fix(ps): Use start time from event timestamp

rabbitstack · rabbitstack · commit eddefd2b3dea · 2024-12-23T10:37:32.000+01:00
If we fail to obtain the process start time
use the one from the event timestamp.
diff --git a/internal/etw/processors/ps_windows.go b/internal/etw/processors/ps_windows.go
@@ -48,6 +48,7 @@ func (p psProcessor) ProcessEvent(e *kevent.Kevent) (*kevent.Kevent, bool, error
 			p.regionProber.Remove(evt.Kparams.MustGetPid())
 			return evt, false, multierror.Wrap(err, p.psnap.Remove(evt))
 		}
+
 		return evt, false, multierror.Wrap(err, p.psnap.Write(evt))
 	case ktypes.CreateThread, ktypes.TerminateThread, ktypes.ThreadRundown:
 		pid, err := e.Kparams.GetPid()
@@ -65,6 +66,7 @@ func (p psProcessor) ProcessEvent(e *kevent.Kevent) (*kevent.Kevent, bool, error
 		if err != nil {
 			return e, false, err
 		}
+
 		return e, false, p.psnap.RemoveThread(pid, tid)
 	case ktypes.OpenProcess, ktypes.OpenThread:
 		pid, err := e.Kparams.GetPid()
@@ -76,8 +78,10 @@ func (p psProcessor) ProcessEvent(e *kevent.Kevent) (*kevent.Kevent, bool, error
 			e.AppendParam(kparams.Exe, kparams.FilePath, proc.Exe)
 			e.AppendParam(kparams.ProcessName, kparams.AnsiString, proc.Name)
 		}
+
 		return e, false, nil
 	}
+
 	return e, true, nil
 }
 
@@ -105,7 +109,7 @@ func (p psProcessor) processEvent(e *kevent.Kevent) (*kevent.Kevent, error) {
 
 	// query process start time
 	pid := e.Kparams.MustGetPid()
-	started, err := getStartTime(pid)
+	started, err := getStartTime(pid, e)
 	if err != nil {
 		started = e.Timestamp
 	}
@@ -117,10 +121,10 @@ func (p psProcessor) processEvent(e *kevent.Kevent) (*kevent.Kevent, error) {
 func (psProcessor) Name() ProcessorType { return Ps }
 func (p psProcessor) Close()            {}
 
-func getStartTime(pid uint32) (time.Time, error) {
+func getStartTime(pid uint32, e *kevent.Kevent) (time.Time, error) {
 	proc, err := windows.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION, false, pid)
 	if err != nil {
-		return time.Now(), err
+		return e.Timestamp, err
 	}
 	//nolint:errcheck
 	defer windows.CloseHandle(proc)
@@ -132,7 +136,7 @@ func getStartTime(pid uint32) (time.Time, error) {
 	)
 	err = windows.GetProcessTimes(proc, &ct, &xt, &kt, &ut)
 	if err != nil {
-		return time.Now(), err
+		return e.Timestamp, err
 	}
 	return time.Unix(0, ct.Nanoseconds()), nil
 }

Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,7 @@ func (p psProcessor) ProcessEvent(e kevent.Kevent) (kevent.Kevent, bool, error`
`48`	`48`	`p.regionProber.Remove(evt.Kparams.MustGetPid())`
`49`	`49`	`return evt, false, multierror.Wrap(err, p.psnap.Remove(evt))`
`50`	`50`	`}`
	`51`	`+`
`51`	`52`	`return evt, false, multierror.Wrap(err, p.psnap.Write(evt))`
`52`	`53`	`case ktypes.CreateThread, ktypes.TerminateThread, ktypes.ThreadRundown:`
`53`	`54`	`pid, err := e.Kparams.GetPid()`
`@@ -65,6 +66,7 @@ func (p psProcessor) ProcessEvent(e kevent.Kevent) (kevent.Kevent, bool, error`
`65`	`66`	`if err != nil {`
`66`	`67`	`return e, false, err`
`67`	`68`	`}`
	`69`	`+`
`68`	`70`	`return e, false, p.psnap.RemoveThread(pid, tid)`
`69`	`71`	`case ktypes.OpenProcess, ktypes.OpenThread:`
`70`	`72`	`pid, err := e.Kparams.GetPid()`
`@@ -76,8 +78,10 @@ func (p psProcessor) ProcessEvent(e kevent.Kevent) (kevent.Kevent, bool, error`
`76`	`78`	`e.AppendParam(kparams.Exe, kparams.FilePath, proc.Exe)`
`77`	`79`	`e.AppendParam(kparams.ProcessName, kparams.AnsiString, proc.Name)`
`78`	`80`	`}`
	`81`	`+`
`79`	`82`	`return e, false, nil`
`80`	`83`	`}`
	`84`	`+`
`81`	`85`	`return e, true, nil`
`82`	`86`	`}`
`83`	`87`
`@@ -105,7 +109,7 @@ func (p psProcessor) processEvent(e kevent.Kevent) (kevent.Kevent, error) {`
`105`	`109`
`106`	`110`	`// query process start time`
`107`	`111`	`pid := e.Kparams.MustGetPid()`
`108`		`- started, err := getStartTime(pid)`
	`112`	`+ started, err := getStartTime(pid, e)`
`109`	`113`	`if err != nil {`
`110`	`114`	`started = e.Timestamp`
`111`	`115`	`}`
`@@ -117,10 +121,10 @@ func (p psProcessor) processEvent(e kevent.Kevent) (kevent.Kevent, error) {`
`117`	`121`	`func (psProcessor) Name() ProcessorType { return Ps }`
`118`	`122`	`func (p psProcessor) Close() {}`
`119`	`123`
`120`		`-func getStartTime(pid uint32) (time.Time, error) {`
	`124`	`+func getStartTime(pid uint32, e *kevent.Kevent) (time.Time, error) {`
`121`	`125`	`proc, err := windows.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION, false, pid)`
`122`	`126`	`if err != nil {`
`123`		`- return time.Now(), err`
	`127`	`+ return e.Timestamp, err`
`124`	`128`	`}`
`125`	`129`	`//nolint:errcheck`
`126`	`130`	`defer windows.CloseHandle(proc)`
`@@ -132,7 +136,7 @@ func getStartTime(pid uint32) (time.Time, error) {`
`132`	`136`	`)`
`133`	`137`	`err = windows.GetProcessTimes(proc, &ct, &xt, &kt, &ut)`
`134`	`138`	`if err != nil {`
`135`		`- return time.Now(), err`
	`139`	`+ return e.Timestamp, err`
`136`	`140`	`}`
`137`	`141`	`return time.Unix(0, ct.Nanoseconds()), nil`
`138`	`142`	`}`