rpHCPId
rpHcpI_seqToHcpId
(
rSequence seq
)
{
rpHCPId id = {0};
if( NULL != seq )
{
if( !rSequence_getRU8( seq,
RP_TAGS_HCP_ID_ORG,
&(id.id.orgId) ) ||
!rSequence_getRU8( seq,
RP_TAGS_HCP_ID_SUBNET,
&(id.id.subnetId) ) ||
!rSequence_getRU32( seq,
RP_TAGS_HCP_ID_UNIQUE,
&(id.id.uniqueId) ) ||
!rSequence_getRU8( seq,
RP_TAGS_HCP_ID_PLATFORM,
&(id.id.platformId) ) ||
!rSequence_getRU8( seq,
RP_TAGS_HCP_ID_CONFIG,
&(id.id.configId) ) )
{
id.raw = 0;
}
}
return id;
}
void
test_memmap
(
void
)
{
processLibProcEntry* entries = NULL;
RU32 entryIndex = 0;
rList regions = NULL;
rSequence region = NULL;
RU32 nRegions = 0;
RU8 type = 0;
RU8 protect = 0;
RU64 ptr = 0;
RU64 size = 0;
entries = processLib_getProcessEntries( TRUE );
CU_ASSERT_PTR_NOT_EQUAL_FATAL( entries, NULL );
CU_ASSERT_NOT_EQUAL_FATAL( entries[ entryIndex ].pid, 0 );
regions = processLib_getProcessMemoryMap( entries[ entryIndex ].pid );
CU_ASSERT_PTR_NOT_EQUAL( regions, NULL );
while( rList_getSEQUENCE( regions, RP_TAGS_MEMORY_REGION, ®ion ) )
{
CU_ASSERT_TRUE( rSequence_getRU8( region, RP_TAGS_MEMORY_TYPE, &type ) );
CU_ASSERT_TRUE( rSequence_getRU8( region, RP_TAGS_MEMORY_ACCESS, &protect ) );
CU_ASSERT_TRUE( rSequence_getPOINTER64( region, RP_TAGS_BASE_ADDRESS, &ptr ) );
CU_ASSERT_TRUE( rSequence_getRU64( region, RP_TAGS_MEMORY_SIZE, &size ) );
nRegions++;
}
CU_ASSERT_TRUE( 2 < nRegions );
rSequence_free( regions );
rpal_memory_free( entries );
}
RPRIVATE_TESTABLE
RBOOL
unloadModule
(
rpHCPContext* hcpContext,
rSequence seq
)
{
RBOOL isSuccess = FALSE;
RpHcp_ModuleId moduleId = (RU8)(-1);
RU32 moduleIndex = (RU32)(-1);
if( NULL != seq &&
NULL != hcpContext )
{
if( rSequence_getRU8( seq,
RP_TAGS_HCP_MODULE_ID,
&moduleId ) )
{
for( moduleIndex = 0; moduleIndex < RP_HCP_CONTEXT_MAX_MODULES; moduleIndex++ )
{
if( moduleId == hcpContext->modules[ moduleIndex ].id )
{
break;
}
}
}
}
if( (RU32)(-1) != moduleIndex &&
RP_HCP_CONTEXT_MAX_MODULES != moduleIndex )
{
#ifdef RP_HCP_LOCAL_LOAD
if( hcpContext->modules[ moduleIndex ].isOsLoaded )
{
// We do not unload modules loaded by the OS in debug since
// they are used to debug modules during development.
return FALSE;
}
#endif
if( rEvent_set( hcpContext->modules[ moduleIndex ].isTimeToStop ) &&
rpal_thread_wait( hcpContext->modules[ moduleIndex ].hThread, ( 30 * 1000 ) ) )
{
isSuccess = TRUE;
_cleanupModuleEntry( &( hcpContext->modules[ moduleIndex ] ) );
}
}
return isSuccess;
}
static RBOOL
updateCollectorConfigs
(
rList newConfigs
)
{
RBOOL isSuccess = FALSE;
RU8 unused = 0;
RU32 i = 0;
rSequence tmpConf = NULL;
RU32 confId = 0;
if( rpal_memory_isValid( newConfigs ) )
{
rpal_debug_info( "updating collector configurations." );
for( i = 0; i < ARRAY_N_ELEM( g_collectors ); i++ )
{
if( NULL != g_collectors[ i ].conf )
{
rpal_debug_info( "freeing collector %d config.", i );
rSequence_free( g_collectors[ i ].conf );
g_collectors[ i ].conf = NULL;
}
}
while( rList_getSEQUENCE( newConfigs, RP_TAGS_HBS_CONFIGURATION, &tmpConf ) )
{
if( rSequence_getRU32( tmpConf, RP_TAGS_HBS_CONFIGURATION_ID, &confId ) &&
confId < ARRAY_N_ELEM( g_collectors ) )
{
if( rSequence_getRU8( tmpConf, RP_TAGS_IS_DISABLED, &unused ) )
{
g_collectors[ confId ].isEnabled = FALSE;
}
else
{
g_collectors[ confId ].isEnabled = TRUE;
g_collectors[ confId ].conf = rSequence_duplicate( tmpConf );
rpal_debug_info( "set new collector %d config.", confId );
}
}
}
isSuccess = TRUE;
}
return isSuccess;
}
static
RU32
_scanProcessWith
(
RU32 pid,
YaraMatchContext* matchContext,
YR_RULES* rules,
rEvent isTimeToStop
)
{
RU32 scanError = (RU32)(-1);
rList modules = NULL;
rSequence module = NULL;
_MemRange* memRanges = NULL;
RU32 i = 0;
rList memoryMap = NULL;
rSequence memoryRegion = NULL;
RU8 memAccess = 0;
RU64 mem = 0;
RU64 memSize = 0;
RPU8 buffer = NULL;
// First pass is to scan known modules
if( NULL != ( modules = processLib_getProcessModules( pid ) ) )
{
rpal_debug_info( "scanning process %d module memory with yara", pid );
// We also generate an optimized list of module ranges for later
if( NULL != ( memRanges = rpal_memory_alloc( sizeof( _MemRange ) *
rList_getNumElements( modules ) ) ) )
{
while( ( NULL == isTimeToStop || !rEvent_wait( isTimeToStop, MSEC_FROM_SEC( 5 ) ) ) &&
rList_getSEQUENCE( modules, RP_TAGS_DLL, &module ) )
{
if( rSequence_getPOINTER64( module, RP_TAGS_BASE_ADDRESS, &mem ) &&
rSequence_getRU64( module, RP_TAGS_MEMORY_SIZE, &memSize ) )
{
memRanges[ i ].base = mem;
memRanges[ i ].size = memSize;
i++;
matchContext->regionBase = mem;
matchContext->regionSize = memSize;
matchContext->moduleInfo = module;
if( processLib_getProcessMemory( pid,
(RPVOID)NUMBER_TO_PTR( mem ),
memSize,
(RPVOID*)&buffer,
TRUE ) )
{
rpal_debug_info( "yara scanning module region of size 0x%lx", memSize );
if( NULL != rules ||
rMutex_lock( g_global_rules_mutex ) )
{
if( ERROR_SUCCESS != ( scanError = yr_rules_scan_mem( NULL == rules ? g_global_rules : rules,
buffer,
(size_t)memSize,
SCAN_FLAGS_FAST_MODE |
SCAN_FLAGS_PROCESS_MEMORY,
_yaraMemMatchCallback,
matchContext,
60 ) ) )
{
rpal_debug_warning( "Yara module scan error: %d 0x%lx 0x%lx: %d",
pid,
mem,
memSize,
scanError );
}
if( NULL == rules )
{
rMutex_unlock( g_global_rules_mutex );
}
}
rpal_memory_free( buffer );
rpal_debug_info( "finished region" );
}
}
}
}
rList_free( modules );
}
// Optimize the memory ranges
if( rpal_memory_isValid( memRanges ) &&
!rpal_sort_array( memRanges, i, sizeof( _MemRange ), (rpal_ordering_func)rpal_order_RU64 ) )
{
rpal_memory_free( memRanges );
memRanges = NULL;
}
// Second pass is to go through executable non-module areas
if( NULL != ( memoryMap = processLib_getProcessMemoryMap( pid ) ) )
{
rpal_debug_info( "scanning process %d non-module memory with yara", pid );
while( ( NULL == isTimeToStop || !rEvent_wait(isTimeToStop, MSEC_FROM_SEC( 5 ) ) ) &&
rList_getSEQUENCE( memoryMap, RP_TAGS_MEMORY_REGION, &memoryRegion ) )
{
if( rSequence_getPOINTER64( memoryRegion, RP_TAGS_BASE_ADDRESS, &mem ) &&
rSequence_getRU64( memoryRegion, RP_TAGS_MEMORY_SIZE, &memSize ) &&
rSequence_getRU8( memoryRegion, RP_TAGS_MEMORY_ACCESS, &memAccess ) &&
( PROCESSLIB_MEM_ACCESS_EXECUTE == memAccess ||
PROCESSLIB_MEM_ACCESS_EXECUTE_READ == memAccess ||
PROCESSLIB_MEM_ACCESS_EXECUTE_READ_WRITE == memAccess ||
PROCESSLIB_MEM_ACCESS_EXECUTE_WRITE_COPY == memAccess ) )
{
// If it's in a known module, skip
if( (RU32)( -1 ) != rpal_binsearch_array_closest( memRanges,
i,
sizeof( _MemRange ),
&mem,
(rpal_ordering_func)rpal_order_RU64,
TRUE ) )
{
continue;
}
matchContext->regionBase = mem;
matchContext->regionSize = memSize;
matchContext->moduleInfo = NULL;
if( processLib_getProcessMemory( pid,
(RPVOID)NUMBER_TO_PTR(mem),
memSize,
(RPVOID*)&buffer,
TRUE ) )
{
rpal_debug_info( "yara scanning memory region of size 0x%lx", memSize );
if( NULL != rules ||
rMutex_lock( g_global_rules_mutex ) )
{
if( ERROR_SUCCESS != ( scanError = yr_rules_scan_mem( NULL == rules ? g_global_rules : rules,
buffer,
(size_t)memSize,
SCAN_FLAGS_FAST_MODE |
SCAN_FLAGS_PROCESS_MEMORY,
_yaraMemMatchCallback,
matchContext,
60 ) ) )
{
rpal_debug_warning( "Yara memory scan error: %d 0x%lx 0x%lx: %d",
pid,
mem,
memSize,
scanError );
}
if( NULL == rules )
{
rMutex_unlock( g_global_rules_mutex );
}
}
rpal_memory_free( buffer );
}
}
}
rList_free( memoryMap );
}
if( rpal_memory_isValid( memRanges ) )
{
rpal_memory_free( memRanges );
}
return scanError;
}
RBOOL
collector_22_init
(
HbsState* hbsState,
rSequence config
)
{
RBOOL isSuccess = FALSE;
rList patterns = NULL;
rSequence pattern = NULL;
RPCHAR strA = NULL;
RPWCHAR strW = NULL;
RPNCHAR tmpN = NULL;
RU8 patternId = 0;
RU32 i = 0;
if( NULL != hbsState &&
NULL != ( g_extensions = obsLib_new( 0, 0 ) ) )
{
if( rSequence_getLIST( config, RP_TAGS_PATTERNS, &patterns ) )
{
while( rList_getSEQUENCE( patterns, RP_TAGS_RULE, &pattern ) )
{
if( rSequence_getRU8( pattern, RP_TAGS_RULE_NAME, &patternId ) )
{
if( 64 < patternId || 0 == patternId )
{
rpal_debug_critical( "rule id must be below 64 and 1-based." );
continue;
}
// Base the pattern id to 0
patternId--;
if( rSequence_getSTRINGA( pattern, RP_TAGS_EXTENSION, &strA ) &&
NULL != ( tmpN = rpal_string_aton( strA ) ) )
{
_addPattern( g_extensions, tmpN, TRUE, NUMBER_TO_PTR( patternId ) );
rpal_memory_free( tmpN );
}
if( rSequence_getSTRINGW( pattern, RP_TAGS_EXTENSION, &strW ) &&
NULL != ( tmpN = rpal_string_wton( strW ) ) )
{
_addPattern( g_extensions, tmpN, TRUE, NUMBER_TO_PTR( patternId ) );
rpal_memory_free( tmpN );
}
if( rSequence_getSTRINGA( pattern, RP_TAGS_STRING_PATTERN, &strA ) &&
NULL != ( tmpN = rpal_string_aton( strA ) ) )
{
_addPattern( g_extensions, tmpN, FALSE, NUMBER_TO_PTR( patternId ) );
rpal_memory_free( tmpN );
}
if( rSequence_getSTRINGW( pattern, RP_TAGS_STRING_PATTERN, &strW ) &&
NULL != ( tmpN = rpal_string_wton( strW ) ) )
{
_addPattern( g_extensions, tmpN, FALSE, NUMBER_TO_PTR( patternId ) );
rpal_memory_free( tmpN );
}
}
}
if( NULL != ( g_mutex = rMutex_create() ) &&
NULL != ( g_procContexts = rpal_vector_new() ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, NULL, 0, NULL, processFileIo ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_DELETE, NULL, 0, NULL, processFileIo ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_MODIFIED, NULL, 0, NULL, processFileIo ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_READ, NULL, 0, NULL, processFileIo ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, 0, NULL, processNewProcesses ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_EXISTING_PROCESS, NULL, 0, NULL, processNewProcesses ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_TERMINATE_PROCESS, NULL, 0, NULL, processTerminateProcesses ) )
{
isSuccess = TRUE;
}
}
}
if( !isSuccess )
{
notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, NULL, processFileIo );
notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_DELETE, NULL, processFileIo );
notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_MODIFIED, NULL, processFileIo );
notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_READ, NULL, processFileIo );
notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, processNewProcesses );
notifications_unsubscribe( RP_TAGS_NOTIFICATION_EXISTING_PROCESS, NULL, processNewProcesses );
notifications_unsubscribe( RP_TAGS_NOTIFICATION_TERMINATE_PROCESS, NULL, processTerminateProcesses );
obsLib_free( g_extensions );
g_extensions = NULL;
if( NULL != g_procContexts )
{
for( i = 0; i < g_procContexts->nElements; i++ )
{
rpal_memory_free( ( (ProcExtInfo*)g_procContexts->elements[ i ] )->processPath );
rpal_memory_free( g_procContexts->elements[ i ] );
}
}
rpal_vector_free( g_procContexts );
g_procContexts = NULL;
rMutex_free( g_mutex );
g_mutex = NULL;
}
return isSuccess;
}
RBOOL
processMessage
(
rSequence seq
)
{
RBOOL isSuccess = FALSE;
RU8 command = 0;
rSequence idSeq = NULL;
rpHCPId tmpId = { 0 };
rpHCPId emptyId = { 0 };
RU64 tmpTime = 0;
rThread hQuitThread = 0;
rpHCPIdentStore identStore = {0};
RPU8 token = NULL;
RU32 tokenSize = 0;
OBFUSCATIONLIB_DECLARE( store, RP_HCP_CONFIG_IDENT_STORE );
if( NULL != seq )
{
if( rSequence_getRU8( seq, RP_TAGS_OPERATION, &command ) )
{
rpal_debug_info( "Received command 0x%0X.", command );
switch( command )
{
case RP_HCP_COMMAND_LOAD_MODULE:
isSuccess = loadModule( &g_hcpContext, seq );
break;
case RP_HCP_COMMAND_UNLOAD_MODULE:
isSuccess = unloadModule( &g_hcpContext, seq );
break;
case RP_HCP_COMMAND_SET_HCP_ID:
if( rSequence_getSEQUENCE( seq, RP_TAGS_HCP_IDENT, &idSeq ) )
{
tmpId = seqToHcpId( idSeq );
if( 0 != rpal_memory_memcmp( &emptyId, &tmpId, sizeof( emptyId ) ) )
{
g_hcpContext.currentId = tmpId;
OBFUSCATIONLIB_TOGGLE( store );
if( rSequence_getBUFFER( seq, RP_TAGS_HCP_ENROLLMENT_TOKEN, &token, &tokenSize ) )
{
identStore.agentId = tmpId;
if( saveHcpId( (RPNCHAR)store, &identStore, token, tokenSize ) )
{
isSuccess = TRUE;
}
if( NULL != g_hcpContext.enrollmentToken )
{
rpal_memory_free( g_hcpContext.enrollmentToken );
g_hcpContext.enrollmentToken = NULL;
}
if( NULL != ( g_hcpContext.enrollmentToken = rpal_memory_alloc( tokenSize ) ) )
{
rpal_memory_memcpy( g_hcpContext.enrollmentToken, token, tokenSize );
g_hcpContext.enrollmentTokenSize = tokenSize;
isSuccess = TRUE;
}
}
else
{
rpal_debug_warning( "hcp id is missing token" );
}
OBFUSCATIONLIB_TOGGLE( store );
}
}
break;
case RP_HCP_COMMAND_SET_GLOBAL_TIME:
if( rSequence_getTIMESTAMP( seq, RP_TAGS_TIMESTAMP, &tmpTime ) )
{
rpal_time_setGlobalOffset( tmpTime - rpal_time_getLocal() );
isSuccess = TRUE;
}
break;
case RP_HCP_COMMAND_QUIT:
if( 0 != ( hQuitThread = rpal_thread_new( thread_quitAndCleanup, NULL ) ) )
{
rpal_thread_free( hQuitThread );
isSuccess = TRUE;
}
break;
case RP_HCP_COMMAND_UPGRADE:
isSuccess = upgradeHcp( seq );
break;
default:
break;
}
if( isSuccess )
{
rpal_debug_info( "Command was successful." );
}
else
{
rpal_debug_warning( "Command was not successful." );
}
}
}
return isSuccess;
}
RPRIVATE_TESTABLE
RBOOL
loadModule
(
rpHCPContext* hcpContext,
rSequence seq
)
{
RBOOL isSuccess = FALSE;
RU32 moduleIndex = (RU32)(-1);
RPU8 tmpBuff = NULL;
RU32 tmpSize = 0;
RPU8 tmpSig = NULL;
RU32 tmpSigSize = 0;
rpal_thread_func pEntry = NULL;
rpHCPModuleContext* modContext = NULL;
OBFUSCATIONLIB_DECLARE( entryName, RP_HCP_CONFIG_MODULE_ENTRY );
OBFUSCATIONLIB_DECLARE( recvMessage, RP_HCP_CONFIG_MODULE_RECV_MESSAGE );
if( NULL != seq &&
NULL != hcpContext )
{
for( moduleIndex = 0; moduleIndex < RP_HCP_CONTEXT_MAX_MODULES; moduleIndex++ )
{
if( 0 == hcpContext->modules[ moduleIndex ].hThread )
{
// Found an empty spot
break;
}
}
}
if( RP_HCP_CONTEXT_MAX_MODULES != moduleIndex &&
(RU32)(-1) != moduleIndex )
{
// We got an empty spot for our module
if( rSequence_getRU8( seq,
RP_TAGS_HCP_MODULE_ID,
&(hcpContext->modules[ moduleIndex ].id ) ) &&
rSequence_getBUFFER( seq,
RP_TAGS_BINARY,
&tmpBuff,
&tmpSize ) &&
rSequence_getBUFFER( seq,
RP_TAGS_SIGNATURE,
&tmpSig,
&tmpSigSize ) &&
CRYPTOLIB_SIGNATURE_SIZE == tmpSigSize )
{
// We got the data, now verify the buffer signature
if( CryptoLib_verify( tmpBuff, tmpSize, getRootPublicKey(), tmpSig ) )
{
// Ready to load the module
rpal_debug_info( "loading module in memory" );
hcpContext->modules[ moduleIndex ].hModule = MemoryLoadLibrary( tmpBuff, tmpSize );
if( NULL != hcpContext->modules[ moduleIndex ].hModule )
{
OBFUSCATIONLIB_TOGGLE( entryName );
pEntry = (rpal_thread_func)MemoryGetProcAddress( hcpContext->modules[ moduleIndex ].hModule,
(RPCHAR)entryName );
OBFUSCATIONLIB_TOGGLE( entryName );
if( NULL != pEntry )
{
modContext = &(hcpContext->modules[ moduleIndex ].context);
modContext->pCurrentId = &( hcpContext->currentId );
modContext->func_sendHome = doSend;
modContext->isTimeToStop = rEvent_create( TRUE );
modContext->rpalContext = rpal_Context_get();
modContext->isOnlineEvent = hcpContext->isCloudOnline;
if( NULL != modContext->isTimeToStop )
{
hcpContext->modules[ moduleIndex ].isTimeToStop = modContext->isTimeToStop;
OBFUSCATIONLIB_TOGGLE( recvMessage );
hcpContext->modules[ moduleIndex ].func_recvMessage =
(rpHCPModuleMsgEntry)MemoryGetProcAddress( hcpContext->modules[ moduleIndex ].hModule,
(RPCHAR)recvMessage );
OBFUSCATIONLIB_TOGGLE( recvMessage );
hcpContext->modules[ moduleIndex ].hThread = rpal_thread_new( pEntry, modContext );
if( 0 != hcpContext->modules[ moduleIndex ].hThread )
{
CryptoLib_hash( tmpBuff, tmpSize, &(hcpContext->modules[ moduleIndex ].hash ) );
hcpContext->modules[ moduleIndex ].isOsLoaded = FALSE;
isSuccess = TRUE;
}
else
{
rpal_debug_warning( "Error creating handler thread for new module." );
}
}
}
else
{
rpal_debug_warning( "Could not find new module's entry point." );
}
}
else
{
rpal_debug_warning( "Error loading module in memory." );
}
}
else
{
rpal_debug_warning( "New module signature invalid." );
}
}
else
{
rpal_debug_warning( "Could not find core module components to load." );
}
// Main cleanup
if( !isSuccess )
{
if( NULL != modContext )
{
IF_VALID_DO( modContext->isTimeToStop, rEvent_free );
}
if( NULL != hcpContext->modules[ moduleIndex ].hModule )
{
MemoryFreeLibrary( hcpContext->modules[ moduleIndex ].hModule );
}
rpal_memory_zero( &(hcpContext->modules[ moduleIndex ] ),
sizeof( hcpContext->modules[ moduleIndex ] ) );
}
}
else
{
rpal_debug_error( "Could not find a spot for new module, or invalid module id!" );
}
return isSuccess;
}
static
RPVOID
lookForHiddenModulesIn
(
rEvent isTimeToStop,
RU32 processId
)
{
rList mods = NULL;
rList map = NULL;
rSequence region = NULL;
RU8 memType = 0;
RU8 memProtect = 0;
RU64 memBase = 0;
RU64 memSize = 0;
RPU8 pMem = NULL;
RBOOL isPrefetched = FALSE;
RBOOL isCurrentExec = FALSE;
RBOOL isHidden = FALSE;
rSequence procInfo = NULL;
#ifdef RPAL_PLATFORM_WINDOWS
PIMAGE_DOS_HEADER pDos = NULL;
PIMAGE_NT_HEADERS pNt = NULL;
#endif
if( NULL != ( mods = processLib_getProcessModules( processId ) ) )
{
if( NULL != ( map = processLib_getProcessMemoryMap( processId ) ) )
{
// Now we got all the info needed for a single process, compare
while( rpal_memory_isValid( isTimeToStop ) &&
!rEvent_wait( isTimeToStop, 0 ) &&
( isPrefetched || rList_getSEQUENCE( map, RP_TAGS_MEMORY_REGION, ®ion ) ) )
{
if( isPrefetched )
{
isPrefetched = FALSE;
}
if( rSequence_getRU8( region, RP_TAGS_MEMORY_TYPE, &memType ) &&
rSequence_getRU8( region, RP_TAGS_MEMORY_ACCESS, &memProtect ) &&
rSequence_getPOINTER64( region, RP_TAGS_BASE_ADDRESS, &memBase ) &&
rSequence_getRU64( region, RP_TAGS_MEMORY_SIZE, &memSize ) )
{
if( PROCESSLIB_MEM_TYPE_PRIVATE == memType ||
PROCESSLIB_MEM_TYPE_MAPPED == memType )
{
if( PROCESSLIB_MEM_ACCESS_EXECUTE == memProtect ||
PROCESSLIB_MEM_ACCESS_EXECUTE_READ == memProtect ||
PROCESSLIB_MEM_ACCESS_EXECUTE_READ_WRITE == memProtect ||
PROCESSLIB_MEM_ACCESS_EXECUTE_WRITE_COPY == memProtect )
{
isCurrentExec = TRUE;
}
else
{
isCurrentExec = FALSE;
}
if( !isMemInModule( memBase, memSize, mods ) )
{
// Exec memory found outside of a region marked to belong to
// a module, keep looking in for module.
if( ( 1024 * 1024 * 10 ) >= memSize &&
processLib_getProcessMemory( processId,
NUMBER_TO_PTR( memBase ),
memSize,
(RPVOID*)&pMem ) )
{
isHidden = FALSE;
#ifdef RPAL_PLATFORM_WINDOWS
// Let's just check for MZ and PE for now, we can get fancy later.
pDos = (PIMAGE_DOS_HEADER)pMem;
if( IS_WITHIN_BOUNDS( (RPU8)pMem, sizeof( IMAGE_DOS_HEADER ), pMem, memSize ) &&
IMAGE_DOS_SIGNATURE == pDos->e_magic )
{
pNt = (PIMAGE_NT_HEADERS)( (RPU8)pDos + pDos->e_lfanew );
if( IS_WITHIN_BOUNDS( pNt, sizeof( *pNt ), pMem, memSize ) &&
IMAGE_NT_SIGNATURE == pNt->Signature )
{
if( isCurrentExec )
{
// If the current region is exec, we've got a hidden module.
isHidden = TRUE;
}
else
{
// We need to check if the next section in memory is
// executable and outside of known modules since the PE
// headers may have been marked read-only before the .text.
if( rList_getSEQUENCE( map, RP_TAGS_MEMORY_REGION, ®ion ) )
{
isPrefetched = TRUE;
if( ( PROCESSLIB_MEM_TYPE_PRIVATE == memType ||
PROCESSLIB_MEM_TYPE_MAPPED == memType ) &&
( PROCESSLIB_MEM_ACCESS_EXECUTE == memProtect ||
PROCESSLIB_MEM_ACCESS_EXECUTE_READ == memProtect ||
PROCESSLIB_MEM_ACCESS_EXECUTE_READ_WRITE == memProtect ||
PROCESSLIB_MEM_ACCESS_EXECUTE_WRITE_COPY == memProtect ) )
{
isHidden = TRUE;
}
}
}
}
}
#elif defined( RPAL_PLATFORM_LINUX ) || defined( RPAL_PLATFORM_MACOSX )
if( isCurrentExec &&
0x7F == ( pMem )[ 0 ] &&
'E' == ( pMem )[ 1 ] &&
'L' == ( pMem )[ 2 ] &&
'F' == ( pMem )[ 3 ] )
{
isHidden = TRUE;
}
#endif
rpal_memory_free( pMem );
if( isHidden &&
!rEvent_wait( isTimeToStop, 0 ) )
{
rpal_debug_info( "found a hidden module in %d.", processId );
if( NULL != ( procInfo = processLib_getProcessInfo( processId ) ) )
{
if( !rSequence_addSEQUENCE( region, RP_TAGS_PROCESS, procInfo ) )
{
rSequence_free( procInfo );
}
}
rSequence_addTIMESTAMP( region, RP_TAGS_TIMESTAMP, rpal_time_getGlobal() );
notifications_publish( RP_TAGS_NOTIFICATION_HIDDEN_MODULE_DETECTED, region );
break;
}
rpal_thread_sleep( 10 );
}
}
}
}
}
rList_free( map );
}
rList_free( mods );
}
return NULL;
}
