static
RVOID
processNewModule
(
rpcm_tag notifType,
rSequence event
)
{
RPWCHAR nameW = NULL;
RPCHAR nameA = NULL;
RU8 fileHash[ CRYPTOLIB_HASH_SIZE ] = { 0 };
RU64 size = 0;
UNREFERENCED_PARAMETER( notifType );
if( rpal_memory_isValid( event ) )
{
if( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) )
{
if( NULL != nameA &&
!CryptoLib_hashFileA( nameA, fileHash, TRUE ) )
{
rpal_debug_info( "unable to fetch file hash for ident" );
}
if( NULL != nameW &&
!CryptoLib_hashFileW( nameW, fileHash, TRUE ) )
{
rpal_debug_info( "unable to fetch file hash for ident" );
}
rSequence_getRU64( event, RP_TAGS_MEMORY_SIZE, &size );
if( NULL != nameA )
{
processCodeIdentA( nameA, fileHash, size, event );
}
else if( NULL != nameW )
{
processCodeIdentW( nameW, fileHash, size, event );
}
}
}
}
static
RVOID
processHashedEvent
(
rpcm_tag notifType,
rSequence event
)
{
RPWCHAR nameW = NULL;
RPCHAR nameA = NULL;
CryptoLib_Hash* pHash = NULL;
CryptoLib_Hash localHash = { 0 };
UNREFERENCED_PARAMETER( notifType );
if( rpal_memory_isValid( event ) )
{
if( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) ||
rSequence_getSTRINGA( event, RP_TAGS_DLL, &nameA ) ||
rSequence_getSTRINGW( event, RP_TAGS_DLL, &nameW ) ||
rSequence_getSTRINGA( event, RP_TAGS_EXECUTABLE, &nameA ) ||
rSequence_getSTRINGW( event, RP_TAGS_EXECUTABLE, &nameW ) )
{
rSequence_getBUFFER( event, RP_TAGS_HASH, (RPU8*)&pHash, NULL );
if( NULL != nameA )
{
if( NULL == pHash )
{
if( _MAX_FILE_HASH_SIZE < rpal_file_getSize( nameA, TRUE ) )
{
rSequence_unTaintRead( event );
rSequence_addRU32( event, RP_TAGS_ERROR, RPAL_ERROR_FILE_TOO_LARGE );
if( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
rSequence_getSTRINGA( event, RP_TAGS_DLL, &nameA ) ||
rSequence_getSTRINGA( event, RP_TAGS_EXECUTABLE, &nameA ) )
{
// Find the name again with shortcircuit
}
}
else if( CryptoLib_hashFileA( nameA, &localHash, TRUE ) )
{
pHash = &localHash;
}
}
processCodeIdentA( nameA, pHash, 0, event );
}
else if( NULL != nameW )
{
if( NULL == pHash )
{
if( _MAX_FILE_HASH_SIZE < rpal_file_getSizew( nameW, TRUE ) )
{
rSequence_unTaintRead( event );
rSequence_addRU32( event, RP_TAGS_ERROR, RPAL_ERROR_FILE_TOO_LARGE );
if( rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) ||
rSequence_getSTRINGW( event, RP_TAGS_DLL, &nameW ) ||
rSequence_getSTRINGW( event, RP_TAGS_EXECUTABLE, &nameW ) )
{
// Find the name again with shortcircuit
}
}
else if( CryptoLib_hashFileW( nameW, &localHash, TRUE ) )
{
pHash = &localHash;
}
}
processCodeIdentW( nameW, pHash, 0, event );
}
}
}
}
static
RVOID
processNewModule
(
rpcm_tag notifType,
rSequence event
)
{
RPWCHAR nameW = NULL;
RPCHAR nameA = NULL;
CryptoLib_Hash fileHash = { 0 };
RU64 size = 0;
UNREFERENCED_PARAMETER( notifType );
if( rpal_memory_isValid( event ) )
{
if( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) )
{
if( ( NULL != nameA &&
_MAX_FILE_HASH_SIZE < rpal_file_getSize( nameA, TRUE ) ) ||
( NULL != nameW &&
_MAX_FILE_HASH_SIZE < rpal_file_getSizew( nameW, TRUE ) ) )
{
// We already read from the event, but we will be careful.
rSequence_unTaintRead( event );
rSequence_addRU32( event, RP_TAGS_ERROR, RPAL_ERROR_FILE_TOO_LARGE );
// We need to re-get the paths in case adding the error triggered
// a change in the structure.
if( rSequence_getSTRINGA( event, RP_TAGS_FILE_PATH, &nameA ) ||
rSequence_getSTRINGW( event, RP_TAGS_FILE_PATH, &nameW ) )
{
// Find the name again with shortcircuit
}
}
else
{
if( NULL != nameA &&
!CryptoLib_hashFileA( nameA, &fileHash, TRUE ) )
{
rpal_debug_info( "unable to fetch file hash for ident" );
}
if( NULL != nameW &&
!CryptoLib_hashFileW( nameW, &fileHash, TRUE ) )
{
rpal_debug_info( "unable to fetch file hash for ident" );
}
}
rSequence_getRU64( event, RP_TAGS_MEMORY_SIZE, &size );
if( NULL != nameA )
{
processCodeIdentA( nameA, &fileHash, size, event );
}
else if( NULL != nameW )
{
processCodeIdentW( nameW, &fileHash, size, event );
}
}
}
}
