-
Notifications
You must be signed in to change notification settings - Fork 42
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Filip Olszak
committed
Apr 10, 2021
1 parent
1f0a54c
commit ec1556c
Showing
14,880 changed files
with
3,007,778 additions
and
64,409 deletions.
The diff you're trying to view is too large. We only load the first 3000 changed files.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,3 @@ | ||
| #include "TiMemAgent.h" | ||
| #include "AgentService.h" | ||
|
|
||
| SERVICE_STATUS g_ServiceStatus{ 0 }; | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,5 @@ | ||
| #pragma once | ||
| #include "TiEtwAgent.h" | ||
|
|
||
| #ifndef SERVICE_CONFIG | ||
| #define SERVICE_CONFIG | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,14 +1,16 @@ | ||
| #pragma once | ||
| #include "TiMemAgent.h" | ||
| #include <Windows.h> | ||
| #include "TiEtwAgent.h" | ||
|
|
||
| using std::string; | ||
|
|
||
| #define MAX_BUF_SIZE 2048 | ||
| #define MEM_STR_SIZE 512 | ||
|
|
||
| #define GET_VARIABLE_NAME(Variable) (#Variable) | ||
| string itohs(uint64_t i); | ||
| string ftostr(string &file_name); | ||
| string get_pname(uint64_t pid); | ||
| string dump_memory_ascii(uint64_t pid, uint64_t base_address, int length); | ||
|
|
||
| BOOL agent_message(string message); | ||
|
|
||
| std::string itohs(uint64_t i); | ||
| std::string get_pname(uint64_t pid); | ||
| std::string dump_memory_ascii(uint64_t pid, uint64_t base_address, int length); | ||
| BOOL agent_message(std::string message); | ||
| VOID log_debug(const wchar_t* format, ...); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,196 @@ | ||
| #include "TiEtwAgent.h" | ||
| #include "AgentService.h" | ||
|
|
||
| DWORD install_elam() | ||
| { | ||
| DWORD ret{ 0 }; | ||
| WCHAR driverName[]{ DRIVER_NAME }; | ||
| HANDLE hFile{ NULL }; | ||
|
|
||
| log_debug(L"TiEtwSensor: Opening driver file: %s\n", driverName); | ||
|
|
||
| hFile = CreateFile( | ||
| driverName, | ||
| FILE_READ_DATA, | ||
| FILE_SHARE_READ, | ||
| NULL, | ||
| OPEN_EXISTING, | ||
| FILE_ATTRIBUTE_NORMAL, | ||
| NULL | ||
| ); | ||
|
|
||
| if (hFile == INVALID_HANDLE_VALUE) { | ||
| ret = 1; | ||
| log_debug(L"TiEtwSensor: Unable to read driver file\n"); | ||
| return ret; | ||
| } | ||
|
|
||
| if (InstallELAMCertificateInfo(hFile) == FALSE) { | ||
| ret = 1; | ||
| log_debug(L"TiEtwSensor: Unable to install ELAM certificate\n"); | ||
| return ret; | ||
| } | ||
|
|
||
| log_debug(L"TiEtwSensor: ELAM driver has been installed successfully\n"); | ||
| return ret; | ||
| } | ||
|
|
||
| DWORD install_agent_service() | ||
| { | ||
| DWORD ret = 0; | ||
| SERVICE_LAUNCH_PROTECTED_INFO info; | ||
| SC_HANDLE hService; | ||
| SC_HANDLE hSCManager; | ||
|
|
||
| DWORD SCManagerAccess = SC_MANAGER_ALL_ACCESS; | ||
| hSCManager = OpenSCManager(NULL, NULL, SCManagerAccess); | ||
|
|
||
| if (NULL == hSCManager) { | ||
| ret = 1; | ||
| log_debug(L"TiEtwSensor: Unable to open Service Control Manager\n"); | ||
| return ret; | ||
| } | ||
|
|
||
| wchar_t serviceCmd[MAX_BUF_SIZE]{ 0 }; | ||
|
|
||
| GetModuleFileName( | ||
| NULL, | ||
| serviceCmd, | ||
| MAX_BUF_SIZE | ||
| ); | ||
|
|
||
| DWORD serviceCmdLen = lstrlenW(serviceCmd); | ||
| wcscpy_s(serviceCmd + serviceCmdLen, MAX_BUF_SIZE - serviceCmdLen, L" service"); | ||
|
|
||
| hService = CreateService( | ||
| hSCManager, | ||
| SERVICE_NAME, | ||
| SERVICE_NAME, | ||
| SCManagerAccess, | ||
| SERVICE_WIN32_OWN_PROCESS, | ||
| SERVICE_DEMAND_START, | ||
| SERVICE_ERROR_NORMAL, | ||
| serviceCmd, | ||
| NULL, | ||
| NULL, | ||
| NULL, | ||
| NULL, | ||
| NULL | ||
| ); | ||
|
|
||
| if (NULL == hService) { | ||
| ret = GetLastError(); | ||
| if (ret == ERROR_SERVICE_EXISTS) { | ||
| log_debug(L"TiEtwSensor: Service '%s' already exists\n", SERVICE_NAME); | ||
| } | ||
| else { | ||
| log_debug(L"TiEtwSensor: Unable to create new service: %d\n", ret); | ||
| } | ||
| return ret; | ||
| } | ||
|
|
||
| info.dwLaunchProtected = SERVICE_LAUNCH_PROTECTED_ANTIMALWARE_LIGHT; | ||
| if (ChangeServiceConfig2(hService, SERVICE_CONFIG_LAUNCH_PROTECTED, &info) == FALSE) { | ||
| ret = GetLastError(); | ||
| log_debug(L"TiEtwSensor: Unable to change service config %d\n", ret); | ||
| return ret; | ||
| } | ||
|
|
||
| log_debug(L"TiEtwSensor: Service has been installed successfully\n"); | ||
| return ret; | ||
| } | ||
|
|
||
|
|
||
| DWORD uninstall_agent_service() { | ||
| DWORD ret = 0; | ||
| SC_HANDLE hSCManager; | ||
| SC_HANDLE hService; | ||
| SERVICE_STATUS_PROCESS ssp; | ||
| DWORD dwBytesNeeded; | ||
| log_debug(L"TiEtwSensor: Uninstalling the service\n"); | ||
|
|
||
| hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); | ||
|
|
||
| if (hSCManager == NULL) { | ||
| ret = 1; | ||
| log_debug(L"TiEtwSensor: Couldn't open Service Control Manager %d\n"); | ||
| return ret; | ||
| } | ||
|
|
||
| hService = OpenService(hSCManager, SERVICE_NAME, SERVICE_ALL_ACCESS); | ||
|
|
||
| if (hService == NULL) { | ||
| ret = 1; | ||
| log_debug(L"TiEtwSensor: Couldn't open the service\n"); | ||
| return ret; | ||
| } | ||
|
|
||
| if (!QueryServiceStatusEx( | ||
| hService, SC_STATUS_PROCESS_INFO, (LPBYTE)&ssp, sizeof(SERVICE_STATUS_PROCESS), &dwBytesNeeded)) { | ||
| ret = GetLastError(); | ||
| log_debug(L"TiEtwSensor: Couldn't query the service status: %d\n", ret); | ||
| return ret; | ||
| } | ||
|
|
||
| if (ssp.dwCurrentState != SERVICE_STOPPED) { | ||
| if (!ControlService(hService, SERVICE_CONTROL_STOP, (LPSERVICE_STATUS)&ssp)) { | ||
| ret = GetLastError(); | ||
| log_debug(L"TiEtwSensor: ControlService(Stop) Error: %d\n", ret); | ||
| return ret; | ||
| } | ||
| if (ssp.dwCurrentState != SERVICE_STOPPED) { | ||
| Sleep(3000); | ||
| if (!QueryServiceStatusEx( | ||
| hService, SC_STATUS_PROCESS_INFO, (LPBYTE)&ssp, sizeof(SERVICE_STATUS_PROCESS), &dwBytesNeeded)) { | ||
| ret = GetLastError(); | ||
| log_debug(L"TiEtwSensor: QueryServiceStatusEx2 Error: %d\n", ret); | ||
| return ret; | ||
| } | ||
| if (ssp.dwCurrentState != SERVICE_STOPPED) { | ||
| ret = ssp.dwCurrentState; | ||
| log_debug(L"TiEtwSensor: Waited but service stull not stopped: %d\n", ret); | ||
| return ret; | ||
| } | ||
| } | ||
| } | ||
|
|
||
| if (!DeleteService(hService)) { | ||
| ret = GetLastError(); | ||
| log_debug(L"TiEtwSensor: DeleteService Error: %d\n", ret); | ||
| return ret; | ||
| } | ||
|
|
||
| log_debug(L"TiEtwSensor: Deleted Service %s\n", SERVICE_NAME); | ||
|
|
||
| return ret; | ||
| } | ||
|
|
||
| int main(INT argc, CHAR** argv) | ||
| { | ||
| DWORD ret{ 0 }; | ||
|
|
||
| if (argc != 2) { | ||
| log_debug(L"Usage: TiMemAgent.exe ( install | uninstall )\n"); | ||
| ret = 1; | ||
| } | ||
| else if (strcmp("install", argv[1]) == 0) { | ||
| log_debug(L"TiEtwSensor: Installing the Early Launch Anti-Malware drivers\n"); | ||
| ret = install_elam(); | ||
| if (ret == 0) { | ||
| log_debug(L"TiEtwSensor: Installing the agent service\n"); | ||
| ret = install_agent_service(); | ||
| } | ||
| } | ||
| else if (strcmp(argv[1], "service") == 0) { | ||
| log_debug(L"TiEtwSensor: The service is starting up\n"); | ||
| ret = agent_service_init(); | ||
| } | ||
| else if (strcmp(argv[1], "uninstall") == 0) { | ||
| ret = uninstall_agent_service(); | ||
| } | ||
| else { | ||
| log_debug(L"TiEtwSensor: Unable to parse commandline\n"); | ||
| ret = 1; | ||
| } | ||
| return ret; | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| #pragma once | ||
|
|
||
| #include <Windows.h> | ||
| #include <iostream> | ||
| #include <map> | ||
| #include <stdio.h> | ||
| #include <fstream> | ||
| #include <string> | ||
| #include <vector> | ||
| #include <algorithm> | ||
| #include <sstream> | ||
|
|
||
| #include "Helpers.h" | ||
|
|
||
| #define LOG_FNAME L"C:\\Windows\\Temp\\TiEtwAgent.txt" | ||
| #define YARA_ENABLED false | ||
|
|
||
| const std::string YARA_RULE_DIR{ "c:\\yara_rules" }; |
Oops, something went wrong.