static
int
_yaraFileMatchCallback
(
int message,
void* message_data,
void* user_data
)
{
YR_RULE* rule = (YR_RULE*)message_data;
YaraMatchContext* context = (YaraMatchContext*)user_data;
rSequence event = NULL;
if( CALLBACK_MSG_RULE_MATCHING == message &&
NULL != message_data &&
NULL != user_data )
{
if( NULL != ( event = rSequence_duplicate( context->fileInfo ) ) )
{
rSequence_addSTRINGA( event, RP_TAGS_RULE_NAME, (char*)rule->identifier );
notifications_publish( RP_TAGS_NOTIFICATION_YARA_DETECTION, event );
rSequence_free( event );
}
else
{
rpal_debug_warning( "error creating event from Yara match" );
}
}
return CALLBACK_CONTINUE;
}
RBOOL
hbs_markAsRelated
(
rSequence parent,
rSequence toMark
)
{
RBOOL isSuccess = FALSE;
RPCHAR invId = NULL;
if( rpal_memory_isValid( parent ) &&
rpal_memory_isValid( toMark ) )
{
isSuccess = TRUE;
if( rSequence_getSTRINGA( parent, RP_TAGS_HBS_INVESTIGATION_ID, &invId ) )
{
isSuccess = FALSE;
if( rSequence_addSTRINGA( toMark, RP_TAGS_HBS_INVESTIGATION_ID, invId ) )
{
isSuccess = TRUE;
}
}
}
return isSuccess;
}
static
int
_yaraMemMatchCallback
(
int message,
void* message_data,
void* user_data
)
{
YR_RULE* rule = (YR_RULE*)message_data;
YaraMatchContext* context = (YaraMatchContext*)user_data;
rSequence event = NULL;
if( CALLBACK_MSG_RULE_MATCHING == message &&
NULL != message_data &&
NULL != user_data )
{
if( NULL != ( event = rSequence_new() ) )
{
rSequence_addRU32( event, RP_TAGS_PROCESS_ID, context->pid );
rSequence_addPOINTER64( event, RP_TAGS_BASE_ADDRESS, context->regionBase );
rSequence_addRU64( event, RP_TAGS_MEMORY_SIZE, context->regionSize );
hbs_markAsRelated( context->fileInfo, event );
if( NULL == context->processInfo )
{
context->processInfo = processLib_getProcessInfo( context->pid, NULL );
}
if( NULL != context->processInfo )
{
rSequence_addSEQUENCE( event, RP_TAGS_PROCESS, rSequence_duplicate( context->processInfo ) );
}
if( NULL != context->moduleInfo )
{
rSequence_addSEQUENCE( event, RP_TAGS_DLL, rSequence_duplicate( context->moduleInfo ) );
}
rSequence_addSTRINGA( event, RP_TAGS_RULE_NAME, (char*)rule->identifier );
notifications_publish( RP_TAGS_NOTIFICATION_YARA_DETECTION, event );
rSequence_free( event );
}
else
{
rpal_debug_warning( "error creating event from Yara match" );
}
}
return CALLBACK_CONTINUE;
}
static
RVOID
processCodeIdentA
(
RPCHAR name,
RPU8 pFileHash,
RU64 codeSize,
rSequence originalEvent
)
{
CodeIdent ident = { 0 };
rSequence notif = NULL;
ident.codeSize = codeSize;
if( NULL != name )
{
CryptoLib_hash( name, rpal_string_strlen( name ) * sizeof( RCHAR ), ident.nameHash );
}
if( NULL != pFileHash )
{
rpal_memory_memcpy( ident.fileHash, pFileHash, CRYPTOLIB_HASH_SIZE );
}
if( rpal_bloom_addIfNew( knownCode, &ident, sizeof( ident ) ) )
{
if( NULL != ( notif = rSequence_new() ) )
{
hbs_markAsRelated( originalEvent, notif );
if( rSequence_addSTRINGA( notif, RP_TAGS_FILE_NAME, name ) &&
rSequence_addBUFFER( notif, RP_TAGS_HASH, pFileHash, CRYPTOLIB_HASH_SIZE ) &&
rSequence_addRU32( notif, RP_TAGS_MEMORY_SIZE, (RU32)codeSize ) &&
rSequence_addTIMESTAMP( notif, RP_TAGS_TIMESTAMP, rpal_time_getGlobal() ) )
{
notifications_publish( RP_TAGS_NOTIFICATION_CODE_IDENTITY, notif );
}
rSequence_free( notif );
}
}
}
//=============================================================================
// YARA Required Shims
//=============================================================================
static
RVOID
reportError
(
rSequence originalRequest,
RU32 errorCode,
RPCHAR errorStr
)
{
rSequence event = NULL;
if( NULL != ( event = rSequence_new() ) )
{
hbs_markAsRelated( originalRequest, event );
rSequence_addRU32( event, RP_TAGS_ERROR, errorCode );
rSequence_addSTRINGA( event, RP_TAGS_ERROR_MESSAGE, errorStr ? errorStr : "" );
rSequence_addTIMESTAMP( event, RP_TAGS_TIMESTAMP, rpal_time_getGlobal() );
notifications_publish( RP_TAGS_NOTIFICATION_YARA_DETECTION, event );
rSequence_free( event );
}
}
RPRIVATE
RVOID
processDnsPacket
(
KernelAcqDnsPacket* pDns
)
{
rSequence notification = NULL;
RU32 i = 0;
DnsLabel* pLabel = NULL;
DnsHeader* dnsHeader = NULL;
DnsResponseInfo* pResponseInfo = NULL;
RCHAR domain[ DNS_LABEL_MAX_SIZE ] = { 0 };
RU16 recordType = 0;
RU64 timestamp = 0;
Atom parentAtom = { 0 };
if( NULL == pDns )
{
return;
}
dnsHeader = (DnsHeader*)( (RPU8)pDns + sizeof( *pDns ) );
pLabel = (DnsLabel*)dnsHeader->data;
// We are parsing DNS packets coming from the kernel. They may:
// 1- Be requests and not responses, check there are Answers.
// 2- Be maliciously crafter packets so we need extra checking for sanity.
if( 0 == dnsHeader->anCount ||
0 == dnsHeader->qr ||
DNS_SANITY_MAX_RECORDS < rpal_ntoh16( dnsHeader->qdCount ) ||
DNS_SANITY_MAX_RECORDS < rpal_ntoh16( dnsHeader->anCount ) )
{
return;
}
// We need to walk the Questions first to get to the Answers
// but we don't really care to record them since they'll be repeated
// in the Answers.
for( i = 0; i < rpal_ntoh16( dnsHeader->qdCount ); i++ )
{
DnsQuestionInfo* pQInfo = NULL;
pLabel = dnsReadLabels( pLabel, NULL, (RPU8)dnsHeader, pDns->packetSize, 0, 0 );
pQInfo = (DnsQuestionInfo*)( pLabel );
if( !IS_WITHIN_BOUNDS( pQInfo, sizeof( *pQInfo ), dnsHeader, pDns->packetSize ) )
{
rpal_debug_warning( "error parsing dns packet" );
break;
}
pLabel = (DnsLabel*)( (RPU8)pQInfo + sizeof( *pQInfo ) );
}
if( !IS_WITHIN_BOUNDS( pLabel, sizeof( RU16 ), dnsHeader, pDns->packetSize ) )
{
rpal_debug_warning( "error parsing dns packet" );
return;
}
// This is what we care about, the Answers (which also point to each Question).
// We will emit one event per Answer so as to keep the DNS_REQUEST event flat and atomic.
for( i = 0; i < rpal_ntoh16( dnsHeader->anCount ); i++ )
{
pResponseInfo = NULL;
// This was the Question for this answer.
rpal_memory_zero( domain, sizeof( domain ) );
pLabel = dnsReadLabels( pLabel, domain, (RPU8)dnsHeader, pDns->packetSize, 0, 0 );
pResponseInfo = (DnsResponseInfo*)pLabel;
pLabel = (DnsLabel*)( (RPU8)pResponseInfo + sizeof( *pResponseInfo ) + rpal_ntoh16( pResponseInfo->rDataLength ) );
if( !IS_WITHIN_BOUNDS( pResponseInfo, sizeof( *pResponseInfo ), dnsHeader, pDns->packetSize ) )
{
rpal_debug_warning( "error parsing dns packet" );
break;
}
if( NULL == ( notification = rSequence_new() ) )
{
rpal_debug_warning( "error parsing dns packet" );
break;
}
// This is a timestamp coming from the kernel so it is not globally adjusted.
// We'll adjust it with the global offset.
timestamp = pDns->ts;
timestamp += MSEC_FROM_SEC( rpal_time_getGlobalFromLocal( 0 ) );
// Try to relate the DNS request to the owner process, this only works on OSX
// at the moment (since the kernel does not expose the PID at the packet capture
// stage), and even on OSX it's the DNSResolver process. So it's not super useful
// but regardless we have the mechanism here as it's better than nothing and when
// we add better resolving in the kernel it will work transparently.
parentAtom.key.process.pid = pDns->pid;
parentAtom.key.category = RP_TAGS_NOTIFICATION_NEW_PROCESS;
if( atoms_query( &parentAtom, timestamp ) )
{
HbsSetParentAtom( notification, parentAtom.id );
}
rSequence_addTIMESTAMP( notification, RP_TAGS_TIMESTAMP, timestamp );
rSequence_addSTRINGA( notification, RP_TAGS_DOMAIN_NAME, domain );
rSequence_addRU32( notification, RP_TAGS_PROCESS_ID, pDns->pid );
recordType = rpal_ntoh16( pResponseInfo->recordType );
rSequence_addRU16( notification, RP_TAGS_MESSAGE_ID, rpal_ntoh16( dnsHeader->msgId ) );
rSequence_addRU16( notification, RP_TAGS_DNS_TYPE, recordType );
if( DNS_A_RECORD == recordType )
{
rSequence_addIPV4( notification, RP_TAGS_IP_ADDRESS, *(RU32*)pResponseInfo->rData );
}
else if( DNS_AAAA_RECORD == recordType )
{
rSequence_addIPV6( notification, RP_TAGS_IP_ADDRESS, pResponseInfo->rData );
}
else if( DNS_CNAME_RECORD == recordType )
{
// CNAME records will have another label as a value and not an IP.
rpal_memory_zero( domain, sizeof( domain ) );
dnsReadLabels( (DnsLabel*)pResponseInfo->rData, domain, (RPU8)dnsHeader, pDns->packetSize, 0, 0 );
rSequence_addSTRINGA( notification, RP_TAGS_CNAME, domain );
}
else
{
// Right now we only care for A, CNAME and AAAA records.
rSequence_free( notification );
notification = NULL;
continue;
}
hbs_publish( RP_TAGS_NOTIFICATION_DNS_REQUEST, notification );
rSequence_free( notification );
notification = NULL;
}
}
static
rString
assembleOutboundStream
(
RpHcp_ModuleId moduleId,
rList payload,
RU8 sessionKey[ CRYPTOLIB_SYM_KEY_SIZE ],
RU8 sessionIv[ CRYPTOLIB_SYM_IV_SIZE ]
)
{
rString str = NULL;
rSequence hdrSeq = NULL;
rSequence hcpid = NULL;
rBlob blob = NULL;
RPCHAR encoded = NULL;
RPU8 encBuffer = NULL;
RU64 encSize = 0;
RPU8 finalBuffer = NULL;
RU32 finalSize = 0;
RPCHAR hostName = NULL;
RBOOL isSuccess = FALSE;
OBFUSCATIONLIB_DECLARE( payHdr, RP_HCP_CONFIG_PAYLOAD_HDR );
str = rpal_stringbuffer_new( 0, 0, FALSE );
if( NULL != str )
{
if( NULL != ( hdrSeq = rSequence_new() ) )
{
if( NULL != ( hcpid = hcpIdToSeq( g_hcpContext.currentId ) ) )
{
// System basic information
// Host Name
if( NULL != ( hostName = libOs_getHostName() ) )
{
rSequence_addSTRINGA( hdrSeq, RP_TAGS_HOST_NAME, hostName );
rpal_memory_free( hostName );
}
else
{
rpal_debug_warning( "could not determine hostname" );
}
// Internal IP
rSequence_addIPV4( hdrSeq, RP_TAGS_IP_ADDRESS, libOs_getMainIp() );
if( rSequence_addSEQUENCE( hdrSeq, RP_TAGS_HCP_ID, hcpid ) &&
rSequence_addRU8( hdrSeq, RP_TAGS_HCP_MODULE_ID, moduleId ) &&
rSequence_addBUFFER( hdrSeq, RP_TAGS_SYM_KEY, sessionKey, CRYPTOLIB_SYM_KEY_SIZE ) &&
rSequence_addBUFFER( hdrSeq, RP_TAGS_SYM_IV, sessionIv, CRYPTOLIB_SYM_IV_SIZE ) )
{
if( NULL != g_hcpContext.enrollmentToken &&
0 != g_hcpContext.enrollmentTokenSize )
{
rSequence_addBUFFER( hdrSeq, RP_TAGS_HCP_ENROLLMENT_TOKEN, g_hcpContext.enrollmentToken, g_hcpContext.enrollmentTokenSize );
}
if( NULL != payload )
{
blob = rpal_blob_create( 0, 0 );
}
if( NULL == payload ||
NULL != blob )
{
if( rSequence_serialise( hdrSeq, blob ) &&
( NULL == payload ||
rList_serialise( payload, blob ) ) )
{
encSize = compressBound( rpal_blob_getSize( blob ) );
encBuffer = rpal_memory_alloc( (RU32)encSize );
if( NULL == payload ||
NULL != encBuffer )
{
if( NULL == payload ||
Z_OK == compress( encBuffer, (uLongf*)&encSize, (RPU8)rpal_blob_getBuffer( blob ), rpal_blob_getSize( blob ) ) )
{
FREE_N_NULL( blob, rpal_blob_free );
if( NULL == payload ||
CryptoLib_fastAsymEncrypt( encBuffer, (RU32)encSize, getC2PublicKey(), &finalBuffer, &finalSize ) )
{
FREE_N_NULL( encBuffer, rpal_memory_free );
if( NULL == payload ||
base64_encode( finalBuffer, finalSize, &encoded, TRUE ) )
{
isSuccess = TRUE;
if( NULL != payload )
{
FREE_N_NULL( finalBuffer, rpal_memory_free );
DO_IFF( rpal_stringbuffer_add( str, "&" ), isSuccess );
OBFUSCATIONLIB_TOGGLE( payHdr );
DO_IFF( rpal_stringbuffer_add( str, (RPCHAR)payHdr ), isSuccess );
DO_IFF( rpal_stringbuffer_add( str, encoded ), isSuccess );
OBFUSCATIONLIB_TOGGLE( payHdr );
}
IF_VALID_DO( encoded, rpal_memory_free );
}
IF_VALID_DO( finalBuffer, rpal_memory_free );
}
}
IF_VALID_DO( encBuffer, rpal_memory_free );
}
}
IF_VALID_DO( blob, rpal_blob_free );
}
}
}
rSequence_free( hdrSeq );
}
if( !isSuccess )
{
rpal_stringbuffer_free( str );
str = NULL;
}
}
return str;
}
static
RVOID
processCodeIdentA
(
RPCHAR name,
CryptoLib_Hash* pFileHash,
RU64 codeSize,
rSequence originalEvent
)
{
CodeIdent ident = { 0 };
rSequence notif = NULL;
rSequence sig = NULL;
RPWCHAR wPath = NULL;
RPWCHAR cleanPath = NULL;
ident.codeSize = codeSize;
if( NULL != name )
{
CryptoLib_hash( name, rpal_string_strlen( name ) * sizeof( RCHAR ), &ident.nameHash );
}
if( NULL != pFileHash )
{
rpal_memory_memcpy( &ident.fileHash, pFileHash, sizeof( *pFileHash ) );
}
if( rMutex_lock( g_mutex ) )
{
if( rpal_bloom_addIfNew( g_knownCode, &ident, sizeof( ident ) ) )
{
rMutex_unlock( g_mutex );
if( NULL != ( notif = rSequence_new() ) )
{
hbs_markAsRelated( originalEvent, notif );
if( ( rSequence_addSTRINGA( notif, RP_TAGS_FILE_PATH, name ) ||
rSequence_addSTRINGA( notif, RP_TAGS_DLL, name ) ||
rSequence_addSTRINGA( notif, RP_TAGS_EXECUTABLE, name ) ) &&
rSequence_addRU32( notif, RP_TAGS_MEMORY_SIZE, (RU32)codeSize ) &&
rSequence_addTIMESTAMP( notif, RP_TAGS_TIMESTAMP, rpal_time_getGlobal() ) )
{
if( NULL != pFileHash )
{
rSequence_addBUFFER( notif, RP_TAGS_HASH, (RPU8)pFileHash, sizeof( *pFileHash ) );
}
if( NULL != ( wPath = rpal_string_atow( name ) ) )
{
cleanPath = rpal_file_cleanw( wPath );
if( libOs_getSignature( cleanPath ? cleanPath : wPath,
&sig,
OSLIB_SIGNCHECK_NO_NETWORK,
NULL,
NULL,
NULL ) )
{
if( !rSequence_addSEQUENCE( notif, RP_TAGS_SIGNATURE, sig ) )
{
rSequence_free( sig );
}
}
if( NULL != cleanPath )
{
rpal_memory_free( cleanPath );
}
rpal_memory_free( wPath );
}
notifications_publish( RP_TAGS_NOTIFICATION_CODE_IDENTITY, notif );
}
rSequence_free( notif );
}
}
else
{
rMutex_unlock( g_mutex );
}
}
}