diff --git a/pkg/event/event_windows.go b/pkg/event/event_windows.go index 70ffb16ad..87c0f1485 100644 --- a/pkg/event/event_windows.go +++ b/pkg/event/event_windows.go @@ -21,6 +21,11 @@ package event import ( "encoding/binary" "fmt" + "os" + "strings" + "sync" + "unsafe" + "github.com/rabbitstack/fibratus/pkg/event/params" "github.com/rabbitstack/fibratus/pkg/sys" "github.com/rabbitstack/fibratus/pkg/sys/etw" @@ -29,10 +34,6 @@ import ( "github.com/rabbitstack/fibratus/pkg/util/hostname" "github.com/rabbitstack/fibratus/pkg/util/ntstatus" "golang.org/x/sys/windows" - "os" - "strings" - "sync" - "unsafe" ) var ( @@ -153,18 +154,6 @@ func (e *Event) IsDropped(capture bool) bool { // current process is dropped. func IsCurrentProcDropped(pid uint32) bool { return DropCurrentProc && pid == currentPid } -// DelayKey returns the value that is used to -// store and reference delayed events in the event -// backlog state. The delayed event is indexed by -// the sequence identifier. -func (e *Event) DelayKey() uint64 { - switch e.Type { - case CreateHandle, CloseHandle: - return e.Params.MustGetUint64(params.HandleObject) - } - return 0 -} - // IsNetworkTCP determines whether the event pertains to network TCP events. func (e *Event) IsNetworkTCP() bool { return e.Category == Net && !e.IsNetworkUDP() @@ -401,26 +390,6 @@ func (e *Event) PartialKey() uint64 { return 0 } -// BacklogKey represents the key used to index the events in the backlog store. -func (e *Event) BacklogKey() uint64 { - switch e.Type { - case CreateHandle, CloseHandle: - return e.Params.MustGetUint64(params.HandleObject) - } - return 0 -} - -// CopyState adds parameters, tags, or process state from the provided event. -func (e *Event) CopyState(evt *Event) { - switch evt.Type { - case CloseHandle: - if evt.Params.Contains(params.ImagePath) { - e.Params.Append(params.ImagePath, params.UnicodeString, evt.GetParamAsString(params.ImagePath)) - } - _ = e.Params.SetValue(params.HandleObjectName, evt.GetParamAsString(params.HandleObjectName)) - } -} - // Summary returns a brief summary of this event. Various important substrings // in the summary text are highlighted by surrounding them inside HTML tags. func (e *Event) Summary() string { diff --git a/pkg/event/queue.go b/pkg/event/queue.go index 31801ab5c..ddaa6c93c 100644 --- a/pkg/event/queue.go +++ b/pkg/event/queue.go @@ -20,15 +20,8 @@ package event import ( "expvar" - "github.com/golang/groupcache/lru" - "github.com/rabbitstack/fibratus/pkg/util/multierror" ) -// backlogCacheSize specifies the max size of the backlog cache. -// When the backlog cache size is reached, the oldest entries are -// removed from the cache. -const backlogCacheSize = 800 - // eventsEnqueued counts the number of events that are pushed to the queue var eventsEnqueued = expvar.NewInt("eventsource.events.enqueued") @@ -52,7 +45,6 @@ type Listener interface { type Queue struct { q chan *Event listeners []Listener - backlog *backlog decorator *StackwalkDecorator stackEnrichment bool enqueueAlways bool @@ -63,7 +55,6 @@ func NewQueue(size int, stackEnrichment bool, enqueueAlways bool) *Queue { q := &Queue{ q: make(chan *Event, size), listeners: make([]Listener, 0), - backlog: newBacklog(backlogCacheSize), stackEnrichment: stackEnrichment, enqueueAlways: enqueueAlways, } @@ -76,7 +67,6 @@ func NewQueueWithChannel(ch chan *Event, stackEnrichment bool, enqueueAlways boo q := &Queue{ q: ch, listeners: make([]Listener, 0), - backlog: newBacklog(backlogCacheSize), stackEnrichment: stackEnrichment, enqueueAlways: enqueueAlways, } @@ -128,14 +118,6 @@ func (q *Queue) Push(e *Event) error { e = q.decorator.Pop(e) } } - if isEventDelayed(e) { - q.backlog.put(e) - return nil - } - evt := q.backlog.pop(e) - if evt != nil { - return multierror.Wrap(q.push(evt), q.push(e)) - } // drop stack walk events if e.IsStackWalk() { return nil @@ -167,43 +149,3 @@ func (q *Queue) push(e *Event) error { } return nil } - -func isEventDelayed(e *Event) bool { - return e.IsCreateHandle() -} - -type backlog struct { - cache *lru.Cache -} - -func newBacklog(size int) *backlog { - return &backlog{cache: lru.New(size)} -} - -func (b *backlog) put(evt *Event) { - if b.cache.Len() > backlogCacheSize { - b.cache.RemoveOldest() - } - key := evt.BacklogKey() - if key != 0 { - b.cache.Add(key, evt) - } -} - -func (b *backlog) pop(evt *Event) *Event { - key := evt.BacklogKey() - if key == 0 { - return nil - } - ev, ok := b.cache.Get(key) - if !ok { - return nil - } - b.cache.Remove(key) - e := ev.(*Event) - e.CopyState(evt) - return e -} - -func (b *backlog) size() int { return b.cache.Len() } -func (b *backlog) empty() bool { return b.size() == 0 } diff --git a/pkg/event/queue_test.go b/pkg/event/queue_test.go index 56dea2d83..cd3fed7a0 100644 --- a/pkg/event/queue_test.go +++ b/pkg/event/queue_test.go @@ -20,14 +20,13 @@ package event import ( "errors" + "testing" + "time" + "github.com/rabbitstack/fibratus/pkg/event/params" "github.com/rabbitstack/fibratus/pkg/fs" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" - "github.com/stretchr/testify/require" - "reflect" - "testing" - "time" ) // AddParamListener receives the event and appends a parameter to it @@ -190,49 +189,3 @@ func TestQueuePush(t *testing.T) { }) } } - -func TestPushBacklog(t *testing.T) { - e := &Event{ - Type: CreateHandle, - Tid: 2484, - PID: 859, - Category: Handle, - Params: Params{ - params.HandleID: {Name: params.HandleID, Type: params.Uint32, Value: uint32(21)}, - params.HandleObjectTypeID: {Name: params.HandleObjectTypeID, Type: params.AnsiString, Value: "Key"}, - params.HandleObject: {Name: params.HandleObject, Type: params.Uint64, Value: uint64(18446692422059208560)}, - params.HandleObjectName: {Name: params.HandleObjectName, Type: params.UnicodeString, Value: ""}, - }, - Metadata: make(Metadata), - } - - q := NewQueue(100, false, true) - q.RegisterListener(&DummyListener{}) - - require.NoError(t, q.Push(e)) - require.Len(t, q.Events(), 0) - require.False(t, q.backlog.empty()) - - e1 := &Event{ - Type: CloseHandle, - Tid: 2484, - PID: 859, - Category: Handle, - Params: Params{ - params.HandleID: {Name: params.HandleID, Type: params.Uint32, Value: uint32(21)}, - params.HandleObjectTypeID: {Name: params.HandleObjectTypeID, Type: params.AnsiString, Value: "Key"}, - params.HandleObject: {Name: params.HandleObject, Type: params.Uint64, Value: uint64(18446692422059208560)}, - params.HandleObjectName: {Name: params.HandleObjectName, Type: params.UnicodeString, Value: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`}, - }, - Metadata: make(Metadata), - } - - require.NoError(t, q.Push(e1)) - require.True(t, q.backlog.empty()) - - ev := <-q.Events() - require.NotNil(t, ev) - assert.Equal(t, `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, ev.GetParamAsString(params.HandleObjectName)) - - require.True(t, reflect.DeepEqual(e1, <-q.Events())) -} diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml index 5af256764..62dcfd2ea 100644 --- a/rules/macros/macros.yml +++ b/rules/macros/macros.yml @@ -126,8 +126,6 @@ - macro: load_driver expr: > (load_module and (image.name iendswith '.sys' or image.is_driver)) - or - (create_handle and handle.type = 'Driver') description: | Detects the loading of the kernel driver. Image load events are published when executable images, DLLs, or driver PE objects are loaded. On the contrary, we can