RBOOL collector_3_cleanup ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; UNREFERENCED_PARAMETER( config ); if( NULL != hbsState ) { if( notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, processNewProcesses ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, NULL, processNewModule ) ) { isSuccess = TRUE; } rpal_bloom_destroy( knownCode ); knownCode = NULL; } return isSuccess; }
RBOOL collector_3_cleanup ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; UNREFERENCED_PARAMETER( config ); if( NULL != hbsState ) { if( notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, processNewProcesses ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, NULL, processNewModule ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_SERVICE_CHANGE, NULL, processHashedEvent ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_DRIVER_CHANGE, NULL, processHashedEvent ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_AUTORUN_CHANGE, NULL, processHashedEvent ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_OS_SERVICES_REP, NULL, processGenericSnapshot ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_OS_DRIVERS_REP, NULL, processGenericSnapshot ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_OS_PROCESSES_REP, NULL, processGenericSnapshot ) && notifications_unsubscribe( RP_TAGS_NOTIFICATION_OS_AUTORUNS_REP, NULL, processGenericSnapshot ) ) { isSuccess = TRUE; } rpal_bloom_destroy( g_knownCode ); g_knownCode = NULL; rMutex_free( g_mutex ); g_mutex = NULL; } return isSuccess; }
RBOOL collector_3_init ( HbsState* hbsState, rSequence config ) { RBOOL isSuccess = FALSE; UNREFERENCED_PARAMETER( config ); if( NULL != hbsState ) { if( NULL != ( knownCode = rpal_bloom_create( 50000, 0.00001 ) ) ) { isSuccess = FALSE; if( notifications_subscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS, NULL, 0, NULL, processNewProcesses ) && notifications_subscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, NULL, 0, NULL, processNewModule ) ) { isSuccess = TRUE; } else { notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, NULL, processNewModule ); rpal_bloom_destroy( knownCode ); } } } return isSuccess; }
static RPVOID continuousFileScan ( rEvent isTimeToStop, RPVOID ctx ) { rSequence event = NULL; RU32 timeout = 0; RPWCHAR strW = NULL; RPCHAR strA = NULL; YaraMatchContext matchContext = { 0 }; RU32 scanError = 0; rBloom knownFiles = NULL; UNREFERENCED_PARAMETER( ctx ); if( NULL == ( knownFiles = rpal_bloom_create( 100000, 0.00001 ) ) ) { return NULL; } while( !rEvent_wait( isTimeToStop, timeout ) ) { if( rQueue_remove( g_async_files_to_scan, (RPVOID*)&event, NULL, MSEC_FROM_SEC( 2 ) ) ) { if( rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &strW ) ) { strA = rpal_string_wtoa( strW ); } else { rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &strA ); } if( NULL != strA && rpal_bloom_addIfNew( knownFiles, strA, rpal_string_strlen( strA ) ) ) { rpal_debug_info( "yara scanning %s", strA ); matchContext.fileInfo = event; if( rMutex_lock( g_global_rules_mutex ) ) { if( NULL != g_global_rules ) { rpal_debug_info( "scanning continuous file with yara" ); if( ERROR_SUCCESS != ( scanError = yr_rules_scan_file( g_global_rules, strA, SCAN_FLAGS_FAST_MODE, _yaraFileMatchCallback, &matchContext, 60 ) ) ) { rpal_debug_warning( "Yara file scan error: %d", scanError ); } } rMutex_unlock( g_global_rules_mutex ); } } if( NULL != strA && NULL != strW ) { // If both are allocated it means we got a strW and converted to A // so we must free the strA version. rpal_memory_free( strA ); } strA = NULL; strW = NULL; rSequence_free( event ); timeout = _TIMEOUT_BETWEEN_FILE_SCANS; } else { timeout = 0; } } rpal_bloom_destroy( knownFiles ); yr_finalize_thread(); return NULL; }
static HObs _getModuleDiskStringSample ( RPNCHAR modulePath, RU32* pLastScratch, rEvent isTimeToStop, LibOsPerformanceProfile* perfProfile ) { HObs sample = NULL; RPU8 scratch = NULL; rFile hFile = NULL; RU32 read = 0; RPU8 start = NULL; RPU8 end = NULL; RU32 toSkip = 0; RU32 longestLength = 0; RBOOL isUnicode = FALSE; RPU8 sampleNumber = 0; rBloom stringsSeen = NULL; RU64 readOffset = 0; UNREFERENCED_PARAMETER( isTimeToStop ); if( NULL != modulePath && NULL != pLastScratch ) { readOffset = *pLastScratch * _SCRATCH_SIZE; if( NULL != ( stringsSeen = rpal_bloom_create( _MAX_DISK_SAMPLE_SIZE, 0.0001 ) ) ) { if( NULL != ( scratch = rpal_memory_alloc( _SCRATCH_SIZE ) ) ) { if( rFile_open( modulePath, &hFile, RPAL_FILE_OPEN_EXISTING | RPAL_FILE_OPEN_READ ) ) { if( readOffset == rFile_seek( hFile, readOffset, rFileSeek_SET ) && 0 != ( read = rFile_readUpTo( hFile, _SCRATCH_SIZE, scratch ) ) ) { if( NULL != ( sample = obsLib_new( _MAX_DISK_SAMPLE_SIZE, 0 ) ) ) { ( *pLastScratch )++; start = scratch; end = scratch + read; // We parse for strings up to 'read', we don't care about the // memory boundary, we might truncate some strings but we're // sampling anyway. while( !rEvent_wait( isTimeToStop, 0 ) && ( start >= scratch ) && ( start >= scratch ) && ( start + _MIN_SAMPLE_STR_LEN ) < ( scratch + read ) && _MAX_DISK_SAMPLE_SIZE >= PTR_TO_NUMBER( sampleNumber ) ) { libOs_timeoutWithProfile( perfProfile, TRUE, isTimeToStop ); isUnicode = FALSE; if( _longestString( (RPCHAR)start, (RU32)( end - start ), &toSkip, &longestLength, &isUnicode ) && _MIN_SAMPLE_STR_LEN <= longestLength && _MAX_SAMPLE_STR_LEN >= longestLength ) { if( rpal_bloom_addIfNew( stringsSeen, start, longestLength ) ) { if( obsLib_addPattern( sample, start, longestLength, sampleNumber ) ) { sampleNumber++; } } } start += toSkip; } } } rFile_close( hFile ); } rpal_memory_free( scratch ); } rpal_bloom_destroy( stringsSeen ); } } return sample; }