Changeset 365

Show
Ignore:
Timestamp:
08/07/08 19:27:39 (9 years ago)
Author:
cseifert
Message:

bug fixes
2.5 beta1

Location:
capture-hpc/trunk
Files:
16 modified

Legend:

Unmodified
Added
Removed
  • capture-hpc/trunk/ReleaseNotes-HPC.txt

    r364 r365  
    2020Known Issues 
    2121------------ 
    22 XXX     When IE instance locks up, close method fails leading to a VM stalled error. (but those failures are now retried once) 
    23 XXX     When Capture-Client crashes, it will lead to a client inactivity errors. (but those failures are now retried once) 
     22736     When IE instance locks up, close method fails leading to a VM stalled error. (but those failures are now retried once) 
     23735     When Capture-Client crashes, it will lead to a client inactivity errors. (but those failures are now retried once) 
     24734     Terminate process is not recorded 
    2425615     Registry monitoring can't handle a key named  
    2526690 Capture is not able to detect file renames 
     
    2930719 Closing a browser during visitation does not cause this event to be reported back to the server 
    3031721     filedownloader writes to const file name preventing dac algorithm to be applied for applications that make use of this feature 
     32 
    3133 
    3234Version 2.1 
  • capture-hpc/trunk/capture-client/COPYING

    r243 r365  
    279279 
    280280                     END OF TERMS AND CONDITIONS 
    281  
    282             How to Apply These Terms to Your New Programs 
    283  
    284   If you develop a new program, and you want it to be of the greatest 
    285 possible use to the public, the best way to achieve this is to make it 
    286 free software which everyone can redistribute and change under these terms. 
    287  
    288   To do so, attach the following notices to the program.  It is safest 
    289 to attach them to the start of each source file to most effectively 
    290 convey the exclusion of warranty; and each file should have at least 
    291 the "copyright" line and a pointer to where the full notice is found. 
    292  
    293     <one line to give the program's name and a brief idea of what it does.> 
    294     Copyright (C) <year>  <name of author> 
    295  
    296     This program is free software; you can redistribute it and/or modify 
    297     it under the terms of the GNU General Public License as published by 
    298     the Free Software Foundation; either version 2 of the License, or 
    299     (at your option) any later version. 
    300  
    301     This program is distributed in the hope that it will be useful, 
    302     but WITHOUT ANY WARRANTY; without even the implied warranty of 
    303     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
    304     GNU General Public License for more details. 
    305  
    306     You should have received a copy of the GNU General Public License along 
    307     with this program; if not, write to the Free Software Foundation, Inc., 
    308     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
    309  
    310 Also add information on how to contact you by electronic and paper mail. 
    311  
    312 If the program is interactive, make it output a short notice like this 
    313 when it starts in an interactive mode: 
    314  
    315     Gnomovision version 69, Copyright (C) year name of author 
    316     Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 
    317     This is free software, and you are welcome to redistribute it 
    318     under certain conditions; type `show c' for details. 
    319  
    320 The hypothetical commands `show w' and `show c' should show the appropriate 
    321 parts of the General Public License.  Of course, the commands you use may 
    322 be called something other than `show w' and `show c'; they could even be 
    323 mouse-clicks or menu items--whatever suits your program. 
    324  
    325 You should also get your employer (if you work as a programmer) or your 
    326 school, if any, to sign a "copyright disclaimer" for the program, if 
    327 necessary.  Here is a sample; alter the names: 
    328  
    329   Yoyodyne, Inc., hereby disclaims all copyright interest in the program 
    330   `Gnomovision' (which makes passes at compilers) written by James Hacker. 
    331  
    332   <signature of Ty Coon>, 1 April 1989 
    333   Ty Coon, President of Vice 
    334  
    335 This General Public License does not permit incorporating your program into 
    336 proprietary programs.  If your program is a subroutine library, you may 
    337 consider it more useful to permit linking proprietary applications with the 
    338 library.  If this is what you want to do, use the GNU Lesser General 
    339 Public License instead of this License. 
  • capture-hpc/trunk/capture-client/CaptureClient.cpp

    r340 r365  
    284284int _tmain(int argc, WCHAR* argv[]) 
    285285{ 
     286        printf("PROJECT: Capture-HPC\n"); 
     287    printf("VERSION: 2.5\n"); 
     288    printf("DATE: August 6, 2008\n"); 
     289    printf("COPYRIGHT HOLDER: Victoria University of Wellington, NZ\n"); 
     290    printf("AUTHORS:\n"); 
     291    printf("\tChristian Seifert ([email protected])\n"); 
     292    printf("\tRamon Steenson([email protected])\n"); 
     293    printf("\n"); 
     294    printf("Capture-HPC is free software; you can redistribute it and/or modify\n"); 
     295    printf("it under the terms of the GNU General Public License, V2 as published by\n"); 
     296    printf("the Free Software Foundation.\n"); 
     297    printf("\n"); 
     298    printf("Capture-HPC is distributed in the hope that it will be useful,\n"); 
     299    printf("but WITHOUT ANY WARRANTY; without even the implied warranty of\n"); 
     300    printf("MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n"); 
     301    printf("GNU General Public License for more details.\n"); 
     302    printf("\n"); 
     303    printf("You should have received a copy of the GNU General Public License\n"); 
     304    printf("along with Capture-HPC; if not, write to the Free Software\n"); 
     305    printf("Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301,USA\n\n"); 
     306 
    286307        DebugPrintTrace(L"CaptureClient::main start\n"); 
    287308        /* Set the current directory to the where the CaptureClient.exe is found */ 
  • capture-hpc/trunk/capture-client/CaptureClient.rc

    r340 r365  
    5858            VALUE "FileVersion", "2.5.0" 
    5959            VALUE "InternalName", "CaptureClient.exe" 
    60             VALUE "LegalCopyright", "GNU General Public License" 
     60            VALUE "LegalCopyright", "GNU General Public License, V2" 
    6161            VALUE "OriginalFilename", "CaptureClient.exe" 
    6262            VALUE "ProductName", "Capture" 
  • capture-hpc/trunk/capture-client/CaptureClient.vcproj

    r340 r365  
    4343                                Optimization="0" 
    4444                                AdditionalIncludeDirectories="&quot;C:\Program Files\Microsoft Visual Studio 9.0\VC\include&quot;;C:\expatpp\expat\lib;C:\expatpp\src_pp;C:\WinDDK\6000\inc;&quot;C:\program files\boost\boost_1_35_0&quot;;&quot;C:\program files\Microsoft Platform SDK for Windows Server 2003 R2\Include&quot;;C:\WpdPack\Include;C:\WinDDK\6000\inc\api" 
    45                                 PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE;WARN;CAPTURE_DEBUG" 
     45                                PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE;WARN" 
    4646                                MinimalRebuild="true" 
    4747                                BasicRuntimeChecks="3" 
     
    123123                                Optimization="3" 
    124124                                AdditionalIncludeDirectories="C:\Program Files\Microsoft Visual Studio 9.0\VC\include;C:\expatpp\expat\lib;C:\expatpp\src_pp;C:\WinDDK\6000\inc;&quot;C:\program files\boost\boost_1_35_0&quot;;&quot;C:\program files\Microsoft Platform SDK for Windows Server 2003 R2\Include&quot;;C:\WpdPack\Include;C:\WinDDK\6000\inc\api" 
    125                                 PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE;WARN;CAPTURE_DEBUG" 
     125                                PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE;WARN" 
    126126                                RuntimeLibrary="2" 
    127127                                UsePrecompiledHeader="0" 
  • capture-hpc/trunk/capture-client/ExclusionLists/FileMonitor.exl

    r320 r365  
    66+       Create  .*      .* 
    77+       Open    .*      .* 
     8#issue in the way process path information is communicated to capture client 
     9+       Write   UNKNOWN .* 
     10+       Delete  UNKNOWN .* 
     11#capture 
    812+       Write   .*      C:\\program files\\capture\\logs\\.+ 
    913+       Delete  C:\\program Files\\capture\\captureclient\.exe  C:\\program files\\capture\\.+\.zip 
  • capture-hpc/trunk/capture-client/ExclusionLists/ProcessMonitor.exl

    r309 r365  
    33### Clean Windows XP SP 2 System                ### 
    44################################################### 
     5#issue in the way process path information is communicated to capture client 
     6+       UNKNOWN .*      UNKNOWN 
     7#capture client itself 
     8+       CaptureClient.exe       .*      C:\\Program Files\\Capture\\CaptureClient\.exe 
     9+       CaptureClient.bat       .*      C:\\Program Files\\Capture\\CaptureClient\.bat 
     10+       7za.exe .*      C:\\Program Files\\Capture\\7za\.exe 
    511#Windows update (it runs even if disabled) 
    612+       wuauclt.exe     .*      C:\\WINDOWS\\system32\\wuauclt\.exe 
     
    1723+       wmiadap.exe     .*      C:\\WINDOWS\\system32\\wbem\\wmiadap\.exe 
    1824+       wmiprvse.exe    .*      C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe 
     25#vmware tools 
     26+       VMwareUser.exe  .*      C:\\Program Files\\VMware\\VMware Tools\\VMwareUser\.exe 
    1927################################################### 
    2028### Microsoft Internet Explorer 6.0             ### 
     
    2634+       msmsgs.exe      .*      C:\\Program Files\\Messenger\\msmsgs.exe 
    2735+       rundll32.exe    .*      C:\\WINDOWS\\system32\\rundll32.exe 
     36#imapi 
     37+       imapi.exe       .*      c:\\WINDOWS\\system32\\imapi\.exe 
  • capture-hpc/trunk/capture-client/ExclusionLists/RegistryMonitor.exl

    r320 r365  
    1010+       QueryValueKey   .*      .* 
    1111+       QueryKey        .*      .* 
     12#issue in the way process path information is communicated to capture client 
     13+       SetValueKey     UNKNOWN .* 
     14+       DeleteValueKey  UNKNOWN .* 
    1215+       SetValueKey     .*      HKU\\.+\\SessionInformation\\ProgramCount 
    1316+       SetValueKey     .*      HKCU\\Software\\Microsoft\\Windows\\ShellNoRoam.* 
  • capture-hpc/trunk/capture-client/ProcessManager.cpp

    r243 r365  
    44ProcessManager::ProcessManager(void) 
    55{ 
     6        syncEvent = CreateEvent(NULL,FALSE,TRUE,NULL); 
    67        cacheHits = 0; 
    78        cacheMisses = 0; 
     
    1718        DebugPrint(L"\tCache Failures: %i\n", cacheFailures); 
    1819        instanceCreated = false; 
    19         processMap.clear(); 
     20 
     21        if(WaitForSingleObject(syncEvent,INFINITE)==0) { 
     22                processMap.clear(); 
     23                SetEvent(syncEvent); 
     24        } else { 
     25                DebugPrint(L"Capture-ProcessManager: ~ProcessManager signaled incorrectly"); 
     26        } 
     27         
     28        CloseHandle(syncEvent); 
     29 
    2030} 
    2131 
     
    4252        if(created == TRUE) 
    4353        { 
    44                 //processMap.insert(ProcessPair(processId, process)); 
    4554                insertProcess(processId, process); 
    4655        } 
     
    5059ProcessManager::insertProcess(DWORD processId, const std::wstring& processPath) 
    5160{ 
    52         stdext::hash_map<DWORD, std::wstring>::iterator it; 
    53         it = processMap.find(processId); 
    54         if(it !=  processMap.end()) { 
    55                 processMap.erase(it); 
    56         } 
    57         std::wstring processCompletePath = convertFileObjectPathToDOSPath(processPath); 
    58         DebugPrint(L"Capture-ProcessManager: Insert process %i -> %ls\n", processId, processCompletePath.c_str());  
    59         processMap.insert(std::pair<DWORD, std::wstring>(processId, processCompletePath)); 
     61        DebugPrint(L"ProcessManager::insertProcess start\n"); 
     62        if(WaitForSingleObject(syncEvent,INFINITE)==0) { 
     63                DebugPrint(L"ProcessManager::insertProcess signaled\n"); 
     64                stdext::hash_map<DWORD, std::wstring>::iterator it; 
     65                it = processMap.find(processId); 
     66                if(it !=  processMap.end()) { 
     67                        processMap.erase(it); 
     68                } 
     69                std::wstring processCompletePath = convertFileObjectPathToDOSPath(processPath); 
     70                DebugPrint(L"Capture-ProcessManager: Insert process %i -> %ls\n", processId, processCompletePath.c_str());  
     71                processMap.insert(std::pair<DWORD, std::wstring>(processId, processCompletePath)); 
     72                SetEvent(syncEvent); 
     73        } else { 
     74                DebugPrint(L"Capture-ProcessManager: insertProcess signaled incorrectly"); 
     75        } 
     76        DebugPrint(L"ProcessManager::insertProcess end\n"); 
    6077} 
    6178 
     
    100117{ 
    101118        std::wstring processPath = L"UNKNOWN"; 
     119 
     120         
    102121        if(processId == 4) 
    103122        { 
     
    105124                return processPath; 
    106125        } 
    107         stdext::hash_map<DWORD, std::wstring>::iterator it; 
    108         it = processMap.find(processId); 
    109         if((it !=  processMap.end()) && (it->second != L"<unknown>")) 
    110         { 
    111                 cacheHits++; 
    112                 processPath = it->second; 
    113         } else { 
    114                 // NOTE testing showed that this case should never or hardly ever 
    115                 // occur. If you are getting a lot of cache misses maybe there is 
    116                 // something wrong during initialiseProcessMap() for example you 
    117                 // do not have the debug privilege. 
    118                 cacheMisses++; 
    119                 wchar_t szTemp[1024]; 
    120                 ZeroMemory(&szTemp, sizeof(szTemp)); 
    121  
    122                 HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION | 
    123                             PROCESS_VM_READ, FALSE, processId); 
    124                 if(!hProc) 
     126 
     127         
     128        if(WaitForSingleObject(syncEvent,INFINITE)==0) { 
     129                stdext::hash_map<DWORD, std::wstring>::iterator it; 
     130                it = processMap.find(processId); 
     131                if((it !=  processMap.end()) && (it->second != L"<unknown>")) 
    125132                { 
    126                         cacheFailures++; 
    127                         DebugPrint(L"Capture-ProcessManager: Cache failure - process id = %i\n", processId);  
    128                         _ltow_s(processId, szTemp, 256, 10); 
    129                         processPath = szTemp; 
     133                        cacheHits++; 
     134                        processPath = it->second; 
     135                        DebugPrint(L"Capture-ProcessManager: Cache hit %i -> %ls\n", processId, processPath.c_str());  
     136                        SetEvent(syncEvent); 
    130137                        return processPath; 
    131138                } 
    132                 // Cannot use GetModuleFileName because the module list won't be 
    133                 // updated in time ... only happens on rare occasions. 
    134                 DWORD ret = GetProcessImageFileName(hProc, szTemp,1024); 
    135                 CloseHandle(hProc); 
    136                 if(ret > 0) 
    137                 { 
    138                         processPath = szTemp; 
    139                         DebugPrint(L"Capture-ProcessManager: Cache miss %i -> %ls\n", processId, szTemp);  
    140                         insertProcess(processId, processPath); 
    141                 } else { 
    142                         cacheFailures++; 
    143                         DebugPrint(L"Capture-ProcessManager: Cache failure - process id = %i\n", processId);  
    144                         _ltow_s(processId, szTemp, 256, 10); 
    145                         processPath = szTemp; 
    146                 } 
    147         } 
    148          
    149         return processPath; 
    150 } 
     139                SetEvent(syncEvent); 
     140        } else { 
     141                DebugPrint(L"Capture-ProcessManager: getProcessPath signaled incorrectly"); 
     142        } 
     143 
     144        // NOTE testing showed that this case should never or hardly ever 
     145        // occur. If you are getting a lot of cache misses maybe there is 
     146        // something wrong during initialiseProcessMap() for example you 
     147        // do not have the debug privilege. 
     148        cacheMisses++; 
     149        wchar_t szTemp[1024]; 
     150        ZeroMemory(&szTemp, sizeof(szTemp)); 
     151 
     152        HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION | 
     153                                                PROCESS_VM_READ, FALSE, processId); 
     154        int time = 0; 
     155        while(!hProc && time<500) { //half a sec 
     156                //failure to get path - maybe because process is not fully created yet 
     157                //inserting delay and try again 
     158                Sleep(10); 
     159                time = time + 10; 
     160                DebugPrint(L"Capture-ProcessManager: Cache failure1 delay %i\n",time); 
     161                hProc = OpenProcess(PROCESS_QUERY_INFORMATION | 
     162                                                PROCESS_VM_READ, FALSE, processId); 
     163        } 
     164        if(!hProc) 
     165        { 
     166                cacheFailures++; 
     167                processPath = L"UNKNOWN"; 
     168                DebugPrint(L"Capture-ProcessManager: Cache failure1 %i -> %ls\n", processId, processPath.c_str());  
     169                return processPath; 
     170        } 
     171 
     172        time = 0; 
     173        DWORD ret = GetProcessImageFileName(hProc, szTemp,1024); 
     174        while(ret<=0 && time<500) { 
     175                Sleep(10); 
     176                time = time + 10; 
     177                DebugPrint(L"Capture-ProcessManager: Cache failure2 delay %i\n",time); 
     178                ret = GetProcessImageFileName(hProc, szTemp,1024); 
     179        } 
     180 
     181        CloseHandle(hProc); 
     182        if(ret > 0) 
     183        { 
     184                processPath = szTemp; 
     185                DebugPrint(L"Capture-ProcessManager: Cache miss %i -> %ls\n", processId, processPath.c_str());  
     186                insertProcess(processId, processPath); 
     187        } else { 
     188                //failure to get path 
     189                cacheFailures++; 
     190                processPath = L"UNKNOWN"; 
     191                DebugPrint(L"Capture-ProcessManager: Cache failure2 %i -> %ls\n", processId, processPath.c_str());  
     192        } 
     193        DebugPrint(L"ProcessManager::getProcessPath end4\n"); 
     194        return processPath;              
     195} 
     196 
     197 
    151198 
    152199std::wstring 
     
    168215        DWORD aProcesses[1024], cbNeeded, cProcesses; 
    169216 
    170         if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) ) 
     217        if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) ) { 
     218                DebugPrint(L"Capture-ProcessManager: Unable to enum processes.\n"); 
    171219                return; 
     220        } 
    172221 
    173222        cProcesses = cbNeeded / sizeof(DWORD); 
     
    194243                                } 
    195244                        } 
    196                         //printf("Added process: %i -> %ls\n", processId, processPath.c_str()); 
    197                         //processMap.insert(ProcessPair(processId, processPath)); 
    198245                        insertProcess(processId, processPath); 
    199246                        CloseHandle( hProcess ); 
     
    201248        } 
    202249} 
     250 
     251 
     252stdext::hash_map<DWORD, std::wstring> ProcessManager::getProcessMap() { return processMap; } 
  • capture-hpc/trunk/capture-client/ProcessManager.h

    r243 r365  
    5858         
    5959 
    60         stdext::hash_map<DWORD, std::wstring> getProcessMap() { return processMap; } 
     60        stdext::hash_map<DWORD, std::wstring> getProcessMap(); 
     61        HANDLE syncEvent; 
    6162 
    6263private: 
     64         
    6365        static bool instanceCreated; 
    6466    static ProcessManager *processManager; 
    6567         
    6668        ProcessManager(void); 
    67  
    6869        int cacheHits; 
    6970        int cacheMisses; 
  • capture-hpc/trunk/capture-client/ProcessMonitor.cpp

    r320 r365  
    7878ProcessMonitor::connect_onProcessEvent(const signal_processEvent::slot_type& s) 
    7979{  
     80        DebugPrintTrace(L"ProcessMonitor::connect_onProcessEvent start\n"); 
     81        DebugPrintTrace(L"ProcessMonitor::connect_onProcessEvent end\n"); 
    8082        return signalProcessEvent.connect(s);  
    8183} 
     
    105107ProcessMonitor::initialiseKernelDriverProcessMap() 
    106108{ 
    107         stdext::hash_map<DWORD, std::wstring> processMap; 
    108  
    109         processMap = ProcessManager::getInstance()->getProcessMap(); 
    110         stdext::hash_map<DWORD, std::wstring>::iterator it; 
    111         for(it = processMap.begin(); it != processMap.end(); it++) 
    112         { 
    113                 DWORD dwReturn; 
    114                 PROCESS_TUPLE pTuple; 
    115                 ZeroMemory(&pTuple, sizeof(PROCESS_TUPLE)); 
    116                 pTuple.processID = it->first; 
    117                 memcpy(pTuple.name, it->second.c_str(), it->second.length()*sizeof(wchar_t)); 
    118                 DeviceIoControl(hDriver, 
    119                         IOCTL_CAPTURE_PROC_LIST,  
    120                         &pTuple,  
    121                         sizeof(PROCESS_TUPLE),  
    122                         0,  
    123                         0,  
    124                         &dwReturn,  
    125                         NULL); 
    126         } 
     109        DebugPrintTrace(L"ProcessMonitor::initialiseKernelDriverProcessMap start\n"); 
     110        ProcessManager* processManager = ProcessManager::getInstance(); 
     111        if(WaitForSingleObject(processManager->syncEvent,INFINITE)==0) { 
     112                DebugPrint(L"ProcessMonitor::initialiseKernelDriverProcessMap signaled\n"); 
     113                stdext::hash_map<DWORD, std::wstring> processMap; 
     114 
     115                processMap = processManager->getProcessMap(); 
     116                stdext::hash_map<DWORD, std::wstring>::iterator it; 
     117                for(it = processMap.begin(); it != processMap.end(); it++) 
     118                { 
     119                        DWORD dwReturn; 
     120                        PROCESS_TUPLE pTuple; 
     121                        ZeroMemory(&pTuple, sizeof(PROCESS_TUPLE)); 
     122                        pTuple.processID = it->first; 
     123                        memcpy(pTuple.name, it->second.c_str(), it->second.length()*sizeof(wchar_t)); 
     124                        DeviceIoControl(hDriver, 
     125                                IOCTL_CAPTURE_PROC_LIST,  
     126                                &pTuple,  
     127                                sizeof(PROCESS_TUPLE),  
     128                                0,  
     129                                0,  
     130                                &dwReturn,  
     131                                NULL); 
     132                } 
     133                SetEvent(processManager->syncEvent); 
     134        } else { 
     135                DebugPrint(L"ProcessMonitor::initialiseKernelDriverProcessMap signaled incorrectly\n"); 
     136        } 
     137        DebugPrintTrace(L"ProcessMonitor::initialiseKernelDriverProcessMap end\n"); 
    127138} 
    128139 
     
    172183ProcessMonitor::run() 
    173184{ 
     185        DebugPrintTrace(L"ProcessMonitor::run() start\n"); 
    174186        ProcessInfo tempP; 
    175187        ZeroMemory(&tempP, sizeof(tempP)); 
     
    178190        while(!processMonitorThread->shouldStop() && isMonitorRunning()) 
    179191        { 
     192 
     193                DebugPrint(L"Capture-ProcessMonitor: waiting for hEvent signal\n"); 
    180194                WaitForSingleObject(hEvent, INFINITE); 
     195                DebugPrint(L"Capture-ProcessMonitor: hEvent signal received\n"); 
    181196                BOOL       bReturnCode = FALSE; 
    182197                 
     
    199214                                p.ProcessId != tempP.ProcessId) 
    200215                        {                
     216                                DebugPrint(L"Capture-ProcessMonitor: onEvent1 %i %i -> %i\n", p.bCreate, p.ParentId, p.ProcessId);  
     217 
    201218                                std::wstring processPath; 
    202219                                std::wstring processModuleName; 
     
    215232                                parentProcessModuleName = ProcessManager::getInstance()->getProcessModuleName(p.ParentId); 
    216233                                parentProcessPath = ProcessManager::getInstance()->getProcessPath(p.ParentId); 
     234                                DebugPrint(L"Capture-ProcessMonitor: onEvent %i %i:%ls -> %i:%ls\n", p.bCreate, p.ParentId, parentProcessPath.c_str(), p.ProcessId, processPath.c_str());  
    217235                                if(!Monitor::isEventAllowed(processModuleName,parentProcessModuleName,processPath)) 
    218236                                { 
    219                                          
    220                                         DebugPrint(L"Capture-ProcessMonitor: %i %i:%ls -> %i:%ls\n", p.bCreate, p.ParentId, parentProcessPath.c_str(), p.ProcessId, processPath.c_str());  
    221                                         signalProcessEvent(p.bCreate, time, p.ParentId, parentProcessPath, p.ProcessId, processPath); 
     237                                        //work around 
     238                                        //if(p.bCreate) { //TODO: remove and fix the issue around terminating processes not showing process paths 
     239                                                DebugPrint(L"Capture-ProcessMonitor: onEvent not allowed %i %i:%ls -> %i:%ls\n", p.bCreate, p.ParentId, parentProcessPath.c_str(), p.ProcessId, processPath.c_str());  
     240                                                signalProcessEvent(p.bCreate, time, p.ParentId, parentProcessPath, p.ProcessId, processPath); 
     241                                        //} 
    222242                                } 
    223243                                tempP = p; 
    224                         }                
     244                        } else { 
     245                                DebugPrint(L"Capture-ProcessMonitor: onEvent2 %i %i -> %i\n", p.bCreate, p.ParentId, p.ProcessId);  
     246 
     247                                std::wstring processPath; 
     248                                std::wstring parentProcessPath; 
     249                                processPath = ProcessManager::getInstance()->getProcessPath(p.ProcessId); 
     250                                parentProcessPath = ProcessManager::getInstance()->getProcessPath(p.ParentId); 
     251                                 
     252                                DebugPrint(L"Capture-ProcessMonitor: onEvent already processed %i %i:%ls -> %i:%ls\n", p.bCreate, p.ParentId, parentProcessPath.c_str(), p.ProcessId, processPath.c_str());  
     253                        } 
    225254                } 
    226255        } 
    227256        SetEvent(hMonitorStoppedEvent); 
    228 } 
     257        DebugPrintTrace(L"ProcessMonitor::run() stop\n"); 
     258} 
  • capture-hpc/trunk/capture-client/ReadMe-HPC.txt

    r320 r365  
    53534.2. Client Configuration 
    5454------------------------- 
    55 In addition to the exclusion list, one can configure the client identifiers of the client honeypot in the applications.conf file. The client identifiers are pointers to client applications that can be used to interact with a server, such as Internet Explorer, Firefox, Opera, but also other applications that can retrieve content from a network, such as Microsoft Word, Adobe Acrobat Reader. Simply add the client identfier and fully qualifying path name to the client.conf file and specify the client identifier with the uri that should be interacted with in the uri list that is piped to the server, e.g. http://www.google.com::firefox. 
     55In addition to the exclusion list, one can configure the client identifiers of the client honeypot in the applications.conf file. The client identifiers are pointers to client applications that can be used to interact with a server, such as Internet Explorer, Firefox, Opera, but also other applications that can retrieve content from a network, such as Microsoft Word, Adobe Acrobat Reader. Simply add the client identfier and fully qualifying path name to the client.conf file and specify the client identifier with the uri that should be interacted with in the uri list that is piped to the server, e.g. http://www.google.com::firefox.  Note that the client identifier needs to be applied to all the URLs in the input file. Otherwise unpredictable behavior might result. 
    5656 
    5757Since some applications (like Adobe Acrobat) are unable to retrieve content files directly, Capture might retrieve the files, save them to a temporary folder, and then open the file with the application. To enable such behavior, edit the applications.conf file and specify "yes" at the end of the line. 
  • capture-hpc/trunk/capture-server/capture/Client.java

    r353 r365  
    254254            this.setClientState(CLIENT_STATE.VISITING); 
    255255        } else if (type.equals("finish")) { 
    256  
    257  
    258             if (visitingUrlGroup.isMalicious()) { // can already determine this here because the first state change will flip the switch 
    259                 System.out.println(this.getVirtualMachine().getLogHeader() + " Visited group " + visitingUrlGroup.getIdentifier() + " MALICIOUS"); 
    260             } else { 
    261                 System.out.println(this.getVirtualMachine().getLogHeader() + " Visited group " + visitingUrlGroup.getIdentifier() + " BENIGN"); 
    262             } 
    263256            visitingUrlGroup.setVisitFinishTime(element.attributes.get("time")); 
    264257 
     
    266259            Map<String, String> urlStateChangesMap = new TreeMap<String, String>(); 
    267260            List<Element> items = element.childElements; 
     261            List<Integer> processIds = new ArrayList<Integer>(); 
    268262            for (Iterator<Element> iterator = items.iterator(); iterator.hasNext();) { 
    269263                Element item = iterator.next(); 
     
    271265                Url url = visitingUrlGroup.getUrl(uri); 
    272266                int processId = Integer.parseInt(item.attributes.get("processId")); 
     267                processIds.add(processId); 
    273268                urlStateChangesMap.put(url.getUrl().toString(), stateChangeHandler.getStateChangesCSV(processId)); 
    274269                url.setVisitFinishTime(item.attributes.get("time")); 
     
    281276            } 
    282277 
     278 
    283279            String malicious = element.attributes.get("malicious"); 
    284             if (malicious.equals("1")) { 
     280            if (visitingUrlGroup.isMalicious() || malicious.equals("1")) { 
     281                if(!stateChangeHandler.getRemainderStateChangesCSV(processIds).equals("")) { 
     282                    System.out.println(this.getVirtualMachine().getLogHeader() + " Visited group " + visitingUrlGroup.getIdentifier() + " WARNING: No state changes were logged to url log file."); 
     283                } 
     284                System.out.println(this.getVirtualMachine().getLogHeader() + " Visited group " + visitingUrlGroup.getIdentifier() + " MALICIOUS"); 
    285285                flushStateChangeHandler(urlStateChangesMap); 
    286286                visitingUrlGroup.setMalicious(algorithm,true,urlStateChangesMap); 
     
    289289                this.setClientState(CLIENT_STATE.DISCONNECTED); 
    290290            } else { 
     291                System.out.println(this.getVirtualMachine().getLogHeader() + " Visited group " + visitingUrlGroup.getIdentifier() + " BENIGN"); 
    291292                visitingUrlGroup.setMalicious(algorithm,false,urlStateChangesMap); 
    292293                visitingUrlGroup.setUrlGroupState(URL_GROUP_STATE.VISITED);  //will set underlying url state 
  • capture-hpc/trunk/capture-server/capture/Server.java

    r340 r365  
    1414                "\n" + 
    1515                "Capture-HPC is free software; you can redistribute it and/or modify\n" + 
    16                 "it under the terms of the GNU General Public License as published by\n" + 
    17                 "the Free Software Foundation; either version 2 of the License, or\n" + 
    18                 "(at your option) any later version.\n" + 
     16                "it under the terms of the GNU General Public License, V2 as published by\n" + 
     17                "the Free Software Foundation.\n" + 
    1918                "\n" + 
    2019                "Capture-HPC is distributed in the hope that it will be useful,\n" + 
     
    9998    private static String getUsageString() { 
    10099        StringBuffer usageString = new StringBuffer(); 
    101         usageString.append("\nUsage: java -cp [classpath] -Xmx[memory] -Djava.net.preferIPv4Stack=true capture.Server -s listen address [-f input_urls]"); 
     100        usageString.append("\nUsage: java -cp [classpath] -Xmx[memory] [-DfixIds=false] -Djava.net.preferIPv4Stack=true capture.Server -s listen address -f input_urls [-r false]"); 
    102101        usageString.append("\nExample java -cp ./CaptureServer.jar -Xmx1024m -Djava.net.preferIPv4Stack=true capture.Server -s 192.168.1.100:7070 -f input_urls.txt"); 
    103102        return usageString.toString(); 
  • capture-hpc/trunk/capture-server/capture/StateChangeHandler.java

    r353 r365  
    137137        return processTrees.size(); 
    138138    } 
     139 
     140    //get the state changes that do not map to any of the processIds 
     141    public String getRemainderStateChangesCSV(List<Integer> processIds) { 
     142        String remainder = ""; 
     143        for (Iterator<ProcessStateChange> processStateChangeIterator = processTrees.iterator(); processStateChangeIterator.hasNext();) { 
     144            ProcessStateChange processStateChange = processStateChangeIterator.next(); 
     145            if (!processIds.contains(processStateChange.getProcessId())) { 
     146                remainder = remainder + getCSVofTree(processStateChange); 
     147            } 
     148        } 
     149        return remainder; 
     150    } 
     151 
     152 
    139153} 
  • capture-hpc/trunk/capture-server/capture/UrlGroup.java

    r353 r365  
    8080            } 
    8181 
    82             System.out.println("URL " + encodedURI + " not found. Looking through group."); 
     82            System.out.println("URL " + encodedURI + " not found. Looking through group " + identifier + "."); 
    8383            for (Iterator<Url> iterator = urlList.iterator(); iterator.hasNext();) { 
    8484                Url url = iterator.next(); 
     
    147147 
    148148 
    149     public void writeEventToLog(Map<String,String> urlCSVMap) { 
     149    public void writeEventToLog(Map<String, String> urlCSVMap) { 
    150150        for (Iterator<Url> urlIterator = urlList.iterator(); urlIterator.hasNext();) { 
    151151            Url url = urlIterator.next(); 
    152152            String csv = urlCSVMap.get(url.getUrl()); 
    153153            if (csv == null || csv.equals("")) { 
    154                 if(urlList.size() == 1 && urlCSVMap.size()==1) { 
    155                     csv = urlCSVMap.values().iterator().next(); 
    156                     url = urlList.get(0); 
    157                     url.writeEventToLog(csv); 
    158                     break; 
    159                 } else { 
    160                     System.out.println("WARNING: Couldnt find csv for URL " + url.getUrl()); 
    161                 } 
     154                System.out.println("WARNING: Couldnt find csv for URL " + url.getUrl()); 
    162155            } else { 
    163156                url.writeEventToLog(csv); 
     
    179172    } 
    180173 
    181     public void setMalicious(String algorithm, boolean malicious, Map<String,String> urlMaliciousMap) { 
     174    public void setMalicious(String algorithm, boolean malicious, Map<String, String> urlMaliciousMap) { 
    182175        this.malicious = malicious; 
    183         if(!algorithm.equals("bulk")) { 
     176        if (!algorithm.equals("bulk")) { 
    184177            if (!this.malicious) { 
    185178                for (Iterator<Url> iterator = urlList.iterator(); iterator.hasNext();) { 
     
    197190                Url url = iterator.next(); 
    198191                String stateChanges = urlMaliciousMap.get(url.getUrl().toString()); 
    199                 if(stateChanges.equals("")) { 
     192                if (stateChanges.equals("")) { 
    200193                    url.setMalicious(false); 
    201194                } else {