/*
* PROJECT: Capture
* FILE: Monitor.h
* AUTHORS: Ramon Steenson (rsteenson@gmail.com) & Christian Seifert (christian.seifert@gmail.com)
*
* Developed by Victoria University of Wellington and the New Zealand Honeynet Alliance
*
* This file is part of Capture.
*
* Capture is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* Capture is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with Capture; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#pragma once
#include "CaptureGlobal.h"
#include <list>
#include <string>
#include <iostream>
#include <fstream>
#include <vector>
#include <hash_map>
#include <winioctl.h>
#include <tchar.h>
#include "Permission.h"
// NOTE(review): both directives live in a header, so every translation unit
// that includes Monitor.h inherits them. The unqualified wstring/pair used
// below depend on the first one; no boost header is included in this file,
// so presumably CaptureGlobal.h brings boost in -- confirm before touching.
using namespace std;
using namespace boost;
/*
Class: Monitor
Provides a common interface for the construction of system monitors
*/
/*
Constants: Kernel Driver IOCTL Codes
IOCTL_CAPTURE_START - Starts the kernel driver's monitor.
IOCTL_CAPTURE_STOP - Stops the kernel driver's monitor.

Both are built with CTL_CODE(DeviceType, Function, Method, Access):
- device type 0x22 is FILE_DEVICE_UNKNOWN, the usual choice for a
  vendor-specific device;
- function codes 0x805 / 0x806 sit in the vendor range (0x800 and above);
- METHOD_BUFFERED: the I/O manager copies the request buffer, so the driver
  does not touch user-mode memory directly;
- FILE_READ_ACCESS | FILE_WRITE_ACCESS: the I/O manager refuses the request
  unless the device handle was opened with both read and write access.
These values are the user-mode/kernel-mode contract; the driver's dispatch
routine must use exactly the same codes (driver source is not in this file).
*/
#define IOCTL_CAPTURE_START CTL_CODE(0x00000022, 0x0805, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
#define IOCTL_CAPTURE_STOP CTL_CODE(0x00000022, 0x0806, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
/*
Type: Permission_Pair
Key/value pair matching the element shape of Monitor::permissionMap: an
event-type string and a pointer to the list of Permission objects for it.
*/
typedef pair <wstring, std::list<Permission*>*> Permission_Pair;
/*
Class: Monitor
Abstract base for the system monitors. Concrete monitors implement start()
and stop(); this class holds what they share: the exclusion list (a map of
event type -> Permission objects), the handle of the kernel driver service,
and helpers to install/remove that driver and to load exclusion files.
*/
class Monitor
{
public:
    Monitor();
    virtual ~Monitor();
    /* Begin monitoring. Pure virtual: each concrete monitor defines what it starts. */
    virtual void start() = 0;
    /* Stop monitoring. Pure virtual counterpart of start(). */
    virtual void stop() = 0;
    /*
    Function: clearExclusionList
    Clears the exclusions added through exclusion list files. Exclusions
    flagged permanent (created while the object is constructed) are kept.
    */
    void clearExclusionList();
protected:
    /*
    Function: convertTimeFieldToWString
    Converts a SYSTEMTIME to a readable wstring. (The declared parameter is
    SYSTEMTIME, not the TIME_FIELDS named in the original comment.)
    */
    wstring convertTimeFieldToWString(SYSTEMTIME time);
    /*
    Function: isEventAllowed
    Decides whether an (eventType, subject, object) event passes the
    exclusion list. Presumably consults permissionMap under eventType; the
    matching rules live in the definition, not here -- confirm there.
    */
    bool isEventAllowed(std::wstring eventType, std::wstring subject, std::wstring object);
    /*
    Function: installKernelDriver
    Installs the kernel driver found at driverPath as a service named
    driverName with the given description. SC_HANDLE is a Service Control
    Manager handle type, so presumably the created service handle is stored
    in hService and the bool reports success -- confirm in the definition.
    Loading a driver is privileged and driverPath ends up executing in the
    kernel; callers should only pass a path the program itself controls.
    */
    bool installKernelDriver(wstring driverPath, wstring driverName, wstring driverDescription);
    /*
    Function: unInstallKernelDriver
    Removes the kernel driver. Takes no arguments, so presumably operates on
    hService set by installKernelDriver -- confirm.
    */
    void unInstallKernelDriver();
    /*
    Function: loadExclusionList
    Loads an exclusion list from a file and creates permission entries from
    it. The file format is not visible here. Whatever is in that file decides
    which events the monitor stays silent about, so who can write it matters.
    */
    void loadExclusionList(wstring file);
    /*
    Function: prepareStringForExclusion
    Helper which scans a string for "." and inserts a "\" in front of each
    one. Presumably escapes the literal dot before the string is used as a
    regular-expression pattern -- confirm against Permission.
    */
    void prepareStringForExclusion(wstring* s);
    /*
    Function: addExclusion
    Creates a Permission from the given fields and adds it to the internal
    exclusion list. When the last argument (spelled "permaneant" in the
    declaration) is true the entry survives clearExclusionList(). Which
    argument keys permissionMap is not visible here -- see the definition.
    */
    void addExclusion(wstring excluded, wstring action, wstring subject, wstring object, bool permaneant = false);
    /*
    Variable: hService
    Service Control Manager handle for the kernel driver service. No in-class
    initializer, so it is whatever the constructor sets -- confirm it is NULL
    before the driver is installed.
    */
    SC_HANDLE hService;
    /*
    Variable: permissionMap
    Maps an event type to a list of permissions for that type. Both the list
    and the Permission objects are held by raw pointer; ownership (who frees
    them, presumably clearExclusionList / the destructor) is decided in the
    definition -- confirm.
    */
    stdext::hash_map<wstring, std::list<Permission*>*> permissionMap;
};