refactor(event)!: Rename image to module

Author: rabbitstack

configs/fibratus.yml

@@ -187,7 +187,7 @@ event:
   serialize-threads: false
 
   # Indicates if modules such as Dynamic Linked Libraries are serialized as part of the process state
-  serialize-images: false
+  serialize-modules: false
 
   # Indicates if handles are serialized as part of the process state
   serialize-handles: false
@@ -240,8 +240,8 @@ eventsource:
   # Determines whether VA map/unmap events are collected by Kernel Logger provider
   #enable-vamap: true
 
-  # Determines whether image events are collected by Kernel Logger provider
-  #enable-image: true
+  # Determines whether module events are collected by Kernel Logger provider
+  #enable-module: true
 
   # Determines whether object manager events (handle creation/destruction) are
   # collected by Kernel Logger provider

internal/etw/processors/chain_windows.go

@@ -56,7 +56,7 @@ func NewChain(
 	if config.EventSource.EnableRegistryEvents {
 		chain.addProcessor(newRegistryProcessor(hsnap))
 	}
-	if config.EventSource.EnableImageEvents {
+	if config.EventSource.EnableModuleEvents {
 		chain.addProcessor(newModuleProcessor(psnap))
 	}
 	if config.EventSource.EnableNetEvents {

internal/etw/processors/handle_windows.go

@@ -19,13 +19,14 @@
 package processors
 
 import (
+	"strings"
+
 	"github.com/rabbitstack/fibratus/pkg/event"
 	"github.com/rabbitstack/fibratus/pkg/event/params"
 	"github.com/rabbitstack/fibratus/pkg/fs"
 	"github.com/rabbitstack/fibratus/pkg/handle"
 	"github.com/rabbitstack/fibratus/pkg/ps"
 	"github.com/rabbitstack/fibratus/pkg/util/key"
-	"strings"
 )
 
 type handleProcessor struct {
@@ -92,7 +93,7 @@ func (h *handleProcessor) processEvent(e *event.Event) (*event.Event, error) {
 				driverPath = driverName
 			}
 			h.devPathResolver.RemovePath(driverName)
-			e.Params.Append(params.ImagePath, params.Path, driverPath)
+			e.Params.Append(params.ModulePath, params.Path, driverPath)
 		}
 		// assign the formatted handle name
 		if err := e.Params.SetValue(params.HandleObjectName, name); err != nil {

internal/etw/processors/module_windows.go

@@ -34,24 +34,24 @@ func newModuleProcessor(psnap ps.Snapshotter) Processor {
 	return m
 }
 
-func (*moduleProcessor) Name() ProcessorType { return Image }
+func (*moduleProcessor) Name() ProcessorType { return Module }
 
 func (m *moduleProcessor) ProcessEvent(e *event.Event) (*event.Event, bool, error) {
-	if e.IsLoadImageInternal() {
+	if e.IsLoadModuleInternal() {
 		// state management
 		return e, false, m.psnap.AddModule(e)
 	}
 
-	if e.IsUnloadImage() {
+	if e.IsUnloadModule() {
 		pid := e.Params.MustGetPid()
-		addr := e.Params.TryGetAddress(params.ImageBase)
+		addr := e.Params.TryGetAddress(params.ModuleBase)
 		if pid == 0 {
 			pid = e.PID
 		}
 		return e, false, m.psnap.RemoveModule(pid, addr)
 	}
 
-	if e.IsLoadImage() || e.IsImageRundown() {
+	if e.IsLoadModule() || e.IsModuleRundown() {
 		return e, false, m.psnap.AddModule(e)
 	}
 

internal/etw/processors/module_windows_test.go

@@ -41,16 +41,16 @@ func TestModuleProcessor(t *testing.T) {
 		assertions func(*event.Event, *testing.T, *ps.SnapshotterMock)
 	}{
 		{
-			"load new image",
+			"load new Module",
 			&event.Event{
-				Type: event.LoadImage,
+				Type: event.LoadModule,
 				Params: event.Params{
-					params.ImagePath:           {Name: params.ImagePath, Type: params.UnicodeString, Value: filepath.Join(os.Getenv("windir"), "System32", "kernel32.dll")},
-					params.ProcessID:           {Name: params.ProcessID, Type: params.PID, Value: uint32(1023)},
-					params.ImageCheckSum:       {Name: params.ImageCheckSum, Type: params.Uint32, Value: uint32(2323432)},
-					params.ImageBase:           {Name: params.ImageBase, Type: params.Address, Value: uint64(0x7ffb313833a3)},
-					params.ImageSignatureType:  {Name: params.ImageSignatureType, Type: params.Enum, Value: uint32(1), Enum: signature.Types},
-					params.ImageSignatureLevel: {Name: params.ImageSignatureLevel, Type: params.Enum, Value: uint32(4), Enum: signature.Levels},
+					params.ModulePath:           {Name: params.ModulePath, Type: params.UnicodeString, Value: filepath.Join(os.Getenv("windir"), "System32", "kernel32.dll")},
+					params.ProcessID:            {Name: params.ProcessID, Type: params.PID, Value: uint32(1023)},
+					params.ModuleCheckSum:       {Name: params.ModuleCheckSum, Type: params.Uint32, Value: uint32(2323432)},
+					params.ModuleBase:           {Name: params.ModuleBase, Type: params.Address, Value: uint64(0x7ffb313833a3)},
+					params.ModuleSignatureType:  {Name: params.ModuleSignatureType, Type: params.Enum, Value: uint32(1), Enum: signature.Types},
+					params.ModuleSignatureLevel: {Name: params.ModuleSignatureLevel, Type: params.Enum, Value: uint32(4), Enum: signature.Levels},
 				},
 			},
 			func() *ps.SnapshotterMock {
@@ -61,21 +61,21 @@ func TestModuleProcessor(t *testing.T) {
 			func(e *event.Event, t *testing.T, psnap *ps.SnapshotterMock) {
 				psnap.AssertNumberOfCalls(t, "AddModule", 1)
 				// should get the signature verified
-				assert.Equal(t, "EMBEDDED", e.GetParamAsString(params.ImageSignatureType))
-				assert.Equal(t, "AUTHENTICODE", e.GetParamAsString(params.ImageSignatureLevel))
+				assert.Equal(t, "EMBEDDED", e.GetParamAsString(params.ModuleSignatureType))
+				assert.Equal(t, "AUTHENTICODE", e.GetParamAsString(params.ModuleSignatureLevel))
 			},
 		},
 		{
-			"parse image characteristics",
+			"parse Module characteristics",
 			&event.Event{
-				Type: event.LoadImage,
+				Type: event.LoadModule,
 				Params: event.Params{
-					params.ImagePath:           {Name: params.ImagePath, Type: params.UnicodeString, Value: "../_fixtures/mscorlib.dll"},
-					params.ProcessID:           {Name: params.ProcessID, Type: params.PID, Value: uint32(1023)},
-					params.ImageCheckSum:       {Name: params.ImageCheckSum, Type: params.Uint32, Value: uint32(2323432)},
-					params.ImageBase:           {Name: params.ImageBase, Type: params.Address, Value: uint64(0x7ffb313833a3)},
-					params.ImageSignatureType:  {Name: params.ImageSignatureType, Type: params.Enum, Value: uint32(1), Enum: signature.Types},
-					params.ImageSignatureLevel: {Name: params.ImageSignatureLevel, Type: params.Enum, Value: uint32(4), Enum: signature.Levels},
+					params.ModulePath:           {Name: params.ModulePath, Type: params.UnicodeString, Value: "../_fixtures/mscorlib.dll"},
+					params.ProcessID:            {Name: params.ProcessID, Type: params.PID, Value: uint32(1023)},
+					params.ModuleCheckSum:       {Name: params.ModuleCheckSum, Type: params.Uint32, Value: uint32(2323432)},
+					params.ModuleBase:           {Name: params.ModuleBase, Type: params.Address, Value: uint64(0x7ffb313833a3)},
+					params.ModuleSignatureType:  {Name: params.ModuleSignatureType, Type: params.Enum, Value: uint32(1), Enum: signature.Types},
+					params.ModuleSignatureLevel: {Name: params.ModuleSignatureLevel, Type: params.Enum, Value: uint32(4), Enum: signature.Levels},
 				},
 			},
 			func() *ps.SnapshotterMock {
@@ -88,16 +88,16 @@ func TestModuleProcessor(t *testing.T) {
 			},
 		},
 		{
-			"unload image",
+			"unload Module",
 			&event.Event{
-				Type: event.UnloadImage,
+				Type: event.LoadModule,
 				Params: event.Params{
-					params.ImagePath:           {Name: params.ImagePath, Type: params.UnicodeString, Value: "C:\\Windows\\system32\\kernel32.dll"},
-					params.ProcessName:         {Name: params.ProcessName, Type: params.AnsiString, Value: "csrss.exe"},
-					params.ProcessID:           {Name: params.ProcessID, Type: params.PID, Value: uint32(676)},
-					params.ImageBase:           {Name: params.ImageBase, Type: params.Address, Value: uint64(0xfffb313833a3)},
-					params.ImageSignatureType:  {Name: params.ImageSignatureType, Type: params.Enum, Value: uint32(0), Enum: signature.Types},
-					params.ImageSignatureLevel: {Name: params.ImageSignatureLevel, Type: params.Enum, Value: uint32(0), Enum: signature.Levels},
+					params.ModulePath:           {Name: params.ModulePath, Type: params.UnicodeString, Value: "C:\\Windows\\system32\\kernel32.dll"},
+					params.ProcessName:          {Name: params.ProcessName, Type: params.AnsiString, Value: "csrss.exe"},
+					params.ProcessID:            {Name: params.ProcessID, Type: params.PID, Value: uint32(676)},
+					params.ModuleBase:           {Name: params.ModuleBase, Type: params.Address, Value: uint64(0xfffb313833a3)},
+					params.ModuleSignatureType:  {Name: params.ModuleSignatureType, Type: params.Enum, Value: uint32(0), Enum: signature.Types},
+					params.ModuleSignatureLevel: {Name: params.ModuleSignatureLevel, Type: params.Enum, Value: uint32(0), Enum: signature.Levels},
 				},
 			},
 			func() *ps.SnapshotterMock {

internal/etw/processors/processor.go

@@ -32,8 +32,8 @@ const (
 	Fs
 	// Registry represents the registry event processor.
 	Registry
-	// Image represents the image event processor.
-	Image
+	// Module represents the module event processor.
+	Module
 	// Net represents the network event processor.
 	Net
 	// Handle represents the handle event processor.
@@ -66,8 +66,8 @@ func (typ ProcessorType) String() string {
 		return "file"
 	case Registry:
 		return "registry"
-	case Image:
-		return "image"
+	case Module:
+		return "module"
 	case Net:
 		return "net"
 	case Handle:

internal/etw/source.go

@@ -22,6 +22,9 @@ import (
 	"errors"
 	"expvar"
 	"fmt"
+	"time"
+	"unsafe"
+
 	"github.com/rabbitstack/fibratus/internal/etw/processors"
 	"github.com/rabbitstack/fibratus/pkg/config"
 	errs "github.com/rabbitstack/fibratus/pkg/errors"
@@ -34,8 +37,6 @@ import (
 	"github.com/rabbitstack/fibratus/pkg/util/multierror"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/windows/registry"
-	"time"
-	"unsafe"
 )
 
 const (
@@ -129,7 +130,7 @@ func (e *EventSource) Open(config *config.Config) error {
 	// are not captured
 	if e.r != nil {
 		config.EventSource.EnableThreadEvents = config.EventSource.EnableThreadEvents && e.r.HasThreadEvents
-		config.EventSource.EnableImageEvents = config.EventSource.EnableImageEvents && e.r.HasImageEvents
+		config.EventSource.EnableModuleEvents = config.EventSource.EnableModuleEvents && e.r.HasModuleEvents
 		config.EventSource.EnableNetEvents = config.EventSource.EnableNetEvents && e.r.HasNetworkEvents
 		config.EventSource.EnableRegistryEvents = config.EventSource.EnableRegistryEvents && (e.r.HasRegistryEvents || (config.Yara.Enabled && !config.Yara.SkipRegistry))
 		config.EventSource.EnableFileIOEvents = config.EventSource.EnableFileIOEvents && (e.r.HasFileEvents || (config.Yara.Enabled && !config.Yara.SkipFiles))
@@ -140,7 +141,7 @@ func (e *EventSource) Open(config *config.Config) error {
 		config.EventSource.EnableThreadpoolEvents = config.EventSource.EnableThreadpoolEvents && e.r.HasThreadpoolEvents
 		for _, typ := range event.All() {
 			if typ == event.CreateProcess || typ == event.TerminateProcess ||
-				typ == event.LoadImage || typ == event.UnloadImage {
+				typ == event.LoadModule || typ == event.UnloadModule {
 				// always allow fundamental events
 				continue
 			}

internal/etw/source_test.go

@@ -168,7 +168,7 @@ func TestEventSourceEnableFlagsDynamically(t *testing.T) {
 
 	r := &config.RulesCompileResult{
 		HasProcEvents:     true,
-		HasImageEvents:    true,
+		HasModuleEvents:   true,
 		HasRegistryEvents: true,
 		HasNetworkEvents:  true,
 		HasFileEvents:     true,
@@ -177,7 +177,7 @@ func TestEventSourceEnableFlagsDynamically(t *testing.T) {
 		HasAuditAPIEvents: true,
 		UsedEvents: []event.Type{
 			event.CreateProcess,
-			event.LoadImage,
+			event.LoadModule,
 			event.RegCreateKey,
 			event.RegSetValue,
 			event.CreateFile,
@@ -191,7 +191,7 @@ func TestEventSourceEnableFlagsDynamically(t *testing.T) {
 		EventSource: config.EventSourceConfig{
 			EnableThreadEvents:   true,
 			EnableRegistryEvents: true,
-			EnableImageEvents:    true,
+			EnableModuleEvents:   true,
 			EnableFileIOEvents:   true,
 			EnableAuditAPIEvents: true,
 		},
@@ -212,7 +212,7 @@ func TestEventSourceEnableFlagsDynamically(t *testing.T) {
 	// rules compile result doesn't have the thread event
 	// and thread events are enabled in the config
 	require.True(t, flags&etw.Thread == 0)
-	require.True(t, flags&etw.ImageLoad != 0)
+	require.True(t, flags&etw.Module != 0)
 	require.True(t, flags&etw.Registry != 0)
 	// rules compile result has the network event
 	// but network I/O is disabled in the config
@@ -222,7 +222,7 @@ func TestEventSourceEnableFlagsDynamically(t *testing.T) {
 	// but VAMap is disabled in the config
 	require.True(t, flags&etw.VaMap == 0)
 
-	require.False(t, cfg.EventSource.TestDropMask(event.UnloadImage))
+	require.False(t, cfg.EventSource.TestDropMask(event.UnloadModule))
 	require.True(t, cfg.EventSource.TestDropMask(event.WriteFile))
 	require.True(t, cfg.EventSource.TestDropMask(event.UnmapViewFile))
 	require.False(t, cfg.EventSource.TestDropMask(event.OpenProcess))
@@ -248,15 +248,15 @@ func TestEventSourceEnableFlagsDynamicallyWithYaraEnabled(t *testing.T) {
 
 	r := &config.RulesCompileResult{
 		HasProcEvents:     true,
-		HasImageEvents:    true,
+		HasModuleEvents:   true,
 		HasRegistryEvents: true,
 		HasNetworkEvents:  true,
 		HasFileEvents:     false,
 		HasThreadEvents:   false,
 		HasAuditAPIEvents: true,
 		UsedEvents: []event.Type{
 			event.CreateProcess,
-			event.LoadImage,
+			event.LoadModule,
 			event.RegCreateKey,
 			event.RegSetValue,
 			event.RenameFile,
@@ -268,7 +268,7 @@ func TestEventSourceEnableFlagsDynamicallyWithYaraEnabled(t *testing.T) {
 		EventSource: config.EventSourceConfig{
 			EnableThreadEvents:   true,
 			EnableRegistryEvents: true,
-			EnableImageEvents:    true,
+			EnableModuleEvents:   true,
 			EnableFileIOEvents:   true,
 			EnableAuditAPIEvents: true,
 			EnableVAMapEvents:    false,
@@ -326,7 +326,7 @@ func TestEventSourceRundownEvents(t *testing.T) {
 
 	evsConfig := config.EventSourceConfig{
 		EnableThreadEvents:   true,
-		EnableImageEvents:    true,
+		EnableModuleEvents:   true,
 		EnableFileIOEvents:   true,
 		EnableNetEvents:      true,
 		EnableRegistryEvents: true,
@@ -348,7 +348,7 @@ func TestEventSourceRundownEvents(t *testing.T) {
 	rundownsByType := map[event.Type]bool{
 		event.ProcessRundown: false,
 		event.ThreadRundown:  false,
-		event.ImageRundown:   false,
+		event.ModuleRundown:  false,
 		event.FileRundown:    false,
 		event.RegKCBRundown:  false,
 	}
@@ -435,11 +435,11 @@ func TestEventSourceAllEvents(t *testing.T) {
 			false,
 		},
 		{
-			"load image",
+			"load module",
 			nil,
 			func(e *event.Event) bool {
 				img := filepath.Join(os.Getenv("windir"), "System32", "notepad.exe")
-				return e.IsLoadImage() && strings.EqualFold(img, e.GetParamAsString(params.ImagePath))
+				return e.IsLoadModule() && strings.EqualFold(img, e.GetParamAsString(params.ModulePath))
 			},
 			false,
 		},
@@ -491,7 +491,7 @@ func TestEventSourceAllEvents(t *testing.T) {
 		{
 			"map view section",
 			func() error {
-				const SecImage = 0x01000000
+				const SecModule = 0x01000000
 				const SectionRead = 0x4
 
 				var sec windows.Handle
@@ -514,7 +514,7 @@ func TestEventSourceAllEvents(t *testing.T) {
 					0,
 					uintptr(unsafe.Pointer(&size)),
 					windows.PAGE_READONLY,
-					SecImage,
+					SecModule,
 					windows.Handle(f.Fd()),
 				); err != nil {
 					return fmt.Errorf("NtCreateSection: %v", err)
@@ -539,7 +539,7 @@ func TestEventSourceAllEvents(t *testing.T) {
 			func(e *event.Event) bool {
 				return e.CurrentPid() && e.Type == event.MapViewFile &&
 					e.GetParamAsString(params.MemProtect) == "EXECUTE_READWRITE|READONLY" &&
-					e.GetParamAsString(params.FileViewSectionType) == "IMAGE" &&
+					e.GetParamAsString(params.FileViewSectionType) == "Module" &&
 					strings.Contains(e.GetParamAsString(params.FilePath), "_fixtures\\yara-test.dll")
 			},
 			false,
@@ -717,7 +717,7 @@ func TestEventSourceAllEvents(t *testing.T) {
 
 	evsConfig := config.EventSourceConfig{
 		EnableThreadEvents:   true,
-		EnableImageEvents:    true,
+		EnableModuleEvents:   true,
 		EnableFileIOEvents:   true,
 		EnableVAMapEvents:    true,
 		EnableNetEvents:      true,
@@ -889,10 +889,10 @@ func testCallstackEnrichment(t *testing.T, hsnap handle.Snapshotter, psnap ps.Sn
 			false,
 		},
 		{
-			"load image callstack",
+			"load Module callstack",
 			nil,
 			func(e *event.Event) bool {
-				if e.IsLoadImage() && filepath.Ext(e.GetParamAsString(params.FilePath)) == ".dll" {
+				if e.IsLoadModule() && filepath.Ext(e.GetParamAsString(params.FilePath)) == ".dll" {
 					callstack := e.Callstack.String()
 					return strings.Contains(strings.ToLower(callstack), strings.ToLower("\\WINDOWS\\System32\\KERNELBASE.dll!LoadLibraryExW")) &&
 						strings.Contains(strings.ToLower(callstack), strings.ToLower("\\WINDOWS\\system32\\ntoskrnl.exe!NtMapViewOfSection"))
@@ -1202,7 +1202,7 @@ func testCallstackEnrichment(t *testing.T, hsnap handle.Snapshotter, psnap ps.Sn
 
 	evsConfig := config.EventSourceConfig{
 		EnableThreadEvents:   true,
-		EnableImageEvents:    true,
+		EnableModuleEvents:   true,
 		EnableFileIOEvents:   true,
 		EnableRegistryEvents: true,
 		EnableMemEvents:      true,
@@ -1327,7 +1327,7 @@ func TestEvasionScanner(t *testing.T) {
 
 	evsConfig := config.EventSourceConfig{
 		EnableThreadEvents:   true,
-		EnableImageEvents:    true,
+		EnableModuleEvents:   true,
 		EnableFileIOEvents:   false,
 		EnableVAMapEvents:    true,
 		EnableNetEvents:      true,