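/*
 * Walks the module list of the first live process entry and checks that the
 * first module carries a non-empty wide-string file path.
 *
 * Fixes an allocator/deallocator mismatch: processLib_getProcessModules()
 * returns an rList, so it is released with rList_free() (as test_handles
 * does for its rList), not rSequence_free().
 */
void test_modules( void )
{
    processLibProcEntry* entries = NULL;
    RU32 entryIndex = 0;
    rList mods = NULL;
    rSequence mod = NULL;
    RPWCHAR path = NULL;

    entries = processLib_getProcessEntries( TRUE );
    CU_ASSERT_PTR_NOT_EQUAL_FATAL( entries, NULL );
    /* The first entry must be a real process; a zero pid would make the
     * module lookup below meaningless. */
    CU_ASSERT_NOT_EQUAL_FATAL( entries[ entryIndex ].pid, 0 );

    mods = processLib_getProcessModules( entries[ entryIndex ].pid );
    CU_ASSERT_PTR_NOT_EQUAL( mods, NULL );

    /* Only the first module of the list is inspected. */
    CU_ASSERT_TRUE( rList_getSEQUENCE( mods, RP_TAGS_DLL, &mod ) );
    CU_ASSERT_TRUE( rSequence_getSTRINGW( mod, RP_TAGS_FILE_PATH, &path ) );
    CU_ASSERT_PTR_NOT_EQUAL( path, NULL );
    CU_ASSERT_NOT_EQUAL( rpal_string_strlenw( path ), 0 );

    /* path points into mods, so it is released only through the list. */
    rList_free( mods );
    rpal_memory_free( entries );
}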
/*
 * Fetches the process-info sequence for the first process entry and verifies
 * that it carries a non-empty wide-string file path.
 */
void test_processInfo( void )
{
    RU32 first = 0;
    RPWCHAR imagePath = NULL;
    rSequence info = NULL;
    processLibProcEntry* procEntries = processLib_getProcessEntries( TRUE );

    /* Without at least one real process there is nothing to query. */
    CU_ASSERT_PTR_NOT_EQUAL_FATAL( procEntries, NULL );
    CU_ASSERT_NOT_EQUAL_FATAL( procEntries[ first ].pid, 0 );

    info = processLib_getProcessInfo( procEntries[ first ].pid );
    CU_ASSERT_PTR_NOT_EQUAL( info, NULL );

    /* The path is owned by info and is not freed separately. */
    CU_ASSERT_TRUE( rSequence_getSTRINGW( info, RP_TAGS_FILE_PATH, &imagePath ) );
    CU_ASSERT_PTR_NOT_EQUAL( imagePath, NULL );
    CU_ASSERT_NOT_EQUAL( rpal_string_strlenw( imagePath ), 0 );

    rSequence_free( info );
    rpal_memory_free( procEntries );
}
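/*
 * Publishes a CODE_IDENTITY notification the first time a given
 * (name hash, file hash, code size) identity is observed.
 *
 * name          wide path of the code; may be NULL, in which case the name
 *               hash stays zero
 * pFileHash     CRYPTOLIB_HASH_SIZE bytes of file hash; may be NULL
 * codeSize      size of the code in memory, truncated to RU32 in the event
 * originalEvent event the notification is marked as related to
 *
 * The identity is built in a zero-initialised CodeIdent so that absent
 * fields contribute the same bytes to the bloom-filter key on every call.
 *
 * Fix: pFileHash is optional (it is NULL-checked before the memcpy), but the
 * original passed it to rSequence_addBUFFER unconditionally, which would
 * read CRYPTOLIB_HASH_SIZE bytes from a null pointer. The hash is now only
 * attached when present; when it is present, a failed add still suppresses
 * the publish, as before.
 */
static RVOID processCodeIdentW( RPWCHAR name, RPU8 pFileHash, RU64 codeSize, rSequence originalEvent )
{
    CodeIdent ident = { 0 };
    rSequence notif = NULL;

    ident.codeSize = codeSize;
    if( NULL != name )
    {
        /* Hash the raw wide-char bytes of the name, terminator excluded. */
        CryptoLib_hash( name, rpal_string_strlenw( name ) * sizeof( RWCHAR ), ident.nameHash );
    }
    if( NULL != pFileHash )
    {
        rpal_memory_memcpy( ident.fileHash, pFileHash, CRYPTOLIB_HASH_SIZE );
    }

    /* Only the first sighting of this identity is reported. */
    if( !rpal_bloom_addIfNew( knownCode, &ident, sizeof( ident ) ) )
    {
        return;
    }

    if( NULL == ( notif = rSequence_new() ) )
    {
        return;
    }

    hbs_markAsRelated( originalEvent, notif );
    if( rSequence_addSTRINGW( notif, RP_TAGS_FILE_PATH, name ) &&
        ( NULL == pFileHash ||
          rSequence_addBUFFER( notif, RP_TAGS_HASH, pFileHash, CRYPTOLIB_HASH_SIZE ) ) &&
        rSequence_addRU32( notif, RP_TAGS_MEMORY_SIZE, (RU32)codeSize ) &&
        rSequence_addTIMESTAMP( notif, RP_TAGS_TIMESTAMP, rpal_time_getGlobal() ) )
    {
        notifications_publish( RP_TAGS_NOTIFICATION_CODE_IDENTITY, notif );
    }

    /* notif is released here on every path, matching the original; this
     * presumes notifications_publish does not take ownership — confirm. */
    rSequence_free( notif );
}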
/*
 * Enumerates system handles twice, first without and then with names, and
 * checks that the full enumeration is reasonably large, that every named
 * handle has a non-empty name, and that the named subset is strictly
 * smaller than the full set.
 */
void test_handles( void )
{
    /* Lower bound on the unnamed enumeration expected on a live system. */
    enum { MIN_EXPECTED_HANDLES = 100 };
    rList all = NULL;
    rList named = NULL;
    rSequence cur = NULL;
    RU32 totalCount = 0;
    RU32 namedCount = 0;
    RPWCHAR name = NULL;

    /* Pass 1: first argument 0, no name resolution (FALSE). */
    all = processLib_getHandles( 0, FALSE, NULL );
    CU_ASSERT_PTR_NOT_EQUAL_FATAL( all, NULL );
    for( ; rList_getSEQUENCE( all, RP_TAGS_HANDLE_INFO, &cur ); totalCount++ )
    {
        /* counting only */
    }
    CU_ASSERT_TRUE( MIN_EXPECTED_HANDLES < totalCount );
    rList_free( all );

    /* Pass 2: with name resolution (TRUE); each entry must carry a name. */
    named = processLib_getHandles( 0, TRUE, NULL );
    CU_ASSERT_PTR_NOT_EQUAL_FATAL( named, NULL );
    while( rList_getSEQUENCE( named, RP_TAGS_HANDLE_INFO, &cur ) )
    {
        namedCount++;
        CU_ASSERT_TRUE( rSequence_getSTRINGW( cur, RP_TAGS_HANDLE_NAME, &name ) );
        CU_ASSERT_TRUE( 0 != rpal_string_strlenw( name ) );
    }
    CU_ASSERT_TRUE( namedCount < totalCount );
    rList_free( named );
}
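/*
 * Pulls the services list and checks that the first service has a non-empty
 * name. The name is a wide string on Windows/Linux and a narrow string on
 * macOS, so the accessor and the length call differ per platform.
 *
 * Fixes an allocator/deallocator mismatch: processLib_getServicesList()
 * returns an rList, so it is released with rList_free() (as test_handles
 * does), not rSequence_free().
 */
void test_servicesList( void )
{
    rList svcs = NULL;
    rSequence svc = NULL;
    RU32 type = PROCESSLIB_SVCS;
#if defined( RPAL_PLATFORM_WINDOWS ) || defined( RPAL_PLATFORM_LINUX )
    RPWCHAR svcName = NULL;
#elif defined( RPAL_PLATFORM_MACOSX )
    RPCHAR svcName = NULL;
#endif

    svcs = processLib_getServicesList( type );
    CU_ASSERT_PTR_NOT_EQUAL_FATAL( svcs, NULL );

    /* Only the first service of the list is inspected. */
    CU_ASSERT_TRUE( rList_getSEQUENCE( svcs, RP_TAGS_SVC, &svc ) );

#if defined( RPAL_PLATFORM_WINDOWS ) || defined( RPAL_PLATFORM_LINUX )
    CU_ASSERT_TRUE( rSequence_getSTRINGW( svc, RP_TAGS_SVC_NAME, &svcName ) );
    CU_ASSERT_PTR_NOT_EQUAL( svcName, NULL );
    CU_ASSERT_NOT_EQUAL( rpal_string_strlenw( svcName ), 0 );
#elif defined( RPAL_PLATFORM_MACOSX )
    CU_ASSERT_TRUE( rSequence_getSTRINGA( svc, RP_TAGS_SVC_NAME, &svcName ) );
    CU_ASSERT_PTR_NOT_EQUAL( svcName, NULL );
    CU_ASSERT_NOT_EQUAL( rpal_string_strlen( svcName ), 0 );
#endif

    /* svcName points into svcs, so it is released only through the list. */
    rList_free( svcs );
}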
/*
 * Handles a file event: if the event's path matches one of the document
 * matchers, hashes the file, publishes a NEW_DOCUMENT notification and
 * parks the event (with the file content, when it was read) in the
 * document cache.
 *
 * notif  the incoming event; this function takes ownership of it on every
 *        non-NULL path — it is either pushed into documentCache or freed
 *        here.
 *
 * The path is looked up first as a narrow string (RP_TAGS_FILE_PATH as
 * STRINGA) and, failing that, as a wide string; whichever matched decides
 * which of the A/W file helpers are used below.
 */
static RVOID processFile( rSequence notif )
{
    RPCHAR fileA = NULL;
    RPWCHAR fileW = NULL;
    RPU8 fileContent = NULL;
    RU32 fileSize = 0;
    CryptoLib_Hash hash = { 0 };

    if( NULL != notif )
    {
        /* Both matchers keep per-search state; reset before each event. */
        obsLib_resetSearchState( matcherA );
        obsLib_resetSearchState( matcherW );

        /* The target buffer length includes the terminator (+1 char). */
        if( ( rSequence_getSTRINGA( notif, RP_TAGS_FILE_PATH, &fileA ) &&
              obsLib_setTargetBuffer( matcherA, fileA, ( rpal_string_strlen( fileA ) + 1 ) * sizeof( RCHAR ) ) &&
              obsLib_nextHit( matcherA, NULL, NULL ) ) ||
            ( rSequence_getSTRINGW( notif, RP_TAGS_FILE_PATH, &fileW ) &&
              obsLib_setTargetBuffer( matcherW, fileW, ( rpal_string_strlenw( fileW ) + 1 ) * sizeof( RWCHAR ) ) &&
              obsLib_nextHit( matcherW, NULL, NULL ) ) )
        {
            // This means it's a file of interest.
            // Small files (<= DOCUMENT_MAX_SIZE) are read whole and hashed in
            // memory; anything else, or a failed in-memory attempt, falls back
            // to hashing the file on disk without keeping its content.
            // NOTE(review): the size is checked before the read, so a file
            // that grows in between is still read in full unless
            // rpal_file_read/rpal_file_readw bound the read themselves —
            // confirm.
            if( ( NULL != fileA &&
                  ( ( DOCUMENT_MAX_SIZE >= rpal_file_getSize( fileA, TRUE ) &&
                      rpal_file_read( fileA, (RPVOID*)&fileContent, &fileSize, TRUE ) &&
                      CryptoLib_hash( fileContent, fileSize, &hash ) ) ||
                    CryptoLib_hashFileA( fileA, &hash, TRUE ) ) ) ||
                ( NULL != fileW &&
                  ( ( DOCUMENT_MAX_SIZE >= rpal_file_getSizew( fileW, TRUE ) &&
                      rpal_file_readw( fileW, (RPVOID*)&fileContent, &fileSize, TRUE ) &&
                      CryptoLib_hash( fileContent, fileSize, &hash ) ) ||
                    CryptoLib_hashFileW( fileW, &hash, TRUE ) ) ) )
            {
                // We acquired the hash, either by reading the entire file in memory
                // which we will use for caching, or if it was too big by hashing it
                // sequentially on disk.
                rSequence_unTaintRead( notif );
                rSequence_addBUFFER( notif, RP_TAGS_HASH, (RPU8)&hash, sizeof( hash ) );
                notifications_publish( RP_TAGS_NOTIFICATION_NEW_DOCUMENT, notif );
            }

            // Cache the event only when the content is in memory; if any
            // step fails the event is released here instead.
            // NOTE(review): an event whose hash could not be acquired above
            // but whose content was read still reaches the cache — confirm
            // that is intended.
            if( rMutex_lock( cacheMutex ) )
            {
                if( NULL == fileContent ||
                    !rSequence_addBUFFER( notif, RP_TAGS_FILE_CONTENT, fileContent, fileSize ) ||
                    !HbsRingBuffer_add( documentCache, notif ) )
                {
                    rSequence_free( notif );
                }
                rMutex_unlock( cacheMutex );
            }
            else
            {
                rSequence_free( notif );
            }

            // fileContent is freed after being added to notif; this presumes
            // rSequence_addBUFFER copies the bytes — confirm.
            if( NULL != fileContent )
            {
                rpal_memory_free( fileContent );
            }
        }
        else
        {
            // Not a document of interest: drop the event.
            rSequence_free( notif );
        }
    }
}
/*
 * Publishes a CODE_IDENTITY notification, with signature information, the
 * first time a given (name hash, file hash, code size) identity is observed.
 *
 * name          wide path of the code; may be NULL, in which case the name
 *               hash stays zero
 * pFileHash     optional file hash; may be NULL
 * codeSize      size of the code in memory, truncated to RU32 in the event
 * originalEvent event the notification is marked as related to
 *
 * g_mutex guards only the g_knownCode bloom filter; it is released on both
 * outcomes of the membership test before any event is built.
 */
static RVOID processCodeIdentW( RPWCHAR name, CryptoLib_Hash* pFileHash, RU64 codeSize, rSequence originalEvent )
{
    CodeIdent ident = { 0 };
    rSequence notif = NULL;
    rSequence sig = NULL;
    RBOOL isSigned = FALSE;
    RBOOL isVerifiedLocal = FALSE;
    RBOOL isVerifiedGlobal = FALSE;

    /* Zero-initialised ident: absent fields contribute the same bytes to the
     * bloom-filter key on every call. */
    ident.codeSize = codeSize;
    if( NULL != name )
    {
        /* Hash the raw wide-char bytes of the name, terminator excluded. */
        CryptoLib_hash( name, rpal_string_strlenw( name ) * sizeof( RWCHAR ), &ident.nameHash );
    }
    if( NULL != pFileHash )
    {
        rpal_memory_memcpy( &ident.fileHash, pFileHash, sizeof( *pFileHash ) );
    }

    if( rMutex_lock( g_mutex ) )
    {
        /* Only the first sighting of this identity is reported. */
        if( rpal_bloom_addIfNew( g_knownCode, &ident, sizeof( ident ) ) )
        {
            rMutex_unlock( g_mutex );

            if( NULL != ( notif = rSequence_new() ) )
            {
                hbs_markAsRelated( originalEvent, notif );

                /* NOTE(review): the ||-chain keeps only the first tag whose
                 * add succeeds, so DLL and EXECUTABLE act as fallbacks for
                 * FILE_PATH rather than being added alongside it — confirm
                 * this is the intended event shape. */
                if( ( rSequence_addSTRINGW( notif, RP_TAGS_FILE_PATH, name ) ||
                      rSequence_addSTRINGW( notif, RP_TAGS_DLL, name ) ||
                      rSequence_addSTRINGW( notif, RP_TAGS_EXECUTABLE, name ) ) &&
                    rSequence_addRU32( notif, RP_TAGS_MEMORY_SIZE, (RU32)codeSize ) &&
                    rSequence_addTIMESTAMP( notif, RP_TAGS_TIMESTAMP, rpal_time_getGlobal() ) )
                {
                    /* The hash is optional; a failed add does not block the publish. */
                    if( NULL != pFileHash )
                    {
                        rSequence_addBUFFER( notif, RP_TAGS_HASH, (RPU8)pFileHash, sizeof( *pFileHash ) );
                    }

                    /* Signature lookup is offline (NO_NETWORK) with chain
                     * verification. The three boolean outputs are not read
                     * here; presumably the same facts are carried inside sig
                     * — confirm. sig is owned by notif once added, else freed. */
                    if( libOs_getSignature( name, &sig, ( OSLIB_SIGNCHECK_NO_NETWORK | OSLIB_SIGNCHECK_CHAIN_VERIFICATION ), &isSigned, &isVerifiedLocal, &isVerifiedGlobal ) )
                    {
                        if( !rSequence_addSEQUENCE( notif, RP_TAGS_SIGNATURE, sig ) )
                        {
                            rSequence_free( sig );
                        }
                    }

                    notifications_publish( RP_TAGS_NOTIFICATION_CODE_IDENTITY, notif );
                }

                /* Released on every path; presumes notifications_publish does
                 * not take ownership — confirm. */
                rSequence_free( notif );
            }
        }
        else
        {
            rMutex_unlock( g_mutex );
        }
    }
}