add param reader test, fix tests, polishing

Author: rabbitstack

pkg/kevent/kparams/readers.go

@@ -23,6 +23,7 @@ package kparams
 
 import (
 	"syscall"
+	"unicode/utf16"
 	"unsafe"
 )
 
@@ -88,7 +89,7 @@ func ConsumeUTF16String(buf uintptr, offset, length uint16) string {
 		return ""
 	}
 	s := (*[1<<30 - 1]uint16)(unsafe.Pointer(buf + uintptr(offset)))[: length-offset : length-offset]
-	return syscall.UTF16ToString(s)
+	return string(utf16.Decode(s[:len(s)/2-1]))
 }
 
 // ReadSID reads the security identifier from the provided buffer.

pkg/kevent/kparams/readers_test.go

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2021-2022 by Nedim Sabic Sabic
+ * https://www.fibratus.io
+ * All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package kparams
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+	"unsafe"
+)
+
+func TestReadBuffer(t *testing.T) {
+	b := []byte{
+		0x70, 0x3B, 0xD1, 0x24, 0x8E, 0xD6, 0xFF, 0xFF, 0x9C, 0x02, 0x00, 0x00, 0x2C, 0x00, 0x5C, 0x00,
+		0x52, 0x00, 0x45, 0x00, 0x47, 0x00, 0x49, 0x00, 0x53, 0x00, 0x54, 0x00, 0x52, 0x00, 0x59, 0x00,
+		0x5C, 0x00, 0x55, 0x00, 0x53, 0x00, 0x45, 0x00, 0x52, 0x00, 0x5C, 0x00, 0x53, 0x00, 0x2D, 0x00,
+		0x31, 0x00, 0x2D, 0x00, 0x35, 0x00, 0x2D, 0x00, 0x32, 0x00, 0x31, 0x00, 0x2D, 0x00, 0x32, 0x00,
+		0x32, 0x00, 0x37, 0x00, 0x31, 0x00, 0x30, 0x00, 0x33, 0x00, 0x34, 0x00, 0x34, 0x00, 0x35, 0x00,
+		0x32, 0x00, 0x2D, 0x00, 0x32, 0x00, 0x36, 0x00, 0x30, 0x00, 0x36, 0x00, 0x32, 0x00, 0x37, 0x00,
+		0x30, 0x00, 0x30, 0x00, 0x39, 0x00, 0x39, 0x00, 0x2D, 0x00, 0x39, 0x00, 0x38, 0x00, 0x34, 0x00,
+		0x38, 0x00, 0x37, 0x00, 0x31, 0x00, 0x35, 0x00, 0x36, 0x00, 0x39, 0x00, 0x2D, 0x00, 0x31, 0x00,
+		0x30, 0x00, 0x30, 0x00, 0x31, 0x00, 0x00, 0x00}
+	p := uintptr(unsafe.Pointer(&b[0]))
+
+	assert.Equal(t, uint64(18446698504724233072), ReadUint64(p, 0))
+	assert.Equal(t, uint32(668), ReadUint32(p, 8))
+	assert.Equal(t, uint16(44), ReadUint16(p, 12))
+	assert.Equal(t, "\\REGISTRY\\USER\\S-1-5-21-2271034452-2606270099-984871569-1001", ConsumeUTF16String(p, 14, uint16(len(b))))
+}

pkg/kstream/controller_windows.go

@@ -56,6 +56,11 @@ type TraceSession struct {
 	GUID   syscall.GUID
 }
 
+// IsKernelLogger determines if the session is tied to the NT Kernel Logger provider.
+func (s TraceSession) IsKernelLogger() bool {
+	return s.GUID == etw.KernelTraceControlGUID
+}
+
 // TraceProvider describes the ETW provider metainfo. The provider
 // acts as a source of events that are published to the tracing
 // session.

pkg/kstream/interceptors/fs_windows.go

@@ -217,15 +217,15 @@ func (f *fsInterceptor) Intercept(kevt *kevent.Kevent) (*kevent.Kevent, bool, er
 			if err != nil {
 				return kevt, true, err
 			}
-			extraInfo, err := kevt.Kparams.TryGetHexAsUint8(kparams.FileExtraInfo)
+			extraInfo, err := kevt.Kparams.TryGetHexAsUint64(kparams.FileExtraInfo)
 			if err != nil {
 				return kevt, true, err
 			}
 			fkevt, ok := f.pendingKevents[irp]
 			if !ok {
 				return kevt, true, kerrors.ErrCancelUpstreamKevent
 			}
-			fkevt.Kparams.Append(kparams.FileExtraInfo, kparams.Uint8, extraInfo)
+			fkevt.Kparams.Append(kparams.FileExtraInfo, kparams.Uint64, extraInfo)
 
 			// resolve the status of the file operation
 			status, err := kevt.Kparams.GetUint32(kparams.NTStatus)
@@ -337,7 +337,7 @@ func (f *fsInterceptor) processCreateFile(kevt *kevent.Kevent) error {
 	if err != nil {
 		return err
 	}
-	extraInfo, err := kevt.Kparams.GetUint8(kparams.FileExtraInfo)
+	extraInfo, err := kevt.Kparams.GetUint64(kparams.FileExtraInfo)
 	if err != nil {
 		return err
 	}

pkg/kstream/interceptors/fs_windows_test.go

@@ -56,9 +56,9 @@ func TestCreateFile(t *testing.T) {
 		Tid:  2484,
 		PID:  859,
 		Kparams: kevent.Kparams{
-			kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: kparams.Hex("12456738026482168384")},
+			kparams.FileObject: {Name: kparams.FileObject, Type: kparams.HexInt64, Value: kparams.Hex("12456738026482168384")},
 			kparams.FileName:   {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"},
-			kparams.FileIrpPtr: {Name: kparams.FileIrpPtr, Type: kparams.Uint64, Value: kparams.Hex("1234543123112321")},
+			kparams.FileIrpPtr: {Name: kparams.FileIrpPtr, Type: kparams.HexInt64, Value: kparams.Hex("1234543123112321")},
 		},
 	})
 	require.NoError(t, err)
@@ -68,12 +68,12 @@ func TestCreateFile(t *testing.T) {
 		Tid:  2484,
 		PID:  859,
 		Kparams: kevent.Kparams{
-			kparams.FileObject:        {Name: kparams.FileObject, Type: kparams.Uint64, Value: kparams.Hex("18446738026482168384")},
+			kparams.FileObject:        {Name: kparams.FileObject, Type: kparams.HexInt64, Value: kparams.Hex("18446738026482168384")},
 			kparams.ThreadID:          {Name: kparams.ThreadID, Type: kparams.Uint32, Value: uint32(1484)},
 			kparams.FileCreateOptions: {Name: kparams.FileCreateOptions, Type: kparams.Uint32, Value: uint32(1223456)},
 			kparams.FileName:          {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll"},
 			kparams.FileShareMask:     {Name: kparams.FileShareMask, Type: kparams.Uint32, Value: uint32(5)},
-			kparams.FileIrpPtr:        {Name: kparams.FileIrpPtr, Type: kparams.Uint64, Value: kparams.Hex("1234543123112321")},
+			kparams.FileIrpPtr:        {Name: kparams.FileIrpPtr, Type: kparams.HexInt64, Value: kparams.Hex("1234543123112321")},
 		},
 	}
 	devMapper.On("Convert", "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll").Return(fmt.Sprintf("%s\\system32\\kernel32.dll", sysRoot))
@@ -89,10 +89,10 @@ func TestCreateFile(t *testing.T) {
 		Tid:  2484,
 		PID:  859,
 		Kparams: kevent.Kparams{
-			kparams.FileObject:    {Name: kparams.FileObject, Type: kparams.Uint64, Value: kparams.Hex("18446738026482168384")},
+			kparams.FileObject:    {Name: kparams.FileObject, Type: kparams.HexInt64, Value: kparams.Hex("18446738026482168384")},
 			kparams.ThreadID:      {Name: kparams.ThreadID, Type: kparams.Uint32, Value: uint32(1484)},
-			kparams.FileIrpPtr:    {Name: kparams.FileIrpPtr, Type: kparams.Uint64, Value: kparams.Hex("1234543123112321")},
-			kparams.FileExtraInfo: {Name: kparams.FileExtraInfo, Type: kparams.Uint8, Value: kparams.Hex("2")},
+			kparams.FileIrpPtr:    {Name: kparams.FileIrpPtr, Type: kparams.HexInt64, Value: kparams.Hex("1234543123112321")},
+			kparams.FileExtraInfo: {Name: kparams.FileExtraInfo, Type: kparams.Uint64, Value: uint64(2)},
 		},
 	}
 	kevt1, _, err = fsi.Intercept(opEnd)
@@ -125,7 +125,7 @@ func TestRundownFile(t *testing.T) {
 		Tid:  2484,
 		PID:  859,
 		Kparams: kevent.Kparams{
-			kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: kparams.Hex("124567380264")},
+			kparams.FileObject: {Name: kparams.FileObject, Type: kparams.HexInt64, Value: kparams.Hex("124567380264")},
 			kparams.FileName:   {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"},
 		},
 	})
@@ -155,7 +155,7 @@ func TestDeleteFile(t *testing.T) {
 		Tid:  2484,
 		PID:  859,
 		Kparams: kevent.Kparams{
-			kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: kparams.Hex("12456738026482168384")},
+			kparams.FileObject: {Name: kparams.FileObject, Type: kparams.HexInt64, Value: kparams.Hex("12456738026482168384")},
 			kparams.FileName:   {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"},
 		},
 	})
@@ -166,8 +166,8 @@ func TestDeleteFile(t *testing.T) {
 		Tid:  2484,
 		PID:  859,
 		Kparams: kevent.Kparams{
-			kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: kparams.Hex("12456738026482168384")},
-			kparams.FileKey:    {Name: kparams.FileKey, Type: kparams.Uint64, Value: kparams.Hex("12456738026482168384")},
+			kparams.FileObject: {Name: kparams.FileObject, Type: kparams.HexInt64, Value: kparams.Hex("12456738026482168384")},
+			kparams.FileKey:    {Name: kparams.FileKey, Type: kparams.HexInt64, Value: kparams.Hex("12456738026482168384")},
 			kparams.ThreadID:   {Name: kparams.ThreadID, Type: kparams.Uint32, Value: uint32(1484)},
 		},
 	}

pkg/kstream/kstreamc_windows.go

@@ -109,7 +109,7 @@ type Consumer interface {
 }
 
 type kstreamConsumer struct {
-	handles []etw.TraceHandle // trace session handles
+	traceHandles []etw.TraceHandle // trace session handles
 
 	errs  chan error          // channel for event processing errors
 	kevts chan *kevent.Kevent // channel for fanning out generated events
@@ -129,6 +129,10 @@ type kstreamConsumer struct {
 	eventCallback EventCallbackFunc // called on each incoming event
 }
 
+func (k *kstreamConsumer) addTraceHandle(traceHandle etw.TraceHandle) {
+	k.traceHandles = append(k.traceHandles, traceHandle)
+}
+
 // NewConsumer constructs a new kernel event stream consumer.
 func NewConsumer(ktraceController KtraceController, psnap ps.Snapshotter, hsnap handle.Snapshotter, config *config.Config) Consumer {
 	kconsumer := &kstreamConsumer{
@@ -159,10 +163,13 @@ func (k *kstreamConsumer) OpenKstream(traces map[string]TraceSession) error {
 	if err != nil {
 		return err
 	}
-	for loggerName := range traces {
-		err := k.openKstream(loggerName)
+	for _, trace := range traces {
+		err := k.openKstream(trace.Name)
 		if err != nil {
-			return err
+			if trace.IsKernelLogger() {
+				return err
+			}
+			log.Warnf("unable to open %s trace: %v", trace.Name, err)
 		}
 	}
 	return nil
@@ -184,9 +191,7 @@ func (k *kstreamConsumer) openKstream(loggerName string) error {
 	if uint64(traceHandle) == winerrno.InvalidProcessTraceHandle {
 		return fmt.Errorf("unable to open kernel trace: %v", syscall.GetLastError())
 	}
-
-	k.handles = append(k.handles, traceHandle)
-
+	k.addTraceHandle(traceHandle)
 	// since `ProcessTrace` blocks the current thread
 	// we invoke it in a separate goroutine but send
 	// any possible errors to the channel
@@ -214,7 +219,7 @@ func (k *kstreamConsumer) openKstream(loggerName string) error {
 
 // CloseKstream shutdowns the event stream consumer by closing all running traces.
 func (k *kstreamConsumer) CloseKstream() error {
-	for _, h := range k.handles {
+	for _, h := range k.traceHandles {
 		if err := etw.CloseTrace(h); err != nil {
 			log.Warn(err)
 		}
@@ -764,7 +769,7 @@ func (k *kstreamConsumer) produceRawParams(ktype ktypes.Ktype, evt *etw.EventRec
 		}
 		return kevent.KparamsFromSlice(
 			kevent.NewKparam(kparams.FileIrpPtr, kparams.Uint64, irp),
-			kevent.NewKparam(kparams.FileExtraInfo, kparams.Uint8, uint8(extraInfo)),
+			kevent.NewKparam(kparams.FileExtraInfo, kparams.Uint64, extraInfo),
 			kevent.NewKparam(kparams.NTStatus, kparams.Uint32, status),
 		)
 	case ktypes.FileRundown: