packet offset since * we're done with the packet */ total_offset += length; } #ifdef OBFUSCATION_TEST LogMessage("Obfuscated payload\n"); LogMessage("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" "~~~~~~~~~~\n"); PrintPacketData(print_array, payload_size); LogMessage("\n\n"); #endif /* Save these for next time we come in if necessary. Mainly for * traversing stream segments */ data->entry_index = i; data->total_offset = total_offset; return OB_RET_SUCCESS; }
JCHAR* JEvent::Serialize(JUINT32 *uiLen) { JUINT32 uiAllocLen = 0; JUINT32 uiLeaveLen = 0; JCHAR* pBuf = JNULL; JCHAR* pTmpBuf = JNULL; JEVT_TYPE* pEvtType = JNULL; JUINT32* pLen = JNULL; JUINT32* pBodyLen = JNULL; JLogAutoPtr clsLogAutoPtr(JSingleton<JLog>::instance(), JLOG_MOD_EVENT, "JEvent::Serialize"); //calcualte the total event message length uiAllocLen += sizeof(JEVT_TYPE); //m_strFromProc size uiAllocLen += sizeof(JUINT32); uiAllocLen += m_strFromProc.GetLength(); //m_strFromThrd size uiAllocLen += sizeof(JUINT32); uiAllocLen += m_strFromThrd.GetLength(); //m_strFromMod size uiAllocLen += sizeof(JUINT32); uiAllocLen += m_strFromMod.GetLength(); //m_strToProc size uiAllocLen += sizeof(JUINT32); uiAllocLen += m_strToProc.GetLength(); //m_strToThrd size uiAllocLen += sizeof(JUINT32); uiAllocLen += m_strToThrd.GetLength(); //m_strToMod size uiAllocLen += sizeof(JUINT32); uiAllocLen += m_strToMod.GetLength(); //m_pBody size uiAllocLen += sizeof(JUINT32); if (m_pBody) { uiAllocLen += m_pBody->GetLength(); } pBuf = JSingleton<JStaticMemory>::instance()->Alloc(uiAllocLen+1); if (pBuf) { SafeMemset(pBuf, 0, uiAllocLen+1); pTmpBuf = pBuf; uiLeaveLen = uiAllocLen+1; //store the event type into the buffer pEvtType = reinterpret_cast<JEVT_TYPE*>(pTmpBuf); *pEvtType = m_eType; pTmpBuf += sizeof(JEVT_TYPE); uiLeaveLen -= sizeof(JEVT_TYPE); //first store the from process length into the buffer pLen = reinterpret_cast<JUINT32*>(pTmpBuf); *pLen = m_strFromProc.GetLength(); pTmpBuf += sizeof(JUINT32); uiLeaveLen -= sizeof(JUINT32); //then store the from process into the buffer if (*pLen) { SafeStrcpy(pTmpBuf, m_strFromProc.c_str(), uiLeaveLen); pTmpBuf += *pLen; uiLeaveLen -= *pLen; } //first store the from thread length into the buffer pLen = reinterpret_cast<JUINT32*>(pTmpBuf); *pLen = m_strFromThrd.GetLength(); pTmpBuf += sizeof(JUINT32); uiLeaveLen -= sizeof(JUINT32); //then store the from thread into the buffer if (*pLen) { SafeStrcpy(pTmpBuf, m_strFromThrd.c_str(), uiLeaveLen); pTmpBuf += *pLen; uiLeaveLen -= *pLen; } //first store the from module length into the buffer pLen = reinterpret_cast<JUINT32*>(pTmpBuf); *pLen = m_strFromMod.GetLength(); pTmpBuf += sizeof(JUINT32); uiLeaveLen -= sizeof(JUINT32); //then store the from module into the buffer if (*pLen) { SafeStrcpy(pTmpBuf, m_strFromMod.c_str(), uiLeaveLen); pTmpBuf += *pLen; uiLeaveLen -= *pLen; } //first store the to process length into the buffer pLen = reinterpret_cast<JUINT32*>(pTmpBuf); *pLen = m_strToProc.GetLength(); pTmpBuf += sizeof(JUINT32); uiLeaveLen -= sizeof(JUINT32); //then store the to process into the buffer if (*pLen) { SafeStrcpy(pTmpBuf, m_strToProc.c_str(), uiLeaveLen); pTmpBuf += *pLen; uiLeaveLen -= *pLen; } //first store the to thread length into the buffer pLen = reinterpret_cast<JUINT32*>(pTmpBuf); *pLen = m_strToThrd.GetLength(); pTmpBuf += sizeof(JUINT32); uiLeaveLen -= sizeof(JUINT32); //then store the to thread into the buffer if (*pLen) { SafeStrcpy(pTmpBuf, m_strToThrd.c_str(), uiLeaveLen); pTmpBuf += *pLen; uiLeaveLen -= *pLen; } //first store the to module length into the buffer pLen = reinterpret_cast<JUINT32*>(pTmpBuf); *pLen = m_strToMod.GetLength(); pTmpBuf += sizeof(JUINT32); uiLeaveLen -= sizeof(JUINT32); //then store the to module into the buffer if (*pLen) { SafeStrcpy(pTmpBuf, m_strToMod.c_str(), uiLeaveLen); pTmpBuf += *pLen; uiLeaveLen -= *pLen; } //first store the body length into the buffer pBodyLen = reinterpret_cast<JUINT32*>(pTmpBuf); if (m_pBody) { *pBodyLen = m_pBody->GetLength(); pTmpBuf += sizeof(JUINT32); uiLeaveLen -= sizeof(JUINT32); //then store the body into the buffer if (*pBodyLen) { m_pBody->Serialize(pTmpBuf, uiLeaveLen); } } else { *pBodyLen = 0; pTmpBuf += sizeof(JUINT32); uiLeaveLen -= sizeof(JUINT32); } *uiLen = uiAllocLen; return pBuf; } return JNULL; }