only log anomalies when the vm is not already shutting down

spender-sandbox · Mar 3, 2014 · f3a9aeb · f3a9aeb
1 parent 065f6e5
commit f3a9aeb
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 5 deletions.
diff --git a/config.c b/config.c
@@ -56,6 +56,10 @@ void read_config()
                     strncpy(g_config.analyzer, value,
                         ARRAYSIZE(g_config.analyzer));
                 }
+                else if(!strcmp(key, "shutdown-mutex")) {
+                    strncpy(g_config.shutdown_mutex, value,
+                        ARRAYSIZE(g_config.shutdown_mutex));
+                }
                 else if(!strcmp(key, "first-process")) {
                     g_config.first_process = value[0] == '1';
                 }

diff --git a/config.h b/config.h
@@ -26,6 +26,9 @@ struct {
     // analyzer directory, has to be hidden
     char analyzer[MAX_PATH];
 
+    // if this mutex exists then we're shutting down
+    char shutdown_mutex[MAX_PATH];
+
     // is this the first process or not?
     int first_process;
 

diff --git a/misc.c b/misc.c
@@ -22,6 +22,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #include <shlwapi.h>
 #include "ntapi.h"
 #include "misc.h"
+#include "config.h"
 
 ULONG_PTR parent_process_id() // By Napalm @ NetCore2K (rohitab.com)
 {
@@ -267,3 +268,14 @@ int ensure_absolute_path(wchar_t *out, const wchar_t *in, int length)
         return out[length] = 0, length;
     }
 }
+
+int is_shutting_down()
+{
+    HANDLE mutex_handle =
+        OpenMutex(SYNCHRONIZE, FALSE, g_config.shutdown_mutex);
+    if(mutex_handle != NULL) {
+        CloseHandle(mutex_handle);
+        return 1;
+    }
+    return 0;
+}
diff --git a/misc.h b/misc.h
@@ -36,5 +36,7 @@ int ensure_absolute_path(wchar_t *out, const wchar_t *in, int length);
 int wcsnicmp(const wchar_t *a, const wchar_t *b, int len);
 int wcsicmp(const wchar_t *a, const wchar_t *b);
 
+int is_shutting_down();
+
 // Define MAX_PATH plus tolerance for windows "tolerance"
 #define MAX_PATH_PLUS_TOLERANCE MAX_PATH + 64
diff --git a/unhook.c b/unhook.c
@@ -22,6 +22,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #include "hooking.h"
 #include "pipe.h"
 #include "log.h"
+#include "misc.h"
 
 #define UNHOOK_MAXCOUNT 2048
 #define UNHOOK_BUFSIZE 256
@@ -79,8 +80,10 @@ static DWORD WINAPI _unhook_detect_thread(LPVOID param)
         if(WaitForSingleObject(g_watcher_thread_handle,
                 500) != WAIT_TIMEOUT) {
             if(watcher_first != 0) {
-                log_anomaly("unhook", 1, NULL,
-                    "Unhook watcher thread has been corrupted!");
+                if(is_shutting_down() == 0) {
+                    log_anomaly("unhook", 1, NULL,
+                        "Unhook watcher thread has been corrupted!");
+                }
                 watcher_first = 0;
             }
             Sleep(100);
@@ -102,7 +105,9 @@ static DWORD WINAPI _unhook_detect_thread(LPVOID param)
             }
 
             if(g_hook_reported[idx] == 0) {
-                log_anomaly("unhook", 1, g_funcname[idx], msg);
+                if(is_shutting_down() == 0) {
+                    log_anomaly("unhook", 1, g_funcname[idx], msg);
+                }
                 g_hook_reported[idx] = 1;
             }
         }
@@ -117,8 +122,10 @@ static DWORD WINAPI _unhook_watch_thread(LPVOID param)
 
     while (WaitForSingleObject(g_unhook_thread_handle, 1000) == WAIT_TIMEOUT);
 
-    log_anomaly("unhook", 1, NULL,
-        "Unhook detection thread has been corrupted!");
+    if(is_shutting_down() == 0) {
+        log_anomaly("unhook", 1, NULL,
+            "Unhook detection thread has been corrupted!");
+    }
     return 0;
 }