/* is_process: Check is a process is running.
*/
int is_process(char *value, void *p_list_p)
{
OSList *p_list = (OSList *)p_list_p;
OSListNode *l_node;
if(p_list == NULL)
{
return(0);
}
if(!value)
{
return(0);
}
l_node = OSList_GetFirstNode(p_list);
while(l_node)
{
Proc_Info *pinfo;
pinfo = (Proc_Info *)l_node->data;
/* Checking if value matches */
if(pt_matches(pinfo->p_path, value))
{
int i = 0;
char _b_msg[OS_SIZE_1024 +1];
_b_msg[OS_SIZE_1024] = '\0';
snprintf(_b_msg, OS_SIZE_1024, " Process: %s.",
pinfo->p_path);
/* Already present. */
if(_is_str_in_array(rootcheck.alert_msg, _b_msg))
{
return(1);
}
while(rootcheck.alert_msg[i] && (i< 255))
i++;
if(!rootcheck.alert_msg[i])
os_strdup(_b_msg, rootcheck.alert_msg[i]);
return(1);
}
l_node = OSList_GetNextNode(p_list);
}
return(0);
}
/* Query the key and get the value of a specific entry */
int __os_winreg_querykey(HKEY hKey, char *p_key, char *full_key_name,
char *reg_option, char *reg_value)
{
int i, rc;
DWORD j;
/* QueryInfo and EnumKey variables */
TCHAR class_name_b[MAX_PATH + 1];
DWORD class_name_s = MAX_PATH;
/* Number of sub keys */
DWORD subkey_count = 0;
/* Number of values */
DWORD value_count;
/* Variables for RegEnumValue */
TCHAR value_buffer[MAX_VALUE_NAME + 1];
TCHAR data_buffer[MAX_VALUE_NAME + 1];
DWORD value_size;
DWORD data_size;
/* Data type for RegEnumValue */
DWORD data_type = 0;
/* Storage var */
char var_storage[MAX_VALUE_NAME + 1];
/* Initialize the memory for some variables */
class_name_b[0] = '\0';
class_name_b[MAX_PATH] = '\0';
/* We use the class_name, subkey_count and the value count */
rc = RegQueryInfoKey(hKey, class_name_b, &class_name_s, NULL,
&subkey_count, NULL, NULL, &value_count,
NULL, NULL, NULL, NULL);
if (rc != ERROR_SUCCESS) {
return (0);
}
/* Get values (if available) */
if (value_count) {
char *mt_data;
/* Clear the values for value_size and data_size */
value_buffer[MAX_VALUE_NAME] = '\0';
data_buffer[MAX_VALUE_NAME] = '\0';
var_storage[MAX_VALUE_NAME] = '\0';
/* Get each value */
for (i = 0; i < value_count; i++) {
value_size = MAX_VALUE_NAME;
data_size = MAX_VALUE_NAME;
value_buffer[0] = '\0';
data_buffer[0] = '\0';
var_storage[0] = '\0';
rc = RegEnumValue(hKey, i, value_buffer, &value_size,
NULL, &data_type, (LPBYTE)data_buffer, &data_size);
/* No more values available */
if (rc != ERROR_SUCCESS) {
break;
}
/* Check if no value name is specified */
if (value_buffer[0] == '\0') {
value_buffer[0] = '@';
value_buffer[1] = '\0';
}
/* Check if the entry name matches the reg_option */
if (strcasecmp(value_buffer, reg_option) != 0) {
continue;
}
/* If a value is not present and the option matches,
* we can return ok
*/
if (!reg_value) {
return (1);
}
/* Write value into a string */
switch (data_type) {
int size_available;
case REG_SZ:
case REG_EXPAND_SZ:
snprintf(var_storage, MAX_VALUE_NAME, "%s", data_buffer);
break;
case REG_MULTI_SZ:
/* Printing multiple strings */
size_available = MAX_VALUE_NAME - 3;
mt_data = data_buffer;
while (*mt_data) {
if (size_available > 2) {
strncat(var_storage, mt_data, size_available);
strncat(var_storage, " ", 2);
size_available = MAX_VALUE_NAME -
(strlen(var_storage) + 2);
}
mt_data += strlen(mt_data) + 1;
}
break;
case REG_DWORD:
snprintf(var_storage, MAX_VALUE_NAME,
"%x", (unsigned int)*data_buffer);
break;
default:
size_available = MAX_VALUE_NAME - 2;
for (j = 0; j < data_size; j++) {
char tmp_c[12];
snprintf(tmp_c, 12, "%02x",
(unsigned int)data_buffer[j]);
if (size_available > 2) {
strncat(var_storage, tmp_c, size_available);
size_available = MAX_VALUE_NAME -
(strlen(var_storage) + 2);
}
}
break;
}
/* Check if value matches */
if (pt_matches(var_storage, reg_value)) {
return (1);
}
return (0);
}
}
return (0);
}
/** int rk_check_file(char *value, char *pattern)
*/
int rk_check_file(char *file, char *pattern)
{
char *split_file;
int full_negate = 0;
int pt_result = 0;
FILE *fp;
char buf[OS_SIZE_2048 +1];
/* If string is null, we don't match */
if(file == NULL)
{
return(0);
}
/* Checking if the file is divided */
split_file = strchr(file, ',');
if(split_file)
{
*split_file = '\0';
split_file++;
}
/* Getting each file */
do
{
/* If we don't have a pattern, just check if the file/dir is there */
if(pattern == NULL)
{
if(is_file(file))
{
int i = 0;
char _b_msg[OS_SIZE_1024 +1];
_b_msg[OS_SIZE_1024] = '\0';
snprintf(_b_msg, OS_SIZE_1024, " File: %s.",
file);
/* Already present. */
if(_is_str_in_array(rootcheck.alert_msg, _b_msg))
{
return(1);
}
while(rootcheck.alert_msg[i] && (i < 255))
i++;
if(!rootcheck.alert_msg[i])
os_strdup(_b_msg, rootcheck.alert_msg[i]);
return(1);
}
}
else
{
full_negate = pt_check_negate(pattern);
/* Checking for a content in the file */
debug1("checking file: %s", file);
fp = fopen(file, "r");
if(fp)
{
debug1(" starting new file: %s", file);
buf[OS_SIZE_2048] = '\0';
while(fgets(buf, OS_SIZE_2048, fp) != NULL)
{
char *nbuf;
/* Removing end of line */
nbuf = strchr(buf, '\n');
if(nbuf)
{
*nbuf = '\0';
}
#ifdef WIN32
/* Removing end of line */
nbuf = strchr(buf, '\r');
if(nbuf)
{
*nbuf = '\0';
}
#endif
/* Matched */
pt_result = pt_matches(buf, pattern);
debug1("Buf == \"%s\"", buf);
debug1("Pattern == \"%s\"", pattern);
debug1("pt_result == %d and full_negate == %d", pt_result, full_negate);
if((pt_result == 1 && full_negate == 0) )
{
debug1("alerting file %s on line %s", file, buf);
int i = 0;
char _b_msg[OS_SIZE_1024 +1];
/* Closing the file before dealing with the alert. */
fclose(fp);
/* Generating the alert itself. */
_b_msg[OS_SIZE_1024] = '\0';
snprintf(_b_msg, OS_SIZE_1024, " File: %s.",
file);
/* Already present. */
if(_is_str_in_array(rootcheck.alert_msg, _b_msg))
{
return(1);
}
while(rootcheck.alert_msg[i] && (i < 255))
i++;
if(!rootcheck.alert_msg[i])
os_strdup(_b_msg, rootcheck.alert_msg[i]);
return(1);
}
else if((pt_result == 0 && full_negate == 1) )
{
/* found a full+negate match so no longer need to search
* break out of loop and amke sure the full negate does
* not alertin
*/
debug1("found a complete match for full_negate");
full_negate = 0;
break;
}
}
fclose(fp);
if(full_negate == 1)
{
debug1("full_negate alerting - file %s",file);
int i = 0;
char _b_msg[OS_SIZE_1024 +1];
/* Generating the alert itself. */
_b_msg[OS_SIZE_1024] = '\0';
snprintf(_b_msg, OS_SIZE_1024, " File: %s.",
file);
/* Already present. */
if(_is_str_in_array(rootcheck.alert_msg, _b_msg))
{
return(1);
}
while(rootcheck.alert_msg[i] && (i < 255))
i++;
if(!rootcheck.alert_msg[i])
os_strdup(_b_msg, rootcheck.alert_msg[i]);
return(1);
}
}
}
if(split_file)
{
file = split_file;
split_file = strchr(split_file, ',');
if(split_file)
{
split_file++;
}
}
}while(split_file);
return(0);
}