import global_vars
import process
#import yara
import hash_white_list
rm_plugs_config = {
    "enable": True,
    "author": "huoji",
    "description": "基于进程链的uac提权检测",
    "version": "0.0.1"
}


def intergritylevel_to_int(str_name):
    if str_name == 'high':
        return 3
    elif str_name == 'medium':
        return 2
    return 1


def rule_new_process_create(current_process: process.Process, host, raw_log_data, json_log_data):
    if 'integritylevel' in json_log_data['data']:
        integritylevel = intergritylevel_to_int(
            json_log_data['data']['integritylevel'])
        current_process.plugin_var['uac_flag'] = integritylevel

        if 'uac_flag' not in current_process.chain.root_process.plugin_var:
            current_process.chain.root_process.plugin_var['uac_flag'] = integritylevel
        if integritylevel > current_process.chain.root_process.plugin_var['uac_flag'] and hash_white_list.check_in_while_list(current_process) == False:
            print('[uac bypass detect] detect uac bypass in process chain {}'.format(
                current_process.path))
            current_process.chain.root_process.plugin_var['uac_flag'] = integritylevel
            current_process.set_score(30, "进程权限等级变动")
            return global_vars.THREAT_TYPE_PROCESS
        # print('process chain: {} path: {} level: {} log level: {}'.format(
        #    current_process.chain_hash, current_process.path, integritylevel, current_process.chain.root_process.plugin_var['uac_flag']))
    return global_vars.THREAT_TYPE_NONE


def rule_new_process_action(current_process, host, raw_log_data, json_log_data):
    return global_vars.THREAT_TYPE_NONE


def rule_init():
    pass


def plugin_init():
    print('uac提权插件 2022/8/15 by huoji')