/*
 * obsLib with a single 4-byte pattern registered: hits must come back in
 * buffer order, each carrying the context pointer registered for the pattern
 * and the address where the match starts, and nextHit must report FALSE once
 * the buffer is exhausted.
 */
void test_singlePattern(void)
{
    HObs obs = NULL;
    RU8 needle[] = { 0x01, 0x02, 0x03, 0x04 };
    // needle at offset 4, ending exactly on the last byte of the buffer
    RU8 hayEnd[] = { 0x02, 0x04, 0xFF, 0xEF, 0x01, 0x02, 0x03, 0x04 };
    // needle at offset 4 with trailing bytes after it
    RU8 hayMid[] = { 0x02, 0x04, 0xFF, 0xEF, 0x01, 0x02, 0x03, 0x04, 0xEE, 0x6F };
    // near miss: third byte of the would-be match differs
    RU8 hayNone[] = { 0x02, 0x04, 0xFF, 0xEF, 0x01, 0x02, 0x01, 0x04, 0xEE, 0x6F };
    // needle at offsets 4 and 10
    RU8 hayTwice[] = { 0x02, 0x04, 0xFF, 0xEF, 0x01, 0x02, 0x03, 0x04, 0xEE, 0x6F, 0x01, 0x02, 0x03, 0x04 };
    RU32 needleCtx = 0;
    RPVOID hitCtx = NULL;
    RPU8 hitLoc = NULL;

    obs = obsLib_new( 0, 0 );
    CU_ASSERT_TRUE_FATAL( rpal_memory_isValid( obs ) );
    CU_ASSERT_TRUE_FATAL( obsLib_addPattern( obs, needle, sizeof( needle ), &needleCtx ) );

    // One hit, flush with the end of the buffer.
    CU_ASSERT_TRUE_FATAL( obsLib_setTargetBuffer( obs, hayEnd, sizeof( hayEnd ) ) );
    CU_ASSERT_TRUE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );
    CU_ASSERT_EQUAL( hitCtx, &needleCtx );
    CU_ASSERT_EQUAL( hitLoc, hayEnd + 4 );
    CU_ASSERT_FALSE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );

    // One hit in the middle of the buffer.
    CU_ASSERT_TRUE_FATAL( obsLib_setTargetBuffer( obs, hayMid, sizeof( hayMid ) ) );
    CU_ASSERT_TRUE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );
    CU_ASSERT_EQUAL( hitCtx, &needleCtx );
    CU_ASSERT_EQUAL( hitLoc, hayMid + 4 );
    CU_ASSERT_FALSE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );

    // No hit at all.
    CU_ASSERT_TRUE_FATAL( obsLib_setTargetBuffer( obs, hayNone, sizeof( hayNone ) ) );
    CU_ASSERT_FALSE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );

    // Two hits, reported middle first then end.
    CU_ASSERT_TRUE_FATAL( obsLib_setTargetBuffer( obs, hayTwice, sizeof( hayTwice ) ) );
    CU_ASSERT_TRUE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );
    CU_ASSERT_EQUAL( hitCtx, &needleCtx );
    CU_ASSERT_EQUAL( hitLoc, hayTwice + 4 );
    CU_ASSERT_TRUE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );
    CU_ASSERT_EQUAL( hitCtx, &needleCtx );
    CU_ASSERT_EQUAL( hitLoc, hayTwice + 10 );
    CU_ASSERT_FALSE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );

    obsLib_free( obs );
}
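// Hash one "document of interest", preferring an in-memory read (so the
// content can be cached alongside the notification) when the file is at most
// DOCUMENT_MAX_SIZE bytes, and otherwise streaming the hash from disk.
// The ascii path is tried first and the wide path only if that produced no
// hash, mirroring the order in which the paths were matched.
//
// On return *pContent / *pSize hold the in-memory copy (caller releases it
// with rpal_memory_free) or NULL / 0 when the file was not read in memory.
// Returns TRUE if *pHash was populated by either method.
static RBOOL _hashFileOfInterest( RPCHAR fileA,
                                  RPWCHAR fileW,
                                  RPU8* pContent,
                                  RU32* pSize,
                                  CryptoLib_Hash* pHash )
{
    RBOOL isHashed = FALSE;

    *pContent = NULL;
    *pSize = 0;

    if( NULL != fileA )
    {
        if( DOCUMENT_MAX_SIZE >= rpal_file_getSize( fileA, TRUE ) &&
            rpal_file_read( fileA, (RPVOID*)pContent, pSize, TRUE ) )
        {
            if( DOCUMENT_MAX_SIZE < *pSize )
            {
                // The file grew between the size check and the read; enforce
                // the cap on what was actually read so an oversized blob never
                // reaches the document cache, and fall back to hashing on disk.
                rpal_memory_free( *pContent );
                *pContent = NULL;
                *pSize = 0;
            }
            else
            {
                isHashed = CryptoLib_hash( *pContent, *pSize, pHash );
            }
        }

        if( !isHashed )
        {
            isHashed = CryptoLib_hashFileA( fileA, pHash, TRUE );
        }
    }

    if( !isHashed && NULL != fileW )
    {
        // Drop anything a failed ascii attempt left behind before the output
        // buffers are reused for the wide path.
        if( NULL != *pContent )
        {
            rpal_memory_free( *pContent );
            *pContent = NULL;
            *pSize = 0;
        }

        if( DOCUMENT_MAX_SIZE >= rpal_file_getSizew( fileW, TRUE ) &&
            rpal_file_readw( fileW, (RPVOID*)pContent, pSize, TRUE ) )
        {
            if( DOCUMENT_MAX_SIZE < *pSize )
            {
                // Same post-read cap as the ascii path.
                rpal_memory_free( *pContent );
                *pContent = NULL;
                *pSize = 0;
            }
            else
            {
                isHashed = CryptoLib_hash( *pContent, *pSize, pHash );
            }
        }

        if( !isHashed )
        {
            isHashed = CryptoLib_hashFileW( fileW, pHash, TRUE );
        }
    }

    return isHashed;
}

// Handle a file-path notification for the document collector. If the path
// matches one of the document patterns (ascii matcher first, then wide), the
// file is hashed, a NEW_DOCUMENT notification carrying the hash is published,
// and the notification (with the file content attached, when the file was
// small enough to be read in memory) is parked in the document cache.
//
// Ownership: `notif` is consumed on every path; it is either handed to the
// ring buffer or freed here. notifications_publish() is assumed to copy
// rather than take ownership, since `notif` is still used after it returns.
static RVOID processFile( rSequence notif )
{
    RPCHAR fileA = NULL;
    RPWCHAR fileW = NULL;
    RPU8 fileContent = NULL;
    RU32 fileSize = 0;
    CryptoLib_Hash hash = { 0 };
    RBOOL isOfInterest = FALSE;

    if( NULL == notif )
    {
        return;
    }

    // The matchers are shared across calls, so clear any leftover state.
    obsLib_resetSearchState( matcherA );
    obsLib_resetSearchState( matcherW );

    // The NUL terminator is part of the searched span, presumably so that
    // extension patterns can anchor on the end of the path.
    if( rSequence_getSTRINGA( notif, RP_TAGS_FILE_PATH, &fileA ) &&
        obsLib_setTargetBuffer( matcherA, fileA, ( rpal_string_strlen( fileA ) + 1 ) * sizeof( RCHAR ) ) &&
        obsLib_nextHit( matcherA, NULL, NULL ) )
    {
        isOfInterest = TRUE;
    }
    else if( rSequence_getSTRINGW( notif, RP_TAGS_FILE_PATH, &fileW ) &&
             obsLib_setTargetBuffer( matcherW, fileW, ( rpal_string_strlenw( fileW ) + 1 ) * sizeof( RWCHAR ) ) &&
             obsLib_nextHit( matcherW, NULL, NULL ) )
    {
        isOfInterest = TRUE;
    }

    if( !isOfInterest )
    {
        rSequence_free( notif );
        return;
    }

    if( _hashFileOfInterest( fileA, fileW, &fileContent, &fileSize, &hash ) )
    {
        // Hash acquired, either from the in-memory copy (which also feeds the
        // cache) or streamed off disk when the file exceeded the size cap.
        rSequence_unTaintRead( notif );
        rSequence_addBUFFER( notif, RP_TAGS_HASH, (RPU8)&hash, sizeof( hash ) );
        notifications_publish( RP_TAGS_NOTIFICATION_NEW_DOCUMENT, notif );
    }

    // Cache only when the content was read in memory; files above the cap
    // get their hash published but are not cached. On any failure nobody
    // else holds `notif`, so it is freed here.
    if( rMutex_lock( cacheMutex ) )
    {
        if( NULL == fileContent ||
            !rSequence_addBUFFER( notif, RP_TAGS_FILE_CONTENT, fileContent, fileSize ) ||
            !HbsRingBuffer_add( documentCache, notif ) )
        {
            rSequence_free( notif );
        }
        rMutex_unlock( cacheMutex );
    }
    else
    {
        rSequence_free( notif );
    }

    // The raw buffer is released regardless of whether the notification was
    // cached (rSequence_addBUFFER evidently keeps its own copy).
    if( NULL != fileContent )
    {
        rpal_memory_free( fileContent );
    }
}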
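// Callback for file I/O events: when the accessed path matches one of the
// configured extension patterns (g_extensions), the match is recorded in the
// originating process's extension bitmask and, the first time a given pattern
// is seen for that process, a FILE_TYPE_ACCESSED event is published naming
// the process and the 1-based rule number.
//
// Runs under g_mutex, which guards g_extensions' search state and the
// per-process context returned by getProcContext().
static RVOID processFileIo( rpcm_tag notifType, rSequence event )
{
    ProcExtInfo* ctx = NULL;
    RPNCHAR path = NULL;
    RPVOID patternCtx = NULL;
    RU64 rawPatternId = 0;
    RU8 patternId = 0;
    RPU8 atomId = NULL;
    RU32 pid = 0;
    rSequence newEvent = NULL;
    // Pattern ids are used as bit positions in ctx->extBitMask; a shift by
    // the mask's width or more is undefined behaviour, so bound them here.
    const RU64 maxPatternId = sizeof( ctx->extBitMask ) * 8;

    UNREFERENCED_PARAMETER( notifType );

    if( !rSequence_getSTRINGN( event, RP_TAGS_FILE_PATH, &path ) ||
        !HbsGetParentAtom( event, &atomId ) ||
        !rSequence_getRU32( event, RP_TAGS_PROCESS_ID, &pid ) )
    {
        return;
    }

    if( !rMutex_lock( g_mutex ) )
    {
        return;
    }

    obsLib_resetSearchState( g_extensions );

    if( obsLib_setTargetBuffer( g_extensions, path, rpal_string_strsize( path ) ) )
    {
        while( obsLib_nextHit( g_extensions, &patternCtx, NULL ) )
        {
            // Resolve the process context once, on the first hit.
            if( NULL == ctx && NULL == ( ctx = getProcContext( atomId ) ) )
            {
                rpal_debug_error( "error getting process context" );
                break;
            }

            rawPatternId = (RU64)PTR_TO_NUMBER( patternCtx );
            if( rawPatternId >= maxPatternId )
            {
                rpal_debug_error( "pattern id " RF_U64 " exceeds extension bitmask width", rawPatternId );
                continue;
            }
            patternId = (RU8)rawPatternId;

            if( IS_FLAG_ENABLED( ctx->extBitMask, (RU64)1 << patternId ) )
            {
                // Already reported for this process.
                continue;
            }

            // Rule numbers are reported 1-based; widen explicitly so the
            // vararg matches the RF_U64 format instead of passing an int.
            rpal_debug_info( "process " RF_U32 " observed file io " RF_U64, pid, (RU64)( patternId + 1 ) );
            ENABLE_FLAG( ctx->extBitMask, (RU64)1 << patternId );

            if( NULL != ( newEvent = rSequence_new() ) )
            {
                HbsSetParentAtom( newEvent, atomId );
                rSequence_addRU32( newEvent, RP_TAGS_PROCESS_ID, pid );
                rSequence_addRU8( newEvent, RP_TAGS_RULE_NAME, patternId + 1 );
                rSequence_addSTRINGN( newEvent, RP_TAGS_FILE_PATH, ctx->processPath );
                hbs_publish( RP_TAGS_NOTIFICATION_FILE_TYPE_ACCESSED, newEvent );
                rSequence_free( newEvent );
            }
        }
    }

    rMutex_unlock( g_mutex );
}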
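// Count how many of the string samples registered in `sample` occur in the
// memory of module [moduleBase, moduleBase + moduleSize) of process `pid`.
// Each sample is counted at most once, however many times it occurs; the hit
// context registered for each sample is expected to be its index.
//
// Returns the number of distinct samples found, or (RU32)(-1) when the scan
// could not run at all: bad arguments, fewer than _MIN_DISK_SAMPLE_SIZE
// samples, a module too large for the RU32 scan size, allocation failure, or
// the process memory could not be read. `isTimeToStop` is polled between
// hits so a shutdown aborts the scan early, returning the partial count.
static RU32 _checkMemoryForStringSample( HObs sample,
                                         RU32 pid,
                                         RPVOID moduleBase,
                                         RU64 moduleSize,
                                         rEvent isTimeToStop,
                                         LibOsPerformanceProfile* perfProfile )
{
    RPU8 pMem = NULL;
    RU8* sampleList = NULL;
    RPU8 sampleNumber = NULL;
    RU64 sampleIndex = 0;
    RU32 nSamples = 0;
    RU32 nSamplesFound = (RU32)(-1);

    if( NULL == sample ||
        0 == pid ||
        NULL == moduleBase ||
        0 == moduleSize ||
        // obsLib_setTargetBuffer takes an RU32 size; refuse rather than
        // silently scan a truncated range.
        (RU64)(RU32)(-1) < moduleSize ||
        _MIN_DISK_SAMPLE_SIZE > ( nSamples = obsLib_getNumPatterns( sample ) ) )
    {
        return nSamplesFound;
    }

    // One "seen" flag per sample so repeated occurrences are counted once.
    if( NULL == ( sampleList = rpal_memory_alloc( sizeof( RU8 ) * nSamples ) ) )
    {
        return nSamplesFound;
    }
    rpal_memory_zero( sampleList, sizeof( RU8 ) * nSamples );

    if( processLib_getProcessMemory( pid, moduleBase, moduleSize, (RPVOID*)&pMem, TRUE ) )
    {
        if( obsLib_setTargetBuffer( sample, pMem, (RU32)moduleSize ) )
        {
            // The scan is actually running from here on, so the count must
            // start at 0: incrementing the (RU32)(-1) error sentinel would
            // under-report every result by one and make "nothing found"
            // indistinguishable from "could not scan".
            nSamplesFound = 0;

            while( !rEvent_wait( isTimeToStop, 0 ) &&
                   obsLib_nextHit( sample, (RPVOID*)&sampleNumber, NULL ) )
            {
                libOs_timeoutWithProfile( perfProfile, TRUE, isTimeToStop );

                // The hit context is the sample's index smuggled through a
                // pointer; compare it as an integer, not as a pointer.
                sampleIndex = (RU64)PTR_TO_NUMBER( sampleNumber );
                if( sampleIndex < nSamples && 0 == sampleList[ sampleIndex ] )
                {
                    sampleList[ sampleIndex ] = 1;
                    nSamplesFound++;
                }
            }
        }

        rpal_memory_free( pMem );
    }
    else
    {
        // %p / RF_U64 so the pointer and 64-bit size match their conversions.
        rpal_debug_info( "failed to get memory for " RF_U32 ": %p ( " RF_U64 " ) error %d",
                         pid,
                         moduleBase,
                         moduleSize,
                         rpal_error_getLast() );
    }

    rpal_memory_free( sampleList );

    return nSamplesFound;
}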
/*
 * obsLib with four 4-byte patterns registered at once, several sharing a
 * prefix: hits come back in buffer order, each carrying the context of the
 * pattern that actually matched, and the near-miss patterns must not fire on
 * the prefix they share with a real hit.
 */
void test_multiPattern(void)
{
    HObs obs = NULL;
    RU8 needle1[] = { 0x01, 0x02, 0x03, 0x04 };
    RU8 needle2[] = { 0x01, 0x02, 0x03, 0x06 };   // 3-byte prefix shared with needle1, never expected to hit
    RU8 needle3[] = { 0x01, 0x02, 0x06, 0x04 };
    RU8 needle4[] = { 0xEF, 0x02, 0x03, 0x04 };
    // needle1 at offset 4, flush with the end
    RU8 hayEnd[] = { 0x02, 0x04, 0xFF, 0xEF, 0x01, 0x02, 0x03, 0x04 };
    // needle1 at offset 4 with trailing bytes
    RU8 hayMid[] = { 0x02, 0x04, 0xFF, 0xEF, 0x01, 0x02, 0x03, 0x04, 0xEE, 0x6F };
    // no pattern present
    RU8 hayNone[] = { 0x02, 0x04, 0xFF, 0xEF, 0x01, 0x02, 0x01, 0x04, 0xEE, 0x6F };
    // needle1 at offsets 4 and 10
    RU8 hayTwice[] = { 0x02, 0x04, 0xFF, 0xEF, 0x01, 0x02, 0x03, 0x04, 0xEE, 0x6F, 0x01, 0x02, 0x03, 0x04 };
    // needle4 at offset 3, needle1 at offset 10
    RU8 hayMulti1[] = { 0x02, 0x04, 0xFF, 0xEF, 0x02, 0x03, 0x04, 0x04, 0xEE, 0x6F, 0x01, 0x02, 0x03, 0x04 };
    // needle4 at offset 3, needle1 at offset 10, needle3 at offset 14
    RU8 hayMulti2[] = { 0x02, 0x04, 0xFF, 0xEF, 0x02, 0x03, 0x04, 0x04, 0xEE, 0x6F, 0x01, 0x02, 0x03, 0x04, 0x01, 0x02, 0x06, 0x04 };
    RU32 ctx1 = 0;
    RU32 ctx2 = 0;
    RU32 ctx3 = 0;
    RU32 ctx4 = 0;
    RPVOID hitCtx = NULL;
    RPU8 hitLoc = NULL;

    obs = obsLib_new( 0, 0 );
    CU_ASSERT_TRUE_FATAL( rpal_memory_isValid( obs ) );
    CU_ASSERT_TRUE_FATAL( obsLib_addPattern( obs, needle1, sizeof( needle1 ), &ctx1 ) );
    CU_ASSERT_TRUE_FATAL( obsLib_addPattern( obs, needle2, sizeof( needle2 ), &ctx2 ) );
    CU_ASSERT_TRUE_FATAL( obsLib_addPattern( obs, needle3, sizeof( needle3 ), &ctx3 ) );
    CU_ASSERT_TRUE_FATAL( obsLib_addPattern( obs, needle4, sizeof( needle4 ), &ctx4 ) );

    // One hit, flush with the end of the buffer.
    CU_ASSERT_TRUE_FATAL( obsLib_setTargetBuffer( obs, hayEnd, sizeof( hayEnd ) ) );
    CU_ASSERT_TRUE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );
    CU_ASSERT_EQUAL( hitCtx, &ctx1 );
    CU_ASSERT_EQUAL( hitLoc, hayEnd + 4 );
    CU_ASSERT_FALSE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );

    // One hit in the middle of the buffer.
    CU_ASSERT_TRUE_FATAL( obsLib_setTargetBuffer( obs, hayMid, sizeof( hayMid ) ) );
    CU_ASSERT_TRUE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );
    CU_ASSERT_EQUAL( hitCtx, &ctx1 );
    CU_ASSERT_EQUAL( hitLoc, hayMid + 4 );
    CU_ASSERT_FALSE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );

    // No hit at all.
    CU_ASSERT_TRUE_FATAL( obsLib_setTargetBuffer( obs, hayNone, sizeof( hayNone ) ) );
    CU_ASSERT_FALSE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );

    // Same pattern twice, middle then end.
    CU_ASSERT_TRUE_FATAL( obsLib_setTargetBuffer( obs, hayTwice, sizeof( hayTwice ) ) );
    CU_ASSERT_TRUE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );
    CU_ASSERT_EQUAL( hitCtx, &ctx1 );
    CU_ASSERT_EQUAL( hitLoc, hayTwice + 4 );
    CU_ASSERT_TRUE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );
    CU_ASSERT_EQUAL( hitCtx, &ctx1 );
    CU_ASSERT_EQUAL( hitLoc, hayTwice + 10 );
    CU_ASSERT_FALSE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );

    // Two different patterns.
    CU_ASSERT_TRUE_FATAL( obsLib_setTargetBuffer( obs, hayMulti1, sizeof( hayMulti1 ) ) );
    CU_ASSERT_TRUE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );
    CU_ASSERT_EQUAL( hitCtx, &ctx4 );
    CU_ASSERT_EQUAL( hitLoc, hayMulti1 + 3 );
    CU_ASSERT_TRUE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );
    CU_ASSERT_EQUAL( hitCtx, &ctx1 );
    CU_ASSERT_EQUAL( hitLoc, hayMulti1 + 10 );
    CU_ASSERT_FALSE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );

    // Three different patterns.
    CU_ASSERT_TRUE_FATAL( obsLib_setTargetBuffer( obs, hayMulti2, sizeof( hayMulti2 ) ) );
    CU_ASSERT_TRUE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );
    CU_ASSERT_EQUAL( hitCtx, &ctx4 );
    CU_ASSERT_EQUAL( hitLoc, hayMulti2 + 3 );
    CU_ASSERT_TRUE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );
    CU_ASSERT_EQUAL( hitCtx, &ctx1 );
    CU_ASSERT_EQUAL( hitLoc, hayMulti2 + 10 );
    CU_ASSERT_TRUE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );
    CU_ASSERT_EQUAL( hitCtx, &ctx3 );
    CU_ASSERT_EQUAL( hitLoc, hayMulti2 + 14 );
    CU_ASSERT_FALSE( obsLib_nextHit( obs, &hitCtx, &hitLoc ) );

    obsLib_free( obs );
}