feat(filter): Add evt.is_direct_syscall and evt.is_indirect_syscall fields

Author: rabbitstack

internal/evasion/direct_syscall.go

@@ -68,3 +68,7 @@ func (d *directSyscall) Eval(e *event.Event) (bool, error) {
 }
 
 func (*directSyscall) Type() Type { return DirectSyscall }
+
+func (*directSyscall) SetMask(e *event.Event) {
+	e.Evasions |= uint32(DirectSyscall)
+}

internal/evasion/indirect_syscall.go

@@ -159,3 +159,7 @@ func (i *indirectSyscall) Eval(e *event.Event) (bool, error) {
 }
 
 func (*indirectSyscall) Type() Type { return IndirectSyscall }
+
+func (*indirectSyscall) SetMask(e *event.Event) {
+	e.Evasions |= uint32(IndirectSyscall)
+}

internal/evasion/scanner.go

@@ -35,19 +35,21 @@ var evasionsCount expvar.Map
 // that yields the evasion techniques, such as direct syscall.
 type Scanner struct {
 	evasions []Evasion
+	config   Config
 }
 
 // NewScanner instantiates the new evasion scanner.
 func NewScanner(config Config) *Scanner {
 	s := &Scanner{
 		evasions: make([]Evasion, 0),
+		config:   config,
 	}
 
 	if config.EnableDirectSyscall {
-		s.registerEvasion(NewDirectSyscall())
+		s.addEvasion(NewDirectSyscall())
 	}
 	if config.EnableIndirectSyscall {
-		s.registerEvasion(NewIndirectSyscall())
+		s.addEvasion(NewIndirectSyscall())
 	}
 
 	return s
@@ -71,8 +73,9 @@ func (s *Scanner) ProcessEvent(e *event.Event) (bool, error) {
 		}
 		if matches {
 			enq = true
-			e.AddSliceMetaOrAppend(event.EvasionsKey, evasion.Type().String())
+			evasion.SetMask(e)
 			evasionsCount.Add(evasion.Type().String(), 1)
+			e.AddOrAppendMetaSlice(event.EvasionsKey, evasion.Type().String())
 			log.Debugf("detected evasion %q on event [%s] and callstack [%s]", evasion.Type(), e, e.Callstack)
 		}
 	}
@@ -82,6 +85,8 @@ func (s *Scanner) ProcessEvent(e *event.Event) (bool, error) {
 
 func (s *Scanner) CanEnqueue() bool { return false }
 
-func (s *Scanner) registerEvasion(evasion Evasion) {
-	s.evasions = append(s.evasions, evasion)
+func (s *Scanner) addEvasion(evasion Evasion) {
+	if s.config.Enabled {
+		s.evasions = append(s.evasions, evasion)
+	}
 }

internal/evasion/scanner_test.go

@@ -19,14 +19,15 @@
 package evasion
 
 import (
+	"strings"
+	"testing"
+	"time"
+
 	"github.com/rabbitstack/fibratus/pkg/callstack"
 	"github.com/rabbitstack/fibratus/pkg/event"
 	"github.com/rabbitstack/fibratus/pkg/event/params"
 	"github.com/rabbitstack/fibratus/pkg/fs"
 	"github.com/stretchr/testify/require"
-	"strings"
-	"testing"
-	"time"
 )
 
 func TestScannerProcessEvent(t *testing.T) {
@@ -66,6 +67,7 @@ func TestScannerProcessEvent(t *testing.T) {
 			require.NoError(t, err)
 			require.True(t, matches && len(tt.expectedEvasions) > 0)
 			if len(tt.expectedEvasions) > 0 {
+				require.True(t, tt.evt.Evasions&uint32(DirectSyscall) != 0)
 				require.True(t, tt.evt.ContainsMeta(event.EvasionsKey))
 				require.Equal(t, tt.expectedEvasions, tt.evt.GetMeta(event.EvasionsKey).([]string))
 			}

internal/evasion/types.go

@@ -21,11 +21,11 @@ package evasion
 import "github.com/rabbitstack/fibratus/pkg/event"
 
 // Type is the alias for the evasion technique type.
-type Type uint8
+type Type uint32
 
 const (
 	// DirectSyscall represents the direct syscall evasion.
-	DirectSyscall Type = iota
+	DirectSyscall Type = 1 << iota
 	// IndirectSyscall represents the indirect syscall evasion.
 	IndirectSyscall
 )
@@ -47,8 +47,10 @@ type Evasion interface {
 	// Eval executes the evasion logic. The evasion detector usually accesses
 	// the callstack from the given event to determine if any evasions are
 	// performed on behalf of the process. If the evasion is recognized, this
-	// method return true, or false otherwise.
+	// method returns true, or false otherwise.
 	Eval(*event.Event) (bool, error)
 	// Type returns the type of the evasion technique.
 	Type() Type
+	// SetMask sets the type in the event evasions bitmask.
+	SetMask(*event.Event)
 }

pkg/event/event.go

@@ -20,13 +20,14 @@ package event
 
 import (
 	"fmt"
+	"strings"
+	"sync"
+	"time"
+
 	"github.com/rabbitstack/fibratus/pkg/callstack"
 	capver "github.com/rabbitstack/fibratus/pkg/cap/version"
 	"github.com/rabbitstack/fibratus/pkg/event/params"
 	pstypes "github.com/rabbitstack/fibratus/pkg/ps/types"
-	"strings"
-	"sync"
-	"time"
 )
 
 // TimestampFormat is the Go valid format for the event timestamp
@@ -73,6 +74,8 @@ type Event struct {
 	PID uint32 `json:"pid"`
 	// Tid is the thread identifier of the thread that generated the event.
 	Tid uint32 `json:"tid"`
+	// Evasions is the bitmask that stores detected evasion types on this event.
+	Evasions uint32 `json:"-"`
 	// Type is the internal representation of the event. This field should be ignored by serializers.
 	Type Type `json:"-"`
 	// CPU designates the processor logical core where the event was originated.
@@ -245,9 +248,9 @@ func (e *Event) AddMeta(k MetadataKey, v any) {
 	e.Metadata[k] = v
 }
 
-// AddSliceMetaOrAppend puts the provided string into the slice if the key
+// AddOrAppendMetaSlice puts the provided string into the slice if the key
 // doesn't exist or appends the string to the slice.
-func (e *Event) AddSliceMetaOrAppend(k MetadataKey, s string) {
+func (e *Event) AddOrAppendMetaSlice(k MetadataKey, s string) {
 	if e.ContainsMeta(k) {
 		v := append(e.GetMeta(k).([]string), s)
 		e.AddMeta(k, v)

pkg/filter/accessor.go

@@ -20,10 +20,12 @@ package filter
 
 import (
 	"errors"
+	"reflect"
+
+	"github.com/rabbitstack/fibratus/internal/evasion"
 	"github.com/rabbitstack/fibratus/pkg/event"
 	"github.com/rabbitstack/fibratus/pkg/event/params"
 	"github.com/rabbitstack/fibratus/pkg/filter/fields"
-	"reflect"
 )
 
 var (
@@ -134,6 +136,10 @@ func (k *evtAccessor) Get(f Field, evt *event.Event) (params.Value, error) {
 		default:
 			return evt.GetParamAsString(name), nil
 		}
+	case fields.EvtIsDirectSyscall:
+		return evt.Evasions&uint32(evasion.DirectSyscall) != 0, nil
+	case fields.EvtIsIndirectSyscall:
+		return evt.Evasions&uint32(evasion.IndirectSyscall) != 0, nil
 	}
 
 	return nil, nil

pkg/filter/fields/fields_windows.go

@@ -344,6 +344,12 @@ const (
 	EvtNparams Field = "evt.nparams"
 	// EvtArg represents the field sequence for generic argument access
 	EvtArg Field = "evt.arg"
+	// EvtIsDirectSyscall represents the field that designates if this event is
+	// performing a direct syscall.
+	EvtIsDirectSyscall Field = "evt.is_direct_syscall"
+	// EvtIsIndirectSyscall represents the field that designates if this event is
+	// performing an indirect syscall.
+	EvtIsIndirectSyscall Field = "evt.is_indirect_syscall"
 
 	// KevtSeq is the event sequence number
 	KevtSeq Field = "kevt.seq"
@@ -812,6 +818,9 @@ var fields = map[Field]FieldInfo{
 		}
 		return true
 	}}},
+	EvtIsDirectSyscall:   {EvtIsDirectSyscall, "indicates if the event is performing a direct syscall", params.Bool, []string{"evt.is_direct_syscall = true"}, nil, nil},
+	EvtIsIndirectSyscall: {EvtIsIndirectSyscall, "indicates if the event is performing an indirect syscall", params.Bool, []string{"evt.is_indirect_syscall = true"}, nil, nil},
+
 	KevtSeq:         {KevtSeq, "event sequence number", params.Uint64, []string{"kevt.seq > 666"}, &Deprecation{Since: "3.0.0", Fields: []Field{EvtSeq}}, nil},
 	KevtPID:         {KevtPID, "process identifier generating the event", params.Uint32, []string{"kevt.pid = 6"}, &Deprecation{Since: "3.0.0", Fields: []Field{EvtPID}}, nil},
 	KevtTID:         {KevtTID, "thread identifier generating the event", params.Uint32, []string{"kevt.tid = 1024"}, &Deprecation{Since: "3.0.0", Fields: []Field{EvtTID}}, nil},

pkg/filter/filter_test.go

@@ -19,7 +19,15 @@
 package filter
 
 import (
+	"net"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+	"unsafe"
+
 	"github.com/rabbitstack/fibratus/internal/etw/processors"
+	"github.com/rabbitstack/fibratus/internal/evasion"
 	"github.com/rabbitstack/fibratus/pkg/callstack"
 	"github.com/rabbitstack/fibratus/pkg/config"
 	"github.com/rabbitstack/fibratus/pkg/event"
@@ -36,12 +44,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sys/windows"
-	"net"
-	"os"
-	"path/filepath"
-	"testing"
-	"time"
-	"unsafe"
 )
 
 var cfg = &config.Config{
@@ -701,6 +703,7 @@ func TestEventFilter(t *testing.T) {
 		Category:    event.File,
 		Host:        "archrabbit",
 		Description: "Creates or opens a new file, directory, I/O device, pipe, console",
+		Evasions:    uint32(evasion.IndirectSyscall),
 		Params: event.Params{
 			params.ProcessID:     {Name: params.ProcessID, Type: params.PID, Value: uint32(3434)},
 			params.FileObject:    {Name: params.FileObject, Type: params.Uint64, Value: uint64(12456738026482168384)},
@@ -729,6 +732,8 @@ func TestEventFilter(t *testing.T) {
 		{`evt.arg[file_path] = '\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll'`, true},
 		{`evt.arg[type] = 'file'`, true},
 		{`evt.arg[pid] = 3434`, true},
+		{`evt.is_direct_syscall = false`, true},
+		{`evt.is_indirect_syscall`, true},
 
 		{`evt.desc contains 'Creates or opens a new file'`, true},