Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Stack enrichment #217

Merged
merged 19 commits into from
Dec 25, 2023
Merged

feat: Stack enrichment #217

merged 19 commits into from
Dec 25, 2023

Conversation

rabbitstack
Copy link
Owner

Stack enrichment foundation is based on StackWalk events emitted by the system logger provider. The collection of return addresses is appended to supported events and symbolized afterward. The symbolization process is delegated to Debug Helper API with a couple of nuances:

  • high volume events such as CreateFile with open disposition are enriched with module information from the process state. Symbol names are not obtained.
  • for the rest of events, Debug Helper API is used in combination with module state consulting and PE export directory parsing.

The following events are eligible for stack enrichment:

  • CreateProcess
  • CreateThread
  • TerminateThread
  • LoadImage
  • RegCreateKey
  • RegDeleteKey
  • RegSetValue
  • RegDeleteValue
  • CreateFile
  • DeleteFile
  • RenameFile

@rabbitstack
Create initial symbolize package
13abff3
@rabbitstack
Initial callstack walking support
e90ad1a 
This is the groundwork for stack enrichment based on the events emitted by the kernel logger or stack trace items available in event extended properties.
@rabbitstack
Move callstack decoration to event queue
7ae91fd
@rabbitstack
Introduce event Callstack field
6e9853a
@rabbitstack
Initialize symbols with symbol options.
bba9550
@rabbitstack
More symbolizer work
afb0929 
Symbolizer is capable of decorating return addresses with symbol information as well as memory region characteristics.
@rabbitstack
Symbolization perf improvements
769ecab 
Make symbolizer aware of symbol resolution frequency to alleviate the pressure on the CPU when initializing symbol handles. Also, introduce a config option to indicate if kernel addresses are symbolized.
@rabbitstack
CreateFile callstack enrichment
4ab764c 
Callstack enrichment for CreateFile events is performed in the fs processor, as we activate the stack tracing for CreateFile and not FileOpEnd events. Also, this commit introduces a ton of improvements and facilities to ease unit testing
@rabbitstack
Add symbolizer tests
90f17c5
@rabbitstack
Fix merge conflicts
81e6b92
@rabbitstack
Fix tests
247c786
@rabbitstack
Fix tests compilation errors and other adjustments
192c256
@rabbitstack
Fix merge conflicts
b3d0d46
@rabbitstack
Disable CopyFile callstack test and adjust event queue tests
a5a84f7
@rabbitstack rabbitstack merged commit 9219cc8 into master Dec 25, 2023
3 checks passed
@rabbitstack rabbitstack deleted the stack-enrichment branch December 25, 2023 00:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@rabbitstack