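// Ring-buffer compare callback: does the cached document `doc` satisfy the
// search criteria in `ctx`?
//
// A criterion that is absent on either side (no path / no hash stored in the
// doc, or no expression / no hash requested in the context) counts as
// satisfied, so an empty context matches every document.
//
// Returns TRUE on match, FALSE otherwise (also for an invalid doc, a NULL
// ctx, or a stored hash whose size is not that of a CryptoLib_Hash).
static RBOOL findDoc( rSequence doc, DocSearchContext* ctx )
{
    RBOOL isMatch = FALSE;
    RPCHAR filePathA = NULL;
    RPWCHAR filePathW = NULL;
    CryptoLib_Hash* pHash = NULL;
    RU32 hashSize = 0;

    if( rpal_memory_isValid( doc ) && NULL != ctx )
    {
        // Return values are ignored: a lookup that fails is assumed to leave
        // the NULL initialiser in place, which is what "absent" means below.
        rSequence_getSTRINGA( doc, RP_TAGS_FILE_PATH, &filePathA );
        rSequence_getSTRINGW( doc, RP_TAGS_FILE_PATH, &filePathW );
        rSequence_getBUFFER( doc, RP_TAGS_HASH, (RPU8*)&pHash, &hashSize );

        // ctx->pHash points at exactly one CryptoLib_Hash, so a stored hash
        // buffer of any other size must not be compared against it: a larger
        // hashSize would read past the end of ctx->pHash. Such a document is
        // treated as a non-match rather than as "no hash".
        if( ( NULL == filePathA ||
              NULL == ctx->exprA ||
              rpal_string_match( ctx->exprA, filePathA, FALSE ) ) &&
            ( NULL == filePathW ||
              NULL == ctx->exprW ||
              rpal_string_matchw( ctx->exprW, filePathW, FALSE ) ) &&
            ( NULL == pHash ||
              NULL == ctx->pHash ||
              ( sizeof( *ctx->pHash ) == hashSize &&
                0 == rpal_memory_memcmp( pHash, ctx->pHash, hashSize ) ) ) )
        {
            isMatch = TRUE;
        }
    }

    return isMatch;
}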
/**
 * Propagate the investigation id carried by `parent` onto `toMark`, so that
 * events produced while handling `parent` are tagged as part of the same
 * investigation.
 *
 * @param parent  sequence that may carry RP_TAGS_HBS_INVESTIGATION_ID
 * @param toMark  sequence to tag with that same id
 * @return TRUE when both sequences are valid and either `parent` carries no
 *         investigation id (nothing to copy) or the id was added to `toMark`;
 *         FALSE otherwise.
 */
RBOOL hbs_markAsRelated( rSequence parent, rSequence toMark )
{
    RPCHAR invId = NULL;

    if( !rpal_memory_isValid( parent ) || !rpal_memory_isValid( toMark ) )
    {
        return FALSE;
    }

    // No investigation id on the parent: nothing to propagate, still a success.
    if( !rSequence_getSTRINGA( parent, RP_TAGS_HBS_INVESTIGATION_ID, &invId ) )
    {
        return TRUE;
    }

    return rSequence_addSTRINGA( toMark, RP_TAGS_HBS_INVESTIGATION_ID, invId ) ? TRUE : FALSE;
}
// New-module notification handler: hashes the module file named in the event
// (RP_TAGS_FILE_PATH, narrow or wide) and forwards it, together with the
// reported RP_TAGS_MEMORY_SIZE, to the code-identity tracker.
//
// A failed hash is only logged; whatever fileHash holds (zero-initialised) is
// still forwarded.
// NOTE(review): no upper bound is applied to the size of the file hashed here.
static RVOID processNewModule( rpcm_tag notifType, rSequence event )
{
    RPWCHAR nameW = NULL;
    RPCHAR nameA = NULL;
    RU8 fileHash[ CRYPTOLIB_HASH_SIZE ] = { 0 };
    RU64 size = 0;
    RBOOL hasName = FALSE;

    UNREFERENCED_PARAMETER( notifType );

    if( !rpal_memory_isValid( event ) )
    {
        return;
    }

    // Short-circuit: the narrow form wins, so at most one of nameA / nameW
    // ends up set.
    hasName = rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
              rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW );
    if( !hasName )
    {
        return;
    }

    if( NULL != nameA )
    {
        if( !CryptoLib_hashFileA( nameA, fileHash, TRUE ) )
        {
            rpal_debug_info( "unable to fetch file hash for ident" );
        }
    }
    else if( NULL != nameW )
    {
        if( !CryptoLib_hashFileW( nameW, fileHash, TRUE ) )
        {
            rpal_debug_info( "unable to fetch file hash for ident" );
        }
    }

    // Optional; stays 0 when the event carries no size.
    rSequence_getRU64( event, RP_TAGS_MEMORY_SIZE, &size );

    if( NULL != nameA )
    {
        processCodeIdentA( nameA, fileHash, size, event );
    }
    else if( NULL != nameW )
    {
        processCodeIdentW( nameW, fileHash, size, event );
    }
}
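/* Smoke test for processLib_getServicesList: the enumeration must return a
 * non-empty list whose first RP_TAGS_SVC entry carries a non-empty
 * RP_TAGS_SVC_NAME. The name is a wide string on Windows/Linux and a narrow
 * string on macOS, hence the platform switches. */
void test_servicesList( void )
{
    rList svcs = NULL;
    rSequence svc = NULL;
    RU32 type = PROCESSLIB_SVCS;
#if defined( RPAL_PLATFORM_WINDOWS ) || defined( RPAL_PLATFORM_LINUX )
    RPWCHAR svcName = NULL;
#elif defined( RPAL_PLATFORM_MACOSX )
    RPCHAR svcName = NULL;
#endif

    svcs = processLib_getServicesList( type );
    CU_ASSERT_PTR_NOT_EQUAL_FATAL( svcs, NULL );

    // Only the first service is inspected; an empty list fails here.
    CU_ASSERT_TRUE( rList_getSEQUENCE( svcs, RP_TAGS_SVC, &svc ) );

#if defined( RPAL_PLATFORM_WINDOWS ) || defined( RPAL_PLATFORM_LINUX )
    CU_ASSERT_TRUE( rSequence_getSTRINGW( svc, RP_TAGS_SVC_NAME, &svcName ) );
    CU_ASSERT_PTR_NOT_EQUAL( svcName, NULL );
    CU_ASSERT_NOT_EQUAL( rpal_string_strlenw( svcName ), 0 );
#elif defined( RPAL_PLATFORM_MACOSX )
    CU_ASSERT_TRUE( rSequence_getSTRINGA( svc, RP_TAGS_SVC_NAME, &svcName ) );
    CU_ASSERT_PTR_NOT_EQUAL( svcName, NULL );
    CU_ASSERT_NOT_EQUAL( rpal_string_strlen( svcName ), 0 );
#endif

    // svcs is an rList, so release it with the list destructor rather than
    // rSequence_free, which expects a sequence.
    rList_free( svcs );
}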
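// Scan every process whose image path matches `procA`, handing each match to
// _scanProcessWith. Returns the error of the last scan performed (0 when no
// process matched or the process list could not be read).
static RU32 _yaraScanMatchingProcesses( RPCHAR procA, YaraMatchContext* matchContext, YR_RULES* rules )
{
    RU32 scanError = 0;
    processLibProcEntry* processes = NULL;
    processLibProcEntry* curProc = NULL;
    rSequence processInfo = NULL;
    RPWCHAR tmpW = NULL;
    RPCHAR tmpA = NULL;

    if( NULL == ( processes = processLib_getProcessEntries( TRUE ) ) )
    {
        return scanError;
    }

    for( curProc = processes; 0 != curProc->pid; curProc++ )
    {
        // Reset per process: the getters below are only trusted to set these
        // on success, and a stale tmpW left over from a previous entry would
        // otherwise be converted (and its conversion freed) again.
        tmpW = NULL;
        tmpA = NULL;

        if( NULL == ( processInfo = processLib_getProcessInfo( curProc->pid, NULL ) ) )
        {
            continue;
        }

        if( rSequence_getSTRINGW( processInfo, RP_TAGS_FILE_PATH, &tmpW ) ||
            rSequence_getSTRINGA( processInfo, RP_TAGS_FILE_PATH, &tmpA ) )
        {
            if( NULL != tmpW )
            {
                // Wide path: match through a narrow copy we own.
                tmpA = rpal_string_wtoa( tmpW );
            }

            if( NULL != tmpA &&
                rpal_string_match( procA, tmpA, RPAL_PLATFORM_FS_CASE_SENSITIVITY ) )
            {
                matchContext->pid = curProc->pid;
                matchContext->processInfo = processInfo;
                scanError = _scanProcessWith( curProc->pid, matchContext, rules, NULL );
            }

            if( NULL != tmpW && NULL != tmpA )
            {
                // Both set means tmpA is our wtoa() copy rather than a pointer
                // into processInfo, so it is ours to free.
                rpal_memory_free( tmpA );
            }
        }

        rSequence_free( processInfo );
        // processInfo is gone; never leave the context pointing at it.
        matchContext->processInfo = NULL;
    }

    rpal_memory_free( processes );
    return scanError;
}

// Scan every process on the host. Returns the error of the last scan
// performed (0 when the process list could not be read).
static RU32 _yaraScanAllProcesses( YaraMatchContext* matchContext, YR_RULES* rules )
{
    RU32 scanError = 0;
    processLibProcEntry* processes = NULL;
    processLibProcEntry* curProc = NULL;

    if( NULL == ( processes = processLib_getProcessEntries( TRUE ) ) )
    {
        return scanError;
    }

    for( curProc = processes; 0 != curProc->pid; curProc++ )
    {
        matchContext->pid = curProc->pid;
        scanError = _scanProcessWith( curProc->pid, matchContext, rules, NULL );
        // processInfo is presumably populated by _scanProcessWith for this pid
        // (it is freed here); clear it after the free so the next call cannot
        // see a dangling pointer.
        rSequence_free( matchContext->processInfo );
        matchContext->processInfo = NULL;
    }

    rpal_memory_free( processes );
    return scanError;
}

// On-demand yara scan request handler.
//
// The request carries the compiled rules to use (RP_TAGS_RULES) and selects
// a target by, in order of precedence: a file path (RP_TAGS_FILE_PATH), a
// process image path pattern (RP_TAGS_PROCESS), a pid (RP_TAGS_PROCESS_ID),
// or nothing at all (every process is scanned). Completion is reported back
// on the event through reportError with the error of the last scan.
static RVOID doScan( rpcm_tag eventType, rSequence event )
{
    RU32 pid = 0;
    RPWCHAR fileW = NULL;
    RPCHAR fileA = NULL;
    RPWCHAR procW = NULL;
    RPCHAR procA = NULL;
    RPU8 rulesBuffer = NULL;
    RU32 rulesBufferSize = 0;
    YR_RULES* rules = NULL;
    YaraMatchContext matchContext = { 0 };
    RU32 scanError = 0;

    UNREFERENCED_PARAMETER( eventType );

    if( rpal_memory_isValid( event ) )
    {
        rSequence_getRU32( event, RP_TAGS_PROCESS_ID, &pid );
        rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &fileW );
        rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &fileA );
        rSequence_getSTRINGW( event, RP_TAGS_PROCESS, &procW );
        rSequence_getSTRINGA( event, RP_TAGS_PROCESS, &procA );

        if( rSequence_getBUFFER( event, RP_TAGS_RULES, &rulesBuffer, &rulesBufferSize ) )
        {
            rules = loadYaraRules( rulesBuffer, rulesBufferSize );
        }

        if( NULL != rules )
        {
            // Wide targets are converted to narrow copies we own; a wide value
            // takes precedence over a narrow one carried under the same tag.
            if( NULL != fileW )
            {
                fileA = rpal_string_wtoa( fileW );
            }
            if( NULL != procW )
            {
                procA = rpal_string_wtoa( procW );
            }

            if( NULL != fileA )
            {
                rpal_debug_info( "scanning file with yara" );
                matchContext.fileInfo = event;
                // Scan this file
                if( ERROR_SUCCESS != ( scanError = yr_rules_scan_file( rules, fileA, SCAN_FLAGS_FAST_MODE, _yaraFileMatchCallback, &matchContext, 60 ) ) )
                {
                    rpal_debug_warning( "Yara file scan error: %d", scanError );
                }
            }
            else if( NULL != procA )
            {
                // Scan processes matching
                scanError = _yaraScanMatchingProcesses( procA, &matchContext, rules );
            }
            else if( 0 != pid )
            {
                // Scan this process
                matchContext.pid = pid;
                scanError = _scanProcessWith( pid, &matchContext, rules, NULL );
                rSequence_free( matchContext.processInfo );
                matchContext.processInfo = NULL;
            }
            else
            {
                // Scan all processes
                scanError = _yaraScanAllProcesses( &matchContext, rules );
            }

            // Both set means the narrow form is our wtoa() copy, so free it.
            if( NULL != fileW && NULL != fileA )
            {
                rpal_memory_free( fileA );
            }
            if( NULL != procW && NULL != procA )
            {
                rpal_memory_free( procA );
            }

            yr_rules_destroy( rules );
        }
        else
        {
            rpal_debug_warning( "no rules in yara scan request" );
            reportError( event, RPAL_ERROR_NOT_SUPPORTED, "yara rules do not parse" );
        }
    }

    rpal_debug_info( "finished on demand yara scan" );
    reportError( event, scanError, "done" );
    yr_finalize_thread();
}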
// Worker thread body: drains g_async_files_to_scan and yara-scans each queued
// file path against the global rule set. A bloom filter of paths already seen
// suppresses repeats, so a given path is scanned at most once per thread
// lifetime. Runs until `isTimeToStop` is signalled.
//
// Returns NULL (the thread result is unused); also NULL right away if the
// bloom filter cannot be allocated.
static RPVOID continuousFileScan( rEvent isTimeToStop, RPVOID ctx )
{
    rSequence event = NULL;
    RU32 timeout = 0;
    RPWCHAR pathW = NULL;
    RPCHAR pathA = NULL;
    YaraMatchContext matchContext = { 0 };
    RU32 scanError = 0;
    rBloom knownFiles = NULL;

    UNREFERENCED_PARAMETER( ctx );

    knownFiles = rpal_bloom_create( 100000, 0.00001 );
    if( NULL == knownFiles )
    {
        return NULL;
    }

    while( !rEvent_wait( isTimeToStop, timeout ) )
    {
        if( !rQueue_remove( g_async_files_to_scan, (RPVOID*)&event, NULL, MSEC_FROM_SEC( 2 ) ) )
        {
            // Nothing queued: check the stop event again right away.
            timeout = 0;
            continue;
        }

        pathW = NULL;
        pathA = NULL;

        // Prefer the wide path, converted to a narrow copy we own; otherwise
        // use the narrow path straight out of the event.
        if( rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &pathW ) )
        {
            pathA = rpal_string_wtoa( pathW );
        }
        else
        {
            rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &pathA );
        }

        // addIfNew is used as a first-sight test (presumably TRUE only the
        // first time a path is recorded).
        if( NULL != pathA &&
            rpal_bloom_addIfNew( knownFiles, pathA, rpal_string_strlen( pathA ) ) )
        {
            rpal_debug_info( "yara scanning %s", pathA );
            matchContext.fileInfo = event;

            // The global rules may be swapped out concurrently: hold the
            // mutex for the whole scan.
            if( rMutex_lock( g_global_rules_mutex ) )
            {
                if( NULL != g_global_rules )
                {
                    rpal_debug_info( "scanning continuous file with yara" );
                    scanError = yr_rules_scan_file( g_global_rules, pathA, SCAN_FLAGS_FAST_MODE, _yaraFileMatchCallback, &matchContext, 60 );
                    if( ERROR_SUCCESS != scanError )
                    {
                        rpal_debug_warning( "Yara file scan error: %d", scanError );
                    }
                }
                rMutex_unlock( g_global_rules_mutex );
            }
        }

        // Both set means pathA is our wtoa() copy rather than a pointer into
        // the event, so it is ours to free.
        if( NULL != pathW && NULL != pathA )
        {
            rpal_memory_free( pathA );
        }

        rSequence_free( event );
        timeout = _TIMEOUT_BETWEEN_FILE_SCANS;
    }

    rpal_bloom_destroy( knownFiles );
    yr_finalize_thread();
    return NULL;
}
// File-I/O notification handler for the document collector.
//
// Takes ownership of `notif`: on every path it is either stored in
// documentCache (which then owns it) or released with rSequence_free.
//
// A file is "of interest" when its path (narrow or wide form of
// RP_TAGS_FILE_PATH) produces a hit in the corresponding obsLib matcher.
// Such a file is hashed, the hash is attached to the notification, the
// notification is published as RP_TAGS_NOTIFICATION_NEW_DOCUMENT and, when
// the content fit in memory, cached together with that content.
static RVOID processFile( rSequence notif )
{
    RPCHAR fileA = NULL;
    RPWCHAR fileW = NULL;
    RPU8 fileContent = NULL;
    RU32 fileSize = 0;
    CryptoLib_Hash hash = { 0 };

    if( NULL != notif )
    {
        // The matchers are file-scope state shared across calls; start both
        // from a clean search position.
        obsLib_resetSearchState( matcherA );
        obsLib_resetSearchState( matcherW );

        // Short-circuit: the wide path is only consulted when there is no
        // narrow path or the narrow path did not match. The target length
        // handed to the matcher includes the terminator.
        // NOTE(review): a narrow path that was read but did not match leaves
        // fileA non-NULL, and the hash step below tries fileA first — confirm
        // both forms always name the same file.
        if( ( rSequence_getSTRINGA( notif, RP_TAGS_FILE_PATH, &fileA ) &&
              obsLib_setTargetBuffer( matcherA, fileA, ( rpal_string_strlen( fileA ) + 1 ) * sizeof( RCHAR ) ) &&
              obsLib_nextHit( matcherA, NULL, NULL ) ) ||
            ( rSequence_getSTRINGW( notif, RP_TAGS_FILE_PATH, &fileW ) &&
              obsLib_setTargetBuffer( matcherW, fileW, ( rpal_string_strlenw( fileW ) + 1 ) * sizeof( RWCHAR ) ) &&
              obsLib_nextHit( matcherW, NULL, NULL ) ) )
        {
            // This means it's a file of interest.
            // Preferred route: read the whole file (only when it is no larger
            // than DOCUMENT_MAX_SIZE) and hash it in memory, keeping the
            // content for the cache. Fallback for larger files or a failed
            // read: hash it on disk, in which case fileContent stays NULL and
            // the document is not cached.
            if( ( NULL != fileA &&
                  ( ( DOCUMENT_MAX_SIZE >= rpal_file_getSize( fileA, TRUE ) &&
                      rpal_file_read( fileA, (RPVOID*)&fileContent, &fileSize, TRUE ) &&
                      CryptoLib_hash( fileContent, fileSize, &hash ) ) ||
                    CryptoLib_hashFileA( fileA, &hash, TRUE ) ) ) ||
                ( NULL != fileW &&
                  ( ( DOCUMENT_MAX_SIZE >= rpal_file_getSizew( fileW, TRUE ) &&
                      rpal_file_readw( fileW, (RPVOID*)&fileContent, &fileSize, TRUE ) &&
                      CryptoLib_hash( fileContent, fileSize, &hash ) ) ||
                    CryptoLib_hashFileW( fileW, &hash, TRUE ) ) ) )
            {
                // We acquired the hash, either by reading the entire file in memory
                // which we will use for caching, or if it was too big by hashing it
                // sequentially on disk.
                // notif has been read from above, so un-taint it before adding.
                rSequence_unTaintRead( notif );
                rSequence_addBUFFER( notif, RP_TAGS_HASH, (RPU8)&hash, sizeof( hash ) );
                // NOTE(review): notif is still used (and possibly cached) after
                // this call, so publish is assumed not to take ownership.
                notifications_publish( RP_TAGS_NOTIFICATION_NEW_DOCUMENT, notif );
            }

            // Cache only documents whose content was read. addBUFFER evidently
            // copies the buffer, since fileContent is freed right after.
            // NOTE(review): when the hash step above failed, this addBUFFER
            // runs on a notif that was read from but not un-tainted.
            if( rMutex_lock( cacheMutex ) )
            {
                if( NULL == fileContent ||
                    !rSequence_addBUFFER( notif, RP_TAGS_FILE_CONTENT, fileContent, fileSize ) ||
                    !HbsRingBuffer_add( documentCache, notif ) )
                {
                    rSequence_free( notif );
                }
                rMutex_unlock( cacheMutex );
            }
            else
            {
                rSequence_free( notif );
            }

            if( NULL != fileContent )
            {
                rpal_memory_free( fileContent );
            }
        }
        else
        {
            // Not a tracked file: nothing to keep.
            rSequence_free( notif );
        }
    }
}
// Get-document request handler: looks up cached documents matching the
// requested path pattern (RP_TAGS_STRING_PATTERN, narrow and/or wide) and/or
// hash (RP_TAGS_HASH), attaches deep copies of the hits to the request as an
// RP_TAGS_FILES list and publishes it as RP_TAGS_NOTIFICATION_GET_DOCUMENT_REP.
static RVOID getDocument( rpcm_tag notifId, rSequence notif )
{
    rSequence found = NULL;
    DocSearchContext ctx = { 0 };
    RU32 hashSize = 0;
    rList results = NULL;
    RBOOL ownsExprA = FALSE;
    RBOOL ownsExprW = FALSE;

    UNREFERENCED_PARAMETER( notifId );

    if( NULL != notif )
    {
        // Read both encodings of the pattern; whichever is missing is derived
        // from the other so findDoc can match either encoding of a path.
        if( !rSequence_getSTRINGA( notif, RP_TAGS_STRING_PATTERN, &ctx.exprA ) )
        {
            ctx.exprA = NULL;
        }
        if( !rSequence_getSTRINGW( notif, RP_TAGS_STRING_PATTERN, &ctx.exprW ) )
        {
            ctx.exprW = NULL;
        }

        if( NULL == ctx.exprW && NULL != ctx.exprA )
        {
            ctx.exprW = rpal_string_atow( ctx.exprA );
            ownsExprW = TRUE;
        }
        else if( NULL == ctx.exprA && NULL != ctx.exprW )
        {
            ctx.exprA = rpal_string_wtoa( ctx.exprW );
            ownsExprA = TRUE;
        }

        // Only a hash of exactly the expected size is usable for comparison.
        if( !rSequence_getBUFFER( notif, RP_TAGS_HASH, (RPU8*)&ctx.pHash, &hashSize ) ||
            sizeof( *ctx.pHash ) != hashSize )
        {
            // Unexpected hash size, let's not gamble
            ctx.pHash = NULL;
        }
    }

    if( rMutex_lock( cacheMutex ) )
    {
        results = rList_new( RP_TAGS_FILE_INFO, RPCM_SEQUENCE );
        if( NULL != results )
        {
            // TODO: optimize this since if we're dealing with large files
            // we will be temporarily using large amounts of duplicate memory.
            // We just need to do some shallow free of the datastructures
            // somehow.
            // NOTE(review): `found` is both the find() output and, after
            // duplication, the value handed back in on the next call; whether
            // HbsRingBuffer_find treats that argument as a cursor cannot be
            // told from here.
            while( HbsRingBuffer_find( documentCache, (HbsRingBufferCompareFunc)findDoc, &ctx, &found ) )
            {
                found = rSequence_duplicate( found );
                if( NULL != found && !rList_addSEQUENCE( results, found ) )
                {
                    rSequence_free( found );
                }
            }

            if( !rSequence_addLIST( notif, RP_TAGS_FILES, results ) )
            {
                rList_free( results );
            }
        }
        rMutex_unlock( cacheMutex );

        // NOTE(review): with a NULL notif this still publishes a NULL reply.
        notifications_publish( RP_TAGS_NOTIFICATION_GET_DOCUMENT_REP, notif );
    }

    // Only the converted copies are ours; the originals live in notif.
    if( ownsExprA )
    {
        rpal_memory_free( ctx.exprA );
    }
    if( ownsExprW )
    {
        rpal_memory_free( ctx.exprW );
    }
}
// Initialise collector 22: load the configured file-extension and path
// patterns into g_extensions, then subscribe to the file-I/O and process
// notifications that feed it. Any failure tears down everything acquired
// here (subscriptions, matcher, per-process contexts, mutex) and yields FALSE.
//
// @param hbsState  collector framework state; must be non-NULL
// @param config    collector config carrying an RP_TAGS_PATTERNS list of
//                  RP_TAGS_RULE sequences (rule id 1..64 plus an extension
//                  and/or string pattern in narrow and/or wide form)
// @return TRUE when fully initialised, FALSE otherwise
RBOOL collector_22_init( HbsState* hbsState, rSequence config )
{
    RBOOL isSuccess = FALSE;
    rList patterns = NULL;
    rSequence pattern = NULL;
    RPCHAR strA = NULL;
    RPWCHAR strW = NULL;
    RPNCHAR tmpN = NULL;
    ProcExtInfo* procInfo = NULL;
    RU8 patternId = 0;
    RU32 i = 0;
    RU32 k = 0;
    // The two tags a rule may carry, in processing order, with the
    // isExtension flag handed to _addPattern for each.
    struct { rpcm_tag tag; RBOOL isExtension; } kinds[] = {
        { RP_TAGS_EXTENSION, TRUE },
        { RP_TAGS_STRING_PATTERN, FALSE }
    };

    if( NULL != hbsState &&
        NULL != ( g_extensions = obsLib_new( 0, 0 ) ) &&
        rSequence_getLIST( config, RP_TAGS_PATTERNS, &patterns ) )
    {
        while( rList_getSEQUENCE( patterns, RP_TAGS_RULE, &pattern ) )
        {
            if( !rSequence_getRU8( pattern, RP_TAGS_RULE_NAME, &patternId ) )
            {
                continue;
            }

            // Ids are 1-based on the wire (1..64 accepted) and stored 0-based.
            // NOTE(review): the message says "below 64" while 64 is accepted.
            if( 0 == patternId || 64 < patternId )
            {
                rpal_debug_critical( "rule id must be below 64 and 1-based." );
                continue;
            }
            patternId--;

            for( k = 0; k < sizeof( kinds ) / sizeof( kinds[ 0 ] ); k++ )
            {
                // Narrow then wide value of the tag, each converted to the
                // native encoding for the matcher and released right after.
                if( rSequence_getSTRINGA( pattern, kinds[ k ].tag, &strA ) &&
                    NULL != ( tmpN = rpal_string_aton( strA ) ) )
                {
                    _addPattern( g_extensions, tmpN, kinds[ k ].isExtension, NUMBER_TO_PTR( patternId ) );
                    rpal_memory_free( tmpN );
                }
                if( rSequence_getSTRINGW( pattern, kinds[ k ].tag, &strW ) &&
                    NULL != ( tmpN = rpal_string_wton( strW ) ) )
                {
                    _addPattern( g_extensions, tmpN, kinds[ k ].isExtension, NUMBER_TO_PTR( patternId ) );
                    rpal_memory_free( tmpN );
                }
            }
        }

        if( NULL != ( g_mutex = rMutex_create() ) &&
            NULL != ( g_procContexts = rpal_vector_new() ) &&
            notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, NULL, 0, NULL, processFileIo ) &&
            notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_DELETE, NULL, 0, NULL, processFileIo ) &&
            notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_MODIFIED, NULL, 0, NULL, processFileIo ) &&
            notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_READ, NULL, 0, NULL, processFileIo ) &&
            notifications_subscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, 0, NULL, processNewProcesses ) &&
            notifications_subscribe( RP_TAGS_NOTIFICATION_EXISTING_PROCESS, NULL, 0, NULL, processNewProcesses ) &&
            notifications_subscribe( RP_TAGS_NOTIFICATION_TERMINATE_PROCESS, NULL, 0, NULL, processTerminateProcesses ) )
        {
            isSuccess = TRUE;
        }
    }

    if( !isSuccess )
    {
        // Unsubscribe everything, whether or not the subscribe got that far.
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, NULL, processFileIo );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_DELETE, NULL, processFileIo );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_MODIFIED, NULL, processFileIo );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_READ, NULL, processFileIo );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, processNewProcesses );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_EXISTING_PROCESS, NULL, processNewProcesses );
        notifications_unsubscribe( RP_TAGS_NOTIFICATION_TERMINATE_PROCESS, NULL, processTerminateProcesses );

        obsLib_free( g_extensions );
        g_extensions = NULL;

        // Each context owns its processPath; free both before the vector.
        if( NULL != g_procContexts )
        {
            for( i = 0; i < g_procContexts->nElements; i++ )
            {
                procInfo = (ProcExtInfo*)g_procContexts->elements[ i ];
                rpal_memory_free( procInfo->processPath );
                rpal_memory_free( procInfo );
            }
        }
        rpal_vector_free( g_procContexts );
        g_procContexts = NULL;

        rMutex_free( g_mutex );
        g_mutex = NULL;
    }

    return isSuccess;
}
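// Copy the fields found in the static config patched into this binary into
// g_hcpContext. Every field is optional and only the ones present are
// applied. Strings and key buffers are duplicated, so `staticConfig` may be
// freed by the caller afterwards.
static RVOID _applyStaticConfig( rSequence staticConfig )
{
    RPCHAR tmpStr = NULL;
    rSequence tmpSeq = NULL;
    RPU8 tmpBuffer = NULL;
    RU32 tmpSize = 0;
    RU16 tmpPort = 0;

    // A URL is only taken together with its port.
    if( rSequence_getSTRINGA( staticConfig, RP_TAGS_HCP_PRIMARY_URL, &tmpStr ) &&
        rSequence_getRU16( staticConfig, RP_TAGS_HCP_PRIMARY_PORT, &tmpPort ) )
    {
        g_hcpContext.primaryUrl = rpal_string_strdupA( tmpStr );
        g_hcpContext.primaryPort = tmpPort;
        rpal_debug_info( "loading primary url from static config" );
    }

    if( rSequence_getSTRINGA( staticConfig, RP_TAGS_HCP_SECONDARY_URL, &tmpStr ) &&
        rSequence_getRU16( staticConfig, RP_TAGS_HCP_SECONDARY_PORT, &tmpPort ) )
    {
        g_hcpContext.secondaryUrl = rpal_string_strdupA( tmpStr );
        g_hcpContext.secondaryPort = tmpPort;
        rpal_debug_info( "loading secondary url from static config" );
    }

    if( rSequence_getSEQUENCE( staticConfig, RP_TAGS_HCP_ID, &tmpSeq ) )
    {
        g_hcpContext.currentId = seqToHcpId( tmpSeq );
        rpal_debug_info( "loading default id from static config" );
    }

    // NOTE(review): a failed rpal_memory_duplicate hands NULL to the key
    // setters; they are assumed to cope with that.
    if( rSequence_getBUFFER( staticConfig, RP_TAGS_HCP_C2_PUBLIC_KEY, &tmpBuffer, &tmpSize ) )
    {
        setC2PublicKey( rpal_memory_duplicate( tmpBuffer, tmpSize ) );
        rpal_debug_info( "loading c2 public key from static config" );
    }

    if( rSequence_getBUFFER( staticConfig, RP_TAGS_HCP_ROOT_PUBLIC_KEY, &tmpBuffer, &tmpSize ) )
    {
        setRootPublicKey( rpal_memory_duplicate( tmpBuffer, tmpSize ) );
        rpal_debug_info( "loading root public key from static config" );
    }

    if( rSequence_getSTRINGA( staticConfig, RP_TAGS_HCP_DEPLOYMENT_KEY, &tmpStr ) )
    {
        g_hcpContext.deploymentKey = rpal_string_strdupA( tmpStr );
        rpal_debug_info( "loading deployment key from static config" );
    }
}

// Bring up the host common platform: install crash handling (Windows), init
// rpal and crypto, seed g_hcpContext from the static config patched into the
// binary, let command-line home URLs override it, load the stored
// configuration and start the beacons. Only the first caller to take the
// isRunning slot proceeds; later ones are refused as "already launched".
//
// @param configHint        config id recorded in the agent id
// @param primaryHomeUrl    optional override for the primary home URL
// @param secondaryHomeUrl  optional override for the secondary home URL
// @return TRUE once the beacons are running, FALSE otherwise
RBOOL rpHostCommonPlatformLib_launch( RU8 configHint, RPNCHAR primaryHomeUrl, RPNCHAR secondaryHomeUrl )
{
    RBOOL isInitSuccessful = FALSE;
    rSequence staticConfig = NULL;

    rpal_debug_info( "launching hcp" );

#ifdef RPAL_PLATFORM_WINDOWS
    if( setGlobalCrashHandler() && SetConsoleCtrlHandler( (PHANDLER_ROUTINE)ctrlHandler, TRUE ) )
    {
        rpal_debug_info( "global crash handler set" );
    }
    else
    {
        rpal_debug_warning( "error setting global crash handler" );
    }
#endif

    if( 1 != rInterlocked_increment32( &g_hcpContext.isRunning ) )
    {
        // Another launch already holds the slot: give our increment back.
        rInterlocked_decrement32( &g_hcpContext.isRunning );
        rpal_debug_info( "hcp already launched" );
        return FALSE;
    }

    if( !rpal_initialize( NULL, RPAL_COMPONENT_HCP ) )
    {
        rpal_debug_warning( "hcp platform could not init rpal" );
        // Release the running slot so a later launch is not refused as
        // "already launched" while nothing is actually running.
        rInterlocked_decrement32( &g_hcpContext.isRunning );
        return FALSE;
    }

    CryptoLib_init();

    if( NULL == ( g_hcpContext.cloudConnectionMutex = rMutex_create() ) ||
        NULL == ( g_hcpContext.isCloudOnline = rEvent_create( TRUE ) ) )
    {
        rpal_debug_error( "could not create cloud connection mutex or event" );
        // Only the mutex can have been created here (short-circuit); the
        // event is NULL whenever this branch runs.
        rMutex_free( g_hcpContext.cloudConnectionMutex );
        g_hcpContext.cloudConnectionMutex = NULL;
        // Undo what was set up above so a later launch can retry instead of
        // being refused as "already launched".
        CryptoLib_deinit();
        rInterlocked_decrement32( &g_hcpContext.isRunning );
        return FALSE;
    }

    g_hcpContext.currentId.raw = g_idTemplate.raw;

    // We attempt to load some initial config from the serialized
    // rSequence that can be patched in this binary.
    if( NULL != ( staticConfig = getStaticConfig() ) )
    {
        _applyStaticConfig( staticConfig );
        rSequence_free( staticConfig );
    }

    // Now we will override the defaults (if present) with command
    // line parameters.
    // NOTE(review): the URLs are RPNCHAR (native width) but their length is
    // taken with rpal_string_strlen; it only serves as a non-empty check
    // here — confirm the intended helper.
    if( NULL != primaryHomeUrl && 0 != rpal_string_strlen( primaryHomeUrl ) )
    {
        if( NULL != g_hcpContext.primaryUrl )
        {
            rpal_memory_free( g_hcpContext.primaryUrl );
            g_hcpContext.primaryUrl = NULL;
        }
        g_hcpContext.primaryUrl = rpal_string_ntoa( primaryHomeUrl );
    }

    if( NULL != secondaryHomeUrl && 0 != rpal_string_strlen( secondaryHomeUrl ) )
    {
        if( NULL != g_hcpContext.secondaryUrl )
        {
            rpal_memory_free( g_hcpContext.secondaryUrl );
            g_hcpContext.secondaryUrl = NULL;
        }
        g_hcpContext.secondaryUrl = rpal_string_ntoa( secondaryHomeUrl );
    }

    g_hcpContext.enrollmentToken = NULL;
    g_hcpContext.enrollmentTokenSize = 0;

    getStoreConf(); /* Sets the agent ID platform. */

    // Set the current configId
    g_hcpContext.currentId.id.configId = configHint;

    // NOTE(review): on a beacon start failure the running slot is left taken,
    // as before; whether a retry is safe at that point cannot be told here.
    if( startBeacons() )
    {
        isInitSuccessful = TRUE;
    }
    else
    {
        rpal_debug_warning( "error starting beacons" );
    }

    CryptoLib_deinit();

    return isInitSuccessful;
}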
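// Handler for events that name a code file (under RP_TAGS_FILE_PATH,
// RP_TAGS_DLL or RP_TAGS_EXECUTABLE, narrow or wide) and may already carry
// its hash (RP_TAGS_HASH). Forwards the name and hash to the code-identity
// tracker, hashing the file locally when no usable hash was supplied and the
// file is no larger than _MAX_FILE_HASH_SIZE. Larger files get
// RPAL_ERROR_FILE_TOO_LARGE recorded on the event and a NULL hash.
static RVOID processHashedEvent( rpcm_tag notifType, rSequence event )
{
    RPWCHAR nameW = NULL;
    RPCHAR nameA = NULL;
    CryptoLib_Hash* pHash = NULL;
    CryptoLib_Hash localHash = { 0 };
    RU32 hashSize = 0;

    UNREFERENCED_PARAMETER( notifType );

    if( !rpal_memory_isValid( event ) )
    {
        return;
    }

    // First tag found wins; at most one of nameA / nameW is set.
    if( !( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
           rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) ||
           rSequence_getSTRINGA( event, RP_TAGS_DLL, &nameA ) ||
           rSequence_getSTRINGW( event, RP_TAGS_DLL, &nameW ) ||
           rSequence_getSTRINGA( event, RP_TAGS_EXECUTABLE, &nameA ) ||
           rSequence_getSTRINGW( event, RP_TAGS_EXECUTABLE, &nameW ) ) )
    {
        return;
    }

    // A hash supplied with the event is only used when it is exactly one
    // CryptoLib_Hash; the consumers read sizeof( CryptoLib_Hash ) bytes
    // through pHash, so any other size is discarded and the file is hashed
    // here instead.
    if( rSequence_getBUFFER( event, RP_TAGS_HASH, (RPU8*)&pHash, &hashSize ) &&
        sizeof( *pHash ) != hashSize )
    {
        pHash = NULL;
    }

    if( NULL != nameA )
    {
        if( NULL == pHash )
        {
            if( _MAX_FILE_HASH_SIZE < rpal_file_getSize( nameA, TRUE ) )
            {
                // Too big to hash inline: flag it on the event instead. The
                // event was already read from, so it is un-tainted before the
                // write, and the name re-fetched afterwards in case the write
                // invalidated the pointer.
                rSequence_unTaintRead( event );
                rSequence_addRU32( event, RP_TAGS_ERROR, RPAL_ERROR_FILE_TOO_LARGE );
                if( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
                    rSequence_getSTRINGA( event, RP_TAGS_DLL, &nameA ) ||
                    rSequence_getSTRINGA( event, RP_TAGS_EXECUTABLE, &nameA ) )
                {
                    // Find the name again with shortcircuit
                    // NOTE(review): if none of these succeed nameA keeps its
                    // pre-write value.
                }
            }
            else if( CryptoLib_hashFileA( nameA, &localHash, TRUE ) )
            {
                pHash = &localHash;
            }
        }
        processCodeIdentA( nameA, pHash, 0, event );
    }
    else if( NULL != nameW )
    {
        if( NULL == pHash )
        {
            if( _MAX_FILE_HASH_SIZE < rpal_file_getSizew( nameW, TRUE ) )
            {
                // Same handling as the narrow branch, for the wide name.
                rSequence_unTaintRead( event );
                rSequence_addRU32( event, RP_TAGS_ERROR, RPAL_ERROR_FILE_TOO_LARGE );
                if( rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) ||
                    rSequence_getSTRINGW( event, RP_TAGS_DLL, &nameW ) ||
                    rSequence_getSTRINGW( event, RP_TAGS_EXECUTABLE, &nameW ) )
                {
                    // Find the name again with shortcircuit
                }
            }
            else if( CryptoLib_hashFileW( nameW, &localHash, TRUE ) )
            {
                pHash = &localHash;
            }
        }
        processCodeIdentW( nameW, pHash, 0, event );
    }
}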
// New-module notification handler: hashes the module file named in the event
// (RP_TAGS_FILE_PATH, narrow or wide) unless it exceeds _MAX_FILE_HASH_SIZE,
// then forwards name, hash and the reported RP_TAGS_MEMORY_SIZE to the
// code-identity tracker.
//
// For an oversized file RPAL_ERROR_FILE_TOO_LARGE is recorded on the event;
// in that case, and when hashing fails, fileHash stays zero-initialised and
// is still forwarded.
static RVOID processNewModule( rpcm_tag notifType, rSequence event )
{
    RPWCHAR nameW = NULL;
    RPCHAR nameA = NULL;
    CryptoLib_Hash fileHash = { 0 };
    RU64 size = 0;
    RBOOL isTooLarge = FALSE;

    UNREFERENCED_PARAMETER( notifType );

    if( !rpal_memory_isValid( event ) )
    {
        return;
    }

    // Short-circuit: the narrow form wins, so at most one of nameA / nameW
    // ends up set.
    if( !( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
           rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) ) )
    {
        return;
    }

    isTooLarge = ( NULL != nameA && _MAX_FILE_HASH_SIZE < rpal_file_getSize( nameA, TRUE ) ) ||
                 ( NULL != nameW && _MAX_FILE_HASH_SIZE < rpal_file_getSizew( nameW, TRUE ) );

    if( isTooLarge )
    {
        // The event was already read from, so un-taint it before writing to
        // it, then re-fetch the path in case the write changed the structure.
        rSequence_unTaintRead( event );
        rSequence_addRU32( event, RP_TAGS_ERROR, RPAL_ERROR_FILE_TOO_LARGE );
        if( !( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
               rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) ) )
        {
            // Path could not be re-read; nameA / nameW keep their old values.
        }
    }
    else if( NULL != nameA )
    {
        if( !CryptoLib_hashFileA( nameA, &fileHash, TRUE ) )
        {
            rpal_debug_info( "unable to fetch file hash for ident" );
        }
    }
    else if( NULL != nameW )
    {
        if( !CryptoLib_hashFileW( nameW, &fileHash, TRUE ) )
        {
            rpal_debug_info( "unable to fetch file hash for ident" );
        }
    }

    // Optional; stays 0 when the event carries no size.
    rSequence_getRU64( event, RP_TAGS_MEMORY_SIZE, &size );

    if( NULL != nameA )
    {
        processCodeIdentA( nameA, &fileHash, size, event );
    }
    else if( NULL != nameW )
    {
        processCodeIdentW( nameW, &fileHash, size, event );
    }
}