Panoptes 1.0.0
Endpoint Detection and Response
Loading...
Searching...
No Matches
Classes | Functions | Variables
grpc.cpp File Reference
#include <grpcpp/grpcpp.h>
#include "panoptes.grpc.pb.h"
#include "panoptes_service.h"
#include "grpc.hpp"
#include "hash.h"
#include "pano_log.h"
#include "utils.h"
#include "TrayNotifications.h"
#include "Configuration.hpp"
#include <vector>
#include <string>
#include <algorithm>
#include <filesystem>
#include <regex>
#include "PanoptesAMSI.h"

Go to the source code of this file.

Classes

class  PanoptesImpl
 The PanoptesImpl class is a class that implements the PanoptesExtensibility::Service interface from the gRPC class. More...
 

Functions

void MoveFileToQuarantine (std::string filePath)
 
bool GetRegistryPortValue (DWORD &portValue)
 
bool isPathInExclusions (const std::vector< std::string > &exclusions, const std::string &fullPath)
 
bool CheckIfMalicious (std::string jsonString)
 
bool CreateRegistryEntryWithPort (DWORD dwPort)
 
std::string CleanUpProtobufMessage (std::string msg)
 
void SelfQueuePeScan (std::string pePath, std::string fileHash)
 
void RunServiceServer (LPVOID lpParam)
 

Variables

std::unique_ptr< PanoptesExtensibility::Stub > stub_
 
std::unique_ptr< PanoptesService::Stub > selfStub_
 
std::vector< std::pair< ContainerType, int > > g_containerServerPorts
 
PanoptesContextserviceContext
 

Function Documentation

◆ CheckIfMalicious()

bool CheckIfMalicious ( std::string  jsonString)

Definition at line 104 of file grpc.cpp.

104 {
105 nlohmann::json jsonObject = nlohmann::json::parse(jsonString);
106 if (jsonObject.contains("yara_scan") && jsonObject["yara_scan"].contains("detected_rules"))
107 {
108 nlohmann::json yaraObject = jsonObject["yara_scan"];
109 int detected_rules = yaraObject["detected_rules"].size();
110 if (detected_rules > 0) {
111 return true;
112 }
113 }
114
115 if (jsonObject.contains("amsi_result"))
116 {
117 AmsiScanner::AMSI_RESULT_PANO amsiResult = jsonObject["amsi_result"];
118 if (amsiResult == AmsiScanner::AMSI_RESULT_PANO_DETECTED) {
119 return true;
120 }
121 }
122
123
124 return false;
125}
AmsiScanner::AMSI_RESULT_PANO
AMSI_RESULT_PANO
The result of the AMSI scan.
Definition PanoptesAMSI.h:19
AmsiScanner::AMSI_RESULT_PANO_DETECTED
@ AMSI_RESULT_PANO_DETECTED
Definition PanoptesAMSI.h:24

References AmsiScanner::AMSI_RESULT_PANO_DETECTED.

◆ CleanUpProtobufMessage()

std::string CleanUpProtobufMessage ( std::string  msg)

Definition at line 170 of file grpc.cpp.

170 {
171 size_t pos;
172 while ((pos = msg.find("\\u0000")) != std::string::npos) {
173 msg.erase(pos, 6);
174 }
175
176 nlohmann::json j = nlohmann::json::parse(msg);
177 std::time_t now = std::time(nullptr);
178 std::string formattedTime = FormatTime(now);
179 j["Time"] = std::string(formattedTime);
180 std::string dumpAgain = j.dump();
181
182 return dumpAgain;
183}
FormatTime
std::string FormatTime(const std::time_t &time)
Definition utils.cpp:87

References FormatTime().

◆ CreateRegistryEntryWithPort()

bool CreateRegistryEntryWithPort ( DWORD  dwPort)

Definition at line 127 of file grpc.cpp.

127 {
128 HKEY hKey;
129 DWORD dwDisposition;
130
131 // Create or open the key
132 LONG lResult = RegCreateKeyExA(
133 HKEY_LOCAL_MACHINE,
134 "SOFTWARE\\Panoptes",
135 0,
136 NULL,
137 REG_OPTION_NON_VOLATILE,
138 KEY_ALL_ACCESS,
139 NULL,
140 &hKey,
141 &dwDisposition
142 );
143
144 if (lResult != ERROR_SUCCESS) {
145 std::cerr << "Error creating/opening registry key. Error code: " << lResult << std::endl;
146 return false;
147 }
148
149 // Set the SRV_PORT value
150 lResult = RegSetValueExA(
151 hKey,
152 "SRV_PORT",
153 0,
154 REG_DWORD,
155 reinterpret_cast<const BYTE*>(&dwPort),
156 sizeof(dwPort)
157 );
158
159 if (lResult != ERROR_SUCCESS) {
160 std::cerr << "Error setting registry value. Error code: " << lResult << std::endl;
161 RegCloseKey(hKey);
162 return false;
163 }
164
165 RegCloseKey(hKey);
166 std::cout << "Registry entry created successfully." << std::endl;
167 return true;
168}
BYTE
unsigned char BYTE
Definition inject.h:4
DWORD
unsigned long DWORD
Definition inject.h:2

Referenced by RunServiceServer().

◆ GetRegistryPortValue()

bool GetRegistryPortValue ( DWORD portValue)

Definition at line 48 of file grpc.cpp.

49{
50 HKEY hKey;
51 DWORD dwType = REG_DWORD;
52 DWORD dwSize = sizeof(DWORD);
53
54 // Open the key
55 LONG lResult = RegOpenKeyExA(
56 HKEY_LOCAL_MACHINE,
57 "SOFTWARE\\Panoptes",
58 0,
59 KEY_READ,
60 &hKey
61 );
62
63 if (lResult != ERROR_SUCCESS) {
64 std::cerr << "Error opening registry key. Error code: " << lResult << std::endl;
65 return false;
66 }
67
68 // Read the SRV_PORT value
69 lResult = RegQueryValueExA(
70 hKey,
71 "SRV_PORT",
72 NULL,
73 &dwType,
74 reinterpret_cast<LPBYTE>(&portValue),
75 &dwSize
76 );
77
78 RegCloseKey(hKey);
79
80 if (lResult != ERROR_SUCCESS) {
81 std::cerr << "Error reading registry value. Error code: " << lResult << std::endl;
82 return false;
83 }
84
85 if (dwType != REG_DWORD) {
86 std::cerr << "Unexpected value type in registry." << std::endl;
87 return false;
88 }
89
90 return true;
91}

Referenced by SelfQueuePeScan().

◆ isPathInExclusions()

bool isPathInExclusions ( const std::vector< std::string > &  exclusions,
const std::string &  fullPath 
)

Definition at line 93 of file grpc.cpp.

94{
95 std::filesystem::path fullPathNormalized = std::filesystem::path(fullPath).lexically_normal();
96
97 return std::any_of(exclusions.begin(), exclusions.end(),
98 [&fullPathNormalized](const std::string& path) {
99 std::filesystem::path pathNormalized = std::filesystem::path(path).lexically_normal();
100 return fullPathNormalized.string().find(pathNormalized.string()) == 0;
101 });
102}

Referenced by SelfQueuePeScan().

◆ MoveFileToQuarantine()

void MoveFileToQuarantine ( std::string  filePath)

Definition at line 32 of file grpc.cpp.

32 {
33 std::string quarantinePath = "C:\\ProgramData\\Panoptes\\Quarantine";
34
35 if (!fs::exists(quarantinePath)) {
36 fs::create_directories(quarantinePath);
37 }
38 std::filesystem::path sourcePath(filePath);
39 std::filesystem::path destinationPath = fs::path(quarantinePath) / sourcePath.filename();
40 try {
41 fs::rename(sourcePath, destinationPath);
42 }
43 catch (const std::filesystem::filesystem_error& e) {
44 std::cerr << "Error moving file to quarantine: " << e.what() << std::endl;
45 }
46}

◆ RunServiceServer()

void RunServiceServer ( LPVOID  lpParam)

Definition at line 371 of file grpc.cpp.

372{
373 serviceContext = reinterpret_cast<PanoptesContext*>(lpParam);
374 PanoptesImpl service;
375 grpc::ServerBuilder builder;
376 int selected_port = 0;
377 std::string server_url = "localhost:0";
378
379 //Setting the server address to localhost:0 will allow the OS to assign an available port
380 builder.AddListeningPort(server_url, grpc::InsecureServerCredentials(), &selected_port);
381 builder.RegisterService(&service);
382
383 std::unique_ptr<grpc::Server> server(builder.BuildAndStart());
384 if (server == nullptr) {
385 auto threadError = &serviceContext->threadError;
386 bool threadState = threadError->load();
387 threadError->store(true);
388 }
389
390 bool updatedReg = CreateRegistryEntryWithPort(selected_port);
391 if (!updatedReg) {
392 auto threadError = &serviceContext->threadError;
393 bool threadState = threadError->load();
394 threadError->store(true);
395 }
396
397 server->Wait();
398}
PanoptesImpl
The PanoptesImpl class is a class that implements the PanoptesExtensibility::Service interface from t...
Definition ext_server.cpp:66
serviceContext
PanoptesContext * serviceContext
Definition grpc.cpp:27
CreateRegistryEntryWithPort
bool CreateRegistryEntryWithPort(DWORD dwPort)
Definition grpc.cpp:127
PanoptesContext::threadError
std::atomic< bool > threadError
Definition panoptes_service.h:7

References CreateRegistryEntryWithPort(), serviceContext, and PanoptesContext::threadError.

Referenced by WinMain().

◆ SelfQueuePeScan()

void SelfQueuePeScan ( std::string  pePath,
std::string  fileHash 
)

Definition at line 224 of file grpc.cpp.

224 {
225 auto configuration = serviceContext->config;
226 if (isPathInExclusions(configuration->m_exclusions, pePath)) {
227 return;
228 }
229
230 DWORD containerPort = 0;
231 GetRegistryPortValue(containerPort);
232 std::string server_url = "localhost:" + std::to_string(containerPort);
233 std::shared_ptr<grpc::Channel> channel = grpc::CreateChannel(server_url, grpc::InsecureChannelCredentials());
234 selfStub_ = PanoptesService::NewStub(channel);
235
236 AckMessage reply;
237 ClientContext context;
238 PeScanInfo request;
239 request.set_file_hash(fileHash);
240 request.set_portable_executable_path(pePath);
241
242 Status status = selfStub_->QueuePeScan(&context, request, &reply);
243 if (!status.ok()) {
244 std::cout << status.error_code() << ": " << status.error_message() << std::endl;
245 }
246}
GetRegistryPortValue
bool GetRegistryPortValue(DWORD &portValue)
Definition grpc.cpp:48
selfStub_
std::unique_ptr< PanoptesService::Stub > selfStub_
Definition grpc.cpp:25
isPathInExclusions
bool isPathInExclusions(const std::vector< std::string > &exclusions, const std::string &fullPath)
Definition grpc.cpp:93
PanoptesContext::config
Configuration * config
Definition panoptes_service.h:8

References PanoptesContext::config, GetRegistryPortValue(), isPathInExclusions(), selfStub_, and serviceContext.

Referenced by DisplayEventInfo().

Variable Documentation

◆ g_containerServerPorts

std::vector<std::pair<ContainerType, int> > g_containerServerPorts

Definition at line 26 of file grpc.cpp.

◆ selfStub_

std::unique_ptr<PanoptesService::Stub> selfStub_

Definition at line 25 of file grpc.cpp.

Referenced by SelfQueuePeScan().

◆ serviceContext

PanoptesContext* serviceContext

Definition at line 27 of file grpc.cpp.

Referenced by RunServiceServer(), SelfQueuePeScan(), StartPanoptesTrace(), and WinMain().

◆ stub_

std::unique_ptr<PanoptesExtensibility::Stub> stub_

Definition at line 24 of file grpc.cpp.

Generated by doxygen 1.9.8