Changeset 409
- Timestamp:
- 05/29/07 23:12:01 (1 year ago)
- Files:
-
- honeyclient/trunk/bin/StartAgent.pl (modified) (4 diffs)
- honeyclient/trunk/bin/StartManager.pl (modified) (1 diff)
- honeyclient/trunk/etc/honeyclient.xml (modified) (4 diffs)
- honeyclient/trunk/etc/honeyclient_log.conf (modified) (2 diffs)
- honeyclient/trunk/lib/HoneyClient/Agent.pm (modified) (20 diffs)
- honeyclient/trunk/lib/HoneyClient/Agent/Driver/Browser.pm (modified) (2 diffs)
- honeyclient/trunk/lib/HoneyClient/Agent/Integrity.pm (modified) (2 diffs)
- honeyclient/trunk/lib/HoneyClient/Agent/Integrity/Filesystem.pm (modified) (1 diff, 1 prop)
- honeyclient/trunk/lib/HoneyClient/Agent/Integrity/Registry.pm (modified) (10 diffs)
- honeyclient/trunk/lib/HoneyClient/Agent/Integrity/Registry/Parser.pm (modified) (9 diffs)
- honeyclient/trunk/lib/HoneyClient/Agent/Integrity/Registry/Parser.yp (modified) (9 diffs)
- honeyclient/trunk/lib/HoneyClient/Manager.pm (modified) (12 diffs)
- honeyclient/trunk/lib/HoneyClient/Manager/VM.pm (modified) (19 diffs)
- honeyclient/trunk/lib/HoneyClient/Util/Config.pm (modified) (5 diffs)
- honeyclient/trunk/lib/HoneyClient/Util/SOAP.pm (modified) (2 diffs)
honeyclient/trunk/bin/StartAgent.pl
r333 r409 7 7 use Carp (); 8 8 9 use HoneyClient::Util::Config qw(getVar); 9 10 use HoneyClient::Agent; 10 11 use HoneyClient::Util::SOAP qw(getClientHandle); … … 12 13 use MIME::Base64 qw(decode_base64 encode_base64); 13 14 use Storable qw(thaw nfreeze); 15 use Log::Log4perl qw(:easy); 16 17 # The global logging object. 18 our $LOG = get_logger(); 14 19 15 20 our ($stub, $som); … … 18 23 our $agentState = undef; 19 24 my $tempState = undef; 25 our $faultDetected = 0; 20 26 21 27 print "URL: " . $URL. "\n"; … … 35 41 } 36 42 37 print "Watchdog fault detected, recovering Agent daemon.\n"; 43 if (!$faultDetected) { 44 $LOG->error("Watchdog fault detected, recovering Agent daemon."); 45 $faultDetected = 1; 46 } 38 47 # XXX: Reenable this, eventually. 39 #Carp::carp __PACKAGE__ . "->_watchdogFaultHandler(): Error occurred during processing.\n" . $errMsg; 48 $LOG->error(__PACKAGE__ . "->_watchdogFaultHandler(): Error occurred during processing.\n" . $errMsg); 49 Carp::carp __PACKAGE__ . "->_watchdogFaultHandler(): Error occurred during processing.\n" . $errMsg; 40 50 41 51 honeyclient/trunk/bin/StartManager.pl
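Review bot: `$faultDetected` is set to 1 at line 45 and nothing in this hunk clears it, so the "Watchdog fault detected" line is logged once per process lifetime rather than once per recovery; if the handler is meant to re-arm after a successful restart, the reset belongs where recovery completes, which is outside the hunk. The handler also now emits the same text twice, `$LOG->error(...)` at 48 and `Carp::carp` at 49, which duplicates output whenever the Screen appender writes to stderr; keep one of them. The `# XXX: Reenable this, eventually.` comment at 47 is stale now that the carp is live.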
r351 r409 25 25 26 26 my $driver = "IE"; 27 my $config = "/vm/master-vms/Agent.Master-1 6/winXPPro.cfg";27 my $config = "/vm/master-vms/Agent.Master-19/winXPPro.cfg"; 28 28 my $maxrel = 5; 29 29 my $nexturl = ""; honeyclient/trunk/etc/honeyclient.xml
r359 r409 54 54 etc/honeyclient_log.conf 55 55 </log_config> 56 <syslog_address description="The IP address of the syslog server that all logging messages will be sent to by both Agent and Manager processes over UDP port 514." default="10.0.0.1"> 57 10.0.0.1 58 </syslog_address> 56 59 <!-- HoneyClient::Agent Options --> 57 60 <Agent> … … 121 124 </Driver> 122 125 <perform_integrity_checks description="An integer, representing whether the Agent should perform any integrity checks. 1 enables, 0 disables." default="1"> 123 1 126 1 124 127 </perform_integrity_checks> 125 128 <!-- HoneyClient::Agent::Integrity Options --> … … 137 140 <regex>C:/Documents and Settings/Administrator/Application Data/Mozilla/Firefox/Profiles.*</regex> 138 141 <regex>C:/Documents and Settings/Administrator/Cookies.*</regex> 142 <regex>C:/Documents and Settings/Administrator/Local Settings/Application Data/Macromedia/Flash Player.*</regex> 139 143 <regex>C:/Documents and Settings/Administrator/Local Settings/Application Data/Mozilla/Firefox/Profiles.*</regex> 140 144 <regex>C:/Documents and Settings/Administrator/Local Settings/History/History.IE5.*</regex> … … 181 185 <name>HKEY_CURRENT_USER</name> 182 186 <name>HKEY_USERS</name> 183 <name>HKEY_CURRENT_CONFIG</name> 187 <name>HKEY_CURRENT_CONFIG</name> 184 188 </hives_to_check> 185 189 <exclude_list description="List of perl regular expressions, each matching one or more registry key directory names to exclude from analysis. These entries match registry key directories that change normally during the course of driving the target application. As such, they are excluded from analysis in order to reduce false positives. As in normal regular expressions, each backslash (\) must be escaped (\\) and each regex must not end with any backslash character."> honeyclient/trunk/etc/honeyclient_log.conf
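Review bot: The description of the new `syslog_address` element fixes the transport as UDP port 514, yet no element in this file makes the port configurable and plain UDP syslog carries the Agent's integrity-check results without authentication or delivery confirmation; the description should say so, since an operator reads this file to decide where to point it. Suggested wording: `The IP address of the syslog server that all logging messages will be sent to by both Agent and Manager processes over UDP port 514. Delivery is best-effort and unauthenticated, so the server should only be reachable from the management network.` The `honeyclient_log.conf` hunk in this changeset configures the Syslog appender without a host, so where this value is consumed is not visible here.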
r158 r409 59 59 ####################################################################### 60 60 61 log4perl.rootLogger=INFO, Screen 61 log4perl.rootLogger=INFO, Screen, Syslog 62 63 # Screen Logging Settings 62 64 #log4perl.logger.HoneyClient.Agent.Integrity.Registry=DEBUG, Screen 63 65 # Suppress Parser Debugging Messages … … 70 72 log4perl.appender.Screen.layout=Log::Log4perl::Layout::PatternLayout 71 73 log4perl.appender.Screen.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %5p [%M] (%F:%L) - %m%n 74 75 # Syslog Logging Settings 76 log4perl.appender.Syslog=Log::Dispatch::Syslog 77 log4perl.appender.Syslog.socket=inet 78 log4perl.appender.Syslog.Threshold=DEBUG 79 log4perl.appender.Syslog.layout=Log::Log4perl::Layout::PatternLayout 80 log4perl.appender.Syslog.layout.ConversionPattern=%5p [%M] (%F:%L) - %m%n honeyclient/trunk/lib/HoneyClient/Agent.pm
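Review bot: The new Syslog appender at lines 76-80 sets `socket=inet` but no host or port, so Log::Dispatch::Syslog will fall back to the library default rather than the `syslog_address` added to honeyclient.xml in this changeset, unless that address is applied at runtime by code not shown here. `Threshold=DEBUG` on the appender is also a no-op while `log4perl.rootLogger=INFO`, so either the root level is meant to change or the line should go to avoid implying DEBUG output reaches syslog. If the host is injected elsewhere, a comment such as `# Remote host is supplied at runtime from <syslog_address> in honeyclient.xml, not here` would make that visible in this file.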
r333 r409 163 163 164 164 # Make sure Storable loads. 165 BEGIN { use_ok('Storable', qw(freeze nfreeze thaw )) or diag("Can't load Storable package. Check to make sure the package library is correctly listed within the path."); }165 BEGIN { use_ok('Storable', qw(freeze nfreeze thaw dclone)) or diag("Can't load Storable package. Check to make sure the package library is correctly listed within the path."); } 166 166 require_ok('Storable'); 167 167 can_ok('Storable', 'freeze'); 168 168 can_ok('Storable', 'nfreeze'); 169 169 can_ok('Storable', 'thaw'); 170 use Storable qw(freeze nfreeze thaw); 170 can_ok('Storable', 'dclone'); 171 use Storable qw(freeze nfreeze thaw dclone); 171 172 172 173 # Make sure MIME::Base64 loads. … … 209 210 210 211 # Include Hash Serialization Utility Libraries 211 # TODO: Update unit tests to include 'dclone'212 212 use Storable qw(freeze nfreeze thaw dclone); 213 213 $Storable::Deparse = 1; … … 228 228 use Data::Compare; 229 229 230 # Include Logging Library 231 use Log::Log4perl qw(:easy); 232 233 # The global logging object. 234 our $LOG = get_logger(); 235 230 236 # Complete URL of SOAP server, when initialized. 231 237 our $URL_BASE : shared = undef; … … 240 246 getVar(name => "perform_integrity_checks"); 241 247 242 # A globally shared, serialized hashtable, containing the 243 # initialized integrity state of the VM -- ready to be checked 244 # against, at any time. 245 #our $integrity = undef; 246 our $integrityState : shared = undef; 248 # A globally shared object, containing the initialized integrity 249 # state of the VM -- ready to be checked against, at any time after 250 # initialization. 251 our $integrityData; 247 252 248 253 # A globally shared, serialized hashtable, containing data per … … 344 349 # Sanity check. Make sure the daemon isn't already running. 345 350 if (defined($DAEMON_PID)) { 351 $LOG->fatal("Error: " . __PACKAGE__ . " daemon is already running (PID = " . $DAEMON_PID .")!"); 346 352 Carp::croak "Error: " . 
__PACKAGE__ . " daemon is already running (PID = $DAEMON_PID)!\n"; 347 353 } … … 370 376 371 377 # Perform initial integrity baseline check. 372 #my $integrity = undef; 373 #if ($PERFORM_INTEGRITY_CHECKS) { 374 # $integrity = HoneyClient::Agent::Integrity->new(); 375 # $integrity->closeFiles(); 376 # $integrityState = freeze($integrity); 377 #} 378 # XXX: Check to make sure this doesn't destroy the integrity 379 # object prematurely. 380 #$integrity = undef; 378 if ($PERFORM_INTEGRITY_CHECKS) { 379 $integrityData = HoneyClient::Agent::Integrity->new(); 380 $integrityData->closeFiles(); 381 } 381 382 382 383 # Release data lock. … … 412 413 # Make sure the fork was successful. 413 414 if (!defined($pid)) { 415 $LOG->fatal("Error: Unable to fork child process.\n$!"); 414 416 Carp::croak "Error: Unable to fork child process.\n$!"; 415 417 } … … 438 440 439 441 for (;;) { 440 $daemon->handle ;442 $daemon->handle(); 441 443 } 442 444 } … … 472 474 # the parent process... 473 475 if (defined($DAEMON_PID) && ($DAEMON_PID != 0)) { 476 $LOG->error("Killing PID = " . $DAEMON_PID); 474 477 print STDERR "Killing PID = " . $DAEMON_PID . "\n"; 475 478 # The Win32 version of kill() seems to only respond to SIGKILL(9). … … 494 497 %driverUpdateQueues = ( ); 495 498 499 # Destroy all integrity data, if defined. 500 if (defined($integrityData)) { 501 $integrityData->destroy(); 502 } 503 $integrityData = undef; 504 496 505 # Release data lock. 497 506 _unlock(); … … 562 571 # When called from run(), this function takes in the corresponding 563 572 # Driver object; checks to see if there's a new entry within the 564 # driver's corresponding update queue; and dequeues the * first*565 # entr yin the queue, overwriting the Driver's state data573 # driver's corresponding update queue; and dequeues the *all* 574 # entries in the queue, overwriting the Driver's state data 566 575 # accordingly. 
567 576 # 568 577 # The external updateState() call adds new driver state into the queue, 569 578 # one entry per call. The internal _update() function merges this 570 # driver state with the currently running driver, one merge571 # operationper call. In order words, a single call to _update()572 # may *NOT* empty the corresponding Driver update queue completely573 # -- only one entrywithin the queue will be dequeued per _update()579 # driver state with the currently running driver, merging everything 580 # queued per call. In order words, a single call to _update() 581 # *WILL* empty the corresponding Driver update queue completely 582 # -- all entries within the queue will be dequeued per _update() 574 583 # call made. 575 584 # … … 587 596 my $queue = $driverUpdateQueues{$driverName}; 588 597 598 # XXX: One possible DoS condition here; what if 599 # the manager keeps feeding updates to the Agent 600 # before the Agent has a chance to do any work? 601 589 602 # If we have data in our driver specific queue... 590 if($queue->pending) {603 while ($queue->pending) { 591 604 592 605 # Update our driver state with the first entry … … 663 676 # Read the TID. 664 677 $tid = $data->{$driverName}->{'thread_id'}; 678 679 # XXX: Delete this, eventually. 680 print "Checking TID = " . Dumper($tid) . "\n"; 681 if (defined(threads->object($tid))) { 682 print "Thread defined.\n"; 683 if (threads->object($tid)->is_running()) { 684 print "Thread is running.\n"; 685 } else { 686 print "Thread is NOT running.\n"; 687 } 688 } else { 689 print "Thread NOT defined.\n"; 690 } 665 691 666 692 # Sanity check: Return false, if we already have a … … 674 700 675 701 return 0; 702 } else { 703 # XXX: Remove this, eventually. 704 print "Creating a new run() child thread...\n"; 676 705 } 677 706 … … 693 722 _unlock($data); 694 723 695 # TODO: Clean up this comment block. 696 # This function should do the following: 697 # - Initialize all drivers with starting state. 
698 # - "Drive" each driver, one-by-one. 699 # - Collect any integrity violations found, with offending 700 # state information. 701 # 702 # Notes: 703 # This function will eventually sit in a sub-thread, allowing the parent 704 # thread to return without any delay. It is expected that the Manager 705 # would then subsequently call a getStatus() operation, in order to 706 # then poll for any new violations found. 707 # 708 # TODO: We need to create a fault reporting mechanism, in order 709 # to properly deal with exceptions/faults that occur within this 710 # thread. 711 $thread = async { 712 threads->yield(); 713 714 # Trap all faults that may occur from these asynchronous operations. 715 eval { 716 717 ################################### 718 ### Driver Initialization Phase ### 719 ################################### 720 721 # Initially set local integrity object to undef. 722 my $integrity = undef; 723 724 # Initially set all driver objects to undef. 725 my $driver = undef; 726 727 # Acquire lock on stored driver state. 728 $data = _lock(); 729 730 if ($PERFORM_INTEGRITY_CHECKS) { 731 # XXX: WARNING - The $integrityState object data is NOT thread-safe 732 # (since it relies on external data stored on the file system). 733 # As such, do NOT try to call integrity checks on multiple, simultaneous 734 # asynchronous threaded drivers. 735 #$integrity = thaw($integrityState); 736 # Perform initial integrity baseline check. 737 #print "Initializing Integrity Check...\n"; 738 # TODO: Initialize Integrity Checks 739 $integrity = HoneyClient::Agent::Integrity->new(); 740 } 741 742 # Now, initialize each driver object. 743 # Figure out which $driver object to use... 744 my $driverClass = 'HoneyClient::Agent::Driver::Browser::' . $driverName; 745 746 if (!defined($data->{$driverName}->{'state'})) { 747 748 # If the driver state is undefined, then 749 # create a new state object. 
750 $driver = $driverClass->new(); 751 752 } else { 753 # Then the driver state object is already defined, 754 # so go ahead and reuse it. 755 $driver = $driverClass->new( 756 %{$data->{$driverName}->{'state'}}, 757 ); 758 } 759 760 # Next, we make sure we have no updates, before we update 761 # the corresponding shared memory version. 762 $driver = _update($driver); 763 764 # Once we've initialized the object, be sure to update 765 # the corresponding shared memory version. We do this 766 # one time before the loop starts, in case we end up 767 # finishing before we drove anywhere. 768 769 # Copy object data to shared memory. 770 $data->{$driverName}->{'next'} = $driver->next(); 771 $data->{$driverName}->{'status'} = $driver->status(); 772 $data->{$driverName}->{'status'}->{'is_compromised'} = 0; 773 $data->{$driverName}->{'state'} = $driver; 774 775 if ($driver->isFinished()) { 776 # Thread is about to finish, set the ID back to undef. 777 # This looks ugly, but setting it this early avoids the 778 # potential race condition of when the run() thread is finished 779 # and when updateState() checks for $driverData->{$driverName}->{'thread_id'} 780 # to be set to undef. 781 $data->{$driverName}->{'thread_id'} = undef; 782 } 783 784 # Release lock on stored driver state. 785 _unlock($data); 786 787 ################################### 788 ### Driver Running Phase ### 789 ################################### 790 791 # Boolean to indicate that the driver is about to transition 792 # to a new set of targets upon the next drive() operation. 793 my $driverTargetsChanged = 0; 794 795 while (!$driver->isFinished() && !$driverTargetsChanged) { 796 # XXX: Debug. Remove this. 797 # We assume $driver->next() returns defined data. 798 foreach my $resource (keys %{$driver->next()->{resources}}) { 799 print "Using Resource: " . $resource . "\n"; 800 } 801 802 # Drive the driver for one step. 803 # If the operation fails, then an exception will be generated. 
804 $driver->drive(); 805 806 # Acquire lock on stored driver state. 807 $data = _lock(); 808 809 # Check for any additional external driver updates. 810 $driver = _update($driver); 811 812 # Check to see if our driver's targets have changed. 813 $driverTargetsChanged = not(Compare($data->{$driverName}->{'next'}->{'targets'}, $driver->next()->{'targets'})); 814 # XXX: Delete this, eventually. 815 if ($driverTargetsChanged) { 816 print "Driver targets have changed.\n"; 817 #$Data::Dumper::Terse = 0; 818 #$Data::Dumper::Indent = 1; 819 #print "Current: " . Dumper($data->{$driverName}->{'next'}->{'targets'}) . "\n"; 820 #print "Next: " . Dumper($driver->next()->{'targets'}) . "\n"; 821 } 822 823 # Copy object data to shared memory. 824 $data->{$driverName}->{'next'} = $driver->next(); 825 $data->{$driverName}->{'status'} = $driver->status(); 826 $data->{$driverName}->{'status'}->{'is_compromised'} = 0; 827 $data->{$driverName}->{'state'} = $driver; 828 829 if ($driver->isFinished() or $driverTargetsChanged) { 830 # Thread is about to finish, set the ID back to undef. 831 # This looks ugly, but setting it this early avoids the 832 # potential race condition of when the run() thread is finished 833 # and when updateState() checks for $driverData->{$driverName}->{'thread_id'} 834 # to be set to undef. 835 $data->{$driverName}->{'thread_id'} = undef; 836 } 837 838 # Release lock on stored driver state. 839 _unlock($data); 840 } 841 842 # Acquire lock on stored driver state. 843 $data = _lock(); 844 845 # TODO: Perform Integrity Check 846 if (defined($integrity)) { 847 # For now, we update a scalar called 'is_compromised' within 848 # the $data->{$driverName}->{'status'} sub-hashtable. 
849 print "Performing Integrity Checks...\n"; 850 my $changes = $integrity->check(); 851 if (scalar(@{$changes->{registry}}) || 852 scalar(@{$changes->{filesystem}})) { 853 print "Integrity Check: FAILED\n"; 854 $data->{$driverName}->{'status'}->{'is_compromised'} = 1; 855 } else { 856 print "Integrity Check: PASSED\n"; 857 } 858 } 859 860 # Release lock on stored driver state. 861 _unlock($data); 862 863 # XXX: Debugging, remove eventually. 864 print "Exiting run() thread.\n"; 865 #print Dumper($driver); 866 # Verbose debugging: 867 #print Dumper($driver->status()); 868 # Short-hand debugging: 869 #my $status = $driver->status(); 870 #print "R(" . $status->{relative_links_remaining} . ") | [ " . 871 # "V(" . $status->{links_remaining} . ") + ". 872 # "P(" . $status->{links_processed} . ") = " . 873 # "T(" . $status->{links_total} . ") ] " . 874 # "| (" . $status->{percent_complete} . ")\n"; 875 }; 876 877 ################################### 878 ### Driver Cleanup Phase ### 879 ################################### 880 881 # Check to see if any errors occurred within the thread. 882 # Queue any faults found, to transmit back to the next SOAP 883 # caller. 884 if ($@) { 885 # Release any pending locks, to avoid deadlocks. 886 _unlock(); 887 888 # Acquire lock on stored driver state. 889 $data = _lock(); 890 891 # Make sure we update our state to reflect ourself dying. 892 $data->{$driverName}->{'thread_id'} = undef; 893 894 # Release lock on stored driver state. 895 _unlock($data); 896 897 # TODO: Do proper fault queuing. 898 print "FAULT: " . $@ . "\n"; 899 } 900 901 threads->detach(); # XXX: Test this. 902 return; 903 }; 724 $thread = threads->create(\&worker, 725 { 726 'driver_name' => $driverName, 727 'integrity' => $integrityData, 728 } 729 ); 904 730 905 731 # Acquire data lock. … … 907 733 908 734 # Set the valid thread ID. 
735 $data->{$driverName}->{'thread_id'} = $thread->tid(); 909 736 if ($thread->is_running()) { 910 $data->{$driverName}->{'thread_id'} = $thread->tid(); 737 # XXX: Debugging, remove eventually. 738 print "Thread ID = " . $thread->tid() . "\n"; 911 739 } else { 912 $data->{$driverName}->{'thread_id'} = undef; 740 # XXX: Debugging, remove eventually. 741 print "Thread ID = " . $thread->tid() . " (NOT RUNNING)\n"; 913 742 } 914 743 … … 916 745 _unlock($data); 917 746 } 747 748 # XXX: Debugging, remove eventually. 749 print "Run thread initialized.\n"; 918 750 919 751 # At this point, the driver thread is initialized and running, 920 752 # return true. 921 753 return 1; 754 } 755 756 # TODO: Clean up this comment block. 757 # This function should do the following: 758 # - Initialize all drivers with starting state. 759 # - "Drive" each driver, one-by-one. 760 # - Collect any integrity violations found, with offending 761 # state information. 762 # 763 # Notes: 764 # This function will eventually sit in a sub-thread, allowing the parent 765 # thread to return without any delay. It is expected that the Manager 766 # would then subsequently call a getStatus() operation, in order to 767 # then poll for any new violations found. 768 # 769 # TODO: We need to create a fault reporting mechanism, in order 770 # to properly deal with exceptions/faults that occur within this 771 # thread. 772 sub worker { 773 774 # Extract arguments. 775 my $args = shift; 776 my $driverName = $args->{'driver_name'}; 777 my $integrity = $args->{'integrity'}; 778 779 # Temporary variable, used to hold thawed driver data. 780 my $data = undef; 781 782 # Yield processing to parent thread. 783 threads->yield(); 784 785 # Trap all faults that may occur from these asynchronous operations. 786 eval { 787 788 ################################### 789 ### Driver Initialization Phase ### 790 ################################### 791 792 # Initially set all driver objects to undef. 
793 my $driver = undef; 794 795 # Acquire lock on stored driver state. 796 $data = _lock(); 797 798 # Now, initialize each driver object. 799 # Figure out which $driver object to use... 800 my $driverClass = 'HoneyClient::Agent::Driver::Browser::' . $driverName; 801 802 if (!defined($data->{$driverName}->{'state'})) { 803 804 # If the driver state is undefined, then 805 # create a new state object. 806 $driver = $driverClass->new(); 807 808 } else { 809 # Then the driver state object is already defined, 810 # so go ahead and reuse it. 811 $driver = $driverClass->new( 812 %{$data->{$driverName}->{'state'}}, 813 ); 814 } 815 816 # Next, we make sure we have no updates, before we update 817 # the corresponding shared memory version. 818 $driver = _update($driver); 819 820 # Once we've initialized the object, be sure to update 821 # the corresponding shared memory version. We do this 822 # one time before the loop starts, in case we end up 823 # finishing before we drove anywhere. 824 825 # Copy object data to shared memory. 826 $data->{$driverName}->{'next'} = $driver->next(); 827 $data->{$driverName}->{'status'} = $driver->status(); 828 $data->{$driverName}->{'status'}->{'is_compromised'} = 0; 829 $data->{$driverName}->{'status'}->{'is_running'} = 1; 830 $data->{$driverName}->{'state'} = $driver; 831 832 # Release lock on stored driver state. 833 _unlock($data); 834 835 ################################### 836 ### Driver Running Phase ### 837 ################################### 838 839 # Boolean to indicate that the driver is about to transition 840 # to a new set of targets upon the next drive() operation. 841 my $driverTargetsChanged = 0; 842 843 while (!$driver->isFinished() && !$driverTargetsChanged) { 844 # XXX: Debug. Remove this. 845 # We assume $driver->next() returns defined data. 846 foreach my $resource (keys %{$driver->next()->{resources}}) { 847 $LOG->info("Driving To Resource: " . $resource); 848 } 849 850 # Drive the driver for one step. 
851 # If the operation fails, then an exception will be generated. 852 $driver->drive(); 853 854 # Acquire lock on stored driver state. 855 $data = _lock(); 856 857 # Check for any additional external driver updates. 858 $driver = _update($driver); 859 860 # Check to see if our driver's targets have changed. 861 $driverTargetsChanged = not(Compare($data->{$driverName}->{'next'}->{'targets'}, $driver->next()->{'targets'})); 862 # XXX: Delete this, eventually. 863 if ($driverTargetsChanged) { 864 $LOG->info("Driver targets have changed."); 865 #$Data::Dumper::Terse = 0; 866 #$Data::Dumper::Indent = 1; 867 #print "Current: " . Dumper($data->{$driverName}->{'next'}->{'targets'}) . "\n"; 868 #print "Next: " . Dumper($driver->next()->{'targets'}) . "\n"; 869 } 870 871 # Copy object data to shared memory. 872 $data->{$driverName}->{'next'} = $driver->next(); 873 $data->{$driverName}->{'status'} = $driver->status(); 874 $data->{$driverName}->{'status'}->{'is_compromised'} = 0; 875 $data->{$driverName}->{'status'}->{'is_running'} = 1; 876 $data->{$driverName}->{'state'} = $driver; 877 878 # Release lock on stored driver state. 879 _unlock($data); 880 } 881 882 # TODO: Perform Integrity Check 883 my $isCompromised = 0; 884 if (defined($integrity)) { 885 # For now, we update a scalar called 'is_compromised' within 886 # the $data->{$driverName}->{'status'} sub-hashtable. 887 $LOG->info("Performing Integrity Checks."); 888 my $changes = $integrity->check(); 889 if (scalar(@{$changes->{registry}}) || 890 scalar(@{$changes->{filesystem}})) { 891 $LOG->warn("Integrity Check: FAILED"); 892 $isCompromised = 1; 893 } else { 894 $LOG->info("Integrity Check: PASSED"); 895 } 896 } 897 # Release our copy of the integrity object, but do not destroy 898 # any internal references. 899 $integrity = undef; 900 901 # Update driver state one last time, before exiting. 902 903 # Acquire lock on stored driver state. 904 $data = _lock(); 905 906 # Check for any additional external driver updates. 
907 $driver = _update($driver); 908 909 # Copy object data to shared memory. 910 $data->{$driverName}->{'next'} = $driver->next(); 911 $data->{$driverName}->{'status'} = $driver->status(); 912 $data->{$driverName}->{'status'}->{'is_compromised'} = $isCompromised; 913 $data->{$driverName}->{'status'}->{'is_running'} = 0; 914 $data->{$driverName}->{'state'} = $driver; 915 916 # Release lock on stored driver state. 917 _unlock($data); 918 }; 919 920 ################################### 921 ### Driver Cleanup Phase ### 922 ################################### 923 924 # Check to see if any errors occurred within the thread. 925 # Queue any faults found, to transmit back to the next SOAP 926 # caller. 927 if ($@) { 928 # Release any pending locks, to avoid deadlocks. 929 _unlock(); 930 931 # TODO: Do proper fault queuing. 932 $LOG->error("FAULT: " . $@); 933 } 934 935 # XXX: Debugging, remove eventually. 936 print "About to return out of child thread.\n"; 937 if (!threads->is_detached()) { 938 threads->detach(); 939 } 940 threads->exit(); 922 941 } 923 942 … … 1010 1029 # Figure out which $driver object to use... 1011 1030 my $driverClass = 'HoneyClient::Agent::Driver::Browser::' . $driverName; 1012 1031 1013 1032 if (!defined($data->{$driverName}->{'state'})) { 1014 1033 … … 1036 1055 # would get overwritten, during the next updateState() call. 1037 1056 $data->{$driverName}->{'status'}->{'is_compromised'} = 0; 1057 $data->{$driverName}->{'status'}->{'is_running'} = 0; 1038 1058 $data->{$driverName}->{'state'} = $driver; 1039 1059 … … 1119 1139 if ($proc->{Name} eq $processName) { 1120 1140 # TODO: Should this statement be in here? 1141 $LOG->warn("Killing Process ID: " . $proc->{ProcessId}); 1121 1142 Carp::carp "Killing Process ID: " . $proc->{ProcessId} . "\n"; 1122 1143 Win32::Process::KillProcess($proc->{ProcessId}, 0); honeyclient/trunk/lib/HoneyClient/Agent/Driver/Browser.pm
r357 r409 234 234 # TODO: Need unit testing. 235 235 use URI::URL; 236 237 # Include Logging Library 238 use Log::Log4perl qw(:easy); 239 240 # The global logging object. 241 our $LOG = get_logger(); 236 242 237 243 =pod … … 1025 1031 if ($self->_remaining_number_of_relative_links_to_visit == 1) { 1026 1032 1027 # XXX: D elete this, eventually.1028 print "Resetting relative links to visit counter.\n";1033 # XXX: Do we need this message in here? 1034 $LOG->info("Resetting relative links to visit counter."); 1029 1035 1030 1036 # The counter has reached one, so drop all other relative links honeyclient/trunk/lib/HoneyClient/Agent/Integrity.pm
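Review bot: The message at line 1034 is logged at `info` inside the per-link counter reset, and the author's own `# XXX: Do we need this message in here?` says it is diagnostic; `$LOG->debug("Resetting relative links to visit counter.");` keeps it available without adding a line to the INFO and syslog streams on every reset. The enclosing method starts and ends outside the hunk.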
r328 r409 535 535 536 536 # Log resolved arguments. 537 # Make Dumper format more terse. 538 $Data::Dumper::Terse = 1; 539 $Data::Dumper::Indent = 0; 540 $LOG->debug(Dumper(\%args)); 537 $LOG->debug(sub { 538 # Make Dumper format more terse. 539 $Data::Dumper::Terse = 1; 540 $Data::Dumper::Indent = 0; 541 Dumper(\%args); 542 }); 541 543 542 544 my $changes = { … … 568 570 if (defined($self->{'_registry'})) { 569 571 $self->{'_registry'}->closeFiles(); 572 } 573 } 574 575 # TODO: Comment this. 576 sub destroy { 577 my $self = shift; 578 579 if (defined($self->{'_registry'})) { 580 $self->{'_registry'}->destroy(); 570 581 } 571 582 } honeyclient/trunk/lib/HoneyClient/Agent/Integrity/Filesystem.pm
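Review bot: The closure passed to `$LOG->debug` at lines 537-542 assigns `$Data::Dumper::Terse` and `$Data::Dumper::Indent` as package globals, so whether other Dumper output in the process is terse now depends on whether DEBUG is enabled and this path has already run; `local $Data::Dumper::Terse = 1; local $Data::Dumper::Indent = 0;` inside the sub scopes the change to that one call. The same pattern appears in the Filesystem.pm and Registry.pm hunks of this changeset. The new `destroy` sub at 576-582 still carries `# TODO: Comment this.`; a header along the lines of `# Explicitly releases temporary on-disk state held by the registry checker; it is a named method rather than DESTROY so that copies of this object (e.g. in child threads) do not remove files the owner still uses` would cover it, with the threading rationale hedged since it is inferred from the Registry.pm rename rather than stated here.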
- Property svn:executable deleted
r328 r409 1008 1008 1009 1009 # Log resolved arguments. 1010 # Make Dumper format more terse. 1011 $Data::Dumper::Terse = 1; 1012 $Data::Dumper::Indent = 0; 1013 $LOG->debug(Dumper(\%args)); 1010 $LOG->debug(sub { 1011 # Make Dumper format more terse. 1012 $Data::Dumper::Terse = 1; 1013 $Data::Dumper::Indent = 0; 1014 Dumper(\%args); 1015 }); 1014 1016 1015 1017 # Analyze the filesystem. honeyclient/trunk/lib/HoneyClient/Agent/Integrity/Registry.pm
r328 r409 403 403 404 404 # Base destructor function. 405 # Since none of our state data ever contains circular references, 406 # we can simply leave the garbage collection up to Perl's internal 407 # mechanism. 408 sub DESTROY { 405 sub destroy { 406 # Extract arguments. 409 407 my $self = shift; 408 409 # Delete any temporary files created by the baseline 410 # and checkpoint parsers. 411 $self->_cleanupParsers($self->{_baseline_parsers}); 412 $self->_cleanupParsers($self->{_checkpoint_parsers}); 413 } 414 415 # Helper function, designed to cleanup temporary files created 416 # by specified parsers. 417 # 418 # Inputs: HoneyClient::Agent::Integrity::Registry object, 419 # the hashtable collection of specified parsers 420 # 421 # Outputs: None. 422 sub _cleanupParsers { 423 # Extract arguments. 424 my ($self, $parser_collection) = @_; 410 425 411 426 # Delete any temporary files created. … … 413 428 my $fname = undef; 414 429 foreach my $hive (@{$self->{hives_to_check}}) { 415 $parser = $ self->{_baseline_parsers}->{$hive};430 $parser = $parser_collection->{$hive}; 416 431 if (defined($parser)) { 417 432 $fname = $parser->getFilename(); 418 433 if (defined($fname) && (-f $fname)) { 419 $LOG->debug("Deleting baseline of hive '" . $hive . "'in '" .434 $LOG->debug("Deleting temporary '" . $hive . "' hive data in '" . 420 435 $fname . "'."); 421 436 if (!unlink($fname)) { … … 424 439 } 425 440 } 426 delete($self->{_baseline_parsers}->{$hive}); 427 } 428 $parser = $self->{_checkpoint_parsers}->{$hive}; 429 if (defined($parser)) { 430 $fname = $parser->getFilename(); 431 if (defined($fname) && (-f $fname)) { 432 $LOG->debug("Deleting checkpoint of hive '" . $hive . "' in '" . 433 $fname . "'."); 434 if (!unlink($fname)) { 435 $LOG->fatal("Error: Unable to unlink '" . $hive . "' hive data in '" . $fname ."'."); 436 Carp::croak("Error: Unable to unlink '" . $hive . "' hive data in '" . 
$fname ."'."); 437 } 438 } 439 delete($self->{_checkpoint_parsers}->{$hive}); 441 delete($parser_collection->{$hive}); 440 442 } 441 443 } … … 457 459 my $fname_tmp = undef; 458 460 foreach my $hive (@{$self->{hives_to_check}}) { 459 $fname = tmpnam(); 461 # Check to see if we can reuse temporary files from 462 # past checkpoint operations. 463 if (exists($parser_collection->{$hive}) && 464 defined($parser_collection->{$hive})) { 465 $parser = $parser_collection->{$hive}; 466 $fname = $parser->getFilename(); 467 } else { 468 $fname = tmpnam(); 469 } 470 460 471 $fname_tmp = tmpnam(); 461 472 $LOG->debug("Storing snapshot of hive '" . $hive . "' into '" . $fname . "'."); … … 1172 1183 1173 1184 # Log resolved arguments. 1174 # Make Dumper format more terse. 1175 $Data::Dumper::Terse = 1; 1176 $Data::Dumper::Indent = 0; 1177 $LOG->debug(Dumper(\%args)); 1185 $LOG->debug(sub { 1186 # Make Dumper format more terse. 1187 $Data::Dumper::Terse = 1; 1188 $Data::Dumper::Indent = 0; 1189 Dumper(\%args); 1190 }); 1178 1191 1179 1192 # Check to see if the class name is inherited or defined. … … 1390 1403 1391 1404 # Log resolved arguments. 1392 # Make Dumper format more terse. 1393 $Data::Dumper::Terse = 1; 1394 $Data::Dumper::Indent = 0; 1395 $
