Changeset 403 for trunk

Timestamp:

Jul 11, 2012, 9:02:13 PM (12 years ago)

Author:

katerina

Message:

Fix for tickets #301 and #302 (problems with the windows registry check).

Location:

trunk

Files:

• configure.ac (modified) (1 diff)
• docs/Changelog (modified) (2 diffs)
• src/sh_cat.c (modified) (1 diff)
• src/sh_registry.c (modified) (7 diffs)

trunk/configure.ac

@@ -12 +12 @@
 dnl start
 dnl
-AM_INIT_AUTOMAKE(samhain, 3.0.4)
+AM_INIT_AUTOMAKE(samhain, 3.0.5)
 AC_DEFINE([SAMHAIN], 1, [Application is samhain])
 AC_CANONICAL_HOST

trunk/docs/Changelog

@@ +1 @@
+3.0.5:
+        * fix xml format templates for registry check
+        * fix database download on registry check init (reported by ldieu)
+
 3.0.4:
         * fix verbosity of message for alerts on already deleted watches
@@ -22 +26 @@
         * change sql init scripts to make bigint fields unsigned (problem
           reported by A. Sabitov)
-        * patch by Andy Jack for issue with the --with-gpg option (hangs with 
+        * patch by Andy Jack for issue with the --with-gpg option (hangs with
           high cpu load at startup)
         * call ./samhain-install.sh as /bin/sh ./samhain-install.sh in the

trunk/src/sh_cat.c

@@ -169 +169 @@
 
 #ifdef USE_REGISTRY_CHECK
-  { MSG_REG_MISS,   SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [RegistryKeyMissing]\" path=\"%s\" %s")},
-  { MSG_REG_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [RegistryKeyNew]\" path=\"%s\" %s")},
-  { MSG_REG_CHANGE, SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [RegistryKeyChanged]\" path=\"%s\" %s")},
+  { MSG_REG_MISS,   SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [RegistryKeyMissing] %s\" path=\"%s\" %s")},
+  { MSG_REG_NEW,    SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [RegistryKeyNew] %s\" path=\"%s\" %s")},
+  { MSG_REG_CHANGE, SH_ERR_SEVERE,  EVENT, N_("msg=\"POLICY [RegistryKeyChanged] %s\" path=\"%s\" %s")},
 #endif
 

trunk/src/sh_registry.c

@@ -181 +181 @@
           if (status != 0)
             {
-              char  errbuf[256];
+              char  errbuf[512];
+              char  *p;
               regerror(status, &(newkey->preg), errbuf, sizeof(errbuf));
+
+              sl_strlcat(errbuf, ": ", sizeof(errbuf));
+              p = sh_util_safe_name_keepspace(s);
+              sl_strlcat(errbuf, p, sizeof(errbuf));
+              SH_FREE(p);
+
               SH_MUTEX_LOCK(mutex_thread_nolog);
               sh_error_handle((-1), FIL__, __LINE__, status, MSG_E_SUBGEN, 
@@ -743 +750 @@
           doUpdate = S_TRUE;
         }
+
     }
  
-  if ( sh.flag.checkSum == SH_CHECK_INIT || doUpdate == S_TRUE )
+  if ( sh.flag.checkSum == SH_CHECK_INIT || doUpdate == S_TRUE /* change detected */ )
     {
       struct store2db save;
@@ -767 +775 @@
     }
 
-  if (tPath)
-    sh_hash_set_visited (tPath);
-  else
-    sh_hash_set_visited (path);
+  /* Without this, freshly updated entries would get deleted
+   * as 'not seen'.
+   */
+  if (sh.flag.checkSum != SH_CHECK_INIT)
+    {
+      if (tPath)
+        sh_hash_set_visited (tPath);
+      else
+        sh_hash_set_visited (path);
+    }
 
   if (tPath)
@@ -806 +820 @@
 {
   HKEY hTestKey;
+  LONG qError;
   char * newpath;
   size_t len;
@@ -836 +851 @@
   snprintf(newpath, len, "%s\\%s", path, subkey);
   
-  if( RegOpenKeyEx( key,
-                    subkey,
-                    0,
-                    (KEY_READ | view),
-                    &hTestKey) == ERROR_SUCCESS
-      )
+  qError = RegOpenKeyEx( key,
+                         subkey,
+                         0,
+                         (KEY_READ | view),
+                         &hTestKey);
+
+
+  if (qError == ERROR_SUCCESS)
     {
       QueryKey(hTestKey, newpath, len-1, isSingle);
@@ -850 +867 @@
     {
       /* Error message */
-      char  * tmp    = sh_util_safe_name (newpath);
-      size_t  tlen   = sl_strlen(tmp);
-      
+      LPVOID lpMsgBuf;
+  
+      char  * tmp     = sh_util_safe_name (newpath);
+      size_t  tlen    = sl_strlen(tmp);
+
       if (SL_TRUE == sl_ok_adds(64, tlen))
         {
-          char * errbuf = SH_ALLOC(64 + tlen);
-          sl_snprintf(errbuf, 64+tlen, _("Failed to open key %s"), tmp);
-          
-          SH_MUTEX_LOCK(mutex_thread_nolog);
-          sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN, 
-                          errbuf, _("CheckThisSubkey"));
-          SH_MUTEX_UNLOCK(mutex_thread_nolog);
-          
-          SH_FREE(errbuf);
-        }
-      sh_reg_add_ign (tmp);
+          char * errbuf;
+          size_t elen;
+
+          tlen += 64;
+
+          elen = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | 
+                               FORMAT_MESSAGE_FROM_SYSTEM |
+                               FORMAT_MESSAGE_IGNORE_INSERTS,
+                               NULL,
+                               qError,
+                               MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
+                               (LPTSTR) &lpMsgBuf,
+                               0, NULL );
+
+          if (elen > 0 && SL_TRUE == sl_ok_adds(elen, tlen))
+            {
+              tlen += elen;
+
+              errbuf = SH_ALLOC(elen + tlen);
+              sl_snprintf(errbuf, 64+tlen, _("Failed to open key %s: %s"), 
+                          tmp, lpMsgBuf);
+              LocalFree(lpMsgBuf);
+
+              SH_MUTEX_LOCK(mutex_thread_nolog);
+              sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN, 
+                              errbuf, _("CheckThisSubkey"));
+              SH_MUTEX_UNLOCK(mutex_thread_nolog);
+              
+              SH_FREE(errbuf);
+            }
+        }
+      sh_reg_add_ign (newpath);
       SH_FREE(tmp);
     }
@@ -880 +920 @@
   char path[20] = "";
   int pos = 0;
-  int retval = -1;
   
   if      (0 == strncmp(key, _("HKEY_CLASSES_ROOT"), 17))