Host Indicator Grep v0.2 documentation

Reference

«  Usage   ::   Contents

Reference

General Functions

Log(object[, ...])

Emits a log message containing the stringified version of each argument. If called in the context of evaluating a rule, the message will be included in the report for that rule. If called in any other context, it will be printed to the console.

File System Functions

GetWindowsDirectory()
Rtype :string
Returns:The path of the Windows directory, e.g. C:\Windows
GetUserProfiles()
Rtype :array of string
Returns:A list of the user profile directories on the system. e.g: ["C:\\Documents and Settings\\User1", "C:\\Documents and Settings\\User2"]
GetFileSize(path)
Arguments:
  • path (string) – A filename
Returns int:

the size of the file in bytes
Throws IOError:

if the file does not exist or cannot be read
GetPartialChecksum(path)
Arguments:
  • path (string) – A filename
Returns string:

the MD5 checksum of the first 4096 bytes of the file, in hex.

Note

The higrep distribution comes with a utility md5sum4096 which computes the partial MD5 of files.

Note

higrep maintains an in-memory cache of computed MD5 checksums. So long as the file modification timestamp does not change, a new MD5 will not be computed until the program restarts.

GetChecksum(path)
Arguments:
  • path (string) – A filename
Returns string:

the MD5 checksum of the file, in hex.

Warning

Computing MD5 checksums of large number of files could have a negative performance impact on the client system. To mitigate this risk, consider using GetPartialChecksum() instead of this function.

EnumerateFiles(path, callback)
Arguments:
  • path (string) – The path to the directory to search
  • callback – a function to be called for each file found under path. The callback function should accept exactly one argument, a FileInfo() object.
class FileInfo()
Arguments:
  • path (int) – The path to the file
  • path (int) – The size of the file in bytes

Registry Functions

EnumerateRegistry(path, callback)
EnumerateRegistryRecursive(path, callback)
Arguments:
  • path (string) – The registry path to search under
  • callback – A function to be called for each registry value found under path. callback should accept exactly on argument, a RegistryValueInfo() object.

This function enumerates all registry values under the registry path. For each value it calls callback. If callback returns a non-null value, then the search is terminated and the returned value of callback is return by RegistrySearch().

The path argument is expanded as follows:

  • If path begins with HKLM or HKEY_LOCAL_MACHINE then the local machine hive is searched.
  • If path begins with HKCU or HKEY_CURRENT_USER then ALL of the loaded user hives are searched.
  • If path begins with . then both the local machine as well as all loaded user hives are searched.

Example:

var path = RegistrySearch(".\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
  function (value_info) {
    if (value_info.type == REG_SZ && value_info.name == "FooBot") {
      Log("found foobot launcher at " + value_info.data);
      return value_info.data; // Stop the search once
    }
    // by returning nothing, we continue the search
  });
class RegistryValueInfo()
Attr string key:
 The full path to the registry key containing this value
Attr string root_key:
 The root of the search, which corresponds to an expanded version of the path argument to RegistrySearch() .
Attr string sub_key:
 The portion of the registry key path below root_key.
Attr string name:
 The name of the registry value
Attr object data:
 The data found in the value. For REG_DWORD values, this is an int, for others it is a string.
Attr int type:The value type, one of the registry constants, e.g. REG_DWORD, REG_SZ, etc.

Process Functions

IsMutexHeld(mutex_name)
Arguments:
  • name (string) – The name of the mutex
Rtype :

bool
Returns:

true if there is a thread on the system holding this mutex.
EnumerateProcesses(callback)
Arguments:
  • callback – A function to be called for each process on the system. The function should take exactly one argument, a ProcessInfo() object.
Returns:

The first non-null return value from callback.

Once callback returns a non-null value, this function stops searching processes. IterateProcesses returns the first non-null value returned by callback.

class ProcessInfo()
Arguments:
  • exe_file (string) – The path to the executable file
  • pid (int) – The process ID
SearchMemoryASCII(pid, query)
Arguments:
  • pid (int) – The process ID of the process whose memory should be searched
  • query (string) – The ASCII string to search for
Rtype :

boolean
Returns:

true if query was found in the memory of process pid
SearchMemoryWide(pid, query)
Arguments:
  • pid (int) – The process ID of the process whose memory should be searched
  • query (string) – The wide character string to search for
Rtype :

boolean
Returns:

true if query was found in the memory of process pid
SearchMemoryBinary(pid, query[, flags])
Arguments:
  • pid (int) – The process ID of the process whose memory should be searched
  • query (string) – The bytes to search for in hex.
  • flags (int) –

    If omitted, the default value of 0 is used. Flags should be on of the following ORd together:

    • kAllocationStart - query must be anchored to the start of a memory allocation
    • kPageStart - query must be anchored to the beginning of a page
Rtype :

boolean
Returns:

true if query was found in the memory of process pid

This search function (unlike the others) supports simple wild cards. Any byte can be replaced with .. to match any byte. Wildcards cannot begin or end the expression.

Warning

The memory search functions inspect process memory in chunks of 96KB. As a result, the length of search queries are limited to 96KB in size and the functions cannot find a query that spans the 96KB boundry. In practice, this does not seem to be a significant limitation.

ProcessLoadedModules(pid)
Arguments:
  • pid (int) – The process ID
Rtype :

list of string
Returns:

a list of all the filenames of all the loaded modules in pid.

Configuration

rules

This object contains the list of rules currently loaded. It can be manipulated like a dictionary to add or remove rules. For example:

rules.FooBot = function() {
  if (IsMutexHeld("FooBotMutex")) {
    return true;
  }
  if (IterateProcesses(function(process) {
      if (process.name == "foobot.exe") {
        return true;
      }
    }) {
    return true;
  }
};

// disable a broken rule
delete rules["BrokenRule"];
settings

This object contains various configuration settings.

Attr string service_name:
 the name of the service passed to Windows
Attr string service_description:
 the description of the service passed to Windows
Attr int evaluate_interval_seconds:
 The number of seconds between each pass at evaluating each rule
Attr string reporter:
 The URL or filename of the reporter. If a URL is specified then reports are uploaded via HTTP POST requests. If a filename is provided, then reports are placed in the specified file. If the special string null is specified, reports are not generated.
Attr report_interval_seconds:
 The maximum number of seconds that a report can be queued before it is sent.
Attr report_queue_maximum:
 The maximum number of reports that can be queued before the waiting reports are sent.
Attr updater:The URL or filename of an updated version of the embedded script, or the special string null to disable updating.
Attr int update_interval_seconds:
 The number of seconds between each check for an update. This is only used by the HTTP updater, the file system updater checks for updates continuously.
Attr bool update_at_start:
 If true, try to update the rules file before evaluating the built in rules even once.

«  Usage   ::   Contents

© Copyright 2010 Carnegie Mellon University. Created using Sphinx 1.0.1.