
Commit efdd5e3

committed
refactor(filter): Introduce *.path filter fields
Historically, the file.name/image.name/registry.key.name filter fields were used to yield the full file path, image path, or registry key respectively. However, a better way to convey that the referenced field actually returns a fully-qualified path is to introduce a new set of fields. As a side effect, the previous fields now return the base file/image/key names.
1 parent 324fccd commit efdd5e3


53 files changed

+296
-264
lines changed

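--- a/internal/etw/processors/fs_windows.go
+++ b/internal/etw/processors/fs_windows.go
@@ -128,15 +128,15 @@ func (f *fsProcessor) processEvent(e *kevent.Kevent) (*kevent.Kevent, error) {
 case ktypes.FileRundown:
 // when the file rundown event comes in we store the file info
 // in internal state in order to augment the rest of file events
-// that lack the file name field
-filename := e.GetParamAsString(kparams.FileName)
+// that lack the file path field
+filepath := e.GetParamAsString(kparams.FilePath)
 fileObject, err := e.Kparams.GetUint64(kparams.FileObject)
 if err != nil {
 return nil, err
 }
 if _, ok := f.files[fileObject]; !ok {
 totalRundownFiles.Add(1)
-f.files[fileObject] = &FileInfo{Name: filename, Type: fs.GetFileType(filename, 0)}
+f.files[fileObject] = &FileInfo{Name: filepath, Type: fs.GetFileType(filepath, 0)}
 }
 case ktypes.MapFileRundown:
 // if the memory-mapped view refers to the image/data file
@@ -166,7 +166,7 @@ func (f *fsProcessor) processEvent(e *kevent.Kevent) (*kevent.Kevent, error) {
 name := f.devMapper.Convert(sys.GetMappedFile(process, uintptr(addr)))
 f.mmaps[e.PID][fileKey] = &MmapInfo{File: name, BaseAddr: viewBase, Size: viewSize}
 }
-e.AppendParam(kparams.FileName, kparams.FilePath, f.mmaps[e.PID][fileKey].File)
+e.AppendParam(kparams.FilePath, kparams.Path, f.mmaps[e.PID][fileKey].File)
 return e, f.psnap.AddFileMapping(e)
 case ktypes.CreateFile:
 // we defer the processing of the CreateFile event until we get
@@ -207,12 +207,12 @@ func (f *fsProcessor) processEvent(e *kevent.Kevent) (*kevent.Kevent, error) {
 if !ok {
 opts := ev.Kparams.MustGetUint32(kparams.FileCreateOptions)
 opts &= 0xFFFFFF
-filename := ev.GetParamAsString(kparams.FileName)
-fileinfo = f.getFileInfo(filename, opts)
+filepath := ev.GetParamAsString(kparams.FilePath)
+fileinfo = f.getFileInfo(filepath, opts)
 f.files[fileObject] = fileinfo
 }
 if f.config.Kstream.EnableHandleKevents {
-f.devPathResolver.AddPath(ev.GetParamAsString(kparams.FileName))
+f.devPathResolver.AddPath(ev.GetParamAsString(kparams.FilePath))
 }
 ev.AppendParam(kparams.NTStatus, kparams.Status, status)
 if fileinfo.Type != fs.Unknown {
@@ -262,7 +262,7 @@ func (f *fsProcessor) processEvent(e *kevent.Kevent) (*kevent.Kevent, error) {
 }
 mmapinfo := f.mmaps[e.PID][fileKey]
 if mmapinfo != nil {
-e.AppendParam(kparams.FileName, kparams.FilePath, mmapinfo.File)
+e.AppendParam(kparams.FilePath, kparams.Path, mmapinfo.File)
 }
 totalMapRundownFiles.Add(-1)
 delete(f.mmaps[e.PID], fileKey)
@@ -300,7 +300,7 @@ func (f *fsProcessor) processEvent(e *kevent.Kevent) (*kevent.Kevent, error) {
 name := f.devMapper.Convert(sys.GetMappedFile(process, uintptr(addr)))
 f.initMmap(e.PID)
 f.mmaps[e.PID][fileKey] = &MmapInfo{File: name, BaseAddr: viewBase, Size: viewSize}
-e.AppendParam(kparams.FileName, kparams.FilePath, name)
+e.AppendParam(kparams.FilePath, kparams.Path, name)
 return e, f.psnap.AddFileMapping(e)
 }
 
@@ -313,15 +313,15 @@ func (f *fsProcessor) processEvent(e *kevent.Kevent) (*kevent.Kevent, error) {
 }
 if e.IsEnumDirectory() {
 if fileinfo != nil {
-e.AppendParam(kparams.FileDirectory, kparams.FilePath, fileinfo.Name)
+e.AppendParam(kparams.FileDirectory, kparams.Path, fileinfo.Name)
 }
 return e, nil
 }
 if fileinfo != nil {
 if fileinfo.Type != fs.Unknown {
 e.AppendEnum(kparams.FileType, uint32(fileinfo.Type), fs.FileTypes)
 }
-e.AppendParam(kparams.FileName, kparams.FilePath, fileinfo.Name)
+e.AppendParam(kparams.FilePath, kparams.Path, fileinfo.Name)
 }
 if e.IsMapViewFile() {
 return e, f.psnap.AddFileMapping(e)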
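Review bot: The new local `filepath` on lines 132 and 210 carries the name of the standard `path/filepath` package; if fs_windows.go imports it (the import block is outside these hunks) the package is shadowed for the remainder of each case body, and even if it does not, the identifier reads as the package to anyone skimming. `fpath := e.GetParamAsString(kparams.FilePath)` (and likewise for `ev` on line 210) avoids the collision. Relatedly, `FileInfo.Name` now receives the `kparams.FilePath` value on lines 139 and 211 and is emitted back under `kparams.FilePath` on line 324, so the struct field name no longer describes what it holds; renaming it to `Path` would carry the commit's intent into the processor state as well. processEvent starts and ends outside the hunks shown.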

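--- a/internal/etw/processors/fs_windows_test.go
+++ b/internal/etw/processors/fs_windows_test.go
@@ -50,7 +50,7 @@ func TestFsProcessor(t *testing.T) {
 Category: ktypes.File,
 Kparams: kevent.Kparams{
 kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(124567380264)},
-kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\user32.dll"},
+kparams.FilePath: {Name: kparams.FilePath, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\user32.dll"},
 },
 },
 nil,
@@ -106,7 +106,7 @@ func TestFsProcessor(t *testing.T) {
 kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(18446738026482168384)},
 kparams.ThreadID: {Name: kparams.ThreadID, Type: kparams.Uint32, Value: uint32(1484)},
 kparams.FileCreateOptions: {Name: kparams.FileCreateOptions, Type: kparams.Uint32, Value: uint32(1223456)},
-kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\kernel32.dll"},
+kparams.FilePath: {Name: kparams.FilePath, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\kernel32.dll"},
 kparams.FileShareMask: {Name: kparams.FileShareMask, Type: kparams.Uint32, Value: uint32(5)},
 kparams.FileIrpPtr: {Name: kparams.FileIrpPtr, Type: kparams.Uint64, Value: uint64(1234543123112321)},
 },
@@ -143,7 +143,7 @@ func TestFsProcessor(t *testing.T) {
 Kparams: kevent.Kparams{
 kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12446738026482168384)},
 kparams.FileCreateOptions: {Name: kparams.FileCreateOptions, Type: kparams.Uint32, Value: uint32(18874368)},
-kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "C:\\Windows\\temp\\idxx.exe"},
+kparams.FilePath: {Name: kparams.FilePath, Type: kparams.UnicodeString, Value: "C:\\Windows\\temp\\idxx.exe"},
 kparams.FileShareMask: {Name: kparams.FileShareMask, Type: kparams.Uint32, Value: uint32(5)},
 kparams.FileIrpPtr: {Name: kparams.FileIrpPtr, Type: kparams.Uint64, Value: uint64(1334543123112321)},
 },
@@ -212,7 +212,7 @@ func TestFsProcessor(t *testing.T) {
 },
 func(e *kevent.Kevent, t *testing.T, hsnap *handle.SnapshotterMock, p Processor) {
 fsProcessor := p.(*fsProcessor)
-assert.True(t, e.Kparams.Contains(kparams.FileName))
+assert.True(t, e.Kparams.Contains(kparams.FilePath))
 assert.Nil(t, fsProcessor.mmaps[3098][124567380264])
 },
 },
@@ -237,8 +237,8 @@ func TestFsProcessor(t *testing.T) {
 },
 func(e *kevent.Kevent, t *testing.T, hsnap *handle.SnapshotterMock, p Processor) {
 assert.Equal(t, ktypes.WriteFile, e.Type)
-assert.Contains(t, e.Kparams, kparams.FileName, kparams.FileType)
-assert.Equal(t, "C:\\Windows\\temp\\idxx.exe", e.GetParamAsString(kparams.FileName))
+assert.Contains(t, e.Kparams, kparams.FilePath, kparams.FileType)
+assert.Equal(t, "C:\\Windows\\temp\\idxx.exe", e.GetParamAsString(kparams.FilePath))
 assert.Equal(t, "File", e.GetParamAsString(kparams.FileType))
 },
 },
@@ -262,8 +262,8 @@ func TestFsProcessor(t *testing.T) {
 func(e *kevent.Kevent, t *testing.T, hsnap *handle.SnapshotterMock, p Processor) {
 assert.Equal(t, ktypes.WriteFile, e.Type)
 hsnap.AssertNumberOfCalls(t, "FindByObject", 1)
-assert.Contains(t, e.Kparams, kparams.FileName, kparams.FileType)
-assert.Equal(t, "C:\\Windows\\temp\\doc.docx", e.GetParamAsString(kparams.FileName))
+assert.Contains(t, e.Kparams, kparams.FilePath, kparams.FileType)
+assert.Equal(t, "C:\\Windows\\temp\\doc.docx", e.GetParamAsString(kparams.FilePath))
 assert.Equal(t, "File", e.GetParamAsString(kparams.FileType))
 },
 },
@@ -275,7 +275,7 @@ func TestFsProcessor(t *testing.T) {
 Kparams: kevent.Kparams{
 kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(18446738026482168384)},
 kparams.FileKey: {Name: kparams.FileKey, Type: kparams.Uint64, Value: uint64(14446538026482168384)},
-kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "*"},
+kparams.FilePath: {Name: kparams.FilePath, Type: kparams.UnicodeString, Value: "*"},
 },
 },
 func(p Processor) {
@@ -288,7 +288,7 @@ func TestFsProcessor(t *testing.T) {
 },
 func(e *kevent.Kevent, t *testing.T, hsnap *handle.SnapshotterMock, p Processor) {
 assert.Equal(t, ktypes.EnumDirectory, e.Type)
-assert.Contains(t, e.Kparams, kparams.FileName, kparams.FileDirectory)
+assert.Contains(t, e.Kparams, kparams.FilePath, kparams.FileDirectory)
 assert.Equal(t, "C:\\Windows\\temp", e.GetParamAsString(kparams.FileDirectory))
 },
 },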

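--- a/internal/etw/processors/handle_windows.go
+++ b/internal/etw/processors/handle_windows.go
@@ -64,7 +64,7 @@ func (h *handleProcessor) processEvent(e *kevent.Kevent) (*kevent.Kevent, error)
 pid := e.Kparams.MustGetPid()
 proc := h.psnap.FindAndPut(pid)
 if proc != nil {
-e.AppendParam(kparams.Exe, kparams.FilePath, proc.Exe)
+e.AppendParam(kparams.Exe, kparams.Path, proc.Exe)
 e.AppendParam(kparams.ProcessName, kparams.AnsiString, proc.Name)
 }
 return e, nil
@@ -93,7 +93,7 @@ func (h *handleProcessor) processEvent(e *kevent.Kevent) (*kevent.Kevent, error)
 driverPath = driverName
 }
 h.devPathResolver.RemovePath(driverName)
-e.Kparams.Append(kparams.ImagePath, kparams.Path, driverPath)
+e.Kparams.Append(kparams.ImagePath, kparams.Path, driverPath)
 }
 // assign the formatted handle name
 if err := e.Kparams.SetValue(kparams.HandleObjectName, name); err != nil {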
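Review bot: `e.Kparams.Append(kparams.ImagePath, kparams.Path, driverPath)` on line 96 can publish a bare driver name under a parameter now declared to be a fully-qualified path, because the `driverPath = driverName` fallback on line 93 is kept whenever no path was resolved. ps_windows.go line 100 has the same shape: `exe` falls back to `kparams.ProcessName` on line 98 and is still appended as `kparams.Exe` with type `kparams.Path`. Given the commit's stated contract that the new `*.path` fields are fully qualified, a rule matching on those fields would silently see a base name in the fallback case; a comment such as `// driverPath degrades to the bare driver name when the device path cannot be resolved` at line 93 (and its counterpart at ps_windows.go line 98) would at least make the contract gap explicit, or the fallback could be left out so the param is absent rather than misleading. As a minor style point, line 67 uses `e.AppendParam` while line 96 uses `e.Kparams.Append` within the same function. processEvent starts and ends outside the hunks shown.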

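--- a/internal/etw/processors/image_windows.go
+++ b/internal/etw/processors/image_windows.go
@@ -44,7 +44,7 @@ func (m *imageProcessor) ProcessEvent(e *kevent.Kevent) (*kevent.Kevent, bool, e
 }
 if e.IsUnloadImage() {
 pid := e.Kparams.MustGetPid()
-mod := e.GetParamAsString(kparams.ImageFilename)
+mod := e.GetParamAsString(kparams.ImagePath)
 if pid == 0 {
 pid = e.PID
 }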

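--- a/internal/etw/processors/image_windows_test.go
+++ b/internal/etw/processors/image_windows_test.go
@@ -44,7 +44,7 @@ func TestImageProcessor(t *testing.T) {
 &kevent.Kevent{
 Type: ktypes.LoadImage,
 Kparams: kevent.Kparams{
-kparams.ImageFilename: {Name: kparams.ImageFilename, Type: kparams.UnicodeString, Value: filepath.Join(os.Getenv("windir"), "System32", "kernel32.dll")},
+kparams.ImagePath: {Name: kparams.ImagePath, Type: kparams.UnicodeString, Value: filepath.Join(os.Getenv("windir"), "System32", "kernel32.dll")},
 kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(1023)},
 kparams.ImageCheckSum: {Name: kparams.ImageCheckSum, Type: kparams.Uint32, Value: uint32(2323432)},
 kparams.ImageBase: {Name: kparams.ImageBase, Type: kparams.Address, Value: uint64(0x7ffb313833a3)},
@@ -69,7 +69,7 @@ func TestImageProcessor(t *testing.T) {
 &kevent.Kevent{
 Type: ktypes.UnloadImage,
 Kparams: kevent.Kparams{
-kparams.ImageFilename: {Name: kparams.ImageFilename, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\kernel32.dll"},
+kparams.ImagePath: {Name: kparams.ImagePath, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\kernel32.dll"},
 kparams.ProcessName: {Name: kparams.ProcessName, Type: kparams.AnsiString, Value: "csrss.exe"},
 kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(676)},
 kparams.ImageBase: {Name: kparams.ImageBase, Type: kparams.Address, Value: uint64(0xfffb313833a3)},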

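--- a/internal/etw/processors/mem_windows.go
+++ b/internal/etw/processors/mem_windows.go
@@ -60,7 +60,7 @@ func (m memProcessor) ProcessEvent(e *kevent.Kevent) (*kevent.Kevent, bool, erro
 region := m.regionProber.Query(pid, addr)
 if region != nil {
 if region.IsMapped() {
-e.AppendParam(kparams.FileName, kparams.FileDosPath, region.GetMappedFile())
+e.AppendParam(kparams.FilePath, kparams.DOSPath, region.GetMappedFile())
 }
 e.AppendEnum(kparams.MemPageType, region.Type, MemPageTypes)
 e.AppendFlags(kparams.MemProtect, region.Protect, kevent.MemProtectionFlags)
@@ -69,7 +69,7 @@ func (m memProcessor) ProcessEvent(e *kevent.Kevent) (*kevent.Kevent, bool, erro
 }
 proc := m.psnap.FindAndPut(pid)
 if proc != nil {
-e.AppendParam(kparams.Exe, kparams.FilePath, proc.Exe)
+e.AppendParam(kparams.Exe, kparams.Path, proc.Exe)
 e.AppendParam(kparams.ProcessName, kparams.AnsiString, proc.Name)
 }
 return e, false, nil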
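Review bot: `e.AppendParam(kparams.FilePath, kparams.DOSPath, region.GetMappedFile())` on line 63 attaches the `kparams.FilePath` key with type `kparams.DOSPath`, whereas every other site touched by this commit (fs_windows.go, handle_windows.go, ps_windows.go) attaches path-valued params as `kparams.Path`. If the param type drives how the filter layer normalises or compares the value, the same filter field would behave differently depending on which processor produced the event, which is easy to miss from a rule author's side. A one-line comment on line 63 such as `// NOTE: the mapped-region path is in DOS device form, hence DOSPath rather than Path — confirm` would record the reason, assuming that is why the type differs; if it is not intentional, `kparams.Path` would make the key consistent. ProcessEvent starts and ends outside the hunks shown.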

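--- a/internal/etw/processors/processor.go
+++ b/internal/etw/processors/processor.go
@@ -93,7 +93,7 @@ func (typ ProcessorType) String() string {
 // executable image, or a Windows driver.
 func parseImageFileCharacteristics(e *kevent.Kevent) error {
 var pefile *pe.PE
-filename := e.GetParamAsString(kparams.FileName)
+filename := e.GetParamAsString(kparams.FilePath)
 f, err := os.Open(filename)
 if err != nil {
 // read file data blob from raw device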

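--- a/internal/etw/processors/ps_windows.go
+++ b/internal/etw/processors/ps_windows.go
@@ -73,7 +73,7 @@ func (p psProcessor) ProcessEvent(e *kevent.Kevent) (*kevent.Kevent, bool, error
 }
 proc := p.psnap.FindAndPut(pid)
 if proc != nil {
-e.AppendParam(kparams.Exe, kparams.FilePath, proc.Exe)
+e.AppendParam(kparams.Exe, kparams.Path, proc.Exe)
 e.AppendParam(kparams.ProcessName, kparams.AnsiString, proc.Name)
 }
 return e, false, nil
@@ -97,7 +97,7 @@ func (p psProcessor) processEvent(e *kevent.Kevent) (*kevent.Kevent, error) {
 if exe == "" {
 exe = e.GetParamAsString(kparams.ProcessName)
 }
-e.AppendParam(kparams.Exe, kparams.FilePath, exe)
+e.AppendParam(kparams.Exe, kparams.Path, exe)
 
 if e.IsTerminateProcess() {
 return e, nil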

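--- a/internal/etw/processors/registry_windows.go
+++ b/internal/etw/processors/registry_windows.go
@@ -88,7 +88,7 @@ func (r *registryProcessor) processEvent(e *kevent.Kevent) (*kevent.Kevent, erro
 case ktypes.RegKCBRundown, ktypes.RegCreateKCB:
 khandle := e.Kparams.MustGetUint64(kparams.RegKeyHandle)
 if _, ok := r.keys[khandle]; !ok {
-r.keys[khandle], _ = e.Kparams.GetString(kparams.RegKeyName)
+r.keys[khandle], _ = e.Kparams.GetString(kparams.RegPath)
 }
 kcbCount.Add(1)
 case ktypes.RegDeleteKCB:
@@ -106,15 +106,15 @@ func (r *registryProcessor) processEvent(e *kevent.Kevent) (*kevent.Kevent, erro
 // last resort is to scan process' handles and check if any of the
 // key handles contain the partial key name. In this case we assume
 // the correct key is encountered.
-keyName := e.Kparams.MustGetString(kparams.RegKeyName)
+keyName := e.Kparams.MustGetString(kparams.RegPath)
 if khandle != 0 {
 if baseKey, ok := r.keys[khandle]; ok {
 keyName = baseKey + "\\" + keyName
 } else {
 kcbMissCount.Add(1)
 keyName = r.findMatchingKey(e.PID, keyName)
 }
-if err := e.Kparams.SetValue(kparams.RegKeyName, keyName); err != nil {
+if err := e.Kparams.SetValue(kparams.RegPath, keyName); err != nil {
 return e, err
 }
 }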
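Review bot: `r.keys[khandle], _ = e.Kparams.GetString(kparams.RegPath)` on line 91 discards the error, so when the param is absent or not a string the KCB cache presumably receives an empty value for that handle. A later lookup on line 111 then finds the entry (`ok` is true), line 112 builds `"" + "\\" + keyName`, and the `findMatchingKey` fallback on line 115 never runs — the event is emitted with a key path that has lost its hive prefix, which is exactly the field a registry-persistence rule would match on. Guarding the insert keeps the cache honest: `if path, err := e.Kparams.GetString(kparams.RegPath); err == nil {` / `r.keys[khandle] = path` / `}`. processEvent starts and ends outside the hunks shown.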

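--- a/internal/etw/processors/registry_windows_test.go
+++ b/internal/etw/processors/registry_windows_test.go
@@ -43,7 +43,7 @@ func TestRegistryProcessor(t *testing.T) {
 Type: ktypes.RegKCBRundown,
 Category: ktypes.Registry,
 Kparams: kevent.Kparams{
-kparams.RegKeyName: {Name: kparams.RegKeyName, Type: kparams.UnicodeString, Value: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bthserv\Parameters`},
+kparams.RegPath: {Name: kparams.RegPath, Type: kparams.UnicodeString, Value: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bthserv\Parameters`},
 kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.Uint64, Value: uint64(18446666033549154696)},
 },
 },
@@ -64,7 +64,7 @@ func TestRegistryProcessor(t *testing.T) {
 Type: ktypes.RegDeleteKCB,
 Category: ktypes.Registry,
 Kparams: kevent.Kparams{
-kparams.RegKeyName: {Name: kparams.RegKeyName, Type: kparams.UnicodeString, Value: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bthserv\Parameters`},
+kparams.RegPath: {Name: kparams.RegPath, Type: kparams.UnicodeString, Value: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bthserv\Parameters`},
 kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.Uint64, Value: uint64(18446666033549154696)},
 },
 },
@@ -86,7 +86,7 @@ func TestRegistryProcessor(t *testing.T) {
 Type: ktypes.RegOpenKey,
 Category: ktypes.Registry,
 Kparams: kevent.Kparams{
-kparams.RegKeyName: {Name: kparams.RegKeyName, Type: kparams.Key, Value: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bthserv\Parameters`},
+kparams.RegPath: {Name: kparams.RegPath, Type: kparams.Key, Value: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bthserv\Parameters`},
 kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.Uint64, Value: uint64(0)},
 },
 },
@@ -96,7 +96,7 @@ func TestRegistryProcessor(t *testing.T) {
 return hsnap
 },
 func(e *kevent.Kevent, t *testing.T, hsnap *handle.SnapshotterMock, p Processor) {
-assert.Equal(t, `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bthserv\Parameters`, e.GetParamAsString(kparams.RegKeyName))
+assert.Equal(t, `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bthserv\Parameters`, e.GetParamAsString(kparams.RegPath))
 },
 },
 {
@@ -105,7 +105,7 @@ func TestRegistryProcessor(t *testing.T) {
 Type: ktypes.RegOpenKey,
 Category: ktypes.Registry,
 Kparams: kevent.Kparams{
-kparams.RegKeyName: {Name: kparams.RegKeyName, Type: kparams.Key, Value: `Pid`},
+kparams.RegPath: {Name: kparams.RegPath, Type: kparams.Key, Value: `Pid`},
 kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.Uint64, Value: uint64(18446666033549154696)},
 },
 },
@@ -117,7 +117,7 @@ func TestRegistryProcessor(t *testing.T) {
 return hsnap
 },
 func(e *kevent.Kevent, t *testing.T, hsnap *handle.SnapshotterMock, p Processor) {
-assert.Equal(t, `HKEY_LOCAL_MACHINE\SYSTEM\Setup\Pid`, e.GetParamAsString(kparams.RegKeyName))
+assert.Equal(t, `HKEY_LOCAL_MACHINE\SYSTEM\Setup\Pid`, e.GetParamAsString(kparams.RegPath))
 },
 },
 {
@@ -127,7 +127,7 @@ func TestRegistryProcessor(t *testing.T) {
 Category: ktypes.Registry,
 PID: 23234,
 Kparams: kevent.Kparams{
-kparams.RegKeyName: {Name: kparams.RegKeyName, Type: kparams.Key, Value: `Pid`},
+kparams.RegPath: {Name: kparams.RegPath, Type: kparams.Key, Value: `Pid`},
 kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.Uint64, Value: uint64(18446666033549154696)},
 },
 },
@@ -140,7 +140,7 @@ func TestRegistryProcessor(t *testing.T) {
 },
 func(e *kevent.Kevent, t *testing.T, hsnap *handle.SnapshotterMock, p Processor) {
 hsnap.AssertNumberOfCalls(t, "FindHandles", 1)
-assert.Equal(t, `HKEY_LOCAL_MACHINE\SYSTEM\Setup\Pid`, e.GetParamAsString(kparams.RegKeyName))
+assert.Equal(t, `HKEY_LOCAL_MACHINE\SYSTEM\Setup\Pid`, e.GetParamAsString(kparams.RegPath))
 },
 },
 {
@@ -150,7 +150,7 @@ func TestRegistryProcessor(t *testing.T) {
 Category: ktypes.Registry,
 PID: 23234,
 Kparams: kevent.Kparams{
-kparams.RegKeyName: {Name: kparams.RegKeyName, Type: kparams.Key, Value: `\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Windows\Directory`},
+kparams.RegPath: {Name: kparams.RegPath, Type: kparams.Key, Value: `\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Windows\Directory`},
 kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.Uint64, Value: uint64(0)},
 },
 },
@@ -160,7 +160,7 @@ func TestRegistryProcessor(t *testing.T) {
 return hsnap
 },
 func(e *kevent.Kevent, t *testing.T, hsnap *handle.SnapshotterMock, p Processor) {
-assert.Equal(t, `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows\Directory`, e.GetParamAsString(kparams.RegKeyName))
+assert.Equal(t, `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows\Directory`, e.GetParamAsString(kparams.RegPath))
 assert.Equal(t, `REG_EXPAND_SZ`, e.GetParamAsString(kparams.RegValueType))
 assert.Equal(t, `%SystemRoot%`, e.GetParamAsString(kparams.RegValue))
 },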
