static
RBOOL
_reportEvents
(
StatefulMachine* machine
)
{
RBOOL isSuccess = FALSE;
rSequence wrapper = NULL;
rList events = NULL;
rSequence event = NULL;
RU32 i = 0;
if( NULL != machine )
{
if( NULL != ( wrapper = rSequence_new() ) )
{
if( NULL != ( events = rList_new( RP_TAGS_EVENT, RPCM_SEQUENCE ) ) )
{
for( i = 0; i < machine->history->nElements; i++ )
{
event = ( (StatefulEvent*)machine->history->elements[ i ] )->data;
rList_addSEQUENCE( events, rSequence_duplicate( event ) );
}
if( !rSequence_addLIST( wrapper, RP_TAGS_EVENTS, events ) )
{
rList_free( events );
}
else
{
hbs_timestampEvent( wrapper, 0 );
isSuccess = hbs_publish( machine->desc->reportEventType, wrapper );
}
}
rSequence_free( wrapper );
}
}
return isSuccess;
}
static
RVOID
getDocument
(
rpcm_tag notifId,
rSequence notif
)
{
rSequence tmp = NULL;
DocSearchContext ctx = { 0 };
RU32 hashSize = 0;
rList foundDocs = NULL;
RBOOL isAAlloced = FALSE;
RBOOL isWAlloced = FALSE;
UNREFERENCED_PARAMETER( notifId );
if( NULL != notif )
{
if( !rSequence_getSTRINGA( notif, RP_TAGS_STRING_PATTERN, &ctx.exprA ) )
{
ctx.exprA = NULL;
}
if( !rSequence_getSTRINGW( notif, RP_TAGS_STRING_PATTERN, &ctx.exprW ) )
{
ctx.exprW = NULL;
}
if( NULL != ctx.exprA && NULL == ctx.exprW )
{
ctx.exprW = rpal_string_atow( ctx.exprA );
isWAlloced = TRUE;
}
if( NULL != ctx.exprW && NULL == ctx.exprA )
{
ctx.exprA = rpal_string_wtoa( ctx.exprW );
isAAlloced = TRUE;
}
if( !rSequence_getBUFFER( notif, RP_TAGS_HASH, (RPU8*)&ctx.pHash, &hashSize ) ||
sizeof( *ctx.pHash ) != hashSize )
{
// Unexpected hash size, let's not gamble
ctx.pHash = NULL;
}
}
if( rMutex_lock( cacheMutex ) )
{
if( NULL != ( foundDocs = rList_new( RP_TAGS_FILE_INFO, RPCM_SEQUENCE ) ) )
{
while( HbsRingBuffer_find( documentCache, (HbsRingBufferCompareFunc)findDoc, &ctx, &tmp ) )
{
// TODO: optimize this since if we're dealing with large files
// we will be temporarily using large amounts of duplicate memory.
// We just need to do some shallow free of the datastructures
// somehow.
if( NULL != ( tmp = rSequence_duplicate( tmp ) ) )
{
if( !rList_addSEQUENCE( foundDocs, tmp ) )
{
rSequence_free( tmp );
}
}
}
if( !rSequence_addLIST( notif, RP_TAGS_FILES, foundDocs ) )
{
rList_free( foundDocs );
}
}
rMutex_unlock( cacheMutex );
notifications_publish( RP_TAGS_NOTIFICATION_GET_DOCUMENT_REP, notif );
}
if( isAAlloced )
{
rpal_memory_free( ctx.exprA );
}
if( isWAlloced )
{
rpal_memory_free( ctx.exprW );
}
}
static rList
beaconHome
(
)
{
rList response = NULL;
rList exfil = NULL;
rSequence msg = NULL;
RU32 nExfilMsg = 0;
rSequence tmpMessage = NULL;
if( NULL != ( exfil = rList_new( RP_TAGS_MESSAGE, RPCM_SEQUENCE ) ) )
{
if( NULL != ( msg = rSequence_new() ) )
{
if( rSequence_addBUFFER( msg, RP_TAGS_HASH, g_hbs_state.currentConfigHash, CRYPTOLIB_HASH_SIZE ) )
{
if( !rList_addSEQUENCE( exfil, msg ) )
{
rSequence_free( msg );
msg = NULL;
}
tmpMessage = msg;
}
else
{
rSequence_free( msg );
msg = NULL;
}
}
while( rQueue_remove( g_hbs_state.outQueue, &msg, NULL, 0 ) )
{
nExfilMsg++;
if( !rList_addSEQUENCE( exfil, msg ) )
{
rSequence_free( msg );
}
}
rpal_debug_info( "%d messages ready for exfil.", nExfilMsg );
if( rpHcpI_beaconHome( exfil, &response ) )
{
rpal_debug_info( "%d messages received from cloud.", rList_getNumElements( response ) );
}
else if( g_hbs_state.maxQueueSize > rList_getEstimateSize( exfil ) )
{
rpal_debug_info( "beacon failed, re-adding %d messages.", rList_getNumElements( exfil ) );
// We will attempt to re-add the existing messages back in the queue since this failed
rList_resetIterator( exfil );
while( rList_getSEQUENCE( exfil, RP_TAGS_MESSAGE, &msg ) )
{
// Ignore message we generate temporarily for the beacon
if( tmpMessage == msg )
{
rSequence_free( msg );
continue;
}
if( !rQueue_add( g_hbs_state.outQueue, msg, 0 ) )
{
rSequence_free( msg );
}
}
rList_shallowFree( exfil );
exfil = NULL;
}
else
{
rpal_debug_warning( "beacon failed but discarded exfil because of its size." );
}
if( NULL != exfil )
{
rList_free( exfil );
}
}
return response;
}
static
rList
_spotCheckProcess
(
rEvent isTimeToStop,
RU32 pid,
LibOsPerformanceProfile* perfProfile
)
{
rList hollowedModules = NULL;
rList modules = NULL;
rSequence module = NULL;
RPNCHAR modulePath = NULL;
RU32 fileSize = 0;
RU64 moduleBase = 0;
RU64 moduleSize = 0;
HObs diskSample = NULL;
rSequence hollowedModule = NULL;
RU32 lastScratchIndex = 0;
RU32 nSamplesFound = 0;
RU32 nSamplesTotal = 0;
RU32 tmpSamplesFound = 0;
RU32 tmpSamplesSize = 0;
RTIME runTime = 0;
rpal_debug_info( "spot checking process %d", pid );
if( NULL != ( modules = processLib_getProcessModules( pid ) ) )
{
while( !rEvent_wait( isTimeToStop, 0 ) &&
rList_getSEQUENCE( modules, RP_TAGS_DLL, &module ) )
{
libOs_timeoutWithProfile( perfProfile, FALSE, isTimeToStop );
runTime = rpal_time_getLocal();
modulePath = NULL;
lastScratchIndex = 0;
if( ( rSequence_getSTRINGN( module,
RP_TAGS_FILE_PATH,
&modulePath ) ) &&
rSequence_getPOINTER64( module, RP_TAGS_BASE_ADDRESS, &moduleBase ) &&
rSequence_getRU64( module, RP_TAGS_MEMORY_SIZE, &moduleSize ) )
{
if( 0 != ( fileSize = rpal_file_getSize( modulePath, TRUE ) ) )
{
nSamplesFound = 0;
nSamplesTotal = 0;
tmpSamplesFound = (RU32)( -1 );
while( !rEvent_wait( isTimeToStop, 0 ) &&
NULL != ( diskSample = _getModuleDiskStringSample( modulePath,
&lastScratchIndex,
isTimeToStop,
perfProfile ) ) )
{
libOs_timeoutWithProfile( perfProfile, TRUE, isTimeToStop );
tmpSamplesSize = obsLib_getNumPatterns( diskSample );
if( 0 != tmpSamplesSize )
{
tmpSamplesFound = _checkMemoryForStringSample( diskSample,
pid,
NUMBER_TO_PTR( moduleBase ),
moduleSize,
isTimeToStop,
perfProfile );
obsLib_free( diskSample );
if( (RU32)( -1 ) == tmpSamplesFound )
{
break;
}
nSamplesFound += tmpSamplesFound;
nSamplesTotal += tmpSamplesSize;
if( _MIN_DISK_SAMPLE_SIZE <= nSamplesTotal &&
( _MIN_SAMPLE_MATCH_PERCENT < ( (RFLOAT)nSamplesFound /
nSamplesTotal ) * 100 ) &&
_MIN_DISK_BIN_COVERAGE_PERCENT <= (RFLOAT)( ( lastScratchIndex *
_SCRATCH_SIZE ) /
fileSize ) * 100 )
{
break;
}
}
else
{
obsLib_free( diskSample );
}
}
}
else
{
rpal_debug_info( "could not get file information, not checking" );
}
rpal_debug_info( "process hollowing check found a match in %d ( %d / %d ) from %d passes in %d sec",
pid,
nSamplesFound,
nSamplesTotal,
lastScratchIndex,
rpal_time_getLocal() - runTime );
if( !rEvent_wait( isTimeToStop, 0 ) &&
(RU32)(-1) != tmpSamplesFound &&
_MIN_DISK_SAMPLE_SIZE <= nSamplesTotal &&
( ( (RFLOAT)nSamplesFound / nSamplesTotal ) * 100 ) < _MIN_SAMPLE_MATCH_PERCENT )
{
rpal_debug_info( "sign of process hollowing found in process %d", pid );
if( NULL != ( hollowedModule = rSequence_duplicate( module ) ) )
{
if( !rList_addSEQUENCE( hollowedModules, hollowedModule ) )
{
rSequence_free( hollowedModule );
}
}
}
}
else
{
rpal_debug_info( "module missing characteristic" );
}
}
rList_free( modules );
}
else
{
rpal_debug_info( "failed to get process modules, might be dead" );
}
return hollowedModules;
}
static
rList
assembleRequest
(
RPU8 optCrashCtx,
RU32 optCrashCtxSize
)
{
rSequence req = NULL;
RU32 moduleIndex = 0;
rList msgList = NULL;
rList modList = NULL;
rSequence modEntry = NULL;
if( NULL != ( req = rSequence_new() ) )
{
// Add some basic info
rSequence_addRU32( req, RP_TAGS_MEMORY_USAGE, rpal_memory_totalUsed() );
rSequence_addTIMESTAMP( req, RP_TAGS_TIMESTAMP, rpal_time_getGlobal() );
// If we have a crash context to report
if( NULL != optCrashCtx )
{
if( !rSequence_addBUFFER( req, RP_TAGS_HCP_CRASH_CONTEXT, optCrashCtx, optCrashCtxSize ) )
{
rpal_debug_error( "error adding crash context of size %d to hcp beacon", optCrashCtxSize );
}
else
{
rpal_debug_info( "crash context is being bundled in hcp beacon" );
}
}
// List of loaded modules
if( NULL != ( modList = rList_new( RP_TAGS_HCP_MODULE, RPCM_SEQUENCE ) ) )
{
for( moduleIndex = 0; moduleIndex < RP_HCP_CONTEXT_MAX_MODULES; moduleIndex++ )
{
if( NULL != g_hcpContext.modules[ moduleIndex ].hModule )
{
if( NULL != ( modEntry = rSequence_new() ) )
{
if( !rSequence_addBUFFER( modEntry,
RP_TAGS_HASH,
g_hcpContext.modules[ moduleIndex ].hash,
sizeof( g_hcpContext.modules[ moduleIndex ].hash ) ) ||
!rSequence_addRU8( modEntry,
RP_TAGS_HCP_MODULE_ID,
g_hcpContext.modules[ moduleIndex ].id ) ||
!rList_addSEQUENCE( modList, modEntry ) )
{
break;
}
// We take the opportunity to cleanup the list of modules...
if( rpal_thread_wait( g_hcpContext.modules[ moduleIndex ].hThread, 0 ) )
{
// This thread has exited, which is our signal that the module
// has stopped executing...
rEvent_free( g_hcpContext.modules[ moduleIndex ].isTimeToStop );
rpal_thread_free( g_hcpContext.modules[ moduleIndex ].hThread );
rpal_memory_zero( &(g_hcpContext.modules[ moduleIndex ]),
sizeof( g_hcpContext.modules[ moduleIndex ] ) );
if( !rSequence_addRU8( modEntry, RP_TAGS_HCP_MODULE_TERMINATED, 1 ) )
{
break;
}
}
}
}
}
if( !rSequence_addLIST( req, RP_TAGS_HCP_MODULES, modList ) )
{
rList_free( modList );
}
}
if( NULL != ( msgList = rList_new( RP_TAGS_MESSAGE, RPCM_SEQUENCE ) ) )
{
if( !rList_addSEQUENCE( msgList, req ) )
{
rList_free( msgList );
rSequence_free( req );
msgList = NULL;
}
}
else
{
rSequence_free( req );
}
}
return msgList;
}
RPRIVATE
RVOID
mem_find_string
(
rpcm_tag eventType,
rSequence event
)
{
RU32 pid = 0;
RU32 currentPid = 0;
rList searchStrings = NULL;
rList processes = NULL;
rSequence process = NULL;
processLibProcEntry* pids = NULL;
RU32 nCurrent = 0;
RU32 minLength = 5;
RU32 maxLength = 128;
RPU8 atom = NULL;
RU32 atomSize = 0;
UNREFERENCED_PARAMETER( eventType );
if( rpal_memory_isValid( event ) )
{
if( ( rSequence_getRU32( event, RP_TAGS_PROCESS_ID, &pid ) ||
( rSequence_getBUFFER( event, RP_TAGS_HBS_THIS_ATOM, &atom, &atomSize ) &&
HBS_ATOM_ID_SIZE == atomSize &&
0 != ( pid = atoms_getPid( atom ) ) ) ) &&
rSequence_getLIST( event, RP_TAGS_STRINGSW, &searchStrings ) )
{
currentPid = processLib_getCurrentPid();
if( NULL != ( processes = rList_new( RP_TAGS_PROCESS, RPCM_SEQUENCE ) ) )
{
if( 0 != pid )
{
if( NULL != ( process = _findStringsInProcess( pid,
searchStrings,
minLength,
maxLength ) ) )
{
if( !rList_addSEQUENCE( processes, process ) )
{
rSequence_free( process );
}
}
}
else
{
if( NULL != ( pids = processLib_getProcessEntries( TRUE ) ) )
{
while( 0 != pids[ nCurrent ].pid )
{
if( currentPid != pids[ nCurrent ].pid )
{
if( NULL != ( process = _findStringsInProcess( pids[ nCurrent ].pid,
searchStrings,
minLength,
maxLength ) ) )
{
if( !rList_addSEQUENCE( processes, process ) )
{
rSequence_free( process );
}
}
}
nCurrent++;
}
rpal_memory_free( pids );
}
}
if( !rSequence_addLIST( event, RP_TAGS_PROCESSES, processes ) )
{
rList_free( processes );
}
}
}
hbs_timestampEvent( event, 0 );
hbs_publish( RP_TAGS_NOTIFICATION_MEM_FIND_STRING_REP, event );
}
}
RPRIVATE
RVOID
_searchForStrings
(
rList stringsFound,
rList searchStrings,
RPU8 pBuff,
RU64 size,
RU64 baseAddr,
RU32 minLength,
RU32 maxLength
)
{
RPU8 pCurr;
RPU8 pEnd;
RPCHAR pStartStr = NULL;
RBOOL isChar;
RPU16 pwCurr;
RPU16 pwEnd;
RBOOL isWChar;
RPWCHAR pwStartStr = NULL;
RPWCHAR thisStrW = NULL;
rSequence newFoundStr;
pCurr = pBuff;
pEnd = pBuff + size;
// currently we only deal with NULL terminated strings
// start with ascii strings...
while( pCurr < pEnd )
{
isChar = rpal_string_isprint( *pCurr );
if( NULL == pStartStr && isChar ) // found the begining of a string
{
pStartStr = (RPCHAR)pCurr;
}
else if( NULL != pStartStr && ( !isChar || 0 == *pCurr ) ) // found the end of a string
{
// is string NULL or Non-Ascii terminated
if( 0 == *pCurr || !rpal_string_charIsAscii( *pCurr ) )
{
// Null terminate it so we can use it like a normal string
*pCurr = 0;
// strlen is really pCurr - pStartStr
if( (RU32)( (RPCHAR)pCurr - pStartStr ) >= minLength &&
(RU32)( (RPCHAR)pCurr - pStartStr ) <= maxLength ) // is string long enough
{
// convert string to wide char for comparision
if( NULL != ( thisStrW = rpal_string_atow( pStartStr ) ) )
{
if( _isStringInList( searchStrings, thisStrW ) && NULL != ( newFoundStr = rSequence_new() ) )
{
rSequence_addSTRINGW( newFoundStr, RP_TAGS_STRING, thisStrW );
rSequence_addRU64( newFoundStr, RP_TAGS_MEMORY_ADDRESS, baseAddr + ( (RPU8)pStartStr - pBuff ) );
if( !rList_addSEQUENCE( stringsFound, newFoundStr ) )
{
rSequence_free( newFoundStr );
}
}
rpal_memory_free( thisStrW );
}
}
}
pStartStr = NULL;
}
pCurr++;
}
// Now look for Unicode strings
pwCurr = (RPU16)pBuff;
pwEnd = pwCurr + ( size / 2 );
while( pwCurr < pwEnd )
{
isWChar = rpal_string_isprintW( *pwCurr );
if( NULL == pwStartStr && isWChar ) // found the begining of a string
{
pwStartStr = (RPWCHAR)pwCurr;
}
else if( NULL != pwStartStr && ( !isWChar || 0 == *pwCurr ) ) // found the end of a string
{
// is string NULL terminated
if( 0 == *pwCurr )
{
// wcslen is really pCurr - pStartStr
if( (RU32)( (RPWCHAR)pwCurr - pwStartStr ) >= minLength &&
(RU32)( (RPWCHAR)pwCurr - pwStartStr ) <= maxLength ) // is string long enough
{
if( _isStringInList( searchStrings, pwStartStr ) && NULL != ( newFoundStr = rSequence_new() ) )
{
rSequence_addSTRINGW( newFoundStr, RP_TAGS_STRING, pwStartStr );
rSequence_addRU64( newFoundStr, RP_TAGS_MEMORY_ADDRESS, baseAddr + ( (RPU8)pwStartStr - pBuff ) );
if( !rList_addSEQUENCE( stringsFound, newFoundStr ) )
{
rSequence_free( newFoundStr );
}
}
}
}
pwStartStr = NULL;
}
pwCurr++;
}
}
