From 9782a3555fdd62a4839432b64418647c13291ff9 Mon Sep 17 00:00:00 2001 From: rabbitstack Date: Sat, 20 Dec 2025 18:58:57 +0100 Subject: [PATCH] cleanup(event): Remove delay event logic Delay key logic only applies to handle events, which are rarely enabled due to its immense volume. For the sake of codebase simplicity and maintainability, we are sunsetting this functionality. --- pkg/event/event_windows.go | 41 ++++----------------------- pkg/event/queue.go | 58 -------------------------------------- pkg/event/queue_test.go | 53 ++-------------------------------- rules/macros/macros.yml | 2 -- 4 files changed, 8 insertions(+), 146 deletions(-) diff --git a/pkg/event/event_windows.go b/pkg/event/event_windows.go index 70ffb16ad..87c0f1485 100644 --- a/pkg/event/event_windows.go +++ b/pkg/event/event_windows.go @@ -21,6 +21,11 @@ package event import ( "encoding/binary" "fmt" + "os" + "strings" + "sync" + "unsafe" + "github.com/rabbitstack/fibratus/pkg/event/params" "github.com/rabbitstack/fibratus/pkg/sys" "github.com/rabbitstack/fibratus/pkg/sys/etw" @@ -29,10 +34,6 @@ import ( "github.com/rabbitstack/fibratus/pkg/util/hostname" "github.com/rabbitstack/fibratus/pkg/util/ntstatus" "golang.org/x/sys/windows" - "os" - "strings" - "sync" - "unsafe" ) var ( @@ -153,18 +154,6 @@ func (e *Event) IsDropped(capture bool) bool { // current process is dropped. func IsCurrentProcDropped(pid uint32) bool { return DropCurrentProc && pid == currentPid } -// DelayKey returns the value that is used to -// store and reference delayed events in the event -// backlog state. The delayed event is indexed by -// the sequence identifier. -func (e *Event) DelayKey() uint64 { - switch e.Type { - case CreateHandle, CloseHandle: - return e.Params.MustGetUint64(params.HandleObject) - } - return 0 -} - // IsNetworkTCP determines whether the event pertains to network TCP events. func (e *Event) IsNetworkTCP() bool { return e.Category == Net && !e.IsNetworkUDP() @@ -401,26 +390,6 @@ func (e *Event) PartialKey() uint64 { return 0 } -// BacklogKey represents the key used to index the events in the backlog store. -func (e *Event) BacklogKey() uint64 { - switch e.Type { - case CreateHandle, CloseHandle: - return e.Params.MustGetUint64(params.HandleObject) - } - return 0 -} - -// CopyState adds parameters, tags, or process state from the provided event. -func (e *Event) CopyState(evt *Event) { - switch evt.Type { - case CloseHandle: - if evt.Params.Contains(params.ImagePath) { - e.Params.Append(params.ImagePath, params.UnicodeString, evt.GetParamAsString(params.ImagePath)) - } - _ = e.Params.SetValue(params.HandleObjectName, evt.GetParamAsString(params.HandleObjectName)) - } -} - // Summary returns a brief summary of this event. Various important substrings // in the summary text are highlighted by surrounding them inside HTML tags. func (e *Event) Summary() string { diff --git a/pkg/event/queue.go b/pkg/event/queue.go index 31801ab5c..ddaa6c93c 100644 --- a/pkg/event/queue.go +++ b/pkg/event/queue.go @@ -20,15 +20,8 @@ package event import ( "expvar" - "github.com/golang/groupcache/lru" - "github.com/rabbitstack/fibratus/pkg/util/multierror" ) -// backlogCacheSize specifies the max size of the backlog cache. -// When the backlog cache size is reached, the oldest entries are -// removed from the cache. -const backlogCacheSize = 800 - // eventsEnqueued counts the number of events that are pushed to the queue var eventsEnqueued = expvar.NewInt("eventsource.events.enqueued") @@ -52,7 +45,6 @@ type Listener interface { type Queue struct { q chan *Event listeners []Listener - backlog *backlog decorator *StackwalkDecorator stackEnrichment bool enqueueAlways bool @@ -63,7 +55,6 @@ func NewQueue(size int, stackEnrichment bool, enqueueAlways bool) *Queue { q := &Queue{ q: make(chan *Event, size), listeners: make([]Listener, 0), - backlog: newBacklog(backlogCacheSize), stackEnrichment: stackEnrichment, enqueueAlways: enqueueAlways, } @@ -76,7 +67,6 @@ func NewQueueWithChannel(ch chan *Event, stackEnrichment bool, enqueueAlways boo q := &Queue{ q: ch, listeners: make([]Listener, 0), - backlog: newBacklog(backlogCacheSize), stackEnrichment: stackEnrichment, enqueueAlways: enqueueAlways, } @@ -128,14 +118,6 @@ func (q *Queue) Push(e *Event) error { e = q.decorator.Pop(e) } } - if isEventDelayed(e) { - q.backlog.put(e) - return nil - } - evt := q.backlog.pop(e) - if evt != nil { - return multierror.Wrap(q.push(evt), q.push(e)) - } // drop stack walk events if e.IsStackWalk() { return nil @@ -167,43 +149,3 @@ func (q *Queue) push(e *Event) error { } return nil } - -func isEventDelayed(e *Event) bool { - return e.IsCreateHandle() -} - -type backlog struct { - cache *lru.Cache -} - -func newBacklog(size int) *backlog { - return &backlog{cache: lru.New(size)} -} - -func (b *backlog) put(evt *Event) { - if b.cache.Len() > backlogCacheSize { - b.cache.RemoveOldest() - } - key := evt.BacklogKey() - if key != 0 { - b.cache.Add(key, evt) - } -} - -func (b *backlog) pop(evt *Event) *Event { - key := evt.BacklogKey() - if key == 0 { - return nil - } - ev, ok := b.cache.Get(key) - if !ok { - return nil - } - b.cache.Remove(key) - e := ev.(*Event) - e.CopyState(evt) - return e -} - -func (b *backlog) size() int { return b.cache.Len() } -func (b *backlog) empty() bool { return b.size() == 0 } diff --git a/pkg/event/queue_test.go b/pkg/event/queue_test.go index 56dea2d83..cd3fed7a0 100644 --- a/pkg/event/queue_test.go +++ b/pkg/event/queue_test.go @@ -20,14 +20,13 @@ package event import ( "errors" + "testing" + "time" + "github.com/rabbitstack/fibratus/pkg/event/params" "github.com/rabbitstack/fibratus/pkg/fs" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" - "github.com/stretchr/testify/require" - "reflect" - "testing" - "time" ) // AddParamListener receives the event and appends a parameter to it @@ -190,49 +189,3 @@ func TestQueuePush(t *testing.T) { }) } } - -func TestPushBacklog(t *testing.T) { - e := &Event{ - Type: CreateHandle, - Tid: 2484, - PID: 859, - Category: Handle, - Params: Params{ - params.HandleID: {Name: params.HandleID, Type: params.Uint32, Value: uint32(21)}, - params.HandleObjectTypeID: {Name: params.HandleObjectTypeID, Type: params.AnsiString, Value: "Key"}, - params.HandleObject: {Name: params.HandleObject, Type: params.Uint64, Value: uint64(18446692422059208560)}, - params.HandleObjectName: {Name: params.HandleObjectName, Type: params.UnicodeString, Value: ""}, - }, - Metadata: make(Metadata), - } - - q := NewQueue(100, false, true) - q.RegisterListener(&DummyListener{}) - - require.NoError(t, q.Push(e)) - require.Len(t, q.Events(), 0) - require.False(t, q.backlog.empty()) - - e1 := &Event{ - Type: CloseHandle, - Tid: 2484, - PID: 859, - Category: Handle, - Params: Params{ - params.HandleID: {Name: params.HandleID, Type: params.Uint32, Value: uint32(21)}, - params.HandleObjectTypeID: {Name: params.HandleObjectTypeID, Type: params.AnsiString, Value: "Key"}, - params.HandleObject: {Name: params.HandleObject, Type: params.Uint64, Value: uint64(18446692422059208560)}, - params.HandleObjectName: {Name: params.HandleObjectName, Type: params.UnicodeString, Value: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`}, - }, - Metadata: make(Metadata), - } - - require.NoError(t, q.Push(e1)) - require.True(t, q.backlog.empty()) - - ev := <-q.Events() - require.NotNil(t, ev) - assert.Equal(t, `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, ev.GetParamAsString(params.HandleObjectName)) - - require.True(t, reflect.DeepEqual(e1, <-q.Events())) -} diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml index 5af256764..62dcfd2ea 100644 --- a/rules/macros/macros.yml +++ b/rules/macros/macros.yml @@ -126,8 +126,6 @@ - macro: load_driver expr: > (load_module and (image.name iendswith '.sys' or image.is_driver)) - or - (create_handle and handle.type = 'Driver') description: | Detects the loading of the kernel driver. Image load events are published when executable images, DLLs, or driver PE objects are loaded. On the contrary, we can