feat(filter): Add file/image path stem field

pkg/filter/accessor_windows.go

@@ -21,17 +21,18 @@ package filter
 import (
 	"errors"
 	"expvar"
-	"github.com/rabbitstack/fibratus/pkg/fs"
-	"github.com/rabbitstack/fibratus/pkg/network"
-	psnap "github.com/rabbitstack/fibratus/pkg/ps"
-	"github.com/rabbitstack/fibratus/pkg/util/cmdline"
-	"github.com/rabbitstack/fibratus/pkg/util/signature"
 	"net"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
 
+	"github.com/rabbitstack/fibratus/pkg/fs"
+	"github.com/rabbitstack/fibratus/pkg/network"
+	psnap "github.com/rabbitstack/fibratus/pkg/ps"
+	"github.com/rabbitstack/fibratus/pkg/util/cmdline"
+	"github.com/rabbitstack/fibratus/pkg/util/signature"
+
 	"github.com/rabbitstack/fibratus/pkg/event"
 	"github.com/rabbitstack/fibratus/pkg/event/params"
 	"github.com/rabbitstack/fibratus/pkg/filter/fields"
@@ -777,6 +778,13 @@ func (l *fileAccessor) Get(f Field, e *event.Event) (params.Value, error) {
 	switch f.Name {
 	case fields.FilePath:
 		return e.GetParamAsString(params.FilePath), nil
+	case fields.FilePathStem:
+		path := e.GetParamAsString(params.FilePath)
+		n := strings.LastIndexByte(path, '.')
+		if n == -1 {
+			return path, nil
+		}
+		return path[:n], nil
 	case fields.FileName:
 		return filepath.Base(e.GetParamAsString(params.FilePath)), nil
 	case fields.FileExtension:
@@ -925,6 +933,13 @@ func (i *imageAccessor) Get(f Field, e *event.Event) (params.Value, error) {
 	switch f.Name {
 	case fields.ImagePath:
 		return e.GetParamAsString(params.ImagePath), nil
+	case fields.ImagePathStem:
+		path := e.GetParamAsString(params.ImagePath)
+		n := strings.LastIndexByte(path, '.')
+		if n == -1 {
+			return path, nil
+		}
+		return path[:n], nil
 	case fields.ImageName:
 		return filepath.Base(e.GetParamAsString(params.ImagePath)), nil
 	case fields.ImageDefaultAddress:

pkg/filter/fields/fields_windows.go

@@ -450,6 +450,8 @@ const (
 	FileName Field = "file.name"
 	// FilePath represents the file full path (e.g. C:\Windows\System32\cmd.exe)
 	FilePath Field = "file.path"
+	// FilePathStem represents the full file path without extension (e.g. C:\Windows\System32\cmd)
+	FilePathStem Field = "file.path.stem"
 	// FileExtension represents the file extension (e.g. .exe or .dll)
 	FileExtension Field = "file.extension"
 	// FileOperation represents the file operation (e.g. create)
@@ -522,6 +524,8 @@ const (
 	ImageDefaultAddress Field = "image.default.address"
 	// ImagePath is the module full path
 	ImagePath Field = "image.path"
+	// ImagePathStem represents the full module path without extension
+	ImagePathStem Field = "image.path.stem"
 	// ImageName is the module name
 	ImageName Field = "image.name"
 	// ImagePID is the pid of the process where the image was loaded
@@ -997,6 +1001,7 @@ var fields = map[Field]FieldInfo{
 	ThreadCallstackFinalUserModuleSignatureCertSubject: {ThreadCallstackFinalUserModuleSignatureCertSubject, "final user space stack frame module signature certificate subject", params.UnicodeString, []string{"thread.callstack.final_user_module.signature.cert.subject imatches '*Microsoft Windows*'"}, nil, nil},
 
 	ImagePath:               {ImagePath, "full image path", params.UnicodeString, []string{"image.patj = 'C:\\Windows\\System32\\advapi32.dll'"}, nil, nil},
+	ImagePathStem:           {ImagePathStem, "full image path without extension", params.UnicodeString, []string{"image.path.stem = 'C:\\Windows\\System32\\advapi32'"}, nil, nil},
 	ImageName:               {ImageName, "image name", params.UnicodeString, []string{"image.name = 'advapi32.dll'"}, nil, nil},
 	ImageBase:               {ImageBase, "the base address of process in which the image is loaded", params.Address, []string{"image.base.address = 'a65d800000'"}, nil, nil},
 	ImageChecksum:           {ImageChecksum, "image checksum", params.Uint32, []string{"image.checksum = 746424"}, nil, nil},
@@ -1019,6 +1024,7 @@ var fields = map[Field]FieldInfo{
 
 	FileObject:                      {FileObject, "file object address", params.Uint64, []string{"file.object = 18446738026482168384"}, nil, nil},
 	FilePath:                        {FilePath, "full file path", params.UnicodeString, []string{"file.path = 'C:\\Windows\\System32'"}, nil, nil},
+	FilePathStem:                    {FilePathStem, "full file path without extension", params.UnicodeString, []string{"file.path.stem = 'C:\\Windows\\System32\\cmd'"}, nil, nil},
 	FileName:                        {FileName, "full file name", params.UnicodeString, []string{"file.name contains 'mimikatz'"}, nil, nil},
 	FileOperation:                   {FileOperation, "file operation", params.AnsiString, []string{"file.operation = 'open'"}, nil, nil},
 	FileShareMask:                   {FileShareMask, "file share mask", params.AnsiString, []string{"file.share.mask = 'rw-'"}, nil, nil},

pkg/filter/filter_test.go

@@ -629,6 +629,7 @@ func TestFileFilter(t *testing.T) {
 		{`file.path ifuzzy 'C:\\WINDOWS\\sYS\\32dll'`, true},
 		{`file.path fuzzy ('C:\\Windows\\system32\\kernel', 'C:\\Windows\\system32\\ser3ll')`, true},
 		{`file.path ifuzzynorm 'C:\\WINDOWS\\sÝS\\32dll'`, true},
+		{`file.path.stem = 'C:\\Windows\\system32\\user32'`, true},
 		{`base(file.path) = 'user32.dll'`, true},
 		{`ext(base(file.path)) = '.dll'`, true},
 		{`base(file.path, false) = 'user32'`, true},
@@ -972,6 +973,7 @@ func TestImageFilter(t *testing.T) {
 		{`image.signature.level = 'AUTHENTICODE'`, true},
 		{`image.pid = 1023`, true},
 		{`image.path endswith 'System32\\kernel32.dll'`, true},
+		{`image.path.stem endswith 'System32\\kernel32'`, true},
 		{`image.name = 'kernel32.dll'`, true},
 		{`image.checksum = 2323432`, true},
 		{`image.base.address = '7ffb313833a3'`, true},