static
RPVOID
parseDocuments
(
rEvent isTimeToStop,
RPVOID ctx
)
{
rSequence createEvt = NULL;
UNREFERENCED_PARAMETER( ctx );
while( rpal_memory_isValid( isTimeToStop ) &&
!rEvent_wait( isTimeToStop, 0 ) )
{
if( rQueue_remove( createQueue, &createEvt, NULL, MSEC_FROM_SEC( 1 ) ) )
{
processFile( createEvt );
}
}
return NULL;
}
static
RPVOID
continuousFileScan
(
rEvent isTimeToStop,
RPVOID ctx
)
{
rSequence event = NULL;
RU32 timeout = 0;
RPWCHAR strW = NULL;
RPCHAR strA = NULL;
YaraMatchContext matchContext = { 0 };
RU32 scanError = 0;
rBloom knownFiles = NULL;
UNREFERENCED_PARAMETER( ctx );
if( NULL == ( knownFiles = rpal_bloom_create( 100000, 0.00001 ) ) )
{
return NULL;
}
while( !rEvent_wait( isTimeToStop, timeout ) )
{
if( rQueue_remove( g_async_files_to_scan, (RPVOID*)&event, NULL, MSEC_FROM_SEC( 2 ) ) )
{
if( rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &strW ) )
{
strA = rpal_string_wtoa( strW );
}
else
{
rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &strA );
}
if( NULL != strA &&
rpal_bloom_addIfNew( knownFiles, strA, rpal_string_strlen( strA ) ) )
{
rpal_debug_info( "yara scanning %s", strA );
matchContext.fileInfo = event;
if( rMutex_lock( g_global_rules_mutex ) )
{
if( NULL != g_global_rules )
{
rpal_debug_info( "scanning continuous file with yara" );
if( ERROR_SUCCESS != ( scanError = yr_rules_scan_file( g_global_rules,
strA,
SCAN_FLAGS_FAST_MODE,
_yaraFileMatchCallback,
&matchContext,
60 ) ) )
{
rpal_debug_warning( "Yara file scan error: %d", scanError );
}
}
rMutex_unlock( g_global_rules_mutex );
}
}
if( NULL != strA && NULL != strW )
{
// If both are allocated it means we got a strW and converted to A
// so we must free the strA version.
rpal_memory_free( strA );
}
strA = NULL;
strW = NULL;
rSequence_free( event );
timeout = _TIMEOUT_BETWEEN_FILE_SCANS;
}
else
{
timeout = 0;
}
}
rpal_bloom_destroy( knownFiles );
yr_finalize_thread();
return NULL;
}
static rList
beaconHome
(
)
{
rList response = NULL;
rList exfil = NULL;
rSequence msg = NULL;
RU32 nExfilMsg = 0;
rSequence tmpMessage = NULL;
if( NULL != ( exfil = rList_new( RP_TAGS_MESSAGE, RPCM_SEQUENCE ) ) )
{
if( NULL != ( msg = rSequence_new() ) )
{
if( rSequence_addBUFFER( msg, RP_TAGS_HASH, g_hbs_state.currentConfigHash, CRYPTOLIB_HASH_SIZE ) )
{
if( !rList_addSEQUENCE( exfil, msg ) )
{
rSequence_free( msg );
msg = NULL;
}
tmpMessage = msg;
}
else
{
rSequence_free( msg );
msg = NULL;
}
}
while( rQueue_remove( g_hbs_state.outQueue, &msg, NULL, 0 ) )
{
nExfilMsg++;
if( !rList_addSEQUENCE( exfil, msg ) )
{
rSequence_free( msg );
}
}
rpal_debug_info( "%d messages ready for exfil.", nExfilMsg );
if( rpHcpI_beaconHome( exfil, &response ) )
{
rpal_debug_info( "%d messages received from cloud.", rList_getNumElements( response ) );
}
else if( g_hbs_state.maxQueueSize > rList_getEstimateSize( exfil ) )
{
rpal_debug_info( "beacon failed, re-adding %d messages.", rList_getNumElements( exfil ) );
// We will attempt to re-add the existing messages back in the queue since this failed
rList_resetIterator( exfil );
while( rList_getSEQUENCE( exfil, RP_TAGS_MESSAGE, &msg ) )
{
// Ignore message we generate temporarily for the beacon
if( tmpMessage == msg )
{
rSequence_free( msg );
continue;
}
if( !rQueue_add( g_hbs_state.outQueue, msg, 0 ) )
{
rSequence_free( msg );
}
}
rList_shallowFree( exfil );
exfil = NULL;
}
else
{
rpal_debug_warning( "beacon failed but discarded exfil because of its size." );
}
if( NULL != exfil )
{
rList_free( exfil );
}
}
return response;
}
static
RPVOID
spotCheckNewProcesses
(
rEvent isTimeToStop,
RPVOID ctx
)
{
RU32 pid = 0;
RTIME timestamp = 0;
RTIME timeToWait = 0;
RTIME now = 0;
rSequence newProcess = NULL;
rList hollowedModules = NULL;
LibOsPerformanceProfile perfProfile = { 0 };
UNREFERENCED_PARAMETER( ctx );
perfProfile.sanityCeiling = _SANITY_CEILING;
perfProfile.lastTimeoutValue = _INITIAL_PROFILED_TIMEOUT;
perfProfile.targetCpuPerformance = 0;
perfProfile.globalTargetCpuPerformance = GLOBAL_CPU_USAGE_TARGET;
perfProfile.enforceOnceIn = 7;
perfProfile.timeoutIncrementPerSec = _PROFILE_INCREMENT;
while( !rEvent_wait( isTimeToStop, 0 ) )
{
if( rQueue_remove( g_newProcessNotifications, &newProcess, NULL, MSEC_FROM_SEC( 5 ) ) )
{
if( rSequence_getRU32( newProcess, RP_TAGS_PROCESS_ID, &pid ) &&
rSequence_getTIMESTAMP( newProcess, RP_TAGS_TIMESTAMP, ×tamp ) )
{
timeToWait = timestamp + _CHECK_SEC_AFTER_PROCESS_CREATION;
now = rpal_time_getGlobalPreciseTime();
if( now < timeToWait )
{
timeToWait = timeToWait - now;
if( _CHECK_SEC_AFTER_PROCESS_CREATION < timeToWait )
{
// Sanity check
timeToWait = _CHECK_SEC_AFTER_PROCESS_CREATION;
}
rpal_thread_sleep( (RU32)timeToWait );
}
if( NULL != ( hollowedModules = _spotCheckProcess( isTimeToStop, pid, &perfProfile ) ) )
{
if( !rSequence_addLIST( newProcess, RP_TAGS_MODULES, hollowedModules ) )
{
rList_free( hollowedModules );
}
else
{
hbs_publish( RP_TAGS_NOTIFICATION_MODULE_MEM_DISK_MISMATCH,
newProcess );
}
}
}
rSequence_free( newProcess );
}
}
return NULL;
}
