refactor(filter)!: Make ps.modules return full module paths

rabbitstack · rabbitstack · commit c614390593f9 · 2026-02-01T19:05:57.000+01:00
diff --git a/pkg/filter/accessor_windows.go b/pkg/filter/accessor_windows.go
@@ -192,7 +192,7 @@ func (ps *psAccessor) Get(f Field, e *event.Event) (params.Value, error) {
 		}
 		mods := make([]string, 0, len(ps.Modules))
 		for _, m := range ps.Modules {
-			mods = append(mods, filepath.Base(m.Name))
+			mods = append(mods, m.Name)
 		}
 		return mods, nil
 	case fields.PsUUID:
diff --git a/pkg/filter/filter_test.go b/pkg/filter/filter_test.go
@@ -301,7 +301,7 @@ func TestProcFilter(t *testing.T) {
 
 		{`evt.name = 'CreateProcess' and ps.name contains 'svchost'`, true},
 
-		{`ps.modules IN ('kernel32.dll')`, true},
+		{`ps.modules IN ('C:\\Windows\\System32\\kernel32.dll')`, true},
 		{`evt.name = 'CreateProcess' and evt.pid != ps.ppid`, true},
 		{`ps.parent.name = 'svchost.exe'`, true},
 
@@ -328,7 +328,7 @@ func TestProcFilter(t *testing.T) {
 		{`ps.args iintersects ('-K', 'DComLaunch')`, true},
 		{`ps.args iintersects ('-W', 'DcomLaunch')`, false},
 
-		{`foreach(ps.modules, $mod, $mod imatches 'us?r32.dll')`, true},
+		{`foreach(ps.modules, $mod, $mod imatches '?:\\*\\us?r32.dll')`, true},
 		{`foreach(ps._modules, $mod, $mod.path imatches '?:\\Windows\\System32\\us?r32.dll')`, true},
 		{`foreach(ps._modules, $mod, $mod.name imatches 'USER32.*')`, true},
 		{`foreach(ps._modules, $mod, $mod.name imatches 'USER32.*' and $mod.size >= 212354)`, true},

Original file line number	Diff line number	Diff line change
`@@ -192,7 +192,7 @@ func (ps psAccessor) Get(f Field, e event.Event) (params.Value, error) {`
`192`	`192`	`}`
`193`	`193`	`mods := make([]string, 0, len(ps.Modules))`
`194`	`194`	`for _, m := range ps.Modules {`
`195`		`- mods = append(mods, filepath.Base(m.Name))`
	`195`	`+ mods = append(mods, m.Name)`
`196`	`196`	`}`
`197`	`197`	`return mods, nil`
`198`	`198`	`case fields.PsUUID:`