static
RBOOL
getStoreConf
(
)
{
RBOOL isSuccess = FALSE;
RPU8 storeFile = NULL;
RU32 storeFileSize = 0;
rpHCPIdentStore* storeV2 = NULL;
OBFUSCATIONLIB_DECLARE( store, RP_HCP_CONFIG_IDENT_STORE );
OBFUSCATIONLIB_TOGGLE( store );
if( rpal_file_read( (RPNCHAR)store, (RPVOID)&storeFile, &storeFileSize, FALSE ) )
{
if( sizeof( rpHCPIdentStore ) <= storeFileSize )
{
storeV2 = (rpHCPIdentStore*)storeFile;
if( storeV2->enrollmentTokenSize == storeFileSize - sizeof( rpHCPIdentStore ) )
{
isSuccess = TRUE;
rpal_debug_info( "ident store found" );
if( NULL != ( g_hcpContext.enrollmentToken = rpal_memory_alloc( storeV2->enrollmentTokenSize ) ) )
{
rpal_memory_memcpy( g_hcpContext.enrollmentToken, storeV2->enrollmentToken, storeV2->enrollmentTokenSize );
g_hcpContext.enrollmentTokenSize = storeV2->enrollmentTokenSize;
}
g_hcpContext.currentId = storeV2->agentId;
}
else
{
rpal_debug_warning( "inconsistent ident store, reseting" );
rpal_file_delete( (RPNCHAR)store, FALSE );
}
}
rpal_memory_free( storeFile );
}
OBFUSCATIONLIB_TOGGLE( store );
// Set some always-correct defaults
g_hcpContext.currentId.id.platformId = RP_HCP_ID_MAKE_PLATFORM( RP_HCP_PLATFORM_CURRENT_CPU, RP_HCP_PLATFORM_CURRENT_MAJOR, RP_HCP_PLATFORM_CURRENT_MINOR );
return isSuccess;
}
static
RVOID
processFile
(
rSequence notif
)
{
RPCHAR fileA = NULL;
RPWCHAR fileW = NULL;
RPU8 fileContent = NULL;
RU32 fileSize = 0;
CryptoLib_Hash hash = { 0 };
if( NULL != notif )
{
obsLib_resetSearchState( matcherA );
obsLib_resetSearchState( matcherW );
if( ( rSequence_getSTRINGA( notif, RP_TAGS_FILE_PATH, &fileA ) &&
obsLib_setTargetBuffer( matcherA,
fileA,
( rpal_string_strlen( fileA ) + 1 ) * sizeof( RCHAR ) ) &&
obsLib_nextHit( matcherA, NULL, NULL ) ) ||
( rSequence_getSTRINGW( notif, RP_TAGS_FILE_PATH, &fileW ) &&
obsLib_setTargetBuffer( matcherW,
fileW,
( rpal_string_strlenw( fileW ) + 1 ) * sizeof( RWCHAR ) ) &&
obsLib_nextHit( matcherW, NULL, NULL ) ) )
{
// This means it's a file of interest.
if( ( NULL != fileA &&
( ( DOCUMENT_MAX_SIZE >= rpal_file_getSize( fileA, TRUE ) &&
rpal_file_read( fileA, (RPVOID*)&fileContent, &fileSize, TRUE ) &&
CryptoLib_hash( fileContent, fileSize, &hash ) ) ||
CryptoLib_hashFileA( fileA, &hash, TRUE ) ) ) ||
( NULL != fileW &&
( ( DOCUMENT_MAX_SIZE >= rpal_file_getSizew( fileW, TRUE ) &&
rpal_file_readw( fileW, (RPVOID*)&fileContent, &fileSize, TRUE ) &&
CryptoLib_hash( fileContent, fileSize, &hash ) ) ||
CryptoLib_hashFileW( fileW, &hash, TRUE ) ) ) )
{
// We acquired the hash, either by reading the entire file in memory
// which we will use for caching, or if it was too big by hashing it
// sequentially on disk.
rSequence_unTaintRead( notif );
rSequence_addBUFFER( notif, RP_TAGS_HASH, (RPU8)&hash, sizeof( hash ) );
notifications_publish( RP_TAGS_NOTIFICATION_NEW_DOCUMENT, notif );
}
if( rMutex_lock( cacheMutex ) )
{
if( NULL == fileContent ||
!rSequence_addBUFFER( notif, RP_TAGS_FILE_CONTENT, fileContent, fileSize ) ||
!HbsRingBuffer_add( documentCache, notif ) )
{
rSequence_free( notif );
}
rMutex_unlock( cacheMutex );
}
else
{
rSequence_free( notif );
}
if( NULL != fileContent )
{
rpal_memory_free( fileContent );
}
}
else
{
rSequence_free( notif );
}
}
}
static RVOID
injectIntoProcess
(
)
{
RNCHAR strSeDebug[] = _NC( "SeDebugPrivilege" );
processLibProcEntry* procIds = NULL;
processLibProcEntry* tmpProcId = NULL;
rSequence targetProc = NULL;
RU32 targetPid = 0;
RPWCHAR procName = NULL;
RWCHAR targetProcName[] = _WCH( "EXPLORER.EXE" );
HANDLE hProc = NULL;
RU32 selfSize = 0;
RPVOID remoteDest = NULL;
SIZE_T payloadSize = 0;
RPU8 payloadBuff = NULL;
rpal_debug_info( "getting debug privilege to inject..." );
if( !Get_Privilege( strSeDebug ) )
{
rpal_debug_error( "could not get debug privilege, are we running as admin?" );
return;
}
rpal_debug_info( "getting process list to find explorer.exe" );
procIds = processLib_getProcessEntries( FALSE );
tmpProcId = procIds;
while( NULL != tmpProcId )
{
if( NULL != ( targetProc = processLib_getProcessInfo( tmpProcId->pid, NULL ) ) )
{
if( rSequence_getSTRINGN( targetProc, RP_TAGS_FILE_PATH, &procName ) )
{
rpal_string_toupper( procName );
if( NULL != rpal_string_strstr( procName, targetProcName ) )
{
rpal_debug_info( "found the target process: %d", tmpProcId->pid );
targetPid = tmpProcId->pid;
}
else
{
rpal_debug_info( "not target process, next..." );
}
}
else
{
rpal_debug_warning( "process without file path, odd..." );
}
rSequence_free( targetProc );
targetProc = NULL;
if( 0 != targetPid )
{
break;
}
}
tmpProcId++;
}
rpal_memory_free( procIds );
if( 0 != targetPid )
{
rpal_debug_info( "getting size of self..." );
if( (RU32)(-1) != ( selfSize = rpal_file_getSize( g_self_path, FALSE ) ) )
{
rpal_debug_info( "opening target process with right privileges..." );
if( NULL != ( hProc = OpenProcess( PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, targetPid ) ) )
{
rpal_debug_info( "allocating required memory in remote process..." );
if( NULL != ( remoteDest = VirtualAllocEx( hProc, NULL, selfSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE ) ) )
{
rpal_debug_info( "reading payload to memory before writing it to remote." );
if( rpal_file_read( g_self_path, (RPVOID*)&payloadBuff, (RU32*)&payloadSize, FALSE ) )
{
rpal_debug_info( "writing payload to remote process." );
if( WriteProcessMemory( hProc, remoteDest, payloadBuff, payloadSize, &payloadSize ) &&
payloadSize == selfSize )
{
rpal_debug_info( "successfully written payload to remote process. This should look like an injected PE although no thread was started." );
}
else
{
rpal_debug_error( "error writing payload to remote process." );
}
rpal_memory_free( payloadBuff );
}
else
{
rpal_debug_error( "error reading ourselves as payload." );
}
}
else
{
rpal_debug_error( "error allocating memory in remote process." );
}
CloseHandle( hProc );
}
else
{
rpal_debug_error( "error opening process with VM privilges." );
}
}
else
{
rpal_debug_error( "error getting size of self." );
}
}
}
