static int _yaraMemMatchCallback ( int message, void* message_data, void* user_data ) { YR_RULE* rule = (YR_RULE*)message_data; YaraMatchContext* context = (YaraMatchContext*)user_data; rSequence event = NULL; if( CALLBACK_MSG_RULE_MATCHING == message && NULL != message_data && NULL != user_data ) { if( NULL != ( event = rSequence_new() ) ) { rSequence_addRU32( event, RP_TAGS_PROCESS_ID, context->pid ); rSequence_addPOINTER64( event, RP_TAGS_BASE_ADDRESS, context->regionBase ); rSequence_addRU64( event, RP_TAGS_MEMORY_SIZE, context->regionSize ); hbs_markAsRelated( context->fileInfo, event ); if( NULL == context->processInfo ) { context->processInfo = processLib_getProcessInfo( context->pid, NULL ); } if( NULL != context->processInfo ) { rSequence_addSEQUENCE( event, RP_TAGS_PROCESS, rSequence_duplicate( context->processInfo ) ); } if( NULL != context->moduleInfo ) { rSequence_addSEQUENCE( event, RP_TAGS_DLL, rSequence_duplicate( context->moduleInfo ) ); } rSequence_addSTRINGA( event, RP_TAGS_RULE_NAME, (char*)rule->identifier ); notifications_publish( RP_TAGS_NOTIFICATION_YARA_DETECTION, event ); rSequence_free( event ); } else { rpal_debug_warning( "error creating event from Yara match" ); } } return CALLBACK_CONTINUE; }
static RBOOL notifyOfKernelModule ( KernelAcqModule* module ) { RBOOL isSuccess = FALSE; rSequence notif = NULL; RU32 pathLength = 0; RU32 i = 0; RPNCHAR dirSep = RPAL_FILE_LOCAL_DIR_SEP_N; RPNCHAR cleanPath = NULL; Atom parentAtom = { 0 }; if( NULL != module ) { if( NULL != ( notif = rSequence_new() ) ) { module->ts += MSEC_FROM_SEC( rpal_time_getGlobalFromLocal( 0 ) ); hbs_timestampEvent( notif, module->ts ); parentAtom.key.category = RP_TAGS_NOTIFICATION_NEW_PROCESS; parentAtom.key.process.pid = module->pid; if( atoms_query( &parentAtom, module->ts ) ) { HbsSetParentAtom( notif, parentAtom.id ); } rSequence_addRU32( notif, RP_TAGS_PROCESS_ID, module->pid ); rSequence_addPOINTER64( notif, RP_TAGS_BASE_ADDRESS, (RU64)module->baseAddress ); rSequence_addRU64( notif, RP_TAGS_MEMORY_SIZE, module->imageSize ); if( 0 != ( pathLength = rpal_string_strlen( module->path ) ) ) { cleanPath = rpal_file_clean( module->path ); rSequence_addSTRINGN( notif, RP_TAGS_FILE_PATH, cleanPath ? cleanPath : module->path ); rpal_memory_free( cleanPath ); // For compatibility with user mode we extract the module name. for( i = pathLength - 1; i != 0; i-- ) { if( dirSep[ 0 ] == module->path[ i ] ) { i++; break; } } rSequence_addSTRINGN( notif, RP_TAGS_MODULE_NAME, &( module->path[ i ] ) ); if( hbs_publish( RP_TAGS_NOTIFICATION_MODULE_LOAD, notif ) ) { isSuccess = TRUE; } } rSequence_free( notif ); } } return isSuccess; }