RBOOL collector_18_cleanup ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; UNREFERENCED_PARAMETER( config ); if( NULL != hbsState ) { notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, createQueue, NULL ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_GET_DOCUMENT_REQ, NULL, getDocument ); rQueue_free( createQueue ); createQueue = NULL; obsLib_free( matcherA ); obsLib_free( matcherW ); HbsRingBuffer_free( documentCache ); matcherA = NULL; matcherW = NULL; documentCache = NULL; rMutex_free( cacheMutex ); cacheMutex = NULL; isSuccess = TRUE; } return isSuccess; }
RBOOL collector_15_cleanup ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; UNREFERENCED_PARAMETER( hbsState ); UNREFERENCED_PARAMETER( config ); if( notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, g_newProcessNotifications, NULL ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_MEM_DISK_MISMATCH_REQ, NULL, scan_for_hollowing ) ) { if( rQueue_free( g_newProcessNotifications ) ) { isSuccess = TRUE; g_newProcessNotifications = NULL; } } return isSuccess; }
RBOOL collector_10_init ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; UNREFERENCED_PARAMETER( config ); if( NULL != hbsState ) { if( notifications_subscribe( RP_TAGS_NOTIFICATION_MEM_MAP_REQ, NULL, 0, NULL, mem_map ) && notifications_subscribe( RP_TAGS_NOTIFICATION_MEM_READ_REQ, NULL, 0, NULL, mem_read ) && notifications_subscribe( RP_TAGS_NOTIFICATION_MEM_HANDLES_REQ, NULL, 0, NULL, mem_handles ) && notifications_subscribe( RP_TAGS_NOTIFICATION_MEM_FIND_HANDLE_REQ, NULL, 0, NULL, mem_find_handle ) && notifications_subscribe( RP_TAGS_NOTIFICATION_MEM_STRINGS_REQ, NULL, 0, NULL, mem_strings ) && notifications_subscribe( RP_TAGS_NOTIFICATION_MEM_FIND_STRING_REQ, NULL, 0, NULL, mem_find_string ) ) { isSuccess = TRUE; } else { notifications_unsubscribe( RP_TAGS_NOTIFICATION_MEM_MAP_REQ, NULL, mem_map ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_MEM_READ_REQ, NULL, mem_read ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_MEM_HANDLES_REQ, NULL, mem_handles ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_MEM_FIND_HANDLE_REQ, NULL, mem_find_handle ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_MEM_STRINGS_REQ, NULL, mem_strings ); } } return isSuccess; }
RBOOL collector_3_cleanup ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; UNREFERENCED_PARAMETER( config ); if( NULL != hbsState ) { if( notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, processNewProcesses ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, NULL, processNewModule ) ) { isSuccess = TRUE; } rpal_bloom_destroy( knownCode ); knownCode = NULL; } return isSuccess; }
RBOOL collector_3_cleanup ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; UNREFERENCED_PARAMETER( config ); if( NULL != hbsState ) { if( notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, processNewProcesses ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, NULL, processNewModule ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_SERVICE_CHANGE, NULL, processHashedEvent ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_DRIVER_CHANGE, NULL, processHashedEvent ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_AUTORUN_CHANGE, NULL, processHashedEvent ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_OS_SERVICES_REP, NULL, processGenericSnapshot ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_OS_DRIVERS_REP, NULL, processGenericSnapshot ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_OS_PROCESSES_REP, NULL, processGenericSnapshot ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_OS_AUTORUNS_REP, NULL, processGenericSnapshot ) ) { isSuccess = TRUE; } rpal_bloom_destroy( g_knownCode ); g_knownCode = NULL; rMutex_free( g_mutex ); g_mutex = NULL; } return isSuccess; }
RBOOL collector_3_init ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; UNREFERENCED_PARAMETER( config ); if( NULL != hbsState ) { if( NULL != ( knownCode = rpal_bloom_create( 50000, 0.00001 ) ) ) { isSuccess = FALSE; if( notifications_subscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, 0, NULL, processNewProcesses ) && notifications_subscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, NULL, 0, NULL, processNewModule ) ) { isSuccess = TRUE; } else { notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, NULL, processNewModule ); rpal_bloom_destroy( knownCode ); } } } return isSuccess; }
RBOOL collector_5_init ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; UNREFERENCED_PARAMETER( config ); if( NULL != hbsState ) { if( notifications_subscribe( RP_TAGS_NOTIFICATION_HIDDEN_MODULE_REQ, NULL, 0, NULL, scan_for_hidden_module ) && rThreadPool_task( hbsState->hThreadPool, lookForHiddenModulesConstantly, NULL ) ) { isSuccess = TRUE; } else { notifications_unsubscribe( RP_TAGS_NOTIFICATION_HIDDEN_MODULE_REQ, NULL, scan_for_hidden_module ); } } return isSuccess; }
RBOOL collector_15_init ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; UNREFERENCED_PARAMETER( config ); if( NULL != hbsState ) { if( rQueue_create( &g_newProcessNotifications, _freeEvt, 20 ) ) { if( notifications_subscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, 0, g_newProcessNotifications, NULL ) && notifications_subscribe( RP_TAGS_NOTIFICATION_MODULE_MEM_DISK_MISMATCH_REQ, NULL, 0, NULL, scan_for_hollowing ) && rThreadPool_task( hbsState->hThreadPool, spotCheckProcessConstantly, NULL ) && rThreadPool_task( hbsState->hThreadPool, spotCheckNewProcesses, NULL ) ) { isSuccess = TRUE; } else { notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, g_newProcessNotifications, NULL ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_MEM_DISK_MISMATCH_REQ, NULL, scan_for_hollowing ); rQueue_free( g_newProcessNotifications ); g_newProcessNotifications = NULL; } } } return isSuccess; }
RBOOL collector_16_cleanup ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; UNREFERENCED_PARAMETER( config ); if( NULL != hbsState ) { notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_RULES_UPDATE, NULL, updateSignatures ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_SCAN, NULL, doScan ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, g_async_files_to_scan, NULL ); if( rMutex_lock( g_global_rules_mutex ) ) { if( NULL != g_global_rules ) { yr_rules_destroy( g_global_rules ); g_global_rules = NULL; } rMutex_unlock( g_global_rules_mutex ); } rQueue_free( g_async_files_to_scan ); g_async_files_to_scan = NULL; rMutex_free( g_global_rules_mutex ); g_global_rules_mutex = NULL; yr_finalize(); isSuccess = TRUE; } return isSuccess; }
RBOOL collector_14_cleanup ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; UNREFERENCED_PARAMETER( hbsState ); UNREFERENCED_PARAMETER( config ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_DENY_TREE_REQ, NULL, denyNewTree ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, denyNewProcesses ); rMutex_lock( g_deniedMutex ); rpal_blob_free( g_denied ); g_denied = NULL; rMutex_free( g_deniedMutex ); g_deniedMutex = NULL; isSuccess = TRUE; return isSuccess; }
RBOOL collector_5_cleanup ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; UNREFERENCED_PARAMETER( config ); if( NULL != hbsState ) { notifications_unsubscribe( RP_TAGS_NOTIFICATION_HIDDEN_MODULE_REQ, NULL, scan_for_hidden_module ); isSuccess = TRUE; } return isSuccess; }
RBOOL collector_22_cleanup ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; RU32 i = 0; UNREFERENCED_PARAMETER( config ); if( NULL != hbsState ) { notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, NULL, processFileIo ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_DELETE, NULL, processFileIo ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_MODIFIED, NULL, processFileIo ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_READ, NULL, processFileIo ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, processNewProcesses ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_EXISTING_PROCESS, NULL, processNewProcesses ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_TERMINATE_PROCESS, NULL, processTerminateProcesses ); obsLib_free( g_extensions ); g_extensions = NULL; if( NULL != g_procContexts ) { for( i = 0; i < g_procContexts->nElements; i++ ) { rpal_memory_free( ( (ProcExtInfo*)g_procContexts->elements[ i ] )->processPath ); rpal_memory_free( g_procContexts->elements[ i ] ); } } rpal_vector_free( g_procContexts ); g_procContexts = NULL; rMutex_free( g_mutex ); g_mutex = NULL; isSuccess = TRUE; } return isSuccess; }
RBOOL collector_5_init ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; RU64 timeDelta = 0; UNREFERENCED_PARAMETER( config ); if( NULL != hbsState ) { if( rpal_memory_isValid( config ) || !rSequence_getTIMEDELTA( config, RP_TAGS_TIMEDELTA, &timeDelta ) ) { timeDelta = _DEFAULT_TIME_DELTA; } if( notifications_subscribe( RP_TAGS_NOTIFICATION_HIDDEN_MODULE_REQ, NULL, 0, NULL, scan_for_hidden_module ) && rThreadPool_scheduleRecurring( hbsState->hThreadPool, timeDelta, lookForHiddenModules, NULL, TRUE ) ) { isSuccess = TRUE; } else { notifications_unsubscribe( RP_TAGS_NOTIFICATION_HIDDEN_MODULE_REQ, NULL, scan_for_hidden_module ); } } return isSuccess; }
RBOOL collector_16_init ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; UNREFERENCED_PARAMETER( config ); if( NULL != hbsState ) { if( 0 == yr_initialize() ) { if( NULL != ( g_global_rules_mutex = rMutex_create() ) ) { if( rQueue_create( &g_async_files_to_scan, _freeSeq, 100 ) ) { if( notifications_subscribe( RP_TAGS_NOTIFICATION_YARA_RULES_UPDATE, NULL, 0, NULL, updateSignatures ) && notifications_subscribe( RP_TAGS_NOTIFICATION_YARA_SCAN, NULL, 0, NULL, doScan ) && notifications_subscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, NULL, 0, g_async_files_to_scan, NULL ) ) { isSuccess = TRUE; if( !rThreadPool_task( hbsState->hThreadPool, continuousMemScan, NULL ) || !rThreadPool_task( hbsState->hThreadPool, continuousFileScan, NULL ) ) { isSuccess = FALSE; } } } } } } if( !isSuccess ) { notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_RULES_UPDATE, NULL, updateSignatures ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_SCAN, NULL, doScan ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, g_async_files_to_scan, NULL); rQueue_free( g_async_files_to_scan ); g_async_files_to_scan = NULL; rMutex_free( g_global_rules_mutex ); g_global_rules_mutex = NULL; yr_finalize(); } return isSuccess; }
RBOOL collector_18_init ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; rList extensions = NULL; rList patterns = NULL; RPCHAR strA = NULL; RPCHAR tmpA = NULL; RPWCHAR strW = NULL; RPWCHAR tmpW = NULL; RU32 maxSize = 0; RBOOL isCaseInsensitive = FALSE; if( NULL != hbsState ) { #ifdef RPAL_PLATFORM_WINDOWS // On Windows files and paths are not case sensitive. isCaseInsensitive = TRUE; #endif if( NULL == config || rSequence_getLIST( config, RP_TAGS_EXTENSIONS, &extensions ) || rSequence_getLIST( config, RP_TAGS_PATTERNS, &patterns ) ) { if( NULL != ( cacheMutex = rMutex_create() ) && NULL != ( matcherA = obsLib_new( 0, 0 ) ) && NULL != ( matcherW = obsLib_new( 0, 0 ) ) ) { cacheSize = 0; if( NULL != config && rSequence_getRU32( config, RP_TAGS_MAX_SIZE, &maxSize ) ) { cacheMaxSize = maxSize; } else { cacheMaxSize = MAX_CACHE_SIZE; } if( NULL != ( documentCache = HbsRingBuffer_new( 0, cacheMaxSize ) ) ) { if( NULL == config ) { // As a default we'll cache all new files obsLib_addPattern( matcherA, (RPU8)"", sizeof( RCHAR ), NULL ); obsLib_addPattern( matcherW, (RPU8)_WCH(""), sizeof( RWCHAR ), NULL ); } else { // If a config was provided we'll cache only certain extensions // specified. while( rList_getSTRINGA( extensions, RP_TAGS_EXTENSION, &strA ) ) { if( rpal_string_expand( strA, &tmpA ) ) { obsLib_addStringPatternA( matcherA, tmpA, TRUE, isCaseInsensitive, NULL ); rpal_memory_free( tmpA ); } if( NULL != ( strW = rpal_string_atow( strA ) ) ) { if( rpal_string_expandw( strW, &tmpW ) ) { obsLib_addStringPatternW( matcherW, tmpW, TRUE, isCaseInsensitive, NULL ); rpal_memory_free( tmpW ); } rpal_memory_free( strW ); } } while( rList_getSTRINGW( extensions, RP_TAGS_EXTENSION, &strW ) ) { if( rpal_string_expandw( strW, &tmpW ) ) { obsLib_addStringPatternW( matcherW, tmpW, TRUE, isCaseInsensitive, NULL ); rpal_memory_free( tmpW ); } if( NULL != ( strA = rpal_string_wtoa( strW ) ) ) { if( rpal_string_expand( strA, &tmpA ) ) { obsLib_addStringPatternA( matcherA, tmpA, TRUE, isCaseInsensitive, NULL ); rpal_memory_free( tmpA ); } rpal_memory_free( strA ); } } while( rList_getSTRINGA( patterns, RP_TAGS_STRING_PATTERN, &strA ) ) { if( rpal_string_expand( strA, &tmpA ) ) { obsLib_addStringPatternA( matcherA, tmpA, FALSE, isCaseInsensitive, NULL ); rpal_memory_free( tmpA ); } if( NULL != ( strW = rpal_string_atow( strA ) ) ) { if( rpal_string_expandw( strW, &tmpW ) ) { obsLib_addStringPatternW( matcherW, tmpW, FALSE, isCaseInsensitive, NULL ); rpal_memory_free( tmpW ); } rpal_memory_free( strW ); } } while( rList_getSTRINGW( patterns, RP_TAGS_STRING_PATTERN, &strW ) ) { if( rpal_string_expandw( strW, &tmpW ) ) { obsLib_addStringPatternW( matcherW, tmpW, FALSE, isCaseInsensitive, NULL ); rpal_memory_free( tmpW ); } if( NULL != ( strA = rpal_string_wtoa( strW ) ) ) { if( rpal_string_expand( strA, &tmpA ) ) { obsLib_addStringPatternA( matcherA, tmpA, FALSE, isCaseInsensitive, NULL ); rpal_memory_free( tmpA ); } rpal_memory_free( strA ); } } } if( rQueue_create( &createQueue, _freeEvt, 200 ) && notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, NULL, 0, createQueue, NULL ) && notifications_subscribe( RP_TAGS_NOTIFICATION_GET_DOCUMENT_REQ, NULL, 0, NULL, getDocument ) && rThreadPool_task( hbsState->hThreadPool, parseDocuments, NULL ) ) { isSuccess = TRUE; } } } if( !isSuccess ) { notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, createQueue, NULL ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_GET_DOCUMENT_REQ, NULL, getDocument ); rQueue_free( createQueue ); createQueue = NULL; obsLib_free( matcherA ); obsLib_free( matcherW ); HbsRingBuffer_free( documentCache ); matcherA = NULL; matcherW = NULL; documentCache = NULL; rMutex_free( cacheMutex ); cacheMutex = NULL; } } } return isSuccess; }
RBOOL collector_22_init ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; rList patterns = NULL; rSequence pattern = NULL; RPCHAR strA = NULL; RPWCHAR strW = NULL; RPNCHAR tmpN = NULL; RU8 patternId = 0; RU32 i = 0; if( NULL != hbsState && NULL != ( g_extensions = obsLib_new( 0, 0 ) ) ) { if( rSequence_getLIST( config, RP_TAGS_PATTERNS, &patterns ) ) { while( rList_getSEQUENCE( patterns, RP_TAGS_RULE, &pattern ) ) { if( rSequence_getRU8( pattern, RP_TAGS_RULE_NAME, &patternId ) ) { if( 64 < patternId || 0 == patternId ) { rpal_debug_critical( "rule id must be below 64 and 1-based." ); continue; } // Base the pattern id to 0 patternId--; if( rSequence_getSTRINGA( pattern, RP_TAGS_EXTENSION, &strA ) && NULL != ( tmpN = rpal_string_aton( strA ) ) ) { _addPattern( g_extensions, tmpN, TRUE, NUMBER_TO_PTR( patternId ) ); rpal_memory_free( tmpN ); } if( rSequence_getSTRINGW( pattern, RP_TAGS_EXTENSION, &strW ) && NULL != ( tmpN = rpal_string_wton( strW ) ) ) { _addPattern( g_extensions, tmpN, TRUE, NUMBER_TO_PTR( patternId ) ); rpal_memory_free( tmpN ); } if( rSequence_getSTRINGA( pattern, RP_TAGS_STRING_PATTERN, &strA ) && NULL != ( tmpN = rpal_string_aton( strA ) ) ) { _addPattern( g_extensions, tmpN, FALSE, NUMBER_TO_PTR( patternId ) ); rpal_memory_free( tmpN ); } if( rSequence_getSTRINGW( pattern, RP_TAGS_STRING_PATTERN, &strW ) && NULL != ( tmpN = rpal_string_wton( strW ) ) ) { _addPattern( g_extensions, tmpN, FALSE, NUMBER_TO_PTR( patternId ) ); rpal_memory_free( tmpN ); } } } if( NULL != ( g_mutex = rMutex_create() ) && NULL != ( g_procContexts = rpal_vector_new() ) && notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, NULL, 0, NULL, processFileIo ) && notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_DELETE, NULL, 0, NULL, processFileIo ) && notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_MODIFIED, NULL, 0, NULL, processFileIo ) && notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_READ, NULL, 0, NULL, processFileIo ) && notifications_subscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, 0, NULL, processNewProcesses ) && notifications_subscribe( RP_TAGS_NOTIFICATION_EXISTING_PROCESS, NULL, 0, NULL, processNewProcesses ) && notifications_subscribe( RP_TAGS_NOTIFICATION_TERMINATE_PROCESS, NULL, 0, NULL, processTerminateProcesses ) ) { isSuccess = TRUE; } } } if( !isSuccess ) { notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, NULL, processFileIo ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_DELETE, NULL, processFileIo ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_MODIFIED, NULL, processFileIo ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_READ, NULL, processFileIo ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, processNewProcesses ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_EXISTING_PROCESS, NULL, processNewProcesses ); notifications_unsubscribe( RP_TAGS_NOTIFICATION_TERMINATE_PROCESS, NULL, processTerminateProcesses ); obsLib_free( g_extensions ); g_extensions = NULL; if( NULL != g_procContexts ) { for( i = 0; i < g_procContexts->nElements; i++ ) { rpal_memory_free( ( (ProcExtInfo*)g_procContexts->elements[ i ] )->processPath ); rpal_memory_free( g_procContexts->elements[ i ] ); } } rpal_vector_free( g_procContexts ); g_procContexts = NULL; rMutex_free( g_mutex ); g_mutex = NULL; } return isSuccess; }