static int _yaraMemMatchCallback ( int message, void* message_data, void* user_data ) { YR_RULE* rule = (YR_RULE*)message_data; YaraMatchContext* context = (YaraMatchContext*)user_data; rSequence event = NULL; if( CALLBACK_MSG_RULE_MATCHING == message && NULL != message_data && NULL != user_data ) { if( NULL != ( event = rSequence_new() ) ) { rSequence_addRU32( event, RP_TAGS_PROCESS_ID, context->pid ); rSequence_addPOINTER64( event, RP_TAGS_BASE_ADDRESS, context->regionBase ); rSequence_addRU64( event, RP_TAGS_MEMORY_SIZE, context->regionSize ); hbs_markAsRelated( context->fileInfo, event ); if( NULL == context->processInfo ) { context->processInfo = processLib_getProcessInfo( context->pid, NULL ); } if( NULL != context->processInfo ) { rSequence_addSEQUENCE( event, RP_TAGS_PROCESS, rSequence_duplicate( context->processInfo ) ); } if( NULL != context->moduleInfo ) { rSequence_addSEQUENCE( event, RP_TAGS_DLL, rSequence_duplicate( context->moduleInfo ) ); } rSequence_addSTRINGA( event, RP_TAGS_RULE_NAME, (char*)rule->identifier ); notifications_publish( RP_TAGS_NOTIFICATION_YARA_DETECTION, event ); rSequence_free( event ); } else { rpal_debug_warning( "error creating event from Yara match" ); } } return CALLBACK_CONTINUE; }
static RBOOL notifyOfKernelModule ( KernelAcqModule* module ) { RBOOL isSuccess = FALSE; rSequence notif = NULL; RU32 pathLength = 0; RU32 i = 0; RPNCHAR dirSep = RPAL_FILE_LOCAL_DIR_SEP_N; RPNCHAR cleanPath = NULL; Atom parentAtom = { 0 }; if( NULL != module ) { if( NULL != ( notif = rSequence_new() ) ) { module->ts += MSEC_FROM_SEC( rpal_time_getGlobalFromLocal( 0 ) ); hbs_timestampEvent( notif, module->ts ); parentAtom.key.category = RP_TAGS_NOTIFICATION_NEW_PROCESS; parentAtom.key.process.pid = module->pid; if( atoms_query( &parentAtom, module->ts ) ) { HbsSetParentAtom( notif, parentAtom.id ); } rSequence_addRU32( notif, RP_TAGS_PROCESS_ID, module->pid ); rSequence_addPOINTER64( notif, RP_TAGS_BASE_ADDRESS, (RU64)module->baseAddress ); rSequence_addRU64( notif, RP_TAGS_MEMORY_SIZE, module->imageSize ); if( 0 != ( pathLength = rpal_string_strlen( module->path ) ) ) { cleanPath = rpal_file_clean( module->path ); rSequence_addSTRINGN( notif, RP_TAGS_FILE_PATH, cleanPath ? cleanPath : module->path ); rpal_memory_free( cleanPath ); // For compatibility with user mode we extract the module name. for( i = pathLength - 1; i != 0; i-- ) { if( dirSep[ 0 ] == module->path[ i ] ) { i++; break; } } rSequence_addSTRINGN( notif, RP_TAGS_MODULE_NAME, &( module->path[ i ] ) ); if( hbs_publish( RP_TAGS_NOTIFICATION_MODULE_LOAD, notif ) ) { isSuccess = TRUE; } } rSequence_free( notif ); } } return isSuccess; }
RPRIVATE RVOID _searchForStrings ( rList stringsFound, rList searchStrings, RPU8 pBuff, RU64 size, RU64 baseAddr, RU32 minLength, RU32 maxLength ) { RPU8 pCurr; RPU8 pEnd; RPCHAR pStartStr = NULL; RBOOL isChar; RPU16 pwCurr; RPU16 pwEnd; RBOOL isWChar; RPWCHAR pwStartStr = NULL; RPWCHAR thisStrW = NULL; rSequence newFoundStr; pCurr = pBuff; pEnd = pBuff + size; // currently we only deal with NULL terminated strings // start with ascii strings... while( pCurr < pEnd ) { isChar = rpal_string_isprint( *pCurr ); if( NULL == pStartStr && isChar ) // found the begining of a string { pStartStr = (RPCHAR)pCurr; } else if( NULL != pStartStr && ( !isChar || 0 == *pCurr ) ) // found the end of a string { // is string NULL or Non-Ascii terminated if( 0 == *pCurr || !rpal_string_charIsAscii( *pCurr ) ) { // Null terminate it so we can use it like a normal string *pCurr = 0; // strlen is really pCurr - pStartStr if( (RU32)( (RPCHAR)pCurr - pStartStr ) >= minLength && (RU32)( (RPCHAR)pCurr - pStartStr ) <= maxLength ) // is string long enough { // convert string to wide char for comparision if( NULL != ( thisStrW = rpal_string_atow( pStartStr ) ) ) { if( _isStringInList( searchStrings, thisStrW ) && NULL != ( newFoundStr = rSequence_new() ) ) { rSequence_addSTRINGW( newFoundStr, RP_TAGS_STRING, thisStrW ); rSequence_addRU64( newFoundStr, RP_TAGS_MEMORY_ADDRESS, baseAddr + ( (RPU8)pStartStr - pBuff ) ); if( !rList_addSEQUENCE( stringsFound, newFoundStr ) ) { rSequence_free( newFoundStr ); } } rpal_memory_free( thisStrW ); } } } pStartStr = NULL; } pCurr++; } // Now look for Unicode strings pwCurr = (RPU16)pBuff; pwEnd = pwCurr + ( size / 2 ); while( pwCurr < pwEnd ) { isWChar = rpal_string_isprintW( *pwCurr ); if( NULL == pwStartStr && isWChar ) // found the begining of a string { pwStartStr = (RPWCHAR)pwCurr; } else if( NULL != pwStartStr && ( !isWChar || 0 == *pwCurr ) ) // found the end of a string { // is string NULL terminated if( 0 == *pwCurr ) { // wcslen is really pCurr - pStartStr if( (RU32)( (RPWCHAR)pwCurr - pwStartStr ) >= minLength && (RU32)( (RPWCHAR)pwCurr - pwStartStr ) <= maxLength ) // is string long enough { if( _isStringInList( searchStrings, pwStartStr ) && NULL != ( newFoundStr = rSequence_new() ) ) { rSequence_addSTRINGW( newFoundStr, RP_TAGS_STRING, pwStartStr ); rSequence_addRU64( newFoundStr, RP_TAGS_MEMORY_ADDRESS, baseAddr + ( (RPU8)pwStartStr - pBuff ) ); if( !rList_addSEQUENCE( stringsFound, newFoundStr ) ) { rSequence_free( newFoundStr ); } } } } pwStartStr = NULL; } pwCurr++; } }