// Event handler: reads the file path (ANSI or wide) from the event, hashes the
// file at that path, reads the RP_TAGS_MEMORY_SIZE value and forwards all of it
// to processCodeIdentA / processCodeIdentW.
//
// notifType : unused.
// event     : sequence carrying RP_TAGS_FILE_PATH and, optionally,
//             RP_TAGS_MEMORY_SIZE.
//
// NOTE(review): no size limit is applied before hashing in this definition; the
// file named by the event is hashed whatever its size.
static RVOID
    processNewModule
    (
        rpcm_tag notifType,
        rSequence event
    )
{
    RU8 digest[ CRYPTOLIB_HASH_SIZE ] = { 0 };
    RU64 memSize = 0;
    RPCHAR pathA = NULL;
    RPWCHAR pathW = NULL;

    UNREFERENCED_PARAMETER( notifType );

    if( !rpal_memory_isValid( event ) )
    {
        return;
    }

    // The wide lookup is only attempted when the ANSI lookup fails, so at most
    // one of pathA / pathW is set by these calls.
    if( !rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &pathA ) &&
        !rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &pathW ) )
    {
        return;
    }

    // A failed hash is only logged; the zero-initialised digest buffer is still
    // handed on below (its content after a failed call depends on CryptoLib).
    if( NULL != pathA )
    {
        if( !CryptoLib_hashFileA( pathA, digest, TRUE ) )
        {
            rpal_debug_info( "unable to fetch file hash for ident" );
        }
    }

    if( NULL != pathW )
    {
        if( !CryptoLib_hashFileW( pathW, digest, TRUE ) )
        {
            rpal_debug_info( "unable to fetch file hash for ident" );
        }
    }

    // Optional: memSize stays 0 when the tag is absent.
    rSequence_getRU64( event, RP_TAGS_MEMORY_SIZE, &memSize );

    if( NULL != pathA )
    {
        processCodeIdentA( pathA, digest, memSize, event );
    }
    else if( NULL != pathW )
    {
        processCodeIdentW( pathW, digest, memSize, event );
    }
}
// Event handler for events that name a file and may already carry its hash.
// The path is taken from the first of RP_TAGS_FILE_PATH, RP_TAGS_DLL or
// RP_TAGS_EXECUTABLE that is present (ANSI tried before wide for each tag).
// When the event has no RP_TAGS_HASH buffer, the file is hashed locally unless
// it is larger than _MAX_FILE_HASH_SIZE, in which case
// RPAL_ERROR_FILE_TOO_LARGE is added to the event instead.
//
// notifType : unused.
// event     : sequence to inspect; it is modified when the file is too large.
//
// NOTE(review): a hash already present in the event is used as-is; the file is
// not re-hashed to confirm it.
// NOTE(review): pDigest is still NULL when the file is too large or hashing
// fails, and is passed to processCodeIdentA/W in that state; confirm the
// callees accept a NULL hash.
// NOTE(review): the size check and the hashing are two separate path-based
// calls, so the file could change between them.
static RVOID
    processHashedEvent
    (
        rpcm_tag notifType,
        rSequence event
    )
{
    CryptoLib_Hash computed = { 0 };
    CryptoLib_Hash* pDigest = NULL;
    RPCHAR pathA = NULL;
    RPWCHAR pathW = NULL;

    UNREFERENCED_PARAMETER( notifType );

    if( !rpal_memory_isValid( event ) )
    {
        return;
    }

    // Stop at the first tag/encoding pair that yields a path.
    if( !( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &pathA ) ||
           rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &pathW ) ||
           rSequence_getSTRINGA( event, RP_TAGS_DLL, &pathA ) ||
           rSequence_getSTRINGW( event, RP_TAGS_DLL, &pathW ) ||
           rSequence_getSTRINGA( event, RP_TAGS_EXECUTABLE, &pathA ) ||
           rSequence_getSTRINGW( event, RP_TAGS_EXECUTABLE, &pathW ) ) )
    {
        return;
    }

    // NOTE(review): the last argument (presumably the size out-parameter) is
    // NULL, so nothing here confirms the buffer is sizeof( CryptoLib_Hash )
    // bytes before it is treated as one.
    rSequence_getBUFFER( event, RP_TAGS_HASH, (RPU8*)&pDigest, NULL );

    if( NULL != pathA )
    {
        if( NULL == pDigest )
        {
            if( _MAX_FILE_HASH_SIZE < rpal_file_getSize( pathA, TRUE ) )
            {
                rSequence_unTaintRead( event );
                rSequence_addRU32( event, RP_TAGS_ERROR, RPAL_ERROR_FILE_TOO_LARGE );

                // Look the path up again after modifying the event, stopping at
                // the first tag that has it.
                if( !rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &pathA ) &&
                    !rSequence_getSTRINGA( event, RP_TAGS_DLL, &pathA ) )
                {
                    rSequence_getSTRINGA( event, RP_TAGS_EXECUTABLE, &pathA );
                }
            }
            else
            {
                if( CryptoLib_hashFileA( pathA, &computed, TRUE ) )
                {
                    pDigest = &computed;
                }
            }
        }

        processCodeIdentA( pathA, pDigest, 0, event );
    }
    else if( NULL != pathW )
    {
        if( NULL == pDigest )
        {
            if( _MAX_FILE_HASH_SIZE < rpal_file_getSizew( pathW, TRUE ) )
            {
                rSequence_unTaintRead( event );
                rSequence_addRU32( event, RP_TAGS_ERROR, RPAL_ERROR_FILE_TOO_LARGE );

                // Same re-lookup as the ANSI branch, for the wide path.
                if( !rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &pathW ) &&
                    !rSequence_getSTRINGW( event, RP_TAGS_DLL, &pathW ) )
                {
                    rSequence_getSTRINGW( event, RP_TAGS_EXECUTABLE, &pathW );
                }
            }
            else
            {
                if( CryptoLib_hashFileW( pathW, &computed, TRUE ) )
                {
                    pDigest = &computed;
                }
            }
        }

        processCodeIdentW( pathW, pDigest, 0, event );
    }
}
// Event handler: reads the file path (ANSI or wide) from the event and hashes
// the file unless it is larger than _MAX_FILE_HASH_SIZE, in which case
// RPAL_ERROR_FILE_TOO_LARGE is added to the event instead. The path, the hash
// and the RP_TAGS_MEMORY_SIZE value are then forwarded to
// processCodeIdentA / processCodeIdentW.
//
// notifType : unused.
// event     : sequence carrying RP_TAGS_FILE_PATH and, optionally,
//             RP_TAGS_MEMORY_SIZE; it is modified when the file is too large.
//
// NOTE(review): when the file is too large the zero-initialised digest is
// forwarded unchanged, so the callee receives an all-zero hash; the only
// marker of that case visible here is the RP_TAGS_ERROR value on the event.
// NOTE(review): the size check and the hashing are two separate path-based
// calls, so the file could change between them.
static RVOID
    processNewModule
    (
        rpcm_tag notifType,
        rSequence event
    )
{
    CryptoLib_Hash digest = { 0 };
    RU64 memSize = 0;
    RPCHAR pathA = NULL;
    RPWCHAR pathW = NULL;

    UNREFERENCED_PARAMETER( notifType );

    if( !rpal_memory_isValid( event ) )
    {
        return;
    }

    // The wide lookup is only attempted when the ANSI lookup fails.
    if( !rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &pathA ) &&
        !rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &pathW ) )
    {
        return;
    }

    if( ( NULL != pathA &&
          _MAX_FILE_HASH_SIZE < rpal_file_getSize( pathA, TRUE ) ) ||
        ( NULL != pathW &&
          _MAX_FILE_HASH_SIZE < rpal_file_getSizew( pathW, TRUE ) ) )
    {
        // The event has already been read from; clear the read taint before
        // adding to it.
        rSequence_unTaintRead( event );
        rSequence_addRU32( event, RP_TAGS_ERROR, RPAL_ERROR_FILE_TOO_LARGE );

        // Adding the error may have changed the structure of the event, so the
        // path pointers are fetched again (wide only if ANSI is absent).
        if( !rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &pathA ) )
        {
            rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &pathW );
        }
    }
    else
    {
        // A failed hash is only logged; the digest is still forwarded below.
        if( NULL != pathA )
        {
            if( !CryptoLib_hashFileA( pathA, &digest, TRUE ) )
            {
                rpal_debug_info( "unable to fetch file hash for ident" );
            }
        }

        if( NULL != pathW )
        {
            if( !CryptoLib_hashFileW( pathW, &digest, TRUE ) )
            {
                rpal_debug_info( "unable to fetch file hash for ident" );
            }
        }
    }

    // Optional: memSize stays 0 when the tag is absent.
    rSequence_getRU64( event, RP_TAGS_MEMORY_SIZE, &memSize );

    if( NULL != pathA )
    {
        processCodeIdentA( pathA, &digest, memSize, event );
    }
    else if( NULL != pathW )
    {
        processCodeIdentW( pathW, &digest, memSize, event );
    }
}