//============================================================================= // rRwLock API //============================================================================= rRwLock rRwLock_create ( ) { _rRwLock* lock; lock = rpal_memory_alloc( sizeof( *lock ) ); if( rpal_memory_isValid( lock ) ) { lock->evtCanRead = rEvent_create( TRUE ); lock->evtCanWrite = rEvent_create( TRUE ); lock->stateLock = rMutex_create(); lock->readCount = 0; if( !rpal_memory_isValid( lock->evtCanRead ) || !rpal_memory_isValid( lock->evtCanWrite ) || !rpal_memory_isValid( lock->stateLock ) ) { rEvent_free( lock->evtCanRead ); rEvent_free( lock->evtCanWrite ); rMutex_free( lock->stateLock ); rpal_memory_free( lock ); lock = NULL; } else { rEvent_set( lock->evtCanRead ); } } return (rRwLock)lock; }
RBOOL rpHostCommonPlatformLib_unload ( RU8 moduleId ) { RBOOL isSuccess = FALSE; RU32 moduleIndex = 0; for( moduleIndex = 0; moduleIndex < RP_HCP_CONTEXT_MAX_MODULES; moduleIndex++ ) { if( moduleId == g_hcpContext.modules[ moduleIndex ].id ) { if( rEvent_set( g_hcpContext.modules[ moduleIndex ].isTimeToStop ) && rpal_thread_wait( g_hcpContext.modules[ moduleIndex ].hThread, (30*1000) ) ) { isSuccess = TRUE; #ifdef RPAL_PLATFORM_WINDOWS FreeLibrary( (HMODULE)g_hcpContext.modules[ moduleIndex ].hModule ); #elif defined( RPAL_PLATFORM_LINUX ) || defined( RPAL_PLATFORM_MACOSX ) dlclose( g_hcpContext.modules[ moduleIndex ].hModule ); #endif rEvent_free( g_hcpContext.modules[ moduleIndex ].context.isTimeToStop ); rpal_thread_free( g_hcpContext.modules[ moduleIndex ].hThread ); } break; } } return isSuccess; }
RPRIVATE RVOID _cleanupModuleEntry ( rpHCPModuleInfo* mod ) { rEvent_free( mod->context.isTimeToStop ); rpal_thread_free( mod->hThread ); if( mod->isOsLoaded ) { #ifdef RPAL_PLATFORM_WINDOWS FreeLibrary( (HMODULE)(mod->hModule) ); #elif defined( RPAL_PLATFORM_LINUX ) || defined( RPAL_PLATFORM_MACOSX ) dlclose( mod->hModule ); #endif } else { MemoryFreeLibrary( mod->hModule ); } rpal_debug_info( "module %d cleaned up", mod->id ); rpal_memory_zero( mod, sizeof( *mod ) ); }
static RVOID scan_for_hidden_module ( rpcm_tag eventType, rSequence event ) { RU32 pid = (RU32)(-1); rEvent dummy = NULL; UNREFERENCED_PARAMETER( eventType ); rSequence_getRU32( event, RP_TAGS_PROCESS_ID, &pid ); if( NULL != ( dummy = rEvent_create( TRUE ) ) ) { if( (RU32)( -1 ) == pid ) { lookForHiddenModules( dummy, NULL ); } else { lookForHiddenModulesIn( dummy, pid ); } rEvent_free( dummy ); } }
RBOOL stopBeacons ( ) { RBOOL isSuccess = FALSE; if( NULL != g_hcpContext.isBeaconTimeToStop ) { rEvent_set( g_hcpContext.isBeaconTimeToStop ); if( 0 != g_hcpContext.hBeaconThread ) { rpal_thread_wait( g_hcpContext.hBeaconThread, MSEC_FROM_SEC( 40 ) ); rpal_thread_free( g_hcpContext.hBeaconThread ); isSuccess = TRUE; } rEvent_free( g_hcpContext.isBeaconTimeToStop ); g_hcpContext.isBeaconTimeToStop = NULL; } return isSuccess; }
//============================================================================= // API //============================================================================= RBOOL startBeacons ( ) { RBOOL isSuccess = FALSE; g_hcpContext.isBeaconTimeToStop = rEvent_create( TRUE ); if( NULL != g_hcpContext.isBeaconTimeToStop ) { g_hcpContext.hBeaconThread = rpal_thread_new( thread_beacon, NULL ); if( 0 != g_hcpContext.hBeaconThread ) { isSuccess = TRUE; } else { rEvent_free( g_hcpContext.isBeaconTimeToStop ); g_hcpContext.isBeaconTimeToStop = NULL; } } return isSuccess; }
RVOID rRwLock_free ( rRwLock lock ) { _rRwLock* lck = (_rRwLock*)lock; if( rpal_memory_isValid( lock ) ) { rEvent_free( lck->evtCanRead ); rEvent_free( lck->evtCanWrite ); rMutex_free( lck->stateLock ); rpal_memory_free( lock ); } }
RBOOL rpHostCommonPlatformLib_stop ( ) { if( 0 == rInterlocked_decrement32( &g_hcpContext.isRunning ) ) { stopBeacons(); stopAllModules(); rpal_memory_free( g_hcpContext.primaryUrl ); rpal_memory_free( g_hcpContext.secondaryUrl ); if( NULL != g_hcpContext.enrollmentToken && 0 != g_hcpContext.enrollmentTokenSize ) { rpal_memory_free( g_hcpContext.enrollmentToken ); } freeKeys(); #ifdef RPAL_PLATFORM_WINDOWS SetConsoleCtrlHandler( (PHANDLER_ROUTINE)ctrlHandler, FALSE ); #endif rMutex_free( g_hcpContext.cloudConnectionMutex ); rEvent_free( g_hcpContext.isCloudOnline ); g_hcpContext.cloudConnectionMutex = NULL; g_hcpContext.isCloudOnline = NULL; rpal_Context_cleanup(); rpal_Context_deinitialize(); // If the default crashContext is still present, remove it since // we are shutting down properly. If it's non-default leave it since // somehow we may have had a higher order crash we want to keep // track of but we are still leaving through our normal code path. if( 1 == getCrashContextSize() ) { rpal_debug_info( "clearing default crash context" ); cleanCrashContext(); } } else { rInterlocked_increment32( &g_hcpContext.isRunning ); } rpal_debug_info( "finished stopping hcp" ); return TRUE; }
static RVOID scan_for_hidden_module ( rpcm_tag eventType, rSequence event ) { RU32 pid = (RU32)(-1); rEvent dummy = NULL; LibOsPerformanceProfile perfProfile = { 0 }; UNREFERENCED_PARAMETER( eventType ); perfProfile.enforceOnceIn = 4; perfProfile.sanityCeiling = MSEC_FROM_SEC( 20 ); perfProfile.lastTimeoutValue = 100; perfProfile.targetCpuPerformance = 10; perfProfile.globalTargetCpuPerformance = GLOBAL_CPU_USAGE_TARGET_WHEN_TASKED; perfProfile.timeoutIncrementPerSec = 50; rSequence_getRU32( event, RP_TAGS_PROCESS_ID, &pid ); if( NULL != ( dummy = rEvent_create( TRUE ) ) ) { if( (RU32)( -1 ) == pid ) { lookForHiddenModules( dummy, event ); } else { lookForHiddenModulesIn( dummy, pid, event, &perfProfile ); } rEvent_free( dummy ); } }
//============================================================================= // Entry Point //============================================================================= RU32 RPAL_THREAD_FUNC RpHcpI_mainThread ( rEvent isTimeToStop ) { RU32 ret = 0; RU64 nextBeaconTime = 0; rList cloudMessages = NULL; rSequence msg = NULL; rList newConfigurations = NULL; rList newNotifications = NULL; RPU8 newConfigurationHash = NULL; RU32 newHashSize = 0; rSequence staticConfig = NULL; RU8* tmpBuffer = NULL; RU32 tmpSize = 0; FORCE_LINK_THAT( HCP_IFACE ); CryptoLib_init(); getPrivileges(); // This is the event for the collectors, it is different than the // hbs proper event so that we can restart the collectors without // signaling hbs as a whole. if( NULL == ( g_hbs_state.isTimeToStop = rEvent_create( TRUE ) ) ) { return (RU32)-1; } // By default, no collectors are running rEvent_set( g_hbs_state.isTimeToStop ); // We attempt to load some initial config from the serialized // rSequence that can be patched in this binary. if( NULL != ( staticConfig = getStaticConfig() ) ) { if( rSequence_getBUFFER( staticConfig, RP_TAGS_HBS_ROOT_PUBLIC_KEY, &tmpBuffer, &tmpSize ) ) { hbs_cloud_pub_key = rpal_memory_duplicate( tmpBuffer, tmpSize ); if( NULL == hbs_cloud_pub_key ) { hbs_cloud_pub_key = hbs_cloud_default_pub_key; } rpal_debug_info( "loading hbs root public key from static config" ); } if( rSequence_getRU32( staticConfig, RP_TAGS_MAX_QUEUE_SIZE, &g_hbs_state.maxQueueNum ) ) { rpal_debug_info( "loading max queue size from static config" ); } else { g_hbs_state.maxQueueNum = HBS_EXFIL_QUEUE_MAX_NUM; } if( rSequence_getRU32( staticConfig, RP_TAGS_MAX_SIZE, &g_hbs_state.maxQueueSize ) ) { rpal_debug_info( "loading max queue num from static config" ); } else { g_hbs_state.maxQueueSize = HBS_EXFIL_QUEUE_MAX_SIZE; } rSequence_free( staticConfig ); } else { hbs_cloud_pub_key = hbs_cloud_default_pub_key; g_hbs_state.maxQueueNum = HBS_EXFIL_QUEUE_MAX_NUM; g_hbs_state.maxQueueSize = HBS_EXFIL_QUEUE_MAX_SIZE; } if( !rQueue_create( &g_hbs_state.outQueue, freeExfilEvent, g_hbs_state.maxQueueNum ) ) { rEvent_free( g_hbs_state.isTimeToStop ); return (RU32)-1; } // We simply enqueue a message to let the cloud know we're starting sendStartupEvent(); while( !rEvent_wait( isTimeToStop, (RU32)nextBeaconTime ) ) { nextBeaconTime = MSEC_FROM_SEC( HBS_DEFAULT_BEACON_TIMEOUT + ( rpal_rand() % HBS_DEFAULT_BEACON_TIMEOUT_FUZZ ) ); if( NULL != ( cloudMessages = beaconHome() ) ) { while( rList_getSEQUENCE( cloudMessages, RP_TAGS_MESSAGE, &msg ) ) { // Cloud message indicating next requested beacon time, as a Seconds delta if( rSequence_getTIMEDELTA( msg, RP_TAGS_TIMEDELTA, &nextBeaconTime ) ) { nextBeaconTime = MSEC_FROM_SEC( nextBeaconTime ); rpal_debug_info( "received set_next_beacon" ); } if( NULL == newConfigurations && rSequence_getLIST( msg, RP_TAGS_HBS_CONFIGURATIONS, &newConfigurations ) ) { rpal_debug_info( "received a new profile" ); if( rSequence_getBUFFER( msg, RP_TAGS_HASH, &newConfigurationHash, &newHashSize ) && newHashSize == CRYPTOLIB_HASH_SIZE ) { newConfigurations = rList_duplicate( newConfigurations ); rpal_memory_memcpy( &( g_hbs_state.currentConfigHash ), newConfigurationHash, CRYPTOLIB_HASH_SIZE ); g_hbs_state.isProfilePresent = TRUE; } else { newConfigurations = NULL; rpal_debug_error( "profile hash received is invalid" ); } } if( NULL == newNotifications && rSequence_getLIST( msg, RP_TAGS_HBS_CLOUD_NOTIFICATIONS, &newNotifications ) ) { rpal_debug_info( "received cloud events" ); newNotifications = rList_duplicate( newNotifications ); } } rList_free( cloudMessages ); } // If this is the initial boot and we have no profile yet, we'll load a dummy // blank profile and use our defaults. if( NULL == newConfigurations && !g_hbs_state.isProfilePresent && !rEvent_wait( isTimeToStop, 0 ) ) { newConfigurations = rList_new( RP_TAGS_HCP_MODULES, RPCM_SEQUENCE ); rpal_debug_info( "setting empty profile" ); } if( NULL != newConfigurations ) { // We try to be as responsive as possible when asked to quit // so if we happen to have received the signal during a beacon // we will action the quit instead of the config change. if( !rEvent_wait( isTimeToStop, 0 ) ) { rpal_debug_info( "begining sensor update on new profile" ); shutdownCollectors(); updateCollectorConfigs( newConfigurations ); rList_free( newConfigurations ); newConfigurations = NULL; startCollectors(); } else { rList_free( newConfigurations ); } newConfigurations = NULL; } if( NULL != newNotifications ) { if( !rEvent_wait( isTimeToStop, 0 ) ) { publishCloudNotifications( newNotifications ); } rList_free( newNotifications ); newNotifications = NULL; } } // We issue one last beacon indicating we are stopping sendShutdownEvent(); // Shutdown everything shutdownCollectors(); // Cleanup the last few resources rEvent_free( g_hbs_state.isTimeToStop ); rQueue_free( g_hbs_state.outQueue ); CryptoLib_deinit(); if( hbs_cloud_default_pub_key != hbs_cloud_pub_key && NULL != hbs_cloud_pub_key ) { rpal_memory_free( hbs_cloud_pub_key ); hbs_cloud_pub_key = NULL; } return ret; }
static RVOID scan_for_hollowing ( rpcm_tag eventType, rSequence event ) { RU32 pid = (RU32)( -1 ); rEvent dummy = NULL; rList hollowedModules = NULL; rSequence process = NULL; LibOsPerformanceProfile perfProfile = { 0 }; Atom parentAtom = { 0 }; UNREFERENCED_PARAMETER( eventType ); if( NULL != ( dummy = rEvent_create( TRUE ) ) ) { perfProfile.targetCpuPerformance = 10; perfProfile.globalTargetCpuPerformance = GLOBAL_CPU_USAGE_TARGET_WHEN_TASKED; perfProfile.timeoutIncrementPerSec = _PROFILE_INCREMENT; perfProfile.enforceOnceIn = 7; perfProfile.lastTimeoutValue = _INITIAL_PROFILED_TIMEOUT; perfProfile.sanityCeiling = _SANITY_CEILING; if( rSequence_getRU32( event, RP_TAGS_PROCESS_ID, &pid ) ) { if( NULL != ( process = processLib_getProcessInfo( pid, NULL ) ) || ( NULL != ( process = rSequence_new() ) && rSequence_addRU32( process, RP_TAGS_PROCESS_ID, pid ) ) ) { if( NULL != ( hollowedModules = _spotCheckProcess( dummy, pid, &perfProfile ) ) ) { if( !rSequence_addLIST( process, RP_TAGS_MODULES, hollowedModules ) ) { rList_free( hollowedModules ); } else { parentAtom.key.category = RP_TAGS_NOTIFICATION_NEW_PROCESS; parentAtom.key.process.pid = pid; if( atoms_query( &parentAtom, 0 ) ) { HbsSetParentAtom( process, parentAtom.id ); } hbs_publish( RP_TAGS_NOTIFICATION_MODULE_MEM_DISK_MISMATCH, process ); } } } if( rpal_memory_isValid( process ) ) { rSequence_free( process ); } } rEvent_free( dummy ); } }
static VOID WINAPI ServiceMain ( DWORD dwArgc, RPCHAR lpszArgv ) { RU32 memUsed = 0; RWCHAR svcName[] = { _SERVICE_NAME }; RU32 i = 0; UNREFERENCED_PARAMETER( dwArgc ); UNREFERENCED_PARAMETER( lpszArgv ); if( NULL == ( g_svc_status_handle = RegisterServiceCtrlHandlerW( svcName, SvcCtrlHandler ) ) ) { return; } rpal_memory_zero( &g_svc_status, sizeof( g_svc_status ) ); g_svc_status.dwServiceType = SERVICE_WIN32_OWN_PROCESS; g_svc_status.dwControlsAccepted = 0; g_svc_status.dwCurrentState = SERVICE_START_PENDING; g_svc_status.dwWin32ExitCode = 0; g_svc_status.dwServiceSpecificExitCode = 0; g_svc_status.dwCheckPoint = 0; SetServiceStatus( g_svc_status_handle, &g_svc_status ); if( NULL == ( g_timeToQuit = rEvent_create( TRUE ) ) ) { g_svc_status.dwControlsAccepted = 0; g_svc_status.dwCurrentState = SERVICE_STOPPED; g_svc_status.dwWin32ExitCode = GetLastError(); g_svc_status.dwCheckPoint = 1; SetServiceStatus( g_svc_status_handle, &g_svc_status ); return; } rpal_debug_info( "initialising rpHCP." ); if( !rpHostCommonPlatformLib_launch( g_svc_primary, g_svc_secondary ) ) { rpal_debug_warning( "error launching hcp." ); } for( i = 0; i < ARRAY_N_ELEM( g_manual_loads ); i++ ) { if( NULL != g_manual_loads[ i ].modPath ) { if( 0 != g_manual_loads[ i ].nMod ) { #ifdef HCP_EXE_ENABLE_MANUAL_LOAD rpHostCommonPlatformLib_load( g_manual_loads[ i ].modPath, g_manual_loads[ i ].nMod ); #endif } else { rpal_debug_error( "Mismatched number of -m modulePath and -n moduleId statements provided!" ); } rpal_memory_free( g_manual_loads[ i ].modPath ); g_manual_loads[ i ].modPath = NULL; } else { break; } } g_svc_status.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN; g_svc_status.dwCurrentState = SERVICE_RUNNING; g_svc_status.dwWin32ExitCode = 0; g_svc_status.dwCheckPoint = 1; SetServiceStatus( g_svc_status_handle, &g_svc_status ); rpal_debug_info( "...running, waiting to exit..." ); rEvent_wait( g_timeToQuit, RINFINITE ); rEvent_free( g_timeToQuit ); rpal_debug_info( "...exiting..." ); rpal_Context_cleanup(); memUsed = rpal_memory_totalUsed(); if( 0 != memUsed ) { rpal_debug_critical( "Memory leak: %d bytes.\n", memUsed ); //rpal_memory_findMemory(); #ifdef RPAL_FEATURE_MEMORY_ACCOUNTING rpal_memory_printDetailedUsage(); #endif } g_svc_status.dwControlsAccepted = 0; g_svc_status.dwCurrentState = SERVICE_STOPPED; g_svc_status.dwWin32ExitCode = 0; g_svc_status.dwCheckPoint = 3; SetServiceStatus( g_svc_status_handle, &g_svc_status ); }
static rList assembleRequest ( RPU8 optCrashCtx, RU32 optCrashCtxSize ) { rSequence req = NULL; RU32 moduleIndex = 0; rList msgList = NULL; rList modList = NULL; rSequence modEntry = NULL; if( NULL != ( req = rSequence_new() ) ) { // Add some basic info rSequence_addRU32( req, RP_TAGS_MEMORY_USAGE, rpal_memory_totalUsed() ); rSequence_addTIMESTAMP( req, RP_TAGS_TIMESTAMP, rpal_time_getGlobal() ); // If we have a crash context to report if( NULL != optCrashCtx ) { if( !rSequence_addBUFFER( req, RP_TAGS_HCP_CRASH_CONTEXT, optCrashCtx, optCrashCtxSize ) ) { rpal_debug_error( "error adding crash context of size %d to hcp beacon", optCrashCtxSize ); } else { rpal_debug_info( "crash context is being bundled in hcp beacon" ); } } // List of loaded modules if( NULL != ( modList = rList_new( RP_TAGS_HCP_MODULE, RPCM_SEQUENCE ) ) ) { for( moduleIndex = 0; moduleIndex < RP_HCP_CONTEXT_MAX_MODULES; moduleIndex++ ) { if( NULL != g_hcpContext.modules[ moduleIndex ].hModule ) { if( NULL != ( modEntry = rSequence_new() ) ) { if( !rSequence_addBUFFER( modEntry, RP_TAGS_HASH, g_hcpContext.modules[ moduleIndex ].hash, sizeof( g_hcpContext.modules[ moduleIndex ].hash ) ) || !rSequence_addRU8( modEntry, RP_TAGS_HCP_MODULE_ID, g_hcpContext.modules[ moduleIndex ].id ) || !rList_addSEQUENCE( modList, modEntry ) ) { break; } // We take the opportunity to cleanup the list of modules... if( rpal_thread_wait( g_hcpContext.modules[ moduleIndex ].hThread, 0 ) ) { // This thread has exited, which is our signal that the module // has stopped executing... rEvent_free( g_hcpContext.modules[ moduleIndex ].isTimeToStop ); rpal_thread_free( g_hcpContext.modules[ moduleIndex ].hThread ); rpal_memory_zero( &(g_hcpContext.modules[ moduleIndex ]), sizeof( g_hcpContext.modules[ moduleIndex ] ) ); if( !rSequence_addRU8( modEntry, RP_TAGS_HCP_MODULE_TERMINATED, 1 ) ) { break; } } } } } if( !rSequence_addLIST( req, RP_TAGS_HCP_MODULES, modList ) ) { rList_free( modList ); } } if( NULL != ( msgList = rList_new( RP_TAGS_MESSAGE, RPCM_SEQUENCE ) ) ) { if( !rList_addSEQUENCE( msgList, req ) ) { rList_free( msgList ); rSequence_free( req ); msgList = NULL; } } else { rSequence_free( req ); } } return msgList; }