static
RU32
uninstallService
(
)
{
RU32 res = (RU32)-1;
RNCHAR svcUnload[] = { _SERVICE_UNLOAD };
RNCHAR svcPath[] = { _SERVICE_FILE };
if( 0 != system( svcUnload ) )
{
rpal_debug_warning( "failed to unload service, already unloaded?" );
}
if( !rpal_file_delete( svcPath, FALSE ) )
{
rpal_debug_warning( "failed to delete file from disk, not present?" );
}
else
{
rpal_debug_info( "uninstalled successfully" );
res = 0;
}
return res;
}
RBOOL
collector_2_init
(
HbsState* hbsState,
rSequence config
)
{
RBOOL isSuccess = FALSE;
UNREFERENCED_PARAMETER( config );
if( NULL != hbsState )
{
#ifdef RPAL_PLATFORM_WINDOWS
RWCHAR apiName[] = _WCH( "dnsapi.dll" );
RCHAR funcName1[] = "DnsGetCacheDataTable";
RCHAR funcName2[] = "DnsFree";
if( NULL != ( hDnsApi = LoadLibraryW( (RPWCHAR)&apiName ) ) )
{
// TODO: investigate the DnsQuery API on Windows to get the DNS resolutions.
if( NULL != ( getCache = (DnsGetCacheDataTable_f)GetProcAddress( hDnsApi, (RPCHAR)&funcName1 ) ) &&
NULL != ( freeCacheEntry = (DnsFree_f)GetProcAddress( hDnsApi, (RPCHAR)&funcName2 ) ) )
{
isSuccess = TRUE;
}
else
{
rpal_debug_warning( "failed to get dns undocumented function" );
FreeLibrary( hDnsApi );
}
}
else
{
rpal_debug_warning( "failed to load dns api" );
}
#elif defined( RPAL_PLATFORM_MACOSX )
isSuccess = TRUE;
#endif
if( isSuccess )
{
isSuccess = FALSE;
if( rThreadPool_task( hbsState->hThreadPool, dnsDiffThread, NULL ) )
{
isSuccess = TRUE;
}
}
}
return isSuccess;
}
static
int
_yaraFileMatchCallback
(
int message,
void* message_data,
void* user_data
)
{
YR_RULE* rule = (YR_RULE*)message_data;
YaraMatchContext* context = (YaraMatchContext*)user_data;
rSequence event = NULL;
if( CALLBACK_MSG_RULE_MATCHING == message &&
NULL != message_data &&
NULL != user_data )
{
if( NULL != ( event = rSequence_duplicate( context->fileInfo ) ) )
{
rSequence_addSTRINGA( event, RP_TAGS_RULE_NAME, (char*)rule->identifier );
notifications_publish( RP_TAGS_NOTIFICATION_YARA_DETECTION, event );
rSequence_free( event );
}
else
{
rpal_debug_warning( "error creating event from Yara match" );
}
}
return CALLBACK_CONTINUE;
}
static RVOID
modKernelModeDiff
(
rEvent isTimeToStop
)
{
RU32 i = 0;
RU32 nScratch = 0;
RU32 prev_nScratch = 0;
KernelAcqModule new_from_kernel[ 200 ] = { 0 };
KernelAcqModule prev_from_kernel[ 200 ] = { 0 };
while( !rEvent_wait( isTimeToStop, 1000 ) )
{
nScratch = ARRAY_N_ELEM( new_from_kernel );
rpal_memory_zero( new_from_kernel, sizeof( new_from_kernel ) );
if( !kAcq_getNewModules( new_from_kernel, &nScratch ) )
{
rpal_debug_warning( "kernel acquisition for new modules failed" );
g_is_kernel_failure = TRUE;
break;
}
for( i = 0; i < prev_nScratch; i++ )
{
notifyOfKernelModule( &(prev_from_kernel[ i ]) );
}
rpal_memory_memcpy( prev_from_kernel, new_from_kernel, sizeof( prev_from_kernel ) );
prev_nScratch = nScratch;
}
}
static RVOID
relaunchInPermanentLocation
(
)
{
RPWCHAR bootstrapLocations[] = { _WCH( "%SYSTEMDRIVE%\\$Recycle.Bin\\MALWARE_DEMO_WINDOWS_1.exe" ),
_WCH( "%SYSTEMDRIVE%\\RECYCLER\\MALWARE_DEMO_WINDOWS_1.exe" ),
_WCH( "%windir%\\system32\\tasks\\MALWARE_DEMO_WINDOWS_1.exe" ),
_WCH( "%USERPROFILE%\\MALWARE_DEMO_WINDOWS_1.exe" ) };
RU32 i = 0;
STARTUPINFOW startupInfo = {0};
PROCESS_INFORMATION procInfo = {0};
RPWCHAR expandedPath = NULL;
for( i = 0; i < ARRAY_N_ELEM( bootstrapLocations ); i++ )
{
rpal_debug_info( "trying to move to bootstrap location %d...", i );
rpal_file_delete( bootstrapLocations[ i ], FALSE );
if( rpal_file_move( g_self_path, bootstrapLocations[ i ] ) )
{
rpal_debug_info( "successfully moved to bootstrap location!" );
rpal_debug_info( "launching in new location (%ls)...", bootstrapLocations[ i ] );
if( rpal_string_expand( bootstrapLocations[ i ], &expandedPath ) &&
0 != CreateProcessW( expandedPath,
NULL,
NULL,
NULL,
FALSE,
CREATE_NO_WINDOW,
NULL,
NULL,
&startupInfo,
&procInfo ) )
{
rpal_debug_info( "successfully launched from new location." );
}
else
{
rpal_debug_error( "error launching from permanent location: %d.", GetLastError() );
}
if( NULL != expandedPath )
{
rpal_memory_free( expandedPath );
}
break;
}
else
{
rpal_debug_warning( "could not move to new bootstrap location, may not have permission..." );
}
}
}
// Receives new process notifications and check if they're on our
// deny list, if so, kill.
RPRIVATE
RVOID
denyNewProcesses
(
rpcm_tag notifType,
rSequence event
)
{
RPU8 atomId = NULL;
RU32 pid = 0;
UNREFERENCED_PARAMETER( notifType );
// We use the lastActivity check here as a cheap way of seeing if there is
// anything at all in the denied tree.
if( 0 != g_lastDenyActivity &&
HbsGetParentAtom( event, &atomId ) &&
isAtomDenied( atomId ) )
{
// This atom is part of a tree that needs to be denied, so we do two things:
// 1- Add its atom to the list of denied atoms.
if( HbsGetThisAtom( event, &atomId ) )
{
addAtomToDeny( atomId );
}
// 2- As this is a process, we deny by killing it.
if( rSequence_getRU32( event, RP_TAGS_PROCESS_ID, &pid ) )
{
if( processLib_killProcess( pid ) )
{
rpal_debug_info( "denied process id " RF_U32, pid );
}
else
{
rpal_debug_warning( "failed to deny process id " RF_U32, pid );
}
}
}
else if( 0 != g_lastDenyActivity &&
g_lastDenyActivity + DENY_TREE_CLEANUP_TIMEOUT < rpal_time_getGlobal() )
{
// There has not been any positive activity on any denied trees, for the sake
// of performance we'll reset the denied trees.
if( rMutex_lock( g_deniedMutex ) )
{
g_lastDenyActivity = 0;
rpal_blob_free( g_denied );
g_denied = rpal_blob_create( 0, HBS_ATOM_ID_SIZE * 10 );
rMutex_unlock( g_deniedMutex );
}
}
}
static
int
_yaraMemMatchCallback
(
int message,
void* message_data,
void* user_data
)
{
YR_RULE* rule = (YR_RULE*)message_data;
YaraMatchContext* context = (YaraMatchContext*)user_data;
rSequence event = NULL;
if( CALLBACK_MSG_RULE_MATCHING == message &&
NULL != message_data &&
NULL != user_data )
{
if( NULL != ( event = rSequence_new() ) )
{
rSequence_addRU32( event, RP_TAGS_PROCESS_ID, context->pid );
rSequence_addPOINTER64( event, RP_TAGS_BASE_ADDRESS, context->regionBase );
rSequence_addRU64( event, RP_TAGS_MEMORY_SIZE, context->regionSize );
hbs_markAsRelated( context->fileInfo, event );
if( NULL == context->processInfo )
{
context->processInfo = processLib_getProcessInfo( context->pid, NULL );
}
if( NULL != context->processInfo )
{
rSequence_addSEQUENCE( event, RP_TAGS_PROCESS, rSequence_duplicate( context->processInfo ) );
}
if( NULL != context->moduleInfo )
{
rSequence_addSEQUENCE( event, RP_TAGS_DLL, rSequence_duplicate( context->moduleInfo ) );
}
rSequence_addSTRINGA( event, RP_TAGS_RULE_NAME, (char*)rule->identifier );
notifications_publish( RP_TAGS_NOTIFICATION_YARA_DETECTION, event );
rSequence_free( event );
}
else
{
rpal_debug_warning( "error creating event from Yara match" );
}
}
return CALLBACK_CONTINUE;
}
static
RBOOL
getStoreConf
(
)
{
RBOOL isSuccess = FALSE;
RPU8 storeFile = NULL;
RU32 storeFileSize = 0;
rpHCPIdentStore* storeV2 = NULL;
OBFUSCATIONLIB_DECLARE( store, RP_HCP_CONFIG_IDENT_STORE );
OBFUSCATIONLIB_TOGGLE( store );
if( rpal_file_read( (RPNCHAR)store, (RPVOID)&storeFile, &storeFileSize, FALSE ) )
{
if( sizeof( rpHCPIdentStore ) <= storeFileSize )
{
storeV2 = (rpHCPIdentStore*)storeFile;
if( storeV2->enrollmentTokenSize == storeFileSize - sizeof( rpHCPIdentStore ) )
{
isSuccess = TRUE;
rpal_debug_info( "ident store found" );
if( NULL != ( g_hcpContext.enrollmentToken = rpal_memory_alloc( storeV2->enrollmentTokenSize ) ) )
{
rpal_memory_memcpy( g_hcpContext.enrollmentToken, storeV2->enrollmentToken, storeV2->enrollmentTokenSize );
g_hcpContext.enrollmentTokenSize = storeV2->enrollmentTokenSize;
}
g_hcpContext.currentId = storeV2->agentId;
}
else
{
rpal_debug_warning( "inconsistent ident store, reseting" );
rpal_file_delete( (RPNCHAR)store, FALSE );
}
}
rpal_memory_free( storeFile );
}
OBFUSCATIONLIB_TOGGLE( store );
// Set some always-correct defaults
g_hcpContext.currentId.id.platformId = RP_HCP_ID_MAKE_PLATFORM( RP_HCP_PLATFORM_CURRENT_CPU, RP_HCP_PLATFORM_CURRENT_MAJOR, RP_HCP_PLATFORM_CURRENT_MINOR );
return isSuccess;
}
static
RBOOL
getPrivileges
(
)
{
RBOOL isSuccess = FALSE;
#ifdef RPAL_PLATFORM_WINDOWS
RCHAR strSeDebug[] = "SeDebugPrivilege";
RCHAR strSeBackup[] = "SeBackupPrivilege";
RCHAR strSeRestore[] = "SeRestorePrivilege";
if( !WindowsGetPrivilege( strSeDebug ) )
{
rpal_debug_warning( "error getting SeDebugPrivilege" );
}
if( !WindowsGetPrivilege( strSeBackup ) )
{
rpal_debug_warning( "error getting SeBackupPrivilege" );
}
if( !WindowsGetPrivilege( strSeRestore ) )
{
rpal_debug_warning( "error getting SeRestorePrivilege" );
}
#elif defined( RPAL_PLATFORM_LINUX ) || defined( RPAL_PLATFORM_MACOSX )
/*cap_t capability_context = 0;
if( NULL != ( capability_context = cap_get_proc() ) )
{
cap_free( capability_context );
}
*/
#endif
return isSuccess;
}
RPRIVATE_TESTABLE
RBOOL
saveHcpId
(
RPNCHAR storePath,
rpHCPIdentStore* ident,
RPU8 token,
RU32 tokenSize
)
{
RBOOL isSet = FALSE;
rFile hStore = NULL;
if( NULL != storePath &&
NULL != ident &&
NULL != token &&
0 != tokenSize )
{
ident->enrollmentTokenSize = tokenSize;
if( rFile_open( storePath, &hStore, RPAL_FILE_OPEN_ALWAYS | RPAL_FILE_OPEN_WRITE ) )
{
if( rFile_write( hStore, sizeof( *ident ), ident ) &&
rFile_write( hStore, tokenSize, token ) )
{
#if defined( RPAL_PLATFORM_LINUX ) || defined( RPAL_PLATFORM_MACOSX )
chmod( storePath, S_IRUSR | S_IWUSR );
#endif
isSet = TRUE;
}
rFile_close( hStore );
}
else
{
rpal_debug_warning( "could not write enrollment token to disk" );
}
}
else
{
rpal_debug_error( "invalid ident info" );
}
return isSet;
}
RPRIVATE
RVOID
dnsKmDiffThread
(
rEvent isTimeToStop
)
{
RU8 new_from_kernel[ DNS_KB_PACKET_BUFFER * 1024 ] = { 0 };
RU8 prev_from_kernel[ DNS_KB_PACKET_BUFFER * 1024 ] = { 0 };
RU32 sizeInNew = 0;
RU32 sizeInPrev = 0;
KernelAcqDnsPacket* pPacket = NULL;
while( !rEvent_wait( isTimeToStop, 1000 ) )
{
rpal_memory_zero( new_from_kernel, sizeof( new_from_kernel ) );
sizeInNew = sizeof( new_from_kernel );
if( !kAcq_getNewDnsPackets( (KernelAcqDnsPacket*)new_from_kernel, &sizeInNew ) )
{
rpal_debug_warning( "kernel acquisition for new dns packets failed" );
break;
}
pPacket = (KernelAcqDnsPacket*)prev_from_kernel;
while( IS_WITHIN_BOUNDS( pPacket, sizeof( *pPacket ), prev_from_kernel, sizeInPrev ) &&
0 != pPacket->ts &&
IS_WITHIN_BOUNDS( pPacket, sizeof( *pPacket ) + pPacket->packetSize, prev_from_kernel, sizeInPrev ) )
{
processDnsPacket( pPacket );
pPacket = (KernelAcqDnsPacket*)( (RPU8)pPacket + sizeof( *pPacket ) + pPacket->packetSize );
}
rpal_memory_memcpy( prev_from_kernel, new_from_kernel, sizeInNew );
sizeInPrev = sizeInNew;
}
}
static RBOOL
startCollectors
(
)
{
RBOOL isSuccess = FALSE;
RU32 i = 0;
rEvent_unset( g_hbs_state.isTimeToStop );
if( NULL != ( g_hbs_state.hThreadPool = rThreadPool_create( 1,
15,
MSEC_FROM_SEC( 10 ) ) ) )
{
isSuccess = TRUE;
for( i = 0; i < ARRAY_N_ELEM( g_collectors ); i++ )
{
if( g_collectors[ i ].isEnabled )
{
if( !g_collectors[ i ].init( &g_hbs_state, g_collectors[ i ].conf ) )
{
isSuccess = FALSE;
rpal_debug_warning( "collector %d failed to init.", i );
}
else
{
rpal_debug_info( "collector %d started.", i );
}
}
else
{
rpal_debug_info( "collector %d disabled.", i );
}
}
}
return isSuccess;
}
RPRIVATE_TESTABLE
RBOOL
upgradeHcp
(
rSequence seq
)
{
RBOOL isSuccess = FALSE;
RPU8 tmpBuff = NULL;
RU32 tmpSize = 0;
RPU8 tmpSig = NULL;
RU32 tmpSigSize = 0;
RPNCHAR currentModulePath = NULL;
RPNCHAR backupPath = NULL;
if( NULL != seq )
{
if( rSequence_getBUFFER( seq,
RP_TAGS_BINARY,
&tmpBuff,
&tmpSize ) &&
rSequence_getBUFFER( seq,
RP_TAGS_SIGNATURE,
&tmpSig,
&tmpSigSize ) &&
CRYPTOLIB_SIGNATURE_SIZE == tmpSigSize )
{
// We got the data, now verify the buffer signature
if( CryptoLib_verify( tmpBuff, tmpSize, getRootPublicKey(), tmpSig ) )
{
if( NULL != ( currentModulePath = processLib_getCurrentModulePath() ) )
{
if( NULL != ( backupPath = rpal_string_strdup( currentModulePath ) ) &&
NULL != ( backupPath = rpal_string_strcatEx( backupPath, _NC( ".old" ) ) ) )
{
rpal_file_delete( backupPath, FALSE );
if( rpal_file_move( currentModulePath, backupPath ) )
{
if( rpal_file_write( currentModulePath, tmpBuff, tmpSize, TRUE ) )
{
rpal_debug_info( "hcp was successfully updated" );
isSuccess = TRUE;
}
else
{
rpal_debug_warning( "failed to write new hcp to disk" );
if( !rpal_file_move( backupPath, currentModulePath ) )
{
rpal_debug_warning( "old hcp was reverted" );
}
else
{
rpal_debug_error( "could not revert old hcp" );
}
}
}
else
{
rpal_debug_warning( "failed to move hcp to backup location" );
}
rpal_memory_free( backupPath );
}
rpal_memory_free( currentModulePath );
}
else
{
rpal_debug_error( "failed to get current module path" );
}
}
else
{
rpal_debug_warning( "New HCP binary signature is invalid." );
}
}
else
{
rpal_debug_warning( "Upgrade command missing or invalid component." );
}
}
return isSuccess;
}
static RVOID
publishCloudNotifications
(
rList notifications
)
{
rSequence notif = NULL;
RPU8 buff = NULL;
RU32 buffSize = 0;
RPU8 sig = NULL;
RU32 sigSize = 0;
rpHCPId curId = { 0 };
rSequence cloudEvent = NULL;
rSequence targetId = { 0 };
RU32 eventId = 0;
rSequence localEvent = NULL;
RU64 expiry = 0;
rpHCPId tmpId = { 0 };
rSequence receipt = NULL;
while( rList_getSEQUENCE( notifications, RP_TAGS_HBS_CLOUD_NOTIFICATION, ¬if ) )
{
cloudEvent = NULL;
if( rSequence_getBUFFER( notif, RP_TAGS_BINARY, &buff, &buffSize ) &&
rSequence_getBUFFER( notif, RP_TAGS_SIGNATURE, &sig, &sigSize ) )
{
if( CryptoLib_verify( buff, buffSize, hbs_cloud_pub_key, sig ) )
{
if( !rpHcpI_getId( &curId ) )
{
rpal_debug_error( "error getting current id for cloud notifications." );
}
else
{
if( !rSequence_deserialise( &cloudEvent, buff, buffSize, NULL ) )
{
cloudEvent = NULL;
rpal_debug_warning( "error deserializing cloud event." );
}
}
}
else
{
rpal_debug_warning( "cloud event signature invalid." );
}
}
if( rpal_memory_isValid( cloudEvent ) )
{
if( rSequence_getSEQUENCE( cloudEvent, RP_TAGS_HCP_ID, &targetId ) &&
rSequence_getRU32( cloudEvent, RP_TAGS_HBS_NOTIFICATION_ID, &eventId ) &&
rSequence_getSEQUENCE( cloudEvent, RP_TAGS_HBS_NOTIFICATION, &localEvent ) )
{
rSequence_getTIMESTAMP( cloudEvent, RP_TAGS_EXPIRY, &expiry );
tmpId = rpHcpI_seqToHcpId( targetId );
curId.id.configId = 0;
tmpId.id.configId = 0;
if( NULL != ( receipt = rSequence_new() ) )
{
if( rSequence_addSEQUENCE( receipt,
RP_TAGS_HBS_CLOUD_NOTIFICATION,
rSequence_duplicate( cloudEvent ) ) )
{
if( !rQueue_add( g_hbs_state.outQueue, receipt, 0 ) )
{
rSequence_free( receipt );
receipt = NULL;
}
}
else
{
rSequence_free( receipt );
receipt = NULL;
}
}
if( curId.raw == tmpId.raw &&
rpal_time_getGlobal() <= expiry )
{
if( !notifications_publish( eventId, localEvent ) )
{
rpal_debug_error( "error publishing event from cloud." );
}
}
else
{
rpal_debug_warning( "event expired or for wrong id." );
}
}
if( rpal_memory_isValid( cloudEvent ) )
{
rSequence_free( cloudEvent );
cloudEvent = NULL;
}
}
}
}
static rList
beaconHome
(
)
{
rList response = NULL;
rList exfil = NULL;
rSequence msg = NULL;
RU32 nExfilMsg = 0;
rSequence tmpMessage = NULL;
if( NULL != ( exfil = rList_new( RP_TAGS_MESSAGE, RPCM_SEQUENCE ) ) )
{
if( NULL != ( msg = rSequence_new() ) )
{
if( rSequence_addBUFFER( msg, RP_TAGS_HASH, g_hbs_state.currentConfigHash, CRYPTOLIB_HASH_SIZE ) )
{
if( !rList_addSEQUENCE( exfil, msg ) )
{
rSequence_free( msg );
msg = NULL;
}
tmpMessage = msg;
}
else
{
rSequence_free( msg );
msg = NULL;
}
}
while( rQueue_remove( g_hbs_state.outQueue, &msg, NULL, 0 ) )
{
nExfilMsg++;
if( !rList_addSEQUENCE( exfil, msg ) )
{
rSequence_free( msg );
}
}
rpal_debug_info( "%d messages ready for exfil.", nExfilMsg );
if( rpHcpI_beaconHome( exfil, &response ) )
{
rpal_debug_info( "%d messages received from cloud.", rList_getNumElements( response ) );
}
else if( g_hbs_state.maxQueueSize > rList_getEstimateSize( exfil ) )
{
rpal_debug_info( "beacon failed, re-adding %d messages.", rList_getNumElements( exfil ) );
// We will attempt to re-add the existing messages back in the queue since this failed
rList_resetIterator( exfil );
while( rList_getSEQUENCE( exfil, RP_TAGS_MESSAGE, &msg ) )
{
// Ignore message we generate temporarily for the beacon
if( tmpMessage == msg )
{
rSequence_free( msg );
continue;
}
if( !rQueue_add( g_hbs_state.outQueue, msg, 0 ) )
{
rSequence_free( msg );
}
}
rList_shallowFree( exfil );
exfil = NULL;
}
else
{
rpal_debug_warning( "beacon failed but discarded exfil because of its size." );
}
if( NULL != exfil )
{
rList_free( exfil );
}
}
return response;
}
static
VOID WINAPI
ServiceMain
(
DWORD dwArgc,
RPCHAR lpszArgv
)
{
RU32 memUsed = 0;
RWCHAR svcName[] = { _SERVICE_NAME };
RU32 i = 0;
UNREFERENCED_PARAMETER( dwArgc );
UNREFERENCED_PARAMETER( lpszArgv );
if( NULL == ( g_svc_status_handle = RegisterServiceCtrlHandlerW( svcName, SvcCtrlHandler ) ) )
{
return;
}
rpal_memory_zero( &g_svc_status, sizeof( g_svc_status ) );
g_svc_status.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
g_svc_status.dwControlsAccepted = 0;
g_svc_status.dwCurrentState = SERVICE_START_PENDING;
g_svc_status.dwWin32ExitCode = 0;
g_svc_status.dwServiceSpecificExitCode = 0;
g_svc_status.dwCheckPoint = 0;
SetServiceStatus( g_svc_status_handle, &g_svc_status );
if( NULL == ( g_timeToQuit = rEvent_create( TRUE ) ) )
{
g_svc_status.dwControlsAccepted = 0;
g_svc_status.dwCurrentState = SERVICE_STOPPED;
g_svc_status.dwWin32ExitCode = GetLastError();
g_svc_status.dwCheckPoint = 1;
SetServiceStatus( g_svc_status_handle, &g_svc_status );
return;
}
rpal_debug_info( "initialising rpHCP." );
if( !rpHostCommonPlatformLib_launch( g_svc_primary, g_svc_secondary ) )
{
rpal_debug_warning( "error launching hcp." );
}
for( i = 0; i < ARRAY_N_ELEM( g_manual_loads ); i++ )
{
if( NULL != g_manual_loads[ i ].modPath )
{
if( 0 != g_manual_loads[ i ].nMod )
{
#ifdef HCP_EXE_ENABLE_MANUAL_LOAD
rpHostCommonPlatformLib_load( g_manual_loads[ i ].modPath, g_manual_loads[ i ].nMod );
#endif
}
else
{
rpal_debug_error( "Mismatched number of -m modulePath and -n moduleId statements provided!" );
}
rpal_memory_free( g_manual_loads[ i ].modPath );
g_manual_loads[ i ].modPath = NULL;
}
else
{
break;
}
}
g_svc_status.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
g_svc_status.dwCurrentState = SERVICE_RUNNING;
g_svc_status.dwWin32ExitCode = 0;
g_svc_status.dwCheckPoint = 1;
SetServiceStatus( g_svc_status_handle, &g_svc_status );
rpal_debug_info( "...running, waiting to exit..." );
rEvent_wait( g_timeToQuit, RINFINITE );
rEvent_free( g_timeToQuit );
rpal_debug_info( "...exiting..." );
rpal_Context_cleanup();
memUsed = rpal_memory_totalUsed();
if( 0 != memUsed )
{
rpal_debug_critical( "Memory leak: %d bytes.\n", memUsed );
//rpal_memory_findMemory();
#ifdef RPAL_FEATURE_MEMORY_ACCOUNTING
rpal_memory_printDetailedUsage();
#endif
}
g_svc_status.dwControlsAccepted = 0;
g_svc_status.dwCurrentState = SERVICE_STOPPED;
g_svc_status.dwWin32ExitCode = 0;
g_svc_status.dwCheckPoint = 3;
SetServiceStatus( g_svc_status_handle, &g_svc_status );
}
RBOOL
rpHostCommonPlatformLib_launch
(
RU8 configHint,
RPNCHAR primaryHomeUrl,
RPNCHAR secondaryHomeUrl
)
{
RBOOL isInitSuccessful = FALSE;
rSequence staticConfig = NULL;
RPCHAR tmpStr = NULL;
rSequence tmpSeq = NULL;
RPU8 tmpBuffer = NULL;
RU32 tmpSize = 0;
RU16 tmpPort = 0;
rpal_debug_info( "launching hcp" );
#ifdef RPAL_PLATFORM_WINDOWS
if( setGlobalCrashHandler() &&
SetConsoleCtrlHandler( (PHANDLER_ROUTINE)ctrlHandler, TRUE ) )
{
rpal_debug_info( "global crash handler set" );
}
else
{
rpal_debug_warning( "error setting global crash handler" );
}
#endif
if( 1 == rInterlocked_increment32( &g_hcpContext.isRunning ) )
{
if( rpal_initialize( NULL, RPAL_COMPONENT_HCP ) )
{
CryptoLib_init();
if( NULL == ( g_hcpContext.cloudConnectionMutex = rMutex_create() ) ||
NULL == ( g_hcpContext.isCloudOnline = rEvent_create( TRUE ) ) )
{
rMutex_free( g_hcpContext.cloudConnectionMutex );
rpal_debug_error( "could not create cloud connection mutex or event" );
return FALSE;
}
g_hcpContext.currentId.raw = g_idTemplate.raw;
// We attempt to load some initial config from the serialized
// rSequence that can be patched in this binary.
if( NULL != ( staticConfig = getStaticConfig() ) )
{
if( rSequence_getSTRINGA( staticConfig, RP_TAGS_HCP_PRIMARY_URL, &tmpStr ) &&
rSequence_getRU16( staticConfig, RP_TAGS_HCP_PRIMARY_PORT, &tmpPort ) )
{
g_hcpContext.primaryUrl = rpal_string_strdupA( tmpStr );
g_hcpContext.primaryPort = tmpPort;
rpal_debug_info( "loading primary url from static config" );
}
if( rSequence_getSTRINGA( staticConfig, RP_TAGS_HCP_SECONDARY_URL, &tmpStr ) &&
rSequence_getRU16( staticConfig, RP_TAGS_HCP_SECONDARY_PORT, &tmpPort ) )
{
g_hcpContext.secondaryUrl = rpal_string_strdupA( tmpStr );
g_hcpContext.secondaryPort = tmpPort;
rpal_debug_info( "loading secondary url from static config" );
}
if( rSequence_getSEQUENCE( staticConfig, RP_TAGS_HCP_ID, &tmpSeq ) )
{
g_hcpContext.currentId = seqToHcpId( tmpSeq );
rpal_debug_info( "loading default id from static config" );
}
if( rSequence_getBUFFER( staticConfig, RP_TAGS_HCP_C2_PUBLIC_KEY, &tmpBuffer, &tmpSize ) )
{
setC2PublicKey( rpal_memory_duplicate( tmpBuffer, tmpSize ) );
rpal_debug_info( "loading c2 public key from static config" );
}
if( rSequence_getBUFFER( staticConfig, RP_TAGS_HCP_ROOT_PUBLIC_KEY, &tmpBuffer, &tmpSize ) )
{
setRootPublicKey( rpal_memory_duplicate( tmpBuffer, tmpSize ) );
rpal_debug_info( "loading root public key from static config" );
}
if( rSequence_getSTRINGA( staticConfig, RP_TAGS_HCP_DEPLOYMENT_KEY, &tmpStr ) )
{
g_hcpContext.deploymentKey = rpal_string_strdupA( tmpStr );
rpal_debug_info( "loading deployment key from static config" );
}
rSequence_free( staticConfig );
}
// Now we will override the defaults (if present) with command
// line parameters.
if( NULL != primaryHomeUrl &&
0 != rpal_string_strlen( primaryHomeUrl ) )
{
if( NULL != g_hcpContext.primaryUrl )
{
rpal_memory_free( g_hcpContext.primaryUrl );
g_hcpContext.primaryUrl = NULL;
}
g_hcpContext.primaryUrl = rpal_string_ntoa( primaryHomeUrl );
}
if( NULL != secondaryHomeUrl &&
0 != rpal_string_strlen( secondaryHomeUrl ) )
{
if( NULL != g_hcpContext.secondaryUrl )
{
rpal_memory_free( g_hcpContext.secondaryUrl );
g_hcpContext.secondaryUrl = NULL;
}
g_hcpContext.secondaryUrl = rpal_string_ntoa( secondaryHomeUrl );
}
g_hcpContext.enrollmentToken = NULL;
g_hcpContext.enrollmentTokenSize = 0;
getStoreConf(); /* Sets the agent ID platform. */
// Set the current configId
g_hcpContext.currentId.id.configId = configHint;
if( startBeacons() )
{
isInitSuccessful = TRUE;
}
else
{
rpal_debug_warning( "error starting beacons" );
}
CryptoLib_deinit();
}
else
{
rpal_debug_warning( "hcp platform could not init rpal" );
}
}
else
{
rInterlocked_decrement32( &g_hcpContext.isRunning );
rpal_debug_info( "hcp already launched" );
}
return isInitSuccessful;
}
static RVOID
injectIntoProcess
(
)
{
RNCHAR strSeDebug[] = _NC( "SeDebugPrivilege" );
processLibProcEntry* procIds = NULL;
processLibProcEntry* tmpProcId = NULL;
rSequence targetProc = NULL;
RU32 targetPid = 0;
RPWCHAR procName = NULL;
RWCHAR targetProcName[] = _WCH( "EXPLORER.EXE" );
HANDLE hProc = NULL;
RU32 selfSize = 0;
RPVOID remoteDest = NULL;
SIZE_T payloadSize = 0;
RPU8 payloadBuff = NULL;
rpal_debug_info( "getting debug privilege to inject..." );
if( !Get_Privilege( strSeDebug ) )
{
rpal_debug_error( "could not get debug privilege, are we running as admin?" );
return;
}
rpal_debug_info( "getting process list to find explorer.exe" );
procIds = processLib_getProcessEntries( FALSE );
tmpProcId = procIds;
while( NULL != tmpProcId )
{
if( NULL != ( targetProc = processLib_getProcessInfo( tmpProcId->pid, NULL ) ) )
{
if( rSequence_getSTRINGN( targetProc, RP_TAGS_FILE_PATH, &procName ) )
{
rpal_string_toupper( procName );
if( NULL != rpal_string_strstr( procName, targetProcName ) )
{
rpal_debug_info( "found the target process: %d", tmpProcId->pid );
targetPid = tmpProcId->pid;
}
else
{
rpal_debug_info( "not target process, next..." );
}
}
else
{
rpal_debug_warning( "process without file path, odd..." );
}
rSequence_free( targetProc );
targetProc = NULL;
if( 0 != targetPid )
{
break;
}
}
tmpProcId++;
}
rpal_memory_free( procIds );
if( 0 != targetPid )
{
rpal_debug_info( "getting size of self..." );
if( (RU32)(-1) != ( selfSize = rpal_file_getSize( g_self_path, FALSE ) ) )
{
rpal_debug_info( "opening target process with right privileges..." );
if( NULL != ( hProc = OpenProcess( PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, targetPid ) ) )
{
rpal_debug_info( "allocating required memory in remote process..." );
if( NULL != ( remoteDest = VirtualAllocEx( hProc, NULL, selfSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE ) ) )
{
rpal_debug_info( "reading payload to memory before writing it to remote." );
if( rpal_file_read( g_self_path, (RPVOID*)&payloadBuff, (RU32*)&payloadSize, FALSE ) )
{
rpal_debug_info( "writing payload to remote process." );
if( WriteProcessMemory( hProc, remoteDest, payloadBuff, payloadSize, &payloadSize ) &&
payloadSize == selfSize )
{
rpal_debug_info( "successfully written payload to remote process. This should look like an injected PE although no thread was started." );
}
else
{
rpal_debug_error( "error writing payload to remote process." );
}
rpal_memory_free( payloadBuff );
}
else
{
rpal_debug_error( "error reading ourselves as payload." );
}
}
else
{
rpal_debug_error( "error allocating memory in remote process." );
}
CloseHandle( hProc );
}
else
{
rpal_debug_error( "error opening process with VM privilges." );
}
}
else
{
rpal_debug_error( "error getting size of self." );
}
}
}
RBOOL
processMessage
(
rSequence seq
)
{
RBOOL isSuccess = FALSE;
RU8 command = 0;
rSequence idSeq = NULL;
rpHCPId tmpId = { 0 };
rpHCPId emptyId = { 0 };
RU64 tmpTime = 0;
rThread hQuitThread = 0;
rpHCPIdentStore identStore = {0};
RPU8 token = NULL;
RU32 tokenSize = 0;
OBFUSCATIONLIB_DECLARE( store, RP_HCP_CONFIG_IDENT_STORE );
if( NULL != seq )
{
if( rSequence_getRU8( seq, RP_TAGS_OPERATION, &command ) )
{
rpal_debug_info( "Received command 0x%0X.", command );
switch( command )
{
case RP_HCP_COMMAND_LOAD_MODULE:
isSuccess = loadModule( &g_hcpContext, seq );
break;
case RP_HCP_COMMAND_UNLOAD_MODULE:
isSuccess = unloadModule( &g_hcpContext, seq );
break;
case RP_HCP_COMMAND_SET_HCP_ID:
if( rSequence_getSEQUENCE( seq, RP_TAGS_HCP_IDENT, &idSeq ) )
{
tmpId = seqToHcpId( idSeq );
if( 0 != rpal_memory_memcmp( &emptyId, &tmpId, sizeof( emptyId ) ) )
{
g_hcpContext.currentId = tmpId;
OBFUSCATIONLIB_TOGGLE( store );
if( rSequence_getBUFFER( seq, RP_TAGS_HCP_ENROLLMENT_TOKEN, &token, &tokenSize ) )
{
identStore.agentId = tmpId;
if( saveHcpId( (RPNCHAR)store, &identStore, token, tokenSize ) )
{
isSuccess = TRUE;
}
if( NULL != g_hcpContext.enrollmentToken )
{
rpal_memory_free( g_hcpContext.enrollmentToken );
g_hcpContext.enrollmentToken = NULL;
}
if( NULL != ( g_hcpContext.enrollmentToken = rpal_memory_alloc( tokenSize ) ) )
{
rpal_memory_memcpy( g_hcpContext.enrollmentToken, token, tokenSize );
g_hcpContext.enrollmentTokenSize = tokenSize;
isSuccess = TRUE;
}
}
else
{
rpal_debug_warning( "hcp id is missing token" );
}
OBFUSCATIONLIB_TOGGLE( store );
}
}
break;
case RP_HCP_COMMAND_SET_GLOBAL_TIME:
if( rSequence_getTIMESTAMP( seq, RP_TAGS_TIMESTAMP, &tmpTime ) )
{
rpal_time_setGlobalOffset( tmpTime - rpal_time_getLocal() );
isSuccess = TRUE;
}
break;
case RP_HCP_COMMAND_QUIT:
if( 0 != ( hQuitThread = rpal_thread_new( thread_quitAndCleanup, NULL ) ) )
{
rpal_thread_free( hQuitThread );
isSuccess = TRUE;
}
break;
case RP_HCP_COMMAND_UPGRADE:
isSuccess = upgradeHcp( seq );
break;
default:
break;
}
if( isSuccess )
{
rpal_debug_info( "Command was successful." );
}
else
{
rpal_debug_warning( "Command was not successful." );
}
}
}
return isSuccess;
}
static int
new_proc_listener
(
kauth_cred_t cred,
struct vnode *vp,
struct vnode *scriptvp,
struct label *vnodelabel,
struct label *scriptlabel,
struct label *execlabel,
struct componentname *cnp,
u_int *csflags,
void *macpolicyattr,
size_t macpolicyattrlen
)
#endif
{
#ifdef _USE_KAUTH
vnode_t prog = (vnode_t)arg0;
const char* file_path = (const char*)arg1;
#else
int pathLen = sizeof( g_processes[ 0 ].path );
#endif
pid_t pid = 0;
pid_t ppid = 0;
uid_t uid = 0;
#ifdef _USE_KAUTH
if( KAUTH_FILEOP_EXEC != action ||
( NULL != prog &&
VREG != vnode_vtype( prog ) ) )
{
return KAUTH_RESULT_DEFER;
}
#endif
uid = kauth_getuid();
pid = proc_selfpid();
ppid = proc_selfppid();
// We skip a known false positive
if( 0 == ppid && 1 == pid )
{
#ifdef _USE_KAUTH
return KAUTH_RESULT_DEFER;
#else
return 0; // Always allow
#endif
}
if( NULL != file_path )
{
// rpal_debug_info( "!!!!!! process start: %d/%d/%d %s", ppid, pid, uid, file_path );
}
rpal_mutex_lock( g_collector_1_mutex );
#ifdef _USE_KAUTH
if( NULL != file_path )
{
strncpy( g_processes[ g_nextProcess ].path,
file_path,
sizeof( g_processes[ g_nextProcess ].path ) - 1 );
}
#else
vn_getpath( vp, g_processes[ g_nextProcess ].path, &pathLen );
#endif
g_processes[ g_nextProcess ].pid = pid;
g_processes[ g_nextProcess ].ppid = ppid;
g_processes[ g_nextProcess ].uid = uid;
g_processes[ g_nextProcess ].ts = rpal_time_getLocal();
g_nextProcess++;
if( g_nextProcess == _NUM_BUFFERED_PROCESSES )
{
g_nextProcess = 0;
rpal_debug_warning( "overflow of the execution buffer" );
}
// rpal_debug_info( "now %d processes in buffer", g_nextProcess );
rpal_mutex_unlock( g_collector_1_mutex );
#ifdef _USE_KAUTH
return KAUTH_RESULT_DEFER;
#else
return 0; // Always allow
#endif
}
static
RU32
_scanProcessWith
(
RU32 pid,
YaraMatchContext* matchContext,
YR_RULES* rules,
rEvent isTimeToStop
)
{
RU32 scanError = (RU32)(-1);
rList modules = NULL;
rSequence module = NULL;
_MemRange* memRanges = NULL;
RU32 i = 0;
rList memoryMap = NULL;
rSequence memoryRegion = NULL;
RU8 memAccess = 0;
RU64 mem = 0;
RU64 memSize = 0;
RPU8 buffer = NULL;
// First pass is to scan known modules
if( NULL != ( modules = processLib_getProcessModules( pid ) ) )
{
rpal_debug_info( "scanning process %d module memory with yara", pid );
// We also generate an optimized list of module ranges for later
if( NULL != ( memRanges = rpal_memory_alloc( sizeof( _MemRange ) *
rList_getNumElements( modules ) ) ) )
{
while( ( NULL == isTimeToStop || !rEvent_wait( isTimeToStop, MSEC_FROM_SEC( 5 ) ) ) &&
rList_getSEQUENCE( modules, RP_TAGS_DLL, &module ) )
{
if( rSequence_getPOINTER64( module, RP_TAGS_BASE_ADDRESS, &mem ) &&
rSequence_getRU64( module, RP_TAGS_MEMORY_SIZE, &memSize ) )
{
memRanges[ i ].base = mem;
memRanges[ i ].size = memSize;
i++;
matchContext->regionBase = mem;
matchContext->regionSize = memSize;
matchContext->moduleInfo = module;
if( processLib_getProcessMemory( pid,
(RPVOID)NUMBER_TO_PTR( mem ),
memSize,
(RPVOID*)&buffer,
TRUE ) )
{
rpal_debug_info( "yara scanning module region of size 0x%lx", memSize );
if( NULL != rules ||
rMutex_lock( g_global_rules_mutex ) )
{
if( ERROR_SUCCESS != ( scanError = yr_rules_scan_mem( NULL == rules ? g_global_rules : rules,
buffer,
(size_t)memSize,
SCAN_FLAGS_FAST_MODE |
SCAN_FLAGS_PROCESS_MEMORY,
_yaraMemMatchCallback,
matchContext,
60 ) ) )
{
rpal_debug_warning( "Yara module scan error: %d 0x%lx 0x%lx: %d",
pid,
mem,
memSize,
scanError );
}
if( NULL == rules )
{
rMutex_unlock( g_global_rules_mutex );
}
}
rpal_memory_free( buffer );
rpal_debug_info( "finished region" );
}
}
}
}
rList_free( modules );
}
// Optimize the memory ranges
if( rpal_memory_isValid( memRanges ) &&
!rpal_sort_array( memRanges, i, sizeof( _MemRange ), (rpal_ordering_func)rpal_order_RU64 ) )
{
rpal_memory_free( memRanges );
memRanges = NULL;
}
// Second pass is to go through executable non-module areas
if( NULL != ( memoryMap = processLib_getProcessMemoryMap( pid ) ) )
{
rpal_debug_info( "scanning process %d non-module memory with yara", pid );
while( ( NULL == isTimeToStop || !rEvent_wait(isTimeToStop, MSEC_FROM_SEC( 5 ) ) ) &&
rList_getSEQUENCE( memoryMap, RP_TAGS_MEMORY_REGION, &memoryRegion ) )
{
if( rSequence_getPOINTER64( memoryRegion, RP_TAGS_BASE_ADDRESS, &mem ) &&
rSequence_getRU64( memoryRegion, RP_TAGS_MEMORY_SIZE, &memSize ) &&
rSequence_getRU8( memoryRegion, RP_TAGS_MEMORY_ACCESS, &memAccess ) &&
( PROCESSLIB_MEM_ACCESS_EXECUTE == memAccess ||
PROCESSLIB_MEM_ACCESS_EXECUTE_READ == memAccess ||
PROCESSLIB_MEM_ACCESS_EXECUTE_READ_WRITE == memAccess ||
PROCESSLIB_MEM_ACCESS_EXECUTE_WRITE_COPY == memAccess ) )
{
// If it's in a known module, skip
if( (RU32)( -1 ) != rpal_binsearch_array_closest( memRanges,
i,
sizeof( _MemRange ),
&mem,
(rpal_ordering_func)rpal_order_RU64,
TRUE ) )
{
continue;
}
matchContext->regionBase = mem;
matchContext->regionSize = memSize;
matchContext->moduleInfo = NULL;
if( processLib_getProcessMemory( pid,
(RPVOID)NUMBER_TO_PTR(mem),
memSize,
(RPVOID*)&buffer,
TRUE ) )
{
rpal_debug_info( "yara scanning memory region of size 0x%lx", memSize );
if( NULL != rules ||
rMutex_lock( g_global_rules_mutex ) )
{
if( ERROR_SUCCESS != ( scanError = yr_rules_scan_mem( NULL == rules ? g_global_rules : rules,
buffer,
(size_t)memSize,
SCAN_FLAGS_FAST_MODE |
SCAN_FLAGS_PROCESS_MEMORY,
_yaraMemMatchCallback,
matchContext,
60 ) ) )
{
rpal_debug_warning( "Yara memory scan error: %d 0x%lx 0x%lx: %d",
pid,
mem,
memSize,
scanError );
}
if( NULL == rules )
{
rMutex_unlock( g_global_rules_mutex );
}
}
rpal_memory_free( buffer );
}
}
}
rList_free( memoryMap );
}
if( rpal_memory_isValid( memRanges ) )
{
rpal_memory_free( memRanges );
}
return scanError;
}
static
RU32
installService
(
)
{
RU32 res = (RU32)-1;
RNCHAR currentPath[ RPAL_MAX_PATH ] = {0};
RU32 currentPathSize = sizeof( currentPath );
RNCHAR svcDir[] = { _SERVICE_DIR };
RNCHAR svcPath[] = { _SERVICE_FILE };
RNCHAR svcDescPath[] = { _SERVICE_DESC_FILE };
RNCHAR svcDesc[] = { _SERVICE_DESC };
RBOOL isOnDisk = FALSE;
RNCHAR svcLoad[] = { _SERVICE_LOAD };
RNCHAR svcStart[] = { _SERVICE_START };
if( 0 == _NSGetExecutablePath( currentPath, ¤tPathSize ) )
{
if( rDir_create( svcDir ) )
{
chmod( svcDir, S_IRWXU );
}
if( rpal_file_copy( currentPath, svcPath ) )
{
if( 0 != chmod( svcPath, S_IRWXU ) )
{
rpal_debug_warning( "could not set restricted permissions on executable" );
}
if( rpal_file_write( svcDescPath, svcDesc, rpal_string_strlen( svcDesc ), TRUE ) )
{
if( 0 != chmod( svcDescPath, S_IRWXU ) )
{
rpal_debug_warning( "could not set restricted permissions on service descriptor" );
}
isOnDisk = TRUE;
}
else
{
rpal_debug_error( "could not write service descriptor" );
}
}
else
{
rpal_debug_error( "could not copy executable to service location" );
}
}
else
{
rpal_debug_error( "could not get current executable path" );
}
if( isOnDisk )
{
if( 0 != system( svcLoad ) )
{
rpal_debug_warning( "failed to load service, already exists?" );
}
if( 0 != system( svcStart ) )
{
rpal_debug_warning( "failed to start service, already running?" );
}
else
{
rpal_debug_info( "successfully installed" );
res = 0;
}
}
return res;
}
static
RPVOID
continuousFileScan
(
rEvent isTimeToStop,
RPVOID ctx
)
{
rSequence event = NULL;
RU32 timeout = 0;
RPWCHAR strW = NULL;
RPCHAR strA = NULL;
YaraMatchContext matchContext = { 0 };
RU32 scanError = 0;
rBloom knownFiles = NULL;
UNREFERENCED_PARAMETER( ctx );
if( NULL == ( knownFiles = rpal_bloom_create( 100000, 0.00001 ) ) )
{
return NULL;
}
while( !rEvent_wait( isTimeToStop, timeout ) )
{
if( rQueue_remove( g_async_files_to_scan, (RPVOID*)&event, NULL, MSEC_FROM_SEC( 2 ) ) )
{
if( rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &strW ) )
{
strA = rpal_string_wtoa( strW );
}
else
{
rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &strA );
}
if( NULL != strA &&
rpal_bloom_addIfNew( knownFiles, strA, rpal_string_strlen( strA ) ) )
{
rpal_debug_info( "yara scanning %s", strA );
matchContext.fileInfo = event;
if( rMutex_lock( g_global_rules_mutex ) )
{
if( NULL != g_global_rules )
{
rpal_debug_info( "scanning continuous file with yara" );
if( ERROR_SUCCESS != ( scanError = yr_rules_scan_file( g_global_rules,
strA,
SCAN_FLAGS_FAST_MODE,
_yaraFileMatchCallback,
&matchContext,
60 ) ) )
{
rpal_debug_warning( "Yara file scan error: %d", scanError );
}
}
rMutex_unlock( g_global_rules_mutex );
}
}
if( NULL != strA && NULL != strW )
{
// If both are allocated it means we got a strW and converted to A
// so we must free the strA version.
rpal_memory_free( strA );
}
strA = NULL;
strW = NULL;
rSequence_free( event );
timeout = _TIMEOUT_BETWEEN_FILE_SCANS;
}
else
{
timeout = 0;
}
}
rpal_bloom_destroy( knownFiles );
yr_finalize_thread();
return NULL;
}
RPRIVATE
RVOID
processDnsPacket
(
KernelAcqDnsPacket* pDns
)
{
rSequence notification = NULL;
RU32 i = 0;
DnsLabel* pLabel = NULL;
DnsHeader* dnsHeader = NULL;
DnsResponseInfo* pResponseInfo = NULL;
RCHAR domain[ DNS_LABEL_MAX_SIZE ] = { 0 };
RU16 recordType = 0;
RU64 timestamp = 0;
Atom parentAtom = { 0 };
if( NULL == pDns )
{
return;
}
dnsHeader = (DnsHeader*)( (RPU8)pDns + sizeof( *pDns ) );
pLabel = (DnsLabel*)dnsHeader->data;
// We are parsing DNS packets coming from the kernel. They may:
// 1- Be requests and not responses, check there are Answers.
// 2- Be maliciously crafter packets so we need extra checking for sanity.
if( 0 == dnsHeader->anCount ||
0 == dnsHeader->qr ||
DNS_SANITY_MAX_RECORDS < rpal_ntoh16( dnsHeader->qdCount ) ||
DNS_SANITY_MAX_RECORDS < rpal_ntoh16( dnsHeader->anCount ) )
{
return;
}
// We need to walk the Questions first to get to the Answers
// but we don't really care to record them since they'll be repeated
// in the Answers.
for( i = 0; i < rpal_ntoh16( dnsHeader->qdCount ); i++ )
{
DnsQuestionInfo* pQInfo = NULL;
pLabel = dnsReadLabels( pLabel, NULL, (RPU8)dnsHeader, pDns->packetSize, 0, 0 );
pQInfo = (DnsQuestionInfo*)( pLabel );
if( !IS_WITHIN_BOUNDS( pQInfo, sizeof( *pQInfo ), dnsHeader, pDns->packetSize ) )
{
rpal_debug_warning( "error parsing dns packet" );
break;
}
pLabel = (DnsLabel*)( (RPU8)pQInfo + sizeof( *pQInfo ) );
}
if( !IS_WITHIN_BOUNDS( pLabel, sizeof( RU16 ), dnsHeader, pDns->packetSize ) )
{
rpal_debug_warning( "error parsing dns packet" );
return;
}
// This is what we care about, the Answers (which also point to each Question).
// We will emit one event per Answer so as to keep the DNS_REQUEST event flat and atomic.
for( i = 0; i < rpal_ntoh16( dnsHeader->anCount ); i++ )
{
pResponseInfo = NULL;
// This was the Question for this answer.
rpal_memory_zero( domain, sizeof( domain ) );
pLabel = dnsReadLabels( pLabel, domain, (RPU8)dnsHeader, pDns->packetSize, 0, 0 );
pResponseInfo = (DnsResponseInfo*)pLabel;
pLabel = (DnsLabel*)( (RPU8)pResponseInfo + sizeof( *pResponseInfo ) + rpal_ntoh16( pResponseInfo->rDataLength ) );
if( !IS_WITHIN_BOUNDS( pResponseInfo, sizeof( *pResponseInfo ), dnsHeader, pDns->packetSize ) )
{
rpal_debug_warning( "error parsing dns packet" );
break;
}
if( NULL == ( notification = rSequence_new() ) )
{
rpal_debug_warning( "error parsing dns packet" );
break;
}
// This is a timestamp coming from the kernel so it is not globally adjusted.
// We'll adjust it with the global offset.
timestamp = pDns->ts;
timestamp += MSEC_FROM_SEC( rpal_time_getGlobalFromLocal( 0 ) );
// Try to relate the DNS request to the owner process, this only works on OSX
// at the moment (since the kernel does not expose the PID at the packet capture
// stage), and even on OSX it's the DNSResolver process. So it's not super useful
// but regardless we have the mechanism here as it's better than nothing and when
// we add better resolving in the kernel it will work transparently.
parentAtom.key.process.pid = pDns->pid;
parentAtom.key.category = RP_TAGS_NOTIFICATION_NEW_PROCESS;
if( atoms_query( &parentAtom, timestamp ) )
{
HbsSetParentAtom( notification, parentAtom.id );
}
rSequence_addTIMESTAMP( notification, RP_TAGS_TIMESTAMP, timestamp );
rSequence_addSTRINGA( notification, RP_TAGS_DOMAIN_NAME, domain );
rSequence_addRU32( notification, RP_TAGS_PROCESS_ID, pDns->pid );
recordType = rpal_ntoh16( pResponseInfo->recordType );
rSequence_addRU16( notification, RP_TAGS_MESSAGE_ID, rpal_ntoh16( dnsHeader->msgId ) );
rSequence_addRU16( notification, RP_TAGS_DNS_TYPE, recordType );
if( DNS_A_RECORD == recordType )
{
rSequence_addIPV4( notification, RP_TAGS_IP_ADDRESS, *(RU32*)pResponseInfo->rData );
}
else if( DNS_AAAA_RECORD == recordType )
{
rSequence_addIPV6( notification, RP_TAGS_IP_ADDRESS, pResponseInfo->rData );
}
else if( DNS_CNAME_RECORD == recordType )
{
// CNAME records will have another label as a value and not an IP.
rpal_memory_zero( domain, sizeof( domain ) );
dnsReadLabels( (DnsLabel*)pResponseInfo->rData, domain, (RPU8)dnsHeader, pDns->packetSize, 0, 0 );
rSequence_addSTRINGA( notification, RP_TAGS_CNAME, domain );
}
else
{
// Right now we only care for A, CNAME and AAAA records.
rSequence_free( notification );
notification = NULL;
continue;
}
hbs_publish( RP_TAGS_NOTIFICATION_DNS_REQUEST, notification );
rSequence_free( notification );
notification = NULL;
}
}
// Parses a label from a DNS packet and returns a pointer to the next byte after the label
// or label chain to be used to continue parsing the packet.
// If a human label is specified, will also assemble a human readable version of the labels
// in the buffer.
RPRIVATE
DnsLabel*
dnsReadLabels
(
DnsLabel* pLabel,
RCHAR humanLabel[ DNS_LABEL_MAX_SIZE ],
RPU8 packetStart,
RSIZET packetSize,
RU32 labelOffset,
RU32 recursiveDepth
)
{
RU32 copied = labelOffset;
if( 3 < recursiveDepth )
{
return NULL;
}
if( NULL == pLabel )
{
return NULL;
}
while( IS_WITHIN_BOUNDS( pLabel, sizeof( *pLabel ), packetStart, packetSize ) &&
( DNS_LABEL_IS_OFFSET( pLabel ) ||
( IS_WITHIN_BOUNDS( pLabel, sizeof( *pLabel ) + pLabel->nChar, packetStart, packetSize ) &&
0 != pLabel->nChar ) ) )
{
// It's possible for a pointer to be terminating a traditional label
if( DNS_LABEL_IS_OFFSET( pLabel ) )
{
// Pointer to a label
DnsLabel* tmpLabel = NULL;
RU16 offset = DNS_LABEL_OFFSET( pLabel );
if( !IS_WITHIN_BOUNDS( (RPU8)packetStart + offset, sizeof( RU16 ), packetStart, packetSize ) )
{
rpal_debug_warning( "error parsing dns packet" );
return NULL;
}
tmpLabel = (DnsLabel*)( (RPU8)packetStart + offset );
if( NULL == dnsReadLabels( tmpLabel, humanLabel, packetStart, packetSize, copied, recursiveDepth + 1 ) )
{
return NULL;
}
// Pointers are always terminating the label. So since there is
// no 0 terminated label we don't need to skip an extra byte, we
// just skip the current label pointer value.
pLabel = (DnsLabel*)( (RPU8)pLabel + sizeof( RU16 ) );
return pLabel;
}
else
{
if( DNS_LABEL_MAX_SIZE < copied + 1 + pLabel->nChar )
{
rpal_debug_warning( "error parsing dns packet" );
return NULL;
}
if( NULL != humanLabel )
{
if( 0 != copied )
{
humanLabel[ copied ] = '.';
copied++;
}
rpal_memory_memcpy( (RPU8)humanLabel + copied, pLabel->label, pLabel->nChar );
copied += pLabel->nChar;
}
pLabel = (DnsLabel*)( (RPU8)pLabel + pLabel->nChar + 1 );
}
}
// We do a last sanity check. A valid label parsing should end in a 0-val nChar within
// the buffer, so we check it's all valid, otherwise we'll assume an error and will return an error.
if( !IS_WITHIN_BOUNDS( pLabel, sizeof( *pLabel ), packetStart, packetSize ) ||
0 != pLabel->nChar )
{
rpal_debug_warning( "error parsing dns packet" );
return NULL;
}
// Get to the next valid byte, so we skip the 0-termination.
pLabel = (DnsLabel*)( (RPU8)pLabel + 1 );
return pLabel;
}
static
RPVOID
modUserModeDiff
(
rEvent isTimeToStop
)
{
rBlob previousSnapshot = NULL;
rBlob newSnapshot = NULL;
_moduleHistEntry curModule = { 0 };
processLibProcEntry* processes = NULL;
processLibProcEntry* curProc = NULL;
rList modules = NULL;
rSequence module = NULL;
LibOsPerformanceProfile perfProfile = { 0 };
Atom parentAtom = { 0 };
RU64 curTime = 0;
perfProfile.enforceOnceIn = 1;
perfProfile.lastTimeoutValue = 10;
perfProfile.sanityCeiling = MSEC_FROM_SEC( 10 );
perfProfile.targetCpuPerformance = 0;
perfProfile.globalTargetCpuPerformance = GLOBAL_CPU_USAGE_TARGET;
perfProfile.timeoutIncrementPerSec = 1;
while( rpal_memory_isValid( isTimeToStop ) &&
!rEvent_wait( isTimeToStop, 0 ) &&
( !kAcq_isAvailable() ||
g_is_kernel_failure ) )
{
if( NULL != ( processes = processLib_getProcessEntries( FALSE ) ) )
{
if( NULL != ( newSnapshot = rpal_blob_create( 1000 * sizeof( _moduleHistEntry ),
1000 * sizeof( _moduleHistEntry ) ) ) )
{
libOs_timeoutWithProfile( &perfProfile, FALSE, isTimeToStop );
curProc = processes;
while( rpal_memory_isValid( isTimeToStop ) &&
#ifdef RPAL_PLATFORM_WINDOWS
!rEvent_wait( isTimeToStop, 0 ) &&
#else
// Module listing outside of
!rEvent_wait( isTimeToStop, MSEC_FROM_SEC( 1 ) ) &&
#endif
0 != curProc->pid )
{
if( NULL != ( modules = processLib_getProcessModules( curProc->pid ) ) )
{
curTime = rpal_time_getGlobalPreciseTime();
while( rpal_memory_isValid( isTimeToStop ) &&
!rEvent_wait( isTimeToStop, 0 ) &&
rList_getSEQUENCE( modules, RP_TAGS_DLL, &module ) )
{
libOs_timeoutWithProfile( &perfProfile, TRUE, isTimeToStop );
if( rSequence_getPOINTER64( module,
RP_TAGS_BASE_ADDRESS,
&( curModule.baseAddr ) ) &&
rSequence_getRU64( module,
RP_TAGS_MEMORY_SIZE,
&(curModule.size) ) )
{
curModule.procId = curProc->pid;
rpal_blob_add( newSnapshot, &curModule, sizeof( curModule ) );
if( NULL != previousSnapshot &&
-1 == rpal_binsearch_array( rpal_blob_getBuffer( previousSnapshot ),
rpal_blob_getSize( previousSnapshot ) /
sizeof( _moduleHistEntry ),
sizeof( _moduleHistEntry ),
&curModule,
(rpal_ordering_func)_cmpModule ) )
{
hbs_timestampEvent( module, curTime );
parentAtom.key.category = RP_TAGS_NOTIFICATION_NEW_PROCESS;
parentAtom.key.process.pid = curProc->pid;
if( atoms_query( &parentAtom, curTime ) )
{
HbsSetParentAtom( module, parentAtom.id );
}
rpal_memory_zero( &parentAtom, sizeof( parentAtom ) );
hbs_publish( RP_TAGS_NOTIFICATION_MODULE_LOAD,
module );
}
}
}
rList_free( modules );
}
curProc++;
}
if( !rpal_sort_array( rpal_blob_getBuffer( newSnapshot ),
rpal_blob_getSize( newSnapshot ) / sizeof( _moduleHistEntry ),
sizeof( _moduleHistEntry ),
(rpal_ordering_func)_cmpModule ) )
{
rpal_debug_warning( "error sorting modules" );
}
}
rpal_memory_free( processes );
}
if( NULL != previousSnapshot )
{
rpal_blob_free( previousSnapshot );
}
previousSnapshot = newSnapshot;
newSnapshot = NULL;
}
if( NULL != previousSnapshot )
{
rpal_blob_free( previousSnapshot );
}
return NULL;
}
static RPVOID
processDiffThread
(
rEvent isTimeToStop,
RPVOID ctx
)
{
processEntry* currentSnapshot = g_snapshot_1;
processEntry* previousSnapshot = g_snapshot_2;
processEntry* tmpSnapshot = NULL;
RBOOL isFirstSnapshots = TRUE;
RU32 i = 0;
RU32 j = 0;
RBOOL isFound = FALSE;
RU32 nThLoop = 0;
RU32 currentTimeout = 0;
UNREFERENCED_PARAMETER( ctx );
while( !rEvent_wait( isTimeToStop, currentTimeout ) )
{
tmpSnapshot = currentSnapshot;
currentSnapshot = previousSnapshot;
previousSnapshot = tmpSnapshot;
if( getSnapshot( currentSnapshot ) )
{
if( isFirstSnapshots )
{
isFirstSnapshots = FALSE;
continue;
}
// Diff to find new processes
for( i = 0; i < MAX_SNAPSHOT_SIZE; i++ )
{
isFound = FALSE;
if( 0 == currentSnapshot[ i ].pid )
{
break;
}
for( j = 0; j < MAX_SNAPSHOT_SIZE; j++ )
{
if( 0 == previousSnapshot[ j ].pid )
{
break;
}
if( previousSnapshot[ j ].pid == currentSnapshot[ i ].pid )
{
isFound = TRUE;
break;
}
}
if( !isFound )
{
if( !notifyOfProcess( currentSnapshot[ i ].pid,
currentSnapshot[ i ].ppid,
TRUE ) )
{
rpal_debug_warning( "error reporting new process: %d",
currentSnapshot[ i ].pid );
}
}
}
// Diff to find terminated processes
for( i = 0; i < MAX_SNAPSHOT_SIZE; i++ )
{
isFound = FALSE;
if( 0 == previousSnapshot[ i ].pid )
{
break;
}
for( j = 0; j < MAX_SNAPSHOT_SIZE; j++ )
{
if( 0 == currentSnapshot[ j ].pid )
{
break;
}
if( previousSnapshot[ i ].pid == currentSnapshot[ j ].pid )
{
isFound = TRUE;
break;
}
}
if( !isFound )
{
if( !notifyOfProcess( previousSnapshot[ i ].pid,
previousSnapshot[ i ].ppid,
FALSE ) )
{
rpal_debug_warning( "error reporting terminated process: %d",
previousSnapshot[ i ].pid );
}
}
}
}
nThLoop++;
if( 0 == nThLoop % 20 )
{
#ifdef RPAL_PLATFORM_WINDOWS
// The Windows API is much more efficient than on Nix so we can affort
// going faster between our diffs.
currentTimeout = libOs_getUsageProportionalTimeout( 500 ) + 100;
#else
currentTimeout = libOs_getUsageProportionalTimeout( 800 ) + 200;
#endif
}
}
return NULL;
}
static
RPVOID
networkDiffThread
(
rEvent isTimeToStop,
RPVOID ctx
)
{
NetLib_Tcp4Table* currentTcp4Table = NULL;
NetLib_Tcp4Table* oldTcp4Table = NULL;
NetLib_UdpTable* currentUdpTable = NULL;
NetLib_UdpTable* oldUdpTable = NULL;
RU32 i = 0;
RU32 j = 0;
RBOOL isFound = FALSE;
rSequence notif = NULL;
rSequence comp = NULL;
RU32 timeout = 100;
RU32 nThLoop = 0;
UNREFERENCED_PARAMETER( ctx );
while( rpal_memory_isValid( isTimeToStop ) &&
!rEvent_wait( isTimeToStop, 0 ) )
{
if( NULL != oldTcp4Table )
{
rpal_memory_free( oldTcp4Table );
oldTcp4Table = NULL;
}
if( NULL != oldUdpTable )
{
rpal_memory_free( oldUdpTable );
oldUdpTable = NULL;
}
// Swap the old snapshot for the (prev) new one
oldTcp4Table = currentTcp4Table;
oldUdpTable = currentUdpTable;
currentTcp4Table = NULL;
currentUdpTable = NULL;
// Generate new tables
currentTcp4Table = NetLib_getTcp4Table();
currentUdpTable = NetLib_getUdpTable();
// Diff TCP snapshots for new entries
if( rpal_memory_isValid( currentTcp4Table ) &&
rpal_memory_isValid( oldTcp4Table ) )
{
for( i = 0; i < currentTcp4Table->nRows; i++ )
{
isFound = FALSE;
if( rEvent_wait( isTimeToStop, 0 ) )
{
break;
}
for( j = 0; j < oldTcp4Table->nRows; j++ )
{
if( isTcpEqual( ¤tTcp4Table->rows[ i ], &oldTcp4Table->rows[ j ] ) )
{
isFound = TRUE;
break;
}
}
if( !isFound )
{
if( NULL != ( notif = rSequence_new() ) )
{
if( rSequence_addRU32( notif,
RP_TAGS_STATE,
currentTcp4Table->rows[ i ].state ) &&
rSequence_addRU32( notif,
RP_TAGS_PROCESS_ID,
currentTcp4Table->rows[ i ].pid ) &&
rSequence_addTIMESTAMP( notif,
RP_TAGS_TIMESTAMP,
rpal_time_getGlobal() ) )
{
if( NULL != ( comp = rSequence_new() ) )
{
// Add the destination components
if( !rSequence_addIPV4( comp,
RP_TAGS_IP_ADDRESS,
currentTcp4Table->rows[ i ].destIp ) ||
!rSequence_addRU16( comp,
RP_TAGS_PORT,
rpal_ntoh16( (RU16)currentTcp4Table->rows[ i ].destPort ) ) ||
!rSequence_addSEQUENCE( notif,
RP_TAGS_DESTINATION,
comp ) )
{
rSequence_free( comp );
comp = NULL;
}
}
if( NULL != ( comp = rSequence_new() ) )
{
// Add the source components
if( !rSequence_addIPV4( comp,
RP_TAGS_IP_ADDRESS,
currentTcp4Table->rows[ i ].sourceIp ) ||
!rSequence_addRU16( comp,
RP_TAGS_PORT,
rpal_ntoh16( (RU16)currentTcp4Table->rows[ i ].sourcePort ) ) ||
!rSequence_addSEQUENCE( notif,
RP_TAGS_SOURCE,
comp ) )
{
rSequence_free( comp );
comp = NULL;
}
}
rpal_debug_info( "new tcp connection: 0x%08X = 0x%08X:0x%04X ---> 0x%08X:0x%04X -- 0x%08X.",
currentTcp4Table->rows[ i ].state,
currentTcp4Table->rows[ i ].sourceIp,
currentTcp4Table->rows[ i ].sourcePort,
currentTcp4Table->rows[ i ].destIp,
currentTcp4Table->rows[ i ].destPort,
currentTcp4Table->rows[ i ].pid );
notifications_publish( RP_TAGS_NOTIFICATION_NEW_TCP4_CONNECTION, notif );
}
rSequence_free( notif );
}
}
}
}
else if( 0 != nThLoop )
{
rpal_debug_warning( "could not get tcp connections table." );
}
// Diff TCP snapshots for new entries
if( NULL != currentUdpTable &&
NULL != oldUdpTable )
{
for( i = 0; i < currentUdpTable->nRows; i++ )
{
isFound = FALSE;
if( rEvent_wait( isTimeToStop, 0 ) )
{
break;
}
for( j = 0; j < oldUdpTable->nRows; j++ )
{
if( isUdpEqual( ¤tUdpTable->rows[ i ], &oldUdpTable->rows[ j ] ) )
{
isFound = TRUE;
break;
}
}
if( !isFound )
{
if( NULL != ( notif = rSequence_new() ) )
{
if( !rSequence_addIPV4( notif,
RP_TAGS_IP_ADDRESS,
currentUdpTable->rows[ i ].localIp ) ||
!rSequence_addRU16( notif,
RP_TAGS_PORT,
rpal_ntoh16( (RU16)currentUdpTable->rows[ i ].localPort ) ) ||
!rSequence_addRU32( notif,
RP_TAGS_PROCESS_ID,
currentUdpTable->rows[ i ].pid ) ||
!rSequence_addTIMESTAMP( notif,
RP_TAGS_TIMESTAMP,
rpal_time_getGlobal() ) )
{
notif = NULL;
}
else
{
rpal_debug_info( "new udp connection: 0x%08X:0x%04X -- 0x%08X.",
currentUdpTable->rows[ i ].localIp,
currentUdpTable->rows[ i ].localPort,
currentUdpTable->rows[ i ].pid );
notifications_publish( RP_TAGS_NOTIFICATION_NEW_UDP4_CONNECTION, notif );
}
rSequence_free( notif );
}
}
}
}
else if( 0 != nThLoop )
{
rpal_debug_warning( "could not get udp connections table." );
}
nThLoop++;
if( 0 == nThLoop % 10 )
{
timeout = libOs_getUsageProportionalTimeout( 1000 ) + 500;
}
rpal_thread_sleep( timeout );
}
rpal_memory_free( currentTcp4Table );
rpal_memory_free( currentUdpTable );
rpal_memory_free( oldTcp4Table );
rpal_memory_free( oldUdpTable );
return NULL;
}
static
RVOID
doScan
(
rpcm_tag eventType,
rSequence event
)
{
RU32 pid = 0;
RPWCHAR fileW = NULL;
RPCHAR fileA = NULL;
RPWCHAR procW = NULL;
RPCHAR procA = NULL;
RPU8 rulesBuffer = NULL;
RU32 rulesBufferSize = 0;
YR_RULES* rules = NULL;
YaraMatchContext matchContext = { 0 };
processLibProcEntry* processes = NULL;
processLibProcEntry* curProc = NULL;
RU32 scanError = 0;
rSequence processInfo = NULL;
RPWCHAR tmpW = NULL;
RPCHAR tmpA = NULL;
UNREFERENCED_PARAMETER( eventType );
if( rpal_memory_isValid( event ) )
{
rSequence_getRU32( event, RP_TAGS_PROCESS_ID, &pid );
rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &fileW );
rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &fileA );
rSequence_getSTRINGW( event, RP_TAGS_PROCESS, &procW );
rSequence_getSTRINGA( event, RP_TAGS_PROCESS, &procA );
if( rSequence_getBUFFER( event, RP_TAGS_RULES, &rulesBuffer, &rulesBufferSize ) )
{
rules = loadYaraRules( rulesBuffer, rulesBufferSize );
}
if( NULL != rules )
{
if( NULL != fileW )
{
fileA = rpal_string_wtoa( fileW );
}
if( NULL != procW )
{
procA = rpal_string_wtoa( procW );
}
if( NULL != fileA )
{
rpal_debug_info( "scanning file with yara" );
matchContext.fileInfo = event;
// Scan this file
if( ERROR_SUCCESS != ( scanError = yr_rules_scan_file( rules,
fileA,
SCAN_FLAGS_FAST_MODE,
_yaraFileMatchCallback,
&matchContext,
60 ) ) )
{
rpal_debug_warning( "Yara file scan error: %d", scanError );
}
}
else if( NULL != procA )
{
// Scan processes matching
if( NULL != ( processes = processLib_getProcessEntries( TRUE ) ) )
{
curProc = processes;
while( 0 != curProc->pid )
{
if( NULL != ( processInfo = processLib_getProcessInfo( curProc->pid, NULL ) ) )
{
if( rSequence_getSTRINGW( processInfo, RP_TAGS_FILE_PATH, &tmpW ) ||
rSequence_getSTRINGA( processInfo, RP_TAGS_FILE_PATH, &tmpA ) )
{
if( NULL != tmpW )
{
tmpA = rpal_string_wtoa( tmpW );
}
if( NULL != tmpA )
{
if( rpal_string_match( procA, tmpA, RPAL_PLATFORM_FS_CASE_SENSITIVITY ) )
{
matchContext.pid = curProc->pid;
matchContext.processInfo = processInfo;
scanError = _scanProcessWith( curProc->pid,
&matchContext,
rules,
NULL );
}
}
if( NULL != tmpW && NULL != tmpA )
{
// If both are allocated it means we got a strW and converted to A
// so we must free the strA version.
rpal_memory_free( tmpA );
}
}
rSequence_free( processInfo );
}
curProc++;
}
rpal_memory_free( processes );
}
}
else if( 0 != pid )
{
// Scan this process
matchContext.pid = pid;
scanError = _scanProcessWith( pid, &matchContext, rules, NULL );
rSequence_free( matchContext.processInfo );
}
else
{
// Scan all processes
if( NULL != ( processes = processLib_getProcessEntries( TRUE ) ) )
{
curProc = processes;
while( 0 != curProc->pid )
{
matchContext.pid = curProc->pid;
scanError = _scanProcessWith( curProc->pid, &matchContext, rules, NULL );
rSequence_free( matchContext.processInfo );
curProc++;
}
rpal_memory_free( processes );
}
}
if( NULL != fileW && NULL != fileA )
{
// If both are allocated it means we got a strW and converted to A
// so we must free the strA version.
rpal_memory_free( fileA );
}
if( NULL != procW && NULL != procA )
{
// If both are allocated it means we got a strW and converted to A
// so we must free the strA version.
rpal_memory_free( procA );
}
yr_rules_destroy( rules );
}
else
{
rpal_debug_warning( "no rules in yara scan request" );
reportError( event, RPAL_ERROR_NOT_SUPPORTED, "yara rules do not parse" );
}
}
rpal_debug_info( "finished on demand yara scan" );
reportError( event, scanError, "done" );
yr_finalize_thread();
}
RPRIVATE_TESTABLE
RBOOL
loadModule
(
rpHCPContext* hcpContext,
rSequence seq
)
{
RBOOL isSuccess = FALSE;
RU32 moduleIndex = (RU32)(-1);
RPU8 tmpBuff = NULL;
RU32 tmpSize = 0;
RPU8 tmpSig = NULL;
RU32 tmpSigSize = 0;
rpal_thread_func pEntry = NULL;
rpHCPModuleContext* modContext = NULL;
OBFUSCATIONLIB_DECLARE( entryName, RP_HCP_CONFIG_MODULE_ENTRY );
OBFUSCATIONLIB_DECLARE( recvMessage, RP_HCP_CONFIG_MODULE_RECV_MESSAGE );
if( NULL != seq &&
NULL != hcpContext )
{
for( moduleIndex = 0; moduleIndex < RP_HCP_CONTEXT_MAX_MODULES; moduleIndex++ )
{
if( 0 == hcpContext->modules[ moduleIndex ].hThread )
{
// Found an empty spot
break;
}
}
}
if( RP_HCP_CONTEXT_MAX_MODULES != moduleIndex &&
(RU32)(-1) != moduleIndex )
{
// We got an empty spot for our module
if( rSequence_getRU8( seq,
RP_TAGS_HCP_MODULE_ID,
&(hcpContext->modules[ moduleIndex ].id ) ) &&
rSequence_getBUFFER( seq,
RP_TAGS_BINARY,
&tmpBuff,
&tmpSize ) &&
rSequence_getBUFFER( seq,
RP_TAGS_SIGNATURE,
&tmpSig,
&tmpSigSize ) &&
CRYPTOLIB_SIGNATURE_SIZE == tmpSigSize )
{
// We got the data, now verify the buffer signature
if( CryptoLib_verify( tmpBuff, tmpSize, getRootPublicKey(), tmpSig ) )
{
// Ready to load the module
rpal_debug_info( "loading module in memory" );
hcpContext->modules[ moduleIndex ].hModule = MemoryLoadLibrary( tmpBuff, tmpSize );
if( NULL != hcpContext->modules[ moduleIndex ].hModule )
{
OBFUSCATIONLIB_TOGGLE( entryName );
pEntry = (rpal_thread_func)MemoryGetProcAddress( hcpContext->modules[ moduleIndex ].hModule,
(RPCHAR)entryName );
OBFUSCATIONLIB_TOGGLE( entryName );
if( NULL != pEntry )
{
modContext = &(hcpContext->modules[ moduleIndex ].context);
modContext->pCurrentId = &( hcpContext->currentId );
modContext->func_sendHome = doSend;
modContext->isTimeToStop = rEvent_create( TRUE );
modContext->rpalContext = rpal_Context_get();
modContext->isOnlineEvent = hcpContext->isCloudOnline;
if( NULL != modContext->isTimeToStop )
{
hcpContext->modules[ moduleIndex ].isTimeToStop = modContext->isTimeToStop;
OBFUSCATIONLIB_TOGGLE( recvMessage );
hcpContext->modules[ moduleIndex ].func_recvMessage =
(rpHCPModuleMsgEntry)MemoryGetProcAddress( hcpContext->modules[ moduleIndex ].hModule,
(RPCHAR)recvMessage );
OBFUSCATIONLIB_TOGGLE( recvMessage );
hcpContext->modules[ moduleIndex ].hThread = rpal_thread_new( pEntry, modContext );
if( 0 != hcpContext->modules[ moduleIndex ].hThread )
{
CryptoLib_hash( tmpBuff, tmpSize, &(hcpContext->modules[ moduleIndex ].hash ) );
hcpContext->modules[ moduleIndex ].isOsLoaded = FALSE;
isSuccess = TRUE;
}
else
{
rpal_debug_warning( "Error creating handler thread for new module." );
}
}
}
else
{
rpal_debug_warning( "Could not find new module's entry point." );
}
}
else
{
rpal_debug_warning( "Error loading module in memory." );
}
}
else
{
rpal_debug_warning( "New module signature invalid." );
}
}
else
{
rpal_debug_warning( "Could not find core module components to load." );
}
// Main cleanup
if( !isSuccess )
{
if( NULL != modContext )
{
IF_VALID_DO( modContext->isTimeToStop, rEvent_free );
}
if( NULL != hcpContext->modules[ moduleIndex ].hModule )
{
MemoryFreeLibrary( hcpContext->modules[ moduleIndex ].hModule );
}
rpal_memory_zero( &(hcpContext->modules[ moduleIndex ] ),
sizeof( hcpContext->modules[ moduleIndex ] ) );
}
}
else
{
rpal_debug_error( "Could not find a spot for new module, or invalid module id!" );
}
return isSuccess;
}
