diff --git a/configs/fibratus.yml b/configs/fibratus.yml index c04cd94fc..63cc0225b 100644 --- a/configs/fibratus.yml +++ b/configs/fibratus.yml @@ -187,7 +187,7 @@ event: serialize-threads: false # Indicates if modules such as Dynamic Linked Libraries are serialized as part of the process state - serialize-images: false + serialize-modules: false # Indicates if handles are serialized as part of the process state serialize-handles: false @@ -240,8 +240,8 @@ eventsource: # Determines whether VA map/unmap events are collected by Kernel Logger provider #enable-vamap: true - # Determines whether image events are collected by Kernel Logger provider - #enable-image: true + # Determines whether module events are collected by Kernel Logger provider + #enable-module: true # Determines whether object manager events (handle creation/destruction) are # collected by Kernel Logger provider diff --git a/internal/etw/processors/chain_windows.go b/internal/etw/processors/chain_windows.go index 77f38b293..82f3ab47b 100644 --- a/internal/etw/processors/chain_windows.go +++ b/internal/etw/processors/chain_windows.go @@ -56,7 +56,7 @@ func NewChain( if config.EventSource.EnableRegistryEvents { chain.addProcessor(newRegistryProcessor(hsnap)) } - if config.EventSource.EnableImageEvents { + if config.EventSource.EnableModuleEvents { chain.addProcessor(newModuleProcessor(psnap)) } if config.EventSource.EnableNetEvents { diff --git a/internal/etw/processors/handle_windows.go b/internal/etw/processors/handle_windows.go index 453996c9a..e25f217b7 100644 --- a/internal/etw/processors/handle_windows.go +++ b/internal/etw/processors/handle_windows.go @@ -19,13 +19,14 @@ package processors import ( + "strings" + "github.com/rabbitstack/fibratus/pkg/event" "github.com/rabbitstack/fibratus/pkg/event/params" "github.com/rabbitstack/fibratus/pkg/fs" "github.com/rabbitstack/fibratus/pkg/handle" "github.com/rabbitstack/fibratus/pkg/ps" "github.com/rabbitstack/fibratus/pkg/util/key" - "strings" ) type handleProcessor struct { @@ -92,7 +93,7 @@ func (h *handleProcessor) processEvent(e *event.Event) (*event.Event, error) { driverPath = driverName } h.devPathResolver.RemovePath(driverName) - e.Params.Append(params.ImagePath, params.Path, driverPath) + e.Params.Append(params.ModulePath, params.Path, driverPath) } // assign the formatted handle name if err := e.Params.SetValue(params.HandleObjectName, name); err != nil { diff --git a/internal/etw/processors/module_windows.go b/internal/etw/processors/module_windows.go index a3ce31c02..5367b3d8c 100644 --- a/internal/etw/processors/module_windows.go +++ b/internal/etw/processors/module_windows.go @@ -34,24 +34,24 @@ func newModuleProcessor(psnap ps.Snapshotter) Processor { return m } -func (*moduleProcessor) Name() ProcessorType { return Image } +func (*moduleProcessor) Name() ProcessorType { return Module } func (m *moduleProcessor) ProcessEvent(e *event.Event) (*event.Event, bool, error) { - if e.IsLoadImageInternal() { + if e.IsLoadModuleInternal() { // state management return e, false, m.psnap.AddModule(e) } - if e.IsUnloadImage() { + if e.IsUnloadModule() { pid := e.Params.MustGetPid() - addr := e.Params.TryGetAddress(params.ImageBase) + addr := e.Params.TryGetAddress(params.ModuleBase) if pid == 0 { pid = e.PID } return e, false, m.psnap.RemoveModule(pid, addr) } - if e.IsLoadImage() || e.IsImageRundown() { + if e.IsLoadModule() || e.IsModuleRundown() { return e, false, m.psnap.AddModule(e) } diff --git a/internal/etw/processors/module_windows_test.go b/internal/etw/processors/module_windows_test.go index 3379c89e3..c8b388152 100644 --- a/internal/etw/processors/module_windows_test.go +++ b/internal/etw/processors/module_windows_test.go @@ -41,16 +41,16 @@ func TestModuleProcessor(t *testing.T) { assertions func(*event.Event, *testing.T, *ps.SnapshotterMock) }{ { - "load new image", + "load new Module", &event.Event{ - Type: event.LoadImage, + Type: event.LoadModule, Params: event.Params{ - params.ImagePath: {Name: params.ImagePath, Type: params.UnicodeString, Value: filepath.Join(os.Getenv("windir"), "System32", "kernel32.dll")}, - params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1023)}, - params.ImageCheckSum: {Name: params.ImageCheckSum, Type: params.Uint32, Value: uint32(2323432)}, - params.ImageBase: {Name: params.ImageBase, Type: params.Address, Value: uint64(0x7ffb313833a3)}, - params.ImageSignatureType: {Name: params.ImageSignatureType, Type: params.Enum, Value: uint32(1), Enum: signature.Types}, - params.ImageSignatureLevel: {Name: params.ImageSignatureLevel, Type: params.Enum, Value: uint32(4), Enum: signature.Levels}, + params.ModulePath: {Name: params.ModulePath, Type: params.UnicodeString, Value: filepath.Join(os.Getenv("windir"), "System32", "kernel32.dll")}, + params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1023)}, + params.ModuleCheckSum: {Name: params.ModuleCheckSum, Type: params.Uint32, Value: uint32(2323432)}, + params.ModuleBase: {Name: params.ModuleBase, Type: params.Address, Value: uint64(0x7ffb313833a3)}, + params.ModuleSignatureType: {Name: params.ModuleSignatureType, Type: params.Enum, Value: uint32(1), Enum: signature.Types}, + params.ModuleSignatureLevel: {Name: params.ModuleSignatureLevel, Type: params.Enum, Value: uint32(4), Enum: signature.Levels}, }, }, func() *ps.SnapshotterMock { @@ -61,21 +61,21 @@ func TestModuleProcessor(t *testing.T) { func(e *event.Event, t *testing.T, psnap *ps.SnapshotterMock) { psnap.AssertNumberOfCalls(t, "AddModule", 1) // should get the signature verified - assert.Equal(t, "EMBEDDED", e.GetParamAsString(params.ImageSignatureType)) - assert.Equal(t, "AUTHENTICODE", e.GetParamAsString(params.ImageSignatureLevel)) + assert.Equal(t, "EMBEDDED", e.GetParamAsString(params.ModuleSignatureType)) + assert.Equal(t, "AUTHENTICODE", e.GetParamAsString(params.ModuleSignatureLevel)) }, }, { - "parse image characteristics", + "parse Module characteristics", &event.Event{ - Type: event.LoadImage, + Type: event.LoadModule, Params: event.Params{ - params.ImagePath: {Name: params.ImagePath, Type: params.UnicodeString, Value: "../_fixtures/mscorlib.dll"}, - params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1023)}, - params.ImageCheckSum: {Name: params.ImageCheckSum, Type: params.Uint32, Value: uint32(2323432)}, - params.ImageBase: {Name: params.ImageBase, Type: params.Address, Value: uint64(0x7ffb313833a3)}, - params.ImageSignatureType: {Name: params.ImageSignatureType, Type: params.Enum, Value: uint32(1), Enum: signature.Types}, - params.ImageSignatureLevel: {Name: params.ImageSignatureLevel, Type: params.Enum, Value: uint32(4), Enum: signature.Levels}, + params.ModulePath: {Name: params.ModulePath, Type: params.UnicodeString, Value: "../_fixtures/mscorlib.dll"}, + params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1023)}, + params.ModuleCheckSum: {Name: params.ModuleCheckSum, Type: params.Uint32, Value: uint32(2323432)}, + params.ModuleBase: {Name: params.ModuleBase, Type: params.Address, Value: uint64(0x7ffb313833a3)}, + params.ModuleSignatureType: {Name: params.ModuleSignatureType, Type: params.Enum, Value: uint32(1), Enum: signature.Types}, + params.ModuleSignatureLevel: {Name: params.ModuleSignatureLevel, Type: params.Enum, Value: uint32(4), Enum: signature.Levels}, }, }, func() *ps.SnapshotterMock { @@ -88,16 +88,16 @@ func TestModuleProcessor(t *testing.T) { }, }, { - "unload image", + "unload Module", &event.Event{ - Type: event.UnloadImage, + Type: event.LoadModule, Params: event.Params{ - params.ImagePath: {Name: params.ImagePath, Type: params.UnicodeString, Value: "C:\\Windows\\system32\\kernel32.dll"}, - params.ProcessName: {Name: params.ProcessName, Type: params.AnsiString, Value: "csrss.exe"}, - params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(676)}, - params.ImageBase: {Name: params.ImageBase, Type: params.Address, Value: uint64(0xfffb313833a3)}, - params.ImageSignatureType: {Name: params.ImageSignatureType, Type: params.Enum, Value: uint32(0), Enum: signature.Types}, - params.ImageSignatureLevel: {Name: params.ImageSignatureLevel, Type: params.Enum, Value: uint32(0), Enum: signature.Levels}, + params.ModulePath: {Name: params.ModulePath, Type: params.UnicodeString, Value: "C:\\Windows\\system32\\kernel32.dll"}, + params.ProcessName: {Name: params.ProcessName, Type: params.AnsiString, Value: "csrss.exe"}, + params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(676)}, + params.ModuleBase: {Name: params.ModuleBase, Type: params.Address, Value: uint64(0xfffb313833a3)}, + params.ModuleSignatureType: {Name: params.ModuleSignatureType, Type: params.Enum, Value: uint32(0), Enum: signature.Types}, + params.ModuleSignatureLevel: {Name: params.ModuleSignatureLevel, Type: params.Enum, Value: uint32(0), Enum: signature.Levels}, }, }, func() *ps.SnapshotterMock { diff --git a/internal/etw/processors/processor.go b/internal/etw/processors/processor.go index ea3209987..7f1445946 100644 --- a/internal/etw/processors/processor.go +++ b/internal/etw/processors/processor.go @@ -32,8 +32,8 @@ const ( Fs // Registry represents the registry event processor. Registry - // Image represents the image event processor. - Image + // Module represents the module event processor. + Module // Net represents the network event processor. Net // Handle represents the handle event processor. @@ -66,8 +66,8 @@ func (typ ProcessorType) String() string { return "file" case Registry: return "registry" - case Image: - return "image" + case Module: + return "module" case Net: return "net" case Handle: diff --git a/internal/etw/source.go b/internal/etw/source.go index 347b99160..8512899bb 100644 --- a/internal/etw/source.go +++ b/internal/etw/source.go @@ -22,6 +22,9 @@ import ( "errors" "expvar" "fmt" + "time" + "unsafe" + "github.com/rabbitstack/fibratus/internal/etw/processors" "github.com/rabbitstack/fibratus/pkg/config" errs "github.com/rabbitstack/fibratus/pkg/errors" @@ -34,8 +37,6 @@ import ( "github.com/rabbitstack/fibratus/pkg/util/multierror" log "github.com/sirupsen/logrus" "golang.org/x/sys/windows/registry" - "time" - "unsafe" ) const ( @@ -129,7 +130,7 @@ func (e *EventSource) Open(config *config.Config) error { // are not captured if e.r != nil { config.EventSource.EnableThreadEvents = config.EventSource.EnableThreadEvents && e.r.HasThreadEvents - config.EventSource.EnableImageEvents = config.EventSource.EnableImageEvents && e.r.HasImageEvents + config.EventSource.EnableModuleEvents = config.EventSource.EnableModuleEvents && e.r.HasModuleEvents config.EventSource.EnableNetEvents = config.EventSource.EnableNetEvents && e.r.HasNetworkEvents config.EventSource.EnableRegistryEvents = config.EventSource.EnableRegistryEvents && (e.r.HasRegistryEvents || (config.Yara.Enabled && !config.Yara.SkipRegistry)) config.EventSource.EnableFileIOEvents = config.EventSource.EnableFileIOEvents && (e.r.HasFileEvents || (config.Yara.Enabled && !config.Yara.SkipFiles)) @@ -140,7 +141,7 @@ func (e *EventSource) Open(config *config.Config) error { config.EventSource.EnableThreadpoolEvents = config.EventSource.EnableThreadpoolEvents && e.r.HasThreadpoolEvents for _, typ := range event.All() { if typ == event.CreateProcess || typ == event.TerminateProcess || - typ == event.LoadImage || typ == event.UnloadImage { + typ == event.LoadModule || typ == event.UnloadModule { // always allow fundamental events continue } diff --git a/internal/etw/source_test.go b/internal/etw/source_test.go index c1d4b328c..ed9945cec 100644 --- a/internal/etw/source_test.go +++ b/internal/etw/source_test.go @@ -168,7 +168,7 @@ func TestEventSourceEnableFlagsDynamically(t *testing.T) { r := &config.RulesCompileResult{ HasProcEvents: true, - HasImageEvents: true, + HasModuleEvents: true, HasRegistryEvents: true, HasNetworkEvents: true, HasFileEvents: true, @@ -177,7 +177,7 @@ func TestEventSourceEnableFlagsDynamically(t *testing.T) { HasAuditAPIEvents: true, UsedEvents: []event.Type{ event.CreateProcess, - event.LoadImage, + event.LoadModule, event.RegCreateKey, event.RegSetValue, event.CreateFile, @@ -191,7 +191,7 @@ func TestEventSourceEnableFlagsDynamically(t *testing.T) { EventSource: config.EventSourceConfig{ EnableThreadEvents: true, EnableRegistryEvents: true, - EnableImageEvents: true, + EnableModuleEvents: true, EnableFileIOEvents: true, EnableAuditAPIEvents: true, }, @@ -212,7 +212,7 @@ func TestEventSourceEnableFlagsDynamically(t *testing.T) { // rules compile result doesn't have the thread event // and thread events are enabled in the config require.True(t, flags&etw.Thread == 0) - require.True(t, flags&etw.ImageLoad != 0) + require.True(t, flags&etw.Module != 0) require.True(t, flags&etw.Registry != 0) // rules compile result has the network event // but network I/O is disabled in the config @@ -222,7 +222,7 @@ func TestEventSourceEnableFlagsDynamically(t *testing.T) { // but VAMap is disabled in the config require.True(t, flags&etw.VaMap == 0) - require.False(t, cfg.EventSource.TestDropMask(event.UnloadImage)) + require.False(t, cfg.EventSource.TestDropMask(event.UnloadModule)) require.True(t, cfg.EventSource.TestDropMask(event.WriteFile)) require.True(t, cfg.EventSource.TestDropMask(event.UnmapViewFile)) require.False(t, cfg.EventSource.TestDropMask(event.OpenProcess)) @@ -248,7 +248,7 @@ func TestEventSourceEnableFlagsDynamicallyWithYaraEnabled(t *testing.T) { r := &config.RulesCompileResult{ HasProcEvents: true, - HasImageEvents: true, + HasModuleEvents: true, HasRegistryEvents: true, HasNetworkEvents: true, HasFileEvents: false, @@ -256,7 +256,7 @@ func TestEventSourceEnableFlagsDynamicallyWithYaraEnabled(t *testing.T) { HasAuditAPIEvents: true, UsedEvents: []event.Type{ event.CreateProcess, - event.LoadImage, + event.LoadModule, event.RegCreateKey, event.RegSetValue, event.RenameFile, @@ -268,7 +268,7 @@ func TestEventSourceEnableFlagsDynamicallyWithYaraEnabled(t *testing.T) { EventSource: config.EventSourceConfig{ EnableThreadEvents: true, EnableRegistryEvents: true, - EnableImageEvents: true, + EnableModuleEvents: true, EnableFileIOEvents: true, EnableAuditAPIEvents: true, EnableVAMapEvents: false, @@ -326,7 +326,7 @@ func TestEventSourceRundownEvents(t *testing.T) { evsConfig := config.EventSourceConfig{ EnableThreadEvents: true, - EnableImageEvents: true, + EnableModuleEvents: true, EnableFileIOEvents: true, EnableNetEvents: true, EnableRegistryEvents: true, @@ -348,7 +348,7 @@ func TestEventSourceRundownEvents(t *testing.T) { rundownsByType := map[event.Type]bool{ event.ProcessRundown: false, event.ThreadRundown: false, - event.ImageRundown: false, + event.ModuleRundown: false, event.FileRundown: false, event.RegKCBRundown: false, } @@ -435,11 +435,11 @@ func TestEventSourceAllEvents(t *testing.T) { false, }, { - "load image", + "load module", nil, func(e *event.Event) bool { img := filepath.Join(os.Getenv("windir"), "System32", "notepad.exe") - return e.IsLoadImage() && strings.EqualFold(img, e.GetParamAsString(params.ImagePath)) + return e.IsLoadModule() && strings.EqualFold(img, e.GetParamAsString(params.ModulePath)) }, false, }, @@ -491,7 +491,7 @@ func TestEventSourceAllEvents(t *testing.T) { { "map view section", func() error { - const SecImage = 0x01000000 + const SecModule = 0x01000000 const SectionRead = 0x4 var sec windows.Handle @@ -514,7 +514,7 @@ func TestEventSourceAllEvents(t *testing.T) { 0, uintptr(unsafe.Pointer(&size)), windows.PAGE_READONLY, - SecImage, + SecModule, windows.Handle(f.Fd()), ); err != nil { return fmt.Errorf("NtCreateSection: %v", err) @@ -539,7 +539,7 @@ func TestEventSourceAllEvents(t *testing.T) { func(e *event.Event) bool { return e.CurrentPid() && e.Type == event.MapViewFile && e.GetParamAsString(params.MemProtect) == "EXECUTE_READWRITE|READONLY" && - e.GetParamAsString(params.FileViewSectionType) == "IMAGE" && + e.GetParamAsString(params.FileViewSectionType) == "Module" && strings.Contains(e.GetParamAsString(params.FilePath), "_fixtures\\yara-test.dll") }, false, @@ -717,7 +717,7 @@ func TestEventSourceAllEvents(t *testing.T) { evsConfig := config.EventSourceConfig{ EnableThreadEvents: true, - EnableImageEvents: true, + EnableModuleEvents: true, EnableFileIOEvents: true, EnableVAMapEvents: true, EnableNetEvents: true, @@ -889,10 +889,10 @@ func testCallstackEnrichment(t *testing.T, hsnap handle.Snapshotter, psnap ps.Sn false, }, { - "load image callstack", + "load Module callstack", nil, func(e *event.Event) bool { - if e.IsLoadImage() && filepath.Ext(e.GetParamAsString(params.FilePath)) == ".dll" { + if e.IsLoadModule() && filepath.Ext(e.GetParamAsString(params.FilePath)) == ".dll" { callstack := e.Callstack.String() return strings.Contains(strings.ToLower(callstack), strings.ToLower("\\WINDOWS\\System32\\KERNELBASE.dll!LoadLibraryExW")) && strings.Contains(strings.ToLower(callstack), strings.ToLower("\\WINDOWS\\system32\\ntoskrnl.exe!NtMapViewOfSection")) @@ -1202,7 +1202,7 @@ func testCallstackEnrichment(t *testing.T, hsnap handle.Snapshotter, psnap ps.Sn evsConfig := config.EventSourceConfig{ EnableThreadEvents: true, - EnableImageEvents: true, + EnableModuleEvents: true, EnableFileIOEvents: true, EnableRegistryEvents: true, EnableMemEvents: true, @@ -1327,7 +1327,7 @@ func TestEvasionScanner(t *testing.T) { evsConfig := config.EventSourceConfig{ EnableThreadEvents: true, - EnableImageEvents: true, + EnableModuleEvents: true, EnableFileIOEvents: false, EnableVAMapEvents: true, EnableNetEvents: true, diff --git a/internal/etw/stackext.go b/internal/etw/stackext.go index 140cef601..13f48311e 100644 --- a/internal/etw/stackext.go +++ b/internal/etw/stackext.go @@ -60,7 +60,7 @@ func (s *StackExtensions) Empty() bool { return len(s.ids) == 0 } // EnableProcessCallstack populates the stack identifiers // with event types eligible for emitting stack walk events // related to process telemetry, such as creating a process, -// creating/terminating a thread or loading an image into +// creating/terminating a thread or module loading into // process address space. func (s *StackExtensions) EnableProcessCallstack() { s.AddStackTracing(event.CreateProcess) @@ -68,8 +68,8 @@ func (s *StackExtensions) EnableProcessCallstack() { s.AddStackTracing(event.CreateThread) s.AddStackTracing(event.TerminateThread) } - if s.config.EnableImageEvents { - s.AddStackTracingWith(event.ProcessEventGUID, event.LoadImage.HookID()) + if s.config.EnableModuleEvents { + s.AddStackTracingWith(event.ProcessEventGUID, event.LoadModule.HookID()) } } diff --git a/internal/etw/trace.go b/internal/etw/trace.go index e12969b8d..c08634db6 100644 --- a/internal/etw/trace.go +++ b/internal/etw/trace.go @@ -20,14 +20,15 @@ package etw import ( "fmt" + "runtime" + "time" + "unsafe" + "github.com/rabbitstack/fibratus/pkg/config" errs "github.com/rabbitstack/fibratus/pkg/errors" "github.com/rabbitstack/fibratus/pkg/sys/etw" log "github.com/sirupsen/logrus" "golang.org/x/sys/windows" - "runtime" - "time" - "unsafe" ) // initEventTraceProps builds the trace properties descriptor which @@ -480,8 +481,8 @@ func (t *Trace) enableFlagsDynamically(config config.EventSourceConfig) etw.Even if config.EnableThreadEvents { flags |= etw.Thread } - if config.EnableImageEvents { - flags |= etw.ImageLoad + if config.EnableModuleEvents { + flags |= etw.Module } if config.EnableNetEvents { flags |= etw.NetTCPIP diff --git a/pkg/cap/reader_windows.go b/pkg/cap/reader_windows.go index cee14ca9c..d7982e10f 100644 --- a/pkg/cap/reader_windows.go +++ b/pkg/cap/reader_windows.go @@ -24,6 +24,11 @@ package cap import ( "context" "fmt" + "io" + "os" + "path/filepath" + "sync" + "github.com/rabbitstack/fibratus/pkg/cap/section" "github.com/rabbitstack/fibratus/pkg/config" "github.com/rabbitstack/fibratus/pkg/event" @@ -35,10 +40,6 @@ import ( "github.com/rabbitstack/fibratus/pkg/util/bytes" log "github.com/sirupsen/logrus" zstd "github.com/valyala/gozstd" - "io" - "os" - "path/filepath" - "sync" ) type reader struct { @@ -188,16 +189,16 @@ func (r *reader) updateSnapshotters(evt *event.Event) error { if err := r.psnapshotter.RemoveThread(pid, tid); err != nil { return err } - case event.UnloadImage: + case event.UnloadModule: pid := evt.Params.MustGetPid() - addr := evt.Params.TryGetAddress(params.ImageBase) + addr := evt.Params.TryGetAddress(params.ModuleBase) if err := r.psnapshotter.RemoveModule(pid, addr); err != nil { return err } case event.CreateProcess, event.ProcessRundown, - event.LoadImage, - event.ImageRundown, + event.LoadModule, + event.ModuleRundown, event.CreateThread, event.ThreadRundown: if err := r.psnapshotter.WriteFromCapture(evt); err != nil { diff --git a/pkg/config/config.schema.json b/pkg/config/config.schema.json index f24d078e3..e223db55c 100644 --- a/pkg/config/config.schema.json +++ b/pkg/config/config.schema.json @@ -317,7 +317,7 @@ "serialize-threads": { "type": "boolean" }, - "serialize-images": { + "serialize-modules": { "type": "boolean" }, "serialize-handles": { @@ -338,7 +338,7 @@ "enable-thread": { "type": "boolean" }, - "enable-image": { + "enable-module": { "type": "boolean" }, "enable-registry": { @@ -400,8 +400,8 @@ "OpenProcess", "OpenThread", "SetThreadContext", - "LoadImage", - "UnloadImage", + "LoadModule", + "UnloadModule", "CreateFile", "CloseFile", "ReadFile", diff --git a/pkg/config/config_windows.go b/pkg/config/config_windows.go index 59391fc97..ff5058100 100644 --- a/pkg/config/config_windows.go +++ b/pkg/config/config_windows.go @@ -21,9 +21,10 @@ package config import ( "encoding/json" "fmt" + "time" + "github.com/rabbitstack/fibratus/internal/evasion" "golang.org/x/sys/windows" - "time" "github.com/rabbitstack/fibratus/pkg/outputs/eventlog" @@ -73,7 +74,7 @@ const ( forwardMode = "forward" serializeThreads = "event.serialize-threads" - serializeImages = "event.serialize-images" + serializeModules = "event.serialize-modules" serializeHandles = "event.serialize-handles" serializePE = "event.serialize-pe" serializeEnvs = "event.serialize-envs" @@ -295,7 +296,7 @@ func (c *Config) Init() error { c.CapFile = c.viper.GetString(capFile) event.SerializeThreads = c.viper.GetBool(serializeThreads) - event.SerializeImages = c.viper.GetBool(serializeImages) + event.SerializeModules = c.viper.GetBool(serializeModules) event.SerializeHandles = c.viper.GetBool(serializeHandles) event.SerializePE = c.viper.GetBool(serializePE) event.SerializeEnvs = c.viper.GetBool(serializeEnvs) @@ -423,7 +424,7 @@ func (c *Config) addFlags() { c.flags.Bool(enableNetEvents, true, "Determines whether network (TCP/UDP) events are collected by Kernel Logger provider") c.flags.Bool(enableFileIOEvents, true, "Determines whether disk I/O events are collected by Kernel Logger provider") c.flags.Bool(enableVAMapEvents, true, "Determines whether VA map/unmap events are collected by Kernel Logger provider") - c.flags.Bool(enableImageEvents, true, "Determines whether file I/O events are collected by Kernel Logger provider") + c.flags.Bool(enableModuleEvents, true, "Determines whether module events are collected by Kernel Logger provider") c.flags.Bool(enableHandleEvents, false, "Determines whether object manager events (handle creation/destruction) are collected by Kernel Logger provider") c.flags.Bool(enableMemEvents, true, "Determines whether memory manager events are collected by Kernel Logger provider") c.flags.Bool(enableAuditAPIEvents, true, "Determines whether kernel audit API calls events are published") @@ -438,7 +439,7 @@ func (c *Config) addFlags() { c.flags.StringSlice(excludedImages, []string{}, "A list of image names that will be dropped from the event stream. Image names are case sensitive") c.flags.Bool(serializeThreads, false, "Indicates if threads are serialized as part of the process state") - c.flags.Bool(serializeImages, false, "Indicates if images are serialized as part of the process state") + c.flags.Bool(serializeModules, false, "Indicates if modules are serialized as part of the process state") c.flags.Bool(serializeHandles, false, "Indicates if handles are serialized as part of the process state") c.flags.Bool(serializePE, false, "Indicates if the PE metadata are serialized as part of the process state") c.flags.Bool(serializeEnvs, true, "Indicates if environment variables are serialized as part of the process state") diff --git a/pkg/config/eventsource.go b/pkg/config/eventsource.go index 052c0d6c7..5cfbf1b92 100644 --- a/pkg/config/eventsource.go +++ b/pkg/config/eventsource.go @@ -38,7 +38,7 @@ const ( enableNetEvents = "eventsource.enable-net" enableFileIOEvents = "eventsource.enable-fileio" enableVAMapEvents = "eventsource.enable-vamap" - enableImageEvents = "eventsource.enable-image" + enableModuleEvents = "eventsource.enable-module" enableHandleEvents = "eventsource.enable-handle" enableMemEvents = "eventsource.enable-mem" enableAuditAPIEvents = "eventsource.enable-audit-api" @@ -74,8 +74,8 @@ type EventSourceConfig struct { EnableFileIOEvents bool `json:"enable-fileio" yaml:"enable-fileio"` // EnableVAMapEvents indicates if VA map/unmap events are collected by the ETW provider. EnableVAMapEvents bool `json:"enable-vamap" yaml:"enable-vamap"` - // EnableImageEvents indicates if image events are collected by the ETW provider. - EnableImageEvents bool `json:"enable-image" yaml:"enable-image"` + // EnableModuleEvents indicates if module events are collected by the ETW provider. + EnableModuleEvents bool `json:"enable-image" yaml:"enable-module"` // EnableHandleEvents indicates whether handle creation/disposal events are enabled. EnableHandleEvents bool `json:"enable-handle" yaml:"enable-handle"` // EnableMemEvents indicates whether memory manager events are enabled. @@ -115,7 +115,7 @@ func (c *EventSourceConfig) initFromViper(v *viper.Viper) { c.EnableNetEvents = v.GetBool(enableNetEvents) c.EnableFileIOEvents = v.GetBool(enableFileIOEvents) c.EnableVAMapEvents = v.GetBool(enableVAMapEvents) - c.EnableImageEvents = v.GetBool(enableImageEvents) + c.EnableModuleEvents = v.GetBool(enableModuleEvents) c.EnableHandleEvents = v.GetBool(enableHandleEvents) c.EnableMemEvents = v.GetBool(enableMemEvents) c.EnableAuditAPIEvents = v.GetBool(enableAuditAPIEvents) diff --git a/pkg/config/eventsource_test.go b/pkg/config/eventsource_test.go index 614df5ef7..ec68b57a1 100644 --- a/pkg/config/eventsource_test.go +++ b/pkg/config/eventsource_test.go @@ -22,9 +22,10 @@ package config import ( - "github.com/rabbitstack/fibratus/pkg/event" "testing" + "github.com/rabbitstack/fibratus/pkg/event" + pstypes "github.com/rabbitstack/fibratus/pkg/ps/types" "github.com/stretchr/testify/assert" @@ -39,7 +40,7 @@ func TestEventSourceConfig(t *testing.T) { "--eventsource.enable-registry=false", "--eventsource.enable-fileio=false", "--eventsource.enable-net=false", - "--eventsource.enable-image=false", + "--eventsource.enable-module=false", "--eventsource.blacklist.events=CloseFile,CloseHandle", "--eventsource.blacklist.images=System,svchost.exe", }) @@ -52,7 +53,7 @@ func TestEventSourceConfig(t *testing.T) { assert.False(t, c.EventSource.EnableThreadEvents) assert.False(t, c.EventSource.EnableNetEvents) assert.False(t, c.EventSource.EnableRegistryEvents) - assert.False(t, c.EventSource.EnableImageEvents) + assert.False(t, c.EventSource.EnableModuleEvents) assert.False(t, c.EventSource.EnableFileIOEvents) assert.True(t, c.EventSource.ExcludeEvent(event.CloseHandle.ID())) diff --git a/pkg/config/filters.go b/pkg/config/filters.go index 6c856cd6c..87ab6bb96 100644 --- a/pkg/config/filters.go +++ b/pkg/config/filters.go @@ -21,13 +21,6 @@ package config import ( "bytes" "fmt" - "github.com/Masterminds/sprig/v3" - "github.com/rabbitstack/fibratus/pkg/event" - "github.com/rabbitstack/fibratus/pkg/util/convert" - "github.com/rabbitstack/fibratus/pkg/util/multierror" - log "github.com/sirupsen/logrus" - "github.com/spf13/viper" - "gopkg.in/yaml.v3" "io" "net" "net/http" @@ -37,6 +30,14 @@ import ( "slices" "strings" "text/template" + + "github.com/Masterminds/sprig/v3" + "github.com/rabbitstack/fibratus/pkg/event" + "github.com/rabbitstack/fibratus/pkg/util/convert" + "github.com/rabbitstack/fibratus/pkg/util/multierror" + log "github.com/sirupsen/logrus" + "github.com/spf13/viper" + "gopkg.in/yaml.v3" ) // FilterConfig is the descriptor of a single filter. @@ -189,7 +190,7 @@ func (ctx *ActionContext) UniquePids() []uint32 { type RulesCompileResult struct { HasProcEvents bool HasThreadEvents bool - HasImageEvents bool + HasModuleEvents bool HasFileEvents bool HasNetworkEvents bool HasRegistryEvents bool @@ -226,7 +227,7 @@ func (r RulesCompileResult) String() string { return fmt.Sprintf(` HasProcEvents: %t HasThreadEvents: %t - HasImageEvents: %t + HasModuleEvents: %t HasFileEvents: %t HasRegistryEvents: %t HasNetworkEvents: %t @@ -239,7 +240,7 @@ func (r RulesCompileResult) String() string { Events: %s`, r.HasProcEvents, r.HasThreadEvents, - r.HasImageEvents, + r.HasModuleEvents, r.HasFileEvents, r.HasRegistryEvents, r.HasNetworkEvents, diff --git a/pkg/event/bitset_test.go b/pkg/event/bitset_test.go index 8aed8ef43..df69110db 100644 --- a/pkg/event/bitset_test.go +++ b/pkg/event/bitset_test.go @@ -19,9 +19,10 @@ package event import ( - "github.com/rabbitstack/fibratus/pkg/util/bitmask" "testing" + "github.com/rabbitstack/fibratus/pkg/util/bitmask" + "github.com/rabbitstack/fibratus/pkg/sys/etw" "github.com/stretchr/testify/assert" ) @@ -36,14 +37,14 @@ func TestBitmask(t *testing.T) { {CreateThread, true}, {CreateFile, false}, {WriteFile, false}, - {LoadImage, false}, + {LoadModule, false}, {MapFileRundown, true}, {ProcessRundown, true}, } b := bitmask.New() for _, typ := range AllWithState() { - if typ == WriteFile || typ == LoadImage || typ == CreateFile { + if typ == WriteFile || typ == LoadModule || typ == CreateFile { continue } b.Set(typ.ID()) @@ -66,7 +67,7 @@ func TestBitSets(t *testing.T) { {&Event{Type: CreateThread, Category: Thread}, true}, {&Event{Type: CreateFile}, false}, {&Event{Type: WriteFile}, false}, - {&Event{Type: LoadImage}, false}, + {&Event{Type: LoadModule}, false}, {&Event{Type: MapFileRundown}, true}, {&Event{Type: ProcessRundown}, true}, } diff --git a/pkg/event/category.go b/pkg/event/category.go index f136415c9..ae2cc4120 100644 --- a/pkg/event/category.go +++ b/pkg/event/category.go @@ -39,8 +39,8 @@ const ( Process Category = "process" // Thread is the category for thread events Thread Category = "thread" - // Image is the category for image events - Image Category = "image" + // Module is the category for module (dll, exe, sys) events + Module Category = "module" // Handle is the category for handle events Handle Category = "handle" // Driver is the category for driver events @@ -85,7 +85,7 @@ func (c Category) Index() uint8 { return 4 case Thread: return 5 - case Image: + case Module: return 6 case Handle: return 7 @@ -112,7 +112,7 @@ func Categories() []string { string(Net), string(Process), string(Thread), - string(Image), + string(Module), string(Handle), string(Mem), string(Driver), diff --git a/pkg/event/event_windows.go b/pkg/event/event_windows.go index 2201eb6b6..b4f1ee6a0 100644 --- a/pkg/event/event_windows.go +++ b/pkg/event/event_windows.go @@ -78,7 +78,7 @@ func New(seq uint64, evt *etw.EventRecord) *Event { func (e *Event) adjustPID() { switch e.Category { - case Image: + case Module: // sometimes the pid present in event header is invalid // but, we can get the valid one from the event parameters if e.InvalidPid() { @@ -169,7 +169,7 @@ func (e *Event) IsDNS() bool { // IsRundown determines if this is a rundown events. func (e *Event) IsRundown() bool { - return e.Type == ProcessRundown || e.Type == ThreadRundown || e.Type == ImageRundown || + return e.Type == ProcessRundown || e.Type == ThreadRundown || e.Type == ModuleRundown || e.Type == FileRundown || e.Type == RegKCBRundown } @@ -214,10 +214,10 @@ func (e *Event) IsDeleteFile() bool { return e.Type == DeleteFile } func (e *Event) IsEnumDirectory() bool { return e.Type == EnumDirectory } func (e *Event) IsTerminateProcess() bool { return e.Type == TerminateProcess } func (e *Event) IsTerminateThread() bool { return e.Type == TerminateThread } -func (e *Event) IsUnloadImage() bool { return e.Type == UnloadImage } -func (e *Event) IsLoadImage() bool { return e.Type == LoadImage } -func (e *Event) IsLoadImageInternal() bool { return e.Type == LoadImageInternal } -func (e *Event) IsImageRundown() bool { return e.Type == ImageRundown } +func (e *Event) IsUnloadModule() bool { return e.Type == UnloadModule } +func (e *Event) IsLoadModule() bool { return e.Type == LoadModule } +func (e *Event) IsLoadModuleInternal() bool { return e.Type == LoadModuleInternal } +func (e *Event) IsModuleRundown() bool { return e.Type == ModuleRundown } func (e *Event) IsFileOpEnd() bool { return e.Type == FileOpEnd } func (e *Event) IsRegSetValue() bool { return e.Type == RegSetValue } func (e *Event) IsRegSetValueInternal() bool { return e.Type == RegSetValueInternal } @@ -306,9 +306,9 @@ func (e *Event) RundownKey() uint64 { binary.LittleEndian.PutUint32(b, tid) return hashers.FnvUint64(b) - case ImageRundown: + case ModuleRundown: pid, _ := e.Params.GetPid() - mod, _ := e.Params.GetString(params.ImagePath) + mod, _ := e.Params.GetString(params.ModulePath) b := make([]byte, 4+len(mod)) binary.LittleEndian.PutUint32(b, pid) @@ -453,10 +453,10 @@ func (e *Event) Summary() string { exe, _ := e.Params.GetString(params.Exe) return printSummary(e, fmt.Sprintf("opened %s process' thread object with %s access right(s)", exe, access)) - case LoadImage: + case LoadModule: filename := e.GetParamAsString(params.FilePath) return printSummary(e, fmt.Sprintf("loaded %s module", filename)) - case UnloadImage: + case UnloadModule: filename := e.GetParamAsString(params.FilePath) return printSummary(e, fmt.Sprintf("unloaded %s module", filename)) case CreateFile: diff --git a/pkg/event/marshaller_test.go b/pkg/event/marshaller_test.go index 13f4870e3..37be2a3e6 100644 --- a/pkg/event/marshaller_test.go +++ b/pkg/event/marshaller_test.go @@ -20,13 +20,14 @@ package event import ( "encoding/json" - capver "github.com/rabbitstack/fibratus/pkg/cap/version" - "github.com/rabbitstack/fibratus/pkg/util/va" - "golang.org/x/sys/windows" "os" "testing" "time" + capver "github.com/rabbitstack/fibratus/pkg/cap/version" + "github.com/rabbitstack/fibratus/pkg/util/va" + "golang.org/x/sys/windows" + "github.com/rabbitstack/fibratus/pkg/event/params" htypes "github.com/rabbitstack/fibratus/pkg/handle/types" pex "github.com/rabbitstack/fibratus/pkg/pe" @@ -37,7 +38,7 @@ import ( func init() { SerializeThreads = true - SerializeImages = true + SerializeModules = true SerializeHandles = true SerializePE = true SerializeEnvs = true diff --git a/pkg/event/marshaller_windows.go b/pkg/event/marshaller_windows.go index 80405ff8b..5ded48295 100644 --- a/pkg/event/marshaller_windows.go +++ b/pkg/event/marshaller_windows.go @@ -21,14 +21,15 @@ package event import ( "expvar" "fmt" - "github.com/rabbitstack/fibratus/pkg/util/convert" - "github.com/rabbitstack/fibratus/pkg/util/va" "math" "net" "sort" "time" "unsafe" + "github.com/rabbitstack/fibratus/pkg/util/convert" + "github.com/rabbitstack/fibratus/pkg/util/va" + "github.com/rabbitstack/fibratus/pkg/cap/section" capver "github.com/rabbitstack/fibratus/pkg/cap/version" "github.com/rabbitstack/fibratus/pkg/event/params" @@ -42,8 +43,8 @@ var ( SerializeHandles bool // SerializeThreads indicates if threads are serialized as part of the process state SerializeThreads bool - // SerializeImages indicates if images are serialized as part of the process state - SerializeImages bool + // SerializeModules indicates if modules are serialized as part of the process state + SerializeModules bool // SerializePE indicates if PE metadata are serialized as part of the process state SerializePE bool // SerializeEnvs indicates if the environment variables are serialized as part of the process state @@ -423,7 +424,7 @@ func (e *Event) UnmarshalRaw(b []byte, ver capver.Version) error { var js = newJSONStream() func writePsResources() bool { - return SerializeHandles || SerializeThreads || SerializeImages || SerializePE + return SerializeHandles || SerializeThreads || SerializeModules || SerializePE } // MarshalJSON produces a JSON payload for this event. @@ -622,12 +623,12 @@ func (e *Event) MarshalJSON() []byte { ps.RUnlock() // end threads js.writeArrayEnd() - if SerializeImages || SerializeHandles { + if SerializeModules || SerializeHandles { js.writeMore() } } - if SerializeImages { + if SerializeModules { // start modules js.writeObjectField("modules") js.writeArrayStart() diff --git a/pkg/event/metainfo_windows.go b/pkg/event/metainfo_windows.go index 6f8df0e9d..ac2819c8f 100644 --- a/pkg/event/metainfo_windows.go +++ b/pkg/event/metainfo_windows.go @@ -75,8 +75,8 @@ var events = map[Type]Info{ ReconnectTCPv6: {"Reconnect", Net, "Reconnects to the socket"}, RetransmitTCPv4: {"Retransmit", Net, "Retransmits unacknowledged TCP segments"}, RetransmitTCPv6: {"Retransmit", Net, "Retransmits unacknowledged TCP segments"}, - LoadImage: {"LoadImage", Image, "Loads the module into the address space of the calling process"}, - UnloadImage: {"UnloadImage", Image, "Unloads the module from the address space of the calling process"}, + LoadModule: {"LoadModule", Module, "Loads the module into the address space of the calling process"}, + UnloadModule: {"UnloadModule", Module, "Unloads the module from the address space of the calling process"}, CreateHandle: {"CreateHandle", Handle, "Creates a new handle"}, CloseHandle: {"CloseHandle", Handle, "Closes the handle"}, DuplicateHandle: {"DuplicateHandle", Handle, "Duplicates the handle"}, @@ -100,8 +100,8 @@ var types = map[string]Type{ "TerminateThread": TerminateThread, "OpenThread": OpenThread, "SetThreadContext": SetThreadContext, - "LoadImage": LoadImage, - "UnloadImage": UnloadImage, + "LoadModule": LoadModule, + "UnloadModule": UnloadModule, "CreateFile": CreateFile, "CloseFile": CloseFile, "ReadFile": ReadFile, @@ -163,8 +163,8 @@ var indexedEvents = []Info{ events[TerminateThread], events[OpenThread], events[SetThreadContext], - events[LoadImage], - events[UnloadImage], + events[LoadModule], + events[UnloadModule], events[CreateFile], events[CloseFile], events[ReadFile], @@ -229,7 +229,7 @@ func AllWithState() []Type { s = append(s, ProcessRundown) s = append(s, ThreadRundown) - s = append(s, ImageRundown) + s = append(s, ModuleRundown) s = append(s, FileRundown) s = append(s, RegKCBRundown) s = append(s, RegCreateKCB) @@ -240,7 +240,7 @@ func AllWithState() []Type { s = append(s, StackWalk) s = append(s, CreateProcessInternal) s = append(s, ProcessRundownInternal) - s = append(s, LoadImageInternal) + s = append(s, LoadModuleInternal) s = append(s, RegSetValueInternal) return s diff --git a/pkg/event/param_windows.go b/pkg/event/param_windows.go index 3c49167d8..322f7be9e 100644 --- a/pkg/event/param_windows.go +++ b/pkg/event/param_windows.go @@ -423,7 +423,7 @@ func (e *Event) produceParams(evt *etw.EventRecord) { e.AppendParam(params.HandleObjectTypeID, params.HandleType, typeID) e.AppendParam(params.ProcessID, params.PID, sourcePID) e.AppendParam(params.TargetProcessID, params.PID, targetPID) - case LoadImage, UnloadImage, ImageRundown: + case LoadModule, UnloadModule, ModuleRundown: var ( pid uint32 checksum uint32 @@ -458,14 +458,14 @@ func (e *Event) produceParams(evt *etw.EventRecord) { } filename = evt.ConsumeUTF16String(offset) e.AppendParam(params.ProcessID, params.PID, pid) - e.AppendParam(params.ImageCheckSum, params.Uint32, checksum) - e.AppendParam(params.ImageDefaultBase, params.Address, defaultBase) - e.AppendParam(params.ImageBase, params.Address, imageBase) - e.AppendParam(params.ImageSize, params.Uint64, imageSize) - e.AppendParam(params.ImagePath, params.DOSPath, filename) - e.AppendParam(params.ImageSignatureLevel, params.Enum, uint32(sigLevel), WithEnum(signature.Levels)) - e.AppendParam(params.ImageSignatureType, params.Enum, uint32(sigType), WithEnum(signature.Types)) - case LoadImageInternal: + e.AppendParam(params.ModuleCheckSum, params.Uint32, checksum) + e.AppendParam(params.ModuleDefaultBase, params.Address, defaultBase) + e.AppendParam(params.ModuleBase, params.Address, imageBase) + e.AppendParam(params.ModuleSize, params.Uint64, imageSize) + e.AppendParam(params.ModulePath, params.DOSPath, filename) + e.AppendParam(params.ModuleSignatureLevel, params.Enum, uint32(sigLevel), WithEnum(signature.Levels)) + e.AppendParam(params.ModuleSignatureType, params.Enum, uint32(sigType), WithEnum(signature.Types)) + case LoadModuleInternal: var ( pid uint32 checksum uint32 @@ -483,11 +483,11 @@ func (e *Event) produceParams(evt *etw.EventRecord) { filename = evt.ConsumeUTF16String(36) e.AppendParam(params.ProcessID, params.PID, pid) - e.AppendParam(params.ImageCheckSum, params.Uint32, checksum) - e.AppendParam(params.ImageDefaultBase, params.Address, defaultBase) - e.AppendParam(params.ImageBase, params.Address, imageBase) - e.AppendParam(params.ImageSize, params.Uint64, imageSize) - e.AppendParam(params.ImagePath, params.DOSPath, filename) + e.AppendParam(params.ModuleCheckSum, params.Uint32, checksum) + e.AppendParam(params.ModuleDefaultBase, params.Address, defaultBase) + e.AppendParam(params.ModuleBase, params.Address, imageBase) + e.AppendParam(params.ModuleSize, params.Uint64, imageSize) + e.AppendParam(params.ModulePath, params.DOSPath, filename) case RegOpenKey, RegCloseKey, RegCreateKCB, RegDeleteKCB, RegKCBRundown, RegCreateKey, diff --git a/pkg/event/params/params_windows.go b/pkg/event/params/params_windows.go index 716719496..2fa1b90c4 100644 --- a/pkg/event/params/params_windows.go +++ b/pkg/event/params/params_windows.go @@ -44,7 +44,7 @@ const ( Username = "username" // Domain field represents the domain under which the event was generated. Domain = "domain" - // ProcessName field denotes the process image name. + // ProcessName field denotes the process Module name. ProcessName = "name" // Exe field denotes the full path of the executable. Exe = "exe" @@ -152,31 +152,31 @@ const ( // RegData identifies the parameter that stores the captured registry data RegData = "data" - // ImageBase identifies the parameter name for the base address of the process in which the image is loaded. - ImageBase = "base_address" - // ImageSize represents the parameter name for the size of the image in bytes. - ImageSize = "image_size" - // ImageCheckSum is the parameter name for image checksum. - ImageCheckSum = "checksum" - // ImageDefaultBase is the parameter name that represents image's base address. - ImageDefaultBase = "default_address" - // ImagePath is the parameter name that denotes the file path and extension of the DLL/executable image. - ImagePath = "file_path" - // ImageSignatureLevel is the parameter denoting the loaded module signature level. - ImageSignatureLevel = "signature_level" - // ImageSignatureType is the parameter denoting the loaded module signature type. - ImageSignatureType = "signature_type" - // ImageCertSubject is the parameter that indicates the subject of the certificate is the entity its public key is associated with. - ImageCertSubject = "cert_subject" - // ImageCertIssuer is the parameter that represents the certificate authority (CA). - ImageCertIssuer = "cert_issuer" - // ImageCertSerial is the parameter that represents the serial number MUST be a positive integer assigned + // ModuleBase identifies the parameter name for the base address of the process in which the Mmdule is loaded. + ModuleBase = "base_address" + // ModuleSize represents the parameter name for the size of the module in bytes. + ModuleSize = "module_size" + // ModuleCheckSum is the parameter name for module checksum. + ModuleCheckSum = "checksum" + // ModuleDefaultBase is the parameter name that represents module's base address. + ModuleDefaultBase = "default_address" + // ModulePath is the parameter name that denotes the file path and extension of the DLL/executable Module. + ModulePath = "file_path" + // ModuleSignatureLevel is the parameter denoting the loaded module signature level. + ModuleSignatureLevel = "signature_level" + // ModuleSignatureType is the parameter denoting the loaded module signature type. + ModuleSignatureType = "signature_type" + // ModuleCertSubject is the parameter that indicates the subject of the certificate is the entity its public key is associated with. + ModuleCertSubject = "cert_subject" + // ModuleCertIssuer is the parameter that represents the certificate authority (CA). + ModuleCertIssuer = "cert_issuer" + // ModuleCertSerial is the parameter that represents the serial number MUST be a positive integer assigned // by the CA to each certificate. - ImageCertSerial = "cert_serial" - // ImageCertNotBefore is the parameter that specifies the certificate won't be valid before this timestamp. - ImageCertNotBefore = "cert_not_before" - // ImageCertNotAfter is the parameter that specifies the certificate won't be valid after this timestamp. - ImageCertNotAfter = "cert_not_after" + ModuleCertSerial = "cert_serial" + // ModuleCertNotBefore is the parameter that specifies the certificate won't be valid before this timestamp. + ModuleCertNotBefore = "cert_not_before" + // ModuleCertNotAfter is the parameter that specifies the certificate won't be valid after this timestamp. + ModuleCertNotAfter = "cert_not_after" // NetSize identifies the parameter name that represents the packet size. NetSize = "size" diff --git a/pkg/event/template.go b/pkg/event/template.go index 8f349b653..8bd81f81a 100644 --- a/pkg/event/template.go +++ b/pkg/event/template.go @@ -60,7 +60,7 @@ Threads: {{- end }} {{- end }} {{ end }} -{{ if .SerializeImages }} +{{ if .SerializeModules }} Modules: {{- with .Evt.PS.Modules }} {{- range . }} @@ -79,7 +79,7 @@ Handles: {{ if and (.SerializePE) (.Evt.PS.PE) }} Entrypoint: {{ .Evt.PS.PE.EntryPoint }} -Image base: {{ .Evt.PS.PE.ImageBase }} +Module base: {{ .Evt.PS.PE.ImageBase }} Build date: {{ .Evt.PS.PE.LinkTime }} Number of symbols: {{ .Evt.PS.PE.NumberOfSymbols }} @@ -141,14 +141,14 @@ func renderTemplate(evt *Event, tmpl *template.Template) ([]byte, error) { Evt *Event SerializeHandles bool SerializeThreads bool - SerializeImages bool + SerializeModules bool SerializeEnvs bool SerializePE bool }{ evt, SerializeHandles, SerializeThreads, - SerializeImages, + SerializeModules, SerializeEnvs, SerializePE, } diff --git a/pkg/event/types_windows.go b/pkg/event/types_windows.go index 1812436e2..157ed50de 100644 --- a/pkg/event/types_windows.go +++ b/pkg/event/types_windows.go @@ -47,8 +47,8 @@ var ( ProcessEventGUID = windows.GUID{Data1: 0x3d6fa8d0, Data2: 0xfe05, Data3: 0x11d0, Data4: [8]byte{0x9d, 0xda, 0x0, 0xc0, 0x4f, 0xd7, 0xba, 0x7c}} // ThreadEventGUID represents thread provider event GUID ThreadEventGUID = windows.GUID{Data1: 0x3d6fa8d1, Data2: 0xfe05, Data3: 0x11d0, Data4: [8]byte{0x9d, 0xda, 0x0, 0xc0, 0x4f, 0xd7, 0xba, 0x7c}} - // ImageEventGUID represents image provider event GUID - ImageEventGUID = windows.GUID{Data1: 0x2cb15d1d, Data2: 0x5fc1, Data3: 0x11d2, Data4: [8]byte{0xab, 0xe1, 0x0, 0xa0, 0xc9, 0x11, 0xf5, 0x18}} + // ModuleEventGUID represents module provider event GUID + ModuleEventGUID = windows.GUID{Data1: 0x2cb15d1d, Data2: 0x5fc1, Data3: 0x11d2, Data4: [8]byte{0xab, 0xe1, 0x0, 0xa0, 0xc9, 0x11, 0xf5, 0x18}} // FileEventGUID represents file provider event GUID FileEventGUID = windows.GUID{Data1: 0x90cbdc39, Data2: 0x4a3e, Data3: 0x11d1, Data4: [8]byte{0x84, 0xf4, 0x0, 0x0, 0xf8, 0x04, 0x64, 0xe3}} // RegistryEventGUID represents registry provider event GUID @@ -158,14 +158,14 @@ var ( // extra attributes RegSetValueInternal = pack(RegistryKernelEventGUID, 36) - // UnloadImage represents unload image kernel events - UnloadImage = pack(ImageEventGUID, 2) - // ImageRundown represents kernel events that is triggered to enumerate all loaded images - ImageRundown = pack(ImageEventGUID, 3) - // LoadImage represents load image kernel events that are triggered when a DLL or executable file is loaded - LoadImage = pack(ImageEventGUID, 10) - // LoadImageInternal same as for process internal event originating from the Microsoft Windows Kernel Process provider. - LoadImageInternal = pack(ProcessKernelEventGUID, 5) + // UnloadModule represents unload module kernel events + UnloadModule = pack(ModuleEventGUID, 2) + // ModuleRundown represents kernel events that is triggered to enumerate all loaded modules + ModuleRundown = pack(ModuleEventGUID, 3) + // LoadModule represents module load kernel events that are triggered when a DLL or executable file is loaded + LoadModule = pack(ModuleEventGUID, 10) + // LoadModuleInternal same as for process internal event originating from the Microsoft Windows Kernel Process provider + LoadModuleInternal = pack(ProcessKernelEventGUID, 5) // AcceptTCPv4 represents the TCPv4 kernel events for accepting connection requests from the socket queue. AcceptTCPv4 = pack(NetworkTCPEventGUID, 15) @@ -319,12 +319,12 @@ func (t Type) String() string { return "RegCreateKCB" case RegSetValue, RegSetValueInternal: return "RegSetValue" - case LoadImage, LoadImageInternal: - return "LoadImage" - case UnloadImage: - return "UnloadImage" - case ImageRundown: - return "ImageRundown" + case LoadModule, LoadModuleInternal: + return "LoadModule" + case UnloadModule: + return "UnloadModule" + case ModuleRundown: + return "ModuleRundown" case AcceptTCPv4, AcceptTCPv6: return "Accept" case SendTCPv4, SendTCPv6, SendUDPv4, SendUDPv6: @@ -369,8 +369,8 @@ func (t Type) Category() Category { return Process case CreateThread, TerminateThread, OpenThread, SetThreadContext, ThreadRundown, StackWalk: return Thread - case LoadImage, UnloadImage, ImageRundown, LoadImageInternal: - return Image + case LoadModule, UnloadModule, ModuleRundown, LoadModuleInternal: + return Module case CreateFile, ReadFile, WriteFile, EnumDirectory, DeleteFile, RenameFile, CloseFile, SetFileInformation, FileRundown, FileOpEnd, ReleaseFile, MapViewFile, UnmapViewFile, MapFileRundown: return File @@ -476,9 +476,9 @@ func (t Type) Description() string { return "Sends data over the wire" case RecvTCPv4, RecvUDPv4, RecvTCPv6, RecvUDPv6: return "Receives data from the socket" - case LoadImage: + case LoadModule: return "Loads the module into the address space of the calling process" - case UnloadImage: + case UnloadModule: return "Unloads the module from the address space of the calling process" case CreateHandle: return "Creates a new handle" @@ -527,8 +527,8 @@ func (t Type) OnlyState() bool { ProcessRundownInternal, CreateProcessInternal, ThreadRundown, - ImageRundown, - LoadImageInternal, + ModuleRundown, + LoadModuleInternal, FileRundown, RegKCBRundown, FileOpEnd, @@ -549,7 +549,7 @@ func (t Type) CanEnrichStack() bool { case CreateProcess, CreateThread, TerminateThread, - LoadImage, + LoadModule, RegCreateKey, RegDeleteKey, RegSetValue, @@ -677,7 +677,7 @@ func (t Type) color() string { case SetThreadContext: return colorizer.SpanBold(colorizer.Amber, t.String()) - case LoadImage, UnloadImage: + case LoadModule, UnloadModule: return colorizer.SpanBold(colorizer.Magenta, t.String()) case SendTCPv4, SendTCPv6, SendUDPv4, SendUDPv6, @@ -731,7 +731,7 @@ func (t Type) arrow() string { var clr uint8 switch t { case TerminateProcess, TerminateThread, DeleteFile, RegDeleteKey, - RegDeleteValue, UnloadImage, VirtualFree, UnmapViewFile: + RegDeleteValue, UnloadModule, VirtualFree, UnmapViewFile: clr = colorizer.Red case CreateProcess, CreateFile, WriteFile, RenameFile, SetFileInformation, @@ -740,7 +740,7 @@ func (t Type) arrow() string { SendTCPv4, SendTCPv6, SendUDPv4, SendUDPv6: clr = colorizer.Amber - case ReadFile, EnumDirectory, LoadImage, RegOpenKey, RegQueryKey, RegQueryValue, OpenProcess, + case ReadFile, EnumDirectory, LoadModule, RegOpenKey, RegQueryKey, RegQueryValue, OpenProcess, OpenThread, CreateHandle, RecvTCPv4, RecvTCPv6, RecvUDPv4, RecvUDPv6: clr = colorizer.Teal diff --git a/pkg/event/types_windows_test.go b/pkg/event/types_windows_test.go index 371feca01..f9e441375 100644 --- a/pkg/event/types_windows_test.go +++ b/pkg/event/types_windows_test.go @@ -19,11 +19,12 @@ package event import ( + "testing" + "github.com/rabbitstack/fibratus/pkg/sys/etw" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "golang.org/x/sys/windows" - "testing" ) func TestEventTypePackAllBytes(t *testing.T) { @@ -114,7 +115,7 @@ func TestGUIDAndHookIDFromEventType(t *testing.T) { guid windows.GUID }{ { - LoadImage, + LoadModule, 10, windows.GUID{Data1: 0x2cb15d1d, Data2: 0x5fc1, Data3: 0x11d2, Data4: [8]byte{0xab, 0xe1, 0x0, 0xa0, 0xc9, 0x11, 0xf5, 0x18}}, }, diff --git a/pkg/filter/accessor_windows.go b/pkg/filter/accessor_windows.go index f3da5b4de..5573fc577 100644 --- a/pkg/filter/accessor_windows.go +++ b/pkg/filter/accessor_windows.go @@ -752,7 +752,7 @@ func (moduleAccessor) SetFields(fields []Field) { func (moduleAccessor) SetSegments([]fields.Segment) {} func (moduleAccessor) IsFieldAccessible(e *event.Event) bool { - return e.Category == event.Image + return e.Category == event.Module } func newModuleAccessor() Accessor { @@ -760,11 +760,11 @@ func newModuleAccessor() Accessor { } func (*moduleAccessor) Get(f Field, e *event.Event) (params.Value, error) { - if e.IsLoadImage() && (f.Name.IsModuleSignature() || f.Name == fields.ImageSignatureType || f.Name == fields.ImageSignatureLevel || f.Name.IsImageCert()) { - filename := e.GetParamAsString(params.ImagePath) - addr := e.Params.MustGetUint64(params.ImageBase) - typ := e.Params.MustGetUint32(params.ImageSignatureType) - level := e.Params.MustGetUint32(params.ImageSignatureLevel) + if e.IsLoadModule() && (f.Name.IsModuleSignature() || f.Name == fields.ImageSignatureType || f.Name == fields.ImageSignatureLevel || f.Name.IsImageCert()) { + filename := e.GetParamAsString(params.ModulePath) + addr := e.Params.MustGetUint64(params.ModuleBase) + typ := e.Params.MustGetUint32(params.ModuleSignatureType) + level := e.Params.MustGetUint32(params.ModuleSignatureLevel) sign := signature.GetSignatures().GetSignature(addr) @@ -810,17 +810,17 @@ func (*moduleAccessor) Get(f Field, e *event.Event) (params.Value, error) { signature.GetSignatures().PutSignature(addr, sign) } // reset signature type/level parameters - _ = e.Params.SetValue(params.ImageSignatureType, sign.Type) - _ = e.Params.SetValue(params.ImageSignatureLevel, sign.Level) + _ = e.Params.SetValue(params.ModuleSignatureType, sign.Type) + _ = e.Params.SetValue(params.ModuleSignatureLevel, sign.Level) } // append certificate parameters if sign.HasCertificate() { - e.AppendParam(params.ImageCertIssuer, params.UnicodeString, sign.Cert.Issuer) - e.AppendParam(params.ImageCertSubject, params.UnicodeString, sign.Cert.Subject) - e.AppendParam(params.ImageCertSerial, params.UnicodeString, sign.Cert.SerialNumber) - e.AppendParam(params.ImageCertNotAfter, params.Time, sign.Cert.NotAfter) - e.AppendParam(params.ImageCertNotBefore, params.Time, sign.Cert.NotBefore) + e.AppendParam(params.ModuleCertIssuer, params.UnicodeString, sign.Cert.Issuer) + e.AppendParam(params.ModuleCertSubject, params.UnicodeString, sign.Cert.Subject) + e.AppendParam(params.ModuleCertSerial, params.UnicodeString, sign.Cert.SerialNumber) + e.AppendParam(params.ModuleCertNotAfter, params.Time, sign.Cert.NotAfter) + e.AppendParam(params.ModuleCertNotBefore, params.Time, sign.Cert.NotBefore) } switch f.Name { @@ -833,49 +833,49 @@ func (*moduleAccessor) Get(f Field, e *event.Event) (params.Value, error) { switch f.Name { case fields.ImagePath, fields.ModulePath, fields.DllPath: - return e.GetParamAsString(params.ImagePath), nil + return e.GetParamAsString(params.ModulePath), nil case fields.ModulePathStem, fields.DllPathStem: - path := e.GetParamAsString(params.ImagePath) + path := e.GetParamAsString(params.ModulePath) n := strings.LastIndexByte(path, '.') if n == -1 { return path, nil } return path[:n], nil case fields.ImageName, fields.ModuleName, fields.DllName: - return filepath.Base(e.GetParamAsString(params.ImagePath)), nil + return filepath.Base(e.GetParamAsString(params.ModulePath)), nil case fields.ImageDefaultAddress, fields.ModuleDefaultAddress: - return e.GetParamAsString(params.ImageDefaultBase), nil + return e.GetParamAsString(params.ModuleDefaultBase), nil case fields.ImageBase, fields.ModuleBase, fields.DllBase: - return e.GetParamAsString(params.ImageBase), nil + return e.GetParamAsString(params.ModuleBase), nil case fields.ImageSize, fields.ModuleSize, fields.DllSize: - return e.Params.GetUint64(params.ImageSize) + return e.Params.GetUint64(params.ModuleSize) case fields.ImageChecksum, fields.ModuleChecksum: - return e.Params.GetUint32(params.ImageCheckSum) + return e.Params.GetUint32(params.ModuleCheckSum) case fields.ImagePID, fields.ModulePID, fields.DllPID: return e.Params.GetPid() case fields.ImageSignatureType, fields.ModuleSignatureType, fields.DllSignatureType: - return e.GetParamAsString(params.ImageSignatureType), nil + return e.GetParamAsString(params.ModuleSignatureType), nil case fields.ImageSignatureLevel, fields.ModuleSignatureLevel, fields.DllSignatureLevel: - return e.GetParamAsString(params.ImageSignatureLevel), nil + return e.GetParamAsString(params.ModuleSignatureLevel), nil case fields.ImageCertSubject, fields.ModuleSignatureSubject, fields.DllSignatureSubject: - return e.GetParamAsString(params.ImageCertSubject), nil + return e.GetParamAsString(params.ModuleCertSubject), nil case fields.ImageCertIssuer, fields.ModuleSignatureIssuer, fields.DllSignatureIssuer: - return e.GetParamAsString(params.ImageCertIssuer), nil + return e.GetParamAsString(params.ModuleCertIssuer), nil case fields.ImageCertSerial, fields.ModuleSignatureSerial, fields.DllSignatureSerial: - return e.GetParamAsString(params.ImageCertSerial), nil + return e.GetParamAsString(params.ModuleCertSerial), nil case fields.ImageCertBefore, fields.ModuleSignatureBefore, fields.DllSignatureBefore: - return e.Params.GetTime(params.ImageCertNotBefore) + return e.Params.GetTime(params.ModuleCertNotBefore) case fields.ImageCertAfter, fields.ModuleSignatureAfter, fields.DllSignatureAfter: - return e.Params.GetTime(params.ImageCertNotAfter) + return e.Params.GetTime(params.ModuleCertNotAfter) case fields.ImageIsDriverVulnerable, fields.ImageIsDriverMalicious, fields.ModuleIsDriverVulnerable, fields.ModuleIsDriverMalicious: - if e.IsLoadImage() { + if e.IsLoadModule() { return isLOLDriver(f.Name, e) } return false, nil case fields.ImageIsDLL, fields.ModuleIsDLL, fields.ImageIsDriver, fields.ModuleIsDriver, fields.ImageIsExecutable, fields.ModuleIsExecutable, fields.ImageIsDotnet, fields.ModuleIsDotnet, fields.DllIsDotnet: - if e.IsLoadImage() { + if e.IsLoadModule() { return getFileInfo(f.Name, e) } return false, nil @@ -1025,7 +1025,7 @@ func (pa *peAccessor) SetSegments(segments []fields.Segment) { } func (peAccessor) IsFieldAccessible(e *event.Event) bool { - return e.PS != nil || e.IsLoadImage() + return e.PS != nil || e.IsLoadModule() } // parserOpts traverses all fields/segments declared in the expression and @@ -1106,15 +1106,15 @@ func (pa *peAccessor) Get(f Field, e *event.Event) (params.Value, error) { // PE for loaded executables followed by fetching the PE // from process' memory at the base address of the loaded // executable image - if e.IsLoadImage() && f.Name.IsPeModified() { - filename := e.GetParamAsString(params.ImagePath) + if e.IsLoadModule() && f.Name.IsPeModified() { + filename := e.GetParamAsString(params.ModulePath) isExecutable := filepath.Ext(filename) == ".exe" || e.Params.TryGetBool(params.FileIsExecutable) if !isExecutable { return nil, nil } pid := e.Params.MustGetPid() - addr := e.Params.MustGetUint64(params.ImageBase) + addr := e.Params.MustGetUint64(params.ModuleBase) file, err := pe.ParseFile(filename, pa.parserOpts()...) if err != nil { diff --git a/pkg/filter/accessor_windows_test.go b/pkg/filter/accessor_windows_test.go index 2cce8da17..c2164da48 100644 --- a/pkg/filter/accessor_windows_test.go +++ b/pkg/filter/accessor_windows_test.go @@ -138,7 +138,7 @@ func TestIsFieldAccessible(t *testing.T) { }, { newModuleAccessor(), - &event.Event{Type: event.LoadImage, Category: event.Image}, + &event.Event{Type: event.LoadModule, Category: event.Module}, true, }, { diff --git a/pkg/filter/fields/fields_windows.go b/pkg/filter/fields/fields_windows.go index f31acd829..a372f9f85 100644 --- a/pkg/filter/fields/fields_windows.go +++ b/pkg/filter/fields/fields_windows.go @@ -1081,7 +1081,7 @@ var fields = map[Field]FieldInfo{ ThreadUstackLimit: {ThreadUstackLimit, "limit of the thread's user space stack", params.Address, []string{"thread.ustack.limit = '8ffe0000'"}, nil, nil}, ThreadEntrypoint: {ThreadEntrypoint, "starting address of the function to be executed by the thread", params.Address, []string{"thread.entrypoint = '7efe0000'"}, &Deprecation{Since: "2.3.0", Fields: []Field{ThreadStartAddress}}, nil}, ThreadStartAddress: {ThreadStartAddress, "thread start address", params.Address, []string{"thread.start_address = '7efe0000'"}, nil, nil}, - ThreadStartAddressSymbol: {ThreadStartAddressSymbol, "thread start address symbol", params.UnicodeString, []string{"thread.start_address.symbol = 'LoadImage'"}, nil, nil}, + ThreadStartAddressSymbol: {ThreadStartAddressSymbol, "thread start address symbol", params.UnicodeString, []string{"thread.start_address.symbol = 'LoadModule'"}, nil, nil}, ThreadStartAddressModule: {ThreadStartAddressModule, "thread start address module", params.UnicodeString, []string{"thread.start_address.module endswith 'kernel32.dll'"}, nil, nil}, ThreadPID: {ThreadPID, "the process identifier where the thread is created", params.Uint32, []string{"evt.pid != thread.pid"}, nil, nil}, ThreadTEB: {ThreadTEB, "the base address of the thread environment block", params.Address, []string{"thread.teb_address = '8f30893000'"}, nil, nil}, diff --git a/pkg/filter/filter_test.go b/pkg/filter/filter_test.go index 9acfaf9ae..d42c1e5c3 100644 --- a/pkg/filter/filter_test.go +++ b/pkg/filter/filter_test.go @@ -54,7 +54,7 @@ var cfg = &config.Config{ EnableNetEvents: true, EnableRegistryEvents: true, EnableFileIOEvents: true, - EnableImageEvents: true, + EnableModuleEvents: true, EnableThreadEvents: true, EnableMemEvents: true, EnableDNSEvents: true, @@ -421,7 +421,7 @@ func TestThreadFilter(t *testing.T) { params.PagePrio: {Name: params.PagePrio, Type: params.Uint8, Value: uint8(5)}, params.UstackBase: {Name: params.UstackBase, Type: params.Address, Value: uint64(86376448)}, params.UstackLimit: {Name: params.UstackLimit, Type: params.Address, Value: uint64(86372352)}, - params.StartAddressSymbol: {Name: params.StartAddressSymbol, Type: params.UnicodeString, Value: "LoadImage"}, + params.StartAddressSymbol: {Name: params.StartAddressSymbol, Type: params.UnicodeString, Value: "LoadModule"}, params.StartAddressModule: {Name: params.StartAddressModule, Type: params.UnicodeString, Value: "C:\\Windows\\System32\\kernel32.dll"}, } evt := &event.Event{ @@ -481,7 +481,7 @@ func TestThreadFilter(t *testing.T) { {`thread.kstack.limit = 'ffffc307810cf000'`, true}, {`thread.start_address = '7ffe2557ff80'`, true}, {`thread.teb_address = '8f30893000'`, true}, - {`thread.start_address.symbol = 'LoadImage'`, true}, + {`thread.start_address.symbol = 'LoadModule'`, true}, {`thread.start_address.module = 'C:\\Windows\\System32\\kernel32.dll'`, true}, {`thread.callstack.summary = 'KERNELBASE.dll|KERNEL32.DLL|java.dll|unbacked'`, true}, {`thread.callstack.detail icontains 'C:\\WINDOWS\\System32\\KERNELBASE.dll!CreateProcessW+0x66'`, true}, @@ -985,16 +985,16 @@ func TestRegistryFilter(t *testing.T) { func TestModuleFilter(t *testing.T) { e1 := &event.Event{ - Type: event.LoadImage, - Category: event.Image, + Type: event.LoadModule, + Category: event.Module, Params: event.Params{ - params.ImagePath: {Name: params.ImagePath, Type: params.UnicodeString, Value: filepath.Join(os.Getenv("windir"), "System32", "kernel32.dll")}, - params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1023)}, - params.ImageCheckSum: {Name: params.ImageCheckSum, Type: params.Uint32, Value: uint32(2323432)}, - params.ImageBase: {Name: params.ImageBase, Type: params.Address, Value: uint64(0x7ffb313833a3)}, - params.ImageSignatureType: {Name: params.ImageSignatureType, Type: params.Enum, Value: uint32(1), Enum: signature.Types}, - params.ImageSignatureLevel: {Name: params.ImageSignatureLevel, Type: params.Enum, Value: uint32(4), Enum: signature.Levels}, - params.FileIsDotnet: {Name: params.FileIsDotnet, Type: params.Bool, Value: false}, + params.ModulePath: {Name: params.ModulePath, Type: params.UnicodeString, Value: filepath.Join(os.Getenv("windir"), "System32", "kernel32.dll")}, + params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1023)}, + params.ModuleCheckSum: {Name: params.ModuleCheckSum, Type: params.Uint32, Value: uint32(2323432)}, + params.ModuleBase: {Name: params.ModuleBase, Type: params.Address, Value: uint64(0x7ffb313833a3)}, + params.ModuleSignatureType: {Name: params.ModuleSignatureType, Type: params.Enum, Value: uint32(1), Enum: signature.Types}, + params.ModuleSignatureLevel: {Name: params.ModuleSignatureLevel, Type: params.Enum, Value: uint32(4), Enum: signature.Levels}, + params.FileIsDotnet: {Name: params.FileIsDotnet, Type: params.Bool, Value: false}, }, } @@ -1039,7 +1039,7 @@ func TestModuleFilter(t *testing.T) { } matches := f.Run(e1) if matches != tt.matches { - t.Errorf("%d. %q image filter mismatch: exp=%t got=%t", i, tt.filter, tt.matches, matches) + t.Errorf("%d. %q module filter mismatch: exp=%t got=%t", i, tt.filter, tt.matches, matches) } } @@ -1052,16 +1052,16 @@ func TestModuleFilter(t *testing.T) { // now exercise unsigned/unchecked signature e2 := &event.Event{ - Type: event.LoadImage, - Category: event.Image, + Type: event.LoadModule, + Category: event.Module, Params: event.Params{ - params.ImagePath: {Name: params.ImagePath, Type: params.UnicodeString, Value: filepath.Join(os.Getenv("windir"), "System32", "kernel32.dll")}, - params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1023)}, - params.ImageCheckSum: {Name: params.ImageCheckSum, Type: params.Uint32, Value: uint32(2323432)}, - params.ImageBase: {Name: params.ImageBase, Type: params.Address, Value: uint64(0x7ccb313833a3)}, - params.ImageSignatureType: {Name: params.ImageSignatureType, Type: params.Enum, Value: uint32(0), Enum: signature.Types}, - params.ImageSignatureLevel: {Name: params.ImageSignatureLevel, Type: params.Enum, Value: uint32(0), Enum: signature.Levels}, - params.FileIsDotnet: {Name: params.FileIsDotnet, Type: params.Bool, Value: false}, + params.ModulePath: {Name: params.ModulePath, Type: params.UnicodeString, Value: filepath.Join(os.Getenv("windir"), "System32", "kernel32.dll")}, + params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1023)}, + params.ModuleCheckSum: {Name: params.ModuleCheckSum, Type: params.Uint32, Value: uint32(2323432)}, + params.ModuleBase: {Name: params.ModuleBase, Type: params.Address, Value: uint64(0x7ccb313833a3)}, + params.ModuleSignatureType: {Name: params.ModuleSignatureType, Type: params.Enum, Value: uint32(0), Enum: signature.Types}, + params.ModuleSignatureLevel: {Name: params.ModuleSignatureLevel, Type: params.Enum, Value: uint32(0), Enum: signature.Levels}, + params.FileIsDotnet: {Name: params.FileIsDotnet, Type: params.Bool, Value: false}, }, } @@ -1099,23 +1099,23 @@ func TestModuleFilter(t *testing.T) { } matches := f.Run(e2) if matches != tt.matches { - t.Errorf("%d. %q image filter mismatch: exp=%t got=%t", i, tt.filter, tt.matches, matches) + t.Errorf("%d. %q filter mismatch: exp=%t got=%t", i, tt.filter, tt.matches, matches) } } assert.NotNil(t, signature.GetSignatures().GetSignature(0x7ccb313833a3)) e3 := &event.Event{ - Type: event.LoadImage, - Category: event.Image, + Type: event.LoadModule, + Category: event.Module, Params: event.Params{ - params.ImagePath: {Name: params.ImagePath, Type: params.UnicodeString, Value: "C:\\Windows\\System32\\mscorlib.dll"}, - params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1023)}, - params.ImageCheckSum: {Name: params.ImageCheckSum, Type: params.Uint32, Value: uint32(2323432)}, - params.ImageBase: {Name: params.ImageBase, Type: params.Address, Value: uint64(0xfff313833a3)}, - params.ImageSignatureType: {Name: params.ImageSignatureType, Type: params.Enum, Value: uint32(0), Enum: signature.Types}, - params.ImageSignatureLevel: {Name: params.ImageSignatureLevel, Type: params.Enum, Value: uint32(0), Enum: signature.Levels}, - params.FileIsDotnet: {Name: params.FileIsDotnet, Type: params.Bool, Value: true}, + params.ModulePath: {Name: params.ModulePath, Type: params.UnicodeString, Value: "C:\\Windows\\System32\\mscorlib.dll"}, + params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(1023)}, + params.ModuleCheckSum: {Name: params.ModuleCheckSum, Type: params.Uint32, Value: uint32(2323432)}, + params.ModuleBase: {Name: params.ModuleBase, Type: params.Address, Value: uint64(0xfff313833a3)}, + params.ModuleSignatureType: {Name: params.ModuleSignatureType, Type: params.Enum, Value: uint32(0), Enum: signature.Types}, + params.ModuleSignatureLevel: {Name: params.ModuleSignatureLevel, Type: params.Enum, Value: uint32(0), Enum: signature.Levels}, + params.FileIsDotnet: {Name: params.FileIsDotnet, Type: params.Bool, Value: true}, }, } @@ -1140,7 +1140,7 @@ func TestModuleFilter(t *testing.T) { } matches := f.Run(e3) if matches != tt.matches { - t.Errorf("%d. %q image filter mismatch: exp=%t got=%t", i, tt.filter, tt.matches, matches) + t.Errorf("%d. %q module filter mismatch: exp=%t got=%t", i, tt.filter, tt.matches, matches) } } } @@ -1199,7 +1199,7 @@ func TestPEFilter(t *testing.T) { func TestLazyPEFilter(t *testing.T) { evt := &event.Event{ - Type: event.LoadImage, + Type: event.LoadModule, PS: &pstypes.PS{ PID: 2312, Exe: filepath.Join(os.Getenv("windir"), "notepad.exe"), diff --git a/pkg/filter/filter_windows.go b/pkg/filter/filter_windows.go index 46345d8b8..d2a0ea1fa 100644 --- a/pkg/filter/filter_windows.go +++ b/pkg/filter/filter_windows.go @@ -64,7 +64,7 @@ func New(expr string, config *config.Config, options ...Option) Filter { if config.EventSource.EnableThreadEvents { accessors = append(accessors, newThreadAccessor()) } - if config.EventSource.EnableImageEvents { + if config.EventSource.EnableModuleEvents { accessors = append(accessors, newModuleAccessor()) } if config.EventSource.EnableFileIOEvents { diff --git a/pkg/filter/ql/function.go b/pkg/filter/ql/function.go index 5415166a8..87ec8a0a0 100644 --- a/pkg/filter/ql/function.go +++ b/pkg/filter/ql/function.go @@ -303,6 +303,8 @@ func (f *Foreach) Desc() functions.FunctionDesc { "$pe": true, "$file": true, "$image": true, + "$module": true, + "$dll": true, "$thread": true, "$threadpool": true, "$registry": true, diff --git a/pkg/filter/ql/parser_test.go b/pkg/filter/ql/parser_test.go index 0055544cb..ba50bf372 100644 --- a/pkg/filter/ql/parser_test.go +++ b/pkg/filter/ql/parser_test.go @@ -434,7 +434,7 @@ func TestIsSequenceUnordered(t *testing.T) { { `|evt.name = 'CreateProcess'| |evt.name = 'UnmapViewFile'| - |evt.name = 'LoadImage'| + |evt.name = 'LoadModule'| `, false, }, diff --git a/pkg/filter/util.go b/pkg/filter/util.go index 18c479332..5724af353 100644 --- a/pkg/filter/util.go +++ b/pkg/filter/util.go @@ -43,7 +43,7 @@ func isLOLDriver(f fields.Field, e *event.Event) (params.Value, error) { if e.Category == event.File { filename = e.GetParamAsString(params.FilePath) } else { - filename = e.GetParamAsString(params.ImagePath) + filename = e.GetParamAsString(params.ModulePath) } isDriver := filepath.Ext(filename) == ".sys" || e.Params.TryGetBool(params.FileIsDriver) diff --git a/pkg/ps/snapshotter_windows.go b/pkg/ps/snapshotter_windows.go index 9b1c9b472..d79da0331 100644 --- a/pkg/ps/snapshotter_windows.go +++ b/pkg/ps/snapshotter_windows.go @@ -138,7 +138,7 @@ func (s *snapshotter) WriteFromCapture(e *event.Event) error { s.procs[pid] = proc case event.CreateThread, event.ThreadRundown: return s.AddThread(e) - case event.LoadImage, event.ImageRundown: + case event.LoadModule, event.ModuleRundown: return s.AddModule(e) } return nil @@ -245,7 +245,7 @@ func (s *snapshotter) AddModule(e *event.Event) error { s.mu.Lock() defer s.mu.Unlock() - if pid == 0 && e.IsImageRundown() { + if pid == 0 && e.IsModuleRundown() { // assume system process if pid is zero pid = SystemPID } @@ -255,26 +255,26 @@ func (s *snapshotter) AddModule(e *event.Event) error { } module := pstypes.Module{} - module.Size, _ = e.Params.GetUint64(params.ImageSize) - module.Checksum, _ = e.Params.GetUint32(params.ImageCheckSum) - module.Name = e.GetParamAsString(params.ImagePath) - module.BaseAddress = e.Params.TryGetAddress(params.ImageBase) - module.DefaultBaseAddress = e.Params.TryGetAddress(params.ImageDefaultBase) + module.Size, _ = e.Params.GetUint64(params.ModuleSize) + module.Checksum, _ = e.Params.GetUint32(params.ModuleCheckSum) + module.Name = e.GetParamAsString(params.ModulePath) + module.BaseAddress = e.Params.TryGetAddress(params.ModuleBase) + module.DefaultBaseAddress = e.Params.TryGetAddress(params.ModuleDefaultBase) - if e.IsLoadImageInternal() { + if e.IsLoadModuleInternal() { proc.AddModule(module) return nil } moduleCount.Add(1) - module.SignatureLevel, _ = e.Params.GetUint32(params.ImageSignatureLevel) - module.SignatureType, _ = e.Params.GetUint32(params.ImageSignatureType) + module.SignatureLevel, _ = e.Params.GetUint32(params.ModuleSignatureLevel) + module.SignatureType, _ = e.Params.GetUint32(params.ModuleSignatureType) if strings.EqualFold(proc.Name, filepath.Base(module.Name)) && len(proc.Exe) < len(module.Name) { // if the module is loaded for the process executable, and // we don't have the full executable path, override with - // the one from the image path + // the one from the Module path proc.Exe = module.Name } @@ -590,7 +590,7 @@ func (s *snapshotter) Find(pid uint32) (bool, *pstypes.PS) { // through `PROCESS_VM_READ` or `PROCESS_QUERY_INFORMATION` flags. // Try to acquire the process handle again but with restricted access // rights to be able to obtain other attributes such as the full process's - // image executable path or process times + // Module executable path or process times process, err = windows.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION, false, pid) if err != nil { return false, nil diff --git a/pkg/ps/snapshotter_windows_test.go b/pkg/ps/snapshotter_windows_test.go index 7fa59fa77..bc922055a 100644 --- a/pkg/ps/snapshotter_windows_test.go +++ b/pkg/ps/snapshotter_windows_test.go @@ -538,20 +538,20 @@ func TestAddModule(t *testing.T) { }{ {"add module to existing process", &event.Event{ - Type: event.LoadImage, + Type: event.LoadModule, Params: event.Params{ - params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(os.Getpid())}, - params.ImagePath: {Name: params.ImagePath, Type: params.UnicodeString, Value: "C:\\Users\\admin\\AppData\\Roaming\\Spotify\\Spotify.exe"}, + params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(os.Getpid())}, + params.ModulePath: {Name: params.ModulePath, Type: params.UnicodeString, Value: "C:\\Users\\admin\\AppData\\Roaming\\Spotify\\Spotify.exe"}, }, }, true, }, {"add module to absent process", &event.Event{ - Type: event.LoadImage, + Type: event.LoadModule, Params: event.Params{ - params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(os.Getpid() + 1)}, - params.ImagePath: {Name: params.ImagePath, Type: params.UnicodeString, Value: "C:\\Windows\\System32\\notepad.exe"}, + params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(os.Getpid() + 1)}, + params.ModulePath: {Name: params.ModulePath, Type: params.UnicodeString, Value: "C:\\Windows\\System32\\notepad.exe"}, }, }, false, @@ -567,7 +567,7 @@ func TestAddModule(t *testing.T) { ok, proc := psnap.Find(evt.Params.MustGetPid()) require.Equal(t, exists, ok) if ok { - require.NotNil(t, proc.FindModule(evt.GetParamAsString(params.ImagePath))) + require.NotNil(t, proc.FindModule(evt.GetParamAsString(params.ModulePath))) assert.Equal(t, "C:\\Users\\admin\\AppData\\Roaming\\Spotify\\Spotify.exe", proc.Exe) } }) @@ -597,11 +597,11 @@ func TestRemoveModule(t *testing.T) { require.NoError(t, psnap.Write(pevt)) mevt := &event.Event{ - Type: event.LoadImage, + Type: event.LoadModule, Params: event.Params{ - params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(os.Getpid())}, - params.ImagePath: {Name: params.ImagePath, Type: params.UnicodeString, Value: "C:\\Windows\\System32\\notepad.exe"}, - params.ImageBase: {Name: params.ImageBase, Type: params.Address, Value: uint64(0xffff7656)}, + params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(os.Getpid())}, + params.ModulePath: {Name: params.ModulePath, Type: params.UnicodeString, Value: "C:\\Windows\\System32\\notepad.exe"}, + params.ModuleBase: {Name: params.ModuleBase, Type: params.Address, Value: uint64(0xffff7656)}, }, } @@ -643,28 +643,28 @@ func TestOverrideProcExecutable(t *testing.T) { }{ {`Spotify.exe`, &event.Event{ - Type: event.LoadImage, + Type: event.LoadModule, Params: event.Params{ - params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(os.Getpid())}, - params.ImagePath: {Name: params.ImagePath, Type: params.UnicodeString, Value: "C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Dee252aac#\\707569faabe821b47fa4f59ecd9eb6ea\\Microsoft.Developer.IdentityService.ni.exe"}, + params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(os.Getpid())}, + params.ModulePath: {Name: params.ModulePath, Type: params.UnicodeString, Value: "C:\\Windows\\assembly\\NativeModules_v4.0.30319_32\\Microsoft.Dee252aac#\\707569faabe821b47fa4f59ecd9eb6ea\\Microsoft.Developer.IdentityService.ni.exe"}, }, }, }, {`Spotify.exe`, &event.Event{ - Type: event.LoadImage, + Type: event.LoadModule, Params: event.Params{ - params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(os.Getpid())}, - params.ImagePath: {Name: params.ImagePath, Type: params.UnicodeString, Value: "C:\\Windows\\System32\\notepad.exe"}, + params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(os.Getpid())}, + params.ModulePath: {Name: params.ModulePath, Type: params.UnicodeString, Value: "C:\\Windows\\System32\\notepad.exe"}, }, }, }, {`C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe`, &event.Event{ - Type: event.LoadImage, + Type: event.LoadModule, Params: event.Params{ - params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(os.Getpid())}, - params.ImagePath: {Name: params.ImagePath, Type: params.UnicodeString, Value: "C:\\Users\\admin\\AppData\\Roaming\\Spotify\\Spotify.exe"}, + params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(os.Getpid())}, + params.ModulePath: {Name: params.ModulePath, Type: params.UnicodeString, Value: "C:\\Users\\admin\\AppData\\Roaming\\Spotify\\Spotify.exe"}, }, }, }, diff --git a/pkg/rules/_fixtures/default/suspicious_module_loaded.yml b/pkg/rules/_fixtures/default/suspicious_module_loaded.yml index 28889e204..60b0a7327 100644 --- a/pkg/rules/_fixtures/default/suspicious_module_loaded.yml +++ b/pkg/rules/_fixtures/default/suspicious_module_loaded.yml @@ -1,5 +1,5 @@ name: Loaded suspicious module id: 1e4c3fbf-ed3a-4df4-9c54-8693d7397a75 version: 1.0.0 -condition: evt.name = 'LoadImage' and image.name = 'svchost.dll' +condition: evt.name = 'LoadModule' and image.name = 'svchost.dll' min-engine-version: 2.0.0 diff --git a/pkg/rules/compiler.go b/pkg/rules/compiler.go index 8b038a810..516e3668e 100644 --- a/pkg/rules/compiler.go +++ b/pkg/rules/compiler.go @@ -21,6 +21,7 @@ package rules import ( "expvar" "fmt" + semver "github.com/hashicorp/go-version" "github.com/rabbitstack/fibratus/pkg/config" "github.com/rabbitstack/fibratus/pkg/event" @@ -152,8 +153,8 @@ func (c *compiler) buildCompileResult(filters map[*config.FilterConfig]filter.Fi rs.HasProcEvents = true case event.Thread: rs.HasThreadEvents = true - case event.Image: - rs.HasImageEvents = true + case event.Module: + rs.HasModuleEvents = true case event.File: rs.HasFileEvents = true case event.Net: diff --git a/pkg/rules/compiler_test.go b/pkg/rules/compiler_test.go index fff233bf5..664ca01cd 100644 --- a/pkg/rules/compiler_test.go +++ b/pkg/rules/compiler_test.go @@ -19,12 +19,13 @@ package rules import ( + "testing" + "github.com/rabbitstack/fibratus/pkg/event" "github.com/rabbitstack/fibratus/pkg/ps" "github.com/rabbitstack/fibratus/pkg/util/version" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "testing" ) func TestCompile(t *testing.T) { @@ -34,13 +35,13 @@ func TestCompile(t *testing.T) { require.NotNil(t, rs) require.Len(t, filters, 6) - assert.True(t, rs.HasImageEvents) + assert.True(t, rs.HasModuleEvents) assert.True(t, rs.HasProcEvents) assert.False(t, rs.HasMemEvents) assert.False(t, rs.HasAuditAPIEvents) assert.True(t, rs.HasDNSEvents) assert.Contains(t, rs.UsedEvents, event.CreateProcess) - assert.Contains(t, rs.UsedEvents, event.LoadImage) + assert.Contains(t, rs.UsedEvents, event.LoadModule) assert.Contains(t, rs.UsedEvents, event.QueryDNS) assert.Contains(t, rs.UsedEvents, event.ConnectTCPv4) assert.Contains(t, rs.UsedEvents, event.ConnectTCPv6) diff --git a/pkg/rules/engine_test.go b/pkg/rules/engine_test.go index ca2046977..21bdc4250 100644 --- a/pkg/rules/engine_test.go +++ b/pkg/rules/engine_test.go @@ -88,7 +88,7 @@ func newConfig(fromFiles ...string) *config.Config { EnableNetEvents: true, EnableRegistryEvents: true, EnableFileIOEvents: true, - EnableImageEvents: true, + EnableModuleEvents: true, EnableThreadEvents: true, }, Filters: &config.Filters{ diff --git a/pkg/symbolize/symbolizer.go b/pkg/symbolize/symbolizer.go index a2c401d4c..fcda9e154 100644 --- a/pkg/symbolize/symbolizer.go +++ b/pkg/symbolize/symbolizer.go @@ -215,14 +215,14 @@ func (s *Symbolizer) ProcessEvent(e *event.Event) (bool, error) { return true, nil } - if e.IsLoadImage() || e.IsUnloadImage() { - filename := e.GetParamAsString(params.ImagePath) - addr := e.Params.TryGetAddress(params.ImageBase) + if e.IsLoadModule() || e.IsUnloadModule() { + filename := e.GetParamAsString(params.ModulePath) + addr := e.Params.TryGetAddress(params.ModuleBase) // if the kernel driver is loaded or unloaded, // load/unload symbol handlers respectively if (strings.ToLower(filepath.Ext(filename)) == ".sys" || e.Params.TryGetBool(params.FileIsDriver)) && s.config.SymbolizeKernelAddresses { - if e.IsLoadImage() { + if e.IsLoadModule() { err := s.r.LoadModule(windows.CurrentProcess(), filename, addr) if err != nil { log.Errorf("unable to load symbol table for %s module: %v", filename, err) @@ -259,10 +259,10 @@ func (s *Symbolizer) ProcessEvent(e *event.Event) (bool, error) { // the map, we get its export directory and insert // into the map. func (s *Symbolizer) syncModules(e *event.Event) error { - base := e.Params.TryGetAddress(params.ImageBase) - size := e.Params.TryGetUint64(params.ImageSize) + base := e.Params.TryGetAddress(params.ModuleBase) + size := e.Params.TryGetUint64(params.ModuleSize) - if e.IsUnloadImage() { + if e.IsUnloadModule() { s.mu.Lock() defer s.mu.Unlock() if _, ok := s.mods[e.PID][base]; ok { @@ -291,9 +291,9 @@ func (s *Symbolizer) processCallstack(e *event.Event) error { e.Callstack.Init(len(addrs)) // skip stack enrichment for the events generated by the System process - // except the LoadImage event which may prove to be useful when the driver - // is loaded and the kernel address symbolization is enabled - if e.IsSystemPid() && !e.IsLoadImage() { + // except the LoadModule event which may prove to be useful when the + // driver is loaded and the kernel address symbolization is enabled + if e.IsSystemPid() && !e.IsLoadModule() { return nil } diff --git a/pkg/symbolize/symbolizer_test.go b/pkg/symbolize/symbolizer_test.go index f46939aff..97b908b04 100644 --- a/pkg/symbolize/symbolizer_test.go +++ b/pkg/symbolize/symbolizer_test.go @@ -199,17 +199,17 @@ func TestProcessCallstackPeExports(t *testing.T) { assert.Equal(t, syminfo{module: "unbacked", symbol: "?"}, s.symbols[e.PID][0x2638e59e0a5]) e3 := &event.Event{ - Type: event.UnloadImage, + Type: event.UnloadModule, Tid: 2484, PID: uint32(os.Getpid()), CPU: 1, Seq: 2, - Name: "UnloadImage", + Name: "UnloadModule", Timestamp: time.Now(), - Category: event.Image, + Category: event.Module, Params: event.Params{ - params.ImageBase: {Name: params.ImageBase, Type: params.Address, Value: uint64(0x7ffb5d8e11c4)}, - params.FilePath: {Name: params.FilePath, Type: params.UnicodeString, Value: `C:\Windows\System32\user32.dll`}, + params.ModuleBase: {Name: params.ModuleBase, Type: params.Address, Value: uint64(0x7ffb5d8e11c4)}, + params.FilePath: {Name: params.FilePath, Type: params.UnicodeString, Value: `C:\Windows\System32\user32.dll`}, }, PS: proc, } diff --git a/pkg/sys/etw/types.go b/pkg/sys/etw/types.go index 34a9c6c6b..e540d1521 100644 --- a/pkg/sys/etw/types.go +++ b/pkg/sys/etw/types.go @@ -22,11 +22,12 @@ package etw import ( + "strings" + "unsafe" + "github.com/rabbitstack/fibratus/pkg/util/utf16" "github.com/rabbitstack/fibratus/pkg/util/va" "golang.org/x/sys/windows" - "strings" - "unsafe" ) // EventTraceFlags is the type alias for kernel trace events @@ -108,8 +109,8 @@ const ( FileIO EventTraceFlags = 0x02000000 // FileIOInit flag enables file start/end events. FileIOInit EventTraceFlags = 0x04000000 - // ImageLoad flag enables image events. - ImageLoad EventTraceFlags = 0x00000004 + // Module flag enables module events. + Module EventTraceFlags = 0x00000004 // Handle flag enables handle events. Handle EventTraceFlags = 0x80000040 // IRQ flag enables IRQ events. @@ -150,8 +151,8 @@ func (f EventTraceFlags) String() string { if f&FileIO == FileIO { flags = append(flags, "FileIO") } - if f&ImageLoad == ImageLoad { - flags = append(flags, "DLL") + if f&Module == Module { + flags = append(flags, "Module") } if f&Handle == Handle { flags = append(flags, "Handle") diff --git a/pkg/sys/trust.go b/pkg/sys/trust.go index bd9c1ea7c..3bd0efa29 100644 --- a/pkg/sys/trust.go +++ b/pkg/sys/trust.go @@ -21,12 +21,6 @@ package sys import ( "encoding/hex" "fmt" - "github.com/rabbitstack/fibratus/pkg/util/bytes" - "github.com/rabbitstack/fibratus/pkg/util/format" - "github.com/rabbitstack/fibratus/pkg/util/multierror" - log "github.com/sirupsen/logrus" - "go.mozilla.org/pkcs7" - "golang.org/x/sys/windows" "io" "os" "reflect" @@ -34,6 +28,13 @@ import ( "sync" "time" "unsafe" + + "github.com/rabbitstack/fibratus/pkg/util/bytes" + "github.com/rabbitstack/fibratus/pkg/util/format" + "github.com/rabbitstack/fibratus/pkg/util/multierror" + log "github.com/sirupsen/logrus" + "go.mozilla.org/pkcs7" + "golang.org/x/sys/windows" ) const ( @@ -218,7 +219,7 @@ func IsWintrustFound() bool { log.Warn("unable to find wintrust.dll library. This will lead to " + "PE objects signature verification to be skipped possibly " + "causing false positive samples in detection rules relying on " + - "image signature filter fields") + "module signature filter fields") } }) return isWintrustDLLFound diff --git a/pkg/yara/config/config_test.go b/pkg/yara/config/config_test.go index aee4a9c33..5ef364f86 100644 --- a/pkg/yara/config/config_test.go +++ b/pkg/yara/config/config_test.go @@ -20,12 +20,13 @@ package config import ( "errors" + "testing" + "github.com/rabbitstack/fibratus/pkg/event" "github.com/rabbitstack/fibratus/pkg/event/params" ytypes "github.com/rabbitstack/fibratus/pkg/yara/types" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "testing" ) func TestShouldSkipProcess(t *testing.T) { @@ -123,7 +124,7 @@ func TestAlertTitle(t *testing.T) { FileThreatAlertTitle, }, { - &event.Event{Type: event.LoadImage, Category: event.Image}, + &event.Event{Type: event.LoadModule, Category: event.Module}, MemoryThreatAlertTitle, }, } @@ -148,7 +149,7 @@ func TestAlertText(t *testing.T) { { "empty template and no threat_name meta", Config{}, - &event.Event{Type: event.LoadImage, Category: event.Image}, + &event.Event{Type: event.LoadModule, Category: event.Module}, ytypes.MatchRule{Rule: "Badlands Trojan"}, "Threat detected Badlands Trojan", nil, @@ -156,7 +157,7 @@ func TestAlertText(t *testing.T) { { "empty template and threat_name meta", Config{}, - &event.Event{Type: event.LoadImage, Category: event.Image}, + &event.Event{Type: event.LoadModule, Category: event.Module}, ytypes.MatchRule{Rule: "Badlands Trojan", Metas: []ytypes.Meta{{Identifier: "threat_name", Value: "Gravity Trojan"}}}, "Threat detected Gravity Trojan", nil, @@ -169,11 +170,11 @@ func TestAlertText(t *testing.T) { Event name: {{ .Event.Name -}} `, }, - &event.Event{Type: event.LoadImage, Name: "LoadImage", Category: event.Image}, + &event.Event{Type: event.LoadModule, Name: "LoadModule", Category: event.Module}, ytypes.MatchRule{Rule: "Badlands Trojan", Metas: []ytypes.Meta{{Identifier: "threat_name", Value: "Gravity Trojan"}}}, ` Rule name: Badlands Trojan - Event name: LoadImage`, + Event name: LoadModule`, nil, }, { @@ -184,7 +185,7 @@ func TestAlertText(t *testing.T) { Event name: {{ .Evet.Name -}} `, }, - &event.Event{Type: event.LoadImage, Name: "LoadImage", Category: event.Image}, + &event.Event{Type: event.LoadModule, Name: "LoadModule", Category: event.Module}, ytypes.MatchRule{Rule: "Badlands Trojan", Metas: []ytypes.Meta{{Identifier: "threat_name", Value: "Gravity Trojan"}}}, "", errors.New("yara alert template syntax error"), diff --git a/pkg/yara/scanner.go b/pkg/yara/scanner.go index 7d2273018..823975511 100644 --- a/pkg/yara/scanner.go +++ b/pkg/yara/scanner.go @@ -195,16 +195,16 @@ func (s scanner) Scan(e *event.Event) (bool, error) { matches, err = s.scan(pid) procScans.Add(1) isScanned = true - case event.LoadImage: + case event.LoadModule: // scan the process loading unsigned/untrusted module // or loading the module from unbacked memory region pid := e.PID - addr := e.Params.MustGetUint64(params.ImageBase) - typ := e.Params.MustGetUint32(params.ImageSignatureType) + addr := e.Params.MustGetUint64(params.ModuleBase) + typ := e.Params.MustGetUint32(params.ModuleSignatureType) if typ != signature.None { return false, nil } - filename := e.GetParamAsString(params.ImagePath) + filename := e.GetParamAsString(params.ModulePath) if s.config.ShouldSkipFile(filename) { return false, nil } @@ -295,13 +295,13 @@ func (s scanner) Scan(e *event.Event) (bool, error) { size := e.Params.MustGetUint64(params.FileViewSize) if e.PID != 4 && size >= 4096 && ((prot&sys.SectionRX) != 0 && (prot&sys.SectionRWX) != 0) && !s.isMmapMatched(pid) { filename := e.GetParamAsString(params.FilePath) - // skip mappings of signed images + // skip mappings of signed Modules addr := e.Params.MustGetUint64(params.FileViewBase) sign := signature.GetSignatures().GetSignature(addr) if sign != nil && sign.IsSigned() && sign.IsTrusted() { return false, nil } - // data/image file was mapped? + // data/Module file was mapped? if filename != "" { if s.config.ShouldSkipFile(filename) { return false, nil diff --git a/pkg/yara/scanner_test.go b/pkg/yara/scanner_test.go index 500a9df1d..d3f3f66b9 100644 --- a/pkg/yara/scanner_test.go +++ b/pkg/yara/scanner_test.go @@ -22,6 +22,11 @@ package yara import ( + "os" + "path/filepath" + "testing" + "time" + "github.com/rabbitstack/fibratus/pkg/event" "github.com/rabbitstack/fibratus/pkg/ps" pstypes "github.com/rabbitstack/fibratus/pkg/ps/types" @@ -32,10 +37,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "golang.org/x/sys/windows/registry" - "os" - "path/filepath" - "testing" - "time" "github.com/rabbitstack/fibratus/pkg/alertsender" "github.com/rabbitstack/fibratus/pkg/event/params" @@ -281,15 +282,15 @@ func TestScan(t *testing.T) { psnap.On("Find", pid).Return(true, proc) e := &event.Event{ - Type: event.LoadImage, - Name: "LoadImage", + Type: event.LoadModule, + Name: "LoadModule", Tid: 2484, PID: pid, Params: event.Params{ - params.FilePath: {Name: params.FilePath, Type: params.UnicodeString, Value: "tests.exe"}, - params.ImageBase: {Name: params.ImageBase, Type: params.Uint64, Value: uint64(0x74888fd99)}, - params.ImageSignatureType: {Name: params.ImageSignatureType, Type: params.Uint32, Value: signature.None}, - params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: pid}, + params.FilePath: {Name: params.FilePath, Type: params.UnicodeString, Value: "tests.exe"}, + params.ModuleBase: {Name: params.ModuleBase, Type: params.Uint64, Value: uint64(0x74888fd99)}, + params.ModuleSignatureType: {Name: params.ModuleSignatureType, Type: params.Uint32, Value: signature.None}, + params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: pid}, }, Metadata: make(map[event.MetadataKey]any), PS: proc, @@ -855,7 +856,7 @@ func TestScan(t *testing.T) { false, }, { - "scan rwx image file mmap", + "scan rwx Module file mmap", func() (*event.Event, error) { proc := &pstypes.PS{ Name: "tests.exe", @@ -992,7 +993,7 @@ func TestScan(t *testing.T) { assert.Contains(t, e.Metadata, event.YaraMatchesKey) } - if e.IsCreateProcess() || e.IsLoadImage() || e.IsVirtualAlloc() || e.IsMapViewFile() { + if e.IsCreateProcess() || e.IsLoadModule() || e.IsVirtualAlloc() || e.IsMapViewFile() { // cleanup proc, err := windows.OpenProcess(windows.PROCESS_TERMINATE, false, e.Params.MustGetPid()) if err == nil { diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml index efd07d8ed..6b19c7dc8 100644 --- a/rules/macros/macros.yml +++ b/rules/macros/macros.yml @@ -53,10 +53,10 @@ expr: evt.name = 'RegOpenKey' and registry.status = 'Success' - macro: load_module - expr: evt.name = 'LoadImage' + expr: evt.name = 'LoadModule' - macro: unload_module - expr: evt.name = 'UnloadImage' + expr: evt.name = 'UnloadModule' - macro: set_value expr: evt.name = 'RegSetValue' and registry.status = 'Success'