refactor(accessor): Lazy file information filter fields

rabbitstack · rabbitstack · commit 01de00bd8035 · 2026-02-27T18:37:44.000+01:00
diff --git a/pkg/filter/accessor_windows.go b/pkg/filter/accessor_windows.go
@@ -716,12 +716,11 @@ func (l *fileAccessor) Get(f Field, e *event.Event) (params.Value, error) {
 			return isLOLDriver(f.Name, e)
 		}
 		return false, nil
-	case fields.FileIsDLL:
-		return e.Params.GetBool(params.FileIsDLL)
-	case fields.FileIsDriver:
-		return e.Params.GetBool(params.FileIsDriver)
-	case fields.FileIsExecutable:
-		return e.Params.GetBool(params.FileIsExecutable)
+	case fields.FileIsDLL, fields.FileIsDriver, fields.FileIsExecutable:
+		if e.IsCreateDisposition() && e.IsSuccess() {
+			return getFileInfo(f.Name, e)
+		}
+		return false, nil
 	case fields.FilePID:
 		return e.Params.GetPid()
 	case fields.FileKey:
@@ -873,14 +872,13 @@ func (*moduleAccessor) Get(f Field, e *event.Event) (params.Value, error) {
 			return isLOLDriver(f.Name, e)
 		}
 		return false, nil
-	case fields.ImageIsDLL, fields.ModuleIsDLL:
-		return e.Params.GetBool(params.FileIsDLL)
-	case fields.ImageIsDriver, fields.ModuleIsDriver:
-		return e.Params.GetBool(params.FileIsDriver)
-	case fields.ImageIsExecutable, fields.ModuleIsExecutable:
-		return e.Params.GetBool(params.FileIsExecutable)
-	case fields.ImageIsDotnet, fields.ModuleIsDotnet, fields.DllIsDotnet:
-		return e.Params.GetBool(params.FileIsDotnet)
+	case fields.ImageIsDLL, fields.ModuleIsDLL, fields.ImageIsDriver,
+		fields.ModuleIsDriver, fields.ImageIsExecutable, fields.ModuleIsExecutable,
+		fields.ImageIsDotnet, fields.ModuleIsDotnet, fields.DllIsDotnet:
+		if e.IsLoadImage() {
+			return getFileInfo(f.Name, e)
+		}
+		return false, nil
 	}
 
 	return nil, nil
diff --git a/pkg/filter/filter_test.go b/pkg/filter/filter_test.go
@@ -1016,6 +1016,7 @@ func TestModuleFilter(t *testing.T) {
 		{`module.signature.subject icontains 'Microsoft Corporation'`, true},
 		{`module.pe.is_dotnet`, false},
 		{`module.path.stem endswith 'System32\\kernel32'`, true},
+		{`module.is_dll`, true},
 		{`dll.path.stem endswith 'System32\\kernel32'`, true},
 		{`dll.signature.type = 'EMBEDDED'`, true},
 		{`dll.signature.level = 'AUTHENTICODE'`, true},
diff --git a/pkg/filter/util.go b/pkg/filter/util.go
@@ -20,13 +20,15 @@ package filter
 
 import (
 	"encoding/hex"
+	"fmt"
 	"net"
 	"path/filepath"
 	"strings"
 
 	"github.com/rabbitstack/fibratus/pkg/event"
 	"github.com/rabbitstack/fibratus/pkg/event/params"
 	"github.com/rabbitstack/fibratus/pkg/filter/fields"
+	"github.com/rabbitstack/fibratus/pkg/fs"
 	"github.com/rabbitstack/fibratus/pkg/util/bytes"
 	"github.com/rabbitstack/fibratus/pkg/util/loldrivers"
 	"github.com/rabbitstack/fibratus/pkg/util/signature"
@@ -72,6 +74,53 @@ func initLOLDriversClient(flds []Field) {
 	}
 }
 
+// getFileInfo obtains the file information for created files and loaded modules.
+// Appends the file data to the event parameters, so subsequent field extractions
+// will already have the needed info.
+func getFileInfo(f fields.Field, e *event.Event) (params.Value, error) {
+	switch f {
+	case fields.FileIsDLL, fields.ImageIsDLL, fields.ModuleIsDLL:
+		if e.Params.Contains(params.FileIsDLL) {
+			return e.Params.GetBool(params.FileIsDLL)
+		}
+	case fields.FileIsDriver, fields.ModuleIsDriver, fields.ImageIsDriver:
+		if e.Params.Contains(params.FileIsDriver) {
+			return e.Params.GetBool(params.FileIsDriver)
+		}
+	case fields.FileIsExecutable, fields.ImageIsExecutable, fields.ModuleIsExecutable:
+		if e.Params.Contains(params.FileIsExecutable) {
+			return e.Params.GetBool(params.FileIsExecutable)
+		}
+	case fields.ImageIsDotnet, fields.ModuleIsDotnet, fields.DllIsDotnet:
+		if e.Params.Contains(params.FileIsDotnet) {
+			return e.Params.GetBool(params.FileIsDotnet)
+		}
+	}
+
+	fileinfo, err := fs.GetFileInfo(e.GetParamAsString(params.FilePath))
+	if err != nil {
+		return nil, err
+	}
+
+	e.AppendParam(params.FileIsDLL, params.Bool, fileinfo.IsDLL)
+	e.AppendParam(params.FileIsDriver, params.Bool, fileinfo.IsDriver)
+	e.AppendParam(params.FileIsExecutable, params.Bool, fileinfo.IsExecutable)
+	e.AppendParam(params.FileIsDotnet, params.Bool, fileinfo.IsDotnet)
+
+	switch f {
+	case fields.FileIsDLL, fields.ImageIsDLL, fields.ModuleIsDLL:
+		return fileinfo.IsDLL, nil
+	case fields.FileIsDriver, fields.ModuleIsDriver, fields.ImageIsDriver:
+		return fileinfo.IsDriver, nil
+	case fields.FileIsExecutable, fields.ImageIsExecutable, fields.ModuleIsExecutable:
+		return fileinfo.IsExecutable, nil
+	case fields.ImageIsDotnet, fields.ModuleIsDotnet, fields.DllIsDotnet:
+		return fileinfo.IsDotnet, nil
+	}
+
+	return nil, fmt.Errorf("unexpected field: %s", f)
+}
+
 // getSignature tries to find the module signature mapped to the given address.
 // If the signature is not found in the cache, then a fresh signature instance
 // is created and verified.
diff --git a/pkg/filter/util_test.go b/pkg/filter/util_test.go
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2021-present by Nedim Sabic Sabic
+ * https://www.fibratus.io
+ * All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package filter
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/rabbitstack/fibratus/pkg/event"
+	"github.com/rabbitstack/fibratus/pkg/event/params"
+	"github.com/rabbitstack/fibratus/pkg/filter/fields"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetFileInfo(t *testing.T) {
+	path, err := os.Executable()
+	require.NoError(t, err)
+
+	var tests = []struct {
+		e   *event.Event
+		f   func(*testing.T, *event.Event)
+		fld fields.Field
+	}{
+		{
+			e: &event.Event{
+				Name: "CreateFile",
+				Params: map[string]*event.Param{
+					params.FilePath: {Name: params.FilePath, Type: params.UnicodeString, Value: path},
+				},
+			},
+			f: func(t *testing.T, e *event.Event) {
+				require.True(t, e.Params.MustGetBool(params.FileIsExecutable))
+			},
+			fld: fields.FileIsExecutable,
+		},
+		{
+			e: &event.Event{
+				Name: "CreateFile",
+				Params: map[string]*event.Param{
+					params.FilePath: {Name: params.FilePath, Type: params.UnicodeString, Value: filepath.Join(os.Getenv("SystemRoot"), "System32", "kernel32.dll")},
+				},
+			},
+			f: func(t *testing.T, e *event.Event) {
+				require.True(t, e.Params.MustGetBool(params.FileIsDLL))
+			},
+			fld: fields.ModuleIsDLL,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.e.GetParamAsString(params.FilePath), func(t *testing.T) {
+			v, err := getFileInfo(tt.fld, tt.e)
+			require.NotNil(t, v)
+			require.NoError(t, err)
+			if tt.f != nil {
+				tt.f(t, tt.e)
+			}
+		})
+	}
+}
