feat(event): Parse RegSetValueInternal event parameters

Author: rabbitstack

pkg/event/event_windows.go

@@ -233,6 +233,7 @@ func (e *Event) IsLoadImageInternal() bool      { return e.Type == LoadImageInte
 func (e *Event) IsImageRundown() bool           { return e.Type == ImageRundown }
 func (e *Event) IsFileOpEnd() bool              { return e.Type == FileOpEnd }
 func (e *Event) IsRegSetValue() bool            { return e.Type == RegSetValue }
+func (e *Event) IsRegSetValueInternal() bool    { return e.Type == RegSetValueInternal }
 func (e *Event) IsProcessRundown() bool         { return e.Type == ProcessRundown }
 func (e *Event) IsProcessRundownInternal() bool { return e.Type == ProcessRundownInternal }
 func (e *Event) IsVirtualAlloc() bool           { return e.Type == VirtualAlloc }

pkg/event/metainfo_windows.go

@@ -241,6 +241,7 @@ func AllWithState() []Type {
 	s = append(s, CreateProcessInternal)
 	s = append(s, ProcessRundownInternal)
 	s = append(s, LoadImageInternal)
+	s = append(s, RegSetValueInternal)
 
 	return s
 }

pkg/event/param_windows.go

@@ -19,6 +19,7 @@
 package event
 
 import (
+	"encoding/binary"
 	"expvar"
 	"fmt"
 	"github.com/rabbitstack/fibratus/pkg/event/params"
@@ -33,7 +34,9 @@ import (
 	"github.com/rabbitstack/fibratus/pkg/util/signature"
 	"github.com/rabbitstack/fibratus/pkg/util/va"
 	"golang.org/x/sys/windows"
+	"golang.org/x/sys/windows/registry"
 	"net"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
@@ -255,7 +258,7 @@ func (e *Event) produceParams(evt *etw.EventRecord) {
 		}
 		sid, soffset = evt.ReadSID(offset, true)
 		name, noffset = evt.ReadAnsiString(soffset)
-		cmdline, _ = evt.ReadUTF16String(soffset + noffset)
+		cmdline, _ = evt.ReadUTF16String(noffset)
 		e.AppendParam(params.ProcessObject, params.Address, kproc)
 		e.AppendParam(params.ProcessID, params.PID, pid)
 		e.AppendParam(params.ProcessParentID, params.PID, ppid)
@@ -508,6 +511,34 @@ func (e *Event) produceParams(evt *etw.EventRecord) {
 		e.AppendParam(params.RegKeyHandle, params.Address, keyHandle)
 		e.AppendParam(params.RegPath, params.Key, keyName)
 		e.AppendParam(params.NTStatus, params.Status, status)
+	case RegSetValueInternal:
+		keyObject := evt.ReadUint64(0)
+		status := evt.ReadUint32(8)
+		valueType := evt.ReadUint32(12)
+		keyName, koffset := evt.ReadUTF16String(20) // skip data size param (4 bytes)
+		valueName, voffset := evt.ReadUTF16String(koffset)
+		capturedSize := evt.ReadUint16(voffset)
+		capturedData := evt.ReadBytes(2+voffset, capturedSize)
+
+		e.AppendParam(params.RegKeyHandle, params.Address, keyObject)
+		e.AppendParam(params.NTStatus, params.Status, status)
+		e.AppendParam(params.RegPath, params.Key, filepath.Join(keyName, valueName))
+		e.AppendEnum(params.RegValueType, valueType, key.RegistryValueTypes)
+
+		if len(capturedData) > 0 {
+			switch valueType {
+			case registry.SZ, registry.MULTI_SZ, registry.EXPAND_SZ:
+				e.AppendParam(params.RegData, params.UnicodeString, string(capturedData))
+			case registry.BINARY:
+				e.AppendParam(params.RegData, params.Binary, capturedData)
+			case registry.DWORD:
+				e.AppendParam(params.RegData, params.Uint32, binary.LittleEndian.Uint32(capturedData))
+			case registry.DWORD_BIG_ENDIAN:
+				e.AppendParam(params.RegData, params.Uint32, binary.BigEndian.Uint32(capturedData))
+			case registry.QWORD:
+				e.AppendParam(params.RegData, params.Uint64, binary.LittleEndian.Uint64(capturedData))
+			}
+		}
 	case CreateFile:
 		var (
 			irp            uint64

pkg/event/params/params_windows.go

@@ -149,6 +149,8 @@ const (
 	RegValue = "value"
 	// RegValueType identifies the parameter that represents registry value type e.g (DWORD, BINARY)
 	RegValueType = "value_type"
+	// RegData identifies the parameter that stores the captured registry data
+	RegData = "data"
 
 	// ImageBase identifies the parameter name for the base address of the process in which the image is loaded.
 	ImageBase = "base_address"

pkg/event/types_windows.go

@@ -67,6 +67,8 @@ var (
 	ThreadpoolGUID = windows.GUID{Data1: 0xc861d0e2, Data2: 0xa2c1, Data3: 0x4d36, Data4: [8]byte{0x9f, 0x9c, 0x97, 0x0b, 0xab, 0x94, 0x3a, 0x12}}
 	// ProcessKernelEventGUID represents the Process Kernel event GUID
 	ProcessKernelEventGUID = windows.GUID{Data1: 0x22fb2cd6, Data2: 0x0e7b, Data3: 0x422b, Data4: [8]byte{0xa0, 0xc7, 0x2f, 0xad, 0x1f, 0xd0, 0xe7, 0x16}}
+	// RegistryKernelEventGUID represents the Registry Kernel event GUID
+	RegistryKernelEventGUID = windows.GUID{Data1: 0x70eb4f03, Data2: 0xc1de, Data3: 0x4f73, Data4: [8]byte{0xa0, 0x51, 0x33, 0xd1, 0x3d, 0x54, 0x13, 0xbd}}
 )
 
 var (
@@ -149,6 +151,10 @@ var (
 	RegDeleteKCB = pack(RegistryEventGUID, 23)
 	// RegKCBRundown enumerates the registry keys open at the start of the kernel session.
 	RegKCBRundown = pack(RegistryEventGUID, 25)
+	// RegSetValueInternal is the internal event that is used to
+	// enrich the corresponding public RegSetValue event with
+	// extra attributes
+	RegSetValueInternal = pack(RegistryKernelEventGUID, 36)
 
 	// UnloadImage represents unload image kernel events
 	UnloadImage = pack(ImageEventGUID, 2)
@@ -309,7 +315,7 @@ func (t Type) String() string {
 		return "RegQueryValue"
 	case RegCreateKCB:
 		return "RegCreateKCB"
-	case RegSetValue:
+	case RegSetValue, RegSetValueInternal:
 		return "RegSetValue"
 	case LoadImage, LoadImageInternal:
 		return "LoadImage"
@@ -367,7 +373,7 @@ func (t Type) Category() Category {
 		FileRundown, FileOpEnd, ReleaseFile, MapViewFile, UnmapViewFile, MapFileRundown:
 		return File
 	case RegCreateKey, RegDeleteKey, RegOpenKey, RegCloseKey, RegQueryKey, RegQueryValue, RegSetValue, RegDeleteValue,
-		RegKCBRundown, RegDeleteKCB, RegCreateKCB:
+		RegKCBRundown, RegDeleteKCB, RegCreateKCB, RegSetValueInternal:
 		return Registry
 	case AcceptTCPv4, AcceptTCPv6,
 		ConnectTCPv4, ConnectTCPv6,
@@ -527,7 +533,8 @@ func (t Type) OnlyState() bool {
 		ReleaseFile,
 		MapFileRundown,
 		RegCreateKCB,
-		RegDeleteKCB:
+		RegDeleteKCB,
+		RegSetValueInternal:
 		return true
 	default:
 		return false
@@ -600,7 +607,7 @@ func (t Type) ID() uint {
 // Source designates the provenance of this event type.
 func (t Type) Source() Source {
 	switch t.GUID() {
-	case AuditAPIEventGUID, DNSEventGUID, ThreadpoolGUID, ProcessKernelEventGUID:
+	case AuditAPIEventGUID, DNSEventGUID, ThreadpoolGUID, ProcessKernelEventGUID, RegistryKernelEventGUID:
 		return SecurityTelemetryLogger
 	default:
 		return SystemLogger