RBOOL
collector_19_init
(
HbsState* hbsState,
rSequence config
)
{
RBOOL isSuccess = FALSE;
if( NULL != hbsState )
{
if( NULL != config )
{
if( !rSequence_getRU32( config, RP_TAGS_TIMEDELTA, &g_diff_timeout ) )
{
g_diff_timeout = _DIFF_TIMEOUT;
}
}
if( rThreadPool_task( hbsState->hThreadPool, trackerDiffThread, NULL ) )
{
isSuccess = TRUE;
}
}
return isSuccess;
}
RBOOL
collector_5_init
(
HbsState* hbsState,
rSequence config
)
{
RBOOL isSuccess = FALSE;
UNREFERENCED_PARAMETER( config );
if( NULL != hbsState )
{
if( notifications_subscribe( RP_TAGS_NOTIFICATION_HIDDEN_MODULE_REQ,
NULL,
0,
NULL,
scan_for_hidden_module ) &&
rThreadPool_task( hbsState->hThreadPool, lookForHiddenModulesConstantly, NULL ) )
{
isSuccess = TRUE;
}
else
{
notifications_unsubscribe( RP_TAGS_NOTIFICATION_HIDDEN_MODULE_REQ, NULL, scan_for_hidden_module );
}
}
return isSuccess;
}
RBOOL
collector_15_init
(
HbsState* hbsState,
rSequence config
)
{
RBOOL isSuccess = FALSE;
UNREFERENCED_PARAMETER( config );
if( NULL != hbsState )
{
if( rQueue_create( &g_newProcessNotifications, _freeEvt, 20 ) )
{
if( notifications_subscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS,
NULL,
0,
g_newProcessNotifications,
NULL ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_MODULE_MEM_DISK_MISMATCH_REQ,
NULL,
0,
NULL,
scan_for_hollowing ) &&
rThreadPool_task( hbsState->hThreadPool, spotCheckProcessConstantly, NULL ) &&
rThreadPool_task( hbsState->hThreadPool, spotCheckNewProcesses, NULL ) )
{
isSuccess = TRUE;
}
else
{
notifications_unsubscribe( RP_TAGS_NOTIFICATION_NEW_PROCESS,
g_newProcessNotifications,
NULL );
notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_MEM_DISK_MISMATCH_REQ,
NULL,
scan_for_hollowing );
rQueue_free( g_newProcessNotifications );
g_newProcessNotifications = NULL;
}
}
}
return isSuccess;
}
RBOOL
collector_2_init
(
HbsState* hbsState,
rSequence config
)
{
RBOOL isSuccess = FALSE;
UNREFERENCED_PARAMETER( config );
if( NULL != hbsState )
{
#ifdef RPAL_PLATFORM_WINDOWS
RWCHAR apiName[] = _WCH( "dnsapi.dll" );
RCHAR funcName1[] = "DnsGetCacheDataTable";
RCHAR funcName2[] = "DnsFree";
if( NULL != ( hDnsApi = LoadLibraryW( (RPWCHAR)&apiName ) ) )
{
// TODO: investigate the DnsQuery API on Windows to get the DNS resolutions.
if( NULL != ( getCache = (DnsGetCacheDataTable_f)GetProcAddress( hDnsApi, (RPCHAR)&funcName1 ) ) &&
NULL != ( freeCacheEntry = (DnsFree_f)GetProcAddress( hDnsApi, (RPCHAR)&funcName2 ) ) )
{
isSuccess = TRUE;
}
else
{
rpal_debug_warning( "failed to get dns undocumented function" );
FreeLibrary( hDnsApi );
}
}
else
{
rpal_debug_warning( "failed to load dns api" );
}
#elif defined( RPAL_PLATFORM_MACOSX )
isSuccess = TRUE;
#endif
if( isSuccess )
{
isSuccess = FALSE;
if( rThreadPool_task( hbsState->hThreadPool, dnsDiffThread, NULL ) )
{
isSuccess = TRUE;
}
}
}
return isSuccess;
}
RBOOL
collector_4_init
(
HbsState* hbsState,
rSequence config
)
{
RBOOL isSuccess = FALSE;
UNREFERENCED_PARAMETER( config );
if( NULL != hbsState )
{
if( rThreadPool_task( hbsState->hThreadPool, networkDiffThread, NULL ) )
{
isSuccess = TRUE;
}
}
return isSuccess;
}
RBOOL
collector_1_init
(
HbsState* hbsState,
rSequence config
)
{
RBOOL isSuccess = FALSE;
UNREFERENCED_PARAMETER( config );
if( NULL != hbsState )
{
g_is_kernel_failure = FALSE;
if( rThreadPool_task( hbsState->hThreadPool, processDiffThread, NULL ) )
{
isSuccess = TRUE;
}
}
return isSuccess;
}
RBOOL
collector_16_init
(
HbsState* hbsState,
rSequence config
)
{
RBOOL isSuccess = FALSE;
UNREFERENCED_PARAMETER( config );
if( NULL != hbsState )
{
if( 0 == yr_initialize() )
{
if( NULL != ( g_global_rules_mutex = rMutex_create() ) )
{
if( rQueue_create( &g_async_files_to_scan, _freeSeq, 100 ) )
{
if( notifications_subscribe( RP_TAGS_NOTIFICATION_YARA_RULES_UPDATE,
NULL,
0,
NULL,
updateSignatures ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_YARA_SCAN,
NULL,
0,
NULL,
doScan ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD,
NULL,
0,
g_async_files_to_scan,
NULL ) )
{
isSuccess = TRUE;
if( !rThreadPool_task( hbsState->hThreadPool, continuousMemScan, NULL ) ||
!rThreadPool_task( hbsState->hThreadPool, continuousFileScan, NULL ) )
{
isSuccess = FALSE;
}
}
}
}
}
}
if( !isSuccess )
{
notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_RULES_UPDATE, NULL, updateSignatures );
notifications_unsubscribe( RP_TAGS_NOTIFICATION_YARA_SCAN, NULL, doScan );
notifications_unsubscribe( RP_TAGS_NOTIFICATION_MODULE_LOAD, g_async_files_to_scan, NULL);
rQueue_free( g_async_files_to_scan );
g_async_files_to_scan = NULL;
rMutex_free( g_global_rules_mutex );
g_global_rules_mutex = NULL;
yr_finalize();
}
return isSuccess;
}
RBOOL
collector_18_init
(
HbsState* hbsState,
rSequence config
)
{
RBOOL isSuccess = FALSE;
rList extensions = NULL;
rList patterns = NULL;
RPCHAR strA = NULL;
RPCHAR tmpA = NULL;
RPWCHAR strW = NULL;
RPWCHAR tmpW = NULL;
RU32 maxSize = 0;
RBOOL isCaseInsensitive = FALSE;
if( NULL != hbsState )
{
#ifdef RPAL_PLATFORM_WINDOWS
// On Windows files and paths are not case sensitive.
isCaseInsensitive = TRUE;
#endif
if( NULL == config ||
rSequence_getLIST( config, RP_TAGS_EXTENSIONS, &extensions ) ||
rSequence_getLIST( config, RP_TAGS_PATTERNS, &patterns ) )
{
if( NULL != ( cacheMutex = rMutex_create() ) &&
NULL != ( matcherA = obsLib_new( 0, 0 ) ) &&
NULL != ( matcherW = obsLib_new( 0, 0 ) ) )
{
cacheSize = 0;
if( NULL != config &&
rSequence_getRU32( config, RP_TAGS_MAX_SIZE, &maxSize ) )
{
cacheMaxSize = maxSize;
}
else
{
cacheMaxSize = MAX_CACHE_SIZE;
}
if( NULL != ( documentCache = HbsRingBuffer_new( 0, cacheMaxSize ) ) )
{
if( NULL == config )
{
// As a default we'll cache all new files
obsLib_addPattern( matcherA, (RPU8)"", sizeof( RCHAR ), NULL );
obsLib_addPattern( matcherW, (RPU8)_WCH(""), sizeof( RWCHAR ), NULL );
}
else
{
// If a config was provided we'll cache only certain extensions
// specified.
while( rList_getSTRINGA( extensions, RP_TAGS_EXTENSION, &strA ) )
{
if( rpal_string_expand( strA, &tmpA ) )
{
obsLib_addStringPatternA( matcherA, tmpA, TRUE, isCaseInsensitive, NULL );
rpal_memory_free( tmpA );
}
if( NULL != ( strW = rpal_string_atow( strA ) ) )
{
if( rpal_string_expandw( strW, &tmpW ) )
{
obsLib_addStringPatternW( matcherW, tmpW, TRUE, isCaseInsensitive, NULL );
rpal_memory_free( tmpW );
}
rpal_memory_free( strW );
}
}
while( rList_getSTRINGW( extensions, RP_TAGS_EXTENSION, &strW ) )
{
if( rpal_string_expandw( strW, &tmpW ) )
{
obsLib_addStringPatternW( matcherW, tmpW, TRUE, isCaseInsensitive, NULL );
rpal_memory_free( tmpW );
}
if( NULL != ( strA = rpal_string_wtoa( strW ) ) )
{
if( rpal_string_expand( strA, &tmpA ) )
{
obsLib_addStringPatternA( matcherA, tmpA, TRUE, isCaseInsensitive, NULL );
rpal_memory_free( tmpA );
}
rpal_memory_free( strA );
}
}
while( rList_getSTRINGA( patterns, RP_TAGS_STRING_PATTERN, &strA ) )
{
if( rpal_string_expand( strA, &tmpA ) )
{
obsLib_addStringPatternA( matcherA, tmpA, FALSE, isCaseInsensitive, NULL );
rpal_memory_free( tmpA );
}
if( NULL != ( strW = rpal_string_atow( strA ) ) )
{
if( rpal_string_expandw( strW, &tmpW ) )
{
obsLib_addStringPatternW( matcherW, tmpW, FALSE, isCaseInsensitive, NULL );
rpal_memory_free( tmpW );
}
rpal_memory_free( strW );
}
}
while( rList_getSTRINGW( patterns, RP_TAGS_STRING_PATTERN, &strW ) )
{
if( rpal_string_expandw( strW, &tmpW ) )
{
obsLib_addStringPatternW( matcherW, tmpW, FALSE, isCaseInsensitive, NULL );
rpal_memory_free( tmpW );
}
if( NULL != ( strA = rpal_string_wtoa( strW ) ) )
{
if( rpal_string_expand( strA, &tmpA ) )
{
obsLib_addStringPatternA( matcherA, tmpA, FALSE, isCaseInsensitive, NULL );
rpal_memory_free( tmpA );
}
rpal_memory_free( strA );
}
}
}
if( rQueue_create( &createQueue, _freeEvt, 200 ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, NULL, 0, createQueue, NULL ) &&
notifications_subscribe( RP_TAGS_NOTIFICATION_GET_DOCUMENT_REQ, NULL, 0, NULL, getDocument ) &&
rThreadPool_task( hbsState->hThreadPool, parseDocuments, NULL ) )
{
isSuccess = TRUE;
}
}
}
if( !isSuccess )
{
notifications_unsubscribe( RP_TAGS_NOTIFICATION_FILE_CREATE, createQueue, NULL );
notifications_unsubscribe( RP_TAGS_NOTIFICATION_GET_DOCUMENT_REQ, NULL, getDocument );
rQueue_free( createQueue );
createQueue = NULL;
obsLib_free( matcherA );
obsLib_free( matcherW );
HbsRingBuffer_free( documentCache );
matcherA = NULL;
matcherW = NULL;
documentCache = NULL;
rMutex_free( cacheMutex );
cacheMutex = NULL;
}
}
}
return isSuccess;
}
