fix: process ancestor filters stackoverflow (#127)

* mitigate stack overflow when replying caputre with ancestor filters

* add comment

* the capture should only contain CreateFile events, regenerate test fixture

Author: rabbitstack

pkg/filter/accessor_windows.go

@@ -418,47 +418,47 @@ func ancestorFields(field string, kevt *kevent.Kevent) (kparams.Value, error) {
 
 	switch key {
 	case "root":
-		pstypes.Walk(func(proc *pstypes.PS) {
+		walk := func(proc *pstypes.PS) {
 			ps = proc
-		}, kevt.PS)
-
+		}
+		pstypes.Walk(walk, kevt.PS)
 	case "any":
 		values := make([]string, 0)
-		pstypes.Walk(func(ps *pstypes.PS) {
+		walk := func(proc *pstypes.PS) {
 			switch segment {
 			case fields.ProcessName:
-				values = append(values, ps.Name)
+				values = append(values, proc.Name)
 			case fields.ProcessID:
-				values = append(values, strconv.Itoa(int(ps.PID)))
+				values = append(values, strconv.Itoa(int(proc.PID)))
 			case fields.ProcessSID:
-				values = append(values, ps.SID)
+				values = append(values, proc.SID)
 			case fields.ProcessSessionID:
-				values = append(values, strconv.Itoa(int(ps.SessionID)))
+				values = append(values, strconv.Itoa(int(proc.SessionID)))
 			case fields.ProcessCwd:
-				values = append(values, ps.Cwd)
+				values = append(values, proc.Cwd)
 			case fields.ProcessComm:
-				values = append(values, ps.Comm)
+				values = append(values, proc.Comm)
 			case fields.ProcessArgs:
-				values = append(values, ps.Args...)
+				values = append(values, proc.Args...)
 			case fields.ProcessExe:
-				values = append(values, ps.Exe)
+				values = append(values, proc.Exe)
 			}
-		}, kevt.PS)
-
+		}
+		pstypes.Walk(walk, kevt.PS)
 		return values, nil
-
 	default:
 		depth, err := strconv.Atoi(key)
 		if err != nil {
 			return nil, err
 		}
 		var i int
-		pstypes.Walk(func(proc *pstypes.PS) {
+		walk := func(proc *pstypes.PS) {
 			i++
 			if i == depth {
 				ps = proc
 			}
-		}, kevt.PS)
+		}
+		pstypes.Walk(walk, kevt.PS)
 	}
 
 	if ps == nil {

pkg/kcap/_fixtures/cap.kcap

@@ -178,15 +178,18 @@ func (r *reader) read(kevt *kevent.Kevent, keventsc chan *kevent.Kevent) {
 
 func (r *reader) updateSnapshotters(kevt *kevent.Kevent) error {
 	switch kevt.Type {
-	case ktypes.TerminateThread, ktypes.TerminateProcess, ktypes.UnloadImage:
+	case ktypes.TerminateThread,
+		ktypes.TerminateProcess,
+		ktypes.UnloadImage:
 		if err := r.psnapshotter.Remove(kevt); err != nil {
 			return err
 		}
 	case ktypes.CreateProcess,
 		ktypes.CreateThread,
 		ktypes.LoadImage,
 		ktypes.EnumImage,
-		ktypes.EnumProcess, ktypes.EnumThread:
+		ktypes.EnumProcess,
+		ktypes.EnumThread:
 		if err := r.psnapshotter.WriteFromKcap(kevt); err != nil {
 			return err
 		}

pkg/kcap/_fixtures/cap1.kcap

@@ -65,12 +65,8 @@ func TestWrite(t *testing.T) {
 	errs := make(chan error, 10)
 
 	for i := 0; i < 100; i++ {
-		typ := ktypes.CreateFile
-		if i%2 == 0 {
-			typ = ktypes.CreateProcess
-		}
 		kevt := &kevent.Kevent{
-			Type:        typ,
+			Type:        ktypes.CreateFile,
 			Tid:         2484,
 			PID:         859,
 			CPU:         uint8(i / 2),

pkg/kcap/reader_windows.go

@@ -95,9 +95,6 @@ func NewSnapshotterFromKcap(handleSnap handle.Snapshotter, config *config.Config
 		capture:    true,
 	}
 
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
 	s.handleSnap.RegisterCreateCallback(s.onHandleCreated)
 	s.handleSnap.RegisterDestroyCallback(s.onHandleDestroyed)
 
@@ -113,12 +110,24 @@ func (s *snapshotter) WriteFromKcap(kevt *kevent.Kevent) error {
 		if ps == nil {
 			return nil
 		}
-		if ps.PID == winerrno.InvalidPID {
-			return nil
+		pid, err := kevt.Kparams.GetPid()
+		if err != nil {
+			return err
 		}
-		ps.Parent = s.procs[ps.Ppid]
-		s.procs[ps.PID] = ps
-
+		if kevt.Type == ktypes.EnumProcess {
+			// invalid process
+			if ps.PID == ps.Ppid {
+				return nil
+			}
+			s.procs[pid] = ps
+		} else {
+			s.procs[pid] = pstypes.FromKevent(unwrapParams(pid, kevt))
+		}
+		ppid, err := kevt.Kparams.GetPpid()
+		if err != nil {
+			return err
+		}
+		ps.Parent = s.procs[ppid]
 	case ktypes.CreateThread, ktypes.EnumThread:
 		pid, err := kevt.Kparams.GetPid()
 		if err != nil {
@@ -130,7 +139,6 @@ func (s *snapshotter) WriteFromKcap(kevt *kevent.Kevent) error {
 			ps.AddThread(thread)
 			ps.Parent = s.procs[ps.Ppid]
 		}
-
 	case ktypes.LoadImage, ktypes.EnumImage:
 		pid, err := kevt.Kparams.GetPid()
 		if err != nil {
@@ -340,7 +348,7 @@ func (s *snapshotter) findProcess(pid uint32, thread pstypes.Thread) *pstypes.PS
 	case 0:
 		return pstypes.NewPS(pid, pid, "idle", "", "idle", thread, nil)
 	case 4:
-		return pstypes.NewPS(pid, pid, "System", "", ntoskrnl(), thread, nil)
+		return pstypes.NewPS(pid, 0, "System", "", ntoskrnl(), thread, nil)
 	}
 	flags := process.QueryInformation | process.VMRead
 	h, err := process.Open(flags, false, pid)

pkg/kcap/writer_windows_test.go

@@ -314,7 +314,7 @@ func (m *Module) Unmarshal(b []byte) (uint16, error) {
 	// read checksum
 	m.Checksum = bytes.ReadUint32(b[4:])
 
-	// read DLL full path
+	// read module full path
 	length := bytes.ReadUint16(b[8:])
 	buf := b[10:]
 	offset := length