//
// appmon.h
// appmon
//
// Created by Patrick Wardle.
// Modified by Chris Ross
//
//
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#import <IOKit/kext/KextManager.h>
#import <Kernel/kern/cs_blobs.h> // For signing flags
// Majority of the code in appmon.h and appmon.m was taken from the ProcessMonitor project by Patrick Wardle
// https://github.com/objective-see/ProcessMonitor
//code signing keys
// Keys for the code-signing entries placed in SecurityEvent.metadata (presumably
// by -extractSigningInfo:forOriginProcess: — confirm in appmon.m). Kept as macros
// rather than typed constants so existing callers can still use them in
// compile-time literal concatenation.
// CDHash of the process's main executable; identifies the exact code that ran.
#define KEY_SIGNATURE_CDHASH @"cdHash"
// Raw CS_* bitmask from <Kernel/kern/cs_blobs.h>. A consumer should check
// CS_VALID here before treating the identifier/team below as trustworthy.
#define KEY_SIGNATURE_FLAGS @"csFlags"
// Signing identifier (bundle-style string) as reported by the kernel.
#define KEY_SIGNATURE_IDENTIFIER @"signatureIdentifier"
// Developer team identifier; may be absent for ad-hoc / platform-signed code.
#define KEY_SIGNATURE_TEAM_IDENTIFIER @"teamIdentifier"
// Whether the kernel marked the binary as Apple platform code.
#define KEY_SIGNATURE_PLATFORM_BINARY @"isPlatformBinary"
// Event Class for events
// Forward declaration only: SecurityEvent is defined later in this header, and the
// callback typedef below needs just the name.
@class SecurityEvent;
// Typedef for event handling callback function
// Invoked once per delivered event; the argument is never nil. Which thread it is
// called on is not specified here — presumably the ES client's handler thread;
// confirm in appmon.m before touching UI or non-thread-safe state from it.
typedef void (^EventCallbackBlock)(SecurityEvent* _Nonnull);
NS_ASSUME_NONNULL_BEGIN

/// Owns the Endpoint Security client and hands every observed event, wrapped in a
/// SecurityEvent, to the callback given to -start:.
@interface Inspecter : NSObject

/// Begins event delivery.
/// @param callback Called once per event; must not be nil.
/// @return YES when monitoring started, NO otherwise (presumably when the ES client
///         cannot be created, which requires the Endpoint Security entitlement and
///         Full Disk Access — confirm in appmon.m).
- (BOOL)start:(EventCallbackBlock)callback;

/// Ends event delivery.
/// @return YES on success, NO otherwise.
- (BOOL)stop;

@end

NS_ASSUME_NONNULL_END
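/// One Endpoint Security event normalised into a JSON-serialisable record.
/// The common fields are properties; event-type-specific data (signing info under
/// the KEY_SIGNATURE_* keys, paths, arguments, ...) goes into `metadata`.
/// String properties are `copy` so a mutable string handed in by a caller cannot
/// alter the record after it was built. Atomicity is deliberately left at the
/// default because events may be produced on the ES handler thread.
@interface SecurityEvent : NSObject

// Properties. These properties will need to be serialized into JSON
// pid of the process the event concerns.
@property NSNumber* _Nonnull pid;
// Time of the event; rendered by -nsDateToString (format not visible here).
@property NSDate* _Nonnull timestamp;
@property (copy) NSString* _Nonnull hostname;
// Effective uid of the process — presumably; confirm in appmon.m.
@property NSNumber* _Nonnull uid;
@property (copy) NSString* _Nonnull user;
// Event type name used to tell the JSON records apart.
@property (copy) NSString* _Nonnull type;
// Mutable on purpose: the extract*/handle* helpers add keys to it. Must NOT be
// `copy` — copying an NSMutableDictionary yields an immutable NSDictionary.
@property NSMutableDictionary* _Nonnull metadata;
// Optional filter evaluated against the event; nil means no filtering.
@property NSPredicate* _Nullable eventFilter;

// Initialization method for all events
/// Builds the record from a raw ES message.
/// @param message The message as delivered by the ES client; must not be nil.
/// @return The event, or nil if the message could not be turned into one
///         (presumably an unhandled event type — confirm in appmon.m).
- (nullable instancetype)init:(es_message_t* _Nonnull)message;

// helper function written by Patrick Wardle to extract arguments for process events
/// Copies the exec argument vector into `metadata`. Arguments are attacker-controlled
/// text; treat them as untrusted when they are later serialised or displayed.
- (void)extractArgs:(es_events_t *_Nonnull)event;

// helper function written by Patrick Wardle to extract signing info in Process events
/// Fills the KEY_SIGNATURE_* entries (CDHash, CS flags, identifier, team, platform
/// flag) for `process`.
/// @param forOriginProcess true to record the data for the originating process rather
///        than the event's target — presumably; confirm in appmon.m.
- (void)extractSigningInfo:(es_process_t *_Nonnull)process forOriginProcess:(bool)forOriginProcess;

// helper function written by Patrick Wardle to extract file path information for file events
- (void)extractPaths:(es_message_t*_Nonnull)message;

// helper function to handle process events in general
- (void)handleProcessEventData:(es_process_t *_Nonnull)process;
/// Records the process that originated the event (e.g. the parent/instigator).
- (void)extractOriginProcessDataForEvent:(es_process_t *_Nonnull)process;
/// Records the exec environment. Environment strings can carry secrets; the
/// implementation decides what is emitted — confirm in appmon.m.
- (void)extractEnvironmentVariablesForProcess:(es_event_exec_t *_Nonnull)process;
/// task_for_pid-style access to another process — a common injection precursor.
- (void)handleGetTaskEventData:(es_event_get_task_t *_Nonnull)task;
- (void)handleMMapEventData:(es_event_mmap_t *_Nonnull)mmap;
/// Unlike the other handlers this one takes the whole message, not the event union.
- (void)handleKextEventData:(es_message_t *_Nonnull)kext;
- (void)handleSetExtattrEventData:(es_event_setextattr_t *_Nonnull)extattr;
- (void)handleSetAttrlistEventData:(es_event_setattrlist_t *_Nonnull)attr;
- (void)handleSetOwnerEventData:(es_event_setowner_t *_Nonnull)owner;
/// Decodes the open(2) flags of the event into `metadata`.
- (void)extractFileOpenFlags:(es_event_open_t *_Nonnull)open;

/// String form of `timestamp` for the JSON output.
- (NSString*_Nonnull)nsDateToString;

@end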
//helper function
// get parent of arbitrary process
// Looks up the parent pid of `child`. How (sysctl/proc_info) and what is returned
// when the lookup fails — e.g. the process already exited, a frequent race with ES
// exit events — is not visible from this header; callers should not assume the
// result is a live pid. Confirm in appmon.m.
pid_t getParentID(pid_t child);
// C-level consumer of events. The name suggests the argument is the event already
// serialised to JSON. Ownership and lifetime of the buffer (who frees it, whether it
// survives the call) are not stated here — TODO confirm in appmon.m before keeping
// the pointer past the callback.
typedef void (*EventHandlerFn)(char * _Nonnull jsonEventString);
// Bundle of C callbacks passed to startEventHandler(); currently a single handler.
typedef struct {
EventHandlerFn _Nonnull f;   // called once per event
} Callbacks;
// Starts monitoring and routes each event through functionCallback.f. Whether the
// call blocks or returns immediately is not visible from this header.
void startEventHandler(Callbacks functionCallback);