From e1340f151b74b884f74bd75d07b868f802bcaff0 Mon Sep 17 00:00:00 2001 From: rabbitstack Date: Sat, 28 Oct 2023 00:44:29 +0200 Subject: [PATCH 1/4] Deprecate Hex param types Hex types dates back to the era of Tdh parameter parsing, and we can safely get rid of them. The new Addr type substitutes the Hex type. --- pkg/filter/accessor_windows.go | 32 ++--------- pkg/filter/fields/fields_windows.go | 26 ++++----- pkg/kevent/kevent_windows.go | 4 +- pkg/kevent/kparam.go | 39 ++----------- pkg/kevent/kparam_windows.go | 6 +- pkg/kevent/kparams/types_windows.go | 70 ++---------------------- pkg/kevent/kparams/types_windows_test.go | 14 +---- pkg/kevent/marshaller_windows.go | 28 +--------- pkg/ps/snapshotter_windows.go | 14 ++--- pkg/ps/snapshotter_windows_test.go | 31 ++++++----- pkg/ps/types/types_windows.go | 14 ++--- 11 files changed, 67 insertions(+), 211 deletions(-) diff --git a/pkg/filter/accessor_windows.go b/pkg/filter/accessor_windows.go index ca96d9f52..793978999 100644 --- a/pkg/filter/accessor_windows.go +++ b/pkg/filter/accessor_windows.go 
@@ -539,35 +539,15 @@ func (t *threadAccessor) get(f fields.Field, kevt *kevent.Kevent) (kparams.Value case fields.ThreadPagePrio: return kevt.Kparams.GetUint8(kparams.PagePrio) case fields.ThreadKstackBase: - v, err := kevt.Kparams.GetHex(kparams.KstackBase) - if err != nil { - return nil, err - } - return v.String(), nil + return kevt.GetParamAsString(kparams.KstackBase), nil case fields.ThreadKstackLimit: - v, err := kevt.Kparams.GetHex(kparams.KstackLimit) - if err != nil { - return nil, err - } - return v.String(), nil + return kevt.GetParamAsString(kparams.KstackLimit), nil case fields.ThreadUstackBase: - v, err := kevt.Kparams.GetHex(kparams.UstackBase) - if err != nil { - return nil, err - } - return v.String(), nil + return kevt.GetParamAsString(kparams.UstackBase), nil case fields.ThreadUstackLimit: - v, err := kevt.Kparams.GetHex(kparams.UstackLimit) - if err != nil { - return nil, err - } - return v.String(), nil + return kevt.GetParamAsString(kparams.UstackLimit), nil case fields.ThreadEntrypoint: - v, err := kevt.Kparams.GetHex(kparams.StartAddr) - if err != nil { - return nil, err - } - return v.String(), nil + return kevt.GetParamAsString(kparams.StartAddr), nil case fields.ThreadPID: return kevt.Kparams.GetUint32(kparams.ProcessID) case fields.ThreadAccessMask: @@ -745,7 +725,7 @@ func newHandleAccessor() accessor { return &handleAccessor{} } func (h *handleAccessor) get(f fields.Field, kevt *kevent.Kevent) (kparams.Value, error) { switch f { case fields.HandleID: - return kevt.Kparams.GetHexAsUint32(kparams.HandleID) + return kevt.Kparams.GetUint32(kparams.HandleID) case fields.HandleType: return kevt.GetParamAsString(kparams.HandleObjectTypeID), nil case fields.HandleName: diff --git a/pkg/filter/fields/fields_windows.go b/pkg/filter/fields/fields_windows.go index 3b6a84bb3..287ad2964 100644 --- a/pkg/filter/fields/fields_windows.go +++ b/pkg/filter/fields/fields_windows.go 
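Review bot: The five `GetParamAsString` replacements drop the error path that the removed `GetHex` branches propagated to the filter engine, so a missing or mistyped stack or entrypoint parameter now yields whatever `GetParamAsString` returns for an absent parameter (presumably an empty string) instead of an error. A rule comparing `thread.kstack.base` against an empty string would then match silently rather than failing on bad data. If that fallback is intended, say so on the first replaced case: `// absent or mistyped address params render as "" rather than failing the filter`. `threadAccessor.get` begins and ends outside the hunk.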
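Review bot: `kevt.Kparams.GetUint32(kparams.HandleID)` presumably type-asserts a `uint32`, while the `fields_windows.go` table in this same patch still declares `HandleID` as `kparams.Uint16`; if the parameter is stored with that width the lookup fails where the removed `GetHexAsUint32` accepted any width. Confirm the stored type of `HandleID` and make the field table and the accessor agree, e.g. by declaring the field `kparams.Uint32` if the value really is a `uint32`. `handleAccessor.get` continues past the hunk.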
@@ -533,7 +533,7 @@ var fields = map[Field]FieldInfo{ PsEnvs: {PsEnvs, "process environment variables", kparams.Slice, []string{"ps.envs in ('MOZ_CRASHREPORTER_DATA_DIRECTORY')"}, nil}, PsHandles: {PsHandles, "allocated process handle names", kparams.Slice, []string{"ps.handles in ('\\BaseNamedObjects\\__ComCatalogCache__')"}, nil}, PsHandleTypes: {PsHandleTypes, "allocated process handle types", kparams.Slice, []string{"ps.handle.types in ('Key', 'Mutant', 'Section')"}, nil}, - PsDTB: {PsDTB, "process directory table base address", kparams.HexInt64, []string{"ps.dtb = '7ffe0000'"}, nil}, + PsDTB: {PsDTB, "process directory table base address", kparams.Address, []string{"ps.dtb = '7ffe0000'"}, nil}, PsModules: {PsModules, "modules loaded by the process", kparams.Slice, []string{"ps.modules in ('crypt32.dll', 'xul.dll')"}, nil}, PsParentName: {PsParentName, "parent process image name including the file extension", kparams.UnicodeString, []string{"ps.parent.name contains 'cmd.exe'"}, nil}, PsParentPid: {PsParentPid, "parent process id", kparams.Uint32, []string{"ps.parent.pid = 4"}, nil}, 
@@ -549,7 +549,7 @@ var fields = map[Field]FieldInfo{ PsParentEnvs: {PsParentEnvs, "parent process environment variables", kparams.Slice, []string{"ps.parent.envs in ('MOZ_CRASHREPORTER_DATA_DIRECTORY')"}, nil}, PsParentHandles: {PsParentHandles, "allocated parent process handle names", kparams.Slice, []string{"ps.parent.handles in ('\\BaseNamedObjects\\__ComCatalogCache__')"}, nil}, PsParentHandleTypes: {PsParentHandleTypes, "allocated parent process handle types", kparams.Slice, []string{"ps.parent.handle.types in ('File', 'SymbolicLink')"}, nil}, - PsParentDTB: {PsParentDTB, "parent process directory table base address", kparams.HexInt64, []string{"ps.parent.dtb = '7ffe0000'"}, nil}, + PsParentDTB: {PsParentDTB, "parent process directory table base address", kparams.Address, []string{"ps.parent.dtb = '7ffe0000'"}, nil}, PsAccessMask: {PsAccessMask, "process desired access rights", kparams.AnsiString, []string{"ps.access.mask = '0x1400'"}, nil}, PsAccessMaskNames: {PsAccessMaskNames, "process desired access rights as a string list", kparams.Slice, []string{"ps.access.mask.names in ('SUSPEND_RESUME')"}, nil}, PsAccessStatus: {PsAccessStatus, "process access status", kparams.UnicodeString, []string{"ps.access.status = 'access is denied.'"}, nil}, 
@@ -578,21 +578,21 @@ var fields = map[Field]FieldInfo{ ThreadBasePrio: {ThreadBasePrio, "scheduler priority of the thread", kparams.Int8, []string{"thread.prio = 5"}, nil}, ThreadIOPrio: {ThreadIOPrio, "I/O priority hint for scheduling I/O operations", kparams.Int8, []string{"thread.io.prio = 4"}, nil}, ThreadPagePrio: {ThreadPagePrio, "memory page priority hint for memory pages accessed by the thread", kparams.Int8, []string{"thread.page.prio = 12"}, nil}, - ThreadKstackBase: {ThreadKstackBase, "base address of the thread's kernel space stack", kparams.HexInt64, []string{"thread.kstack.base = 'a65d800000'"}, nil}, - ThreadKstackLimit: {ThreadKstackLimit, "limit of the thread's kernel space stack", kparams.HexInt64, []string{"thread.kstack.limit = 'a85d800000'"}, nil}, - ThreadUstackBase: {ThreadUstackBase, "base address of the thread's user space stack", kparams.HexInt64, []string{"thread.ustack.base = '7ffe0000'"}, nil}, - ThreadUstackLimit: {ThreadUstackLimit, "limit of the thread's user space stack", kparams.HexInt64, []string{"thread.ustack.limit = '8ffe0000'"}, nil}, - ThreadEntrypoint: {ThreadEntrypoint, "starting address of the function to be executed by the thread", kparams.HexInt64, []string{"thread.entrypoint = '7efe0000'"}, nil}, + ThreadKstackBase: {ThreadKstackBase, "base address of the thread's kernel space stack", kparams.Address, []string{"thread.kstack.base = 'a65d800000'"}, nil}, + ThreadKstackLimit: {ThreadKstackLimit, "limit of the thread's kernel space stack", kparams.Address, []string{"thread.kstack.limit = 'a85d800000'"}, nil}, + ThreadUstackBase: {ThreadUstackBase, "base address of the thread's user space stack", kparams.Address, []string{"thread.ustack.base = '7ffe0000'"}, nil}, + ThreadUstackLimit: {ThreadUstackLimit, "limit of the thread's user space stack", kparams.Address, []string{"thread.ustack.limit = '8ffe0000'"}, nil}, + ThreadEntrypoint: {ThreadEntrypoint, "starting address of the function to be executed by the thread", 
kparams.Address, []string{"thread.entrypoint = '7efe0000'"}, nil}, ThreadPID: {ThreadPID, "the process identifier where the thread is created", kparams.Uint32, []string{"kevt.pid != thread.pid"}, nil}, ThreadAccessMask: {ThreadAccessMask, "thread desired access rights", kparams.AnsiString, []string{"thread.access.mask = '0x1fffff'"}, nil}, ThreadAccessMaskNames: {ThreadAccessMaskNames, "thread desired access rights as a string list", kparams.Slice, []string{"thread.access.mask.names in ('IMPERSONATE')"}, nil}, ThreadAccessStatus: {ThreadAccessStatus, "thread access status", kparams.UnicodeString, []string{"thread.access.status = 'success'"}, nil}, ImageName: {ImageName, "full image name", kparams.UnicodeString, []string{"image.name contains 'advapi32.dll'"}, nil}, - ImageBase: {ImageBase, "the base address of process in which the image is loaded", kparams.HexInt64, []string{"image.base.address = 'a65d800000'"}, nil}, + ImageBase: {ImageBase, "the base address of process in which the image is loaded", kparams.Address, []string{"image.base.address = 'a65d800000'"}, nil}, ImageChecksum: {ImageChecksum, "image checksum", kparams.Uint32, []string{"image.checksum = 746424"}, nil}, ImageSize: {ImageSize, "image size", kparams.Uint32, []string{"image.size > 1024"}, nil}, - ImageDefaultAddress: {ImageDefaultAddress, "default image address", kparams.HexInt64, []string{"image.default.address = '7efe0000'"}, nil}, + ImageDefaultAddress: {ImageDefaultAddress, "default image address", kparams.Address, []string{"image.default.address = '7efe0000'"}, nil}, ImagePID: {ImagePID, "target process identifier", kparams.Uint32, []string{"image.pid = 80"}, nil}, ImageSignatureType: {ImageSignatureType, "image signature type", kparams.AnsiString, []string{"image.signature.type != 'NONE'"}, nil}, ImageSignatureLevel: {ImageSignatureLevel, "image signature level", kparams.AnsiString, []string{"image.signature.level = 'AUTHENTICODE'"}, nil}, 
@@ -617,7 +617,7 @@ var fields = map[Field]FieldInfo{ FileViewType: {FileViewType, "type of the mapped view section", kparams.Enum, []string{"file.view.type = 'IMAGE'"}, nil}, RegistryKeyName: {RegistryKeyName, "fully qualified key name", kparams.UnicodeString, []string{"registry.key.name contains 'HKEY_LOCAL_MACHINE'"}, nil}, - RegistryKeyHandle: {RegistryKeyHandle, "registry key object address", kparams.HexInt64, []string{"registry.key.handle = 'FFFFB905D60C2268'"}, nil}, + RegistryKeyHandle: {RegistryKeyHandle, "registry key object address", kparams.Address, []string{"registry.key.handle = 'FFFFB905D60C2268'"}, nil}, RegistryValue: {RegistryValue, "registry value content", kparams.UnicodeString, []string{"registry.value = '%SystemRoot%\\system32'"}, nil}, RegistryValueType: {RegistryValueType, "type of registry value", kparams.UnicodeString, []string{"registry.value.type = 'REG_SZ'"}, nil}, RegistryStatus: {RegistryStatus, "status of registry operation", kparams.UnicodeString, []string{"registry.status != 'success'"}, nil}, 
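Review bot: The example `registry.key.handle = 'FFFFB905D60C2268'` is uppercase, but the new `Addr.String()` in this patch renders addresses with `strconv.FormatUint(.., 16)`, which is lowercase and unprefixed, so unless the filter's string comparison is case-insensitive the documented example can never match. The `HandleObject` hunk of this file has the same issue with `handle.object = 'FFFFB905DBF61988'`. Lowercasing both examples keeps the docs consistent with the rendered value: `registry.key.handle = 'ffffb905d60c2268'`.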
@@ -634,14 +634,14 @@ var fields = map[Field]FieldInfo{ NetDIPNames: {NetDIPNames, "destination IP names", kparams.Slice, []string{"net.dip.names in ('github.com.')"}, nil}, HandleID: {HandleID, "handle identifier", kparams.Uint16, []string{"handle.id = 24"}, nil}, - HandleObject: {HandleObject, "handle object address", kparams.HexInt64, []string{"handle.object = 'FFFFB905DBF61988'"}, nil}, + HandleObject: {HandleObject, "handle object address", kparams.Address, []string{"handle.object = 'FFFFB905DBF61988'"}, nil}, HandleName: {HandleName, "handle name", kparams.UnicodeString, []string{"handle.name = '\\Device\\NamedPipe\\chrome.12644.28.105826381'"}, nil}, HandleType: {HandleType, "handle type", kparams.AnsiString, []string{"handle.type = 'Mutant'"}, nil}, PeNumSections: {PeNumSections, "number of sections", kparams.Uint16, []string{"pe.nsections < 5"}, nil}, PeNumSymbols: {PeNumSymbols, "number of entries in the symbol table", kparams.Uint32, []string{"pe.nsymbols > 230"}, nil}, - PeBaseAddress: {PeBaseAddress, "image base address", kparams.HexInt64, []string{"pe.address.base = '140000000'"}, nil}, - PeEntrypoint: {PeEntrypoint, "address of the entrypoint function", kparams.HexInt64, []string{"pe.address.entrypoint = '20110'"}, nil}, + PeBaseAddress: {PeBaseAddress, "image base address", kparams.Address, []string{"pe.address.base = '140000000'"}, nil}, + PeEntrypoint: {PeEntrypoint, "address of the entrypoint function", kparams.Address, []string{"pe.address.entrypoint = '20110'"}, nil}, PeSections: {PeSections, "PE sections", kparams.Object, []string{"pe.sections[.text].entropy > 6.2"}, nil}, PeSymbols: {PeSymbols, "imported symbols", kparams.Slice, []string{"pe.symbols in ('GetTextFaceW', 'GetProcessHeap')"}, nil}, PeImports: {PeImports, "imported dynamic linked libraries", kparams.Slice, []string{"pe.imports in ('msvcrt.dll', 'GDI32.dll'"}, nil}, diff --git a/pkg/kevent/kevent_windows.go b/pkg/kevent/kevent_windows.go index c6d9d767a..4c1d844db 100644 
--- a/pkg/kevent/kevent_windows.go +++ b/pkg/kevent/kevent_windows.go @@ -450,12 +450,12 @@ func (e *Kevent) Summary() string { exe, access)) case ktypes.CreateThread: tid, _ := e.Kparams.GetTid() - addr, _ := e.Kparams.GetHex(kparams.StartAddr) + addr := e.GetParamAsString(kparams.StartAddr) return printSummary(e, fmt.Sprintf("spawned a new thread with %d id at %s address", tid, addr)) case ktypes.TerminateThread: tid, _ := e.Kparams.GetTid() - addr, _ := e.Kparams.GetHex(kparams.StartAddr) + addr := e.GetParamAsString(kparams.StartAddr) return printSummary(e, fmt.Sprintf("terminated a thread with %d id at %s address", tid, addr)) case ktypes.OpenThread: diff --git a/pkg/kevent/kparam.go b/pkg/kevent/kparam.go index 4c18d5dfc..e88fc8dbe 100644 --- a/pkg/kevent/kparam.go +++ b/pkg/kevent/kparam.go 
@@ -492,44 +492,17 @@ func (kpars Kparams) GetDouble(name string) (float64, error) { return v, nil } -// GetHexAsUint32 returns the number hexadecimal representation as uint32 value. -func (kpars Kparams) GetHexAsUint32(name string) (uint32, error) { - hex, err := kpars.GetHex(name) - if err != nil { - return uint32(0), err - } - return hex.Uint32(), nil -} - -// GetHexAsUint8 returns the number hexadecimal representation as uint8 value. -func (kpars Kparams) GetHexAsUint8(name string) (uint8, error) { - hex, err := kpars.GetHex(name) - if err != nil { - return uint8(0), err - } - return hex.Uint8(), nil -} - -// GetHexAsUint64 returns the number hexadecimal representation as uint64 value. -func (kpars Kparams) GetHexAsUint64(name string) (uint64, error) { - hex, err := kpars.GetHex(name) - if err != nil { - return uint64(0), err - } - return hex.Uint64(), nil -} - -// GetHex returns the generic hexadecimal type for the specified parameter name. -func (kpars Kparams) GetHex(name string) (kparams.Hex, error) { +// TryGetAddress attempts to convert the underlying type to address. +func (kpars Kparams) TryGetAddress(name string) kparams.Addr { kpar, err := kpars.findParam(name) if err != nil { - return "", err + return 0 } - v, ok := kpar.Value.(kparams.Hex) + v, ok := kpar.Value.(uint64) if !ok { - return "", fmt.Errorf("unable to type cast %q parameter to Hex value", name) + return 0 } - return v, nil + return kparams.Addr(v) } // GetIPv4 returns the underlying IPv4 address from the parameter. diff --git a/pkg/kevent/kparam_windows.go b/pkg/kevent/kparam_windows.go index c395f9bb6..11d932f31 100644 --- a/pkg/kevent/kparam_windows.go +++ b/pkg/kevent/kparam_windows.go 
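Review bot: `TryGetAddress` returns `0` both when the parameter is absent and when its value is not a `uint64`, so the callers added in this patch (`AddThread` and `AddModule` in `snapshotter_windows.go`) cannot tell a genuine zero address from a lookup failure, and the doc comment does not state that contract. Document it on the method: `// TryGetAddress returns the parameter value as Addr, or 0 when the parameter is absent or its value is not a uint64.` If the snapshotter needs to distinguish the two cases, an error-returning variant alongside it would preserve what the removed `GetHex` offered.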
@@ -50,8 +50,6 @@ func NewKparam(name string, typ kparams.Type, value kparams.Value, options ...Pa } var v kparams.Value switch typ { - case kparams.HexInt8, kparams.HexInt16, kparams.HexInt32, kparams.HexInt64: - v = kparams.NewHex(value) case kparams.IPv4: v = ip.ToIPv4(value.(uint32)) case kparams.IPv6: @@ -105,9 +103,7 @@ func (k Kparam) String() string { if !ok { return "" } - return kparams.NewHex(v).String() - case kparams.HexInt32, kparams.HexInt64, kparams.HexInt16, kparams.HexInt8: - return string(k.Value.(kparams.Hex)) + return kparams.Addr(v).String() case kparams.Int8: return strconv.Itoa(int(k.Value.(int8))) case kparams.Uint8: diff --git a/pkg/kevent/kparams/types_windows.go b/pkg/kevent/kparams/types_windows.go index 9b493464c..ee42837bc 100644 --- a/pkg/kevent/kparams/types_windows.go +++ b/pkg/kevent/kparams/types_windows.go @@ -18,9 +18,7 @@ package kparams -import ( - "strconv" -) +import "strconv" const ( // NA defines absent parameter's value 
@@ -33,53 +31,11 @@ type Value interface{} // Type defines kernel event parameter type type Type uint16 -// Hex is the type alias for hexadecimal values -type Hex string - -// NewHex creates a new Hex type from the given integer value. -func NewHex(v Value) Hex { - switch n := v.(type) { - case uint8: - return Hex(strconv.FormatUint(uint64(n), 16)) - case uint16: - return Hex(strconv.FormatUint(uint64(n), 16)) - case uint32: - return Hex(strconv.FormatUint(uint64(n), 16)) - case int32: - return Hex(strconv.FormatInt(int64(n), 16)) - case uint64: - return Hex(strconv.FormatUint(n, 16)) - case int64: - return Hex(strconv.FormatInt(n, 16)) - default: - return "" - } -} - -// Uint8 yields an uint8 value from its hex representation. -func (hex Hex) Uint8() uint8 { return uint8(hex.parseUint(8)) } - -// Uint16 yields an uint16 value from its hex representation. -func (hex Hex) Uint16() uint16 { return uint16(hex.parseUint(16)) } +// Addr represents the memory address +type Addr uint64 -// Uint32 yields an uint32 value from its hex representation. -func (hex Hex) Uint32() uint32 { return uint32(hex.parseUint(32)) } - -// Uint64 yields an uint64 value from its hex representation. -func (hex Hex) Uint64() uint64 { return hex.parseUint(64) } - -func (hex Hex) parseUint(bitSize int) uint64 { - num, err := strconv.ParseUint(string(hex), 16, bitSize) - if err != nil { - return uint64(0) - } - return num -} - -// String returns a string representation of the hex value. -func (hex Hex) String() string { - return string(hex) -} +// Hex returns the hexadecimal representation of the memory address. +func (a Addr) String() string { return strconv.FormatUint(uint64(a), 16) } const ( // Null is a null parameter type 
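Review bot: The doc comment on the new `String` method starts with `Hex` rather than the method name, so it reads as documenting a different method and will be flagged by the usual Go linters. Change it to `// String returns the lowercase, unprefixed hexadecimal representation of the memory address.` and give the type comment a terminating period, `// Addr represents a memory address.`. Both declarations are complete within the hunk.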
@@ -125,14 +81,6 @@ const ( TID // WbemSID is the Web-Based Enterprise Management security identifier. WbemSID - // HexInt8 is the hexadecimal representation of 8-bit integer - HexInt8 - // HexInt16 is the hexadecimal representation of 16-bit integer - HexInt16 - // HexInt32 is the hexadecimal representation of 32-bit integer - HexInt32 - // HexInt64 is the hexadecimal representation of 64-bit integer - HexInt64 // Port represents the endpoint port number Port // IP is the IP address @@ -180,14 +128,10 @@ func (t Type) String() string { return "int8" case Uint8: return "uint8" - case HexInt8: - return "hex8" case Int16: return "int16" case Uint16: return "uint16" - case HexInt16: - return "hex16" case Int32: return "int32" case Uint32: @@ -196,10 +140,6 @@ func (t Type) String() string { return "int64" case Uint64: return "uint64" - case HexInt32: - return "hex32" - case HexInt64: - return "hex64" case SID, WbemSID: return "sid" case TID: diff --git a/pkg/kevent/kparams/types_windows_test.go b/pkg/kevent/kparams/types_windows_test.go index 478991edb..de465b691 100644 --- a/pkg/kevent/kparams/types_windows_test.go +++ b/pkg/kevent/kparams/types_windows_test.go @@ -24,15 +24,7 @@ import ( "testing" ) -func TestNewHex(t *testing.T) { - hex := NewHex(uint32(7264)) - assert.Equal(t, Hex("1c60"), hex) - assert.Equal(t, uint32(7264), hex.Uint32()) - - hex = NewHex(uint32(4294967295)) - assert.Equal(t, Hex("ffffffff"), hex) - - hex = NewHex(uint64(18446744073709551615)) - assert.Equal(t, Hex("ffffffffffffffff"), hex) - assert.Equal(t, uint64(18446744073709551615), hex.Uint64()) +func TestAddr(t *testing.T) { + addr := Addr(uint32(86372352)) + assert.Equal(t, "525f000", addr.String()) } diff --git a/pkg/kevent/marshaller_windows.go b/pkg/kevent/marshaller_windows.go index de7156bd3..91cef4ad8 100644 --- a/pkg/kevent/marshaller_windows.go +++ b/pkg/kevent/marshaller_windows.go 
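Review bot: Deleting `HexInt8`..`HexInt64` from the middle of the iota-numbered `Type` block renumbers every constant that follows `WbemSID` (`Port`, `IP`, …), so if the `Type` code is part of what `MarshalRaw` writes into capture files, captures produced before this change will have those parameters decoded as different types by `UnmarshalRaw` in `marshaller_windows.go`, whose hunk in this patch removes the hex cases without branching on `ver`. I cannot see the kcap writer, so this is inferred from the raw marshaller. If the code is persisted, either keep the numbering with blank placeholders in the block (`_ // was HexInt8`, and likewise for the other three) or bump the capture version and gate the old layout on `ver` in `UnmarshalRaw`.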
@@ -107,14 +107,6 @@ func (e *Kevent) MarshalRaw() []byte { b = append(b, kpar.Value.(uint8)) case kparams.Int8: b = append(b, byte(kpar.Value.(int8))) - case kparams.HexInt8: - b = append(b, kpar.Value.(kparams.Hex).Uint8()) - case kparams.HexInt16: - b = append(b, bytes.WriteUint16(kpar.Value.(kparams.Hex).Uint16())...) - case kparams.HexInt32: - b = append(b, bytes.WriteUint32(kpar.Value.(kparams.Hex).Uint32())...) - case kparams.HexInt64: - b = append(b, bytes.WriteUint64(kpar.Value.(kparams.Hex).Uint64())...) case kparams.Uint16, kparams.Port: b = append(b, bytes.WriteUint16(kpar.Value.(uint16))...) case kparams.Int16: @@ -325,22 +317,6 @@ func (e *Kevent) UnmarshalRaw(b []byte, ver kcapver.Version) error { case kparams.Int8: kval = int8(b[pi+offset+kparamNameLength+poffset : pi+offset+kparamNameLength+poffset+1][0]) poffset += kparamNameLength + 4 + 1 - case kparams.HexInt8: - v := b[pi+offset+kparamNameLength+poffset : pi+offset+kparamNameLength+poffset+1][0] - kval = kparams.NewHex(v) - poffset += kparamNameLength + 4 + 1 - case kparams.HexInt16: - v := bytes.ReadUint16(b[pi+offset+kparamNameLength+poffset:]) - kval = kparams.NewHex(v) - poffset += kparamNameLength + 4 + 2 - case kparams.HexInt32: - v := bytes.ReadUint32(b[pi+offset+kparamNameLength+poffset:]) - kval = kparams.NewHex(v) - poffset += kparamNameLength + 4 + 4 - case kparams.HexInt64: - v := bytes.ReadUint64(b[pi+offset+kparamNameLength+poffset:]) - kval = kparams.NewHex(v) - poffset += kparamNameLength + 4 + 8 case kparams.Bool: v := b[pi+offset+kparamNameLength+poffset : pi+offset+kparamNameLength+poffset+1][0] if v == 1 { @@ -497,8 +473,6 @@ func (e *Kevent) MarshalJSON() []byte { js.writeUint32(kpar.Value.(uint32)) case kparams.IPv4, kparams.IPv6: js.writeString(kpar.Value.(net.IP).String()) - case kparams.HexInt8, kparams.HexInt16, kparams.HexInt32, kparams.HexInt64: - js.writeString(kpar.Value.(kparams.Hex).String()) case kparams.Bool: js.writeBool(kpar.Value.(bool)) case kparams.Time: 
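Review bot: With the `HexInt*` case removed from `MarshalJSON`, parameters now typed `kparams.Address` carry a plain `uint64` value, and no `case kparams.Address` is visible in this hunk; unless one exists outside it, such parameters either fall to the switch's default or, if folded into a `Uint64` case, are emitted as decimal numbers where consumers previously received hex strings. Confirm the Address handling and keep the hex string form for downstream compatibility: `case kparams.Address: js.writeString(kparams.Addr(kpar.Value.(uint64)).String())`. The same check applies to the `MarshalRaw` and `UnmarshalRaw` hunks above, which likewise show no Address case. All three enclosing functions extend beyond their hunks.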
@@ -673,7 +647,7 @@ func (e *Kevent) MarshalJSON() []byte { js.writeObjectField("name").writeEscapeString(handle.Name).writeMore() js.writeObjectField("type").writeString(handle.Type).writeMore() js.writeObjectField("id").writeUint64(uint64(handle.Num)).writeMore() - js.writeObjectField("object").writeEscapeString(string(kparams.NewHex(handle.Object))) + js.writeObjectField("object").writeEscapeString(kparams.Addr(handle.Object).String()) js.writeObjectEnd() if writeMore { diff --git a/pkg/ps/snapshotter_windows.go b/pkg/ps/snapshotter_windows.go index fc31f7d8f..756b359e6 100644 --- a/pkg/ps/snapshotter_windows.go +++ b/pkg/ps/snapshotter_windows.go @@ -176,14 +176,14 @@ func (s *snapshotter) AddThread(e *kevent.Kevent) error { } thread := pstypes.Thread{} thread.Tid, _ = e.Kparams.GetTid() - thread.UstackBase, _ = e.Kparams.GetHex(kparams.UstackBase) - thread.UstackLimit, _ = e.Kparams.GetHex(kparams.UstackLimit) - thread.KstackBase, _ = e.Kparams.GetHex(kparams.KstackBase) - thread.KstackLimit, _ = e.Kparams.GetHex(kparams.KstackLimit) + thread.UstackBase = e.Kparams.TryGetAddress(kparams.UstackBase) + thread.UstackLimit = e.Kparams.TryGetAddress(kparams.UstackLimit) + thread.KstackBase = e.Kparams.TryGetAddress(kparams.KstackBase) + thread.KstackLimit = e.Kparams.TryGetAddress(kparams.KstackLimit) thread.IOPrio, _ = e.Kparams.GetUint8(kparams.IOPrio) thread.BasePrio, _ = e.Kparams.GetUint8(kparams.BasePrio) thread.PagePrio, _ = e.Kparams.GetUint8(kparams.PagePrio) - thread.Entrypoint, _ = e.Kparams.GetHex(kparams.StartAddr) + thread.Entrypoint = e.Kparams.TryGetAddress(kparams.StartAddr) proc.AddThread(thread) return nil } 
@@ -207,8 +207,8 @@ func (s *snapshotter) AddModule(e *kevent.Kevent) error { module.Size, _ = e.Kparams.GetUint64(kparams.ImageSize) module.Checksum, _ = e.Kparams.GetUint32(kparams.ImageCheckSum) module.Name = e.GetParamAsString(kparams.ImageFilename) - module.BaseAddress, _ = e.Kparams.GetHex(kparams.ImageBase) - module.DefaultBaseAddress, _ = e.Kparams.GetHex(kparams.ImageDefaultBase) + module.BaseAddress = e.Kparams.TryGetAddress(kparams.ImageBase) + module.DefaultBaseAddress = e.Kparams.TryGetAddress(kparams.ImageDefaultBase) module.SignatureLevel, _ = e.Kparams.GetUint32(kparams.ImageSignatureLevel) module.SignatureType, _ = e.Kparams.GetUint32(kparams.ImageSignatureType) proc.AddModule(module) diff --git a/pkg/ps/snapshotter_windows_test.go b/pkg/ps/snapshotter_windows_test.go index 0cb9ad521..ef5e20d23 100644 --- a/pkg/ps/snapshotter_windows_test.go +++ b/pkg/ps/snapshotter_windows_test.go 
@@ -249,13 +249,13 @@ func TestAddThread(t *testing.T) { kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(os.Getpid())}, kparams.ThreadID: {Name: kparams.ThreadID, Type: kparams.TID, Value: uint32(3453)}, kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Uint8, Value: uint8(13)}, - kparams.StartAddr: {Name: kparams.StartAddr, Type: kparams.HexInt64, Value: kparams.Hex("0x7ffe2557ff80")}, + kparams.StartAddr: {Name: kparams.StartAddr, Type: kparams.Address, Value: uint64(140729524944768)}, kparams.IOPrio: {Name: kparams.IOPrio, Type: kparams.Uint8, Value: uint8(2)}, - kparams.KstackBase: {Name: kparams.KstackBase, Type: kparams.HexInt64, Value: kparams.Hex("0xffffc307810d6000")}, - kparams.KstackLimit: {Name: kparams.KstackLimit, Type: kparams.HexInt64, Value: kparams.Hex("0xffffc307810cf000")}, + kparams.KstackBase: {Name: kparams.KstackBase, Type: kparams.Address, Value: uint64(18446677035730165760)}, + kparams.KstackLimit: {Name: kparams.KstackLimit, Type: kparams.Address, Value: uint64(18446677035730137088)}, kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(5)}, - kparams.UstackBase: {Name: kparams.UstackBase, Type: kparams.HexInt64, Value: kparams.Hex("0x5260000")}, - kparams.UstackLimit: {Name: kparams.UstackLimit, Type: kparams.HexInt64, Value: kparams.Hex("0x525f000")}, + kparams.UstackBase: {Name: kparams.UstackBase, Type: kparams.Address, Value: uint64(86376448)}, + kparams.UstackLimit: {Name: kparams.UstackLimit, Type: kparams.Address, Value: uint64(86372352)}, }, }, true, 
@@ -267,13 +267,13 @@ func TestAddThread(t *testing.T) { kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(os.Getpid() + 1)}, kparams.ThreadID: {Name: kparams.ThreadID, Type: kparams.TID, Value: uint32(3453)}, kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Uint8, Value: uint8(13)}, - kparams.StartAddr: {Name: kparams.StartAddr, Type: kparams.HexInt64, Value: kparams.Hex("0x7ffe2557ff80")}, + kparams.StartAddr: {Name: kparams.StartAddr, Type: kparams.Address, Value: uint64(140729524944768)}, kparams.IOPrio: {Name: kparams.IOPrio, Type: kparams.Uint8, Value: uint8(2)}, - kparams.KstackBase: {Name: kparams.KstackBase, Type: kparams.HexInt64, Value: kparams.Hex("0xffffc307810d6000")}, - kparams.KstackLimit: {Name: kparams.KstackLimit, Type: kparams.HexInt64, Value: kparams.Hex("0xffffc307810cf000")}, + kparams.KstackBase: {Name: kparams.KstackBase, Type: kparams.Address, Value: uint64(18446677035730165760)}, + kparams.KstackLimit: {Name: kparams.KstackLimit, Type: kparams.Address, Value: uint64(18446677035730137088)}, kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(5)}, - kparams.UstackBase: {Name: kparams.UstackBase, Type: kparams.HexInt64, Value: kparams.Hex("0x5260000")}, - kparams.UstackLimit: {Name: kparams.UstackLimit, Type: kparams.HexInt64, Value: kparams.Hex("0x525f000")}, + kparams.UstackBase: {Name: kparams.UstackBase, Type: kparams.Address, Value: uint64(86376448)}, + kparams.UstackLimit: {Name: kparams.UstackLimit, Type: kparams.Address, Value: uint64(86372352)}, }, }, false, @@ -290,6 +290,7 @@ func TestAddThread(t *testing.T) { require.Equal(t, exists, ok) if ok { assert.Contains(t, proc.Threads, evt.Kparams.MustGetTid()) + assert.Equal(t, kparams.Addr(140729524944768), proc.Threads[evt.Kparams.MustGetTid()].Entrypoint) } }) } 
@@ -322,13 +323,13 @@ func TestRemoveThread(t *testing.T) { kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(os.Getpid())}, kparams.ThreadID: {Name: kparams.ThreadID, Type: kparams.TID, Value: uint32(3453)}, kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Uint8, Value: uint8(13)}, - kparams.StartAddr: {Name: kparams.StartAddr, Type: kparams.HexInt64, Value: kparams.Hex("0x7ffe2557ff80")}, + kparams.StartAddr: {Name: kparams.StartAddr, Type: kparams.Address, Value: uint64(140729524944768)}, kparams.IOPrio: {Name: kparams.IOPrio, Type: kparams.Uint8, Value: uint8(2)}, - kparams.KstackBase: {Name: kparams.KstackBase, Type: kparams.HexInt64, Value: kparams.Hex("0xffffc307810d6000")}, - kparams.KstackLimit: {Name: kparams.KstackLimit, Type: kparams.HexInt64, Value: kparams.Hex("0xffffc307810cf000")}, + kparams.KstackBase: {Name: kparams.KstackBase, Type: kparams.Address, Value: uint64(18446677035730165760)}, + kparams.KstackLimit: {Name: kparams.KstackLimit, Type: kparams.Address, Value: uint64(18446677035730137088)}, kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(5)}, - kparams.UstackBase: {Name: kparams.UstackBase, Type: kparams.HexInt64, Value: kparams.Hex("0x5260000")}, - kparams.UstackLimit: {Name: kparams.UstackLimit, Type: kparams.HexInt64, Value: kparams.Hex("0x525f000")}, + kparams.UstackBase: {Name: kparams.UstackBase, Type: kparams.Address, Value: uint64(86376448)}, + kparams.UstackLimit: {Name: kparams.UstackLimit, Type: kparams.Address, Value: uint64(86372352)}, }, } diff --git a/pkg/ps/types/types_windows.go b/pkg/ps/types/types_windows.go index 195065048..1c15b7a2e 100644 --- a/pkg/ps/types/types_windows.go +++ b/pkg/ps/types/types_windows.go 
@@ -180,15 +180,15 @@ type Thread struct { // PagePrio is a memory page priority hint for memory pages accessed by the thread. PagePrio uint8 // UstackBase is the base address of the thread's user space stack. - UstackBase kparams.Hex + UstackBase kparams.Addr // UstackLimit is the limit of the thread's user space stack. - UstackLimit kparams.Hex + UstackLimit kparams.Addr // KStackBase is the base address of the thread's kernel space stack. - KstackBase kparams.Hex + KstackBase kparams.Addr // KstackLimit is the limit of the thread's kernel space stack. - KstackLimit kparams.Hex + KstackLimit kparams.Addr // Entrypoint is the starting address of the function to be executed by the thread. - Entrypoint kparams.Hex + Entrypoint kparams.Addr } // String returns the thread as a human-readable string. @@ -205,9 +205,9 @@ type Module struct { // Name represents the full path of this image. Name string // BaseAddress is the base address of process in which the image is loaded. - BaseAddress kparams.Hex + BaseAddress kparams.Addr // DefaultBaseAddress is the default base address. - DefaultBaseAddress kparams.Hex + DefaultBaseAddress kparams.Addr // SignatureLevel designates the image signature level. (e.g. MICROSOFT) SignatureLevel uint32 // SignatureType designates the image signature type (e.g. EMBEDDED) From 1a91540deefb7d692fd3c3bd486c2a161742947e Mon Sep 17 00:00:00 2001 
From: rabbitstack Date: Sat, 28 Oct 2023 21:16:32 +0200 Subject: [PATCH 2/4] Refactor tests to reflect the new kparams.Addr type --- .../transformers/replace/replace_test.go | 2 +- pkg/aggregator/transformers/trim/trim_test.go | 2 +- pkg/alertsender/renderer/renderer_test.go | 8 ++++---- pkg/filter/filter_test.go | 10 +++++----- pkg/kevent/batch_test.go | 12 ++++++------ pkg/kevent/formatter_test.go | 6 +++--- pkg/kevent/marshaller_test.go | 14 +++++++------- pkg/outputs/amqp/amqp_test.go | 12 ++++++------ pkg/outputs/elasticsearch/elasticsearch_test.go | 12 ++++++------ pkg/outputs/eventlog/eventlog_test.go | 8 ++++---- pkg/outputs/http/http_test.go | 12 ++++++------ 11 files changed, 49 insertions(+), 49 deletions(-) diff --git a/pkg/aggregator/transformers/replace/replace_test.go b/pkg/aggregator/transformers/replace/replace_test.go index 785eb21db..472768a7e 100644 --- a/pkg/aggregator/transformers/replace/replace_test.go +++ b/pkg/aggregator/transformers/replace/replace_test.go @@ -35,7 +35,7 @@ func TestTransform(t *testing.T) { PID: 859, Kparams: kevent.Kparams{ kparams.RegKeyName: {Name: kparams.RegKeyName, Type: kparams.UnicodeString, Value: `HKEY_LOCAL_MACHINE\SYSTEM\Setup\Pid`}, - kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.HexInt64, Value: kparams.NewHex(uint64(18446666033449935464))}, + kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.Address, Value: uint64(18446666033449935464)}, }, } diff --git a/pkg/aggregator/transformers/trim/trim_test.go b/pkg/aggregator/transformers/trim/trim_test.go index 0cc1c77c1..f86526644 100644 --- a/pkg/aggregator/transformers/trim/trim_test.go +++ b/pkg/aggregator/transformers/trim/trim_test.go 
@@ -47,7 +47,7 @@ func TestTransform(t *testing.T) {
 kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "overwriteif"},
 kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)},
 kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)},
- kparams.KstackLimit: {Name: kparams.KstackLimit, Type: kparams.HexInt8, Value: kparams.Hex("ff")},
+ kparams.KstackLimit: {Name: kparams.KstackLimit, Type: kparams.Address, Value: uint64(18884888488889)},
 kparams.StartTime: {Name: kparams.StartTime, Type: kparams.Time, Value: time.Now()},
 kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(1204)},
 },
diff --git a/pkg/alertsender/renderer/renderer_test.go b/pkg/alertsender/renderer/renderer_test.go
index a10d15a13..3124676d2 100644
--- a/pkg/alertsender/renderer/renderer_test.go
+++ b/pkg/alertsender/renderer/renderer_test.go
@@ -91,8 +91,8 @@ func TestHTMLFormatterRuleAlert(t *testing.T) {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit", "Path": "C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Git\\cmd;C:\\msys64\\mingw64\\bin;C:\\WINDOWS\\System32\\OpenSSH\\;C:\\Program Files (x86)\\Windows Kits\\10\\Windows Performance Toolkit\\;C:\\Program Files\\nodejs\\;C:\\rubyinstaller-2.5.7-1-x64\\bin;C:\\Program Files (x86)\\WiX Toolset v3.11\\bin;C:\\Program Files (x86)\\Windows Kits\\10\\App Certification Kit;C:\\Program Files (x86)\\Graphviz2.38\\bin;C:\\Program Files (x86)\\NSIS\\Bin;C:\\Program Files\\Jdk11\\bin;C:\\Python310;C:\\msys64\\usr\\bin;C:\\Program Files\\dotnet\\;C:\\Program Files\\Go\\bin;C:\\Program Files\\Fibratus\\Bin;C:\\Program Files\\AutoFirma\\AutoFirma;C:\\Users\\nedo\\AppData\\Local\\Programs\\Python\\Launcher\\;C:\\Scripts\\;C:\\;C:\\Users\\nedo\\AppData\\Local\\Programs\\Microsoft VS Code\\bin;C:\\Users\\nedo\\AppData\\Local\\Microsoft\\WindowsApps;C:\\Users\\nedo\\AppData\\Roaming\\npm;C:\\Users\\nedo\\AppData\\Local\\Programs\\oh-my-posh\\bin;C:\\Users\\nedo\\go\\bin"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Modules: []pstypes.Module{
 {Name: "C:\\Windows\\System32\\kernel32.dll", Size: 1233405456},
@@ -185,8 +185,8 @@ func TestHTMLFormatterRuleAlert(t *testing.T) {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Modules: []pstypes.Module{
 {Name: "C:\\Windows\\System32\\kernel32.dll", Size: 1233405456},
diff --git a/pkg/filter/filter_test.go b/pkg/filter/filter_test.go
index f8ee29897..3e4b7e6e6 100644
--- a/pkg/filter/filter_test.go
+++ b/pkg/filter/filter_test.go
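Review bot: The converted fixture gives thread 3455 the same Entrypoint as thread 3453, `kparams.Addr(140729524944768)` (0x7ffe2557ff80), whereas the removed line carried a distinct value `0x5efe2557ff80` for 3455; the two thread entries no longer differ in that field, so any rendering or matching assertion on the entrypoint can no longer tell the threads apart. Restoring the distinction as `Entrypoint: kparams.Addr(104445641228160)` (decimal derived from the removed hex literal; verify) keeps the fixture as discriminating as before. The same duplication is repeated in the @@ -185 hunk here and in every Threads fixture of batch_test, marshaller_test, amqp_test, elasticsearch_test, eventlog_test, http_test and scanner_test in this series.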
@@ -148,8 +148,8 @@ func TestProcFilter(t *testing.T) {
 SID: "S-1-5-18",
 Envs: map[string]string{"ALLUSERSPROFILE": "C:\\ProgramData", "OS": "Windows_NT", "ProgramFiles(x86)": "C:\\Program Files (x86)"},
 Modules: []pstypes.Module{
- {Name: "C:\\Windows\\System32\\kernel32.dll", Size: 12354, Checksum: 23123343, BaseAddress: kparams.Hex("fff23fff"), DefaultBaseAddress: kparams.Hex("fff124fd")},
- {Name: "C:\\Windows\\System32\\user32.dll", Size: 212354, Checksum: 33123343, BaseAddress: kparams.Hex("fef23fff"), DefaultBaseAddress: kparams.Hex("fff124fd")},
+ {Name: "C:\\Windows\\System32\\kernel32.dll", Size: 12354, Checksum: 23123343, BaseAddress: kparams.Addr(4294066175), DefaultBaseAddress: kparams.Addr(4293993725)},
+ {Name: "C:\\Windows\\System32\\user32.dll", Size: 212354, Checksum: 33123343, BaseAddress: kparams.Addr(4277288959), DefaultBaseAddress: kparams.Addr(4293993725)},
 },
 },
 }
@@ -167,8 +167,8 @@ func TestProcFilter(t *testing.T) {
 Ppid: 345,
 Envs: map[string]string{"ALLUSERSPROFILE": "C:\\ProgramData", "OS": "Windows_NT", "ProgramFiles(x86)": "C:\\Program Files (x86)"},
 Modules: []pstypes.Module{
- {Name: "C:\\Windows\\System32\\kernel32.dll", Size: 12354, Checksum: 23123343, BaseAddress: kparams.Hex("fff23fff"), DefaultBaseAddress: kparams.Hex("fff124fd")},
- {Name: "C:\\Windows\\System32\\user32.dll", Size: 212354, Checksum: 33123343, BaseAddress: kparams.Hex("fef23fff"), DefaultBaseAddress: kparams.Hex("fff124fd")},
+ {Name: "C:\\Windows\\System32\\kernel32.dll", Size: 12354, Checksum: 23123343, BaseAddress: kparams.Addr(4294066175), DefaultBaseAddress: kparams.Addr(4293993725)},
+ {Name: "C:\\Windows\\System32\\user32.dll", Size: 212354, Checksum: 33123343, BaseAddress: kparams.Addr(4277288959), DefaultBaseAddress: kparams.Addr(4293993725)},
 },
 },
 }
@@ -523,7 +523,7 @@ func TestRegistryFilter(t *testing.T) {
 kparams.RegValue: {Name: kparams.RegValue, Type: kparams.Uint32, Value: uint32(10234)},
 kparams.RegValueType: {Name: kparams.RegValueType, Type: kparams.AnsiString, Value: "DWORD"},
 kparams.NTStatus: {Name: kparams.NTStatus, Type: kparams.AnsiString, Value: "success"},
- kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.HexInt64, Value: kparams.NewHex(uint64(18446666033449935464))},
+ kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.Address, Value: uint64(18446666033449935464)},
 },
 }

diff --git a/pkg/kevent/batch_test.go b/pkg/kevent/batch_test.go
index 44dd7d461..48070d4ff 100644
--- a/pkg/kevent/batch_test.go
+++ b/pkg/kevent/batch_test.go
@@ -64,8 +64,8 @@ func TestBatchMarshalJSON(t *testing.T) {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Handles: []htypes.Handle{
 {Num: windows.Handle(0xffffd105e9baaf70),
@@ -132,8 +132,8 @@ func TestBatchMarshalJSON(t *testing.T) {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Handles: []htypes.Handle{
 {Num: windows.Handle(0xffffd105e9baaf70),
@@ -200,8 +200,8 @@ func TestBatchMarshalJSON(t *testing.T) {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Handles: []htypes.Handle{
 {Num: windows.Handle(0xffffd105e9baaf70),
diff --git a/pkg/kevent/formatter_test.go b/pkg/kevent/formatter_test.go
index 217c6f217..46198f20f 100644
--- a/pkg/kevent/formatter_test.go
+++ b/pkg/kevent/formatter_test.go
@@ -55,10 +55,10 @@ func TestFormat(t *testing.T) {
 f, err := NewFormatter(template)
 require.NoError(t, err)
 params := Kparams{
- kpars.ProcessID: {Name: kpars.ProcessID, Type: kpars.HexInt32, Value: kpars.Hex("0x36c")},
+ kpars.ProcessID: {Name: kpars.ProcessID, Type: kpars.PID, Value: uint32(876)},
 }
 s := f.Format(&Kevent{CPU: uint8(4), Name: "CreateProcess", Seq: uint64(1999), Kparams: params, Metadata: map[MetadataKey]any{"key1": "value1"}})
- assert.Equal(t, "1999 4 - (CreateProcess) -- pid: 0x36c (pid➜ 0x36c) key1: value1", string(s))
+ assert.Equal(t, "1999 4 - (CreateProcess) -- pid: 876 (pid➜ 876) key1: value1", string(s))
 }

 func TestFormatPS(t *testing.T) {
@@ -66,7 +66,7 @@ func TestFormatPS(t *testing.T) {
 f, err := NewFormatter(template)
 require.NoError(t, err)
 params := Kparams{
- kpars.ProcessID: {Name: kpars.ProcessID, Type: kpars.HexInt32, Value: kpars.Hex("0x36c")},
+ kpars.ProcessID: {Name: kpars.ProcessID, Type: kpars.PID, Value: uint32(876)},
 }
 s := f.Format(&Kevent{
 CPU: uint8(4),
diff --git a/pkg/kevent/marshaller_test.go b/pkg/kevent/marshaller_test.go
index 3d23100d2..8e54be57e 100644
--- a/pkg/kevent/marshaller_test.go
+++ b/pkg/kevent/marshaller_test.go
@@ -65,7 +65,7 @@ func TestMarshaller(t *testing.T) {
 kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"},
 kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)},
 kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)},
- kparams.KstackLimit: {Name: kparams.KstackLimit, Type: kparams.HexInt8, Value: kparams.Hex("ff")},
+ kparams.KstackLimit: {Name: kparams.KstackLimit, Type: kparams.Address, Value: uint64(1888833888)},
 kparams.StartTime: {Name: kparams.StartTime, Type: kparams.Time, Value: time.Now()},
 kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(1204)},
 kparams.NetDIPNames: {Name: kparams.NetDIPNames, Type: kparams.Slice, Value: []string{"dns.google.", "github.com."}},
@@ -145,8 +145,8 @@ func TestKeventMarshalJSON(t *testing.T) {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Handles: []htypes.Handle{
 {Num: windows.Handle(0xffffd105e9baaf70),
@@ -254,8 +254,8 @@ func TestUnmarshalHugeHandles(t *testing.T) {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Handles: handles,
 PE: &pex.PE{
@@ -316,8 +316,8 @@ func TestKeventMarshalJSONMultiple(t *testing.T) {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Handles: []htypes.Handle{
 {Num: windows.Handle(0xffffd105e9baaf70),
diff --git a/pkg/outputs/amqp/amqp_test.go b/pkg/outputs/amqp/amqp_test.go
index 6630872aa..956f340fb 100644
--- a/pkg/outputs/amqp/amqp_test.go
+++ b/pkg/outputs/amqp/amqp_test.go
@@ -225,8 +225,8 @@ func getBatch() *kevent.Batch {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Handles: []htypes.Handle{
 {Num: windows.Handle(0xffffd105e9baaf70),
@@ -293,8 +293,8 @@ func getBatch() *kevent.Batch {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Handles: []htypes.Handle{
 {Num: windows.Handle(0xffffd105e9baaf70),
@@ -361,8 +361,8 @@ func getBatch() *kevent.Batch {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Handles: []htypes.Handle{
 {Num: windows.Handle(0xffffd105e9baaf70),
diff --git a/pkg/outputs/elasticsearch/elasticsearch_test.go b/pkg/outputs/elasticsearch/elasticsearch_test.go
index b62b684af..3b99c7afe 100644
--- a/pkg/outputs/elasticsearch/elasticsearch_test.go
+++ b/pkg/outputs/elasticsearch/elasticsearch_test.go
@@ -192,8 +192,8 @@ func getBatch() *kevent.Batch {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Handles: []htypes.Handle{
 {Num: windows.Handle(0xffffd105e9baaf70),
@@ -260,8 +260,8 @@ func getBatch() *kevent.Batch {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Handles: []htypes.Handle{
 {Num: windows.Handle(0xffffd105e9baaf70),
@@ -328,8 +328,8 @@ func getBatch() *kevent.Batch {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Handles: []htypes.Handle{
 {Num: windows.Handle(0xffffd105e9baaf70),
diff --git a/pkg/outputs/eventlog/eventlog_test.go b/pkg/outputs/eventlog/eventlog_test.go
index 6cc617235..795931fc8 100644
--- a/pkg/outputs/eventlog/eventlog_test.go
+++ b/pkg/outputs/eventlog/eventlog_test.go
@@ -86,12 +86,12 @@ func getBatch() *kevent.Batch {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Modules: []pstypes.Module{
- {Name: "kernel32.dll", Size: 12354, Checksum: 23123343, BaseAddress: kparams.Hex("fff23fff"), DefaultBaseAddress: kparams.Hex("fff124fd")},
- {Name: "user32.dll", Size: 212354, Checksum: 33123343, BaseAddress: kparams.Hex("fef23fff"), DefaultBaseAddress: kparams.Hex("fff124fd")},
+ {Name: "kernel32.dll", Size: 12354, Checksum: 23123343, BaseAddress: kparams.Addr(4294066175), DefaultBaseAddress: kparams.Addr(4293993725)},
+ {Name: "user32.dll", Size: 212354, Checksum: 33123343, BaseAddress: kparams.Addr(4277288959), DefaultBaseAddress: kparams.Addr(4293993725)},
 },
 Handles: []htypes.Handle{
 {Num: windows.Handle(0xffffd105e9baaf70),
diff --git a/pkg/outputs/http/http_test.go b/pkg/outputs/http/http_test.go
index d113a4304..9e880092a 100644
--- a/pkg/outputs/http/http_test.go
+++ b/pkg/outputs/http/http_test.go
@@ -179,8 +179,8 @@ func getBatch() *kevent.Batch {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Handles: []htypes.Handle{
 {Num: windows.Handle(0xffffd105e9baaf70),
@@ -247,8 +247,8 @@ func getBatch() *kevent.Batch {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Handles: []htypes.Handle{
 {Num: windows.Handle(0xffffd105e9baaf70),
@@ -315,8 +315,8 @@ func getBatch() *kevent.Batch {
 SessionID: 4,
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Handles: []htypes.Handle{
 {Num: windows.Handle(0xffffd105e9baaf70),
From 546395ddc41638792f2ccafee671ee903b2a35c6 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Sat, 28 Oct 2023 22:53:43 +0200
Subject: [PATCH 3/4] Remove remnants of kparams.Hex in yara tests
---
 pkg/yara/scanner_test.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkg/yara/scanner_test.go b/pkg/yara/scanner_test.go
index 25859586f..dd9cf3453 100644
--- a/pkg/yara/scanner_test.go
+++ b/pkg/yara/scanner_test.go
@@ -119,13 +119,13 @@ func TestScan(t *testing.T) {
 Cwd: `C:\Windows\`,
 SessionID: 1,
 Threads: map[uint32]pstypes.Thread{
- 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
- 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")},
+ 3453: {Tid: 3453, Entrypoint: kparams.Addr(140729524944768), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
+ 3455: {Tid: 3455, Entrypoint: kparams.Addr(140729524944768), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Addr(18446677035730165760), KstackLimit: kparams.Addr(18446677035730137088), UstackLimit: kparams.Addr(86376448), UstackBase: kparams.Addr(86372352)},
 },
 Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"},
 Modules: []pstypes.Module{
- {Name: "kernel32.dll", Size: 12354, Checksum: 23123343, BaseAddress: kparams.Hex("fff23fff"), DefaultBaseAddress: kparams.Hex("fff124fd")},
- {Name: "user32.dll", Size: 212354, Checksum: 33123343, BaseAddress: kparams.Hex("fef23fff"), DefaultBaseAddress: kparams.Hex("fff124fd")},
+ {Name: "kernel32.dll", Size: 12354, Checksum: 23123343, BaseAddress: kparams.Addr(4294066175), DefaultBaseAddress: kparams.Addr(4293993725)},
+ {Name: "user32.dll", Size: 212354, Checksum: 33123343, BaseAddress: kparams.Addr(4277288959), DefaultBaseAddress: kparams.Addr(4293993725)},
 },
 Handles: []htypes.Handle{
 {Num: windows.Handle(0xffffd105e9baaf70),
From d86874e8a75361403ef7abd67a832eb92fc7a9b5 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Sat, 28 Oct 2023 23:18:49 +0200
Subject: [PATCH 4/4] Remove remnants of kparams.Hex in filament tests
---
 pkg/filament/filament_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/filament/filament_test.go b/pkg/filament/filament_test.go
index 48e1c3f09..f01fef660 100644
--- a/pkg/filament/filament_test.go
+++ b/pkg/filament/filament_test.go
@@ -80,7 +80,7 @@ func TestOnNextKevent(t *testing.T) {
 Timestamp: time.Now(),
 Kparams: kevent.Kparams{
 kparams.RegKeyName: {Name: kparams.RegKeyName, Type: kparams.UnicodeString, Value: `HKEY_LOCAL_MACHINE\SYSTEM\Setup`},
- kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.HexInt64, Value: kparams.NewHex(uint64(18446666033449935464))},
+ kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.Address, Value: uint64(18446666033449935464)},
 kparams.NetDIP: {Name: kparams.NetDIP, Type: kparams.IPv4, Value: net.ParseIP("216.58.201.174")},
 },
 }
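Review bot: The RegKeyHandle fixture stores its `kparams.Address`-typed value as a bare `uint64(18446666033449935464)`, whereas every other fixture in this series wraps addresses in `kparams.Addr(...)`. If the accessors for the Address type assert on the dynamic type `kparams.Addr` (not visible here, so worth confirming against the kparams package), a plain `uint64` would miss that assertion and the parameter would not format as an address; `Value: kparams.Addr(18446666033449935464)` would be consistent with the rest of the change. TestOnNextKevent's body continues outside the hunk.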
