new generation fibratus initial commit

.gitignore

@@ -1,24 +1,8 @@
-/fibratus/__pycache__
-/.cache
-.coverage
-coverage.xml
-/.idea
-/build
-/kstream/build
-/kstream/*.pyd
-/kstream/*.c
-/kstream/*.cpp
-/tests/.cache
-/tests/__pycache__
-/tests/*/__pycache__
-/tests/*/.cache
-/tests/htmlcov
-/tests/.coverage
-/tests/unit/.coverage
-/tests/*/htmlcov
-/tests/coverage.xml
-/tests/*/coverage.xml
-/kstreamc.pyd
-/htmlcov
-dist
-fibratus.egg-info
+cmd/fibratus/fibratus.exe
+cmd/fibratus/fibratus.syso
+
+build/package/release
+build/package/*.exe
+
+.idea
+filaments/__pycache__

build/package/LICENSE.txt

@@ -0,0 +1,11 @@
+Copyright 2019-2020 by Nedim Sabic Sabic
+
+All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 
+CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

build/package/fibratus.nsi

@@ -0,0 +1,163 @@
+!define APPNAME "Fibratus"
+!define COMPANYNAME "Fibratus"
+!define DESCRIPTION "Fibratus is a modern tool for exploration and tracing of the Windows kernel"
+
+
+# These will be displayed by the "Click here for support information" link in "Add/Remove Programs"
+!define HELPURL "https://www.fibratus.io" # "Support Information" link
+!define UPDATEURL "https://www.fibratus.io" # "Product Updates" link
+!define ABOUTURL "https://www.fibratus.io" # "Publisher" link
+
+RequestExecutionLevel admin ;Require admin rights on NT6+ (When UAC is turned on)
+
+InstallDir "$PROGRAMFILES64\${COMPANYNAME}"
+!define UNINSTALLDIR "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME}"
+BrandingText " "
+
+# This will be in the installer/uninstaller's title bar
+Name "${APPNAME}"
+OutFile "fibratus-${VERSION}-amd64.exe"
+
+!include "LogicLib.nsh"
+!include "MUI2.nsh"       ; Modern UI
+
+!define MUI_FINISHPAGE_NOAUTOCLOSE
+!define MUI_UNFINISHPAGE_NOAUTOCLOSE
+
+!insertmacro MUI_PAGE_WELCOME
+!insertmacro MUI_PAGE_LICENSE "LICENSE.txt"
+!insertmacro MUI_PAGE_INSTFILES
+!insertmacro MUI_PAGE_FINISH
+
+!insertmacro MUI_UNPAGE_WELCOME
+!insertmacro MUI_UNPAGE_CONFIRM
+!insertmacro MUI_UNPAGE_INSTFILES
+!insertmacro MUI_UNPAGE_FINISH
+
+; Set languages (first is default language)
+;!insertmacro MUI_LANGUAGE "English"
+!define MUI_LANGDLL_ALLLANGUAGES
+;Languages
+
+  !insertmacro MUI_LANGUAGE "English"
+  !insertmacro MUI_LANGUAGE "French"
+  !insertmacro MUI_LANGUAGE "TradChinese"
+  !insertmacro MUI_LANGUAGE "Spanish"
+  !insertmacro MUI_LANGUAGE "Hungarian"
+  !insertmacro MUI_LANGUAGE "Russian"
+  !insertmacro MUI_LANGUAGE "German"
+  !insertmacro MUI_LANGUAGE "Dutch"
+  !insertmacro MUI_LANGUAGE "SimpChinese"
+  !insertmacro MUI_LANGUAGE "Italian"
+  !insertmacro MUI_LANGUAGE "Danish"
+  !insertmacro MUI_LANGUAGE "Polish"
+  !insertmacro MUI_LANGUAGE "Czech"
+  !insertmacro MUI_LANGUAGE "Slovenian"
+  !insertmacro MUI_LANGUAGE "Slovak"
+  !insertmacro MUI_LANGUAGE "Swedish"
+  !insertmacro MUI_LANGUAGE "Norwegian"
+  !insertmacro MUI_LANGUAGE "PortugueseBR"
+  !insertmacro MUI_LANGUAGE "Ukrainian"
+  !insertmacro MUI_LANGUAGE "Turkish"
+  !insertmacro MUI_LANGUAGE "Catalan"
+  !insertmacro MUI_LANGUAGE "Arabic"
+  !insertmacro MUI_LANGUAGE "Lithuanian"
+  !insertmacro MUI_LANGUAGE "Finnish"
+  !insertmacro MUI_LANGUAGE "Greek"
+  !insertmacro MUI_LANGUAGE "Korean"
+  !insertmacro MUI_LANGUAGE "Hebrew"
+  !insertmacro MUI_LANGUAGE "Portuguese"
+  !insertmacro MUI_LANGUAGE "Farsi"
+  !insertmacro MUI_LANGUAGE "Bulgarian"
+  !insertmacro MUI_LANGUAGE "Indonesian"
+  !insertmacro MUI_LANGUAGE "Japanese"
+  !insertmacro MUI_LANGUAGE "Croatian"
+  !insertmacro MUI_LANGUAGE "Serbian"
+  !insertmacro MUI_LANGUAGE "Thai"
+  !insertmacro MUI_LANGUAGE "NorwegianNynorsk"
+  !insertmacro MUI_LANGUAGE "Belarusian"
+  !insertmacro MUI_LANGUAGE "Albanian"
+  !insertmacro MUI_LANGUAGE "Malay"
+  !insertmacro MUI_LANGUAGE "Galician"
+  !insertmacro MUI_LANGUAGE "Basque"
+  !insertmacro MUI_LANGUAGE "Luxembourgish"
+  !insertmacro MUI_LANGUAGE "Afrikaans"
+  !insertmacro MUI_LANGUAGE "Uzbek"
+  !insertmacro MUI_LANGUAGE "Macedonian"
+  !insertmacro MUI_LANGUAGE "Latvian"
+  !insertmacro MUI_LANGUAGE "Bosnian"
+  !insertmacro MUI_LANGUAGE "Mongolian"
+  !insertmacro MUI_LANGUAGE "Estonian"
+
+!insertmacro MUI_RESERVEFILE_LANGDLL
+
+Function .onInit
+
+  !insertmacro MUI_LANGDLL_DISPLAY
+
+FunctionEnd
+
+Section "Install"
+	# Files for the install directory
+	SetOutPath $INSTDIR
+
+    # Create directories
+    CreateDirectory $INSTDIR\Logs
+
+	# Files added here should be removed by the uninstaller
+	File /r "release\Bin"
+	File /r "release\Config"
+	File /r /x .idea /x __pycache__ "release\Filaments"
+	File /r "release\Python"
+
+	# Uninstaller - See function un.onInit and section "uninstall" for configuration
+	WriteUninstaller "$INSTDIR\uninstall.exe"
+
+	# Registry information for add/remove programs
+	WriteRegStr HKLM "${UNINSTALLDIR}" "DisplayName" "${APPNAME} - ${DESCRIPTION}"
+	WriteRegStr HKLM "${UNINSTALLDIR}" "UninstallString" "$\"$INSTDIR\uninstall.exe$\""
+	WriteRegStr HKLM "${UNINSTALLDIR}" "QuietUninstallString" "$\"$INSTDIR\uninstall.exe$\" /S"
+	WriteRegStr HKLM "${UNINSTALLDIR}" "InstallLocation" "$\"$INSTDIR$\""
+	WriteRegStr HKLM "${UNINSTALLDIR}" "Publisher" "${COMPANYNAME}"
+	WriteRegStr HKLM "${UNINSTALLDIR}" "HelpLink" "$\"${HELPURL}$\""
+	WriteRegStr HKLM "${UNINSTALLDIR}" "URLUpdateInfo" "$\"${UPDATEURL}$\""
+	WriteRegStr HKLM "${UNINSTALLDIR}" "URLInfoAbout" "$\"${ABOUTURL}$\""
+	WriteRegStr HKLM "${UNINSTALLDIR}" "DisplayVersion" "${VERSION}"
+
+    # There is no option for modifying or repairing the install
+	WriteRegDWORD HKLM "${UNINSTALLDIR}" "NoModify" 1
+	WriteRegDWORD HKLM "${UNINSTALLDIR}" "NoRepair" 1
+
+    # Set the INSTALLSIZE constant (!defined at the top of this script) so Add/Remove Programs can accurately report the size
+	WriteRegDWORD HKLM "${UNINSTALLDIR}" "EstimatedSize" ${INSTALLSIZE}
+
+	# Add executable to PATH
+	EnVar::SetHKCU
+	EnVar::AddValue "Path" "$INSTDIR\Bin\"
+
+
+SectionEnd
+
+Section "Uninstall"
+
+	# Remove uninstalled executable from PATH
+	EnVar::SetHKCU
+    EnVar::DeleteValue  "Path" "$INSTDIR\Bin\"
+
+	# Remove files/directories
+	RMDir /r /REBOOTOK $INSTDIR\Bin
+	RMDir /r /REBOOTOK $INSTDIR\Logs
+	RMDir /r /REBOOTOK $INSTDIR\Config
+    RMDir /r /REBOOTOK $INSTDIR\Filaments
+    RMDir /r /REBOOTOK $INSTDIR\Python
+
+	# Always delete uninstaller as the last action
+	Delete /REBOOTOK $INSTDIR\uninstall.exe
+
+	# Try to remove the install directory - this will only happen if it is empty
+	RmDir /REBOOTOK $INSTDIR
+
+	# Remove uninstaller information from the registry
+	DeleteRegKey HKLM "${UNINSTALLDIR}"
+
+SectionEnd

cmd/fibratus/app/capture.go

@@ -0,0 +1,143 @@
+/*
+ * Copyright 2019-2020 by Nedim Sabic Sabic
+ * https://www.fibratus.io
+ * All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package app
+
+import (
+	"github.com/rabbitstack/fibratus/pkg/api"
+	"github.com/rabbitstack/fibratus/pkg/config"
+	"github.com/rabbitstack/fibratus/pkg/filter"
+	"github.com/rabbitstack/fibratus/pkg/handle"
+	"github.com/rabbitstack/fibratus/pkg/kcap"
+	"github.com/rabbitstack/fibratus/pkg/kstream"
+	"github.com/rabbitstack/fibratus/pkg/ps"
+	"github.com/rabbitstack/fibratus/pkg/syscall/security"
+	logger "github.com/rabbitstack/fibratus/pkg/util/log"
+	"github.com/rabbitstack/fibratus/pkg/util/spinner"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"os"
+	"os/signal"
+	"time"
+)
+
+var captureCmd = &cobra.Command{
+	Use:   "capture [filter]",
+	Short: "Capture kernel event stream to the kcap file",
+	RunE:  capture,
+}
+
+var captureConfig = config.NewWithOpts(config.WithCapture())
+
+func init() {
+	captureConfig.MustViperize(captureCmd)
+}
+
+func capture(cmd *cobra.Command, args []string) error {
+	if err := captureConfig.TryLoadFile(captureConfig.File()); err != nil {
+		return err
+	}
+	if err := captureConfig.Init(); err != nil {
+		return err
+	}
+	if err := captureConfig.Validate(); err != nil {
+		return err
+	}
+	if captureConfig.DebugPrivilege {
+		security.SetDebugPrivilege()
+	}
+	if err := logger.InitFromConfig(captureConfig.Log); err != nil {
+		return err
+	}
+
+	spin := spinner.Show("Snapshotting processes and handles")
+	// make sure to not wait more than a minute if system handle enumeration
+	// got stuck or taking too much time to complete.
+	wait := make(chan struct{}, 1)
+	deadline := time.AfterFunc(time.Minute, func() {
+		wait <- struct{}{}
+	})
+	cb := func(total uint64, withName uint64) {
+		deadline.Stop()
+		spin.Stop()
+		wait <- struct{}{}
+	}
+
+	// the capture will start after all system handles have been enumerated. This gives us a
+	// chance to build the handle state before writing the event flow
+	hsnap := handle.NewSnapshotter(captureConfig, cb)
+	psnap := ps.NewSnapshotter(hsnap, captureConfig)
+
+	// we'll start writing to the kcap file once we receive on the wait channel
+	<-wait
+
+	// initiate the kernel trace and start consuming from the event stream
+	ktracec := kstream.NewKtraceController(captureConfig.Kstream)
+	err := ktracec.StartKtrace()
+	if err != nil {
+		return err
+	}
+	defer ktracec.CloseKtrace()
+
+	kstreamc := kstream.NewConsumer(ktracec, psnap, hsnap, captureConfig)
+	kfilter, err := filter.NewFromCLI(args)
+	if err != nil {
+		return err
+	}
+	if kfilter != nil {
+		kstreamc.SetFilter(kfilter)
+	}
+	err = kstreamc.OpenKstream()
+	if err != nil {
+		return err
+	}
+	defer kstreamc.CloseKstream()
+
+	// bootstrap kcap writer with inbound event channel
+	writer, err := kcap.NewWriter(captureConfig.KcapFile, psnap, hsnap)
+	if err != nil {
+		return err
+	}
+	errsc := writer.Write(kstreamc.Events(), kstreamc.Errors())
+	go func() {
+		for err := range errsc {
+			log.Warnf("fail to write event to kcap: %v", err)
+		}
+	}()
+
+	// start rendering the spinner
+	spin = spinner.Show("Capturing")
+
+	// start the HTTP server
+	if err := api.StartServer(captureConfig); err != nil {
+		return err
+	}
+
+	signal.Notify(sig, os.Kill, os.Interrupt)
+	<-sig
+	spin.Stop()
+
+	if err := writer.Close(); err != nil {
+		return err
+	}
+	if err := api.CloseServer(); err != nil {
+		return err
+	}
+
+	return nil
+}