chore(process): Populate process modules from internal events

If the event arrives from the provider and the process
state hasn't been populated with the expected module,
we leverage the internal load image event to append the
module.

Author: rabbitstack

internal/etw/processors/image_windows.go

@@ -55,6 +55,11 @@ func newImageProcessor(psnap ps.Snapshotter) Processor {
 func (*imageProcessor) Name() ProcessorType { return Image }
 
 func (m *imageProcessor) ProcessEvent(e *event.Event) (*event.Event, bool, error) {
+	if e.IsLoadImageInternal() {
+		// state management
+		return e, false, m.psnap.AddModule(e)
+	}
+
 	if e.IsLoadImage() {
 		// is image characteristics data cached?
 		path := e.GetParamAsString(params.ImagePath)

internal/etw/source.go

@@ -168,7 +168,7 @@ func (e *EventSource) Open(config *config.Config) error {
 	// additional attributes and guaranteeing that any event published by
 	// the security telemetry session doesn't miss its respective process
 	// from the snapshotter
-	trace.AddProvider(etw.WindowsKernelProcessGUID, false, WithKeywords(etw.ProcessKeyword), WithCaptureState())
+	trace.AddProvider(etw.WindowsKernelProcessGUID, false, WithKeywords(etw.ProcessKeyword|etw.ImageKeyword), WithCaptureState())
 
 	if config.EventSource.EnableDNSEvents {
 		trace.AddProvider(etw.DNSClientGUID, false)

pkg/event/event_windows.go

@@ -229,6 +229,7 @@ func (e *Event) IsTerminateProcess() bool       { return e.Type == TerminateProc
 func (e *Event) IsTerminateThread() bool        { return e.Type == TerminateThread }
 func (e *Event) IsUnloadImage() bool            { return e.Type == UnloadImage }
 func (e *Event) IsLoadImage() bool              { return e.Type == LoadImage }
+func (e *Event) IsLoadImageInternal() bool      { return e.Type == LoadImageInternal }
 func (e *Event) IsImageRundown() bool           { return e.Type == ImageRundown }
 func (e *Event) IsFileOpEnd() bool              { return e.Type == FileOpEnd }
 func (e *Event) IsRegSetValue() bool            { return e.Type == RegSetValue }

pkg/event/metainfo_windows.go

@@ -240,6 +240,7 @@ func AllWithState() []Type {
 	s = append(s, StackWalk)
 	s = append(s, CreateProcessInternal)
 	s = append(s, ProcessRundownInternal)
+	s = append(s, LoadImageInternal)
 
 	return s
 }

pkg/event/param_windows.go

@@ -459,6 +459,29 @@ func (e *Event) produceParams(evt *etw.EventRecord) {
 		e.AppendParam(params.ImagePath, params.DOSPath, filename)
 		e.AppendParam(params.ImageSignatureLevel, params.Enum, uint32(sigLevel), WithEnum(signature.Levels))
 		e.AppendParam(params.ImageSignatureType, params.Enum, uint32(sigType), WithEnum(signature.Types))
+	case LoadImageInternal:
+		var (
+			pid         uint32
+			checksum    uint32
+			defaultBase uint64
+			imageBase   uint64
+			imageSize   uint64
+			filename    string
+		)
+
+		imageBase = evt.ReadUint64(0)
+		imageSize = evt.ReadUint64(8)
+		pid = evt.ReadUint32(16)
+		checksum = evt.ReadUint32(20)
+		defaultBase = evt.ReadUint64(28) // skip timestamp (4 bytes)
+		filename = evt.ConsumeUTF16String(36)
+
+		e.AppendParam(params.ProcessID, params.PID, pid)
+		e.AppendParam(params.ImageCheckSum, params.Uint32, checksum)
+		e.AppendParam(params.ImageDefaultBase, params.Address, defaultBase)
+		e.AppendParam(params.ImageBase, params.Address, imageBase)
+		e.AppendParam(params.ImageSize, params.Uint64, imageSize)
+		e.AppendParam(params.ImagePath, params.DOSPath, filename)
 	case RegOpenKey, RegCloseKey,
 		RegCreateKCB, RegDeleteKCB,
 		RegKCBRundown, RegCreateKey,

pkg/event/types_windows.go

@@ -156,6 +156,8 @@ var (
 	ImageRundown = pack(ImageEventGUID, 3)
 	// LoadImage represents load image kernel events that are triggered when a DLL or executable file  is loaded
 	LoadImage = pack(ImageEventGUID, 10)
+	// LoadImageInternal same as for process internal event originating from the Microsoft Windows Kernel Process provider.
+	LoadImageInternal = pack(ProcessKernelEventGUID, 5)
 
 	// AcceptTCPv4 represents the TCPv4 kernel events for accepting connection requests from the socket queue.
 	AcceptTCPv4 = pack(NetworkTCPEventGUID, 15)
@@ -309,7 +311,7 @@ func (t Type) String() string {
 		return "RegCreateKCB"
 	case RegSetValue:
 		return "RegSetValue"
-	case LoadImage:
+	case LoadImage, LoadImageInternal:
 		return "LoadImage"
 	case UnloadImage:
 		return "UnloadImage"
@@ -359,7 +361,7 @@ func (t Type) Category() Category {
 		return Process
 	case CreateThread, TerminateThread, OpenThread, SetThreadContext, ThreadRundown, StackWalk:
 		return Thread
-	case LoadImage, UnloadImage, ImageRundown:
+	case LoadImage, UnloadImage, ImageRundown, LoadImageInternal:
 		return Image
 	case CreateFile, ReadFile, WriteFile, EnumDirectory, DeleteFile, RenameFile, CloseFile, SetFileInformation,
 		FileRundown, FileOpEnd, ReleaseFile, MapViewFile, UnmapViewFile, MapFileRundown:
@@ -518,6 +520,7 @@ func (t Type) OnlyState() bool {
 		CreateProcessInternal,
 		ThreadRundown,
 		ImageRundown,
+		LoadImageInternal,
 		FileRundown,
 		RegKCBRundown,
 		FileOpEnd,

pkg/ps/snapshotter_windows.go

@@ -246,7 +246,6 @@ func (s *snapshotter) AddModule(e *event.Event) error {
 	if err != nil {
 		return err
 	}
-	moduleCount.Add(1)
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
@@ -265,6 +264,14 @@ func (s *snapshotter) AddModule(e *event.Event) error {
 	module.Name = e.GetParamAsString(params.ImagePath)
 	module.BaseAddress = e.Params.TryGetAddress(params.ImageBase)
 	module.DefaultBaseAddress = e.Params.TryGetAddress(params.ImageDefaultBase)
+
+	if e.IsLoadImageInternal() {
+		proc.AddModule(module)
+		return nil
+	}
+
+	moduleCount.Add(1)
+
 	module.SignatureLevel, _ = e.Params.GetUint32(params.ImageSignatureLevel)
 	module.SignatureType, _ = e.Params.GetUint32(params.ImageSignatureType)
 

pkg/sys/etw/types.go

@@ -57,6 +57,9 @@ const (
 // ProcessKeyword enables process events for Microsoft Windows Kernel Process provider
 const ProcessKeyword = 0x10
 
+// ImageKeyword enables images events for Microsoft Windows Kernel Process provider
+const ImageKeyword = 0x40
+
 const (
 	// EventHeaderExtTypeStackTrace64 indicates that the extended data contains the call stack if the event is captured on a 64-bit host
 	EventHeaderExtTypeStackTrace64 uint16 = 0x0006