static
RBOOL
findDoc
(
rSequence doc,
DocSearchContext* ctx
)
{
RBOOL isMatch = FALSE;
RPCHAR filePathA = NULL;
RPWCHAR filePathW = NULL;
CryptoLib_Hash* pHash = NULL;
RU32 hashSize = 0;
if( rpal_memory_isValid( doc ) &&
NULL != ctx )
{
rSequence_getSTRINGA( doc, RP_TAGS_FILE_PATH, &filePathA );
rSequence_getSTRINGW( doc, RP_TAGS_FILE_PATH, &filePathW );
rSequence_getBUFFER( doc, RP_TAGS_HASH, (RPU8*)&pHash, &hashSize );
if( ( NULL == filePathA || NULL == ctx->exprA || rpal_string_match( ctx->exprA, filePathA, FALSE ) ) &&
( NULL == filePathW || NULL == ctx->exprW || rpal_string_matchw( ctx->exprW, filePathW, FALSE ) ) &&
( NULL == pHash || NULL == ctx->pHash || 0 == rpal_memory_memcmp( pHash, ctx->pHash, hashSize ) ) )
{
isMatch = TRUE;
}
}
return isMatch;
}
RBOOL
hbs_markAsRelated
(
rSequence parent,
rSequence toMark
)
{
RBOOL isSuccess = FALSE;
RPCHAR invId = NULL;
if( rpal_memory_isValid( parent ) &&
rpal_memory_isValid( toMark ) )
{
isSuccess = TRUE;
if( rSequence_getSTRINGA( parent, RP_TAGS_HBS_INVESTIGATION_ID, &invId ) )
{
isSuccess = FALSE;
if( rSequence_addSTRINGA( toMark, RP_TAGS_HBS_INVESTIGATION_ID, invId ) )
{
isSuccess = TRUE;
}
}
}
return isSuccess;
}
static
RVOID
processNewModule
(
rpcm_tag notifType,
rSequence event
)
{
RPWCHAR nameW = NULL;
RPCHAR nameA = NULL;
RU8 fileHash[ CRYPTOLIB_HASH_SIZE ] = { 0 };
RU64 size = 0;
UNREFERENCED_PARAMETER( notifType );
if( rpal_memory_isValid( event ) )
{
if( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) )
{
if( NULL != nameA &&
!CryptoLib_hashFileA( nameA, fileHash, TRUE ) )
{
rpal_debug_info( "unable to fetch file hash for ident" );
}
if( NULL != nameW &&
!CryptoLib_hashFileW( nameW, fileHash, TRUE ) )
{
rpal_debug_info( "unable to fetch file hash for ident" );
}
rSequence_getRU64( event, RP_TAGS_MEMORY_SIZE, &size );
if( NULL != nameA )
{
processCodeIdentA( nameA, fileHash, size, event );
}
else if( NULL != nameW )
{
processCodeIdentW( nameW, fileHash, size, event );
}
}
}
}
void
test_servicesList
(
void
)
{
rList svcs = NULL;
rSequence svc = NULL;
RU32 type = PROCESSLIB_SVCS;
#if defined( RPAL_PLATFORM_WINDOWS ) || defined( RPAL_PLATFORM_LINUX )
RPWCHAR svcName = NULL;
#elif defined( RPAL_PLATFORM_MACOSX )
RPCHAR svcName = NULL;
#endif
svcs = processLib_getServicesList( type );
CU_ASSERT_PTR_NOT_EQUAL_FATAL( svcs, NULL );
CU_ASSERT_TRUE( rList_getSEQUENCE( svcs, RP_TAGS_SVC, &svc ) );
#if defined( RPAL_PLATFORM_WINDOWS ) || defined( RPAL_PLATFORM_LINUX )
CU_ASSERT_TRUE( rSequence_getSTRINGW( svc, RP_TAGS_SVC_NAME, &svcName ) );
CU_ASSERT_PTR_NOT_EQUAL( svcName, NULL );
CU_ASSERT_NOT_EQUAL( rpal_string_strlenw( svcName ), 0 );
#elif defined( RPAL_PLATFORM_MACOSX )
CU_ASSERT_TRUE( rSequence_getSTRINGA( svc, RP_TAGS_SVC_NAME, &svcName ) );
CU_ASSERT_PTR_NOT_EQUAL( svcName, NULL );
CU_ASSERT_NOT_EQUAL( rpal_string_strlen( svcName ), 0 );
#endif
rSequence_free( svcs );
}
static
RVOID
doScan
(
rpcm_tag eventType,
rSequence event
)
{
RU32 pid = 0;
RPWCHAR fileW = NULL;
RPCHAR fileA = NULL;
RPWCHAR procW = NULL;
RPCHAR procA = NULL;
RPU8 rulesBuffer = NULL;
RU32 rulesBufferSize = 0;
YR_RULES* rules = NULL;
YaraMatchContext matchContext = { 0 };
processLibProcEntry* processes = NULL;
processLibProcEntry* curProc = NULL;
RU32 scanError = 0;
rSequence processInfo = NULL;
RPWCHAR tmpW = NULL;
RPCHAR tmpA = NULL;
UNREFERENCED_PARAMETER( eventType );
if( rpal_memory_isValid( event ) )
{
rSequence_getRU32( event, RP_TAGS_PROCESS_ID, &pid );
rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &fileW );
rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &fileA );
rSequence_getSTRINGW( event, RP_TAGS_PROCESS, &procW );
rSequence_getSTRINGA( event, RP_TAGS_PROCESS, &procA );
if( rSequence_getBUFFER( event, RP_TAGS_RULES, &rulesBuffer, &rulesBufferSize ) )
{
rules = loadYaraRules( rulesBuffer, rulesBufferSize );
}
if( NULL != rules )
{
if( NULL != fileW )
{
fileA = rpal_string_wtoa( fileW );
}
if( NULL != procW )
{
procA = rpal_string_wtoa( procW );
}
if( NULL != fileA )
{
rpal_debug_info( "scanning file with yara" );
matchContext.fileInfo = event;
// Scan this file
if( ERROR_SUCCESS != ( scanError = yr_rules_scan_file( rules,
fileA,
SCAN_FLAGS_FAST_MODE,
_yaraFileMatchCallback,
&matchContext,
60 ) ) )
{
rpal_debug_warning( "Yara file scan error: %d", scanError );
}
}
else if( NULL != procA )
{
// Scan processes matching
if( NULL != ( processes = processLib_getProcessEntries( TRUE ) ) )
{
curProc = processes;
while( 0 != curProc->pid )
{
if( NULL != ( processInfo = processLib_getProcessInfo( curProc->pid, NULL ) ) )
{
if( rSequence_getSTRINGW( processInfo, RP_TAGS_FILE_PATH, &tmpW ) ||
rSequence_getSTRINGA( processInfo, RP_TAGS_FILE_PATH, &tmpA ) )
{
if( NULL != tmpW )
{
tmpA = rpal_string_wtoa( tmpW );
}
if( NULL != tmpA )
{
if( rpal_string_match( procA, tmpA, RPAL_PLATFORM_FS_CASE_SENSITIVITY ) )
{
matchContext.pid = curProc->pid;
matchContext.processInfo = processInfo;
scanError = _scanProcessWith( curProc->pid,
&matchContext,
rules,
NULL );
}
}
if( NULL != tmpW && NULL != tmpA )
{
// If both are allocated it means we got a strW and converted to A
// so we must free the strA version.
rpal_memory_free( tmpA );
}
}
rSequence_free( processInfo );
}
curProc++;
}
rpal_memory_free( processes );
}
}
else if( 0 != pid )
{
// Scan this process
matchContext.pid = pid;
scanError = _scanProcessWith( pid, &matchContext, rules, NULL );
rSequence_free( matchContext.processInfo );
}
else
{
// Scan all processes
if( NULL != ( processes = processLib_getProcessEntries( TRUE ) ) )
{
curProc = processes;
while( 0 != curProc->pid )
{
matchContext.pid = curProc->pid;
scanError = _scanProcessWith( curProc->pid, &matchContext, rules, NULL );
rSequence_free( matchContext.processInfo );
curProc++;
}
rpal_memory_free( processes );
}
}
if( NULL != fileW && NULL != fileA )
{
// If both are allocated it means we got a strW and converted to A
// so we must free the strA version.
rpal_memory_free( fileA );
}
if( NULL != procW && NULL != procA )
{
// If both are allocated it means we got a strW and converted to A
// so we must free the strA version.
rpal_memory_free( procA );
}
yr_rules_destroy( rules );
}
else
{
rpal_debug_warning( "no rules in yara scan request" );
reportError( event, RPAL_ERROR_NOT_SUPPORTED, "yara rules do not parse" );
}
}
rpal_debug_info( "finished on demand yara scan" );
reportError( event, scanError, "done" );
yr_finalize_thread();
}
static
RPVOID
continuousFileScan
(
rEvent isTimeToStop,
RPVOID ctx
)
{
rSequence event = NULL;
RU32 timeout = 0;
RPWCHAR strW = NULL;
RPCHAR strA = NULL;
YaraMatchContext matchContext = { 0 };
RU32 scanError = 0;
rBloom knownFiles = NULL;
UNREFERENCED_PARAMETER( ctx );
if( NULL == ( knownFiles = rpal_bloom_create( 100000, 0.00001 ) ) )
{
return NULL;
}
while( !rEvent_wait( isTimeToStop, timeout ) )
{
if( rQueue_remove( g_async_files_to_scan, (RPVOID*)&event, NULL, MSEC_FROM_SEC( 2 ) ) )
{
if( rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &strW ) )
{
strA = rpal_string_wtoa( strW );
}
else
{
rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &strA );
}
if( NULL != strA &&
rpal_bloom_addIfNew( knownFiles, strA, rpal_string_strlen( strA ) ) )
{
rpal_debug_info( "yara scanning %s", strA );
matchContext.fileInfo = event;
if( rMutex_lock( g_global_rules_mutex ) )
{
if( NULL != g_global_rules )
{
rpal_debug_info( "scanning continuous file with yara" );
if( ERROR_SUCCESS != ( scanError = yr_rules_scan_file( g_global_rules,
strA,
SCAN_FLAGS_FAST_MODE,
_yaraFileMatchCallback,
&matchContext,
60 ) ) )
{
rpal_debug_warning( "Yara file scan error: %d", scanError );
}
}
rMutex_unlock( g_global_rules_mutex );
}
}
if( NULL != strA && NULL != strW )
{
// If both are allocated it means we got a strW and converted to A
// so we must free the strA version.
rpal_memory_free( strA );
}
strA = NULL;
strW = NULL;
rSequence_free( event );
timeout = _TIMEOUT_BETWEEN_FILE_SCANS;
}
else
{
timeout = 0;
}
}
rpal_bloom_destroy( knownFiles );
yr_finalize_thread();
return NULL;
}
static
RVOID
processFile
(
rSequence notif
)
{
RPCHAR fileA = NULL;
RPWCHAR fileW = NULL;
RPU8 fileContent = NULL;
RU32 fileSize = 0;
CryptoLib_Hash hash = { 0 };
if( NULL != notif )
{
obsLib_resetSearchState( matcherA );
obsLib_resetSearchState( matcherW );
if( ( rSequence_getSTRINGA( notif, RP_TAGS_FILE_PATH, &fileA ) &&
obsLib_setTargetBuffer( matcherA,
fileA,
( rpal_string_strlen( fileA ) + 1 ) * sizeof( RCHAR ) ) &&
obsLib_nextHit( matcherA, NULL, NULL ) ) ||
( rSequence_getSTRINGW( notif, RP_TAGS_FILE_PATH, &fileW ) &&
obsLib_setTargetBuffer( matcherW,
fileW,
( rpal_string_strlenw( fileW ) + 1 ) * sizeof( RWCHAR ) ) &&
obsLib_nextHit( matcherW, NULL, NULL ) ) )
{
// This means it's a file of interest.
if( ( NULL != fileA &&
( ( DOCUMENT_MAX_SIZE >= rpal_file_getSize( fileA, TRUE ) &&
rpal_file_read( fileA, (RPVOID*)&fileContent, &fileSize, TRUE ) &&
CryptoLib_hash( fileContent, fileSize, &hash ) ) ||
CryptoLib_hashFileA( fileA, &hash, TRUE ) ) ) ||
( NULL != fileW &&
( ( DOCUMENT_MAX_SIZE >= rpal_file_getSizew( fileW, TRUE ) &&
rpal_file_readw( fileW, (RPVOID*)&fileContent, &fileSize, TRUE ) &&
CryptoLib_hash( fileContent, fileSize, &hash ) ) ||
CryptoLib_hashFileW( fileW, &hash, TRUE ) ) ) )
{
// We acquired the hash, either by reading the entire file in memory
// which we will use for caching, or if it was too big by hashing it
// sequentially on disk.
rSequence_unTaintRead( notif );
rSequence_addBUFFER( notif, RP_TAGS_HASH, (RPU8)&hash, sizeof( hash ) );
notifications_publish( RP_TAGS_NOTIFICATION_NEW_DOCUMENT, notif );
}
if( rMutex_lock( cacheMutex ) )
{
if( NULL == fileContent ||
!rSequence_addBUFFER( notif, RP_TAGS_FILE_CONTENT, fileContent, fileSize ) ||
!HbsRingBuffer_add( documentCache, notif ) )
{
rSequence_free( notif );
}
rMutex_unlock( cacheMutex );
}
else
{
rSequence_free( notif );
}
if( NULL != fileContent )
{
rpal_memory_free( fileContent );
}
}
else
{
rSequence_free( notif );
}
}
}
static
RVOID
getDocument
(
rpcm_tag notifId,
rSequence notif
)
{
rSequence tmp = NULL;
DocSearchContext ctx = { 0 };
RU32 hashSize = 0;
rList foundDocs = NULL;
RBOOL isAAlloced = FALSE;
RBOOL isWAlloced = FALSE;
UNREFERENCED_PARAMETER( notifId );
if( NULL != notif )
{
if( !rSequence_getSTRINGA( notif, RP_TAGS_STRING_PATTERN, &ctx.exprA ) )
{
ctx.exprA = NULL;
}
if( !rSequence_getSTRINGW( notif, RP_TAGS_STRING_PATTERN, &ctx.exprW ) )
{
ctx.exprW = NULL;
}
if( NULL != ctx.exprA && NULL == ctx.exprW )
{
ctx.exprW = rpal_string_atow( ctx.exprA );
isWAlloced = TRUE;
}
if( NULL != ctx.exprW && NULL == ctx.exprA )
{
ctx.exprA = rpal_string_wtoa( ctx.exprW );
isAAlloced = TRUE;
}
if( !rSequence_getBUFFER( notif, RP_TAGS_HASH, (RPU8*)&ctx.pHash, &hashSize ) ||
sizeof( *ctx.pHash ) != hashSize )
{
// Unexpected hash size, let's not gamble
ctx.pHash = NULL;
}
}
if( rMutex_lock( cacheMutex ) )
{
if( NULL != ( foundDocs = rList_new( RP_TAGS_FILE_INFO, RPCM_SEQUENCE ) ) )
{
while( HbsRingBuffer_find( documentCache, (HbsRingBufferCompareFunc)findDoc, &ctx, &tmp ) )
{
// TODO: optimize this since if we're dealing with large files
// we will be temporarily using large amounts of duplicate memory.
// We just need to do some shallow free of the datastructures
// somehow.
if( NULL != ( tmp = rSequence_duplicate( tmp ) ) )
{
if( !rList_addSEQUENCE( foundDocs, tmp ) )
{
rSequence_free( tmp );
}
}
}
if( !rSequence_addLIST( notif, RP_TAGS_FILES, foundDocs ) )
{
rList_free( foundDocs );
}
}
rMutex_unlock( cacheMutex );
notifications_publish( RP_TAGS_NOTIFICATION_GET_DOCUMENT_REP, notif );
}
if( isAAlloced )
{
rpal_memory_free( ctx.exprA );
}
if( isWAlloced )
{
rpal_memory_free( ctx.exprW );
}
}
RBOOL
collector_22_init
(
HbsState* hbsState,
rSequence config
)
{
RBOOL isSuccess = FALSE;
rList patterns = NULL;
rSequence pattern = NULL;
RPCHAR strA = NULL;
RPWCHAR strW = NULL;
RPNCHAR tmpN = NULL;
RU8 patternId = 0;
RU32 i = 0;
if( NULL != hbsState &&
NULL != ( g_extensions = obsLib_new( 0, 0 ) ) )
{
if( rSequence_getLIST( config, RP_TAGS_PATTERNS, &patterns ) )
{
while( rList_getSEQUENCE( patterns, RP_TAGS_RULE, &pattern ) )
{
if( rSequence_getRU8( pattern, RP_TAGS_RULE_NAME, &patternId ) )
{
if( 64 < patternId || 0 == patternId )
{
rpal_debug_critical( "rule id must be below 64 and 1-based." );
continue;
}
// Base the pattern id to 0
patternId--;
if( rSequence_getSTRINGA( pattern, RP_TAGS_EXTENSION, &strA ) &&
NULL != ( tmpN = rpal_string_aton( strA ) ) )
{
_addPattern( g_extensions, tmpN, TRUE, NUMBER_TO_PTR( patternId ) );
rpal_memory_free( tmpN );
}
if( rSequence_getSTRINGW( pattern, RP_TAGS_EXTENSION, &strW ) &&
NULL != ( tmpN = rpal_string_wton( strW ) ) )
{
_addPattern( g_extensions, tmpN, TRUE, NUMBER_TO_PTR( patternId ) );
rpal_memory_free( tmpN );
}
if( rSequence_getSTRINGA( pattern, RP_TAGS_STRING_PATTERN, &strA ) &&
NULL != ( tmpN = rpal_string_aton( strA ) ) )
{
_addPattern( g_extensions, tmpN, FALSE, NUMBER_TO_PTR( patternId ) );
rpal_memory_free( tmpN );
}
if( rSequence_getSTRINGW( pattern, RP_TAGS_STRING_PATTERN, &strW ) &&
NULL != ( tmpN = rpal_string_wton( strW ) ) )
{
_addPattern( g_extensions, tmpN, FALSE, NUMBER_TO_PTR( patternId ) );
rpal_memory_free( tmpN );
}
}
}
if( NULL != ( g_mutex = rMutex_create() ) &&
NULL != ( g_procContexts = rpal_vector_new() ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, NULL, 0, NULL, processFileIo ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_DELETE, NULL, 0, NULL, processFileIo ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_MODIFIED, NULL, 0, NULL, processFileIo ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_READ, NULL, 0, NULL, processFileIo ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, 0, NULL, processNewProcesses ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_EXISTING_PROCESS, NULL, 0, NULL, processNewProcesses ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_TERMINATE_PROCESS, NULL, 0, NULL, processTerminateProcesses ) )
{
isSuccess = TRUE;
}
}
}
if( !isSuccess )
{
notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, NULL, processFileIo );
notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_DELETE, NULL, processFileIo );
notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_MODIFIED, NULL, processFileIo );
notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_READ, NULL, processFileIo );
notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, processNewProcesses );
notifications_unsubscribe( RP_TAGS_NOTIFICATION_EXISTING_PROCESS, NULL, processNewProcesses );
notifications_unsubscribe( RP_TAGS_NOTIFICATION_TERMINATE_PROCESS, NULL, processTerminateProcesses );
obsLib_free( g_extensions );
g_extensions = NULL;
if( NULL != g_procContexts )
{
for( i = 0; i < g_procContexts->nElements; i++ )
{
rpal_memory_free( ( (ProcExtInfo*)g_procContexts->elements[ i ] )->processPath );
rpal_memory_free( g_procContexts->elements[ i ] );
}
}
rpal_vector_free( g_procContexts );
g_procContexts = NULL;
rMutex_free( g_mutex );
g_mutex = NULL;
}
return isSuccess;
}
RBOOL
rpHostCommonPlatformLib_launch
(
RU8 configHint,
RPNCHAR primaryHomeUrl,
RPNCHAR secondaryHomeUrl
)
{
RBOOL isInitSuccessful = FALSE;
rSequence staticConfig = NULL;
RPCHAR tmpStr = NULL;
rSequence tmpSeq = NULL;
RPU8 tmpBuffer = NULL;
RU32 tmpSize = 0;
RU16 tmpPort = 0;
rpal_debug_info( "launching hcp" );
#ifdef RPAL_PLATFORM_WINDOWS
if( setGlobalCrashHandler() &&
SetConsoleCtrlHandler( (PHANDLER_ROUTINE)ctrlHandler, TRUE ) )
{
rpal_debug_info( "global crash handler set" );
}
else
{
rpal_debug_warning( "error setting global crash handler" );
}
#endif
if( 1 == rInterlocked_increment32( &g_hcpContext.isRunning ) )
{
if( rpal_initialize( NULL, RPAL_COMPONENT_HCP ) )
{
CryptoLib_init();
if( NULL == ( g_hcpContext.cloudConnectionMutex = rMutex_create() ) ||
NULL == ( g_hcpContext.isCloudOnline = rEvent_create( TRUE ) ) )
{
rMutex_free( g_hcpContext.cloudConnectionMutex );
rpal_debug_error( "could not create cloud connection mutex or event" );
return FALSE;
}
g_hcpContext.currentId.raw = g_idTemplate.raw;
// We attempt to load some initial config from the serialized
// rSequence that can be patched in this binary.
if( NULL != ( staticConfig = getStaticConfig() ) )
{
if( rSequence_getSTRINGA( staticConfig, RP_TAGS_HCP_PRIMARY_URL, &tmpStr ) &&
rSequence_getRU16( staticConfig, RP_TAGS_HCP_PRIMARY_PORT, &tmpPort ) )
{
g_hcpContext.primaryUrl = rpal_string_strdupA( tmpStr );
g_hcpContext.primaryPort = tmpPort;
rpal_debug_info( "loading primary url from static config" );
}
if( rSequence_getSTRINGA( staticConfig, RP_TAGS_HCP_SECONDARY_URL, &tmpStr ) &&
rSequence_getRU16( staticConfig, RP_TAGS_HCP_SECONDARY_PORT, &tmpPort ) )
{
g_hcpContext.secondaryUrl = rpal_string_strdupA( tmpStr );
g_hcpContext.secondaryPort = tmpPort;
rpal_debug_info( "loading secondary url from static config" );
}
if( rSequence_getSEQUENCE( staticConfig, RP_TAGS_HCP_ID, &tmpSeq ) )
{
g_hcpContext.currentId = seqToHcpId( tmpSeq );
rpal_debug_info( "loading default id from static config" );
}
if( rSequence_getBUFFER( staticConfig, RP_TAGS_HCP_C2_PUBLIC_KEY, &tmpBuffer, &tmpSize ) )
{
setC2PublicKey( rpal_memory_duplicate( tmpBuffer, tmpSize ) );
rpal_debug_info( "loading c2 public key from static config" );
}
if( rSequence_getBUFFER( staticConfig, RP_TAGS_HCP_ROOT_PUBLIC_KEY, &tmpBuffer, &tmpSize ) )
{
setRootPublicKey( rpal_memory_duplicate( tmpBuffer, tmpSize ) );
rpal_debug_info( "loading root public key from static config" );
}
if( rSequence_getSTRINGA( staticConfig, RP_TAGS_HCP_DEPLOYMENT_KEY, &tmpStr ) )
{
g_hcpContext.deploymentKey = rpal_string_strdupA( tmpStr );
rpal_debug_info( "loading deployment key from static config" );
}
rSequence_free( staticConfig );
}
// Now we will override the defaults (if present) with command
// line parameters.
if( NULL != primaryHomeUrl &&
0 != rpal_string_strlen( primaryHomeUrl ) )
{
if( NULL != g_hcpContext.primaryUrl )
{
rpal_memory_free( g_hcpContext.primaryUrl );
g_hcpContext.primaryUrl = NULL;
}
g_hcpContext.primaryUrl = rpal_string_ntoa( primaryHomeUrl );
}
if( NULL != secondaryHomeUrl &&
0 != rpal_string_strlen( secondaryHomeUrl ) )
{
if( NULL != g_hcpContext.secondaryUrl )
{
rpal_memory_free( g_hcpContext.secondaryUrl );
g_hcpContext.secondaryUrl = NULL;
}
g_hcpContext.secondaryUrl = rpal_string_ntoa( secondaryHomeUrl );
}
g_hcpContext.enrollmentToken = NULL;
g_hcpContext.enrollmentTokenSize = 0;
getStoreConf(); /* Sets the agent ID platform. */
// Set the current configId
g_hcpContext.currentId.id.configId = configHint;
if( startBeacons() )
{
isInitSuccessful = TRUE;
}
else
{
rpal_debug_warning( "error starting beacons" );
}
CryptoLib_deinit();
}
else
{
rpal_debug_warning( "hcp platform could not init rpal" );
}
}
else
{
rInterlocked_decrement32( &g_hcpContext.isRunning );
rpal_debug_info( "hcp already launched" );
}
return isInitSuccessful;
}
static
RVOID
processHashedEvent
(
rpcm_tag notifType,
rSequence event
)
{
RPWCHAR nameW = NULL;
RPCHAR nameA = NULL;
CryptoLib_Hash* pHash = NULL;
CryptoLib_Hash localHash = { 0 };
UNREFERENCED_PARAMETER( notifType );
if( rpal_memory_isValid( event ) )
{
if( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) ||
rSequence_getSTRINGA( event, RP_TAGS_DLL, &nameA ) ||
rSequence_getSTRINGW( event, RP_TAGS_DLL, &nameW ) ||
rSequence_getSTRINGA( event, RP_TAGS_EXECUTABLE, &nameA ) ||
rSequence_getSTRINGW( event, RP_TAGS_EXECUTABLE, &nameW ) )
{
rSequence_getBUFFER( event, RP_TAGS_HASH, (RPU8*)&pHash, NULL );
if( NULL != nameA )
{
if( NULL == pHash )
{
if( _MAX_FILE_HASH_SIZE < rpal_file_getSize( nameA, TRUE ) )
{
rSequence_unTaintRead( event );
rSequence_addRU32( event, RP_TAGS_ERROR, RPAL_ERROR_FILE_TOO_LARGE );
if( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
rSequence_getSTRINGA( event, RP_TAGS_DLL, &nameA ) ||
rSequence_getSTRINGA( event, RP_TAGS_EXECUTABLE, &nameA ) )
{
// Find the name again with shortcircuit
}
}
else if( CryptoLib_hashFileA( nameA, &localHash, TRUE ) )
{
pHash = &localHash;
}
}
processCodeIdentA( nameA, pHash, 0, event );
}
else if( NULL != nameW )
{
if( NULL == pHash )
{
if( _MAX_FILE_HASH_SIZE < rpal_file_getSizew( nameW, TRUE ) )
{
rSequence_unTaintRead( event );
rSequence_addRU32( event, RP_TAGS_ERROR, RPAL_ERROR_FILE_TOO_LARGE );
if( rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) ||
rSequence_getSTRINGW( event, RP_TAGS_DLL, &nameW ) ||
rSequence_getSTRINGW( event, RP_TAGS_EXECUTABLE, &nameW ) )
{
// Find the name again with shortcircuit
}
}
else if( CryptoLib_hashFileW( nameW, &localHash, TRUE ) )
{
pHash = &localHash;
}
}
processCodeIdentW( nameW, pHash, 0, event );
}
}
}
}
static
RVOID
processNewModule
(
rpcm_tag notifType,
rSequence event
)
{
RPWCHAR nameW = NULL;
RPCHAR nameA = NULL;
CryptoLib_Hash fileHash = { 0 };
RU64 size = 0;
UNREFERENCED_PARAMETER( notifType );
if( rpal_memory_isValid( event ) )
{
if( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) )
{
if( ( NULL != nameA &&
_MAX_FILE_HASH_SIZE < rpal_file_getSize( nameA, TRUE ) ) ||
( NULL != nameW &&
_MAX_FILE_HASH_SIZE < rpal_file_getSizew( nameW, TRUE ) ) )
{
// We already read from the event, but we will be careful.
rSequence_unTaintRead( event );
rSequence_addRU32( event, RP_TAGS_ERROR, RPAL_ERROR_FILE_TOO_LARGE );
// We need to re-get the paths in case adding the error triggered
// a change in the structure.
if( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) )
{
// Find the name again with shortcircuit
}
}
else
{
if( NULL != nameA &&
!CryptoLib_hashFileA( nameA, &fileHash, TRUE ) )
{
rpal_debug_info( "unable to fetch file hash for ident" );
}
if( NULL != nameW &&
!CryptoLib_hashFileW( nameW, &fileHash, TRUE ) )
{
rpal_debug_info( "unable to fetch file hash for ident" );
}
}
rSequence_getRU64( event, RP_TAGS_MEMORY_SIZE, &size );
if( NULL != nameA )
{
processCodeIdentA( nameA, &fileHash, size, event );
}
else if( NULL != nameW )
{
processCodeIdentW( nameW, &fileHash, size, event );
}
}
}
}
