/**
 * Called when netfilter destroys a tracked connection.
 *
 * Looks up the extension this module attached to the conntrack entry and,
 * if a higher-level connection is bound to it, notifies the scheduler that
 * the connection has terminated. The connection is pinned with a reference
 * for the duration of the callback.
 *
 * @param nfct The conntrack entry (netfilter side) being destroyed.
 */
static void hooks_conn_destroy(struct nf_conn *nfct)
{
	struct hooks_conn *ext = __nf_ct_ext_find(nfct, HOOKS_GET_CTEXTID);
	struct connection *conn;

	if (unlikely(ext == NULL))	/* no extension on this entry */
		return;

	conn = ext->connection;
	if (conn == NULL)		/* entry never got a connection bound */
		return;

	connection_ref(conn);		/* REF: keep it alive across the callback */
	scheduler_interface_onconnterminate(conn);
	connection_unref(conn);		/* UNREF */
}
/*
 * Walk the recorded API-call profile and report whether any call is recv().
 * Every recv() hit is logged, exactly as the inline loop used to do.
 *
 * @param env Emulator environment whose env->profile has been populated.
 * @return true if at least one profiled function is recv().
 */
static bool profile_needs_emulation(struct emu_env *env)
{
	bool found = false;
	struct emu_profile_function *fn;

	for (fn = emu_profile_functions_first(env->profile->functions);
	     !emu_profile_functions_istail(fn);
	     fn = emu_profile_functions_next(fn)) {
		if (strcmp("recv", fn->fnname) == 0) {
			g_message("Can not profile %s, emulating instead", fn->fnname);
			found = true;
		}
	}
	return found;
}

/**
 * Run a shellcode payload through libemu's profiler and report the result.
 *
 * The payload is mapped at CODE_OFFSET, execution starts at
 * CODE_OFFSET + offset with a fixed ESP, and the resulting API-call profile
 * is serialised to JSON and queued to the main loop as a
 * "dionaea.module.emu.profile" incident. If the profiled code calls recv()
 * the profile path is abandoned and the payload is handed to emulate()
 * instead.
 *
 * @param conf   Emulation configuration, forwarded to emulate() if needed.
 * @param con    Connection the payload came from; referenced once when it
 *               is attached to the incident.
 * @param data   Shellcode bytes.
 * @param size   Number of bytes in @p data.
 * @param offset Entry point of the shellcode relative to @p data.
 */
void profile(struct emu_config *conf, struct connection *con, void *data, unsigned int size, unsigned int offset)
{
	struct emu *e = emu_new();
	struct emu_env *env = emu_env_new(e);
	struct emu_cpu *cpu = emu_cpu_get(e);
	struct emu_memory *mem = emu_memory_get(e);

	env->profile = emu_profile_new();

	/* same initial stack pointer emulate() uses */
	emu_cpu_reg32_set(cpu, esp, 0x0012fe98);
	emu_memory_write_block(mem, CODE_OFFSET, data, size);
	emu_cpu_eip_set(cpu, CODE_OFFSET + offset);

	run(e, env);

	if (profile_needs_emulation(env)) {
		emulate(conf, con, data, size, offset);
	} else {
		GString *json = g_string_new(NULL);
		struct incident *report;
		GAsyncQueue *queue;

		json_profile_debug(env->profile, json);

		report = incident_new("dionaea.module.emu.profile");
		incident_value_string_set(report, "profile", json);
		incident_value_con_set(report, "con", con);
		connection_ref(con);

		/* hand the report to the main loop and wake it up */
		queue = g_async_queue_ref(g_dionaea->threads->cmds);
		g_async_queue_push(queue, async_cmd_new(async_incident_report, report));
		g_async_queue_unref(queue);
		ev_async_send(g_dionaea->loop, &g_dionaea->threads->trigger);
	}

	emu_env_free(env);
	emu_free(e);
}
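/**
 * Create a curl download session for the URL carried by an incident.
 *
 * Builds a `struct session` of type session_type_download, configures its
 * easy handle (callbacks, low-speed abort, redirect policy, temp output
 * file) and registers it with the shared multi handle. When the incident
 * carries a connection, the download is sourced from that connection's
 * local address (CURLOPT_INTERFACE) and the connection is referenced and
 * kept in action.download.ctxcon.
 *
 * @param i   The incident that triggered the download.
 * @param url URL to fetch; it is copied, the caller keeps ownership.
 */
static void session_download_new(struct incident *i, char *url)
{
	g_debug("%s incident %p", __PRETTY_FUNCTION__, i);

	struct session *session = session_new();
	session->type = session_type_download;
	session->url = g_strdup(url);

	struct connection *con = NULL;
	if (incident_value_con_get(i, "con", &con)) {
		/* bind the outgoing request to the address the peer talked to */
		session->laddr = g_strdup(con->local.ip_string);
		curl_easy_setopt(session->easy, CURLOPT_INTERFACE, session->laddr);
		connection_ref(con);
	}

	curl_easy_setopt(session->easy, CURLOPT_URL, session->url);
	curl_easy_setopt(session->easy, CURLOPT_WRITEFUNCTION, curl_writefunction_cb);
	curl_easy_setopt(session->easy, CURLOPT_WRITEDATA, session);
	curl_easy_setopt(session->easy, CURLOPT_DEBUGFUNCTION, curl_debugfunction_cb);
	curl_easy_setopt(session->easy, CURLOPT_VERBOSE, 1L);
	curl_easy_setopt(session->easy, CURLOPT_ERRORBUFFER, session->error);
	curl_easy_setopt(session->easy, CURLOPT_PRIVATE, session);
	curl_easy_setopt(session->easy, CURLOPT_NOPROGRESS, 0L);
	/* CURLOPT_FOLLOWLOCATION is a boolean `long`; the old code passed the
	 * int 10 here, which is the wrong type for a varargs long and imposed no
	 * redirect cap. Follow redirects but bound them, as the URL is untrusted. */
	curl_easy_setopt(session->easy, CURLOPT_FOLLOWLOCATION, 1L);
	curl_easy_setopt(session->easy, CURLOPT_MAXREDIRS, 10L);
	curl_easy_setopt(session->easy, CURLOPT_PROGRESSFUNCTION, curl_progressfunction_cb);
	curl_easy_setopt(session->easy, CURLOPT_PROGRESSDATA, session);
	/* abort a transfer that stays below 10 bytes/s for 3 seconds */
	curl_easy_setopt(session->easy, CURLOPT_LOW_SPEED_TIME, 3L);
	curl_easy_setopt(session->easy, CURLOPT_LOW_SPEED_LIMIT, 10L);
	curl_easy_setopt(session->easy, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");

	session->action.download.file = tempfile_new(curl_runtime.download_dir, "http-");
	session->action.download.ctxcon = con;
	g_debug("session %p file %i path %s", session,
	        session->action.download.file->fd,
	        session->action.download.file->path);

	g_debug("Adding easy %p to multi %p (%s)", session->easy, curl_runtime.multi, url);
	curl_multi_add_handle(curl_runtime.multi, session->easy);
	curl_runtime.queued++;
	check_run_count();
}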
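/**
 * Feed one chunk of connection traffic to a processor.
 *
 * If the processor implements the direct io_in/io_out callback for the
 * given direction, the chunk is handed to it synchronously. Otherwise the
 * chunk is appended to the processor's bistream and, unless a worker is
 * already queued for this processor (pd->queued.refs != 0), a worker is
 * pushed onto the global thread pool to drain it. The connection is
 * referenced once per queued worker.
 *
 * @param con       Connection the data belongs to.
 * @param pd        Per-connection processor state.
 * @param data      Chunk of bytes.
 * @param size      Number of bytes in @p data.
 * @param direction bistream_in or bistream_out.
 */
void processor_io_single(struct connection *con, struct processor_data *pd, void *data, int size, enum bistream_direction direction)
{
	processor_io io = NULL;
	GFunc thread_io = NULL;

	if (direction == bistream_in) {
		io = pd->processor->io_in;
		if (io == NULL)
			thread_io = processors_io_in_thread;
	} else {
		io = pd->processor->io_out;
		if (io == NULL)
			thread_io = processors_io_out_thread;
	}

	if (thread_io != NULL) {
		bistream_data_add(pd->bistream, direction, data, size);

		g_mutex_lock(&pd->queued.mutex);
		if (pd->queued.refs == 0) {
			/* GLib requires a GError out-pointer to start out NULL;
			 * the previous uninitialised value was undefined behaviour. */
			GError *thread_error = NULL;
			struct thread *t = thread_new(con, pd, thread_io);

			pd->queued.refs++;
			connection_ref(con);
			if (!g_thread_pool_push(g_dionaea->threads->pool, t, &thread_error)) {
				/* Only thread creation can fail; GLib still appends `t`
				 * to the pool's queue, so the bookkeeping above stands. */
				g_warning("%s: could not spawn processor thread: %s",
				          __PRETTY_FUNCTION__,
				          thread_error != NULL ? thread_error->message : "unknown error");
				g_clear_error(&thread_error);
			}
		}
		g_mutex_unlock(&pd->queued.mutex);
	} else if (io != NULL) {
		io(con, pd, data, size);
	}
}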
/* NULL-tolerant connection_ref(): a NULL argument yields NULL, anything
 * else is passed to connection_ref() and its result returned. */
static gpointer _connection_ref0(gpointer self)
{
	if (self == NULL)
		return NULL;
	return connection_ref(self);
}
/**
 * Emulate a shellcode payload in libemu's win32 environment.
 *
 * Allocates an emu_emulate_ctx, installs hooks for the socket, process and
 * file APIs the payload may call, maps the payload at CODE_OFFSET with
 * EIP = CODE_OFFSET + offset and a fixed ESP, and runs emulate_thread()
 * on the context.
 *
 * @param conf   Emulation configuration, stored in ctx->config.
 * @param con    Originating connection; referenced into ctx->ctxcon when
 *               non-NULL.
 * @param data   Shellcode bytes.
 * @param size   Number of bytes in @p data.
 * @param offset Entry point of the shellcode relative to @p data.
 */
void emulate(struct emu_config *conf, struct connection *con, void *data, unsigned int size, unsigned int offset)
{
#define CODE_OFFSET 0x417000
	struct emu_emulate_ctx *ctx = g_malloc0(sizeof *ctx);

	ctx->config = conf;
	ctx->sockets = g_hash_table_new(g_int_hash, g_int_equal);
	ctx->processes = g_hash_table_new(g_int_hash, g_int_equal);
	ctx->files = g_hash_table_new(g_int_hash, g_int_equal);
	ctx->ctxcon = con;
	if (con != NULL)
		connection_ref(con);

	ctx->emu = emu_new();
	ctx->env = emu_env_new(ctx->emu);
	ctx->env->userdata = ctx;
	g_mutex_init(&ctx->mutex);
	ctx->serial = 67;

	struct emu_env *env = ctx->env;
	struct emu_cpu *cpu = emu_cpu_get(ctx->emu);

	/* win32 API surface the hooks intercept; low-level hooks for the two
	 * calls that need raw access to the emulator state */
	emu_env_w32_load_dll(env->env.win, "ws2_32.dll");
	emu_ll_w32_export_hook(env, "accept", ll_win_hook_accept, NULL);
	emu_env_w32_export_hook(env, "bind", user_hook_bind, NULL);
	emu_env_w32_export_hook(env, "closesocket", user_hook_close, NULL);
	emu_env_w32_export_hook(env, "connect", user_hook_connect, NULL);
	emu_env_w32_export_hook(env, "listen", user_hook_listen, NULL);
	emu_ll_w32_export_hook(env, "recv", ll_win_hook_recv, NULL);
	emu_env_w32_export_hook(env, "send", user_hook_send, NULL);
	emu_env_w32_export_hook(env, "socket", user_hook_socket, NULL);
	emu_env_w32_export_hook(env, "WSASocketA", user_hook_WSASocket, NULL);
	emu_env_w32_export_hook(env, "CreateProcessA", user_hook_CreateProcess, NULL);
	emu_env_w32_export_hook(env, "WaitForSingleObject", user_hook_WaitForSingleObject, NULL);
	emu_env_w32_export_hook(env, "CreateFileA", user_hook_CreateFile, NULL);
	emu_env_w32_export_hook(env, "WriteFile", user_hook_WriteFile, NULL);
	emu_env_w32_export_hook(env, "CloseHandle", user_hook_CloseHandle, NULL);
	emu_env_w32_export_hook(env, "_lcreat", user_hook__lcreat, NULL);
	emu_env_w32_export_hook(env, "_lwrite", user_hook__lwrite, NULL);
	emu_env_w32_export_hook(env, "_lclose", user_hook__lclose, NULL);

	/* start from a clean register file and flags */
	for (int reg = 0; reg < 8; reg++)
		emu_cpu_reg32_set(cpu, reg, 0);
	emu_cpu_eflags_set(cpu, 0);

	/* map the payload and point the CPU at its entry */
	emu_memory_write_block(emu_memory_get(ctx->emu), CODE_OFFSET, data, size);
	emu_cpu_eip_set(cpu, CODE_OFFSET + offset);
	emu_cpu_reg32_set(cpu, esp, 0x0012fe98);

	emulate_thread(NULL, ctx);
}