feat(kevent): VirtualAlloc and VirtualFree events (#171)

* Collecting telemetry for VirtualAlloc and VirtualFree events. VirtualAlloc events are additionally enriched with page protection and page type parameters. If the region type is mapped, then we also retrieve the name of the mapped image file. Filter fields and rule macros are provided as part of this PR.

* Fix linter warning

* Fix mem filter test after moving the flags declaration to kevent package

Author: rabbitstack

cmd/fibratus/app/capture/capture_windows.go

@@ -62,7 +62,7 @@ func capture(cmd *cobra.Command, args []string) error {
 	app, err := bootstrap.NewApp(cfg, bootstrap.WithSignals(), bootstrap.WithDebugPrivilege(),
 		bootstrap.WithHandleSnapshotFn(fn))
 	if err != nil {
-		return multierror.Wrap(err, app.Shutdown())
+		return err
 	}
 	<-wait
 	if err := app.WriteCapture(args); err != nil {

cmd/fibratus/app/replay/replay_windows.go

@@ -44,7 +44,7 @@ func init() {
 func replay(cmd *cobra.Command, args []string) error {
 	app, err := bootstrap.NewApp(cfg, bootstrap.WithSignals(), bootstrap.WithCaptureReplay())
 	if err != nil {
-		return multierror.Wrap(err, app.Shutdown())
+		return err
 	}
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()

cmd/fibratus/app/run_windows.go

@@ -60,7 +60,7 @@ func run(cmd *cobra.Command, args []string) error {
 	ver.Set(version)
 	app, err := bootstrap.NewApp(cfg, bootstrap.WithSignals(), bootstrap.WithDebugPrivilege())
 	if err != nil {
-		return multierror.Wrap(err, app.Shutdown())
+		return err
 	}
 	if err := app.Run(args); err != nil {
 		return multierror.Wrap(err, app.Shutdown())

configs/fibratus.yml

@@ -181,6 +181,9 @@ kstream:
   # collected by Kernel Logger provider
   #enable-handle: false
 
+  # Determines whether memory manager kernel events are collected by Kernel Logger provider
+  #enable-mem: true
+
   # Determines whether kernel Audit API calls events are collected
   #enable-audit-api: true
 

go.mod

@@ -70,6 +70,7 @@ require (
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
 	golang.org/x/crypto v0.1.0 // indirect
 	golang.org/x/net v0.7.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/ini.v1 v1.51.0 // indirect
 	gopkg.in/yaml.v2 v2.3.0 // indirect

go.sum

@@ -269,6 +269,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

pkg/config/config_windows.go

@@ -342,6 +342,7 @@ func (c *Config) addFlags() {
 		c.flags.Bool(enableFileIOKevents, true, "Determines whether disk I/O kernel events are collected by Kernel Logger provider")
 		c.flags.Bool(enableImageKevents, true, "Determines whether file I/O kernel events are collected by Kernel Logger provider")
 		c.flags.Bool(enableHandleKevents, false, "Determines whether object manager kernel events (handle creation/destruction) are collected by Kernel Logger provider")
+		c.flags.Bool(enableMemKevents, true, "Determines whether memory manager kernel events are collected by Kernel Logger provider")
 		c.flags.Bool(enableAuditAPIEvents, true, "Determines whether kernel audit API calls events are published")
 		c.flags.Bool(enableAntimalwareEngineEvents, true, "Determines whether antimalware engine events are published")
 		c.flags.Int(bufferSize, int(maxBufferSize), "Represents the amount of memory allocated for each event tracing session buffer, in kilobytes. The buffer size affects the rate at which buffers fill and must be flushed (small buffer size requires less memory but it increases the rate at which buffers must be flushed)")

pkg/config/kstream.go

@@ -38,6 +38,7 @@ const (
 	enableFileIOKevents           = "kstream.enable-fileio"
 	enableImageKevents            = "kstream.enable-image"
 	enableHandleKevents           = "kstream.enable-handle"
+	enableMemKevents              = "kstream.enable-mem"
 	enableAuditAPIEvents          = "kstream.enable-audit-api"
 	enableAntimalwareEngineEvents = "kstream.enable-antimalware-engine"
 	bufferSize                    = "kstream.buffer-size"
@@ -71,6 +72,8 @@ type KstreamConfig struct {
 	EnableImageKevents bool `json:"enable-image" yaml:"enable-image"`
 	// EnableHandleKevents indicates whether handle creation/disposal events are enabled.
 	EnableHandleKevents bool `json:"enable-handle" yaml:"enable-handle"`
+	// EnableMemKevents indicates whether memory manager events are enabled.
+	EnableMemKevents bool `json:"enable-memory" yaml:"enable-memory"`
 	// EnableAuditAPIEvents indicates if kernel audit API calls events are enabled
 	EnableAuditAPIEvents bool `json:"enable-audit-api" yaml:"enable-audit-api"`
 	// EnableAntimalwareEngineEvents indicates if Antimalware Engine events are enabled
@@ -101,6 +104,7 @@ func (c *KstreamConfig) initFromViper(v *viper.Viper) {
 	c.EnableFileIOKevents = v.GetBool(enableFileIOKevents)
 	c.EnableImageKevents = v.GetBool(enableImageKevents)
 	c.EnableHandleKevents = v.GetBool(enableHandleKevents)
+	c.EnableMemKevents = v.GetBool(enableMemKevents)
 	c.EnableAuditAPIEvents = v.GetBool(enableAuditAPIEvents)
 	c.EnableAntimalwareEngineEvents = v.GetBool(enableAntimalwareEngineEvents)
 	c.BufferSize = uint32(v.GetInt(bufferSize))

pkg/config/schema_windows.go

@@ -161,6 +161,7 @@ var schema = `
 				"enable-fileio": 	{"type": "boolean"},
 				"enable-handle": 	{"type": "boolean"},
 				"enable-net": 		{"type": "boolean"},
+				"enable-mem": 		{"type": "boolean"},
 				"enable-audit-api": {"type": "boolean"},
 				"enable-antimalware-engine": {"type": "boolean"},
 				"min-buffers": 		{"type": "integer", "minimum": 1, "maximum": {{ .MinBuffers }}},

pkg/filter/accessor.go

@@ -128,6 +128,7 @@ func (f *filter) narrowAccessors() {
 		removeNetworkAccessor  = true
 		removeHandleAccessor   = true
 		removePEAccessor       = true
+		removeMemAccessor      = true
 	)
 	allFields := make([]fields.Field, 0)
 	allFields = append(allFields, f.fields...)
@@ -154,6 +155,8 @@ func (f *filter) narrowAccessors() {
 			removeHandleAccessor = false
 		case field.IsPeField():
 			removePEAccessor = false
+		case field.IsMemField():
+			removeMemAccessor = false
 		}
 	}
 	if removeKevtAccessor {
@@ -183,6 +186,9 @@ func (f *filter) narrowAccessors() {
 	if removePEAccessor {
 		f.removeAccessor(&peAccessor{})
 	}
+	if removeMemAccessor {
+		f.removeAccessor(&memAccessor{})
+	}
 }
 
 func (f *filter) removeAccessor(removed accessor) {