        int message,
        void* message_data,
        void* user_data
    YR_RULE* rule = (YR_RULE*)message_data;
    YaraMatchContext* context = (YaraMatchContext*)user_data;
    rSequence event = NULL;

    if( CALLBACK_MSG_RULE_MATCHING == message &&
        NULL != message_data &&
        NULL != user_data )
        if( NULL != ( event = rSequence_new() ) )
            rSequence_addRU32( event, RP_TAGS_PROCESS_ID, context->pid );
            rSequence_addPOINTER64( event, RP_TAGS_BASE_ADDRESS, context->regionBase );
            rSequence_addRU64( event, RP_TAGS_MEMORY_SIZE, context->regionSize );

            hbs_markAsRelated( context->fileInfo, event );

            if( NULL == context->processInfo )
                context->processInfo = processLib_getProcessInfo( context->pid, NULL );

            if( NULL != context->processInfo )
                rSequence_addSEQUENCE( event, RP_TAGS_PROCESS, rSequence_duplicate( context->processInfo ) );

            if( NULL != context->moduleInfo )
                rSequence_addSEQUENCE( event, RP_TAGS_DLL, rSequence_duplicate( context->moduleInfo ) );

            rSequence_addSTRINGA( event, RP_TAGS_RULE_NAME, (char*)rule->identifier );

            notifications_publish( RP_TAGS_NOTIFICATION_YARA_DETECTION, event );

            rSequence_free( event );
            rpal_debug_warning( "error creating event from Yara match" );

// Builds a MODULE_LOAD notification from a kernel-acquired module record and
// publishes it through hbs_publish(). Returns TRUE only when the publish
// succeeded; FALSE on a NULL module, a failed rSequence_new() or a failed
// publish. The notification sequence is freed here on every path once it has
// been created, so no ownership of `notif` leaves this function.
// NOTE(review): this listing has had its braces, the function-name line after
// `static RBOOL` and at least one statement (the body of the `for` loop below)
// stripped; the block structure is read from indentation and should be
// confirmed against the original source.
static RBOOL
        KernelAcqModule* module   // kernel-side record; module->ts is rewritten in place below
    RBOOL isSuccess = FALSE;
    rSequence notif = NULL;
    RU32 pathLength = 0;          // length of module->path as reported by rpal_string_strlen()
    RU32 i = 0;                   // index of the last directory separator found (0 if none)
    RPNCHAR cleanPath = NULL;     // normalized copy of module->path, owned and freed here
    Atom parentAtom = { 0 };
    if( NULL != module )
        if( NULL != ( notif = rSequence_new() ) )
            // Side effect on the caller's struct: the kernel timestamp is shifted
            // to global time by adding the local->global offset (in msec).
            module->ts += MSEC_FROM_SEC( rpal_time_getGlobalFromLocal( 0 ) );

            hbs_timestampEvent( notif, module->ts );
            // Look up the owning process atom by pid so the event can be linked
            // to its parent NEW_PROCESS event; absence of an atom is not an error.
            parentAtom.key.category = RP_TAGS_NOTIFICATION_NEW_PROCESS;
            parentAtom.key.process.pid = module->pid;
            if( atoms_query( &parentAtom, module->ts ) )
                HbsSetParentAtom( notif, parentAtom.id );

            rSequence_addRU32( notif, RP_TAGS_PROCESS_ID, module->pid );
            rSequence_addPOINTER64( notif, RP_TAGS_BASE_ADDRESS, (RU64)module->baseAddress );
            rSequence_addRU64( notif, RP_TAGS_MEMORY_SIZE, module->imageSize );

            // The path is only reported when non-empty. rpal_string_strlen()
            // presumes module->path is NUL-terminated by the kernel component —
            // TODO confirm that guarantee at the acquisition boundary.
            if( 0 != ( pathLength = rpal_string_strlen( module->path ) ) )
                // Fall back to the raw path when normalization fails (cleanPath == NULL);
                // rpal_memory_free() is then called with NULL, which it is assumed to tolerate.
                cleanPath = rpal_file_clean( module->path );
                rSequence_addSTRINGN( notif, RP_TAGS_FILE_PATH, cleanPath ? cleanPath : module->path );
                rpal_memory_free( cleanPath );

                // For compatibility with user mode we extract the module name.
                // Scans backwards for the last `dirSep[0]` (a file-level constant not
                // shown here); index 0 is never tested, so with no separator past it
                // the loop ends with i == 0 and the whole path is used as the name.
                // NOTE(review): the loop body is missing from this listing (presumably
                // a `break` on the separator). If it only breaks, the name passed
                // below starts with the separator character itself — confirm intended.
                for( i = pathLength - 1; i != 0; i-- )
                    if( dirSep[ 0 ] == module->path[ i ] )

                rSequence_addSTRINGN( notif, RP_TAGS_MODULE_NAME, &( module->path[ i ] ) );

                // Only a successful publish counts as success; note the publish
                // happens inside the non-empty-path branch, so a module with an
                // empty path is never reported.
                if( hbs_publish( RP_TAGS_NOTIFICATION_MODULE_LOAD,
                                 notif ) )
                    isSuccess = TRUE;

            // Freed unconditionally after publish; hbs_publish() is not handed ownership.
            rSequence_free( notif );

    return isSuccess;
        rList stringsFound,
        rList searchStrings,
        RPU8 pBuff,
        RU64 size,
        RU64 baseAddr,
        RU32 minLength,
        RU32 maxLength
    RPU8 pCurr;
    RPU8 pEnd;
    RPCHAR pStartStr = NULL;
    RBOOL isChar;
    RPU16 pwCurr;
    RPU16 pwEnd;
    RBOOL isWChar;
    RPWCHAR pwStartStr = NULL;
    RPWCHAR thisStrW = NULL;
    rSequence newFoundStr;

    pCurr = pBuff;
    pEnd = pBuff + size;

    // currently we only deal with NULL terminated strings
    // start with ascii strings...
    while( pCurr < pEnd )
        isChar = rpal_string_isprint( *pCurr );

        if( NULL == pStartStr && isChar )  // found the begining of a string
            pStartStr = (RPCHAR)pCurr;
        else if( NULL != pStartStr && ( !isChar || 0 == *pCurr ) ) // found the end of a string
            // is string NULL or Non-Ascii terminated
            if( 0 == *pCurr || !rpal_string_charIsAscii( *pCurr ) )
                // Null terminate it so we can use it like a normal string
                *pCurr = 0;

                // strlen is really pCurr - pStartStr
                if( (RU32)( (RPCHAR)pCurr - pStartStr ) >= minLength &&
                    (RU32)( (RPCHAR)pCurr - pStartStr ) <= maxLength ) // is string long enough
                    // convert string to wide char for comparision
                    if( NULL != ( thisStrW = rpal_string_atow( pStartStr ) ) )
                        if( _isStringInList( searchStrings, thisStrW ) && NULL != ( newFoundStr = rSequence_new() ) )
                            rSequence_addSTRINGW( newFoundStr, RP_TAGS_STRING, thisStrW );
                            rSequence_addRU64( newFoundStr, RP_TAGS_MEMORY_ADDRESS, baseAddr + ( (RPU8)pStartStr - pBuff ) );

                            if( !rList_addSEQUENCE( stringsFound, newFoundStr ) )
                                rSequence_free( newFoundStr );
                        rpal_memory_free( thisStrW );
            pStartStr = NULL;
    // Now look for Unicode strings
    pwCurr = (RPU16)pBuff;
    pwEnd = pwCurr + ( size / 2 );
    while( pwCurr < pwEnd )
        isWChar = rpal_string_isprintW( *pwCurr );

        if( NULL == pwStartStr && isWChar )  // found the begining of a string
            pwStartStr = (RPWCHAR)pwCurr;
        else if( NULL != pwStartStr && ( !isWChar || 0 == *pwCurr ) ) // found the end of a string
            // is string NULL terminated
            if( 0 == *pwCurr )
                // wcslen is really pCurr - pStartStr
                if( (RU32)( (RPWCHAR)pwCurr - pwStartStr ) >= minLength &&
                    (RU32)( (RPWCHAR)pwCurr - pwStartStr ) <= maxLength ) // is string long enough

                    if( _isStringInList( searchStrings, pwStartStr ) && NULL != ( newFoundStr = rSequence_new() ) )
                        rSequence_addSTRINGW( newFoundStr, RP_TAGS_STRING, pwStartStr );
                        rSequence_addRU64( newFoundStr, RP_TAGS_MEMORY_ADDRESS, baseAddr + ( (RPU8)pwStartStr - pBuff ) );

                        if( !rList_addSEQUENCE( stringsFound, newFoundStr ) )
                            rSequence_free( newFoundStr );
            pwStartStr = NULL;