static
int
_yaraMemMatchCallback
(
int message,
void* message_data,
void* user_data
)
{
YR_RULE* rule = (YR_RULE*)message_data;
YaraMatchContext* context = (YaraMatchContext*)user_data;
rSequence event = NULL;
if( CALLBACK_MSG_RULE_MATCHING == message &&
NULL != message_data &&
NULL != user_data )
{
if( NULL != ( event = rSequence_new() ) )
{
rSequence_addRU32( event, RP_TAGS_PROCESS_ID, context->pid );
rSequence_addPOINTER64( event, RP_TAGS_BASE_ADDRESS, context->regionBase );
rSequence_addRU64( event, RP_TAGS_MEMORY_SIZE, context->regionSize );
hbs_markAsRelated( context->fileInfo, event );
if( NULL == context->processInfo )
{
context->processInfo = processLib_getProcessInfo( context->pid, NULL );
}
if( NULL != context->processInfo )
{
rSequence_addSEQUENCE( event, RP_TAGS_PROCESS, rSequence_duplicate( context->processInfo ) );
}
if( NULL != context->moduleInfo )
{
rSequence_addSEQUENCE( event, RP_TAGS_DLL, rSequence_duplicate( context->moduleInfo ) );
}
rSequence_addSTRINGA( event, RP_TAGS_RULE_NAME, (char*)rule->identifier );
notifications_publish( RP_TAGS_NOTIFICATION_YARA_DETECTION, event );
rSequence_free( event );
}
else
{
rpal_debug_warning( "error creating event from Yara match" );
}
}
return CALLBACK_CONTINUE;
}
static RBOOL
notifyOfKernelModule
(
KernelAcqModule* module
)
{
RBOOL isSuccess = FALSE;
rSequence notif = NULL;
RU32 pathLength = 0;
RU32 i = 0;
RPNCHAR dirSep = RPAL_FILE_LOCAL_DIR_SEP_N;
RPNCHAR cleanPath = NULL;
Atom parentAtom = { 0 };
if( NULL != module )
{
if( NULL != ( notif = rSequence_new() ) )
{
module->ts += MSEC_FROM_SEC( rpal_time_getGlobalFromLocal( 0 ) );
hbs_timestampEvent( notif, module->ts );
parentAtom.key.category = RP_TAGS_NOTIFICATION_NEW_PROCESS;
parentAtom.key.process.pid = module->pid;
if( atoms_query( &parentAtom, module->ts ) )
{
HbsSetParentAtom( notif, parentAtom.id );
}
rSequence_addRU32( notif, RP_TAGS_PROCESS_ID, module->pid );
rSequence_addPOINTER64( notif, RP_TAGS_BASE_ADDRESS, (RU64)module->baseAddress );
rSequence_addRU64( notif, RP_TAGS_MEMORY_SIZE, module->imageSize );
if( 0 != ( pathLength = rpal_string_strlen( module->path ) ) )
{
cleanPath = rpal_file_clean( module->path );
rSequence_addSTRINGN( notif, RP_TAGS_FILE_PATH, cleanPath ? cleanPath : module->path );
rpal_memory_free( cleanPath );
// For compatibility with user mode we extract the module name.
for( i = pathLength - 1; i != 0; i-- )
{
if( dirSep[ 0 ] == module->path[ i ] )
{
i++;
break;
}
}
rSequence_addSTRINGN( notif, RP_TAGS_MODULE_NAME, &( module->path[ i ] ) );
if( hbs_publish( RP_TAGS_NOTIFICATION_MODULE_LOAD,
notif ) )
{
isSuccess = TRUE;
}
}
rSequence_free( notif );
}
}
return isSuccess;
}
RPRIVATE
RVOID
_searchForStrings
(
rList stringsFound,
rList searchStrings,
RPU8 pBuff,
RU64 size,
RU64 baseAddr,
RU32 minLength,
RU32 maxLength
)
{
RPU8 pCurr;
RPU8 pEnd;
RPCHAR pStartStr = NULL;
RBOOL isChar;
RPU16 pwCurr;
RPU16 pwEnd;
RBOOL isWChar;
RPWCHAR pwStartStr = NULL;
RPWCHAR thisStrW = NULL;
rSequence newFoundStr;
pCurr = pBuff;
pEnd = pBuff + size;
// currently we only deal with NULL terminated strings
// start with ascii strings...
while( pCurr < pEnd )
{
isChar = rpal_string_isprint( *pCurr );
if( NULL == pStartStr && isChar ) // found the begining of a string
{
pStartStr = (RPCHAR)pCurr;
}
else if( NULL != pStartStr && ( !isChar || 0 == *pCurr ) ) // found the end of a string
{
// is string NULL or Non-Ascii terminated
if( 0 == *pCurr || !rpal_string_charIsAscii( *pCurr ) )
{
// Null terminate it so we can use it like a normal string
*pCurr = 0;
// strlen is really pCurr - pStartStr
if( (RU32)( (RPCHAR)pCurr - pStartStr ) >= minLength &&
(RU32)( (RPCHAR)pCurr - pStartStr ) <= maxLength ) // is string long enough
{
// convert string to wide char for comparision
if( NULL != ( thisStrW = rpal_string_atow( pStartStr ) ) )
{
if( _isStringInList( searchStrings, thisStrW ) && NULL != ( newFoundStr = rSequence_new() ) )
{
rSequence_addSTRINGW( newFoundStr, RP_TAGS_STRING, thisStrW );
rSequence_addRU64( newFoundStr, RP_TAGS_MEMORY_ADDRESS, baseAddr + ( (RPU8)pStartStr - pBuff ) );
if( !rList_addSEQUENCE( stringsFound, newFoundStr ) )
{
rSequence_free( newFoundStr );
}
}
rpal_memory_free( thisStrW );
}
}
}
pStartStr = NULL;
}
pCurr++;
}
// Now look for Unicode strings
pwCurr = (RPU16)pBuff;
pwEnd = pwCurr + ( size / 2 );
while( pwCurr < pwEnd )
{
isWChar = rpal_string_isprintW( *pwCurr );
if( NULL == pwStartStr && isWChar ) // found the begining of a string
{
pwStartStr = (RPWCHAR)pwCurr;
}
else if( NULL != pwStartStr && ( !isWChar || 0 == *pwCurr ) ) // found the end of a string
{
// is string NULL terminated
if( 0 == *pwCurr )
{
// wcslen is really pCurr - pStartStr
if( (RU32)( (RPWCHAR)pwCurr - pwStartStr ) >= minLength &&
(RU32)( (RPWCHAR)pwCurr - pwStartStr ) <= maxLength ) // is string long enough
{
if( _isStringInList( searchStrings, pwStartStr ) && NULL != ( newFoundStr = rSequence_new() ) )
{
rSequence_addSTRINGW( newFoundStr, RP_TAGS_STRING, pwStartStr );
rSequence_addRU64( newFoundStr, RP_TAGS_MEMORY_ADDRESS, baseAddr + ( (RPU8)pwStartStr - pBuff ) );
if( !rList_addSEQUENCE( stringsFound, newFoundStr ) )
{
rSequence_free( newFoundStr );
}
}
}
}
pwStartStr = NULL;
}
pwCurr++;
}
}
