Fix defects

Remove spurious attribution of pid zero to be equal to the pid of the process generating the event. This should be the System process pid instead.

Process image rundown events in the processor. This condition was overlooked from the previous refactoring.

pkg/kevent/kevent_windows.go

@@ -211,6 +211,7 @@ func (e Kevent) IsTerminateProcess() bool { return e.Type == ktypes.TerminatePro
 func (e Kevent) IsTerminateThread() bool  { return e.Type == ktypes.TerminateThread }
 func (e Kevent) IsUnloadImage() bool      { return e.Type == ktypes.UnloadImage }
 func (e Kevent) IsLoadImage() bool        { return e.Type == ktypes.LoadImage }
+func (e Kevent) IsImageRundown() bool     { return e.Type == ktypes.ImageRundown }
 func (e Kevent) IsFileOpEnd() bool        { return e.Type == ktypes.FileOpEnd }
 func (e Kevent) IsRegSetValue() bool      { return e.Type == ktypes.RegSetValue }
 func (e Kevent) IsProcessRundown() bool   { return e.Type == ktypes.ProcessRundown }

pkg/kstream/processors/image_windows.go

@@ -90,7 +90,7 @@ func (m *imageProcessor) ProcessEvent(e *kevent.Kevent) (*kevent.Kevent, bool, e
 		}
 		return e, false, m.psnap.RemoveModule(pid, mod)
 	}
-	if e.IsLoadImage() {
+	if e.IsLoadImage() || e.IsImageRundown() {
 		return e, false, m.psnap.AddModule(e)
 	}
 	return e, true, nil

pkg/ps/snapshotter_windows.go

@@ -38,6 +38,9 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
+// SystemPID designates the pid of the system process that acts as the container for system threads
+const SystemPID uint32 = 4
+
 var (
 	// reapPeriod specifies the interval for triggering the housekeeping of dead processes
 	reapPeriod = time.Minute * 2
@@ -196,8 +199,9 @@ func (s *snapshotter) AddModule(e *kevent.Kevent) error {
 	moduleCount.Add(1)
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	if pid == 0 {
-		pid = e.PID
+	if pid == 0 && e.IsImageRundown() {
+		// assume system process if pid is zero
+		pid = SystemPID
 	}
 	proc, ok := s.procs[pid]
 	if !ok {