diff --git a/.gitignore b/.gitignore index e8b82ccc1..a43f99d63 100644 --- a/.gitignore +++ b/.gitignore @@ -1,24 +1,8 @@ -/fibratus/__pycache__ -/.cache -.coverage -coverage.xml -/.idea -/build -/kstream/build -/kstream/*.pyd -/kstream/*.c -/kstream/*.cpp -/tests/.cache -/tests/__pycache__ -/tests/*/__pycache__ -/tests/*/.cache -/tests/htmlcov -/tests/.coverage -/tests/unit/.coverage -/tests/*/htmlcov -/tests/coverage.xml -/tests/*/coverage.xml -/kstreamc.pyd -/htmlcov -dist -fibratus.egg-info \ No newline at end of file +cmd/fibratus/fibratus.exe +cmd/fibratus/fibratus.syso + +build/package/release +build/package/*.exe + +.idea +filaments/__pycache__ diff --git a/.landscape.yml b/.landscape.yml deleted file mode 100644 index e9816b1b0..000000000 --- a/.landscape.yml +++ /dev/null @@ -1,4 +0,0 @@ -ignore-paths: - - filaments -python-targets: - - 3 \ No newline at end of file diff --git a/MANIFEST.in b/MANIFEST.in deleted file mode 100644 index 9a961e1f1..000000000 --- a/MANIFEST.in +++ /dev/null @@ -1,8 +0,0 @@ -recursive-include filaments * -recursive-include kstream *.pxd - -include fibratus.yml -include requirements.txt -include LICENSE.MD - -recursive-exclude * __pycache__ \ No newline at end of file diff --git a/appveyor.yml b/appveyor.yml deleted file mode 100644 index 4305133b7..000000000 --- a/appveyor.yml +++ /dev/null @@ -1,28 +0,0 @@ -environment: - - MSVS_VERSION: 2015 - - matrix: - - PYTHON: "C:\\Python34-x64" - DISTUTILS_USE_SDK: "1" - -platform: - - x64 - -install: - - call "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" x64 - - "SET PATH=%PYTHON%;%PYTHON%\\Scripts;%PATH%" - - "pip install -r requirements.txt" - -build_script: - - call "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" x64 - - "python setup.py build_ext install" - -test_script: - - py.test tests/" - -artifacts: - - path: dist\* - -on_success: - - "codecov" diff --git a/build/package/LICENSE.txt b/build/package/LICENSE.txt new file mode 100644 index 000000000..d9eb5356b --- /dev/null +++ b/build/package/LICENSE.txt @@ -0,0 +1,11 @@ +Copyright 2019-2020 by Nedim Sabic Sabic + +All Rights Reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. diff --git a/build/package/fibratus.nsi b/build/package/fibratus.nsi new file mode 100644 index 000000000..6d95f15cb --- /dev/null +++ b/build/package/fibratus.nsi @@ -0,0 +1,163 @@ +!define APPNAME "Fibratus" +!define COMPANYNAME "Fibratus" +!define DESCRIPTION "Fibratus is a modern tool for exploration and tracing of the Windows kernel" + + +# These will be displayed by the "Click here for support information" link in "Add/Remove Programs" +!define HELPURL "https://www.fibratus.io" # "Support Information" link +!define UPDATEURL "https://www.fibratus.io" # "Product Updates" link +!define ABOUTURL "https://www.fibratus.io" # "Publisher" link + +RequestExecutionLevel admin ;Require admin rights on NT6+ (When UAC is turned on) + +InstallDir "$PROGRAMFILES64\${COMPANYNAME}" +!define UNINSTALLDIR "Software\Microsoft\Windows\CurrentVersion\Uninstall\${COMPANYNAME}" +BrandingText " " + +# This will be in the installer/uninstaller's title bar +Name "${APPNAME}" +OutFile "fibratus-${VERSION}-amd64.exe" + +!include "LogicLib.nsh" +!include "MUI2.nsh" ; Modern UI + +!define MUI_FINISHPAGE_NOAUTOCLOSE +!define MUI_UNFINISHPAGE_NOAUTOCLOSE + +!insertmacro MUI_PAGE_WELCOME +!insertmacro MUI_PAGE_LICENSE "LICENSE.txt" +!insertmacro MUI_PAGE_INSTFILES +!insertmacro MUI_PAGE_FINISH + +!insertmacro MUI_UNPAGE_WELCOME +!insertmacro MUI_UNPAGE_CONFIRM +!insertmacro MUI_UNPAGE_INSTFILES +!insertmacro MUI_UNPAGE_FINISH + +; Set languages (first is default language) +;!insertmacro MUI_LANGUAGE "English" +!define MUI_LANGDLL_ALLLANGUAGES +;Languages + + !insertmacro MUI_LANGUAGE "English" + !insertmacro MUI_LANGUAGE "French" + !insertmacro MUI_LANGUAGE "TradChinese" + !insertmacro MUI_LANGUAGE "Spanish" + !insertmacro MUI_LANGUAGE "Hungarian" + !insertmacro MUI_LANGUAGE "Russian" + !insertmacro MUI_LANGUAGE "German" + !insertmacro MUI_LANGUAGE "Dutch" + !insertmacro MUI_LANGUAGE "SimpChinese" + !insertmacro MUI_LANGUAGE "Italian" + !insertmacro MUI_LANGUAGE "Danish" + !insertmacro MUI_LANGUAGE "Polish" + !insertmacro MUI_LANGUAGE "Czech" + !insertmacro MUI_LANGUAGE "Slovenian" + !insertmacro MUI_LANGUAGE "Slovak" + !insertmacro MUI_LANGUAGE "Swedish" + !insertmacro MUI_LANGUAGE "Norwegian" + !insertmacro MUI_LANGUAGE "PortugueseBR" + !insertmacro MUI_LANGUAGE "Ukrainian" + !insertmacro MUI_LANGUAGE "Turkish" + !insertmacro MUI_LANGUAGE "Catalan" + !insertmacro MUI_LANGUAGE "Arabic" + !insertmacro MUI_LANGUAGE "Lithuanian" + !insertmacro MUI_LANGUAGE "Finnish" + !insertmacro MUI_LANGUAGE "Greek" + !insertmacro MUI_LANGUAGE "Korean" + !insertmacro MUI_LANGUAGE "Hebrew" + !insertmacro MUI_LANGUAGE "Portuguese" + !insertmacro MUI_LANGUAGE "Farsi" + !insertmacro MUI_LANGUAGE "Bulgarian" + !insertmacro MUI_LANGUAGE "Indonesian" + !insertmacro MUI_LANGUAGE "Japanese" + !insertmacro MUI_LANGUAGE "Croatian" + !insertmacro MUI_LANGUAGE "Serbian" + !insertmacro MUI_LANGUAGE "Thai" + !insertmacro MUI_LANGUAGE "NorwegianNynorsk" + !insertmacro MUI_LANGUAGE "Belarusian" + !insertmacro MUI_LANGUAGE "Albanian" + !insertmacro MUI_LANGUAGE "Malay" + !insertmacro MUI_LANGUAGE "Galician" + !insertmacro MUI_LANGUAGE "Basque" + !insertmacro MUI_LANGUAGE "Luxembourgish" + !insertmacro MUI_LANGUAGE "Afrikaans" + !insertmacro MUI_LANGUAGE "Uzbek" + !insertmacro MUI_LANGUAGE "Macedonian" + !insertmacro MUI_LANGUAGE "Latvian" + !insertmacro MUI_LANGUAGE "Bosnian" + !insertmacro MUI_LANGUAGE "Mongolian" + !insertmacro MUI_LANGUAGE "Estonian" + +!insertmacro MUI_RESERVEFILE_LANGDLL + +Function .onInit + + !insertmacro MUI_LANGDLL_DISPLAY + +FunctionEnd + +Section "Install" + # Files for the install directory + SetOutPath $INSTDIR + + # Create directories + CreateDirectory $INSTDIR\Logs + + # Files added here should be removed by the uninstaller + File /r "release\Bin" + File /r "release\Config" + File /r /x .idea /x __pycache__ "release\Filaments" + File /r "release\Python" + + # Uninstaller - See function un.onInit and section "uninstall" for configuration + WriteUninstaller "$INSTDIR\uninstall.exe" + + # Registry information for add/remove programs + WriteRegStr HKLM "${UNINSTALLDIR}" "DisplayName" "${APPNAME} - ${DESCRIPTION}" + WriteRegStr HKLM "${UNINSTALLDIR}" "UninstallString" "$\"$INSTDIR\uninstall.exe$\"" + WriteRegStr HKLM "${UNINSTALLDIR}" "QuietUninstallString" "$\"$INSTDIR\uninstall.exe$\" /S" + WriteRegStr HKLM "${UNINSTALLDIR}" "InstallLocation" "$\"$INSTDIR$\"" + WriteRegStr HKLM "${UNINSTALLDIR}" "Publisher" "${COMPANYNAME}" + WriteRegStr HKLM "${UNINSTALLDIR}" "HelpLink" "$\"${HELPURL}$\"" + WriteRegStr HKLM "${UNINSTALLDIR}" "URLUpdateInfo" "$\"${UPDATEURL}$\"" + WriteRegStr HKLM "${UNINSTALLDIR}" "URLInfoAbout" "$\"${ABOUTURL}$\"" + WriteRegStr HKLM "${UNINSTALLDIR}" "DisplayVersion" "${VERSION}" + + # There is no option for modifying or repairing the install + WriteRegDWORD HKLM "${UNINSTALLDIR}" "NoModify" 1 + WriteRegDWORD HKLM "${UNINSTALLDIR}" "NoRepair" 1 + + # Set the INSTALLSIZE constant (!defined at the top of this script) so Add/Remove Programs can accurately report the size + WriteRegDWORD HKLM "${UNINSTALLDIR}" "EstimatedSize" ${INSTALLSIZE} + + # Add executable to PATH + EnVar::SetHKCU + EnVar::AddValue "Path" "$INSTDIR\Bin\" + + +SectionEnd + +Section "Uninstall" + + # Remove uninstalled executable from PATH + EnVar::SetHKCU + EnVar::DeleteValue "Path" "$INSTDIR\Bin\" + + # Remove files/directories + RMDir /r /REBOOTOK $INSTDIR\Bin + RMDir /r /REBOOTOK $INSTDIR\Logs + RMDir /r /REBOOTOK $INSTDIR\Config + RMDir /r /REBOOTOK $INSTDIR\Filaments + RMDir /r /REBOOTOK $INSTDIR\Python + + # Always delete uninstaller as the last action + Delete /REBOOTOK $INSTDIR\uninstall.exe + + # Try to remove the install directory - this will only happen if it is empty + RmDir /REBOOTOK $INSTDIR + + # Remove uninstaller information from the registry + DeleteRegKey HKLM "${UNINSTALLDIR}" + +SectionEnd diff --git a/cmd/fibratus/app/capture.go b/cmd/fibratus/app/capture.go new file mode 100644 index 000000000..15ab22cf9 --- /dev/null +++ b/cmd/fibratus/app/capture.go @@ -0,0 +1,143 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package app + +import ( + "github.com/rabbitstack/fibratus/pkg/api" + "github.com/rabbitstack/fibratus/pkg/config" + "github.com/rabbitstack/fibratus/pkg/filter" + "github.com/rabbitstack/fibratus/pkg/handle" + "github.com/rabbitstack/fibratus/pkg/kcap" + "github.com/rabbitstack/fibratus/pkg/kstream" + "github.com/rabbitstack/fibratus/pkg/ps" + "github.com/rabbitstack/fibratus/pkg/syscall/security" + logger "github.com/rabbitstack/fibratus/pkg/util/log" + "github.com/rabbitstack/fibratus/pkg/util/spinner" + log "github.com/sirupsen/logrus" + "github.com/spf13/cobra" + "os" + "os/signal" + "time" +) + +var captureCmd = &cobra.Command{ + Use: "capture [filter]", + Short: "Capture kernel event stream to the kcap file", + RunE: capture, +} + +var captureConfig = config.NewWithOpts(config.WithCapture()) + +func init() { + captureConfig.MustViperize(captureCmd) +} + +func capture(cmd *cobra.Command, args []string) error { + if err := captureConfig.TryLoadFile(captureConfig.File()); err != nil { + return err + } + if err := captureConfig.Init(); err != nil { + return err + } + if err := captureConfig.Validate(); err != nil { + return err + } + if captureConfig.DebugPrivilege { + security.SetDebugPrivilege() + } + if err := logger.InitFromConfig(captureConfig.Log); err != nil { + return err + } + + spin := spinner.Show("Snapshotting processes and handles") + // make sure to not wait more than a minute if system handle enumeration + // got stuck or taking too much time to complete. + wait := make(chan struct{}, 1) + deadline := time.AfterFunc(time.Minute, func() { + wait <- struct{}{} + }) + cb := func(total uint64, withName uint64) { + deadline.Stop() + spin.Stop() + wait <- struct{}{} + } + + // the capture will start after all system handles have been enumerated. This gives us a + // chance to build the handle state before writing the event flow + hsnap := handle.NewSnapshotter(captureConfig, cb) + psnap := ps.NewSnapshotter(hsnap, captureConfig) + + // we'll start writing to the kcap file once we receive on the wait channel + <-wait + + // initiate the kernel trace and start consuming from the event stream + ktracec := kstream.NewKtraceController(captureConfig.Kstream) + err := ktracec.StartKtrace() + if err != nil { + return err + } + defer ktracec.CloseKtrace() + + kstreamc := kstream.NewConsumer(ktracec, psnap, hsnap, captureConfig) + kfilter, err := filter.NewFromCLI(args) + if err != nil { + return err + } + if kfilter != nil { + kstreamc.SetFilter(kfilter) + } + err = kstreamc.OpenKstream() + if err != nil { + return err + } + defer kstreamc.CloseKstream() + + // bootstrap kcap writer with inbound event channel + writer, err := kcap.NewWriter(captureConfig.KcapFile, psnap, hsnap) + if err != nil { + return err + } + errsc := writer.Write(kstreamc.Events(), kstreamc.Errors()) + go func() { + for err := range errsc { + log.Warnf("fail to write event to kcap: %v", err) + } + }() + + // start rendering the spinner + spin = spinner.Show("Capturing") + + // start the HTTP server + if err := api.StartServer(captureConfig); err != nil { + return err + } + + signal.Notify(sig, os.Kill, os.Interrupt) + <-sig + spin.Stop() + + if err := writer.Close(); err != nil { + return err + } + if err := api.CloseServer(); err != nil { + return err + } + + return nil +} diff --git a/cmd/fibratus/app/config.go b/cmd/fibratus/app/config.go new file mode 100644 index 000000000..1217ada8f --- /dev/null +++ b/cmd/fibratus/app/config.go @@ -0,0 +1,60 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package app + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/config" + "github.com/rabbitstack/fibratus/pkg/util/rest" + "github.com/spf13/cobra" + "os" +) + +var configCmd = &cobra.Command{ + Use: "config", + Short: "Show runtime config", + RunE: printConfig, +} + +var c = config.NewWithOpts(config.WithStats()) + +func init() { + c.MustViperize(configCmd) +} + +func printConfig(cmd *cobra.Command, args []string) error { + if err := c.TryLoadFile(c.File()); err != nil { + return err + } + if err := c.Init(); err != nil { + return err + } + if err := c.Validate(); err != nil { + return err + } + body, err := rest.Get(rest.WithTransport(c.API.Transport), rest.WithURI("config")) + if err != nil { + return err + } + _, err = fmt.Fprintln(os.Stdout, string(body)) + if err != nil { + return err + } + return nil +} diff --git a/cmd/fibratus/app/control_service.go b/cmd/fibratus/app/control_service.go new file mode 100644 index 000000000..c66904628 --- /dev/null +++ b/cmd/fibratus/app/control_service.go @@ -0,0 +1,265 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package app + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/aggregator" + "github.com/rabbitstack/fibratus/pkg/api" + "github.com/rabbitstack/fibratus/pkg/config" + "github.com/rabbitstack/fibratus/pkg/handle" + "github.com/rabbitstack/fibratus/pkg/kstream" + "github.com/rabbitstack/fibratus/pkg/outputs" + "github.com/rabbitstack/fibratus/pkg/ps" + "github.com/rabbitstack/fibratus/pkg/syscall/security" + logger "github.com/rabbitstack/fibratus/pkg/util/log" + "github.com/spf13/cobra" + "golang.org/x/sys/windows" + "golang.org/x/sys/windows/svc" + "golang.org/x/sys/windows/svc/debug" + "golang.org/x/sys/windows/svc/eventlog" + "golang.org/x/sys/windows/svc/mgr" + "time" +) + +var startSvcCmd = &cobra.Command{ + Use: "start-service", + RunE: startService, + Short: "Start fibratus service", +} + +var stopSvcCmd = &cobra.Command{ + Use: "stop-service", + RunE: stopService, + Short: "Stop fibratus service", +} + +var restartSvcCmd = &cobra.Command{ + Use: "restart-service", + RunE: restartService, + Short: "Restart fibratus service", +} + +var svcConfig = config.NewWithOpts(config.WithRun()) + +func init() { + svcConfig.MustViperize(startSvcCmd) +} + +func startService(cmd *cobra.Command, args []string) error { + h, err := windows.OpenSCManager(nil, nil, windows.SC_MANAGER_CONNECT) + if err != nil { + return fmt.Errorf("couldn't connect to Windows Service Manager: %v", err) + } + m := &mgr.Mgr{Handle: h} + defer m.Disconnect() + s, err := windows.OpenService( + m.Handle, + windows.StringToUTF16Ptr(svcName), + windows.SERVICE_START|windows.SERVICE_STOP, + ) + if err != nil { + return fmt.Errorf("could not open fibratus service: %v", err) + } + scm := &mgr.Service{Name: svcName, Handle: s} + defer scm.Close() + err = scm.Start() + if err != nil { + return fmt.Errorf("could not start fibratus service: %v", err) + } + + start := time.Now() + var status svc.Status + for time.Since(start) > 5*time.Second { + status, err = scm.Query() + if err != nil { + return fmt.Errorf("failed to get fibratus service status: %v", err) + } + + if status.State == svc.Running { + return nil + } + } + return nil +} + +func stopService(cmd *cobra.Command, args []string) error { + return stopSvc() +} + +func restartService(cmd *cobra.Command, args []string) error { + if err := stopSvc(); err != nil { + return err + } + return startService(cmd, args) +} + +func stopSvc() error { + h, err := windows.OpenSCManager(nil, nil, windows.SC_MANAGER_CONNECT) + if err != nil { + return fmt.Errorf("couldn't connect to Windows Service Manager: %v", err) + } + m := &mgr.Mgr{Handle: h} + defer m.Disconnect() + + s, err := windows.OpenService( + m.Handle, + windows.StringToUTF16Ptr(svcName), + windows.SERVICE_START|windows.SERVICE_STOP|windows.SERVICE_QUERY_STATUS, + ) + if err != nil { + return fmt.Errorf("could not open fibratus service: %v", err) + } + scm := &mgr.Service{Name: svcName, Handle: s} + defer scm.Close() + + status, err := scm.Control(svc.Stop) + if err != nil { + return fmt.Errorf("couldn't stop fibratus service: %v", err) + } + timeout := time.Now().Add(10 * time.Second) + for status.State != svc.Stopped { + if timeout.Before(time.Now()) { + return fmt.Errorf("timeout waiting for service to go to state=%d", svc.Stopped) + } + time.Sleep(300 * time.Millisecond) + status, err = scm.Query() + if err != nil { + return fmt.Errorf("could not retrieve service status: %v", err) + } + } + return nil +} + +type fsvc struct{} + +var evtlog debug.Log + +var sktracec kstream.KtraceController +var skstreamc kstream.Consumer +var sagg *aggregator.BufferedAggregator + +func (s *fsvc) Execute(args []string, r <-chan svc.ChangeRequest, changes chan<- svc.Status) (bool, uint32) { + const cmdsAccepted = svc.AcceptStop | svc.AcceptShutdown + changes <- svc.Status{State: svc.StartPending} + changes <- svc.Status{State: svc.Running, Accepts: cmdsAccepted} + + if err := s.run(); err != nil { + evtlog.Error(0xc000000B, err.Error()) + changes <- svc.Status{State: svc.Stopped} + return false, 1 + } + +loop: + for { + select { + case c := <-r: + switch c.Cmd { + case svc.Interrogate: + changes <- c.CurrentStatus + time.Sleep(100 * time.Millisecond) + changes <- c.CurrentStatus + case svc.Stop: + break loop + case svc.Shutdown: + break loop + } + } + } + + changes <- svc.Status{State: svc.StopPending} + if sktracec != nil { + sktracec.CloseKtrace() + } + if skstreamc != nil { + skstreamc.CloseKstream() + } + if sagg != nil { + sagg.Stop() + } + handle.CloseTimeout() + api.CloseServer() + changes <- svc.Status{State: svc.Stopped} + + return true, 0 +} + +func (s *fsvc) run() error { + if err := svcConfig.TryLoadFile(svcConfig.GetConfigFile()); err != nil { + return err + } + if err := svcConfig.Init(); err != nil { + return err + } + if err := svcConfig.Validate(); err != nil { + return err + } + // ask for debug privileges + if svcConfig.DebugPrivilege { + security.SetDebugPrivilege() + } + if err := logger.InitFromConfig(svcConfig.Log); err != nil { + return err + } + sktracec = kstream.NewKtraceController(svcConfig.Kstream) + err := sktracec.StartKtrace() + if err != nil { + return err + } + // initialize handle/process snapshotters and try to open the kernel event stream + hsnap := handle.NewSnapshotter(svcConfig, nil) + psnap := ps.NewSnapshotter(hsnap, svcConfig) + skstreamc = kstream.NewConsumer(sktracec, psnap, hsnap, svcConfig) + // open the kernel event stream, start processing events and forwarding to outputs + err = skstreamc.OpenKstream() + if err != nil { + return err + } + sagg, err = aggregator.NewBuffered( + skstreamc.Events(), + skstreamc.Errors(), + svcConfig.Aggregator, + outputs.Config{Type: svcConfig.Output.Type, Output: svcConfig.Output.Output}, + svcConfig.Transformers, + svcConfig.Alertsenders, + ) + if err != nil { + return err + } + if err := api.StartServer(svcConfig); err != nil { + return err + } + return nil +} + +// RunService runs the service handler. +func RunService() { + var err error + evtlog, err = eventlog.Open(svcName) + if err != nil { + return + } + defer evtlog.Close() + + err = svc.Run(svcName, &fsvc{}) + if err != nil { + evtlog.Error(0xc0000008, err.Error()) + return + } +} diff --git a/cmd/fibratus/app/docs.go b/cmd/fibratus/app/docs.go new file mode 100644 index 000000000..db95375ce --- /dev/null +++ b/cmd/fibratus/app/docs.go @@ -0,0 +1,32 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package app + +import ( + "github.com/spf13/cobra" + "os/exec" +) + +var docsCmd = &cobra.Command{ + Use: "docs", + Short: "Open Fibratus docs in the web browser", + RunE: func(cmd *cobra.Command, args []string) error { + return exec.Command("rundll32", "url.dll,FileProtocolHandler", "https://www.fibratus.io").Start() + }, +} diff --git a/cmd/fibratus/app/install_service.go b/cmd/fibratus/app/install_service.go new file mode 100644 index 000000000..c42236aea --- /dev/null +++ b/cmd/fibratus/app/install_service.go @@ -0,0 +1,72 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package app + +import ( + "errors" + "fmt" + "github.com/spf13/cobra" + "golang.org/x/sys/windows/svc/eventlog" + "golang.org/x/sys/windows/svc/mgr" + "os" +) + +const svcName = "fibratus" + +var errServiceAlreadyInstalled = errors.New("fibratus service is already installed") + +var installSvcCmd = &cobra.Command{ + Use: "install-service", + Short: "Install fibratus within the Windows service control manager", + RunE: installService, +} + +func installService(cmd *cobra.Command, args []string) error { + exe, err := os.Executable() + if err != nil { + return err + } + m, err := mgr.Connect() + if err != nil { + return err + } + defer m.Disconnect() + s, err := m.OpenService(svcName) + if err == nil { + s.Close() + return errServiceAlreadyInstalled + } + svccfg := mgr.Config{ + DisplayName: "Fibratus Service", + Description: "Exploration and tracing of the Windows kernel", + } + s, err = m.CreateService(svcName, exe, svccfg) + if err != nil { + return err + } + defer s.Close() + err = eventlog.InstallAsEventCreate(svcName, eventlog.Error|eventlog.Warning|eventlog.Info) + if err != nil { + if err := s.Delete(); err != nil { + return err + } + return fmt.Errorf("couldn't create event log record: %v", err) + } + return nil +} diff --git a/cmd/fibratus/app/list.go b/cmd/fibratus/app/list.go new file mode 100644 index 000000000..6a7a3653d --- /dev/null +++ b/cmd/fibratus/app/list.go @@ -0,0 +1,154 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package app + +import ( + "bufio" + "fmt" + "github.com/jedib0t/go-pretty/v6/table" + "github.com/rabbitstack/fibratus/pkg/config" + "github.com/rabbitstack/fibratus/pkg/filter/fields" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/spf13/cobra" + "io/ioutil" + "os" + "path/filepath" + "strings" +) + +var listCmd = &cobra.Command{ + Use: "list", + Short: "Show info about filaments, filter fields or kernel event types", +} + +var listFilamentsCmd = &cobra.Command{ + Use: "filaments", + Short: "List available filaments", + RunE: listFilaments, +} + +var listFieldsCmd = &cobra.Command{ + Use: "fields", + Short: "List available filtering fields", + Run: listFields, +} + +var listsKeventsCmd = &cobra.Command{ + Use: "kevents", + Short: "List supported kernel event types", + Run: listKevents, +} + +var listConfig = config.NewWithOpts(config.WithList()) + +func init() { + listConfig.MustViperize(listFilamentsCmd) + + listCmd.AddCommand(listFilamentsCmd) + listCmd.AddCommand(listFieldsCmd) + listCmd.AddCommand(listsKeventsCmd) + + RootCmd.AddCommand(listCmd) +} + +// listFilaments renders a table with all available filaments. +func listFilaments(cmd *cobra.Command, args []string) error { + if err := listConfig.Init(); err != nil { + return err + } + + dir := listConfig.Filament.Path + if _, err := os.Stat(dir); err != nil { + if os.IsNotExist(err) { + return fmt.Errorf("%q directory does not exist", dir) + } + return err + } + + filaments, err := ioutil.ReadDir(dir) + if err != nil { + return err + } + + t := table.NewWriter() + t.SetOutputMirror(os.Stdout) + t.AppendHeader(table.Row{"Name", "Description"}) + t.SetStyle(table.StyleLight) + + for _, f := range filaments { + if f.IsDir() { + continue + } + py, err := os.Open(filepath.Join(dir, f.Name())) + if err != nil { + continue + } + if filepath.Ext(f.Name()) != ".py" { + continue + } + + sn := bufio.NewScanner(py) + var docStart bool + var doc string + for sn.Scan() { + ln := sn.Text() + if docStart { + doc = ln + break + } + if ln == `"""` { + docStart = true + } + + } + _ = py.Close() + t.AppendRow(table.Row{strings.TrimSuffix(f.Name(), ".py"), doc}) + } + t.Render() + + return nil +} + +// listKevents renders a table with supported kernel event types showing the category to which their pertain and a short description. +func listKevents(cmd *cobra.Command, args []string) { + t := table.NewWriter() + t.SetOutputMirror(os.Stdout) + t.AppendHeader(table.Row{"Name", "Category", "Description"}) + t.SetStyle(table.StyleLight) + + for _, ktyp := range ktypes.GetKtypesMeta() { + t.AppendRow(table.Row{ktyp.Name, ktyp.Category, ktyp.Description}) + } + + t.Render() +} + +// listFields renders a table with available filtering fields containing the name, description and the example filtering expression. +func listFields(cmd *cobra.Command, args []string) { + t := table.NewWriter() + t.SetOutputMirror(os.Stdout) + t.AppendHeader(table.Row{"Name", "Description", "Example"}) + t.SetStyle(table.StyleLight) + + for _, field := range fields.Get() { + t.AppendRow(table.Row{field.Field, field.Desc, strings.Join(field.Examples, ",")}) + } + + t.Render() +} diff --git a/cmd/fibratus/app/remove_service.go b/cmd/fibratus/app/remove_service.go new file mode 100644 index 000000000..db6d6cf02 --- /dev/null +++ b/cmd/fibratus/app/remove_service.go @@ -0,0 +1,57 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package app + +import ( + "errors" + "fmt" + "github.com/spf13/cobra" + "golang.org/x/sys/windows/svc/eventlog" + "golang.org/x/sys/windows/svc/mgr" +) + +var removeSvcCmd = &cobra.Command{ + Use: "remove-service", + Short: "Remove fibratus from the Windows service control manager", + RunE: removeService, +} + +var errServiceNotInstalled = errors.New("fibratus service is not installed") + +func removeService(cmd *cobra.Command, args []string) error { + m, err := mgr.Connect() + if err != nil { + return err + } + defer m.Disconnect() + s, err := m.OpenService(svcName) + if err != nil { + return errServiceNotInstalled + } + defer s.Close() + err = s.Delete() + if err != nil { + return err + } + err = eventlog.Remove(svcName) + if err != nil { + return fmt.Errorf("couldn't create eventlog remove record: %v", err) + } + return nil +} diff --git a/cmd/fibratus/app/replay.go b/cmd/fibratus/app/replay.go new file mode 100644 index 000000000..f35e201e2 --- /dev/null +++ b/cmd/fibratus/app/replay.go @@ -0,0 +1,142 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package app + +import ( + "context" + "github.com/rabbitstack/fibratus/pkg/aggregator" + "github.com/rabbitstack/fibratus/pkg/api" + "github.com/rabbitstack/fibratus/pkg/config" + "github.com/rabbitstack/fibratus/pkg/filament" + "github.com/rabbitstack/fibratus/pkg/filter" + "github.com/rabbitstack/fibratus/pkg/kcap" + "github.com/rabbitstack/fibratus/pkg/outputs" + logger "github.com/rabbitstack/fibratus/pkg/util/log" + "github.com/spf13/cobra" + "os" + "os/signal" +) + +var replayCmd = &cobra.Command{ + Use: "replay", + Short: "Replay kernel event flow from the kcap file", + RunE: replay, +} + +var replayConfig = config.NewWithOpts(config.WithReplay()) + +func init() { + replayConfig.MustViperize(replayCmd) +} + +func replay(cmd *cobra.Command, args []string) error { + if err := replayConfig.TryLoadFile(replayConfig.File()); err != nil { + return err + } + if err := replayConfig.Init(); err != nil { + return err + } + if err := replayConfig.Validate(); err != nil { + return err + } + if err := logger.InitFromConfig(replayConfig.Log); err != nil { + return err + } + kfilter, err := filter.NewFromCLI(args) + if err != nil { + return err + } + // initialize kcap reader and try to recover the snapshotters + // from the captured state + reader, err := kcap.NewReader(replayConfig.KcapFile, replayConfig) + if err != nil { + return err + } + hsnap, psnap, err := reader.RecoverSnapshotters() + if err != nil { + return err + } + + ctx, cancel := context.WithCancel(context.Background()) + + filamentConfig := replayConfig.Filament + filamentName := filamentConfig.Name + // we don't need the aggregator is user decided to replay the + // kcap on the filament. Otwherise, we setup the full-fledged + // buffered aggregator + var agg *aggregator.BufferedAggregator + + if filamentName != "" { + f, err := filament.New(filamentName, psnap, hsnap, filamentConfig) + if err != nil { + return err + } + if f.Filter() != nil { + kfilter = f.Filter() + } + reader.SetFilter(kfilter) + + // returns the channel where events are read from the kcap + kevents, errs := reader.Read(ctx) + + go func() { + defer f.Close() + err = f.Run(kevents, errs) + if err != nil { + sig <- os.Interrupt + } + }() + } else { + if kfilter != nil { + reader.SetFilter(kfilter) + } + + // use the channels where events are read from the kcap as aggregator source + kevents, errs := reader.Read(ctx) + + var err error + agg, err = aggregator.NewBuffered( + kevents, + errs, + replayConfig.Aggregator, + outputs.Config{Type: replayConfig.Output.Type, Output: replayConfig.Output.Output}, + replayConfig.Transformers, + replayConfig.Alertsenders, + ) + if err != nil { + return err + } + } + // start the HTTP server + if err := api.StartServer(replayConfig); err != nil { + return err + } + signal.Notify(sig, os.Kill, os.Interrupt) + <-sig + // stop reader consumer goroutines + cancel() + + if agg != nil { + if err := agg.Stop(); err != nil { + return err + } + } + + return nil +} diff --git a/cmd/fibratus/app/root.go b/cmd/fibratus/app/root.go new file mode 100644 index 000000000..821f7f48e --- /dev/null +++ b/cmd/fibratus/app/root.go @@ -0,0 +1,65 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package app + +import ( + "errors" + "github.com/spf13/cobra" + "os" + "runtime" +) + +var sig = make(chan os.Signal, 2) + +var RootCmd = &cobra.Command{ + Use: "fibratus", + Short: "Modern tool for the kernel observability and exploration", + Long: ` + Fibratus is a tool for exploration and tracing of the Windows kernel. + It lets you trap system-wide events such as process life-cycle, file system I/O, + registry modifications or network requests among many other observability signals. + In a nutshell, Fibratus allows for gaining deep operational visibility into the Windows + kernel but also processes running on top of it. + `, + SilenceUsage: true, + PersistentPreRunE: func(cmd *cobra.Command, args []string) error { + if runtime.GOOS != "windows" { + return errors.New("fibratus can only be run on Windows operating systems") + } + if runtime.GOARCH == "386" { + return errors.New("fibratus can't be run on 32-bits Windows operating systems") + } + return nil + }, +} + +func init() { + RootCmd.AddCommand(runCmd) + RootCmd.AddCommand(captureCmd) + RootCmd.AddCommand(replayCmd) + RootCmd.AddCommand(installSvcCmd) + RootCmd.AddCommand(removeSvcCmd) + RootCmd.AddCommand(startSvcCmd) + RootCmd.AddCommand(stopSvcCmd) + RootCmd.AddCommand(restartSvcCmd) + RootCmd.AddCommand(statsCmd) + RootCmd.AddCommand(configCmd) + RootCmd.AddCommand(docsCmd) + RootCmd.AddCommand(versionCmd) +} diff --git a/cmd/fibratus/app/run.go b/cmd/fibratus/app/run.go new file mode 100644 index 000000000..6a1069aa8 --- /dev/null +++ b/cmd/fibratus/app/run.go @@ -0,0 +1,187 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package app + +import ( + "github.com/rabbitstack/fibratus/pkg/aggregator" + "github.com/rabbitstack/fibratus/pkg/alertsender" + "github.com/rabbitstack/fibratus/pkg/api" + "github.com/rabbitstack/fibratus/pkg/config" + "github.com/rabbitstack/fibratus/pkg/filament" + "github.com/rabbitstack/fibratus/pkg/filter" + "github.com/rabbitstack/fibratus/pkg/handle" + "github.com/rabbitstack/fibratus/pkg/kstream" + "github.com/rabbitstack/fibratus/pkg/outputs" + "github.com/rabbitstack/fibratus/pkg/ps" + "github.com/rabbitstack/fibratus/pkg/syscall/security" + logger "github.com/rabbitstack/fibratus/pkg/util/log" + log "github.com/sirupsen/logrus" + "github.com/spf13/cobra" + "os" + "os/signal" +) + +var runCmd = &cobra.Command{ + Use: "run [filter]", + Short: "Bootstrap fibratus or a filament", + Aliases: []string{"start"}, + RunE: run, + Example: ` + # Run without the filter + fibratus run + + # Run with the filter that drops all but events produced by the svchost.exe process + fibratus run ps.name = 'svchost.exe' + + # Run with the filter that traps all events that were generated by process that contains the 'svc' string and it was started by 'SYSTEM' or 'admin' users + fibratus run ps.name contains 'svc' and ps.sid in ('NT AUTHORITY\\SYSTEM', 'ARCHRABBIT\\admin') + + # Run the top_keys filament + fibratus run -f top_keys + `, +} + +var cfg = config.NewWithOpts(config.WithRun()) + +func init() { + cfg.MustViperize(runCmd) +} + +func run(cmd *cobra.Command, args []string) error { + // even though it is possible to bootstrap with default config, we'll + // return an error if for some reason the config can't be loaded from the file + if err := cfg.TryLoadFile(cfg.File()); err != nil { + return err + } + // initialize and validate the config + if err := cfg.Init(); err != nil { + return err + } + if err := cfg.Validate(); err != nil { + return err + } + // inject the debug privilege if enabled + if cfg.DebugPrivilege { + security.SetDebugPrivilege() + } + if err := logger.InitFromConfig(cfg.Log); err != nil { + return err + } + // initialize kernel trace controller and try to start the trace + ktracec := kstream.NewKtraceController(cfg.Kstream) + err := ktracec.StartKtrace() + if err != nil { + return err + } + defer ktracec.CloseKtrace() + // bootstrap essential components, including handle, process snapshotters + // and the kernel stream consumer that will actually collect all the events + hsnap := handle.NewSnapshotter(cfg, nil) + psnap := ps.NewSnapshotter(hsnap, cfg) + kstreamc := kstream.NewConsumer(ktracec, psnap, hsnap, cfg) + // build the filter from the CLI argument. If we got a valid expression the filter + // is linked to the kernel stream consumer so it can drop any events that don't match + // the filter criteria + kfilter, err := filter.NewFromCLI(args) + if err != nil { + return err + } + if kfilter != nil { + kstreamc.SetFilter(kfilter) + } + log.Infof("bootstrapping with pid %d", os.Getpid()) + // user can either instruct to bootstrap a filament or start a regular run. We'll setup + // the corresponding components accordingly to what we got from the CLI options. If a filament + // was given, we'll assign it the previous filter if it wasn't provided in the filament init function. + // Finally, we open the kernel stream flow and run the filament i.e. Python main thread in a new goroutine. + // In case of a regular run, we additionally setup the aggregator. The aggregator will grab the events + // from the queue, assemble them into batches and hand over to output sinks. + var f filament.Filament + filamentName := cfg.Filament.Name + if filamentName != "" { + f, err = filament.New(filamentName, psnap, hsnap, cfg.Filament) + if err != nil { + return err + } + if f.Filter() != nil { + kstreamc.SetFilter(f.Filter()) + } + err = kstreamc.OpenKstream() + if err != nil { + return err + } + defer kstreamc.CloseKstream() + // load alert senders so emitting alerts is possible from filaments + err = alertsender.LoadAll(cfg.Alertsenders) + if err != nil { + log.Warnf("couldn't load alertsenders: %v", err) + } + go func() { + err = f.Run(kstreamc.Events(), kstreamc.Errors()) + if err != nil { + log.Error(err) + sig <- os.Interrupt + } + }() + } else { + err = kstreamc.OpenKstream() + if err != nil { + return err + } + defer kstreamc.CloseKstream() + // setup the aggregator that forwards events to outputs + agg, err := aggregator.NewBuffered( + kstreamc.Events(), + kstreamc.Errors(), + cfg.Aggregator, + outputs.Config{Type: cfg.Output.Type, Output: cfg.Output.Output}, + cfg.Transformers, + cfg.Alertsenders, + ) + if err != nil { + return err + } + defer func() { + if err := agg.Stop(); err != nil { + log.Error(err) + } + }() + } + // start the HTTP server + if err := api.StartServer(cfg); err != nil { + return err + } + // wait for signals + signal.Notify(sig, os.Interrupt, os.Kill) + <-sig + log.Infof("shutting down...") + // shutdown everything gracefully + if f != nil { + if err := f.Close(); err != nil { + return err + } + } + if err := handle.CloseTimeout(); err != nil { + return err + } + if err := api.CloseServer(); err != nil { + return err + } + return nil +} diff --git a/cmd/fibratus/app/stats.go b/cmd/fibratus/app/stats.go new file mode 100644 index 000000000..35c2e67ff --- /dev/null +++ b/cmd/fibratus/app/stats.go @@ -0,0 +1,162 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package app + +import ( + "encoding/json" + "github.com/jedib0t/go-pretty/v6/table" + "github.com/rabbitstack/fibratus/pkg/config" + "github.com/rabbitstack/fibratus/pkg/util/rest" + "github.com/spf13/cobra" + "os" + "reflect" +) + +var statsCmd = &cobra.Command{ + Use: "stats", + Short: "Show runtime stats", + RunE: stats, +} + +var statsConfig = config.NewWithOpts(config.WithStats()) + +func init() { + statsConfig.MustViperize(statsCmd) +} + +// Stats stores runtime statistics that are retrieved from the expvar endpoint. +type Stats struct { + AggregatorBatchEvents int `json:"aggregator.batch.events"` + AggregatorFlushesCount int `json:"aggregator.flushes.count"` + AggregatorKeventErrors int `json:"aggregator.kevent.errors"` + AggregatorTransformerErrors map[string]int `json:"aggregator.transformer.errors"` + AggregatorWorkerClientPublishErrors int `json:"aggregator.worker.client.publish.errors"` + FilamentKdictErrors int `json:"filament.kdict.errors"` + FilamentKeventBatchFlushes int `json:"filament.kevent.batch.flushes"` + FilamentKeventErrors map[string]int `json:"filament.kevent.errors"` + FilamentKeventProcessErrors int `json:"filament.kevent.process.errors"` + FilterAccessorErrors map[string]int `json:"filter.accessor.errors"` + FsFileObjectHandleHits int `json:"fs.file.object.handle.hits"` + FsFileObjectMisses int `json:"fs.file.object.misses"` + FsFileReleases int `json:"fs.file.releases"` + FsTotalRundownFiles int `json:"fs.total.rundown.files"` + HandleDeferredEvictions int `json:"handle.deferred.evictions"` + HandleNameQueryFailures map[string]int `json:"handle.name.query.failures"` + HandleSnapshotCount int `json:"handle.snapshot.count"` + HandleSnapshotBytes int `json:"handle.snapshot.bytes"` + HandleTypesCount int `json:"handle.types.count"` + HandleTypeNameMisses int `json:"handle.type.name.misses"` + HandleWaitTimeouts int `json:"handle.wait.timeouts"` + HostnameErrors map[string]int `json:"hostname.errors"` + KcapDroppedKevents int `json:"kcap.dropped.kevents"` + KcapFlusherErrors map[string]int `json:"kcap.flusher.errors"` + KcapHandleWriteErrors int `json:"kcap.handle.write.errors"` + KcapKeventUnmarshalErrors int `json:"kcap.kevent.unmarshal.errors"` + KcapKeventWriteErrors int `json:"kcap.kevent.write.errors"` + KcapKstreamConsumerErrors int `json:"kcap.kstream.consumer.errors"` + KcapOverflowErrors int `json:"kcap.overflow.errors"` + KcapReadBytes int `json:"kcap.read.bytes"` + KcapReadKevents int `json:"kcap.read.kevents"` + KcapReaderDroppedByFilter int `json:"kcap.reader.dropped.by.filter"` + KcapReaderHandleUnmarshalErrors int `json:"kcap.reader.handle.unmarshal.errors"` + KeventInterceptorFailures int `json:"kevent.interceptor.failures"` + KeventSeqInitErrors map[string]int `json:"kevent.seq.init.errors"` + KeventSeqStoreErrors int `json:"kevent.seq.store.errors"` + KeventTimestampUnmarshalErrors int `json:"kevent.timestamp.unmarshal.errors"` + KstreamBlacklistDroppedKevents map[string]int `json:"kstream.blacklist.dropped.kevents"` + KstreamBlacklistDroppedProcs map[string]int `json:"kstream.blacklist.dropped.procs"` + KstreamKbuffersRead int `json:"kstream.kbuffers.read"` + KstreamKeventParamFailures int `json:"kstream.kevent.param.failures"` + KstreamKeventsEnqueued int `json:"kstream.kevents.enqueued"` + KstreamKeventsDequeued int `json:"kstream.kevents.dequeued"` + KstreamKeventsFailures map[string]int `json:"kstream.kevents.failures"` + KstreamKeventsMissingSchemaErrors map[string]int `json:"kstream.kevents.missing.schema.errors"` + KstreamUpstreamCancellations int `json:"kstream.upstream.cancellations"` + LoggerErrors map[string]int `json:"logger.errors"` + OutputAmqpChannelFailures int `json:"output.amqp.channel.failures"` + OutputAmqpConnectionFailures int `json:"output.amqp.connection.failures"` + OutputAmqpPublishErrors int `json:"output.amqp.publish.errors"` + OutputConsoleErrors int `json:"output.console.errors"` + OutputNullBlackholeEvents int `json:"output.null.blackhole.events"` + PeFailedResourceEntryReads int `json:"pe.failed.resource.entry.reads"` + PeMaxResourceEntriesExceeded int `json:"pe.max.resource.entries.exceeded"` + ProcessCount int `json:"process.count"` + ProcessModuleCount int `json:"process.module.count"` + ProcessLookupFailureCount map[int]int `json:"process.lookup.failure.count"` + ProcessPebReadErrors int `json:"process.peb.read.errors"` + ProcessReaped int `json:"process.reaped"` + ProcessThreadCount int `json:"process.thread.count"` + RegistryKcbCount int `json:"registry.kcb.count"` + RegistryKcbMisses int `json:"registry.kcb.misses"` + RegistryKeyHandleHits int `json:"registry.key.handle.hits"` + RegistryUnknownKeysCount int `json:"registry.unknown.keys.count"` + SidsCount int `json:"sids.count"` + YaraImageScans int `json:"yara.image.scans"` + YaraProcScans int `json:"yara.proc.scans"` + YaraRuleMatches int `json:"yara.rule.matches"` +} + +func stats(cmd *cobra.Command, args []string) error { + if err := statsConfig.TryLoadFile(statsConfig.File()); err != nil { + return err + } + if err := statsConfig.Init(); err != nil { + return err + } + if err := statsConfig.Validate(); err != nil { + return err + } + + c := statsConfig.API + body, err := rest.Get(rest.WithTransport(c.Transport), rest.WithURI("debug/vars")) + if err != nil { + return err + } + var stats Stats + if err := json.Unmarshal(body, &stats); err != nil { + return err + } + + t := table.NewWriter() + t.SetOutputMirror(os.Stdout) + t.AppendHeader(table.Row{"Name", "Value"}) + t.SetStyle(table.StyleLight) + + typ := reflect.TypeOf(stats) + val := reflect.ValueOf(stats) + + for i := 0; i < typ.NumField(); i++ { + f := typ.Field(i) + tag := f.Tag.Get("json") + + if tag == "" { + continue + } + + if !val.Field(i).CanInterface() { + continue + } + + t.AppendRow(table.Row{tag, val.Field(i).Interface()}) + } + + t.Render() + + return nil +} diff --git a/cmd/fibratus/app/version.go b/cmd/fibratus/app/version.go new file mode 100644 index 000000000..3e04e0e2f --- /dev/null +++ b/cmd/fibratus/app/version.go @@ -0,0 +1,40 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package app + +import ( + "fmt" + "github.com/spf13/cobra" + "os" + "runtime" +) + +var version string +var commit string + +var versionCmd = &cobra.Command{ + Use: "version", + Short: "Show version info", + Run: func(cmd *cobra.Command, args []string) { + if version == "" { + version = "dev" + } + _, _ = fmt.Fprintln(os.Stdout, "Version:", version, "Commit:", commit, "Go compiler:", runtime.Version()) + }, +} diff --git a/cmd/fibratus/fibratus.exe.manifest b/cmd/fibratus/fibratus.exe.manifest new file mode 100644 index 000000000..c1cb48310 --- /dev/null +++ b/cmd/fibratus/fibratus.exe.manifest @@ -0,0 +1,9 @@ + + + + + + + + + \ No newline at end of file diff --git a/cmd/fibratus/fibratus.rc b/cmd/fibratus/fibratus.rc new file mode 100644 index 000000000..64be5cbd6 --- /dev/null +++ b/cmd/fibratus/fibratus.rc @@ -0,0 +1,38 @@ +#include "version.h" +#define RT_MANIFEST 24 + +#define VS_VERSION_INFO 1 +VS_VERSION_INFO VERSIONINFO + FILEVERSION RC_FILE_VERSION + PRODUCTVERSION RC_FILE_VERSION + FILEFLAGSMASK 0x3fL +#ifdef _DEBUG + FILEFLAGS 0x1L +#else + FILEFLAGS 0x0L +#endif + FILEOS 0x40004L + FILETYPE 0x0L + FILESUBTYPE 0x0L +BEGIN + BLOCK "StringFileInfo" + BEGIN + BLOCK "040904b0" + BEGIN + VALUE "CompanyName", "Fibratus" + VALUE "FileDescription", "Kernel tracing and exploration tool" + VALUE "FileVersion", FILE_VERSION_STRING + VALUE "InternalName", "fibratus" + VALUE "LegalCopyright", "Copyright (C) 2019-2020" + VALUE "OriginalFilename", "fibratus.exe" + VALUE "ProductName", "Fibratus" + VALUE "ProductVersion", FILE_VERSION_STRING + END + END + BLOCK "VarFileInfo" + BEGIN + VALUE "Translation", 0x409, 1200 + END +END + +1 RT_MANIFEST "fibratus.exe.manifest" \ No newline at end of file diff --git a/cmd/fibratus/main.go b/cmd/fibratus/main.go new file mode 100644 index 000000000..315296881 --- /dev/null +++ b/cmd/fibratus/main.go @@ -0,0 +1,42 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package main + +import ( + "fmt" + "github.com/rabbitstack/fibratus/cmd/fibratus/app" + "golang.org/x/sys/windows/svc" + "os" +) + +func main() { + // determine if we are running in an interactive session + in, err := svc.IsAnInteractiveSession() + if err != nil { + fmt.Printf("interactive session check failed: %v\n", err) + os.Exit(-1) + } + if !in { + app.RunService() + return + } + if err := app.RootCmd.Execute(); err != nil { + os.Exit(-1) + } +} diff --git a/cmd/fibratus/version.h b/cmd/fibratus/version.h new file mode 100644 index 000000000..237ddd52b --- /dev/null +++ b/cmd/fibratus/version.h @@ -0,0 +1,6 @@ +#define RC_FILE_VERSION RC_VER,0 + +#define STRINGIFY(x) #x +#define TO_STRING(x) STRINGIFY(x) + +#define FILE_VERSION_STRING TO_STRING(VER) diff --git a/configs/fibratus.json b/configs/fibratus.json new file mode 100644 index 000000000..cac66b122 --- /dev/null +++ b/configs/fibratus.json @@ -0,0 +1,55 @@ +{ + "aggregator": { + "flush-period": "500ms", + "flush-timeout": "4s" + }, + + "alertsenders": { + "mail": { + "enabled": false + }, + + "slack": { + "enabled": false + } + }, + + "api": { + "transport": "localhost:8090", + "timeout": "5s" + }, + + "debug-privilege": true, + + "filament": { + "name": "", + "flush-period": "200ms" + }, + + "handle": { + "init-snapshot": true + }, + + "kevent": { + + }, + + "kcap": { + + }, + + "kstream": {}, + "logging": {}, + + "output": { + "console": { + "enabled": true, + "format": "pretty", + "kv-delimiter": "->" + } + }, + + "pe": {}, + "transformers": {}, + "yara": {} +} \ No newline at end of file diff --git a/configs/fibratus.yml b/configs/fibratus.yml new file mode 100644 index 000000000..62e9b60c5 --- /dev/null +++ b/configs/fibratus.yml @@ -0,0 +1,476 @@ +###################### Fibratus Configuration File ##################################### + +# =============================== Aggregator ========================================== + +# Aggregator is responsible for creating kernel event batches, applying transformers to each event +# present in the batch, and forwarding those batches to the output sinks. +aggregator: + # Determines the flush period that triggers the flushing of the kernel event batches to output sinks + flush-period: 500ms + + # Represents the max time to wait before announcing failed flushing of enqueued events when fibratus + # is stopped + flush-timeout: 4s + +# =============================== Alert senders ======================================== + +# Alert senders deal with emitting alerts via different channels. +alertsenders: + # Mail sender transports the alerts via SMTP protocol. + mail: + # Enables/disables mail alert sender + enabled: false + + # Represents the host of the SMTP server + #host: + + # Represents the port of the SMTP server + #port: 25 + + # Specifies the user name when authenticating to the SMTP server + #user: + + # Specifies the password when authenticating to the SMTP server + #password: + + # Specifies the sender's address + #from: + + # Specifies all the recipients that'll receive the alert + #to: + # - "" + + # Slack sender transports the alerts to the Slack workspace. + slack: + # Enables/disables Slack alert sender + enabled: false + + # Represents the Webhook URL of the workspace where alerts will be dispatched + #url: + + # Designates the Slack workspace where alerts will be routed + #workspace: + + # Is the slack channel in which to post alerts + #channel: + + # Represents the emoji icon surrounded in ':' characters for the Slack bot + #emoji: "" + +# =============================== API ================================================== + +# Settings that influence the behaviour of the HTTP server that exposes a number of endpoints such as +# expvar metrics, internal state, and so on +api: + # Specifies the underlying transport protocol for the API HTTP server. The transport can either be the + # named pipe or TCP socket. Default is named pipe but you can override it to expose the API server on + # TCP address, e.g. 192.168.1.32:8084. + transport: localhost:8482 + + # Represents the timeout interval for the HTTP server responses. + timeout: 5s + +# =============================== General ============================================== + +# Indicates whether debug privilege is set in Fibratus process' token. Enabling this security policy allows +# Fibratus to obtain handles of protected processes for the purpose of querying the Process Environment Block +# regions. +debug-privilege: true + + +# =============================== Filament ============================================= + +# Filaments are lightweight Python scriplets that are executed on top of the kernel event stream. You can easily +# extend Fibratus with custom features that is encapsulated in filaments. This section controls the behaviour of +# the filament engine. +filament: + # Specifies the name of the filament that is executed by the run command + name: "" + + # The directory where all filaments are located. By default, filaments are stored in the ${PROGRAMFILES}/fibratus/filaments directory. + #path: ${PROGRAMFILES}/fibratus/filaments + + # Determines how often event batches are propagated to the filament callback function + #flush-period: 200ms + +# =============================== Handle =============================================== + +# Indicates whether initial handle snapshot is built. The snapshot contains the state of system handles. +handle: + init-snapshot: true + +# =============================== Kevent =============================================== + +# The following settings control the state of the kernel event. +kevent: + # Indicates if threads are serialized as part of the process state + serialize-threads: false + + # Indicates if modules such as Dynamic Linked Libraries are serialized as part of the process state + serialize-images: false + + # Indicates if handles are serialized as part of the process state + serialize-handles: false + + # Indicates if PE (Portable Executable) metadata are serialized as part of the process state + serialize-pe: false + + # Indicates if environment variables are serialized as part of the process state + serialize-envs: false + +# =============================== Kcap ================================================= + +# Contains the settings that dictate the behaviour of the kernel event captures. + +kcap: + # Specifies the name of the output kcap file. If not empty, capture files are always stored + # to this file by overwriting any existing capture file + file: "" + +# =============================== Kstream ============================================== + +# Tweaks for controlling the behaviour of the kernel stream consumer. +kstream: + # Determines the maximum number of buffers allocated for the event tracing session's buffer pool + #max-buffers: + + # Determines the minimum number of buffers allocated for the event tracing session's buffer pool + #min-buffers: + + # Specifies how often the trace buffers are forcibly flushed + #flush-interval: 1s + + # Represents the amount of memory allocated for each event tracing session buffer, in kilobytes. + # The buffer size affects the rate at which buffers fill and must be flushed (small buffer size requires + # less memory but it increases the rate at which buffers must be flushed) + #buffer-size: + + # Determines whether thread kernel events are collected by Kernel Logger provider + #enable-thread: true + + # Determines whether registry kernel events are collected by Kernel Logger provider + #enable-registry: true + + # Determines whether network kernel events are collected by Kernel Logger provider + #enable-net: true + + # Determines whether file kernel events are collected by Kernel Logger provider + #enable-fileio: true + + # Determines whether image kernel events are collected by Kernel Logger provider + #enable-image: true + + # Determines whether object manager kernel events (handle creation/destruction) are + # collected by Kernel Logger provider + #enable-handle: false + + # Determines which events are dropped either by the event name or the process' image + # name that triggered the event. + blacklist: + # Contains a list of kernel event names that are dropped from the event stream + events: + - CloseFile + # Contains a list of case-insensitive process image names including the extension. + # Any event originated by the image specified in this list is dropped from the event stream + images: + - System + + +# =============================== Logging ================================================ + +# Contains the tweaks for fine-tuning the behaviour of the log files produced by Fibratus. +logging: + # Specifies the minimum allowed log level. Anything logged below this log level will + # not get dumped to a file or stdout stream + level: info + + # Represents the maximum number of days to retain old log files based on the timestamp + # encoded in their filename. By default, all log files are retained + # max-age: 0 + + # Specifies the maximum number of old log files to retain + #max-backups: 15 + + # Specifies the maximum size in megabytes of the log file before it gets rotated + #max-size: 100 + + # Represents the log file format. By default, Fibratus will dump the logs in JSON format + #formatter: json + + # Represents the alternative paths for storing the logs. Logs are usually stored in the + # same directory where Fibratus was installed + #path: + + # Indicates whether log lines are written to standard output in addition to writing them to log files + #log-stdout: false + + +# =============================== Output ================================================ + +# Outputs transport the event flowing through kernel event stream to its final destination. Only one output +# can be active at the time. The following section contains available outputs and their preferences. +output: + # Console output writes the event to standard output stream. + console: + # Indicates whether the console output is active + enabled: true + + # Specifies the console output format. The "pretty" format dictates that formatting is accomplished + # by replacing the specifiers in the template. The "json" format outputs the event as a raw JSON string + format: pretty + + # Template that's feed into event formatter. The default event formatter template is: + # + # {{ .Seq }} {{ .Timestamp }} - {{ .CPU }} {{ .Process }} ({{ .Pid }}) - {{ .Type }} ({{ .Kparams }}) + # + #template: + + # Specifies the separator that's rendered between the event parameter's key and its value. + #kv-delimiter: + + # Elasticsearch output indexes event bulks into Elasticsearch clusters. + elasticsearch: + # Indicates whether the Elasticsearch output is enabled + enabled: false + + # Defines the URL endpoints of the Elasticsearch nodes + #servers: + # - http://localhost:9200 + + # Represents the initial HTTP connection timeout + #timeout: 5s + + # Specifies when to flush the bulk at the end of the given interval + #flush-period: 1s + + # Determines the number of workers that commit docs to Elasticsearch + #bulk-workers: 1 + + # Enables/disables nodes health checking + #healthcheck: true + + # Specifies the interval for checking if the Elasticsearch nodes are available + #healthcheck-interval: 10s + + # Specifies the timeout for periodic health checks + #healthcheck-timeout: 5s + + # Identifies the user name for the basic HTTP authentication + #username: + + # Identifies the password for the basic HTTP authentication + #password: + + # Enables the discovery of all Elasticsearch nodes in the cluster. This avoids populating the list + # of available Elasticsearch nodes + #sniff: false + + # Determines if the Elasticsearch trace log is enabled. Useful for troubleshooting + #trace-log: false + + # Specifies if gzip compression is enabled + #gzip-compression: false + + # Specifies the name of the index template + #template-name: fibratus + + # Represents the target index for kernel events. It allows time specifiers to create indices per time frame. + # For example, fibratus-%Y-%m generates the index name with current year and and month time specifiers + #index-name: fibratus + + # Contains the full JSON body of the index template. For more information refer to + # https://www.elastic.co/guide/en/elasticsearch/reference/current/index-templates.html + #template-config: + + # Path to the public/private key file + #tls-key: + + # Path to certificate file + #tls-cert: + + # Represents the path of the certificate file that is associated with the Certification Authority (CA) + #tls-ca: + + # Indicates if the chain and host verification stage is skipped + #tls-insecure-skip-verify: false + + # Amqp output emits event batches to RabbitMQ brokers. + amqp: + # Indicates if the AMQP output is enabled + enabled: false + + # Represents the AMQP connection string + #url: amqp://localhost:5672 + + # Specifies the AMQP connection timeout + #timeout: 5s + + # Specifies target exchange name that receives inbound kernel events + #exchange: fibratus + + # Represents the AMQP exchange type. Available exchange type include common types are "direct", "fanout", + # "topic", "header", and "x-consistent-hash" + #exchange-type: topic + + # Represents the static routing key to link exchanges with queues. + #routing-key: fibratus + + # Represents the virtual host name + #vhost: / + + # Indicates if the exchange is marked as durable. Durable exchanges can survive server restarts + #durable: false + + # Indicates if the server checks whether the exchange already exists and raises an error if it doesn't exist + #passive: false + + # Determines if a published message is persistent or transient + #delivery-mode: transient + + # The username for the plain authentication method + #username: + # The password for the plain authentication method + #password: + + # Designates static headers that are added to each published message + #headers: + # env: dev + + # Path to the public/private key file + #tls-key: + + # Path to certificate file + #tls-cert: + + # Represents the path of the certificate file that is associated with the Certification Authority (CA) + #tls-ca: + + # Indicates if the chain and host verification stage is skipped + #tls-insecure-skip-verify: false + +# =============================== Portable Executable (PE) ============================= + +# Tweaks for controlling the fetching of the PE (Portable Executable) metadata from the process' binary image. +pe: + # Designates whether inspecting PE metadata is allowed. + enabled: false + + # Contains a list of image names that are excluded from PE parsing + excluded-images: + - svchost.exe + + # Determines if resources are read from the PE resource directory + #read-resources: false + + # Indicates if symbols are read from the PE headers + #read-symbols: false + + # Indicates if full section inspection is allowed. When se to true, section's individual bytes are + # consulted for computing section hashes, calculating the entropy, and so on + #read-sections: false + +# =============================== Transformers ========================================= + +# Transformers are responsible for augmenting, parsing or enriching kernel events. +transformers: + # Remove transformer deletes provided event parameters. + remove: + # Indicates if the remove transformer is enabled + enabled: false + + # Represents the list of parameters that are removed from the event + #kparams: + # - irp + + # Rename transformer renames parameter from old to new name. + rename: + # Indicates if the rename transformer is enabled + enabled: false + + # Contains the list of old/new mappings. Old represents the original + # parameter name, while new is the new parameter name + #kparams: + # - old: + # new: + + # Replace transformer replaces all non-overlapping instances of old parameter's value with the new one. + replace: + # Indicates if the replace transformer is enabled + enabled: false + + # Contains the list of parameter replacements. For each target event parameter, the old represent the substring + # that gets replaced by the new string. + #replacements: + # - kparam: + # old: + # new: + + # Tags transformer appends custom key/value pairs to event metadata. + tags: + # Indicates if the tags transformer is enabled + enabled: false + + # Contains the list of tags that are appended to event metadata. Values can be fetched from environment + # variables by enclosing them in % symbols + #tags: + # - key: + # value: + + # Trim transformer removes prefixes/suffixes from event parameter values. + trim: + # # Indicates if the trim transformer is enabled + enabled: false + + # Contains the list of parameters associated with the prefix that is trimmed from the parameter's value + #prefixes: + # - kparam: + # trim: + + # Contains the list of parameters associated with the suffix that is trimmed from the parameter's value + #suffixes: + # - kparam: + # trim: + +# =============================== YARA ================================================= + +# Tweaks that influence the behaviour of the YARA scanner. +yara: + # Indicates if the YARA scanner is enabled. When enabled, each newly created process is scanned for pattern matches. + enabled: false + + # Contains rule paths and rule definition information + rule: + # Represents the paths within the file system along with the YARA namespace identifier + paths: + - path: "" + namespace: "" + + # Represents the string with the rule definition along with the YARA namespace identifier + strings: + - string: + namespace: + + # Indicates which sender is used to transport the alert generated by scanner + #alert-via: mail + + # Specifies templates for the alert title and text in Go templating language (https://golang.org/pkg/text/template) + #alert-template: + # title: + # text: + + # Determines when multiple matches of the same string can be avoided when not necessary + #fastscan: true + + # Specifies the timeout for the scanner. If the timeout is reached, the scan operation is cancelled + #scan-timeout: 20s + + # Indicates whether file scanning is disabled. This affects the scan triggered by the image loading events. + #skip-files: true + + # Contains the list of file names that shouldn't be scanned + #excluded-files: + # - kernel32.dll + + # Contains the list of the process' image names that shouldn't be scanned + #excluded-procs: + # - System diff --git a/fibratus.spec b/fibratus.spec deleted file mode 100644 index d9180136b..000000000 --- a/fibratus.spec +++ /dev/null @@ -1,30 +0,0 @@ -# -*- mode: python -*- - -block_cipher = None - - -a = Analysis(['fibratus\\cli.py'], - pathex=[], - binaries=[], - datas=[('schema.yml', '.')], - hiddenimports=[], - hookspath=[], - runtime_hooks=[], - excludes=[], - win_no_prefer_redirects=False, - win_private_assemblies=False, - cipher=block_cipher) -pyz = PYZ(a.pure, a.zipped_data, - cipher=block_cipher) -exe = EXE(pyz, - a.scripts, - a.binaries + [('msvcp140.dll', 'C:\\Windows\\System32\\msvcp140.dll', 'BINARY'), - ('vcruntime140.dll', 'C:\\Windows\\System32\\vcruntime140.dll', 'BINARY')], - a.zipfiles, - a.datas, - name='fibratus', - debug=False, - strip=False, - upx=True, - console=True, - icon=None) diff --git a/fibratus.yml b/fibratus.yml deleted file mode 100644 index f6dc466a7..000000000 --- a/fibratus.yml +++ /dev/null @@ -1,55 +0,0 @@ -image_meta: - enabled: false - imports: false - file_info: false - -skips: - images: - - svchost.exe - - smss.exe - - services.exe - - taskmgr.exe - - dwm.exe - - vprot.exe - - lsass.exe - - sihost.exe - - system - -output: - - console: - format: pretty -# - amqp: -# host: 127.0.0.1 -# port: 5672 -# username: guest -# password: guest -# vhost: / -# exchange: amq.direct -# routingkey: fibratus -# - smtp: -# host: smtp.gmail.com -# port: 587 -# from: info@github.io -# password: secret -# to: -# - fibratus@github.io -# - netmutatus@github.io -# - elasticsearch: -# hosts: -# - localhost:9200 -# index: kernelstream -# index_type: daily -# daily_index_format: %Y.%m.%d -# document: threads -# bulk: False -# username: elastic -# password: changeme -# ssl: True -# - fs: -# path: D:\\ -# mode: a -# format: json - -#binding: -# - yara: -# path: D:\yara-rules diff --git a/fibratus/__init__.py b/fibratus/__init__.py deleted file mode 100644 index 1a28ab226..000000000 --- a/fibratus/__init__.py +++ /dev/null @@ -1,15 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. diff --git a/fibratus/apidefs/__init__.py b/fibratus/apidefs/__init__.py deleted file mode 100644 index 23b74303e..000000000 --- a/fibratus/apidefs/__init__.py +++ /dev/null @@ -1,14 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. \ No newline at end of file diff --git a/fibratus/apidefs/cdefs.py b/fibratus/apidefs/cdefs.py deleted file mode 100644 index 79f3cc230..000000000 --- a/fibratus/apidefs/cdefs.py +++ /dev/null @@ -1,74 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from ctypes import Structure -from ctypes import c_void_p, c_ubyte, c_ushort, c_ulong, c_size_t, c_wchar_p -import re -import ctypes - -# undefined ctypes wintypes -LPVOID = c_void_p -PVOID = c_void_p -UCHAR = c_ubyte -SIZE_T = c_size_t -LPTSTR = c_wchar_p - -# status codes -STATUS_INFO_LENGTH_MISMATCH = 0xc0000004 -STATUS_SUCCESS = 0 - -# error codes -ERROR_SUCCESS = 0x0 -ERROR_ACCESS_DENIED = 0x5 -ERROR_BAD_LENGTH = 0x18 -ERROR_INVALID_PARAMETER = 0x57 -ERROR_ALREADY_EXISTS = 0xB7 - - -def get_last_error(): - return ctypes.GetLastError() - - -class UNICODE_STRING(Structure): - _fields_ = [('length', c_ushort), - ('maximum_length', c_ushort), - ('buffer', c_void_p)] - - -class GUID(Structure): - _fields_ = [("Data1", c_ulong), - ("Data2", c_ushort), - ("Data3", c_ushort), - ("Data4", c_ubyte * 8)] - _GUID_REGEX = re.compile('{([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{2})([0-9A-F]{2})-' - '([0-9A-F]{2})([0-9A-F]{2})([0-9A-F]{2})' - '([0-9A-F]{2})([0-9A-F]{2})([0-9A-F]{2})}', re.I) - - def __init__(self, gs=None): - if gs: - match = self._GUID_REGEX.match(gs) - g = [int(i, 16) for i in match.groups()] - self.Data1 = g[0] - self.Data2 = g[1] - self.Data3 = g[2] - for i in range(8): - self.Data4[i] = g[3 + i] - - def __str__(self): - return "{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}" % \ - (self.Data1, self.Data2, self.Data3, - self.Data4[0], self.Data4[1], - self.Data4[2], self.Data4[3], self.Data4[4], - self.Data4[5], self.Data4[6], self.Data4[7]) diff --git a/fibratus/apidefs/declarer.py b/fibratus/apidefs/declarer.py deleted file mode 100644 index d6ed2bc54..000000000 --- a/fibratus/apidefs/declarer.py +++ /dev/null @@ -1,43 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from ctypes import windll, CDLL - - -ADVAPI = 0 -KERNEL = 1 -NT = 2 -C = 3 -USER = 4 - -__LIBS__ = {ADVAPI: windll.advapi32, - KERNEL: windll.kernel32, - NT: windll.ntdll, - C: CDLL('msvcrt'), - USER: windll.user32} - - -def declare(lib_name, function_name, args, restype): - if lib_name in __LIBS__: - lib = __LIBS__[lib_name] - function = getattr(lib, function_name) - if function: - if len(args) > 0: - function.argtypes = args - if restype: - function.restype = restype - return function - else: - raise AttributeError('The library %s cannot be loaded' % lib_name) \ No newline at end of file diff --git a/fibratus/apidefs/etw.py b/fibratus/apidefs/etw.py deleted file mode 100644 index bd193293d..000000000 --- a/fibratus/apidefs/etw.py +++ /dev/null @@ -1,143 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from ctypes import Structure, POINTER -from ctypes import c_uint64, c_ulong, c_long, c_ulonglong, c_wchar_p, c_ubyte -from ctypes.wintypes import LARGE_INTEGER, HANDLE - -from fibratus.apidefs.guiddef import GUID -import fibratus.apidefs.declarer as declarer - - -TRACEHANDLE = c_uint64 - -WNODE_FLAG_TRACED_GUID = 0x00020000 -PROCESS_TRACE_MODE_REAL_TIME = 0x00000100 - - -KERNEL_TRACE_CONTROL_GUID = GUID('{9e814aad-3204-11d2-9a82-006008a86939}') -KERNEL_LOGGER_NAME = "NT Kernel Logger" - - -# enable flags for kernel events -EVENT_TRACE_FLAG_PROCESS = 0x00000001 -EVENT_TRACE_FLAG_THREAD = 0x00000002 -EVENT_TRACE_FLAG_IMAGE_LOAD = 0x00000004 - -EVENT_TRACE_FLAG_DISK_IO = 0x00000100 -EVENT_TRACE_FLAG_DISK_FILE_IO = 0x00000200 - -EVENT_TRACE_FLAG_MEMORY_PAGE_FAULTS = 0x00001000 -EVENT_TRACE_FLAG_MEMORY_HARD_FAULTS = 0x00002000 - -EVENT_TRACE_FLAG_NETWORK_TCPIP = 0x00010000 - -EVENT_TRACE_FLAG_REGISTRY = 0x00020000 -EVENT_TRACE_FLAG_DBGPRINT = 0x00040000 - -EVENT_TRACE_FLAG_PROCESS_COUNTERS = 0x00000008 -EVENT_TRACE_FLAG_CSWITCH = 0x00000010 -EVENT_TRACE_FLAG_DPC = 0x00000020 -EVENT_TRACE_FLAG_INTERRUPT = 0x00000040 -EVENT_TRACE_FLAG_SYSTEMCALL = 0x00000080 - -EVENT_TRACE_FLAG_DISK_IO_INIT = 0x00000400 - -EVENT_TRACE_FLAG_ALPC = 0x00100000 -EVENT_TRACE_FLAG_SPLIT_IO = 0x00200000 - -EVENT_TRACE_FLAG_DRIVER = 0x00800000 -EVENT_TRACE_FLAG_PROFILE = 0x01000000 -EVENT_TRACE_FLAG_FILE_IO = 0x02000000 -EVENT_TRACE_FLAG_FILE_IO_INIT = 0x04000000 - - -EVENT_TRACE_FLAG_DISPATCHER = 0x00000800 -EVENT_TRACE_FLAG_VIRTUAL_ALLOC = 0x00004000 - - -EVENT_TRACE_CONTROL_QUERY = 0 -EVENT_TRACE_CONTROL_STOP = 1 -EVENT_TRACE_CONTROL_UPDATE = 2 - - -EVENT_CONTROL_CODE_DISABLE_PROVIDER = 0 -EVENT_CONTROL_CODE_ENABLE_PROVIDER = 1 -EVENT_CONTROL_CODE_CAPTURE_STATE = 2 - - -class WNODE_HEADER(Structure): - _fields_ = [('buffer_size', c_ulong), - ('provider_id', c_ulong), - ('historical_context', c_uint64), - ('timestamp', LARGE_INTEGER), - ('guid', GUID), - ('client_context', c_ulong), - ('flags', c_ulong)] - - -class EVENT_TRACE_PROPERTIES(Structure): - _fields_ = [('wnode', WNODE_HEADER), - ('buffer_size', c_ulong), - ('minimum_buffers', c_ulong), - ('maximum_buffers', c_ulong), - ('maximum_file_size', c_ulong), - ('log_file_mode', c_ulong), - ('flush_timer', c_ulong), - ('enable_flags', c_ulong), - ('age_limit', c_long), - ('number_of_buffers', c_ulong), - ('free_buffers', c_ulong), - ('events_lost', c_ulong), - ('buffers_written', c_ulong), - ('log_buffers_lost', c_ulong), - ('real_time_buffer_lost', c_ulong), - ('logger_thread_id', HANDLE), - ('log_file_name_offset', c_ulong), - ('logger_name_offset', c_ulong)] - - -class TRACE_GUID_REGISTRATION(Structure): - _fields_ = [('guid', POINTER(GUID)), - ('reg_handle', HANDLE)] - - -class EVENT_FILTER_DESCRIPTOR(Structure): - _fields_ = [('Ptr', c_ulonglong), - ('Size', c_ulong), - ('Type', c_ulong)] - - -class ENABLE_TRACE_PARAMETERS(Structure): - _fields_ = [('Version', c_ulong), - ('EnableProperty', c_ulong), - ('ControlFlags', c_ulong), - ('SourceId', GUID), - ('EnableFilterDesc', POINTER(EVENT_FILTER_DESCRIPTOR)), - ('FilterDescCount', c_ulong)] - - -start_trace = declarer.declare(declarer.ADVAPI, 'StartTraceW', - [POINTER(TRACEHANDLE), c_wchar_p, POINTER(EVENT_TRACE_PROPERTIES)], - c_ulong) - - -control_trace = declarer.declare(declarer.ADVAPI, 'ControlTraceW', - [TRACEHANDLE, c_wchar_p, POINTER(EVENT_TRACE_PROPERTIES), c_ulong], - c_ulong) - -enable_trace_ex = declarer.declare(declarer.ADVAPI, 'EnableTraceEx2', - [TRACEHANDLE, POINTER(GUID), c_ulong, c_ubyte, c_ulonglong, - c_ulonglong, c_ulong, POINTER(ENABLE_TRACE_PARAMETERS)], - c_ulong) \ No newline at end of file diff --git a/fibratus/apidefs/fs.py b/fibratus/apidefs/fs.py deleted file mode 100644 index bdce04440..000000000 --- a/fibratus/apidefs/fs.py +++ /dev/null @@ -1,66 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from ctypes import Structure -from ctypes.wintypes import HANDLE, DWORD, BOOL, WCHAR, LONG - -import fibratus.apidefs.declarer as declarer -from fibratus.apidefs.cdefs import LPVOID, LPTSTR - - -FILE_SHARE_READ = 0x00000001 -FILE_SHARE_WRITE = 0x00000002 -FILE_SHARE_DELETE = 0x00000004 - -# if the file already exists, replace it with the given file. If it does not, create the given file. -FILE_SUPERSEDE = 0x00000000 -# if the file already exists, open it instead of creating a new file. -# If it does not, fail the request and do not create a new file. -FILE_OPEN = 0x00000001 -# if the file already exists, fail the request and do not create or open the given file. -# If it does not, create the given file. -FILE_CREATE = 0x00000002 -# If the file already exists, open it. If it does not, create the given file. -FILE_OPEN_IF = 0x00000003 -# If the file already exists, open it and overwrite it. If it does not, fail the request. -FILE_OVERWRITE = 0x00000004 -# If the file already exists, open it and overwrite it. If it does not, create the given file. -FILE_OVERWRITE_IF = 0x00000005 - -# the file being created or opened is a directory file -FILE_DIRECTORY_FILE = 0x00000001 -# open a file with a reparse point and bypass normal reparse point processing for the file -FILE_OPEN_REPARSE_POINT = 0x00200000 - - -class FILE_NAME_INFO(Structure): - _fields_ = [('file_name_length', DWORD), - ('filename', WCHAR * 1)] - - -get_file_info_by_handle = declarer.declare(declarer.KERNEL, 'GetFileInformationByHandleEx', - [HANDLE, DWORD, LPVOID, DWORD], - BOOL) -query_dos_device = declarer.declare(declarer.KERNEL, 'QueryDosDeviceW', - [LPTSTR, LPTSTR, DWORD], - DWORD) - -_get_osfhandle = declarer.declare(declarer.C, '_get_osfhandle', - [DWORD], - LONG) - -get_file_type = declarer.declare(declarer.KERNEL, 'GetFileType', - [HANDLE], - DWORD) \ No newline at end of file diff --git a/fibratus/apidefs/guiddef.py b/fibratus/apidefs/guiddef.py deleted file mode 100644 index a383f78f8..000000000 --- a/fibratus/apidefs/guiddef.py +++ /dev/null @@ -1,44 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -import ctypes -import re - - -class GUID(ctypes.Structure): - _DECOMPOSE_RE = re.compile('{([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{2})([0-9A-F]{2})-' - '([0-9A-F]{2})([0-9A-F]{2})([0-9A-F]{2})' - '([0-9A-F]{2})([0-9A-F]{2})([0-9A-F]{2})}', re.I) - - def __init__(self, guid_as_str=None): - if guid_as_str: - m = self._DECOMPOSE_RE.match(guid_as_str) - g = [int(i, 16) for i in m.groups()] - self.Data1 = g[0] - self.Data2 = g[1] - self.Data3 = g[2] - for i in range(8): - self.Data4[i] = g[3 + i] - - _fields_ = [("Data1", ctypes.c_ulong), - ("Data2", ctypes.c_ushort), - ("Data3", ctypes.c_ushort), - ("Data4", ctypes.c_ubyte * 8)] - - def __str__(self): - return "{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}" % \ - (self.Data1, self.Data2, self.Data3, - self.Data4[0], self.Data4[1], - self.Data4[2], self.Data4[3], self.Data4[4], - self.Data4[5], self.Data4[6], self.Data4[7]) diff --git a/fibratus/apidefs/process.py b/fibratus/apidefs/process.py deleted file mode 100644 index d02e01fe4..000000000 --- a/fibratus/apidefs/process.py +++ /dev/null @@ -1,115 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from ctypes import POINTER -from ctypes.wintypes import DWORD, BOOL, HANDLE, ULONG, PULONG, BYTE, PDWORD - -from fibratus.apidefs.cdefs import * -from fibratus.apidefs.sys import malloc, free -import fibratus.apidefs.declarer as declarer - - -# process access rights -PROCESS_VM_READ = 0x0010 -PROCESS_DUP_HANDLE = 0x0040 -PROCESS_QUERY_INFORMATION = 0x0400 -PROCESS_QUERY_LIMITED_INFORMATION = 0x1000 - -# thread access rights -THREAD_QUERY_INFORMATION = 0x0040 - -# ZwQueryInformationProcess constants -PROCESS_BASIC_INFO = 0 -PROCESS_IMAGE_FILENAME = 27 - - -# PEB (Process Environment Block) structures -class LIST_ENTRY(Structure): - pass -LIST_ENTRY._fields_ = [('flink', POINTER(LIST_ENTRY)), ('blink', POINTER(LIST_ENTRY))] - - -class PEB_LDR_DATA(Structure): - _fields_ = [('reserved1', BYTE * 8), - ('reserved2', BYTE * 3), - ('in_memory_order_module_list', LIST_ENTRY)] - - -class RTL_USER_PROCESS_PARAMETERS(Structure): - _fields_ = [('reserved1', BYTE * 16), - ('reserved2', PVOID * 10), - ('image_path_name', UNICODE_STRING), - ('command_line', UNICODE_STRING)] - - -class PEB(Structure): - _fields_ = [('reserved1', BYTE * 2), - ('being_debugged', BYTE), - ('reserved2', BYTE * 21), - ('ldr', POINTER(PEB_LDR_DATA)), - ('process_parameters', POINTER(RTL_USER_PROCESS_PARAMETERS)), - ('reserved3', BYTE * 520), - ('post_process_init_routine', PVOID), - ('reserved4', BYTE * 136), - ('session_id', ULONG)] - - -class PROCESS_BASIC_INFORMATION(Structure): - _fields_ = [('reserved1', PVOID), - ('peb_base_address', POINTER(PEB)), - ('reserved2', PVOID * 2), - ('unique_process_id', PULONG), - ('inherited_from_unique_process_id', ULONG)] - -open_process = declarer.declare(declarer.KERNEL, 'OpenProcess', - [DWORD, BOOL, DWORD], - HANDLE) - -open_thread = declarer.declare(declarer.KERNEL, 'OpenThread', - [DWORD, BOOL, DWORD], - HANDLE) - -_read_process_memory = declarer.declare(declarer.KERNEL, 'ReadProcessMemory', - [HANDLE, LPVOID, LPVOID, SIZE_T, POINTER(SIZE_T)], - BOOL) - -zw_query_information_process = declarer.declare(declarer.NT, 'ZwQueryInformationProcess', - [HANDLE, DWORD, PVOID, ULONG, PULONG], - DWORD) -query_full_process_image_name = declarer.declare(declarer.KERNEL, 'QueryFullProcessImageNameW', - [HANDLE, DWORD, LPTSTR, PDWORD], - BOOL) - -get_current_process = declarer.declare(declarer.KERNEL, 'GetCurrentProcess', - [], - HANDLE) -get_process_id_of_thread = declarer.declare(declarer.KERNEL, 'GetProcessIdOfThread', - [HANDLE], - DWORD) - - -def read_process_memory(process, chunk, size): - """Reads a memory block from the process address space. - """ - buff = malloc(size) - status = _read_process_memory(process, - chunk, - buff, - size, - None) - if status != ERROR_SUCCESS: - return buff - else: - free(buff) diff --git a/fibratus/apidefs/registry.py b/fibratus/apidefs/registry.py deleted file mode 100644 index c253b419f..000000000 --- a/fibratus/apidefs/registry.py +++ /dev/null @@ -1,51 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from ctypes.wintypes import HKEY, DWORD, LPDWORD, LONG, LPCWSTR -from enum import Enum - -from fibratus.apidefs.cdefs import * -import fibratus.apidefs.declarer as declarer - - -# query type flags -RRF_RT_ANY = 0x0000ffff - -# reserved key handles -HKEY_CLASSES_ROOT = HKEY(0x80000000) -HKEY_CURRENT_USER = HKEY(0x80000001) -HKEY_LOCAL_MACHINE = HKEY(0x80000002) -HKEY_USERS = HKEY(0x80000003) - -MAX_BUFFER_SIZE = 4096 -reg_get_value = declarer.declare(declarer.ADVAPI, 'RegGetValueW', - [HKEY, LPCWSTR, LPCWSTR, - DWORD, LPDWORD, PVOID, LPDWORD], - LONG) - - -class ValueType(Enum): - REG_NONE = 0 - REG_SZ = 1 - REG_EXPAND_SZ = 2 - REG_BINARY = 3 - REG_DWORD = 4 - REG_DWORD_BIG_ENDIAN = 5 - REG_LINK = 6 - REG_MULTI_SZ = 7 - REG_RESOURCE_LIST = 8 - REG_FULL_RESOURCE_DESCRIPTOR = 9 - REG_RESOURCE_REQUIREMENTS_LIST = 10 - REG_QWORD = 11 diff --git a/fibratus/apidefs/sys.py b/fibratus/apidefs/sys.py deleted file mode 100644 index 3686ee21a..000000000 --- a/fibratus/apidefs/sys.py +++ /dev/null @@ -1,157 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from ctypes import POINTER -from ctypes import c_int, c_byte, WINFUNCTYPE -from ctypes.wintypes import DWORD, ULONG, PULONG, USHORT, HANDLE, BOOL, SHORT, WCHAR, CHAR, WORD, LPDWORD - -from fibratus.apidefs.cdefs import * -import fibratus.apidefs.declarer as declarer - - -SYSTEM_HANDLE_INFORMATION_CLASS = 16 - -PUBLIC_OBJECT_BASIC_INFORMATION = 0 -PUBLIC_OBJECT_NAME_INFORMATION = 1 -PUBLIC_OBJECT_TYPE_INFORMATION = 2 - -# this constants may vary from -# one Windows version to another -# for Win 7/8 they should have -# the following values -FILE_OBJECT_TYPE_INDEX = 28 - - -STD_OUTPUT_HANDLE = -11 -INVALID_HANDLE_VALUE = -1 - -CONSOLE_TEXTMODE_BUFFER = 1 - -GENERIC_READ = 0x80000000 -GENERIC_WRITE = 0x40000000 - -FILE_SHARE_READ = 0x00000001 -FILE_SHARE_WRITE = 0x00000002 - - -# console structures -class CURSOR_INFO(ctypes.Structure): - _fields_ = [("size", c_int), - ("visible", c_byte)] - - -class COORD(ctypes.Structure): - _fields_ = [("x", SHORT), ("y", SHORT)] - - -class SMALL_RECT(ctypes.Structure): - _fields_ = [("left", SHORT), - ("top", SHORT), - ("right", SHORT), - ("bottom", SHORT)] - - -class CHAR_INFOU(ctypes.Union): - _fields_ = [("unicode_char", WCHAR), ("ascii_char", CHAR)] - - -class CHAR_INFO(ctypes.Structure): - _anonymous_ = ("char",) - _fields_ = [("char", CHAR_INFOU), ("attributes", WORD)] - - -class CONSOLE_SCREEN_BUFFER_INFO(ctypes.Structure): - _fields_ = [('size', COORD), - ('cursor_position', COORD), - ('attributes', WORD), - ('window', SMALL_RECT), - ('maximum_window_size', COORD)] - - -class SYSTEM_HANDLE(Structure): - _fields_ = [('process_id', ULONG), - ('object_type_number', UCHAR), - ('flags', UCHAR), - ('handle', USHORT), - ('object', PVOID), - ('access_mask', DWORD)] - - -class SYSTEM_HANDLE_INFORMATION(Structure): - _fields_ = [('number_of_handles', ULONG), - ('handles', SYSTEM_HANDLE * 1)] - - -class OBJECT_TYPE_INFORMATION(Structure): - _fields_ = [('type_name', UNICODE_STRING), - ('reserved', ULONG * 22)] - - -# retrieves the specified system information -zw_query_system_information = declarer.declare(declarer.NT, 'ZwQuerySystemInformation', - [DWORD, PVOID, ULONG, PULONG], - DWORD) - -# memory alloc/free functions -malloc = declarer.declare(declarer.C, 'malloc', [c_size_t], c_void_p) -realloc = declarer.declare(declarer.C, 'realloc', [c_void_p, c_size_t], c_void_p) -free = declarer.declare(declarer.C, 'free', [c_void_p], None) - -# object handle cleanup -close_handle = declarer.declare(declarer.KERNEL, 'CloseHandle', [HANDLE], BOOL) -# duplicate object handle -duplicate_handle = declarer.declare(declarer.KERNEL, 'DuplicateHandle', - [HANDLE, HANDLE, HANDLE, POINTER(HANDLE), DWORD, ULONG, ULONG], - DWORD) - -# query object name / type -nt_query_object = declarer.declare(declarer.NT, 'NtQueryObject', - [HANDLE, ULONG, PVOID, ULONG, PULONG], - DWORD) - -# low level console api -get_std_handle = declarer.declare(declarer.KERNEL, 'GetStdHandle', [DWORD], HANDLE) -set_console_active_screen_buffer = declarer.declare(declarer.KERNEL, 'SetConsoleActiveScreenBuffer', [HANDLE], BOOL) - -create_console_screen_buffer = declarer.declare(declarer.KERNEL, 'CreateConsoleScreenBuffer', - [DWORD, DWORD, c_void_p, DWORD, LPVOID], HANDLE) -get_console_screen_buffer_info = declarer.declare(declarer.KERNEL, 'GetConsoleScreenBufferInfo', - [HANDLE, POINTER(CONSOLE_SCREEN_BUFFER_INFO)], BOOL) - -write_console_output = declarer.declare(declarer.KERNEL, 'WriteConsoleOutputW', - [HANDLE, POINTER(CHAR_INFO), COORD, COORD, POINTER(SMALL_RECT)], BOOL) - -set_console_cursor_position = declarer.declare(declarer.KERNEL, 'SetConsoleCursorPosition', - [HANDLE, COORD], BOOL) - -get_console_cursor_info = declarer.declare(declarer.KERNEL, 'GetConsoleCursorInfo', - [HANDLE, POINTER(CURSOR_INFO)], BOOL) - -set_console_cursor_info = declarer.declare(declarer.KERNEL, 'SetConsoleCursorInfo', - [HANDLE, POINTER(CURSOR_INFO)], BOOL) - -write_console_unicode = declarer.declare(declarer.KERNEL, 'WriteConsoleW', - [HANDLE, c_void_p, DWORD, LPDWORD, LPVOID], BOOL) - - -PHANDLER_ROUTINE = WINFUNCTYPE(BOOL, DWORD) -set_console_ctrl_handler = declarer.declare(declarer.KERNEL, 'SetConsoleCtrlHandler', - [PHANDLER_ROUTINE, BOOL], BOOL) - - -# event objects -create_event = declarer.declare(declarer.KERNEL, 'CreateEventW', [c_void_p, BOOL, BOOL, LPTSTR], HANDLE) - - diff --git a/fibratus/binding/__init__.py b/fibratus/binding/__init__.py deleted file mode 100644 index d7ce39087..000000000 --- a/fibratus/binding/__init__.py +++ /dev/null @@ -1,14 +0,0 @@ -# Copyright 2017 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. \ No newline at end of file diff --git a/fibratus/binding/base.py b/fibratus/binding/base.py deleted file mode 100644 index f4a8913cf..000000000 --- a/fibratus/binding/base.py +++ /dev/null @@ -1,24 +0,0 @@ -# Copyright 2017 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - - -class BaseBinding(object): - - def __init__(self, outputs, logger): - self.outputs = outputs - self.logger = logger - - def run(self, **kwargs): - raise NotImplementedError() diff --git a/fibratus/binding/yar.py b/fibratus/binding/yar.py deleted file mode 100644 index 57db325e6..000000000 --- a/fibratus/binding/yar.py +++ /dev/null @@ -1,94 +0,0 @@ -# Copyright 2017 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from fibratus.binding.base import BaseBinding -from fibratus.errors import BindingError - -import os -import glob - -try: - import yara -except ImportError: - yara = None - - -class YaraBinding(BaseBinding): - - def __init__(self, outputs, logger, **config): - """Creates an instance of the YARA binding. - - This binding integrates with YARA tool to provide real time classification and pattern matching of the - process's binary images. The image path is extracted from the `ThreadInfo` instance after `CreateProcess` - kernel event has been captured. - - :param dict outputs: declared output adapters - :param logbook.Logger logger: reference to the logger implementation - :param dict config: configuration for this binding - """ - - BaseBinding.__init__(self, outputs, logger) - self._path = config.pop('path', None) - self._rules = None - if not yara: - raise BindingError('yara-python package is not installed') - if not os.path.exists(self._path) or not os.path.isdir(self._path): - raise BindingError('%s rules path does not exist' % - self._path) - try: - for file in glob.glob(os.path.join(self._path, '*.yar')): - self._rules = yara.compile(os.path.join(self._path, file)) - except yara.SyntaxError as e: - raise BindingError("rule compilation error %s" % e) - - def run(self, **kwargs): - """Apply the YARA rule set to process's image path. - - If a rule match occurs, the data with rule information, matching strings, process name, etc. is transported - over provided output implementation. If output type is not specified, the console output stream is used. - - :param dict kwargs: parameters for the binding context - """ - thread_info = kwargs.pop('thread_info', None) - kevent = kwargs.pop('kevent', None) - if thread_info: - def yara_callback(data): - matches = data['matches'] - if matches: - rule_context = { - 'rule_info': { - 'meta': data['meta'], - 'tags': data['tags'], - 'namespace': data['namespace'], - 'rule': data['rule'], - 'strings': [self.__string_meta(string) for string in data['strings']] - } - } - kevent.params.update(rule_context) - return yara.CALLBACK_CONTINUE - self._rules.match(thread_info.exe, callback=yara_callback) - - def __string_meta(self, string): - """Unpacks the tuple with matching string data and transforms it to a dictionary. - - :param tuple string: the tuple with matching string data - :return: dict: - """ - offset, ident, data = string - return { - 'offset': offset, - 'identifier': ident, - 'data': data.decode('utf-8') - } diff --git a/fibratus/cli.py b/fibratus/cli.py deleted file mode 100644 index 07a4cd373..000000000 --- a/fibratus/cli.py +++ /dev/null @@ -1,135 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Usage: - fibratus run ([--filament=] | [--filters ...]) - [--pid= | --image=] [--no-enum-handles] [--cswitch] - fibratus list-kevents - fibratus list-filaments - fibratus -h | --help - fibratus --version - -Options: - -h --help Show this screen. - --filament= Specify the filament to execute. - --no-enum-handles Avoids enumerating the system handles. - --pid= Spy on a specific process identifier. - --image= Spy on a specific image name. - --cswitch Enables context switch kernel events. - --version Show version. -""" -import sys - -from docopt import docopt - -from fibratus.apidefs.sys import set_console_ctrl_handler, PHANDLER_ROUTINE -from fibratus.errors import FilamentError -from fibratus.entrypoint import Fibratus -from fibratus.filament import Filament -from fibratus.kevent import KEvents -from fibratus.version import VERSION -from fibratus.common import panic, Tabular - -args = docopt(__doc__, version=VERSION) - -kevent_filters = args[''] -filament_name = args['--filament'] if args['--filament'] else None - - -def _check_kevent(kevent): - if kevent not in KEvents.all(): - panic('fibratus run: ERROR - %s is not a valid kernel event. Run list-kevents to see ' - 'the available kernel events' % kevent) - - -def main(): - if args['run']: - if len(kevent_filters) > 0 and not filament_name: - for kfilter in kevent_filters: - _check_kevent(kfilter) - - enum_handles = False if args['--no-enum-handles'] else True - cswitch = True if args['--cswitch'] else False - - filament = None - filament_filters = [] - - if filament_name: - if not Filament.exists(filament_name): - panic('fibratus run: ERROR - %s filament does not exist. Run list-filaments to see ' - 'the available filaments' % filament_name) - filament = Filament() - try: - filament.load_filament(filament_name) - except FilamentError as e: - panic('fibratus run: ERROR - %s' % e) - - filament_filters = filament.filters - - if len(filament_filters) > 0: - for kfilter in filament_filters: - _check_kevent(kfilter) - - filament.render_tabular() - - try: - fibratus = Fibratus(filament, enum_handles=enum_handles, cswitch=cswitch) - except KeyboardInterrupt: - # the user has stopped command execution - # before opening the kernel event stream - sys.exit(0) - - @PHANDLER_ROUTINE - def handle_ctrl_c(event): - if event == 0: - fibratus.stop_ktrace() - return 0 - set_console_ctrl_handler(handle_ctrl_c, True) - - # add specific filters - filters = dict() - filters['pid'] = args['--pid'] if args['--pid'] else None - filters['image'] = args['--image'] if args['--image'] else None - - if not filament: - if len(kevent_filters) > 0: - fibratus.add_filters(kevent_filters, **filters) - else: - fibratus.add_filters([], **filters) - else: - if len(filament_filters) > 0: - fibratus.add_filters(filament_filters, **filters) - else: - fibratus.add_filters([], **filters) - try: - fibratus.run() - except KeyboardInterrupt: - set_console_ctrl_handler(handle_ctrl_c, False) - - elif args['list-filaments']: - filaments = Tabular(['Filament', 'Description'], 'Description', - sort_by='Filament') - for filament, desc in Filament.list_filaments().items(): - filaments.add_row([filament, desc]) - filaments.draw() - - elif args['list-kevents']: - kevents = Tabular(['KEvent', 'Category', 'Description'], 'Description', - sort_by='Category') - for kevent, meta in KEvents.meta_info().items(): - kevents.add_row([kevent, meta[0].name, meta[1]]) - kevents.draw() diff --git a/fibratus/common.py b/fibratus/common.py deleted file mode 100644 index d7e7f830e..000000000 --- a/fibratus/common.py +++ /dev/null @@ -1,92 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import sys -import re -from prettytable import PrettyTable - -__underscore_regex__ = re.compile('((?<=[a-z0-9])[A-Z]|(?!^)[A-Z](?=[a-z]))') - - -NA = '' - - -def panic(msg): - """Write the message on the console and terminates the process. - - Parameters - ---------- - msg: str - the message to be written on the standard output stream - """ - print(msg) - sys.exit() - - -def underscore_dict_keys(in_dict): - if type(in_dict) is dict: - out_dict = {} - for key, item in in_dict.items(): - out_dict[__underscore_regex__.sub(r'_\1', key).lower()] = underscore_dict_keys(item) - return out_dict - elif type(in_dict) is list: - return [__underscore_regex__.sub(r'_\1', obj).lower() for obj in in_dict] - else: - return in_dict - - -class Tabular(PrettyTable): - - def __init__(self, columns, align_col=None, align_type='l', sort_by=None): - PrettyTable.__init__(self, columns) - if align_col: - self.align[align_col] = align_type - if sort_by: - self.sortby = sort_by - - def draw(self): - print(self.get_string()) - - -class DotD(dict): - """This code is borrowed from easydict - Credits to: - - https://github.com/makinacorpus/easydict/blob/master/easydict/__init__.py - """ - def __init__(self, d=None, **kwargs): - if d is None: - d = {} - if kwargs: - d.update(**kwargs) - for k, v in d.items(): - setattr(self, k, v) - # class attributes - for k in self.__class__.__dict__.keys(): - if not (k.startswith('__') and k.endswith('__')): - setattr(self, k, getattr(self, k)) - - def __setattr__(self, name, value): - if isinstance(value, (list, tuple)): - value = [self.__class__(x) - if isinstance(x, dict) else x for x in value] - else: - value = self.__class__(value) if isinstance(value, dict) else value - super(DotD, self).__setattr__(name, value) - super(DotD, self).__setitem__(name, value) - - __setitem__ = __setattr__ - diff --git a/fibratus/config.py b/fibratus/config.py deleted file mode 100644 index 40b819133..000000000 --- a/fibratus/config.py +++ /dev/null @@ -1,85 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import os -import sys -import anyconfig -from fibratus.common import panic, DotD as ddict -from pykwalify.core import Core - - -class YamlConfig(object): - """YAML based configuration reader. - - Reads the configuration from YAML file, and ensures the content satisfies the structure - as defined in the schema file. - """ - - def __init__(self, config_path=None): - self._default_config_path = os.path.join(os.path.expanduser('~'), '.fibratus', 'fibratus.yml') - self._default_schema_path = os.path.join(os.path.expanduser('~'), '.fibratus', 'schema.yml') - self.path = config_path or os.getenv('FIBRATUS_CONFIG_PATH', self._default_config_path) - self._yaml = None - - def load(self, validate=True): - schema_file = os.path.join(sys._MEIPASS, 'schema.yml') \ - if hasattr(sys, '_MEIPASS') else self._default_schema_path - try: - self._yaml = anyconfig.load(self.path, ignore_missing=False) - except FileNotFoundError: - panic('ERROR - %s configuration file does not exist' % self.path) - if validate: - validator = Core(source_file=self.path, schema_files=[schema_file]) - validator.validate(raise_exception=True) - - @property - def image_meta(self): - return ddict(self._yaml.pop('image_meta', {})) - - @property - def skips(self): - return ddict(self._yaml.pop('skips', {})) - - @property - def outputs(self): - return self._yaml.pop('output', None) - - @property - def bindings(self): - return self._yaml.pop('binding', None) - - @property - def yaml(self): - return self._yaml - - @property - def default_config_path(self): - return self._default_config_path - - @default_config_path.setter - def default_config_path(self, path): - self._default_config_path = path - - @property - def default_schema_path(self): - return self._default_schema_path - - @default_schema_path.setter - def default_schema_path(self, path): - self._default_schema_path = path - - @property - def config_path(self): - return self.path \ No newline at end of file diff --git a/fibratus/context_switch.py b/fibratus/context_switch.py deleted file mode 100644 index eb8be4a28..000000000 --- a/fibratus/context_switch.py +++ /dev/null @@ -1,405 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -import ctypes -import os -from ctypes.wintypes import MAX_PATH, DWORD -from enum import Enum - -from fibratus.apidefs.process import open_thread, get_process_id_of_thread, \ - THREAD_QUERY_INFORMATION, open_process, PROCESS_QUERY_INFORMATION, PROCESS_VM_READ, \ - query_full_process_image_name -from fibratus.apidefs.sys import close_handle -from fibratus.common import NA - - -class ContextSwitchRegistry(object): - """Keeps the state of the context switches ocurring on the system. - - Once the CPU scheduler selects a new thread to execute, the context switch - registry tracks down a plethora of attributes like the new thread priority, - the old thread state, the wait reason, etc. It also keeps a counter on how many - context switches has been made for a particular thread and the logical cpu. - - """ - - def __init__(self, thread_registry, kevent): - self._css = {} - self._thread_registry = thread_registry - self._kevent = kevent - - def next_cswitch(self, cpu, ts, kcs, on_context_switch=None): - """Parses the context switch kernel events. - - Parameters - ---------- - cpu: int - the logical cpu where the context switch occurs - ts: str - the timestamp of the context switch - kcs: dict - the context switch info as forwarded - from the kstream collector - on_context_switch: callable - the callback to execute after the parsing stage - - """ - new_thread_id = int(kcs.new_thread_id, 16) - old_thread_id = int(kcs.old_thread_id, 16) - new_thread_wait_time = int(kcs.new_thread_wait_time, 16) - thread_cs = (cpu, new_thread_id,) - next_thread = self._thread_registry.get_thread(new_thread_id) - prev_thread = self._thread_registry.get_thread(old_thread_id) - - next_pid = next_thread.pid if next_thread else None - next_proc_name = next_thread.name if next_thread \ - else self._get_proc(new_thread_id) - prev_proc_name = prev_thread.name if prev_thread \ - else self._get_proc(old_thread_id) - - if thread_cs in self._css: - # if the thread has been previously scheduled - # on the same logical cpu, we can update its - # context switch info - cs = self._css[thread_cs] - cs.timestamp = ts - cs.prev_thread = prev_proc_name or NA - cs.next_thread_prio = kcs.new_thread_priority - cs.next_thread_wait_time = new_thread_wait_time - cs.prev_thread_prio = kcs.old_thread_priority - cs.prev_thread_state = ContextSwitchRegistry._human_thread_state(kcs.old_thread_state) - cs.prev_thread_wait_mode = ContextSwitchRegistry._human_wait_mode(kcs.old_thread_wait_mode) - cs.prev_thread_wait_reason = ContextSwitchRegistry._human_wait_reason(kcs.old_thread_wait_reason) - cs.increment_count() - else: - # the new thread has been scheduled - # add it to the registry of context - # switches - cs = CSwitch(ts, - next_proc_name or NA, - prev_proc_name or NA, - kcs.new_thread_priority, - new_thread_wait_time, - kcs.old_thread_priority, - ContextSwitchRegistry._human_thread_state(kcs.old_thread_state), - ContextSwitchRegistry._human_wait_mode(kcs.old_thread_wait_mode), - ContextSwitchRegistry._human_wait_reason(kcs.old_thread_wait_reason)) - cs.increment_count() - self._css[thread_cs] = cs - - if on_context_switch: - if next_proc_name: - on_context_switch(cpu, next_proc_name) - else: - on_context_switch(cpu, kcs.new_thread_id) - - self._kevent.tid = new_thread_id - self._kevent.pid = next_pid - params = { - 'next_proc_name': cs.next_proc_name, - 'prev_proc_name': cs.prev_proc_name, - 'cpu': cpu, - 'next_thread_id': new_thread_id, - 'prev_thread_id': old_thread_id, - 'next_thread_prio': cs.next_thread_prio, - 'prev_thread_prio': cs.prev_thread_prio, - 'prev_thread_state': cs.prev_thread_state.name if cs.prev_thread_state else NA, - 'next_thread_wait_time': cs.next_thread_wait_time, - 'prev_thread_wait_mode': cs.prev_thread_wait_mode.name if cs.prev_thread_wait_mode else NA, - 'prev_thread_wait_reason': cs.prev_thread_wait_reason.name if cs.prev_thread_wait_reason else NA - } - self._kevent.params = params - - def context_switches(self): - """Returns a dictionary of context switches. - """ - return self._css - - def _get_proc(self, thread_id): - handle = open_thread(THREAD_QUERY_INFORMATION, - False, - thread_id) - - if handle: - # if it was possible to get the process id - # which is the parent of the thread, we can - # try to get the process name from its pid - pid = get_process_id_of_thread(handle) - close_handle(handle) - handle = open_process(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, - False, - pid) - if handle: - exe = ctypes.create_unicode_buffer(MAX_PATH) - status = query_full_process_image_name(handle, 0, - exe, DWORD(MAX_PATH)) - close_handle(handle) - if status: - return os.path.basename(exe.value) - - @classmethod - def _human_thread_state(cls, thread_state): - if thread_state == ThreadState.INITIALIZED.value: - return ThreadState.INITIALIZED - elif thread_state == ThreadState.READY.value: - return ThreadState.READY - elif thread_state == ThreadState.RUNNING.value: - return ThreadState.RUNNING - elif thread_state == ThreadState.STANDBY.value: - return ThreadState.STANDBY - elif thread_state == ThreadState.TERMINATED.value: - return ThreadState.TERMINATED - elif thread_state == ThreadState.WAITING.value: - return ThreadState.WAITING - elif thread_state == ThreadState.TRANSITION.value: - return ThreadState.TRANSITION - elif thread_state == ThreadState.DEFERRED_READY.value: - return ThreadState.DEFERRED_READY - - @classmethod - def _human_wait_reason(cls, wait_reason): - if wait_reason == WaitReason.EXECUTIVE.value or wait_reason == WaitReason.EXECUTIVE.value + 7: - return WaitReason.EXECUTIVE - elif wait_reason == WaitReason.FREE_PAGE.value or wait_reason == WaitReason.FREE_PAGE.value + 7: - return WaitReason.FREE_PAGE - elif wait_reason == WaitReason.PAGE_IN.value or wait_reason == WaitReason.PAGE_IN.value + 7: - return WaitReason.PAGE_IN - elif wait_reason == WaitReason.POOL_ALLOCATION.value or wait_reason == WaitReason.POOL_ALLOCATION.value + 7: - return WaitReason.POOL_ALLOCATION - elif wait_reason == WaitReason.DELAY_EXECUTION.value or wait_reason == WaitReason.DELAY_EXECUTION.value + 7: - return WaitReason.DELAY_EXECUTION - elif wait_reason == WaitReason.SUSPENDED.value or wait_reason == WaitReason.SUSPENDED.value + 7: - return WaitReason.SUSPENDED - elif wait_reason == WaitReason.USER_REQUEST or wait_reason == WaitReason.USER_REQUEST.value + 7: - return WaitReason.USER_REQUEST - elif wait_reason == WaitReason.EVENT_PAIR.value: - return WaitReason.EVENT_PAIR - elif wait_reason == WaitReason.QUEUE.value: - return WaitReason.QUEUE - elif wait_reason == WaitReason.LPC_RECEIVE.value: - return WaitReason.LPC_RECEIVE - elif wait_reason == WaitReason.LPC_REPLY.value: - return WaitReason.LPC_REPLY - elif wait_reason == WaitReason.VIRTUAL_MEMORY.value: - return WaitReason.VIRTUAL_MEMORY - elif wait_reason == WaitReason.PAGE_OUT.value: - return WaitReason.PAGE_OUT - elif wait_reason == WaitReason.RENDEZVOUS.value: - return WaitReason.RENDEZVOUS - elif wait_reason == WaitReason.KEYED_EVENT.value: - return WaitReason.KEYED_EVENT - elif wait_reason == WaitReason.TERMINATED.value: - return WaitReason.TERMINATED - elif wait_reason == WaitReason.PROCESS_IN_SWAP.value: - return WaitReason.PROCESS_IN_SWAP - elif wait_reason == WaitReason.CPU_WAIT_CONTROL.value: - return WaitReason.CPU_WAIT_CONTROL - elif wait_reason == WaitReason.CALLOUT_STACK.value: - return WaitReason.CALLOUT_STACK - elif wait_reason == WaitReason.KERNEL.value: - return WaitReason.KERNEL - elif wait_reason == WaitReason.RESOURCE.value: - return WaitReason.RESOURCE - elif wait_reason == WaitReason.PUSH_LOCK.value: - return WaitReason.PUSH_LOCK - elif wait_reason == WaitReason.MUTEX.value: - return WaitReason.MUTEX - elif wait_reason == WaitReason.QUANTUM_END.value: - return WaitReason.QUANTUM_END - elif wait_reason == WaitReason.DISPATCH_INT.value: - return WaitReason.DISPATCH_INT - elif wait_reason == WaitReason.PREEMPTED.value: - return WaitReason.PREEMPTED - elif wait_reason == WaitReason.YIELD_EXECUTION.value: - return WaitReason.YIELD_EXECUTION - elif wait_reason == WaitReason.FAST_MUTEX.value: - return WaitReason.FAST_MUTEX - elif wait_reason == WaitReason.GUARDED_MUTEX.value: - return WaitReason.GUARDED_MUTEX - elif wait_reason == WaitReason.RUNDOWN.value: - return WaitReason.RUNDOWN - elif wait_reason == WaitReason.MAXIMUM_WAIT_REASON.value: - return WaitReason.MAXIMUM_WAIT_REASON - - @classmethod - def _human_wait_mode(cls, wait_mode): - if wait_mode == WaitMode.KERNEL.value: - return WaitMode.KERNEL - elif wait_mode == WaitMode.USER.value: - return WaitMode.USER - - -class CSwitch(object): - - def __init__(self, ts, next_proc_name, prev_proc_name, next_thread_prio, - next_thread_wait_time, prev_thread_prio, prev_thread_state, - prev_thread_wait_mode, - prev_thread_wait_reason): - """Context switch state info. - - Parameters - ---------- - ts: str - the timestamp of the context switch - next_proc_name: str - process name of the thread which is about to be scheduled - prev_proc_name: str - process name right before the context switch - next_thread_prio: int - the priority of the new thread - next_thread_wait_time: int - wait time for the new thread - prev_thread_prio: int - the priority of the old thread - prev_thread_state: Enum - state of the previous thread - prev_thread_wait_mode: Enum - the wait mode of the old thread - prev_thread_wait_reason: Enum - the wait reason of the previous thread - - """ - self._ts = ts - self._next_proc_name = next_proc_name - self._prev_proc_name = prev_proc_name - self._next_thread_prio = next_thread_prio - self._next_thread_wait_time = next_thread_wait_time - self._prev_thread_prio = prev_thread_prio - self._prev_thread_state = prev_thread_state - self._prev_thread_wait_mode = prev_thread_wait_mode - self._prev_thread_wait_reason = prev_thread_wait_reason - self._count = 0 - - @property - def timestamp(self): - return self._ts - - @timestamp.setter - def timestamp(self, ts): - self._ts = ts - - @property - def next_proc_name(self): - return self._next_proc_name - - @property - def prev_proc_name(self): - return self._prev_proc_name - - @property - def next_thread_prio(self): - return self._next_thread_prio - - @next_thread_prio.setter - def next_thread_prio(self, next_thread_prio): - self._next_thread_prio = next_thread_prio - - @property - def next_thread_wait_time(self): - return self._next_thread_wait_time - - @next_thread_wait_time.setter - def next_thread_wait_time(self, next_thread_wait_time): - self._next_thread_wait_time = next_thread_wait_time - - @property - def prev_thread_prio(self): - return self._prev_thread_prio - - @prev_thread_prio.setter - def prev_thread_prio(self, prev_thread_prio): - self._prev_thread_prio = prev_thread_prio - - @property - def prev_thread_state(self): - return self._prev_thread_state - - @prev_thread_state.setter - def prev_thread_state(self, prev_thread_state): - self._prev_thread_state = prev_thread_state - - @property - def prev_thread_wait_mode(self): - return self._prev_thread_wait_mode - - @prev_thread_wait_mode.setter - def prev_thread_wait_mode(self, prev_thread_wait_mode): - self._prev_thread_wait_mode = prev_thread_wait_mode - - @property - def prev_thread_wait_reason(self): - return self._prev_thread_wait_reason - - @prev_thread_wait_reason.setter - def prev_thread_wait_reason(self, prev_thread_wait_reason): - self._prev_thread_wait_reason = prev_thread_wait_reason - - @property - def count(self): - return self._count - - def increment_count(self): - self._count += 1 - - -class ThreadState(Enum): - """Possible thread states. - """ - INITIALIZED = 0 - READY = 1 - RUNNING = 2 - STANDBY = 3 - TERMINATED = 4 - WAITING = 5 - TRANSITION = 6 - DEFERRED_READY = 7 - - -class WaitMode(Enum): - KERNEL = 0 - USER = 1 - - -class WaitReason(Enum): - EXECUTIVE = 0 - FREE_PAGE = 1 - PAGE_IN = 2 - POOL_ALLOCATION = 3 - DELAY_EXECUTION = 4 - SUSPENDED = 5 - USER_REQUEST = 6 - EVENT_PAIR = 14 - QUEUE = 15 - LPC_RECEIVE = 16 - LPC_REPLY = 17 - VIRTUAL_MEMORY = 18 - PAGE_OUT = 19 - RENDEZVOUS = 20 - KEYED_EVENT = 21 - TERMINATED = 22 - PROCESS_IN_SWAP = 23 - CPU_WAIT_CONTROL = 24 - CALLOUT_STACK = 25 - KERNEL = 26 - RESOURCE = 27 - PUSH_LOCK = 28 - MUTEX = 29 - QUANTUM_END = 30 - DISPATCH_INT = 31 - PREEMPTED = 32 - YIELD_EXECUTION = 33 - FAST_MUTEX = 34 - GUARDED_MUTEX = 35 - RUNDOWN = 36 - MAXIMUM_WAIT_REASON = 37 diff --git a/fibratus/controller.py b/fibratus/controller.py deleted file mode 100644 index 48da194fc..000000000 --- a/fibratus/controller.py +++ /dev/null @@ -1,158 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from ctypes import addressof, byref, cast, memmove, sizeof, c_char, c_wchar -from ctypes import ArgumentError, pointer - -from fibratus.apidefs.cdefs import ERROR_ALREADY_EXISTS, ERROR_ACCESS_DENIED, ERROR_BAD_LENGTH, \ - ERROR_INVALID_PARAMETER, ERROR_SUCCESS -from fibratus.apidefs.etw import * -from fibratus.errors import FibratusError -from fibratus.common import panic - -class KTraceProps(object): - - def __init__(self, buffer_size=1024): - """Builds the tracing session properties. - - Parameters - --------- - - buffer_size: int - the amount of memory allocated for each trace buffer - """ - - # allocate buffer for the trace - self.max_string_len = 1024 - self.buff_size = sizeof(EVENT_TRACE_PROPERTIES) + 2 * sizeof(c_wchar) * self.max_string_len - - self._buff = (c_char * self.buff_size)() - self._props = cast(pointer(self._buff), POINTER(EVENT_TRACE_PROPERTIES)) - - # set trace properties - self._props.contents.wnode.buffer_size = self.buff_size - self._props.contents.wnode.guid = KERNEL_TRACE_CONTROL_GUID - self._props.contents.wnode.flags = WNODE_FLAG_TRACED_GUID - self._props.contents.logger_name_offset = sizeof(EVENT_TRACE_PROPERTIES) - self._props.contents.log_file_name_offset = 0 - self._props.contents.log_file_mode = PROCESS_TRACE_MODE_REAL_TIME - self._props.contents.buffer_size = buffer_size - - def enable_kflags(self, syscall=False, cswitch=False): - # enable the basic set of flags - # for the kernel events - self._props.contents.enable_flags = (EVENT_TRACE_FLAG_PROCESS | - EVENT_TRACE_FLAG_REGISTRY | - EVENT_TRACE_FLAG_THREAD | - EVENT_TRACE_FLAG_DISK_IO | - EVENT_TRACE_FLAG_DISK_FILE_IO | - EVENT_TRACE_FLAG_FILE_IO | - EVENT_TRACE_FLAG_FILE_IO_INIT | - EVENT_TRACE_FLAG_IMAGE_LOAD | - EVENT_TRACE_FLAG_NETWORK_TCPIP) - - # syscall / cswitch flags generate a LOT of kevents - # and they are disabled by default - if syscall: - self._props.contents.enable_flags |= (EVENT_TRACE_FLAG_SYSTEMCALL | EVENT_TRACE_FLAG_CSWITCH) - if cswitch: - self._props.contents.enable_flags |= EVENT_TRACE_FLAG_CSWITCH - - def get(self): - return self._props - - @property - def logger_name(self): - return c_wchar_p(addressof(self._props.contents) + - self._props.contents.logger_name_offset) - - @logger_name.setter - def logger_name(self, logger_name): - name_len = len(logger_name) + 1 - if self.max_string_len < name_len: - raise ArgumentError("Logger name %s is too long" % logger_name) - props = self._props - logger = c_wchar_p(addressof(props.contents) + props.contents.logger_name_offset) - memmove(logger, c_wchar_p(logger_name), sizeof(c_wchar) * name_len) - - -class KTraceController(object): - """Controls the life cycle of the kernel traces. - - """ - - def __init__(self): - self._handle = TRACEHANDLE() - self._trace_name = None - - def __del__(self): - if self._handle: - self.stop_ktrace() - - def start_ktrace(self, name, kprops): - """Starts a new trace. - - Parameters - --------- - - name: str - the name for the trace session - kprops: KTraceProps - an instance of the kernel trace properties - """ - self._trace_name = name - handle = TRACEHANDLE() - kp = kprops.get() - status = start_trace(byref(handle), - self._trace_name, - kp) - self._handle = handle - if status == ERROR_ALREADY_EXISTS: - # the kernel logger trace session - # is already running. Restart the trace. - self.stop_ktrace() - status = start_trace(byref(handle), - self._trace_name, - kp) - if status != ERROR_SUCCESS: - raise FibratusError('Unable to start fibratus') - self._handle = handle - elif status == ERROR_ACCESS_DENIED: - # insufficient privileges - panic("You don't have administrative privileges. Stopping fibratus...") - elif status == ERROR_BAD_LENGTH: - raise FibratusError('Incorrect buffer size for the trace buffer') - elif status == ERROR_INVALID_PARAMETER: - raise FibratusError('Invalid trace handle or provider GUID') - elif status != ERROR_SUCCESS: - raise FibratusError('Unable to start fibratus') - - def stop_ktrace(self, kprops=None): - """Stops the current running trace. - - Parameters - --------- - kprops: KTraceProps - an instance of the kernel trace properties - """ - kprops = kprops or KTraceProps() - - handle = self._handle - self._handle = TRACEHANDLE() - control_trace(handle, - self._trace_name, - kprops.get(), - EVENT_TRACE_CONTROL_STOP) diff --git a/fibratus/dll.py b/fibratus/dll.py deleted file mode 100644 index 7fe42afa0..000000000 --- a/fibratus/dll.py +++ /dev/null @@ -1,138 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import os - - -class DllRepository(object): - - def __init__(self, kevent): - self.dlls = {} - self._kevent = kevent - - def register_dll(self, kdll): - """Registers a loaded image. - - Registers an image when - the latter is loaded into the address space - of the process. - - Parameters - ---------- - - kdll: dict - Image load event payload as forwarded - from the kernel event stream collector - """ - pid = kdll.process_id - path = kdll.file_name - image = os.path.basename(path) - size = kdll.image_size - checksum = kdll.image_checksum - base = kdll.image_base - - self._kevent.pid = pid - - dll = Dll(pid, path, - image, - size, - checksum, - base) - - if pid in self.dlls: - # append a new image to - # the associated process - self.dlls[pid].append(dll) - else: - self.dlls[pid] = [dll] - - self._kevent.params = dict(image=image, - pid=pid, - path=path, - size=dll.size, - checksum=checksum, - base=hex(base)) - - def unregister_dll(self, kdll): - """Unregisters a loaded image. - - Removes the loaded image from - the repository for a given process. - - Parameters - ---------- - - kdll: dict - Image unload event payload as forwarded - from the kernel event stream collector - """ - pid = kdll.process_id - path = kdll.file_name - image = os.path.basename(path) - size = kdll.image_size / 1024 - checksum = kdll.image_checksum - base = kdll.image_base - - self._kevent.pid = pid - - if pid in self.dlls: - dlls = self.dlls[pid] - for dll in dlls: - if dll.image == image: - dlls.remove(dll) - self._kevent.params = dict(image=image, - pid=pid, - path=path, - size=size, - checksum=checksum, - base=hex(base)) - - def dlls_for_process(self, pid): - return self.dlls[pid] if pid in self.dlls else [] - - -class Dll(object): - - def __init__(self, pid, path, image, size, checksum, base): - self._pid = pid - self._path = path - self._size = size - self._checksum = checksum - self._base = base - self._image = image - - @property - def pid(self): - return self._pid - - @property - def path(self): - return self._path - - @property - def image(self): - return self._image - - @property - def size(self): - return self._size - - @property - def base(self): - return hex(self._base) - - @property - def checksum(self): - return self._checksum diff --git a/fibratus/entrypoint.py b/fibratus/entrypoint.py deleted file mode 100644 index 737593f6f..000000000 --- a/fibratus/entrypoint.py +++ /dev/null @@ -1,435 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# http://rabbitstack.github.io -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import atexit -import os -import sys -from datetime import datetime - -from kstreamc import KEventStreamCollector -from pykwalify.errors import SchemaError - -from fibratus.binding.yar import YaraBinding -from fibratus.errors import BindingError -from fibratus.image_meta import ImageMetaRegistry -from fibratus.output.aggregator import OutputAggregator -from fibratus.output.console import ConsoleOutput -from fibratus.output.elasticsearch import ElasticsearchOutput -from fibratus.output.fs import FsOutput -from fibratus.output.smtp import SmtpOutput -from logbook import Logger, FileHandler, StreamHandler - -import fibratus.apidefs.etw as etw -from fibratus.common import DotD as ddict, panic -from fibratus.config import YamlConfig -from fibratus.context_switch import ContextSwitchRegistry -from fibratus.controller import KTraceController, KTraceProps -from fibratus.dll import DllRepository -from fibratus.fs import FsIO -from fibratus.handle import HandleRepository -from fibratus.kevent import KEvent -from fibratus.kevent_types import * -from fibratus.tcpip.tcpip import TcpIpParser -from fibratus.output.amqp import AmqpOutput -from fibratus.registry import HiveParser -from fibratus.thread import ThreadRegistry - - -class Fibratus(object): - - """Fibratus entrypoint. - - Setup the core components including the kernel - event stream collector and the tracing controller. - At this point the system handles are also being - enumerated. - - """ - def __init__(self, filament, **kwargs): - - self._start = datetime.now() - try: - log_path = os.path.join(os.path.expanduser('~'), '.fibratus', 'fibratus.log') - FileHandler(log_path, mode='w+').push_application() - StreamHandler(sys.stdout, bubble=True).push_application() - except PermissionError: - panic("ERROR - Unable to open log file for writing due to permission error") - - self.logger = Logger(Fibratus.__name__) - self.logger.info('Starting Fibratus...') - - self._config = YamlConfig() - self.logger.info('Loading configuration from [%s]' % self._config.config_path) - try: - self._config.load() - except SchemaError as e: - panic('Invalid configuration file. %s' % e.msg) - - enable_cswitch = kwargs.pop('cswitch', False) - - self.kcontroller = KTraceController() - self.ktrace_props = KTraceProps() - self.ktrace_props.enable_kflags(cswitch=enable_cswitch) - self.ktrace_props.logger_name = etw.KERNEL_LOGGER_NAME - - enum_handles = kwargs.pop('enum_handles', True) - - self.handle_repository = HandleRepository() - self._handles = [] - # query for handles on the - # start of the kernel trace - if enum_handles: - self.logger.info('Enumerating system handles...') - self._handles = self.handle_repository.query_handles() - self.logger.info('%s handles found' % len(self._handles)) - self.handle_repository.free_buffers() - - image_meta_config = self._config.image_meta - self.image_meta_registry = ImageMetaRegistry(image_meta_config.enabled, image_meta_config.imports, - image_meta_config.file_info) - - self.thread_registry = ThreadRegistry(self.handle_repository, self._handles, - self.image_meta_registry) - - self.kevt_streamc = KEventStreamCollector(etw.KERNEL_LOGGER_NAME.encode()) - skips = self._config.skips - image_skips = skips.images if 'images' in skips else [] - if len(image_skips) > 0: - self.logger.info("Adding skips for images %s" % image_skips) - for skip in image_skips: - self.kevt_streamc.add_skip(skip) - - self.kevent = KEvent(self.thread_registry) - - self._output_classes = dict(console=ConsoleOutput, - amqp=AmqpOutput, - smtp=SmtpOutput, - elasticsearch=ElasticsearchOutput, - fs=FsOutput) - self._outputs = self._construct_outputs() - self.output_aggregator = OutputAggregator(self._outputs) - - self._binding_classes = dict(yara=YaraBinding) - self._bindings = self._construct_bindings() - - if filament: - filament.logger = self.logger - filament.do_output_accessors(self._outputs) - self._filament = filament - - self.fsio = FsIO(self.kevent, self._handles) - self.hive_parser = HiveParser(self.kevent, self.thread_registry) - self.tcpip_parser = TcpIpParser(self.kevent) - self.dll_repository = DllRepository(self.kevent) - self.context_switch_registry = ContextSwitchRegistry(self.thread_registry, self.kevent) - - self.output_kevents = {} - self.filters_count = 0 - - def run(self): - - @atexit.register - def _exit(): - self.stop_ktrace() - - self.kcontroller.start_ktrace(etw.KERNEL_LOGGER_NAME, self.ktrace_props) - - def on_kstream_open(): - if self._filament is None: - delta = datetime.now() - self._start - self.logger.info('Started in %sm:%02ds.%s' % (int(delta.total_seconds() / 60), delta.seconds, - int(delta.total_seconds() * 1000))) - else: - self.logger.info('Running [%s] filament...' % self._filament.name) - self.kevt_streamc.set_kstream_open_callback(on_kstream_open) - self._open_kstream() - - def _open_kstream(self): - try: - self.kevt_streamc.open_kstream(self._on_next_kevent) - except Exception as e: - self.logger.error(e) - except KeyboardInterrupt: - self.stop_ktrace() - - def _construct_outputs(self): - """Instantiates output classes. - - Builds the dictionary with instances - of the output classes. - """ - outputs = {} - output_configs = self._config.outputs - if not output_configs: - return outputs - for output in output_configs: - name = next(iter(list(output.keys())), None) - if name and \ - name in self._output_classes.keys(): - # get the output configuration - # and instantiate its class - output_config = output[name] - self.logger.info("Deploying [%s] output - [%s]" - % (name, {k: v for k, v in output_config.items() - if 'password' not in k})) - output_class = self._output_classes[name] - outputs[name] = output_class(**output_config) - return outputs - - def _construct_bindings(self): - """Builds binding classes. - - :return: dict: dictionary with instances of the binding classes - """ - bindings = {} - binding_configs = self._config.bindings - if not binding_configs: - return bindings - for b in binding_configs: - name = next(iter(list(b.keys())), None) - if name and \ - name in self._binding_classes.keys(): - binding_config = b[name] - self.logger.info("Starting [%s] binding - [%s]" % - (name, binding_config)) - binding_class = self._binding_classes[name] - try: - binding = binding_class(self._outputs, self.logger, - **binding_config) - bindings[name] = binding - except BindingError as e: - self.logger.error("Couldn't start [%s] binding. Reason: %s" % - (name, e)) - return bindings - - def __find_binding(self, name): - return self._bindings[name] if name in self._bindings else None - - def stop_ktrace(self): - self.logger.info('Stopping fibratus...') - if self._filament: - self._filament.close() - self.kcontroller.stop_ktrace(self.ktrace_props) - self.kevt_streamc.close_kstream() - - def add_filters(self, kevent_filters, **kwargs): - self.kevt_streamc.add_pid_filter(kwargs.pop('pid', None)) - self.kevt_streamc.add_image_filter(kwargs.pop('image', None)) - if len(kevent_filters) > 0: - self.filters_count = len(kevent_filters) - # include the basic filters - # that are essential to the - # rest of kernel events - self.kevt_streamc.add_ktuple_filter(ENUM_PROCESS) - self.kevt_streamc.add_ktuple_filter(ENUM_THREAD) - self.kevt_streamc.add_ktuple_filter(ENUM_IMAGE) - self.kevt_streamc.add_ktuple_filter(REG_CREATE_KCB) - self.kevt_streamc.add_ktuple_filter(REG_DELETE_KCB) - - # these kevents are necessary for consistent state - # of the trace. If the user doesn't include them - # in a filter list, then we do the job but set the - # kernel event type as not eligible for rendering - if KEvents.CREATE_PROCESS not in kevent_filters: - self.kevt_streamc.add_ktuple_filter(CREATE_PROCESS) - self.output_kevents[CREATE_PROCESS] = False - else: - self.output_kevents[CREATE_PROCESS] = True - - if KEvents.CREATE_THREAD not in kevent_filters: - self.kevt_streamc.add_ktuple_filter(CREATE_THREAD) - self.output_kevents[CREATE_THREAD] = False - else: - self.output_kevents[CREATE_THREAD] = True - - if KEvents.TERMINATE_PROCESS not in kevent_filters: - self.kevt_streamc.add_ktuple_filter(TERMINATE_PROCESS) - self.output_kevents[TERMINATE_PROCESS] = False - else: - self.output_kevents[TERMINATE_PROCESS] = True - - if KEvents.TERMINATE_THREAD not in kevent_filters: - self.kevt_streamc.add_ktuple_filter(TERMINATE_THREAD) - self.output_kevents[TERMINATE_THREAD] = False - else: - self.output_kevents[TERMINATE_THREAD] = True - - for kevent_filter in kevent_filters: - ktuple = kname_to_tuple(kevent_filter) - if isinstance(ktuple, list): - for kt in ktuple: - self.kevt_streamc.add_ktuple_filter(kt) - if kt not in self.output_kevents: - self.output_kevents[kt] = True - else: - self.kevt_streamc.add_ktuple_filter(ktuple) - if ktuple not in self.output_kevents: - self.output_kevents[ktuple] = True - - def _on_next_kevent(self, ktype, cpuid, ts, kparams): - """Callback which fires when new kernel event arrives. - - This callback is invoked for every new kernel event - forwarded from the kernel stream collector. - - Parameters - ---------- - - ktype: tuple - Kernel event type. - cpuid: int - Indentifies the CPU core where the event - has been captured. - ts: str - Temporal reference of the kernel event. - kparams: dict - Kernel event's parameters. - """ - - # initialize kernel event properties - self.kevent.ts = ts - self.kevent.cpuid = cpuid - self.kevent.name = ktuple_to_name(ktype) - kparams = ddict(kparams) - - # thread / process kernel events - if ktype in [CREATE_PROCESS, - CREATE_THREAD, - ENUM_PROCESS, - ENUM_THREAD]: - self.thread_registry.add_thread(ktype, kparams) - if ktype in [CREATE_PROCESS, CREATE_THREAD]: - self.thread_registry.init_thread_kevent(self.kevent, - ktype, - kparams) - # apply yara binding by matching against the process's image path - if ktype == CREATE_PROCESS: - yara_binding = self.__find_binding('yara') - pid = int(kparams.process_id, 16) - thread = self.thread_registry.get_thread(pid) - if thread and yara_binding: - yara_binding.run(thread_info=thread, - kevent=self.kevent) - self._aggregate(ktype) - - elif ktype in [TERMINATE_PROCESS, TERMINATE_THREAD]: - self.thread_registry.init_thread_kevent(self.kevent, - ktype, - kparams) - self._aggregate(ktype) - self.thread_registry.remove_thread(ktype, kparams) - - # file system/disk kernel events - elif ktype in [CREATE_FILE, - DELETE_FILE, - CLOSE_FILE, - READ_FILE, - WRITE_FILE, - RENAME_FILE, - SET_FILE_INFORMATION]: - self.fsio.parse_fsio(ktype, kparams) - self._aggregate(ktype) - - # dll kernel events - elif ktype in [LOAD_IMAGE, ENUM_IMAGE]: - self.dll_repository.register_dll(kparams) - if ktype == LOAD_IMAGE: - self._aggregate(ktype) - elif ktype == UNLOAD_IMAGE: - self.dll_repository.unregister_dll(kparams) - self._aggregate(ktype) - # - # # registry kernel events - elif ktype == REG_CREATE_KCB: - self.hive_parser.add_kcb(kparams) - elif ktype == REG_DELETE_KCB: - self.hive_parser.remove_kcb(kparams.key_handle) - - elif ktype in [REG_CREATE_KEY, - REG_DELETE_KEY, - REG_OPEN_KEY, - REG_QUERY_KEY, - REG_SET_VALUE, - REG_DELETE_VALUE, - REG_QUERY_VALUE]: - self.hive_parser.parse_hive(ktype, kparams) - self._aggregate(ktype) - - # network kernel events - elif ktype in [SEND_SOCKET_TCPV4, - SEND_SOCKET_UDPV4, - RECV_SOCKET_TCPV4, - RECV_SOCKET_UDPV4, - ACCEPT_SOCKET_TCPV4, - CONNECT_SOCKET_TCPV4, - DISCONNECT_SOCKET_TCPV4, - RECONNECT_SOCKET_TCPV4]: - self.tcpip_parser.parse_tcpip(ktype, kparams) - self._aggregate(ktype) - - # context switch events - elif ktype == CONTEXT_SWITCH: - self.context_switch_registry.next_cswitch(cpuid, ts, kparams) - self._aggregate(ktype) - - if self._filament: - if ktype not in [ENUM_PROCESS, - ENUM_THREAD, - ENUM_IMAGE, - REG_CREATE_KCB, - REG_DELETE_KCB]: - ok = self.output_kevents[ktype] if ktype in self.output_kevents \ - else False - if self.kevent.name and ok: - thread = self.kevent.thread - kevent = { - 'params': self.kevent.params, - 'name': self.kevent.name, - 'pid': self.kevent.pid, - 'tid': self.kevent.tid, - 'timestamp': self.kevent.ts, - 'cpuid': self.kevent.cpuid, - 'category': self.kevent.category - } - if thread: - kevent.update({ - 'thread': { - 'name': thread.name, - 'exe': thread.exe, - 'comm': thread.comm, - 'pid': thread.pid, - 'ppid': thread.ppid - } - }) - self._filament.on_next_kevent(kevent) - - def _aggregate(self, ktype): - """Aggregates the kernel event to the output sink. - - Parameters - ---------- - - ktype: tuple - Identifier of the kernel event - """ - if not self._filament: - if ktype in self.output_kevents: - if self.output_kevents[ktype]: - self.kevent.inc_kid() - self.output_aggregator.aggregate(self.kevent) - elif self.filters_count == 0: - self.kevent.inc_kid() - self.output_aggregator.aggregate(self.kevent) \ No newline at end of file diff --git a/fibratus/errors.py b/fibratus/errors.py deleted file mode 100644 index 1e2349b32..000000000 --- a/fibratus/errors.py +++ /dev/null @@ -1,54 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - - -class KTraceError(Exception): - pass - - -class FibratusError(Exception): - pass - - -class FilamentError(Exception): - pass - - -class TermInitializationError(Exception): - pass - - -class UnknownKeventTypeError(Exception): - - def __init__(self, kevent): - Exception.__init__(self, '%s cannot be recognized as a valid kernel event' - % kevent) - - -class HandleEnumError(Exception): - - def __init__(self, status): - Exception.__init__(self, 'Unable to enumerate handles. Error code %s' - % status) - - -class InvalidPayloadError(Exception): - pass - - -class BindingError(Exception): - pass - diff --git a/fibratus/filament.py b/fibratus/filament.py deleted file mode 100644 index 9d214f556..000000000 --- a/fibratus/filament.py +++ /dev/null @@ -1,321 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import inspect -import traceback -import os -import sys -from importlib.machinery import SourceFileLoader - -from apscheduler.executors.pool import ThreadPoolExecutor -from apscheduler.schedulers.background import BackgroundScheduler -from apscheduler.triggers.interval import IntervalTrigger - -from fibratus.common import DotD as ddict, Tabular -from fibratus.common import panic -from fibratus.errors import FilamentError, TermInitializationError -from fibratus.term import AnsiTerm - - -FILAMENTS_DIR = os.getenv('FILAMENTS_PATH', os.path.join(os.path.expanduser('~'), '.fibratus', 'filaments')) - - -class OutputAccessor(object): - """An accessor for the output meta variable. - - It represents an output accessor which is injected into - every filament module. - """ - def __init__(self, output): - self._output = output - - def emit(self, body, **kwargs): - self._output.emit(body, **kwargs) - - -class Filament(object): - """Filament initialization and execution engine. - - Filaments are lightweight Python modules which run - on top of Fibratus. They are often used to enrich/extend the - functionality of Fibratus by performing any type of logic - (aggregations, groupings, filters, counters, etc) on the - kernel event stream. - - """ - def __init__(self): - """Builds a new instance of the filament. - - Attributes: - ---------- - - filament_module: module - module which contains the filament logic - """ - self._filament_module = None - self._name = None - self._filters = [] - self._cols = [] - self._tabular = None - self._limit = 10 - self._interval = 1 - self._sort_by = None - self._sort_desc = True - self._logger = None - self._ansi_term = AnsiTerm() - self.scheduler = BackgroundScheduler() - - def load_filament(self, name): - """Loads the filament module. - - Finds and loads the python module which - holds the filament logic. It also looks up for - some essential filament methods and raises an error - if they can't be found. - - Parameters - ---------- - name: str - name of the filament to load - - """ - self._name = name - Filament._assert_root_dir() - filament_path = self._find_filament_path(name) - if filament_path: - loader = SourceFileLoader(name, filament_path) - self._filament_module = loader.load_module() - sys.path.append(FILAMENTS_DIR) - doc = inspect.getdoc(self._filament_module) - if not doc: - raise FilamentError('Please provide a short ' - 'description for the filament') - - on_next_kevent = self._find_filament_func('on_next_kevent') - if on_next_kevent: - if self._num_args(on_next_kevent) != 1: - raise FilamentError('Missing one argument on_next_kevent ' - 'method on filament') - self._initialize_funcs() - else: - raise FilamentError('Missing required on_next_kevent ' - 'method on filament') - else: - raise FilamentError('%s filament not found' % name) - - def _initialize_funcs(self): - """Setup the filament modules functions. - - Functions - --------- - - set_filter: func - accepts the comma separated list of kernel events - for whose the filter should be applied - set_interval: func - establishes the fixed repeating interval in seconds - columns: func - configure the column set for the table - add_row: func - adds a new row to the table - sort_by: func - sorts the table by specific column - """ - - def set_filter(*args): - self._filters = args - self._filament_module.set_filter = set_filter - - def set_interval(interval): - if not type(interval) is int: - raise FilamentError('Interval must be an integer value') - self._interval = interval - self._filament_module.set_interval = set_interval - - def columns(cols): - if not isinstance(cols, list): - raise FilamentError('Columns must be a list, ' - '%s found' % type(cols)) - self._cols = cols - self._tabular = Tabular(self._cols) - self._tabular.padding_width = 10 - self._tabular.junction_char = '|' - - def add_row(row): - if not isinstance(row, list): - raise FilamentError('Expected list type for the row, found %s' - % type(row)) - self._tabular.add_row(row) - - def sort_by(col, sort_desc=True): - if len(self._cols) == 0: - raise FilamentError('Expected at least 1 column but 0 found') - if col not in self._cols: - raise FilamentError('%s column does not exist' % col) - self._sort_by = col - self._sort_desc = sort_desc - - def limit(l): - if len(self._cols) == 0: - raise FilamentError('Expected at least 1 column but 0 found') - if not type(l) is int: - raise FilamentError('Limit must be an integer value') - self._limit = l - - def title(text): - self._tabular.title = text - - self._filament_module.columns = columns - self._filament_module.title = title - self._filament_module.sort_by = sort_by - self._filament_module.limit = limit - self._filament_module.add_row = add_row - self._filament_module.render_tabular = self.render_tabular - - on_init = self._find_filament_func('on_init') - if on_init and self._zero_args(on_init): - self._filament_module.on_init() - if self._find_filament_func('on_interval'): - self.scheduler.add_executor(ThreadPoolExecutor(max_workers=4)) - self.scheduler.start() - - def on_interval(): - try: - self._filament_module.on_interval() - except Exception: - self._logger.error('Unexpected error on interval elapsed %s' - % traceback.format_exc()) - self.scheduler.add_job(on_interval, - IntervalTrigger(), - seconds=self._interval, - max_instances=4, - misfire_grace_time=60) - if len(self._cols) > 0: - try: - self._ansi_term.setup_console() - except TermInitializationError: - panic('fibratus run: ERROR - console initialization failed') - - def do_output_accessors(self, outputs): - """Creates the filament's output accessors. - - Parameters - ---------- - - outputs: dict - outputs initialized from the configuration - descriptor - """ - for name, output in outputs.items(): - setattr(self._filament_module, name, OutputAccessor(output)) - - def on_next_kevent(self, kevent): - try: - self._filament_module.on_next_kevent(ddict(kevent)) - except Exception as e: - self._logger.error('Unexpected filament error %s' % e) - - def render_tabular(self): - """Renders the table on the console. - """ - if len(self._cols) > 0: - tabular = self._tabular.get_string(start=1, end=self._limit) - if self._sort_by: - tabular = self._tabular.get_string(start=1, end=self._limit, - sortby=self._sort_by, - reversesort=self._sort_desc) - self._tabular.clear_rows() - self._ansi_term.write_output(tabular) - - def close(self): - on_stop = self._find_filament_func('on_stop') - if on_stop and self._zero_args(on_stop): - self._filament_module.on_stop() - if self.scheduler.running: - self.scheduler.shutdown() - self._ansi_term.restore_console() - - @classmethod - def exists(cls, filament): - Filament._assert_root_dir() - return os.path.exists(os.path.join(FILAMENTS_DIR, '%s.py' % filament)) - - @classmethod - def list_filaments(cls): - Filament._assert_root_dir() - filaments = {} - paths = [os.path.join(FILAMENTS_DIR, path) for path in os.listdir(FILAMENTS_DIR) - if path.endswith('.py')] - for path in paths: - filament_name = os.path.basename(path)[:-3] - loader = SourceFileLoader(filament_name, path) - filament = loader.load_module() - filaments[filament_name] = inspect.getdoc(filament) - return filaments - - @classmethod - def _assert_root_dir(cls): - if not os.path.exists(FILAMENTS_DIR): - panic('fibratus run: ERROR - %s path does not exist.' % FILAMENTS_DIR) - - @property - def filters(self): - return self._filters - - @property - def logger(self): - return self._logger - - @logger.setter - def logger(self, logger): - self._logger = logger - - @property - def filament_module(self): - return self._filament_module - - @property - def name(self): - return self._name - - def _find_filament_func(self, func_name): - """Finds the function in the filament module. - - Parameters - ---------- - - func_name: str - the name of the function - """ - functions = inspect.getmembers(self._filament_module, predicate=inspect.isfunction) - return next(iter([func for name, func in functions if name == func_name]), None) - - def _find_filament_path(self, filament_name): - """Resolves the filament full path from the name - - Parameters - ---------- - - filament_name: str - the name of the filament whose path if about to be resolved - """ - return next(iter([os.path.join(FILAMENTS_DIR, filament) for filament in os.listdir(FILAMENTS_DIR) - if filament.endswith('.py') and filament_name == filament[:-3]]), None) - - def _num_args(self, func): - return len(inspect.getargspec(func).args) - - def _zero_args(self, func): - return self._num_args(func) == 0 diff --git a/fibratus/fs.py b/fibratus/fs.py deleted file mode 100644 index 841805328..000000000 --- a/fibratus/fs.py +++ /dev/null @@ -1,223 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from enum import Enum - -from fibratus.common import NA -from fibratus.handle import HandleType -from fibratus.kevent_types import * -from fibratus.apidefs.fs import * - - -class FileOps(Enum): - - # if the file already exists, - # replace it with the given file - # otherwise create the given file - SUPERSEDE = 0 - # if the file already exists, - # open it instead of creating a new file - OPEN = 1 - # if the file already exists, - # fail the request otherwise create the file - CREATE = 2 - # if the file already exists, - # open it, otherwise create the given file - OPEN_IF = 3 - # if the file already exists, - # open it and overwrite it, - # otherwise fail the request - OVERWRITE = 4 - # if the file already exists, - # open it and overwrite it, - # otherwise create the given file - OVERWRITE_IF = 5 - - -class FileType(Enum): - - FILE = 0 - DIRECTORY = 1 - REPARSE_POINT = 2 - UNKNOWN = 3 - - -class FsIO(object): - - def __init__(self, kevent, handles): - self._kevent = kevent - self.file_pool = {} - self.file_handles = {handle.obj: (handle.name, handle.handle_type, handle.handle) - for handle in handles - if handle.handle_type in [HandleType.FILE, HandleType.DIRECTORY]} - - def parse_fsio(self, ketype, kfsio): - """Parses the file system related kevents. - - Parameters - ---------- - - ketype: tuple - kevent type - kfsio: dict - kevent payload as forwarded from - """ - - # thread which is perfoming the op - tid = kfsio.ttid - pid = kfsio.process_id - obj = kfsio.file_object - self._kevent.tid = tid - self._kevent.pid = pid - # creates or opens a file or the I/O device. - # The device can be a file, file stream, directory, - # physical disk, volume, console buffer, tape drive, - # communications resource, mailslot, or pipe. - if ketype == CREATE_FILE: - file = kfsio.open_path - # the high 8 bits correspond to the value of the - # `CreateDisposition` parameter and the low 24 bits - # are the value of the `CreateOptions` parameter - # of the `NtCreateFile` system call - co = kfsio.create_options - - # extract the most significat 8 bits - flags = (co >> 24) & ((1 << 8) - 1) - - op = FileOps.OPEN - if flags == FILE_SUPERSEDE: - op = FileOps.SUPERSEDE - elif flags == FILE_OPEN: - op = FileOps.OPEN - elif flags == FILE_CREATE: - op = FileOps.CREATE - elif flags == FILE_OPEN_IF: - op = FileOps.OPEN_IF - elif flags == FILE_OVERWRITE: - op = FileOps.OVERWRITE - elif flags == FILE_OVERWRITE_IF: - op = FileOps.OVERWRITE_IF - - # determine file descriptor type - file_type = FileType.FILE - if (co & FILE_DIRECTORY_FILE) == FILE_DIRECTORY_FILE: - file_type = FileType.DIRECTORY - elif (co & FILE_OPEN_REPARSE_POINT) == FILE_OPEN_REPARSE_POINT: - file_type = FileType.REPARSE_POINT - - share_mask = self._resolve_share_mask(kfsio.share_access) - params = { - 'file': file, - 'file_type': file_type.name, - 'file_object': obj, - 'tid': tid, - 'pid': pid, - 'operation': op.name, - 'share_mask': share_mask - } - self._kevent.params = params - - # index by file object pointer - # so we can query the pool - # to resolve the file name - self.file_pool[obj] = file - - elif ketype == DELETE_FILE or ketype == CLOSE_FILE: - file = self._query_file_name(obj, True) - params = { - 'file': file, - 'file_object': obj, - 'pid': pid, - 'tid': tid - } - self._kevent.params = params - elif ketype == WRITE_FILE or ketype == READ_FILE: - # the number of kb read/written - io_size = kfsio.io_size / 1024 - file = self._query_file_name(obj) - params = { - 'file': file, - 'file_object': obj, - 'pid': pid, - 'tid': tid, - 'io_size': io_size - } - self._kevent.params = params - elif ketype == RENAME_FILE: - file = self._query_file_name(obj) - params = { - 'file': file, - 'file_object': obj, - 'pid': pid, - 'tid': tid - } - self._kevent.params = params - if NA not in file: - self.file_pool[obj] = file - elif ketype == SET_FILE_INFORMATION: - file = self._query_file_name(obj) - params = { - 'file': file, - 'file_object': obj, - 'pid': pid, - 'tid': tid, - 'info_class': kfsio.info_class - } - self._kevent.params = params - - def _query_file_name(self, fobj, remove=False): - if fobj in self.file_pool: - return self.file_pool.pop(fobj) if remove \ - else self.file_pool[fobj] - else: - # couldn't find the file in the file pool, - # query the file handles - if fobj in self.file_handles: - file, _, _ = self.file_handles.pop(fobj) - if file and not remove: - self.file_pool[fobj] = file - return file if file else NA - else: - return NA - - def _resolve_share_mask(self, share_access): - """Resolves the share mask. - - Resolves the type of share access that - the caller would like to use in the file. - - For example, `FILE_SHARE_READ` would allow other - threads to open the file for read access. - - :param str share_access: the value of the share access - :return: str: resolved share mask - """ - - if share_access == FILE_SHARE_READ: - return 'r--' - elif share_access == FILE_SHARE_WRITE: - return '-w-' - elif share_access == FILE_SHARE_DELETE: - return '--d' - elif share_access == (FILE_SHARE_READ | FILE_SHARE_WRITE): - return 'rw-' - elif share_access == (FILE_SHARE_READ | FILE_SHARE_DELETE): - return 'r-d' - elif share_access == (FILE_SHARE_WRITE | FILE_SHARE_DELETE): - return '-wd' - elif share_access == (FILE_SHARE_READ | FILE_SHARE_WRITE | - FILE_SHARE_DELETE): - return 'rwd' - else: - return '---' diff --git a/fibratus/handle.py b/fibratus/handle.py deleted file mode 100644 index adf496e33..000000000 --- a/fibratus/handle.py +++ /dev/null @@ -1,268 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from _ctypes import POINTER, byref, addressof -from ctypes import cast, c_ulong, c_wchar_p -from ctypes.wintypes import HANDLE, ULONG -from enum import Enum - -from fibratus.common import DotD as ddict -from fibratus.apidefs.cdefs import STATUS_INFO_LENGTH_MISMATCH, STATUS_SUCCESS, ERROR_SUCCESS, \ - UNICODE_STRING -from fibratus.apidefs.process import open_process, PROCESS_DUP_HANDLE, get_current_process -from fibratus.apidefs.registry import MAX_BUFFER_SIZE -from fibratus.apidefs.sys import zw_query_system_information, SYSTEM_HANDLE_INFORMATION_CLASS, \ - SYSTEM_HANDLE_INFORMATION, free, realloc, SYSTEM_HANDLE, malloc, duplicate_handle, nt_query_object, \ - PUBLIC_OBJECT_TYPE_INFORMATION, OBJECT_TYPE_INFORMATION, PUBLIC_OBJECT_NAME_INFORMATION, close_handle -from fibratus.errors import HandleEnumError - - -class HandleType(Enum): - FILE = 0 - DIRECTORY = 1 - KEY = 2 - ALPC_PORT = 3 - SECTION = 4 - MUTANT = 5 - EVENT = 6 - DESKTOP = 7 - SEMAPHORE = 8 - TIMER = 9 - TOKEN = 10 - JOB = 11 - - -class HandleRepository(object): - """Stores open handle objects. - """ - - def __init__(self): - self._object_buff_size = 0x1000 - self._object_types = {} - # the object handles with these - # masks shouldn't be queried, - # otherwise the call could hang - # the main thread - self._nasty_access_masks = [0x120189, - 0x0012019f, - 0x1A019F] - - self._handle_types = [name for name, _ in HandleType.__members__.items()] - self._buffers = [] - - def query_handles(self, pid=None): - raw_handles = self._enum_handles(pid) - current_ps = HANDLE(get_current_process()) - handles = [] - # find the object handles for the process - for _, handle in raw_handles.items(): - ps_handle = open_process(PROCESS_DUP_HANDLE, - False, - handle.pid) - if ps_handle: - handle_copy = HANDLE() - # to query the object handle - # we need to duplicate it in - # the address space of the current process - status = duplicate_handle(ps_handle, - handle.handle, - current_ps, - byref(handle_copy), - 0, 0, 0) - if status != ERROR_SUCCESS: - # get the object type - handle_type = self._query_handle(handle_copy, - PUBLIC_OBJECT_TYPE_INFORMATION, - OBJECT_TYPE_INFORMATION) - if handle_type: - handle_type = cast(handle_type.contents.type_name.buffer, c_wchar_p) \ - .value \ - .upper().replace(' ', '_') - # query for object name - # (file names, registry keys, - # sections, ALPC ports, etc) - # check the access mask to make - # sure `NtQueryObject` won't hang - if handle_type in self._handle_types and \ - handle.access_mask not in self._nasty_access_masks: - handle_name = self._query_handle(handle_copy, - PUBLIC_OBJECT_NAME_INFORMATION, - UNICODE_STRING) - if handle_name: - handle_name = cast(handle_name.contents.buffer, c_wchar_p).value - handle_info = HandleInfo(handle.handle, - handle.obj, - HandleType(HandleType.__getattr__(handle_type)), - handle_name, - handle.pid) - handles.append(handle_info) - - close_handle(handle_copy) - close_handle(ps_handle) - return handles - - def free_buffers(self): - for buff in self._buffers: - free(buff) - - def _enum_handles(self, process_id=None): - """Enumerates handle information. - - Enumerates handle info on - the start of the kernel capture. - - Returns a dictionary of handle's - information including the handle id, - access mask, and the process which owns - the handle. - """ - buff_size = MAX_BUFFER_SIZE - size = c_ulong() - # allocate the initial buffer - buff = malloc(buff_size) - handles = {} - - while True: - status = zw_query_system_information(SYSTEM_HANDLE_INFORMATION_CLASS, - buff, - buff_size, - byref(size)) - if status == STATUS_INFO_LENGTH_MISMATCH: - # the buffer is too small - # increment the buffer size and try again - buff_size += MAX_BUFFER_SIZE - elif status == STATUS_SUCCESS: - # cast the buffer to `SYSTEM_HANDLE_INFORMATION` struct - # which contains an array of `SYSTEM_HANDLE` structures - sys_handle_info = cast(buff, POINTER(SYSTEM_HANDLE_INFORMATION)) - sys_handle_info = sys_handle_info.contents - handle_count = sys_handle_info.number_of_handles - - # resize the array size to the - # actual number of file handles - sys_handles = (SYSTEM_HANDLE * buff_size).from_address(addressof(sys_handle_info.handles)) - - for i in range(handle_count): - sys_handle = sys_handles[i] - pid = sys_handle.process_id - handle = sys_handle.handle - obj = sys_handle.object - obj_type_index = sys_handle.object_type_number - access_mask = sys_handle.access_mask - if process_id and process_id == pid: - handles[obj] = ddict(pid=process_id, - handle=handle, - obj=obj, - access_mask=access_mask, - obj_type_index=obj_type_index) - elif process_id is None: - handles[obj] = ddict(pid=pid, - handle=handle, - obj=obj, - access_mask=access_mask, - obj_type_index=obj_type_index) - break - else: - raise HandleEnumError(status) - # reallocate the buffer - buff = realloc(buff, buff_size) - # free the buffer memory - free(buff) - - return handles - - def _async_query_object(self): - pass - - def _query_handle(self, handle, klass, object_info_type): - """Gets the object handle info. - - Parameters - ---------- - - - handle: HANDLE - handle object - klass: int - the class of information to query - object_info_type: Structure - structure type which holds the handle info - """ - buff = malloc(self._object_buff_size) - rlen = ULONG() - status = nt_query_object(handle, - klass, - buff, - self._object_buff_size, - byref(rlen)) - if status >= 0: - info = cast(buff, POINTER(object_info_type)) - self._buffers.append(buff) - return info - else: - # reallocate the buffer size - # and try again - buff = realloc(buff, rlen.value) - status = nt_query_object(handle, - klass, - buff, - self._object_buff_size, - None) - if status >= 0: - info = cast(buff, POINTER(object_info_type)) - self._buffers.append(buff) - return info - else: - free(buff) - return None - - -class HandleInfo(): - """Saves the handle meta data. - """ - - def __init__(self, handle, obj, handle_type, name, pid): - self._handle = handle - self._obj = obj - self._handle_type = handle_type - self._name = name - self._pid = pid - - @property - def name(self): - return self._name - - @property - def handle_type(self): - return self._handle_type - - @property - def obj(self): - return self._obj - - @property - def pid(self): - return self._pid - - @property - def handle(self): - return self._handle - - def __str__(self): - return '%s type: [%s] object address: [%s] handle id: [%s] pid: [%s]' % \ - (self._name, self._handle_type, - hex(self._obj), - self._handle, - self._pid) diff --git a/fibratus/image_meta.py b/fibratus/image_meta.py deleted file mode 100644 index 4ff2e199a..000000000 --- a/fibratus/image_meta.py +++ /dev/null @@ -1,237 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -import pefile -from fibratus.common import DotD as ddict, underscore_dict_keys - - -def __decode__(value): - return value.decode('utf-8') - - -def __from_idx__(string_table, idx): - """Lookups the entry in the string table. - - Parameters - ---------- - string_table: dict - the string table - idx: int - index for the entry - """ - _, v = string_table[idx] - return __decode__(v) - - -class ImageMetaRegistry(object): - - def __init__(self, enabled=True, imports=False, file_info=False): - """Creates an instace of the image meta registry. - - Arguments - --------- - - enabled: bool - determines if image meta information should be added to the registry - imports: bool - it instructs the PE module to parse the directory entry import structure - file_info: bool - determines if file information meta data should be extracted from the PE - """ - self.image_metas = {} - self.imports = imports - self.file_info = file_info - self.enabled = enabled - self.full_loaded = False - - def add_image_meta(self, path): - """Registers image meta information. - - This method parses the PE (Portable Executable) binary format - of the the image passed in the `path` parameter. - - It then extracts some basic headers present in the PE, as well - as sections which form the binary image. - - Parameters - ---------- - - path: str - the absolute path of the image file - """ - if not self.enabled: - return None - try: - if (path.endswith('exe') or - path.endswith('dll') or - path.endswith('sys')) and \ - path not in self.image_metas: - pe = pefile.PE(path, fast_load=True) - file_header = ddict(underscore_dict_keys(pe.FILE_HEADER.dump_dict())) - # create image meta instance - image_meta = ImageMeta(file_header.machine.value, - file_header.time_date_stamp.value, - file_header.number_of_sections.value) - image_meta.sections = [dict(name=__decode__(ddict(se.dump_dict()).Name.Value), - entropy=se.get_entropy(), - md5=se.get_hash_md5(), - sha1=se.get_hash_sha1(), - sha256=se.get_hash_sha256(), - sha512=se.get_hash_sha512()) - for se in pe.sections] - # parse directory entry imports - if self.imports: - pe.full_load() - self.full_loaded = True - for module in self.__directory_entry_import__(pe): - dll = __decode__(module.dll) - imports = [__decode__(i.name) - for i in module.imports - if not i.import_by_ordinal] - image_meta.imports[dll] = imports - # parse the string table to extract - # the copyright, company, description - # and other attributes - if self.file_info: - if not self.full_loaded: - pe.full_load() - if self.__pe_has_version_info__(pe): - file_info = pe.FileInfo - if file_info and len(file_info) > 0: - file_info = file_info[0] - if self.__fi_has_string_table__(file_info): - string_table = sorted(list(file_info.StringTable[0].entries.items())) - # get file info entries from table index - image_meta.org = __from_idx__(string_table, 0) - image_meta.description = __from_idx__(string_table, 1) - image_meta.version = __from_idx__(string_table, 2) - image_meta.internal_name = __from_idx__(string_table, 3) - image_meta.copyright = __from_idx__(string_table, 4) - - self.image_metas[path] = image_meta - - return image_meta - except Exception: - # ignore the exception for now - # but consider logging it to file - # in case it can provide hints for - # troubleshooting purposes - pass - - def get_image_meta(self, path): - return self.image_metas[path] if path in self.image_metas else None - - def remove_image_meta(self, path): - return self.image_metas.pop(path, None) - - def __pe_has_version_info__(self, pe): - return hasattr(pe, 'VS_VERSIONINFO') - - def __fi_has_string_table__(self, file_info): - return len(file_info.StringTable) > 0 and hasattr(file_info, 'StringTable') - - def __directory_entry_import__(self, pe): - return getattr(pe, 'DIRECTORY_ENTRY_IMPORT') if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT') else [] - - -class ImageMeta(object): - """Container for a plethora of metadata extracted from the PE headers. - - Attributes - ---------- - arch: str - identifies the target architecture for which this image is compiled - timestamp: str - the date and time the image was created by the linker - num_sections: int - indicates the size of the section table - sections: list - information for every section found in the image - """ - def __init__(self, arch, timestamp, num_sections): - self._arch = 'x86-64' if arch == 34404 else 'x86' - self._timestamp = timestamp - self._num_sections = num_sections - self._sections = [] - self._org = None - self._description = None - self._version = None - self._internal_name = None - self._copyright = None - - self._imports = {} - - @property - def arch(self): - return self._arch - - @property - def timestamp(self): - return self._timestamp - - @property - def num_sections(self): - return self._num_sections - - @property - def org(self): - return self._org - - @org.setter - def org(self, org): - self._org = org - - @property - def description(self): - return self._description - - @description.setter - def description(self, description): - self._description = description - - @property - def version(self): - return self._version - - @version.setter - def version(self, version): - self._version = version - - @property - def internal_name(self): - return self._internal_name - - @internal_name.setter - def internal_name(self, internal_name): - self._internal_name = internal_name - - @property - def copyright(self): - return self._copyright - - @copyright.setter - def copyright(self, copyright): - self._copyright = copyright - - @property - def sections(self): - return self._sections - - @sections.setter - def sections(self, sections): - self._sections = sections - - @property - def imports(self): - return self._imports diff --git a/fibratus/kevent.py b/fibratus/kevent.py deleted file mode 100644 index 5f7a76766..000000000 --- a/fibratus/kevent.py +++ /dev/null @@ -1,269 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from datetime import datetime -from enum import Enum - -from fibratus.apidefs.process import open_thread, THREAD_QUERY_INFORMATION, get_process_id_of_thread -from fibratus.apidefs.sys import close_handle -from fibratus.common import DotD as ddict, NA - - -class Category(Enum): - - REGISTRY = 0 - FILE = 1 - NET = 2 - PROCESS = 3 - THREAD = 4 - MM = 5 - CSWITCH = 6 - SYSCALL = 7 - DISK_IO = 8 - DLL = 9 - OTHER = 10 - - -class KEvents(object): - """Available kernel event names. - """ - CREATE_PROCESS = 'CreateProcess' - CREATE_THREAD = 'CreateThread' - TERMINATE_PROCESS = 'TerminateProcess' - TERMINATE_THREAD = 'TerminateThread' - - REG_CREATE_KEY = 'RegCreateKey' - REG_DELETE_KEY = 'RegDeleteKey' - REG_DELETE_VALUE = 'RegDeleteValue' - REG_OPEN_KEY = 'RegOpenKey' - REG_SET_VALUE = 'RegSetValue' - REG_QUERY_VALUE = 'RegQueryValue' - REG_QUERY_KEY = 'RegQueryKey' - - CREATE_FILE = 'CreateFile' - DELETE_FILE = 'DeleteFile' - WRITE_FILE = 'WriteFile' - READ_FILE = 'ReadFile' - CLOSE_FILE = 'CloseFile' - RENAME_FILE = 'RenameFile' - SET_FILE_INFORMATION = 'SetFileInformation' - - SEND = 'Send' - RECEIVE = 'Recv' - ACCEPT = 'Accept' - CONNECT = 'Connect' - DISCONNECT = 'Disconnect' - RECONNECT = 'Reconnect' - - LOAD_IMAGE = 'LoadImage' - UNLOAD_IMAGE = 'UnloadImage' - - SYSCALL_ENTER = 'SyscallEnter' - SYSCALL_EXIT = 'SyscallExit' - - CONTEXT_SWITCH = 'ContextSwitch' - - @classmethod - def all(cls): - return [cls.CREATE_PROCESS, - cls.CREATE_THREAD, - cls.TERMINATE_PROCESS, - cls.TERMINATE_THREAD, - cls.CREATE_FILE, - cls.DELETE_FILE, - cls.READ_FILE, - cls.WRITE_FILE, - cls.CLOSE_FILE, - cls.RENAME_FILE, - cls.SET_FILE_INFORMATION, - cls.REG_QUERY_KEY, - cls.REG_QUERY_VALUE, - cls.REG_CREATE_KEY, - cls.REG_DELETE_KEY, - cls.REG_DELETE_VALUE, - cls.REG_OPEN_KEY, - cls.REG_SET_VALUE, - cls.LOAD_IMAGE, - cls.UNLOAD_IMAGE, - cls.SEND, - cls.RECEIVE, - cls.ACCEPT, - cls.CONNECT, - cls.RECONNECT, - cls.DISCONNECT, - cls.CONTEXT_SWITCH] - - @classmethod - def meta_info(cls): - kevents = { - KEvents.CREATE_PROCESS: (Category.PROCESS, 'Creates a new process and its primary thread', ), - KEvents.CREATE_THREAD: (Category.THREAD, 'Creates a thread to execute within the virtual address space' - ' of the calling process', ), - KEvents.TERMINATE_PROCESS: (Category.PROCESS, 'Terminates the process and all of its threads', ), - KEvents.TERMINATE_THREAD: (Category.THREAD, 'Terminates a thread', ), - KEvents.CREATE_FILE: (Category.FILE, 'Creates or opens a file or I/O device', ), - KEvents.DELETE_FILE: (Category.FILE, 'Deletes an existing file or directory', ), - KEvents.READ_FILE: (Category.FILE, 'Reads data from the file or I/O device', ), - KEvents.WRITE_FILE: (Category.FILE, 'Writes data to the file or I/O device', ), - KEvents.CLOSE_FILE: (Category.FILE, 'Closes the file or I/O device', ), - KEvents.SET_FILE_INFORMATION: (Category.FILE, 'Changes information for the specified file',), - KEvents.RENAME_FILE: (Category.FILE, 'Renames a file or directory', ), - KEvents.REG_QUERY_KEY: (Category.REGISTRY, 'Retrieves information about the registry key', ), - KEvents.REG_OPEN_KEY: (Category.REGISTRY, 'Opens the registry key', ), - KEvents.REG_CREATE_KEY: (Category.REGISTRY, 'Creates the registry key or open it if the key ' - 'already exists', ), - KEvents.REG_DELETE_KEY: (Category.REGISTRY, 'Deletes a subkey and its values', ), - KEvents.REG_QUERY_VALUE: (Category.REGISTRY, 'Retrieves the type and data of the value' - ' associated with an open registry key', ), - KEvents.REG_DELETE_VALUE: (Category.REGISTRY, 'Removes a value from the registry key', ), - KEvents.REG_SET_VALUE: (Category.REGISTRY, 'Sets the data and type of a value under a registry key', ), - KEvents.LOAD_IMAGE: (Category.DLL, 'Loads the module into the address space of the calling process', ), - KEvents.UNLOAD_IMAGE: (Category.DLL, 'Frees the loaded module from the address space ' - 'of the calling process', ), - KEvents.SEND: (Category.NET, 'Sends data on a connected socket', ), - KEvents.RECEIVE: (Category.NET, 'Receives data from a connected socket', ), - KEvents.ACCEPT: (Category.NET, 'Initiates the connection attempt from the remote or local TCP socket', ), - KEvents.CONNECT: (Category.NET, 'Establishes the connection to a TCP socket', ), - KEvents.RECONNECT: (Category.NET, 'Reconnects to a TCP socket', ), - KEvents.DISCONNECT: (Category.NET, 'Closes the connection to a TCP socket', ), - - KEvents.CONTEXT_SWITCH: (Category.THREAD, 'Scheduler selects a new thread to execute',)} - return kevents - -__kevents__ = KEvents.meta_info() - - -class KEvent(object): - - def __init__(self, thread_registry): - self._kid = 0 - self._ts = datetime.now() - self._cpuid = 0 - self._name = None - self._category = None - self._params = {} - self._tid = None - self._pid = None - self.thread_registry = thread_registry - - @property - def name(self): - return self._name - - @name.setter - def name(self, name): - self._name = name - if name in __kevents__: - cat, _ = __kevents__[name] - self._category = cat.name - - @property - def params(self): - return self._params - - @params.setter - def params(self, params): - self._params = ddict(params) - - @property - def ts(self): - return self._ts - - @ts.setter - def ts(self, ts): - self._ts = datetime.strptime(ts, '%Y-%m-%d %H:%M:%S.%f') - - @property - def cpuid(self): - return self._cpuid - - @cpuid.setter - def cpuid(self, cpuid): - self._cpuid = cpuid - - @property - def category(self): - return self._category - - @property - def pid(self): - return self._pid - - @pid.setter - def pid(self, pid): - self._pid = pid - - @property - def tid(self): - return self._tid - - @tid.setter - def tid(self, tid): - self._tid = tid - - @property - def kid(self): - return self._kid - - @property - def thread(self): - return self._find_thread() - - def _find_thread(self): - """Finds the current thread/process emitted by the kernel event. - """ - if self._pid: - # first lookup by process id - # if the process doesn't exist - # in the thread registry - # then query by the thread id - thread = self.thread_registry.get_thread(self._pid) - if not thread and self._tid: - thread = self.thread_registry.get_thread(self._tid) - else: - # we dont have the process id - # try to find the thread from which - # we can get the process - thread = self.thread_registry.get_thread(self._tid) - return thread - - def get_thread(self): - """Gets the thread associated with the kernel event. - """ - thread = self._find_thread() - if thread: - return thread.pid, thread.name - else: - # figure out the process id from thread - # if the process can't be found in - # the thread registry - pid = NA - if self._pid is None: - if self._tid: - # get the thread handle - handle = open_thread(THREAD_QUERY_INFORMATION, - False, - self._tid) - if handle: - pid = get_process_id_of_thread(handle) - close_handle(handle) - else: - pid = self._pid - return pid, NA - - def inc_kid(self): - self._kid += 1 - - diff --git a/fibratus/kevent_types.py b/fibratus/kevent_types.py deleted file mode 100644 index 445712c99..000000000 --- a/fibratus/kevent_types.py +++ /dev/null @@ -1,239 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# http://rabbitstack.github.io -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from fibratus.errors import UnknownKeventTypeError -from fibratus.kevent import KEvents - - -# start process event -CREATE_PROCESS = ('{3d6fa8d0-fe05-11d0-9dda-00c04fd7ba7c}', 1) -# end process event -TERMINATE_PROCESS = ('{3d6fa8d0-fe05-11d0-9dda-00c04fd7ba7c}', 2) -# enum processes event -ENUM_PROCESS = ('{3d6fa8d0-fe05-11d0-9dda-00c04fd7ba7c}', 3) -# start thread event -CREATE_THREAD = ('{3d6fa8d1-fe05-11d0-9dda-00c04fd7ba7c}', 1) -# end thread event -TERMINATE_THREAD = ('{3d6fa8d1-fe05-11d0-9dda-00c04fd7ba7c}', 2) -# enum threads event -ENUM_THREAD = ('{3d6fa8d1-fe05-11d0-9dda-00c04fd7ba7c}', 3) - -# create file event -CREATE_FILE = ('{90cbdc39-4a3e-11d1-84f4-0000f80464e3}', 64) -# delete file event -DELETE_FILE = ('{90cbdc39-4a3e-11d1-84f4-0000f80464e3}', 70) -# close file event generated when the file object is freed -CLOSE_FILE = ('{90cbdc39-4a3e-11d1-84f4-0000f80464e3}', 66) -# read file event -READ_FILE = ('{90cbdc39-4a3e-11d1-84f4-0000f80464e3}', 67) -# write file event -WRITE_FILE = ('{90cbdc39-4a3e-11d1-84f4-0000f80464e3}', 68) -# rename file event -RENAME_FILE = ('{90cbdc39-4a3e-11d1-84f4-0000f80464e3}', 71) -# enumerate directory event -ENUM_DIRECTORY = ('{90cbdc39-4a3e-11d1-84f4-0000f80464e3}', 72) -# set file information event -SET_FILE_INFORMATION = ('{90cbdc39-4a3e-11d1-84f4-0000f80464e3}', 69) - -# disk read event -DISK_IO_READ = ('{3d6fa8d4-fe05-11d0-9dda-00c04fd7ba7c}', 10) -# disk write event -DISK_IO_WRITE = ('{3d6fa8d4-fe05-11d0-9dda-00c04fd7ba7c}', 11) - -# create registry key event -REG_CREATE_KEY = ('{ae53722e-c863-11d2-8659-00c04fa321a1}', 10) -# create registry key event -REG_DELETE_KEY = ('{ae53722e-c863-11d2-8659-00c04fa321a1}', 12) -# delete registry value event -REG_DELETE_VALUE = ('{ae53722e-c863-11d2-8659-00c04fa321a1}', 15) -# registry open key -REG_OPEN_KEY = ('{ae53722e-c863-11d2-8659-00c04fa321a1}', 11) -# registry set value key event -REG_SET_VALUE = ('{ae53722e-c863-11d2-8659-00c04fa321a1}', 14) -# registry query value key event -REG_QUERY_VALUE = ('{ae53722e-c863-11d2-8659-00c04fa321a1}', 16) -# registry query value key event -REG_QUERY_KEY = ('{ae53722e-c863-11d2-8659-00c04fa321a1}', 13) -# create the key control block -REG_CREATE_KCB = ('{ae53722e-c863-11d2-8659-00c04fa321a1}', 22) -# delete the key control block -REG_DELETE_KCB = ('{ae53722e-c863-11d2-8659-00c04fa321a1}', 23) - -# image load event generated when a DLL or executable file is loaded -LOAD_IMAGE = ('{2cb15d1d-5fc1-11d2-abe1-00a0c911f518}', 10) -# generated when a DLL or executable file is unloaded -UNLOAD_IMAGE = ('{2cb15d1d-5fc1-11d2-abe1-00a0c911f518}', 2) -# enumerates all loaded images -ENUM_IMAGE = ('{2cb15d1d-5fc1-11d2-abe1-00a0c911f518}', 3) - -# virtual memory allocation event -VIRTUAL_ALLOC = ('{3d6fa8d3-fe05-11d0-9dda-00c04fd7ba7c}', 98) -# virtual memory free event -VIRTUAL_FREE = ('{3d6fa8d3-fe05-11d0-9dda-00c04fd7ba7c}', 99) - -# system call enter event -SYSCALL_ENTER = ('{ce1dbfb4-137e-4da6-87b0-3f59aa102cbc}', 51) -# system call exit event -SYSCALL_EXIT = ('{ce1dbfb4-137e-4da6-87b0-3f59aa102cbc}', 52) - -# context switch event -CONTEXT_SWITCH = ('{3d6fa8d1-fe05-11d0-9dda-00c04fd7ba7c}', 36) - -# starts an incoming connection attempt on socket -ACCEPT_SOCKET_TCPV4 = ('{9a280ac0-c8e0-11d1-84e2-00c04fb998a2}', 15) -ACCEPT_SOCKET_TCPV6 = ('{9a280ac0-c8e0-11d1-84e2-00c04fb998a2}', 31) - -# sends data on a connected socket -SEND_SOCKET_TCPV4 = ('{9a280ac0-c8e0-11d1-84e2-00c04fb998a2}', 10) -SEND_SOCKET_UDPV4 = ('{bf3a50c5-a9c9-4988-a005-2df0b7c80f80}', 10) -# establishes a connection to a specified socket -CONNECT_SOCKET_TCPV4 = ('{9a280ac0-c8e0-11d1-84e2-00c04fb998a2}', 12) -# disconnect event -DISCONNECT_SOCKET_TCPV4 = ('{9a280ac0-c8e0-11d1-84e2-00c04fb998a2}', 13) -# reconnect attempt event -RECONNECT_SOCKET_TCPV4 = ('{9a280ac0-c8e0-11d1-84e2-00c04fb998a2}', 16) -# receives data from a connected socket -RECV_SOCKET_TCPV4 = ('{9a280ac0-c8e0-11d1-84e2-00c04fb998a2}', 11) -RECV_SOCKET_UDPV4 = ('{bf3a50c5-a9c9-4988-a005-2df0b7c80f80}', 11) - - -def kname_to_tuple(name): - - if name == KEvents.CREATE_PROCESS: - return CREATE_PROCESS - elif name == KEvents.TERMINATE_PROCESS: - return TERMINATE_PROCESS - elif name == KEvents.CREATE_THREAD: - return CREATE_THREAD - elif name == KEvents.TERMINATE_THREAD: - return TERMINATE_THREAD - - elif name == KEvents.REG_CREATE_KEY: - return REG_CREATE_KEY - elif name == KEvents.REG_QUERY_KEY: - return REG_QUERY_KEY - elif name == KEvents.REG_OPEN_KEY: - return REG_OPEN_KEY - elif name == KEvents.REG_QUERY_VALUE: - return REG_QUERY_VALUE - elif name == KEvents.REG_SET_VALUE: - return REG_SET_VALUE - elif name == KEvents.REG_DELETE_KEY: - return REG_DELETE_KEY - elif name == KEvents.REG_DELETE_VALUE: - return REG_DELETE_VALUE - - elif name == KEvents.CREATE_FILE: - return CREATE_FILE - elif name == KEvents.READ_FILE: - return READ_FILE - elif name == KEvents.WRITE_FILE: - return WRITE_FILE - elif name == KEvents.CLOSE_FILE: - return CLOSE_FILE - elif name == KEvents.DELETE_FILE: - return DELETE_FILE - elif name == KEvents.RENAME_FILE: - return RENAME_FILE - elif name == KEvents.SET_FILE_INFORMATION: - return SET_FILE_INFORMATION - - elif name == KEvents.LOAD_IMAGE: - return LOAD_IMAGE - elif name == KEvents.UNLOAD_IMAGE: - return UNLOAD_IMAGE - - elif name == KEvents.CONTEXT_SWITCH: - return CONTEXT_SWITCH - - elif name == KEvents.SEND: - return [SEND_SOCKET_UDPV4, SEND_SOCKET_TCPV4] - elif name == KEvents.RECEIVE: - return [RECV_SOCKET_UDPV4, RECV_SOCKET_TCPV4] - elif name == KEvents.ACCEPT: - return [ACCEPT_SOCKET_TCPV4, ACCEPT_SOCKET_TCPV6] - elif name == KEvents.CONNECT: - return CONNECT_SOCKET_TCPV4 - elif name == KEvents.RECONNECT: - return RECONNECT_SOCKET_TCPV4 - elif name == KEvents.DISCONNECT: - return DISCONNECT_SOCKET_TCPV4 - else: - raise UnknownKeventTypeError(name) - - -def ktuple_to_name(ktuple): - - if ktuple == CREATE_PROCESS: - return KEvents.CREATE_PROCESS - elif ktuple == CREATE_THREAD: - return KEvents.CREATE_THREAD - elif ktuple == TERMINATE_PROCESS: - return KEvents.TERMINATE_PROCESS - elif ktuple == TERMINATE_THREAD: - return KEvents.TERMINATE_THREAD - - elif ktuple == REG_CREATE_KEY: - return KEvents.REG_CREATE_KEY - elif ktuple == REG_DELETE_KEY: - return KEvents.REG_DELETE_KEY - elif ktuple == REG_DELETE_VALUE: - return KEvents.REG_DELETE_VALUE - elif ktuple == REG_OPEN_KEY: - return KEvents.REG_OPEN_KEY - elif ktuple == REG_SET_VALUE: - return KEvents.REG_SET_VALUE - elif ktuple == REG_QUERY_VALUE: - return KEvents.REG_QUERY_VALUE - elif ktuple == REG_QUERY_KEY: - return KEvents.REG_QUERY_KEY - - elif ktuple == CREATE_FILE: - return KEvents.CREATE_FILE - elif ktuple == DELETE_FILE: - return KEvents.DELETE_FILE - elif ktuple == CLOSE_FILE: - return KEvents.CLOSE_FILE - elif ktuple == WRITE_FILE: - return KEvents.WRITE_FILE - elif ktuple == READ_FILE: - return KEvents.READ_FILE - elif ktuple == RENAME_FILE: - return KEvents.RENAME_FILE - elif ktuple == SET_FILE_INFORMATION: - return KEvents.SET_FILE_INFORMATION - - elif ktuple == LOAD_IMAGE: - return KEvents.LOAD_IMAGE - elif ktuple == UNLOAD_IMAGE: - return KEvents.UNLOAD_IMAGE - - elif ktuple == CONTEXT_SWITCH: - return KEvents.CONTEXT_SWITCH - - elif ktuple == SEND_SOCKET_UDPV4 or\ - ktuple == SEND_SOCKET_TCPV4: - return KEvents.SEND - elif ktuple == RECV_SOCKET_UDPV4 or\ - ktuple == RECV_SOCKET_TCPV4: - return KEvents.RECEIVE - elif ktuple == ACCEPT_SOCKET_TCPV4: - return KEvents.ACCEPT - elif ktuple == CONNECT_SOCKET_TCPV4: - return KEvents.CONNECT - elif ktuple == DISCONNECT_SOCKET_TCPV4: - return KEvents.DISCONNECT - elif ktuple == RECONNECT_SOCKET_TCPV4: - return KEvents.RECONNECT \ No newline at end of file diff --git a/fibratus/output/aggregator.py b/fibratus/output/aggregator.py deleted file mode 100644 index 2df2f9cc2..000000000 --- a/fibratus/output/aggregator.py +++ /dev/null @@ -1,49 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from fibratus.output.console import ConsoleOutput - - -class OutputAggregator(object): - - def __init__(self, outputs): - self.outputs = outputs - - def aggregate(self, kevent): - """Emit the kernel stream via output sinks. - - For each output registered, invokes the `emit`` - method to send the kernel event info to the - output sink. - - Parameters - ---------- - - kevent: KEvent - an instance of the kernel event - """ - for _, output in self.outputs.items(): - if isinstance(output, ConsoleOutput): - output.emit(kevent) - else: - pid, proc = kevent.get_thread() - body = {'id': kevent.kid, - 'timestamp': kevent.ts.strftime('%Y-%m-%d %H:%M:%S.%f'), - 'cpuid': kevent.cpuid, - 'proc': proc, - 'pid': pid, - 'name': kevent.name, - 'category': kevent.category, - 'params': kevent.params} - output.emit(body) diff --git a/fibratus/output/amqp.py b/fibratus/output/amqp.py deleted file mode 100644 index 4a0edbca1..000000000 --- a/fibratus/output/amqp.py +++ /dev/null @@ -1,104 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -import json - -import pika - -from fibratus.errors import InvalidPayloadError -from fibratus.output.base import Output - - -class AmqpOutput(Output): - - def __init__(self, **kwargs): - """Builds a new instance of the AMQP output adapter. - - Parameters - ---------- - - kwargs: dict - AMQP configuration - """ - Output.__init__(self) - self._username = kwargs.pop('username', 'guest') - self._password = kwargs.pop('password', 'guest') - - self._host = kwargs.pop('host', '127.0.0.1') - self._port = kwargs.pop('port', 5672) - self._vhost = kwargs.pop('vhost', '/') - self._delivery_mode = kwargs.pop('delivery_mode', 1) - - credentials = pika.PlainCredentials(self._username, self._password) - self._parameters = pika.ConnectionParameters(self._host, - self._port, - self._vhost, - credentials) - - self._exchange = kwargs.pop('exchange', None) - self._routingkey = kwargs.pop('routingkey', None) - - self._connection = None - self._channel = None - - self._basic_props = pika.BasicProperties(content_type='text/json', - delivery_mode=self._delivery_mode) - - def emit(self, body, **kwargs): - if not self._connection: - self._connection = pika.BlockingConnection(self._parameters) - self._channel = self._connection.channel() - # override the default exchange name - # and the routing key used to send - # the message to the AMQP broker - self._routingkey = kwargs.pop('routingkey', self._routingkey) - self._exchange = kwargs.pop('exchange', self._exchange) - - # the message body should be a dictionary - if not isinstance(body, dict): - raise InvalidPayloadError('invalid payload for AMQP message. ' - 'dict expected but %s found' - % type(body)) - body = json.dumps(body) - self._channel.basic_publish(self._exchange, - self._routingkey, - body, self._basic_props) - - @property - def username(self): - return self._username - - @property - def host(self): - return self._host - - @property - def port(self): - return self._port - - @property - def vhost(self): - return self._vhost - - @property - def exchange(self): - return self._exchange - - @property - def routingkey(self): - return self._routingkey - - @property - def delivery_mode(self): - return self._delivery_mode diff --git a/fibratus/output/base.py b/fibratus/output/base.py deleted file mode 100644 index 4aa4d9681..000000000 --- a/fibratus/output/base.py +++ /dev/null @@ -1,30 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from logbook import Logger, StreamHandler -import sys - - -class Output(object): - - def __init__(self): - StreamHandler(sys.stdout).push_application() - self.logger = Logger() - - def emit(self, body, **kwargs): - raise NotImplementedError() - - def supports_batches(self): - return False diff --git a/fibratus/output/console.py b/fibratus/output/console.py deleted file mode 100644 index 42e2b9fe8..000000000 --- a/fibratus/output/console.py +++ /dev/null @@ -1,97 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -import json -from _ctypes import byref - -from fibratus.apidefs.sys import get_std_handle, STD_OUTPUT_HANDLE, write_console_unicode, c_ulong -from fibratus.output.base import Output - -RENDER_FORMAT = '%s %s %s %s (%s) - %s %s' - - -class ConsoleOutput(Output): - - def __init__(self, **kwargs): - Output.__init__(self) - - self._fmt = kwargs.pop('format', 'pretty') - self._timestamp_pattern = kwargs.pop('timestamp_pattern', '%Y-%m-%d %H:%M:%S.%f') - self._stdout_handle = get_std_handle(STD_OUTPUT_HANDLE) - - assert self._stdout_handle, 'could not acquire the standard output stream handle' - - def emit(self, kevent, **kwargs): - """Renders the kevent to the standard output stream. - - Uses the default output format or JSON to render the - kernel event to standard output stream. - - The default output format is as follows: - - id timestamp cpu process (process id) - kevent (parameters) - -- --------- --- ------- ----------- ------- ------------ - - Example: - - 160 13:27:27.554 0 wmiprvse.exe (1012) - CloseFile (file=C:\\WINDOWS\\SYSTEM32\\RSAENH.DLL, tid=2668) - - Parameters - ---------- - - kevent: KEvent - the information regarding the kernel event - - kwargs: dict - console adapter configuration - - """ - if isinstance(kevent, dict): - kevt = json.dumps(kevent) - else: - pid, proc = kevent.get_thread() - if 'pretty' in self._fmt: - kevt = RENDER_FORMAT % (kevent.kid, - kevent.ts.time(), - kevent.cpuid, - proc, - pid, - kevent.name, - self._format_params(kevent.params)) - else: - kevt = json.dumps(dict(id=kevent.kid, - timestamp=kevent.ts.strftime(self._timestamp_pattern), - cpuid=kevent.cpuid, - proc=proc, - pid=pid, - name=kevent.name, - params=kevent.params)) - - kevt += '\n' - # write the output on the standard output stream - write_console_unicode(self._stdout_handle, kevt, - len(kevt), - byref(c_ulong()), - None) - - def _format_params(self, kparams): - """Transforms the kevent parameters. - - Apply the rendering format on the kevent payload - to transform it into more convenient structure - sorted by parameter keys. - """ - fmt = ', '.join('%s=%s' % (k, kparams[k]) for k in sorted(kparams.keys())) \ - .replace('\"', '') - return '(%s)' % fmt diff --git a/fibratus/output/elasticsearch.py b/fibratus/output/elasticsearch.py deleted file mode 100644 index 771f23445..000000000 --- a/fibratus/output/elasticsearch.py +++ /dev/null @@ -1,95 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import elasticsearch -import elasticsearch.helpers - -from fibratus.errors import InvalidPayloadError -from fibratus.output.base import Output -from datetime import datetime - -class ElasticsearchOutput(Output): - - def __init__(self, **kwargs): - """Creates an instance of the Elasticsearch output adapter. - - Parameters - ---------- - - kwargs: dict - Elasticsearch cluster configuration - """ - Output.__init__(self) - - hosts = kwargs.pop('hosts', []) - self._hosts = [dict(host=host.split(':')[0], port=int(host.split(':')[1])) for host in hosts] - self._index_name = kwargs.pop('index', None) - self._index_type = kwargs.pop('index_type', 'fixed') - self._daily_index_format = kwargs.pop('daily_index_format', '%Y.%m.%d') - self._document_type = kwargs.pop('document', None) - self._bulk = kwargs.pop('bulk', False) - self._username = kwargs.pop('username', None) - self._password = kwargs.pop('password', None) - self._config = {} - if self._username and self._password: - self._config['http_auth'] = (self._username, self._password,) - self._config['use_ssl'] = kwargs.pop('ssl', False) - self._elasticsearch = None - - def emit(self, body, **kwargs): - if not self._elasticsearch: - self._elasticsearch = elasticsearch.Elasticsearch(self._hosts, **self._config) - if self._bulk: - if not isinstance(body, list): - raise InvalidPayloadError('invalid payload for bulk indexing. ' - 'list expected but %s found' - % type(body)) - else: - if not isinstance(body, dict): - raise InvalidPayloadError('invalid payload for document. ' - 'dict expected but %s found' - % type(body)) - - self._index_name = kwargs.pop('index', self._index_name) - - # build index name for daily index types - if 'daily' in self._index_type: - self._index_name = '%s-%s' % (self._index_name, datetime.now().strftime(self._daily_index_format)) - - if self._bulk: - actions = [dict(_index=self._index_name, _type=self._document_type, _source=b) for b in body] - elasticsearch.helpers.bulk(self._elasticsearch, actions) - else: - self._elasticsearch.index(self._index_name, self._document_type, body=body) - - @property - def hosts(self): - return self._hosts - - @property - def index_name(self): - return self._index_name - - @property - def index_type(self): - return self._index_type - - @property - def document_type(self): - return self._document_type - - @property - def bulk(self): - return self._bulk diff --git a/fibratus/output/fs.py b/fibratus/output/fs.py deleted file mode 100644 index 10fe507c5..000000000 --- a/fibratus/output/fs.py +++ /dev/null @@ -1,55 +0,0 @@ -# Copyright 2017 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from fibratus.output.base import Output -import io -import os -import time -import json - - -class FsOutput(Output): - """File system output. - - Implementation of the output which writes the stream of - kernel events to a file. - """ - - def __init__(self, **kwargs): - Output.__init__(self) - self._path = kwargs.pop('path', None) - self._fmt = kwargs.pop('format', 'json') - self._mode = kwargs.pop('mode', 'a') - - filename = os.path.join(self._path, - '%s.fibra' % time.strftime('%x') - .replace('/', '-')) - self.stream = io.open(filename, self._mode) - - def emit(self, body, **kwargs): - if 'json' in self._fmt: - self.stream.write(json.dumps(body) + '\n') - - @property - def path(self): - return self._path - - @property - def format(self): - return self._fmt - - @property - def mode(self): - return self._mode \ No newline at end of file diff --git a/fibratus/output/smtp.py b/fibratus/output/smtp.py deleted file mode 100644 index 612ead8e0..000000000 --- a/fibratus/output/smtp.py +++ /dev/null @@ -1,82 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import os -import smtplib - -from fibratus.output.base import Output - - -class SmtpOutput(Output): - - def __init__(self, **kwargs): - """Constructs a new instance of the SMTP outbound adapter. - - Parameters - ---------- - - kwargs: dict - SMTP server and account configuration - """ - Output.__init__(self) - self._host = kwargs.pop('host', None) - self._port = kwargs.pop('port', 587) - self._from = kwargs.pop('from', None) - self._to = kwargs.pop('to', []) - self._password = kwargs.pop('password', None) or \ - os.environ.get('SMTP_PASS') - self._smtp = None - - def emit(self, body, **kwargs): - if not self._smtp: - self._smtp = smtplib.SMTP(self._host, self._port) - self._smtp.ehlo() - self._smtp.starttls() - self._smtp.ehlo() - subject = kwargs.pop('subject', '') - message = self._compose_message(subject, body) - # try to authenticate with the server - # before attempting to send the message - try: - self._smtp.login(self._from, self._password) - self._smtp.sendmail(self._from, self._to, message) - except smtplib.SMTPAuthenticationError: - self.logger.error('Invalid SMTP credentials for %s account' - % self._from) - finally: - self._smtp.quit() - - def _compose_message(self, subject, body): - return """From: %s\r\nTo: %s\r\nSubject: %s\r\n\ - - %s - """ % (self._from, ", ".join(self._to), - subject, body) - - @property - def host(self): - return self._host - - @property - def port(self): - return self._port - - @property - def sender(self): - return self._from - - @property - def to(self): - return self._to diff --git a/fibratus/registry.py b/fibratus/registry.py deleted file mode 100644 index 9815a64b0..000000000 --- a/fibratus/registry.py +++ /dev/null @@ -1,294 +0,0 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) -# http://rabbitstack.github.io -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -import os -from ctypes import cast, byref - -from fibratus.common import NA -from fibratus.handle import HandleType -from fibratus.kevent_types import * -from fibratus.apidefs.registry import * -from fibratus.apidefs.sys import malloc, free - - -class HiveParser(object): - - def __init__(self, kevent, thread_registry): - self._kcblocks = {} - self._kevent = kevent - self.thread_registry = thread_registry - self.hive_regexs = [ - r'(?i)(REGISTRY\\MACHINE\\SOFTWARE)(.*)', - r'(?i)(REGISTRY\\MACHINE\\HARDWARE)(.*)', - r'(?i)(REGISTRY\\MACHINE\\SECURITY)(.*)', - r'(?i)(REGISTRY\\MACHINE\\SYSTEM)(.*)', - r'(?i)(REGISTRY\\MACHINE\\SAM)(.*)', - r'(?i)(REGISTRY\\USER\\.DEFAULT)(.*)', - r'(?i)(REGISTRY\\USER\\S-.+?)\\(.*)', - r'(?i)(REGISTRY\\USER)(.*)'] - self._reg_value_types = [v.value for v in ValueType] - - @property - def kcblocks(self): - return self._kcblocks - - def remove_kcb(self, key_handle): - if key_handle in self._kcblocks: - self._kcblocks.pop(key_handle) - - def add_kcb(self, kkcb): - """Adds a key control block (KCB). - - Parameters - ---------- - - kkcb: dict - metadata for the KCB - - """ - handle = kkcb.key_handle - # index the KCB by key handle - # we also save the process and - # thread id which created the KCB - kcb = Kcb(handle, kkcb.key_name, - kkcb.index, - kkcb.status, - kkcb.thread_id, - kkcb.process_id) - self._kcblocks[handle] = kcb - - def parse_hive(self, ketype, regkevt): - """Parses a hive from the registry kernel event. - - Hive is a logical group of keys, subkeys and values - which are commonly called as nodes. - - Parameters - ---------- - - ketype: tuple - kernel event type - regkevt: dict - kernel registry event payload as forwarded from the - event stream collector - """ - hive = NA - key = regkevt.key_name - status = regkevt.status - tid = regkevt.thread_id - pid = regkevt.process_id - index = regkevt.index - - self._kevent.tid = tid - self._kevent.pid = pid - - # if the node handle (KCB handle) is equal to 0 - # we have the full node name. Otherwise - # we have to query the key control blocks - # to found the full node name - handle = regkevt.key_handle - if handle == 0: - # find the hive by applying - # the regular expression - hive, key = self._dissect_hive(key) - else: - if handle in self._kcblocks: - # KCB found. Concatenate the - # full node path - kcb = self._kcblocks[handle] - full_path = '%s\%s' % (kcb.key, key) - hive, key = self._dissect_hive(full_path) - else: - # we missed the KCB creation - # lookup the handles - # to find the key name - thread = self.thread_registry.get_thread(pid) - if thread: - key_handles = [kh for kh in thread.handles if kh.handle_type is not None and - kh.handle_type == HandleType.KEY] - for khandle in key_handles: - if ketype in [REG_CREATE_KEY, - REG_DELETE_KEY, - REG_OPEN_KEY, - REG_QUERY_KEY]: - # try to find the match of the key name - # from registry key handle name. - # Replace the backslash to prevent - # bogus escape exceptions - khandle_name = khandle.name - f = re.findall(r"%s" % key.replace('\\', '_'), - khandle_name.replace('\\', '_')) - if len(f) > 0: - hive, key = self._dissect_hive(khandle_name) - kcb = Kcb(handle, - khandle_name, - index, - status, - tid, - pid) - self._kcblocks[handle] = kcb - break - - if hive == NA: - # set the unknown hive and - # the partial node name - key = '..\%s' % key - - if ketype in [REG_CREATE_KEY, - REG_DELETE_KEY, - REG_OPEN_KEY, - REG_QUERY_KEY]: - params = { - 'hive': hive, - 'key': key, - 'status': status, - 'tid': tid, - 'pid': pid - } - self._kevent.params = params - elif ketype in [REG_SET_VALUE, - REG_DELETE_VALUE, - REG_QUERY_VALUE]: - if ketype == REG_SET_VALUE or ketype == REG_QUERY_VALUE: - # we have the hive and the subkey - # including the registry value name - # which means we are able to query the content - # of the registry value - if hive != NA and not key.startswith('..'): - # resolve the root key name - # from the registry hive - hkey = self._hive_to_hkey(hive) - subkey, value_name = os.path.split(key) - # get the value data and value type - # from the registry - value, value_type = self._query_value(hkey, - subkey, - value_name) - self._kevent.params = dict(hive=hive, key=key, - value_type=value_type, - value=value, - status=status, - tid=tid, - pid=pid) - else: - self._kevent.params = dict(hive=hive, key=key, - value_type=NA, - value=NA, status=status, - tid=tid, pid=pid) - - else: - self._kevent.params = dict(hive=hive, key=key, - status=status, - tid=tid, - pid=pid) - - def _query_value(self, hkey, subkey, value_name): - """Get value content and value type from registry. - - Parameters - ---------- - - hkey: HKEY - handle to registry root key - subkey: str - path representing the subkey - value: - the name of the value - """ - if not hkey: - return NA, NA - value_type = c_ulong() - buff = malloc(MAX_BUFFER_SIZE) - buff_size = c_ulong(MAX_BUFFER_SIZE) - - status = reg_get_value(hkey, c_wchar_p(subkey), - c_wchar_p(value_name), - RRF_RT_ANY, - byref(value_type), - buff, byref(buff_size)) - if status == ERROR_SUCCESS: - value = cast(buff, c_wchar_p).value - value_type = value_type.value - if value_type in self._reg_value_types: - if value_type == ValueType.REG_BINARY.value: - value = '' - [value_type] = [v.name for v in ValueType if v.value == value_type] - else: - value_type = ValueType.REG_NONE.name - free(buff) - return value, value_type - else: - free(buff) - return NA, NA - - def _dissect_hive(self, key_name): - """Extracts the hive name and the subkey from the key path. - - Parameters - ---------- - - key_name: str - key path from whom the hive - can be resolved - """ - for rx in self.hive_regexs: - # for each regex match it - # against key path - m = re.search(rx, key_name) - if m and len(m.groups()) > 0: - hive = m.group(1).upper() - # hive found, now try - # to get the node path - if len(m.groups()) > 1: - node = m.group(2) - if node: - # because the hive contains the - # child node of the registry subkey - # we have to include it - _, hive_child = os.path.split(hive) - if not node.startswith('\\'): - node = '\\%s' % node - node = '%s%s' % (hive_child, node) - return hive.replace('\\', '_'), node - return hive.replace('\\', '_'), key_name - return key_name, key_name - - def _hive_to_hkey(self, hive): - if re.match(r'(?i).*MACHINE.*', hive): - return HKEY_LOCAL_MACHINE - elif re.match(r'(?i).*USER_S-.*|\.DEFAULT', hive): - return HKEY_USERS - else: - return None - - -class Kcb(object): - """The container for the Key Control Block data. - """ - def __init__(self, handle, key, index, - status, tid, pid): - self._handle = handle - self._key = key - self._index = index - self._status = status - self._thread_id = tid - self._process_id = pid - - @property - def key(self): - return self._key - - - diff --git a/fibratus/tcpip/__init__.py b/fibratus/tcpip/__init__.py deleted file mode 100644 index b4b9e2a2a..000000000 --- a/fibratus/tcpip/__init__.py +++ /dev/null @@ -1,14 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. \ No newline at end of file diff --git a/fibratus/tcpip/ports.py b/fibratus/tcpip/ports.py deleted file mode 100644 index 7e5885f28..000000000 --- a/fibratus/tcpip/ports.py +++ /dev/null @@ -1,11095 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -IANA_PORTS_TCP = { - 1: "tcpmux", - 2: "compressnet", - 3: "compressnet", - 5: "rje", - 7: "echo", - 9: "discard", - 11: "systat", - 13: "daytime", - 17: "qotd", - 18: "msp", - 19: "chargen", - 20: "ftp-data", - 21: "ftp", - 22: "ssh", - 23: "telnet", - 25: "smtp", - 27: "nsw-fe", - 29: "msg-icp", - 31: "msg-auth", - 33: "dsp", - 37: "time", - 38: "rap", - 39: "rlp", - 41: "graphics", - 42: "name", - 43: "nicname", - 44: "mpm-flags", - 45: "mpm", - 46: "mpm-snd", - 47: "ni-ftp", - 48: "auditd", - 49: "tacacs", - 50: "re-mail-ck", - 52: "xns-time", - 53: "domain", - 54: "xns-ch", - 55: "isi-gl", - 56: "xns-auth", - 58: "xns-mail", - 61: "ni-mail", - 62: "acas", - 63: "whoispp", - 64: "covia", - 65: "tacacs-ds", - 66: "sql-net", - 67: "bootps", - 68: "bootpc", - 69: "tftp", - 70: "gopher", - 71: "netrjs-1", - 72: "netrjs-2", - 73: "netrjs-3", - 74: "netrjs-4", - 76: "deos", - 78: "vettcp", - 79: "finger", - 80: "http", - 82: "xfer", - 83: "mit-ml-dev", - 84: "ctf", - 85: "mit-ml-dev", - 86: "mfcobol", - 88: "kerberos", - 89: "su-mit-tg", - 90: "dnsix", - 91: "mit-dov", - 92: "npp", - 93: "dcp", - 94: "objcall", - 95: "supdup", - 96: "dixie", - 97: "swift-rvf", - 98: "tacnews", - 99: "metagram", - 101: "hostname", - 102: "iso-tsap", - 103: "gppitnp", - 104: "acr-nema", - 105: "cso", - 106: "3com-tsmux", - 107: "rtelnet", - 108: "snagas", - 109: "pop2", - 110: "pop3", - 111: "sunrpc", - 112: "mcidas", - 113: "ident", - 115: "sftp", - 116: "ansanotify", - 117: "uucp-path", - 118: "sqlserv", - 119: "nntp", - 120: "cfdptkt", - 121: "erpc", - 122: "smakynet", - 123: "ntp", - 124: "ansatrader", - 125: "locus-map", - 126: "nxedit", - 127: "locus-con", - 128: "gss-xlicen", - 129: "pwdgen", - 130: "cisco-fna", - 131: "cisco-tna", - 132: "cisco-sys", - 133: "statsrv", - 134: "ingres-net", - 135: "epmap", - 136: "profile", - 137: "netbios-ns", - 138: "netbios-dgm", - 139: "netbios-ssn", - 140: "emfis-data", - 141: "emfis-cntl", - 142: "bl-idm", - 143: "imap", - 144: "uma", - 145: "uaac", - 146: "iso-tp0", - 147: "iso-ip", - 148: "jargon", - 149: "aed-512", - 150: "sql-net", - 151: "hems", - 152: "bftp", - 153: "sgmp", - 154: "netsc-prod", - 155: "netsc-dev", - 156: "sqlsrv", - 157: "knet-cmp", - 158: "pcmail-srv", - 159: "nss-routing", - 160: "sgmp-traps", - 161: "snmp", - 162: "snmptrap", - 163: "cmip-man", - 164: "cmip-agent", - 165: "xns-courier", - 166: "s-net", - 167: "namp", - 168: "rsvd", - 169: "send", - 170: "print-srv", - 171: "multiplex", - 172: "cl-1", - 173: "xyplex-mux", - 174: "mailq", - 175: "vmnet", - 176: "genrad-mux", - 177: "xdmcp", - 178: "nextstep", - 179: "bgp", - 180: "ris", - 181: "unify", - 182: "audit", - 183: "ocbinder", - 184: "ocserver", - 185: "remote-kis", - 186: "kis", - 187: "aci", - 188: "mumps", - 189: "qft", - 190: "gacp", - 191: "prospero", - 192: "osu-nms", - 193: "srmp", - 194: "irc", - 195: "dn6-nlm-aud", - 196: "dn6-smm-red", - 197: "dls", - 198: "dls-mon", - 199: "smux", - 200: "src", - 201: "at-rtmp", - 202: "at-nbp", - 203: "at-3", - 204: "at-echo", - 205: "at-5", - 206: "at-zis", - 207: "at-7", - 208: "at-8", - 209: "qmtp", - 210: "z39-50", - 211: "914c-g", - 212: "anet", - 213: "ipx", - 214: "vmpwscs", - 215: "softpc", - 216: "CAIlic", - 217: "dbase", - 218: "mpp", - 219: "uarps", - 220: "imap3", - 221: "fln-spx", - 222: "rsh-spx", - 223: "cdc", - 224: "masqdialer", - 242: "direct", - 243: "sur-meas", - 244: "inbusiness", - 245: "link", - 246: "dsp3270", - 247: "subntbcst-tftp", - 248: "bhfhs", - 256: "rap", - 257: "set", - 259: "esro-gen", - 260: "openport", - 261: "nsiiops", - 262: "arcisdms", - 263: "hdap", - 264: "bgmp", - 265: "x-bone-ctl", - 266: "sst", - 267: "td-service", - 268: "td-replica", - 269: "manet", - 271: "pt-tls", - 280: "http-mgmt", - 281: "personal-link", - 282: "cableport-ax", - 283: "rescap", - 284: "corerjd", - 286: "fxp", - 287: "k-block", - 308: "novastorbakcup", - 309: "entrusttime", - 310: "bhmds", - 311: "asip-webadmin", - 312: "vslmp", - 313: "magenta-logic", - 314: "opalis-robot", - 315: "dpsi", - 316: "decauth", - 317: "zannet", - 318: "pkix-timestamp", - 319: "ptp-event", - 320: "ptp-general", - 321: "pip", - 322: "rtsps", - 323: "rpki-rtr", - 324: "rpki-rtr-tls", - 333: "texar", - 344: "pdap", - 345: "pawserv", - 346: "zserv", - 347: "fatserv", - 348: "csi-sgwp", - 349: "mftp", - 350: "matip-type-a", - 351: "matip-type-b", - 352: "dtag-ste-sb", - 353: "ndsauth", - 354: "bh611", - 355: "datex-asn", - 356: "cloanto-net-1", - 357: "bhevent", - 358: "shrinkwrap", - 359: "nsrmp", - 360: "scoi2odialog", - 361: "semantix", - 362: "srssend", - 363: "rsvp-tunnel", - 364: "aurora-cmgr", - 365: "dtk", - 366: "odmr", - 367: "mortgageware", - 368: "qbikgdp", - 369: "rpc2portmap", - 370: "codaauth2", - 371: "clearcase", - 372: "ulistproc", - 373: "legent-1", - 374: "legent-2", - 375: "hassle", - 376: "nip", - 377: "tnETOS", - 378: "dsETOS", - 379: "is99c", - 380: "is99s", - 381: "hp-collector", - 382: "hp-managed-node", - 383: "hp-alarm-mgr", - 384: "arns", - 385: "ibm-app", - 386: "asa", - 387: "aurp", - 388: "unidata-ldm", - 389: "ldap", - 390: "uis", - 391: "synotics-relay", - 392: "synotics-broker", - 393: "meta5", - 394: "embl-ndt", - 395: "netcp", - 396: "netware-ip", - 397: "mptn", - 398: "kryptolan", - 399: "iso-tsap-c2", - 400: "osb-sd", - 401: "ups", - 402: "genie", - 403: "decap", - 404: "nced", - 405: "ncld", - 406: "imsp", - 407: "timbuktu", - 408: "prm-sm", - 409: "prm-nm", - 410: "decladebug", - 411: "rmt", - 412: "synoptics-trap", - 413: "smsp", - 414: "infoseek", - 415: "bnet", - 416: "silverplatter", - 417: "onmux", - 418: "hyper-g", - 419: "ariel1", - 420: "smpte", - 421: "ariel2", - 422: "ariel3", - 423: "opc-job-start", - 424: "opc-job-track", - 425: "icad-el", - 426: "smartsdp", - 427: "svrloc", - 428: "ocs-cmu", - 429: "ocs-amu", - 430: "utmpsd", - 431: "utmpcd", - 432: "iasd", - 433: "nnsp", - 434: "mobileip-agent", - 435: "mobilip-mn", - 436: "dna-cml", - 437: "comscm", - 438: "dsfgw", - 439: "dasp", - 440: "sgcp", - 441: "decvms-sysmgt", - 442: "cvc-hostd", - 443: "https", - 444: "snpp", - 445: "microsoft-ds", - 446: "ddm-rdb", - 447: "ddm-dfm", - 448: "ddm-ssl", - 449: "as-servermap", - 450: "tserver", - 451: "sfs-smp-net", - 452: "sfs-config", - 453: "creativeserver", - 454: "contentserver", - 455: "creativepartnr", - 456: "macon-tcp", - 457: "scohelp", - 458: "appleqtc", - 459: "ampr-rcmd", - 460: "skronk", - 461: "datasurfsrv", - 462: "datasurfsrvsec", - 463: "alpes", - 464: "kpasswd", - 465: "urd", - 466: "digital-vrc", - 467: "mylex-mapd", - 468: "photuris", - 469: "rcp", - 470: "scx-proxy", - 471: "mondex", - 472: "ljk-login", - 473: "hybrid-pop", - 474: "tn-tl-w1", - 475: "tcpnethaspsrv", - 476: "tn-tl-fd1", - 477: "ss7ns", - 478: "spsc", - 479: "iafserver", - 480: "iafdbase", - 481: "ph", - 482: "bgs-nsi", - 483: "ulpnet", - 484: "integra-sme", - 485: "powerburst", - 486: "avian", - 487: "saft", - 488: "gss-http", - 489: "nest-protocol", - 490: "micom-pfs", - 491: "go-login", - 492: "ticf-1", - 493: "ticf-2", - 494: "pov-ray", - 495: "intecourier", - 496: "pim-rp-disc", - 497: "retrospect", - 498: "siam", - 499: "iso-ill", - 500: "isakmp", - 501: "stmf", - 502: "mbap", - 503: "intrinsa", - 504: "citadel", - 505: "mailbox-lm", - 506: "ohimsrv", - 507: "crs", - 508: "xvttp", - 509: "snare", - 510: "fcp", - 511: "passgo", - 512: "exec", - 513: "login", - 514: "shell", - 515: "printer", - 516: "videotex", - 517: "talk", - 518: "ntalk", - 519: "utime", - 520: "efs", - 521: "ripng", - 522: "ulp", - 523: "ibm-db2", - 524: "ncp", - 525: "timed", - 526: "tempo", - 527: "stx", - 528: "custix", - 529: "irc-serv", - 530: "courier", - 531: "conference", - 532: "netnews", - 533: "netwall", - 534: "windream", - 535: "iiop", - 536: "opalis-rdv", - 537: "nmsp", - 538: "gdomap", - 539: "apertus-ldp", - 540: "uucp", - 541: "uucp-rlogin", - 542: "commerce", - 543: "klogin", - 544: "kshell", - 545: "appleqtcsrvr", - 546: "dhcpv6-client", - 547: "dhcpv6-server", - 548: "afpovertcp", - 549: "idfp", - 550: "new-rwho", - 551: "cybercash", - 552: "devshr-nts", - 553: "pirp", - 554: "rtsp", - 555: "dsf", - 556: "remotefs", - 557: "openvms-sysipc", - 558: "sdnskmp", - 559: "teedtap", - 560: "rmonitor", - 561: "monitor", - 562: "chshell", - 563: "nntps", - 564: "9pfs", - 565: "whoami", - 566: "streettalk", - 567: "banyan-rpc", - 568: "ms-shuttle", - 569: "ms-rome", - 570: "meter", - 571: "meter", - 572: "sonar", - 573: "banyan-vip", - 574: "ftp-agent", - 575: "vemmi", - 576: "ipcd", - 577: "vnas", - 578: "ipdd", - 579: "decbsrv", - 580: "sntp-heartbeat", - 581: "bdp", - 582: "scc-security", - 583: "philips-vc", - 584: "keyserver", - 586: "password-chg", - 587: "submission", - 588: "cal", - 589: "eyelink", - 590: "tns-cml", - 591: "http-alt", - 592: "eudora-set", - 593: "http-rpc-epmap", - 594: "tpip", - 595: "cab-protocol", - 596: "smsd", - 597: "ptcnameservice", - 598: "sco-websrvrmg3", - 599: "acp", - 600: "ipcserver", - 601: "syslog-conn", - 602: "xmlrpc-beep", - 603: "idxp", - 604: "tunnel", - 605: "soap-beep", - 606: "urm", - 607: "nqs", - 608: "sift-uft", - 609: "npmp-trap", - 610: "npmp-local", - 611: "npmp-gui", - 612: "hmmp-ind", - 613: "hmmp-op", - 614: "sshell", - 615: "sco-inetmgr", - 616: "sco-sysmgr", - 617: "sco-dtmgr", - 618: "dei-icda", - 619: "compaq-evm", - 620: "sco-websrvrmgr", - 621: "escp-ip", - 622: "collaborator", - 623: "oob-ws-http", - 624: "cryptoadmin", - 625: "dec-dlm", - 626: "asia", - 627: "passgo-tivoli", - 628: "qmqp", - 629: "3com-amp3", - 630: "rda", - 631: "ipp", - 632: "bmpp", - 633: "servstat", - 634: "ginad", - 635: "rlzdbase", - 636: "ldaps", - 637: "lanserver", - 638: "mcns-sec", - 639: "msdp", - 640: "entrust-sps", - 641: "repcmd", - 642: "esro-emsdp", - 643: "sanity", - 644: "dwr", - 645: "pssc", - 646: "ldp", - 647: "dhcp-failover", - 648: "rrp", - 649: "cadview-3d", - 650: "obex", - 651: "ieee-mms", - 652: "hello-port", - 653: "repscmd", - 654: "aodv", - 655: "tinc", - 656: "spmp", - 657: "rmc", - 658: "tenfold", - 660: "mac-srvr-admin", - 661: "hap", - 662: "pftp", - 663: "purenoise", - 664: "oob-ws-https", - 665: "sun-dr", - 666: "mdqs", - 667: "disclose", - 668: "mecomm", - 669: "meregister", - 670: "vacdsm-sws", - 671: "vacdsm-app", - 672: "vpps-qua", - 673: "cimplex", - 674: "acap", - 675: "dctp", - 676: "vpps-via", - 677: "vpp", - 678: "ggf-ncp", - 679: "mrm", - 680: "entrust-aaas", - 681: "entrust-aams", - 682: "xfr", - 683: "corba-iiop", - 684: "corba-iiop-ssl", - 685: "mdc-portmapper", - 686: "hcp-wismar", - 687: "asipregistry", - 688: "realm-rusd", - 689: "nmap", - 690: "vatp", - 691: "msexch-routing", - 692: "hyperwave-isp", - 693: "connendp", - 694: "ha-cluster", - 695: "ieee-mms-ssl", - 696: "rushd", - 697: "uuidgen", - 698: "olsr", - 699: "accessnetwork", - 700: "epp", - 701: "lmp", - 702: "iris-beep", - 704: "elcsd", - 705: "agentx", - 706: "silc", - 707: "borland-dsj", - 709: "entrust-kmsh", - 710: "entrust-ash", - 711: "cisco-tdp", - 712: "tbrpf", - 713: "iris-xpc", - 714: "iris-xpcs", - 715: "iris-lwz", - 729: "netviewdm1", - 730: "netviewdm2", - 731: "netviewdm3", - 741: "netgw", - 742: "netrcs", - 744: "flexlm", - 747: "fujitsu-dev", - 748: "ris-cm", - 749: "kerberos-adm", - 750: "rfile", - 751: "pump", - 752: "qrh", - 753: "rrh", - 754: "tell", - 758: "nlogin", - 759: "con", - 760: "ns", - 761: "rxe", - 762: "quotad", - 763: "cycleserv", - 764: "omserv", - 765: "webster", - 767: "phonebook", - 769: "vid", - 770: "cadlock", - 771: "rtip", - 772: "cycleserv2", - 773: "submit", - 774: "rpasswd", - 775: "entomb", - 776: "wpages", - 777: "multiling-http", - 780: "wpgs", - 800: "mdbs-daemon", - 801: "device", - 802: "mbap-s", - 810: "fcp-udp", - 828: "itm-mcell-s", - 829: "pkix-3-ca-ra", - 830: "netconf-ssh", - 831: "netconf-beep", - 832: "netconfsoaphttp", - 833: "netconfsoapbeep", - 847: "dhcp-failover2", - 848: "gdoi", - 860: "iscsi", - 861: "owamp-control", - 862: "twamp-control", - 873: "rsync", - 886: "iclcnet-locate", - 887: "iclcnet-svinfo", - 888: "accessbuilder", - 900: "omginitialrefs", - 901: "smpnameres", - 902: "ideafarm-door", - 903: "ideafarm-panic", - 910: "kink", - 911: "xact-backup", - 912: "apex-mesh", - 913: "apex-edge", - 989: "ftps-data", - 990: "ftps", - 991: "nas", - 992: "telnets", - 993: "imaps", - 995: "pop3s", - 996: "vsinet", - 997: "maitrd", - 998: "busboy", - 999: "garcon", - 1000: "cadlock2", - 1010: "surf", - 1021: "exp1", - 1022: "exp2", - 1025: "blackjack", - 1026: "cap", - 1029: "solid-mux", - 1033: "netinfo-local", - 1034: "activesync", - 1035: "mxxrlogin", - 1036: "nsstp", - 1037: "ams", - 1038: "mtqp", - 1039: "sbl", - 1040: "netarx", - 1041: "danf-ak2", - 1042: "afrog", - 1043: "boinc-client", - 1044: "dcutility", - 1045: "fpitp", - 1046: "wfremotertm", - 1047: "neod1", - 1048: "neod2", - 1049: "td-postman", - 1050: "cma", - 1051: "optima-vnet", - 1052: "ddt", - 1053: "remote-as", - 1054: "brvread", - 1055: "ansyslmd", - 1056: "vfo", - 1057: "startron", - 1058: "nim", - 1059: "nimreg", - 1060: "polestar", - 1061: "kiosk", - 1062: "veracity", - 1063: "kyoceranetdev", - 1064: "jstel", - 1065: "syscomlan", - 1066: "fpo-fns", - 1067: "instl-boots", - 1068: "instl-bootc", - 1069: "cognex-insight", - 1070: "gmrupdateserv", - 1071: "bsquare-voip", - 1072: "cardax", - 1073: "bridgecontrol", - 1074: "warmspotMgmt", - 1075: "rdrmshc", - 1076: "dab-sti-c", - 1077: "imgames", - 1078: "avocent-proxy", - 1079: "asprovatalk", - 1080: "socks", - 1081: "pvuniwien", - 1082: "amt-esd-prot", - 1083: "ansoft-lm-1", - 1084: "ansoft-lm-2", - 1085: "webobjects", - 1086: "cplscrambler-lg", - 1087: "cplscrambler-in", - 1088: "cplscrambler-al", - 1089: "ff-annunc", - 1090: "ff-fms", - 1091: "ff-sm", - 1092: "obrpd", - 1093: "proofd", - 1094: "rootd", - 1095: "nicelink", - 1096: "cnrprotocol", - 1097: "sunclustermgr", - 1098: "rmiactivation", - 1099: "rmiregistry", - 1100: "mctp", - 1101: "pt2-discover", - 1102: "adobeserver-1", - 1103: "adobeserver-2", - 1104: "xrl", - 1105: "ftranhc", - 1106: "isoipsigport-1", - 1107: "isoipsigport-2", - 1108: "ratio-adp", - 1110: "webadmstart", - 1111: "lmsocialserver", - 1112: "icp", - 1113: "ltp-deepspace", - 1114: "mini-sql", - 1115: "ardus-trns", - 1116: "ardus-cntl", - 1117: "ardus-mtrns", - 1118: "sacred", - 1119: "bnetgame", - 1120: "bnetfile", - 1121: "rmpp", - 1122: "availant-mgr", - 1123: "murray", - 1124: "hpvmmcontrol", - 1125: "hpvmmagent", - 1126: "hpvmmdata", - 1127: "kwdb-commn", - 1128: "saphostctrl", - 1129: "saphostctrls", - 1130: "casp", - 1131: "caspssl", - 1132: "kvm-via-ip", - 1133: "dfn", - 1134: "aplx", - 1135: "omnivision", - 1136: "hhb-gateway", - 1137: "trim", - 1138: "encrypted-admin", - 1139: "evm", - 1140: "autonoc", - 1141: "mxomss", - 1142: "edtools", - 1143: "imyx", - 1144: "fuscript", - 1145: "x9-icue", - 1146: "audit-transfer", - 1147: "capioverlan", - 1148: "elfiq-repl", - 1149: "bvtsonar", - 1150: "blaze", - 1151: "unizensus", - 1152: "winpoplanmess", - 1153: "c1222-acse", - 1154: "resacommunity", - 1155: "nfa", - 1156: "iascontrol-oms", - 1157: "iascontrol", - 1158: "dbcontrol-oms", - 1159: "oracle-oms", - 1160: "olsv", - 1161: "health-polling", - 1162: "health-trap", - 1163: "sddp", - 1164: "qsm-proxy", - 1165: "qsm-gui", - 1166: "qsm-remote", - 1167: "cisco-ipsla", - 1168: "vchat", - 1169: "tripwire", - 1170: "atc-lm", - 1171: "atc-appserver", - 1172: "dnap", - 1173: "d-cinema-rrp", - 1174: "fnet-remote-ui", - 1175: "dossier", - 1176: "indigo-server", - 1177: "dkmessenger", - 1178: "sgi-storman", - 1179: "b2n", - 1180: "mc-client", - 1181: "3comnetman", - 1182: "accelenet", - 1183: "llsurfup-http", - 1184: "llsurfup-https", - 1185: "catchpole", - 1186: "mysql-cluster", - 1187: "alias", - 1188: "hp-webadmin", - 1189: "unet", - 1190: "commlinx-avl", - 1191: "gpfs", - 1192: "caids-sensor", - 1193: "fiveacross", - 1194: "openvpn", - 1195: "rsf-1", - 1196: "netmagic", - 1197: "carrius-rshell", - 1198: "cajo-discovery", - 1199: "dmidi", - 1200: "scol", - 1201: "nucleus-sand", - 1202: "caiccipc", - 1203: "ssslic-mgr", - 1204: "ssslog-mgr", - 1205: "accord-mgc", - 1206: "anthony-data", - 1207: "metasage", - 1208: "seagull-ais", - 1209: "ipcd3", - 1210: "eoss", - 1211: "groove-dpp", - 1212: "lupa", - 1213: "mpc-lifenet", - 1214: "kazaa", - 1215: "scanstat-1", - 1216: "etebac5", - 1217: "hpss-ndapi", - 1218: "aeroflight-ads", - 1219: "aeroflight-ret", - 1220: "qt-serveradmin", - 1221: "sweetware-apps", - 1222: "nerv", - 1223: "tgp", - 1224: "vpnz", - 1225: "slinkysearch", - 1226: "stgxfws", - 1227: "dns2go", - 1228: "florence", - 1229: "zented", - 1230: "periscope", - 1231: "menandmice-lpm", - 1232: "first-defense", - 1233: "univ-appserver", - 1234: "search-agent", - 1235: "mosaicsyssvc1", - 1236: "bvcontrol", - 1237: "tsdos390", - 1238: "hacl-qs", - 1239: "nmsd", - 1240: "instantia", - 1241: "nessus", - 1242: "nmasoverip", - 1243: "serialgateway", - 1244: "isbconference1", - 1245: "isbconference2", - 1246: "payrouter", - 1247: "visionpyramid", - 1248: "hermes", - 1249: "mesavistaco", - 1250: "swldy-sias", - 1251: "servergraph", - 1252: "bspne-pcc", - 1253: "q55-pcc", - 1254: "de-noc", - 1255: "de-cache-query", - 1256: "de-server", - 1257: "shockwave2", - 1258: "opennl", - 1259: "opennl-voice", - 1260: "ibm-ssd", - 1261: "mpshrsv", - 1262: "qnts-orb", - 1263: "dka", - 1264: "prat", - 1265: "dssiapi", - 1266: "dellpwrappks", - 1267: "epc", - 1268: "propel-msgsys", - 1269: "watilapp", - 1270: "opsmgr", - 1271: "excw", - 1272: "cspmlockmgr", - 1273: "emc-gateway", - 1274: "t1distproc", - 1275: "ivcollector", - 1277: "miva-mqs", - 1278: "dellwebadmin-1", - 1279: "dellwebadmin-2", - 1280: "pictrography", - 1281: "healthd", - 1282: "emperion", - 1283: "productinfo", - 1284: "iee-qfx", - 1285: "neoiface", - 1286: "netuitive", - 1287: "routematch", - 1288: "navbuddy", - 1289: "jwalkserver", - 1290: "winjaserver", - 1291: "seagulllms", - 1292: "dsdn", - 1293: "pkt-krb-ipsec", - 1294: "cmmdriver", - 1295: "ehtp", - 1296: "dproxy", - 1297: "sdproxy", - 1298: "lpcp", - 1299: "hp-sci", - 1300: "h323hostcallsc", - 1301: "ci3-software-1", - 1302: "ci3-software-2", - 1303: "sftsrv", - 1304: "boomerang", - 1305: "pe-mike", - 1306: "re-conn-proto", - 1307: "pacmand", - 1308: "odsi", - 1309: "jtag-server", - 1310: "husky", - 1311: "rxmon", - 1312: "sti-envision", - 1313: "bmc-patroldb", - 1314: "pdps", - 1315: "els", - 1316: "exbit-escp", - 1317: "vrts-ipcserver", - 1318: "krb5gatekeeper", - 1319: "amx-icsp", - 1320: "amx-axbnet", - 1321: "pip", - 1322: "novation", - 1323: "brcd", - 1324: "delta-mcp", - 1325: "dx-instrument", - 1326: "wimsic", - 1327: "ultrex", - 1328: "ewall", - 1329: "netdb-export", - 1330: "streetperfect", - 1331: "intersan", - 1332: "pcia-rxp-b", - 1333: "passwrd-policy", - 1334: "writesrv", - 1335: "digital-notary", - 1336: "ischat", - 1337: "menandmice-dns", - 1338: "wmc-log-svc", - 1339: "kjtsiteserver", - 1340: "naap", - 1341: "qubes", - 1342: "esbroker", - 1343: "re101", - 1344: "icap", - 1345: "vpjp", - 1346: "alta-ana-lm", - 1347: "bbn-mmc", - 1348: "bbn-mmx", - 1349: "sbook", - 1350: "editbench", - 1351: "equationbuilder", - 1352: "lotusnote", - 1353: "relief", - 1354: "XSIP-network", - 1355: "intuitive-edge", - 1356: "cuillamartin", - 1357: "pegboard", - 1358: "connlcli", - 1359: "ftsrv", - 1360: "mimer", - 1361: "linx", - 1362: "timeflies", - 1363: "ndm-requester", - 1364: "ndm-server", - 1365: "adapt-sna", - 1366: "netware-csp", - 1367: "dcs", - 1368: "screencast", - 1369: "gv-us", - 1370: "us-gv", - 1371: "fc-cli", - 1372: "fc-ser", - 1373: "chromagrafx", - 1374: "molly", - 1375: "bytex", - 1376: "ibm-pps", - 1377: "cichlid", - 1378: "elan", - 1379: "dbreporter", - 1380: "telesis-licman", - 1381: "apple-licman", - 1382: "udt-os", - 1383: "gwha", - 1384: "os-licman", - 1385: "atex-elmd", - 1386: "checksum", - 1387: "cadsi-lm", - 1388: "objective-dbc", - 1389: "iclpv-dm", - 1390: "iclpv-sc", - 1391: "iclpv-sas", - 1392: "iclpv-pm", - 1393: "iclpv-nls", - 1394: "iclpv-nlc", - 1395: "iclpv-wsm", - 1396: "dvl-activemail", - 1397: "audio-activmail", - 1398: "video-activmail", - 1399: "cadkey-licman", - 1400: "cadkey-tablet", - 1401: "goldleaf-licman", - 1402: "prm-sm-np", - 1403: "prm-nm-np", - 1404: "igi-lm", - 1405: "ibm-res", - 1406: "netlabs-lm", - 1407: "dbsa-lm", - 1408: "sophia-lm", - 1409: "here-lm", - 1410: "hiq", - 1411: "af", - 1412: "innosys", - 1413: "innosys-acl", - 1414: "ibm-mqseries", - 1415: "dbstar", - 1416: "novell-lu6-2", - 1417: "timbuktu-srv1", - 1418: "timbuktu-srv2", - 1419: "timbuktu-srv3", - 1420: "timbuktu-srv4", - 1421: "gandalf-lm", - 1422: "autodesk-lm", - 1423: "essbase", - 1424: "hybrid", - 1425: "zion-lm", - 1426: "sais", - 1427: "mloadd", - 1428: "informatik-lm", - 1429: "nms", - 1430: "tpdu", - 1431: "rgtp", - 1432: "blueberry-lm", - 1433: "ms-sql-s", - 1434: "ms-sql-m", - 1435: "ibm-cics", - 1436: "saism", - 1437: "tabula", - 1438: "eicon-server", - 1439: "eicon-x25", - 1440: "eicon-slp", - 1441: "cadis-1", - 1442: "cadis-2", - 1443: "ies-lm", - 1444: "marcam-lm", - 1445: "proxima-lm", - 1446: "ora-lm", - 1447: "apri-lm", - 1448: "oc-lm", - 1449: "peport", - 1450: "dwf", - 1451: "infoman", - 1452: "gtegsc-lm", - 1453: "genie-lm", - 1454: "interhdl-elmd", - 1455: "esl-lm", - 1456: "dca", - 1457: "valisys-lm", - 1458: "nrcabq-lm", - 1459: "proshare1", - 1460: "proshare2", - 1461: "ibm-wrless-lan", - 1462: "world-lm", - 1463: "nucleus", - 1464: "msl-lmd", - 1465: "pipes", - 1466: "oceansoft-lm", - 1467: "csdmbase", - 1468: "csdm", - 1469: "aal-lm", - 1470: "uaiact", - 1471: "csdmbase", - 1472: "csdm", - 1473: "openmath", - 1474: "telefinder", - 1475: "taligent-lm", - 1476: "clvm-cfg", - 1477: "ms-sna-server", - 1478: "ms-sna-base", - 1479: "dberegister", - 1480: "pacerforum", - 1481: "airs", - 1482: "miteksys-lm", - 1483: "afs", - 1484: "confluent", - 1485: "lansource", - 1486: "nms-topo-serv", - 1487: "localinfosrvr", - 1488: "docstor", - 1489: "dmdocbroker", - 1490: "insitu-conf", - 1492: "stone-design-1", - 1493: "netmap-lm", - 1494: "ica", - 1495: "cvc", - 1496: "liberty-lm", - 1497: "rfx-lm", - 1498: "sybase-sqlany", - 1499: "fhc", - 1500: "vlsi-lm", - 1501: "saiscm", - 1502: "shivadiscovery", - 1503: "imtc-mcs", - 1504: "evb-elm", - 1505: "funkproxy", - 1506: "utcd", - 1507: "symplex", - 1508: "diagmond", - 1509: "robcad-lm", - 1510: "mvx-lm", - 1511: "3l-l1", - 1512: "wins", - 1513: "fujitsu-dtc", - 1514: "fujitsu-dtcns", - 1515: "ifor-protocol", - 1516: "vpad", - 1517: "vpac", - 1518: "vpvd", - 1519: "vpvc", - 1520: "atm-zip-office", - 1521: "ncube-lm", - 1522: "ricardo-lm", - 1523: "cichild-lm", - 1524: "ingreslock", - 1525: "orasrv", - 1526: "pdap-np", - 1527: "tlisrv", - 1529: "coauthor", - 1530: "rap-service", - 1531: "rap-listen", - 1532: "miroconnect", - 1533: "virtual-places", - 1534: "micromuse-lm", - 1535: "ampr-info", - 1536: "ampr-inter", - 1537: "sdsc-lm", - 1538: "3ds-lm", - 1539: "intellistor-lm", - 1540: "rds", - 1541: "rds2", - 1542: "gridgen-elmd", - 1543: "simba-cs", - 1544: "aspeclmd", - 1545: "vistium-share", - 1546: "abbaccuray", - 1547: "laplink", - 1548: "axon-lm", - 1549: "shivahose", - 1550: "3m-image-lm", - 1551: "hecmtl-db", - 1552: "pciarray", - 1553: "sna-cs", - 1554: "caci-lm", - 1555: "livelan", - 1556: "veritas-pbx", - 1557: "arbortext-lm", - 1558: "xingmpeg", - 1559: "web2host", - 1560: "asci-val", - 1561: "facilityview", - 1562: "pconnectmgr", - 1563: "cadabra-lm", - 1564: "pay-per-view", - 1565: "winddlb", - 1566: "corelvideo", - 1567: "jlicelmd", - 1568: "tsspmap", - 1569: "ets", - 1570: "orbixd", - 1571: "rdb-dbs-disp", - 1572: "chip-lm", - 1573: "itscomm-ns", - 1574: "mvel-lm", - 1575: "oraclenames", - 1576: "moldflow-lm", - 1577: "hypercube-lm", - 1578: "jacobus-lm", - 1579: "ioc-sea-lm", - 1580: "tn-tl-r1", - 1581: "mil-2045-47001", - 1582: "msims", - 1583: "simbaexpress", - 1584: "tn-tl-fd2", - 1585: "intv", - 1586: "ibm-abtact", - 1587: "pra-elmd", - 1588: "triquest-lm", - 1589: "vqp", - 1590: "gemini-lm", - 1591: "ncpm-pm", - 1592: "commonspace", - 1593: "mainsoft-lm", - 1594: "sixtrak", - 1595: "radio", - 1596: "radio-sm", - 1597: "orbplus-iiop", - 1598: "picknfs", - 1599: "simbaservices", - 1600: "issd", - 1601: "aas", - 1602: "inspect", - 1603: "picodbc", - 1604: "icabrowser", - 1605: "slp", - 1606: "slm-api", - 1607: "stt", - 1608: "smart-lm", - 1609: "isysg-lm", - 1610: "taurus-wh", - 1611: "ill", - 1612: "netbill-trans", - 1613: "netbill-keyrep", - 1614: "netbill-cred", - 1615: "netbill-auth", - 1616: "netbill-prod", - 1617: "nimrod-agent", - 1618: "skytelnet", - 1619: "xs-openstorage", - 1620: "faxportwinport", - 1621: "softdataphone", - 1622: "ontime", - 1623: "jaleosnd", - 1624: "udp-sr-port", - 1625: "svs-omagent", - 1626: "shockwave", - 1627: "t128-gateway", - 1628: "lontalk-norm", - 1629: "lontalk-urgnt", - 1630: "oraclenet8cman", - 1631: "visitview", - 1632: "pammratc", - 1633: "pammrpc", - 1634: "loaprobe", - 1635: "edb-server1", - 1636: "isdc", - 1637: "islc", - 1638: "ismc", - 1639: "cert-initiator", - 1640: "cert-responder", - 1641: "invision", - 1642: "isis-am", - 1643: "isis-ambc", - 1644: "saiseh", - 1645: "sightline", - 1646: "sa-msg-port", - 1647: "rsap", - 1648: "concurrent-lm", - 1649: "kermit", - 1650: "nkd", - 1651: "shiva-confsrvr", - 1652: "xnmp", - 1653: "alphatech-lm", - 1654: "stargatealerts", - 1655: "dec-mbadmin", - 1656: "dec-mbadmin-h", - 1657: "fujitsu-mmpdc", - 1658: "sixnetudr", - 1659: "sg-lm", - 1660: "skip-mc-gikreq", - 1661: "netview-aix-1", - 1662: "netview-aix-2", - 1663: "netview-aix-3", - 1664: "netview-aix-4", - 1665: "netview-aix-5", - 1666: "netview-aix-6", - 1667: "netview-aix-7", - 1668: "netview-aix-8", - 1669: "netview-aix-9", - 1670: "netview-aix-10", - 1671: "netview-aix-11", - 1672: "netview-aix-12", - 1673: "proshare-mc-1", - 1674: "proshare-mc-2", - 1675: "pdp", - 1676: "netcomm1", - 1677: "groupwise", - 1678: "prolink", - 1679: "darcorp-lm", - 1680: "microcom-sbp", - 1681: "sd-elmd", - 1682: "lanyon-lantern", - 1683: "ncpm-hip", - 1684: "snaresecure", - 1685: "n2nremote", - 1686: "cvmon", - 1687: "nsjtp-ctrl", - 1688: "nsjtp-data", - 1689: "firefox", - 1690: "ng-umds", - 1691: "empire-empuma", - 1692: "sstsys-lm", - 1693: "rrirtr", - 1694: "rrimwm", - 1695: "rrilwm", - 1696: "rrifmm", - 1697: "rrisat", - 1698: "rsvp-encap-1", - 1699: "rsvp-encap-2", - 1700: "mps-raft", - 1701: "l2f", - 1702: "deskshare", - 1703: "hb-engine", - 1704: "bcs-broker", - 1705: "slingshot", - 1706: "jetform", - 1707: "vdmplay", - 1708: "gat-lmd", - 1709: "centra", - 1710: "impera", - 1711: "pptconference", - 1712: "registrar", - 1713: "conferencetalk", - 1714: "sesi-lm", - 1715: "houdini-lm", - 1716: "xmsg", - 1717: "fj-hdnet", - 1718: "h323gatedisc", - 1719: "h323gatestat", - 1720: "h323hostcall", - 1721: "caicci", - 1722: "hks-lm", - 1723: "pptp", - 1724: "csbphonemaster", - 1725: "iden-ralp", - 1726: "iberiagames", - 1727: "winddx", - 1728: "telindus", - 1729: "citynl", - 1730: "roketz", - 1731: "msiccp", - 1732: "proxim", - 1733: "siipat", - 1734: "cambertx-lm", - 1735: "privatechat", - 1736: "street-stream", - 1737: "ultimad", - 1738: "gamegen1", - 1739: "webaccess", - 1740: "encore", - 1741: "cisco-net-mgmt", - 1742: "3Com-nsd", - 1743: "cinegrfx-lm", - 1744: "ncpm-ft", - 1745: "remote-winsock", - 1746: "ftrapid-1", - 1747: "ftrapid-2", - 1748: "oracle-em1", - 1749: "aspen-services", - 1750: "sslp", - 1751: "swiftnet", - 1752: "lofr-lm", - 1753: "predatar-comms", - 1754: "oracle-em2", - 1755: "ms-streaming", - 1756: "capfast-lmd", - 1757: "cnhrp", - 1758: "tftp-mcast", - 1759: "spss-lm", - 1760: "www-ldap-gw", - 1761: "cft-0", - 1762: "cft-1", - 1763: "cft-2", - 1764: "cft-3", - 1765: "cft-4", - 1766: "cft-5", - 1767: "cft-6", - 1768: "cft-7", - 1769: "bmc-net-adm", - 1770: "bmc-net-svc", - 1771: "vaultbase", - 1772: "essweb-gw", - 1773: "kmscontrol", - 1774: "global-dtserv", - 1775: "vdab", - 1776: "femis", - 1777: "powerguardian", - 1778: "prodigy-intrnet", - 1779: "pharmasoft", - 1780: "dpkeyserv", - 1781: "answersoft-lm", - 1782: "hp-hcip", - 1784: "finle-lm", - 1785: "windlm", - 1786: "funk-logger", - 1787: "funk-license", - 1788: "psmond", - 1789: "hello", - 1790: "nmsp", - 1791: "ea1", - 1792: "ibm-dt-2", - 1793: "rsc-robot", - 1794: "cera-bcm", - 1795: "dpi-proxy", - 1796: "vocaltec-admin", - 1797: "uma", - 1798: "etp", - 1799: "netrisk", - 1800: "ansys-lm", - 1801: "msmq", - 1802: "concomp1", - 1803: "hp-hcip-gwy", - 1804: "enl", - 1805: "enl-name", - 1806: "musiconline", - 1807: "fhsp", - 1808: "oracle-vp2", - 1809: "oracle-vp1", - 1810: "jerand-lm", - 1811: "scientia-sdb", - 1812: "radius", - 1813: "radius-acct", - 1814: "tdp-suite", - 1815: "mmpft", - 1816: "harp", - 1817: "rkb-oscs", - 1818: "etftp", - 1819: "plato-lm", - 1820: "mcagent", - 1821: "donnyworld", - 1822: "es-elmd", - 1823: "unisys-lm", - 1824: "metrics-pas", - 1825: "direcpc-video", - 1826: "ardt", - 1827: "asi", - 1828: "itm-mcell-u", - 1829: "optika-emedia", - 1830: "net8-cman", - 1831: "myrtle", - 1832: "tht-treasure", - 1833: "udpradio", - 1834: "ardusuni", - 1835: "ardusmul", - 1836: "ste-smsc", - 1837: "csoft1", - 1838: "talnet", - 1839: "netopia-vo1", - 1840: "netopia-vo2", - 1841: "netopia-vo3", - 1842: "netopia-vo4", - 1843: "netopia-vo5", - 1844: "direcpc-dll", - 1845: "altalink", - 1846: "tunstall-pnc", - 1847: "slp-notify", - 1848: "fjdocdist", - 1849: "alpha-sms", - 1850: "gsi", - 1851: "ctcd", - 1852: "virtual-time", - 1853: "vids-avtp", - 1854: "buddy-draw", - 1855: "fiorano-rtrsvc", - 1856: "fiorano-msgsvc", - 1857: "datacaptor", - 1858: "privateark", - 1859: "gammafetchsvr", - 1860: "sunscalar-svc", - 1861: "lecroy-vicp", - 1862: "mysql-cm-agent", - 1863: "msnp", - 1864: "paradym-31port", - 1865: "entp", - 1866: "swrmi", - 1867: "udrive", - 1868: "viziblebrowser", - 1869: "transact", - 1870: "sunscalar-dns", - 1871: "canocentral0", - 1872: "canocentral1", - 1873: "fjmpjps", - 1874: "fjswapsnp", - 1875: "westell-stats", - 1876: "ewcappsrv", - 1877: "hp-webqosdb", - 1878: "drmsmc", - 1879: "nettgain-nms", - 1880: "vsat-control", - 1881: "ibm-mqseries2", - 1882: "ecsqdmn", - 1883: "ibm-mqisdp", - 1884: "idmaps", - 1885: "vrtstrapserver", - 1886: "leoip", - 1887: "filex-lport", - 1888: "ncconfig", - 1889: "unify-adapter", - 1890: "wilkenlistener", - 1891: "childkey-notif", - 1892: "childkey-ctrl", - 1893: "elad", - 1894: "o2server-port", - 1896: "b-novative-ls", - 1897: "metaagent", - 1898: "cymtec-port", - 1899: "mc2studios", - 1900: "ssdp", - 1901: "fjicl-tep-a", - 1902: "fjicl-tep-b", - 1903: "linkname", - 1904: "fjicl-tep-c", - 1905: "sugp", - 1906: "tpmd", - 1907: "intrastar", - 1908: "dawn", - 1909: "global-wlink", - 1910: "ultrabac", - 1911: "mtp", - 1912: "rhp-iibp", - 1913: "armadp", - 1914: "elm-momentum", - 1915: "facelink", - 1916: "persona", - 1917: "noagent", - 1918: "can-nds", - 1919: "can-dch", - 1920: "can-ferret", - 1921: "noadmin", - 1922: "tapestry", - 1923: "spice", - 1924: "xiip", - 1925: "discovery-port", - 1926: "egs", - 1927: "videte-cipc", - 1928: "emsd-port", - 1929: "bandwiz-system", - 1930: "driveappserver", - 1931: "amdsched", - 1932: "ctt-broker", - 1933: "xmapi", - 1934: "xaapi", - 1935: "macromedia-fcs", - 1936: "jetcmeserver", - 1937: "jwserver", - 1938: "jwclient", - 1939: "jvserver", - 1940: "jvclient", - 1941: "dic-aida", - 1942: "res", - 1943: "beeyond-media", - 1944: "close-combat", - 1945: "dialogic-elmd", - 1946: "tekpls", - 1947: "sentinelsrm", - 1948: "eye2eye", - 1949: "ismaeasdaqlive", - 1950: "ismaeasdaqtest", - 1951: "bcs-lmserver", - 1952: "mpnjsc", - 1953: "rapidbase", - 1954: "abr-api", - 1955: "abr-secure", - 1956: "vrtl-vmf-ds", - 1957: "unix-status", - 1958: "dxadmind", - 1959: "simp-all", - 1960: "nasmanager", - 1961: "bts-appserver", - 1962: "biap-mp", - 1963: "webmachine", - 1964: "solid-e-engine", - 1965: "tivoli-npm", - 1966: "slush", - 1967: "sns-quote", - 1968: "lipsinc", - 1969: "lipsinc1", - 1970: "netop-rc", - 1971: "netop-school", - 1972: "intersys-cache", - 1973: "dlsrap", - 1974: "drp", - 1975: "tcoflashagent", - 1976: "tcoregagent", - 1977: "tcoaddressbook", - 1978: "unisql", - 1979: "unisql-java", - 1980: "pearldoc-xact", - 1981: "p2pq", - 1982: "estamp", - 1983: "lhtp", - 1984: "bb", - 1985: "hsrp", - 1986: "licensedaemon", - 1987: "tr-rsrb-p1", - 1988: "tr-rsrb-p2", - 1989: "tr-rsrb-p3", - 1990: "stun-p1", - 1991: "stun-p2", - 1992: "stun-p3", - 1993: "snmp-tcp-port", - 1994: "stun-port", - 1995: "perf-port", - 1996: "tr-rsrb-port", - 1997: "gdp-port", - 1998: "x25-svc-port", - 1999: "tcp-id-port", - 2000: "cisco-sccp", - 2001: "dc", - 2002: "globe", - 2003: "brutus", - 2004: "mailbox", - 2005: "berknet", - 2006: "invokator", - 2007: "dectalk", - 2008: "conf", - 2009: "news", - 2010: "search", - 2011: "raid-cc", - 2012: "ttyinfo", - 2013: "raid-am", - 2014: "troff", - 2015: "cypress", - 2016: "bootserver", - 2017: "cypress-stat", - 2018: "terminaldb", - 2019: "whosockami", - 2020: "xinupageserver", - 2021: "servexec", - 2022: "down", - 2023: "xinuexpansion3", - 2024: "xinuexpansion4", - 2025: "ellpack", - 2026: "scrabble", - 2027: "shadowserver", - 2028: "submitserver", - 2029: "hsrpv6", - 2030: "device2", - 2031: "mobrien-chat", - 2032: "blackboard", - 2033: "glogger", - 2034: "scoremgr", - 2035: "imsldoc", - 2036: "e-dpnet", - 2037: "applus", - 2038: "objectmanager", - 2039: "prizma", - 2040: "lam", - 2041: "interbase", - 2042: "isis", - 2043: "isis-bcast", - 2044: "rimsl", - 2045: "cdfunc", - 2046: "sdfunc", - 2047: "dls", - 2048: "dls-monitor", - 2049: "shilp", - 2050: "av-emb-config", - 2051: "epnsdp", - 2052: "clearvisn", - 2053: "lot105-ds-upd", - 2054: "weblogin", - 2055: "iop", - 2056: "omnisky", - 2057: "rich-cp", - 2058: "newwavesearch", - 2059: "bmc-messaging", - 2060: "teleniumdaemon", - 2061: "netmount", - 2062: "icg-swp", - 2063: "icg-bridge", - 2064: "icg-iprelay", - 2065: "dlsrpn", - 2066: "aura", - 2067: "dlswpn", - 2068: "avauthsrvprtcl", - 2069: "event-port", - 2070: "ah-esp-encap", - 2071: "acp-port", - 2072: "msync", - 2073: "gxs-data-port", - 2074: "vrtl-vmf-sa", - 2075: "newlixengine", - 2076: "newlixconfig", - 2077: "tsrmagt", - 2078: "tpcsrvr", - 2079: "idware-router", - 2080: "autodesk-nlm", - 2081: "kme-trap-port", - 2082: "infowave", - 2083: "radsec", - 2084: "sunclustergeo", - 2085: "ada-cip", - 2086: "gnunet", - 2087: "eli", - 2088: "ip-blf", - 2089: "sep", - 2090: "lrp", - 2091: "prp", - 2092: "descent3", - 2093: "nbx-cc", - 2094: "nbx-au", - 2095: "nbx-ser", - 2096: "nbx-dir", - 2097: "jetformpreview", - 2098: "dialog-port", - 2099: "h2250-annex-g", - 2100: "amiganetfs", - 2101: "rtcm-sc104", - 2102: "zephyr-srv", - 2103: "zephyr-clt", - 2104: "zephyr-hm", - 2105: "minipay", - 2106: "mzap", - 2107: "bintec-admin", - 2108: "comcam", - 2109: "ergolight", - 2110: "umsp", - 2111: "dsatp", - 2112: "idonix-metanet", - 2113: "hsl-storm", - 2114: "newheights", - 2115: "kdm", - 2116: "ccowcmr", - 2117: "mentaclient", - 2118: "mentaserver", - 2119: "gsigatekeeper", - 2120: "qencp", - 2121: "scientia-ssdb", - 2122: "caupc-remote", - 2123: "gtp-control", - 2124: "elatelink", - 2125: "lockstep", - 2126: "pktcable-cops", - 2127: "index-pc-wb", - 2128: "net-steward", - 2129: "cs-live", - 2130: "xds", - 2131: "avantageb2b", - 2132: "solera-epmap", - 2133: "zymed-zpp", - 2134: "avenue", - 2135: "gris", - 2136: "appworxsrv", - 2137: "connect", - 2138: "unbind-cluster", - 2139: "ias-auth", - 2140: "ias-reg", - 2141: "ias-admind", - 2142: "tdmoip", - 2143: "lv-jc", - 2144: "lv-ffx", - 2145: "lv-pici", - 2146: "lv-not", - 2147: "lv-auth", - 2148: "veritas-ucl", - 2149: "acptsys", - 2150: "dynamic3d", - 2151: "docent", - 2152: "gtp-user", - 2153: "ctlptc", - 2154: "stdptc", - 2155: "brdptc", - 2156: "trp", - 2157: "xnds", - 2158: "touchnetplus", - 2159: "gdbremote", - 2160: "apc-2160", - 2161: "apc-2161", - 2162: "navisphere", - 2163: "navisphere-sec", - 2164: "ddns-v3", - 2165: "x-bone-api", - 2166: "iwserver", - 2167: "raw-serial", - 2168: "easy-soft-mux", - 2169: "brain", - 2170: "eyetv", - 2171: "msfw-storage", - 2172: "msfw-s-storage", - 2173: "msfw-replica", - 2174: "msfw-array", - 2175: "airsync", - 2176: "rapi", - 2177: "qwave", - 2178: "bitspeer", - 2179: "vmrdp", - 2180: "mc-gt-srv", - 2181: "eforward", - 2182: "cgn-stat", - 2183: "cgn-config", - 2184: "nvd", - 2185: "onbase-dds", - 2186: "gtaua", - 2187: "ssmc", - 2188: "radware-rpm", - 2189: "radware-rpm-s", - 2190: "tivoconnect", - 2191: "tvbus", - 2192: "asdis", - 2193: "drwcs", - 2197: "mnp-exchange", - 2198: "onehome-remote", - 2199: "onehome-help", - 2200: "ici", - 2201: "ats", - 2202: "imtc-map", - 2203: "b2-runtime", - 2204: "b2-license", - 2205: "jps", - 2206: "hpocbus", - 2207: "hpssd", - 2208: "hpiod", - 2209: "rimf-ps", - 2210: "noaaport", - 2211: "emwin", - 2212: "leecoposserver", - 2213: "kali", - 2214: "rpi", - 2215: "ipcore", - 2216: "vtu-comms", - 2217: "gotodevice", - 2218: "bounzza", - 2219: "netiq-ncap", - 2220: "netiq", - 2221: "rockwell-csp1", - 2222: "EtherNet-IP-1", - 2223: "rockwell-csp2", - 2224: "efi-mg", - 2225: "rcip-itu", - 2226: "di-drm", - 2227: "di-msg", - 2228: "ehome-ms", - 2229: "datalens", - 2230: "queueadm", - 2231: "wimaxasncp", - 2232: "ivs-video", - 2233: "infocrypt", - 2234: "directplay", - 2235: "sercomm-wlink", - 2236: "nani", - 2237: "optech-port1-lm", - 2238: "aviva-sna", - 2239: "imagequery", - 2240: "recipe", - 2241: "ivsd", - 2242: "foliocorp", - 2243: "magicom", - 2244: "nmsserver", - 2245: "hao", - 2246: "pc-mta-addrmap", - 2247: "antidotemgrsvr", - 2248: "ums", - 2249: "rfmp", - 2250: "remote-collab", - 2251: "dif-port", - 2252: "njenet-ssl", - 2253: "dtv-chan-req", - 2254: "seispoc", - 2255: "vrtp", - 2256: "pcc-mfp", - 2257: "simple-tx-rx", - 2258: "rcts", - 2260: "apc-2260", - 2261: "comotionmaster", - 2262: "comotionback", - 2263: "ecwcfg", - 2264: "apx500api-1", - 2265: "apx500api-2", - 2266: "mfserver", - 2267: "ontobroker", - 2268: "amt", - 2269: "mikey", - 2270: "starschool", - 2271: "mmcals", - 2272: "mmcal", - 2273: "mysql-im", - 2274: "pcttunnell", - 2275: "ibridge-data", - 2276: "ibridge-mgmt", - 2277: "bluectrlproxy", - 2278: "s3db", - 2279: "xmquery", - 2280: "lnvpoller", - 2281: "lnvconsole", - 2282: "lnvalarm", - 2283: "lnvstatus", - 2284: "lnvmaps", - 2285: "lnvmailmon", - 2286: "nas-metering", - 2287: "dna", - 2288: "netml", - 2289: "dict-lookup", - 2290: "sonus-logging", - 2291: "eapsp", - 2292: "mib-streaming", - 2293: "npdbgmngr", - 2294: "konshus-lm", - 2295: "advant-lm", - 2296: "theta-lm", - 2297: "d2k-datamover1", - 2298: "d2k-datamover2", - 2299: "pc-telecommute", - 2300: "cvmmon", - 2301: "cpq-wbem", - 2302: "binderysupport", - 2303: "proxy-gateway", - 2304: "attachmate-uts", - 2305: "mt-scaleserver", - 2306: "tappi-boxnet", - 2307: "pehelp", - 2308: "sdhelp", - 2309: "sdserver", - 2310: "sdclient", - 2311: "messageservice", - 2312: "wanscaler", - 2313: "iapp", - 2314: "cr-websystems", - 2315: "precise-sft", - 2316: "sent-lm", - 2317: "attachmate-g32", - 2318: "cadencecontrol", - 2319: "infolibria", - 2320: "siebel-ns", - 2321: "rdlap", - 2322: "ofsd", - 2323: "3d-nfsd", - 2324: "cosmocall", - 2325: "ansysli", - 2326: "idcp", - 2327: "xingcsm", - 2328: "netrix-sftm", - 2329: "nvd", - 2330: "tscchat", - 2331: "agentview", - 2332: "rcc-host", - 2333: "snapp", - 2334: "ace-client", - 2335: "ace-proxy", - 2336: "appleugcontrol", - 2337: "ideesrv", - 2338: "norton-lambert", - 2339: "3com-webview", - 2340: "wrs-registry", - 2341: "xiostatus", - 2342: "manage-exec", - 2343: "nati-logos", - 2344: "fcmsys", - 2345: "dbm", - 2346: "redstorm-join", - 2347: "redstorm-find", - 2348: "redstorm-info", - 2349: "redstorm-diag", - 2350: "psbserver", - 2351: "psrserver", - 2352: "pslserver", - 2353: "pspserver", - 2354: "psprserver", - 2355: "psdbserver", - 2356: "gxtelmd", - 2357: "unihub-server", - 2358: "futrix", - 2359: "flukeserver", - 2360: "nexstorindltd", - 2361: "tl1", - 2362: "digiman", - 2363: "mediacntrlnfsd", - 2364: "oi-2000", - 2365: "dbref", - 2366: "qip-login", - 2367: "service-ctrl", - 2368: "opentable", - 2370: "l3-hbmon", - 2371: "hp-rda", - 2372: "lanmessenger", - 2373: "remographlm", - 2374: "hydra", - 2375: "docker", - 2376: "docker-s", - 2379: "etcd-client", - 2380: "etcd-server", - 2381: "compaq-https", - 2382: "ms-olap3", - 2383: "ms-olap4", - 2384: "sd-request", - 2385: "sd-data", - 2386: "virtualtape", - 2387: "vsamredirector", - 2388: "mynahautostart", - 2389: "ovsessionmgr", - 2390: "rsmtp", - 2391: "3com-net-mgmt", - 2392: "tacticalauth", - 2393: "ms-olap1", - 2394: "ms-olap2", - 2395: "lan900-remote", - 2396: "wusage", - 2397: "ncl", - 2398: "orbiter", - 2399: "fmpro-fdal", - 2400: "opequus-server", - 2401: "cvspserver", - 2402: "taskmaster2000", - 2403: "taskmaster2000", - 2404: "iec-104", - 2405: "trc-netpoll", - 2406: "jediserver", - 2407: "orion", - 2408: "railgun-webaccl", - 2409: "sns-protocol", - 2410: "vrts-registry", - 2411: "netwave-ap-mgmt", - 2412: "cdn", - 2413: "orion-rmi-reg", - 2414: "beeyond", - 2415: "codima-rtp", - 2416: "rmtserver", - 2417: "composit-server", - 2418: "cas", - 2419: "attachmate-s2s", - 2420: "dslremote-mgmt", - 2421: "g-talk", - 2422: "crmsbits", - 2423: "rnrp", - 2424: "kofax-svr", - 2425: "fjitsuappmgr", - 2427: "mgcp-gateway", - 2428: "ott", - 2429: "ft-role", - 2430: "venus", - 2431: "venus-se", - 2432: "codasrv", - 2433: "codasrv-se", - 2434: "pxc-epmap", - 2435: "optilogic", - 2436: "topx", - 2437: "unicontrol", - 2438: "msp", - 2439: "sybasedbsynch", - 2440: "spearway", - 2441: "pvsw-inet", - 2442: "netangel", - 2443: "powerclientcsf", - 2444: "btpp2sectrans", - 2445: "dtn1", - 2446: "bues-service", - 2447: "ovwdb", - 2448: "hpppssvr", - 2449: "ratl", - 2450: "netadmin", - 2451: "netchat", - 2452: "snifferclient", - 2453: "madge-ltd", - 2454: "indx-dds", - 2455: "wago-io-system", - 2456: "altav-remmgt", - 2457: "rapido-ip", - 2458: "griffin", - 2459: "community", - 2460: "ms-theater", - 2461: "qadmifoper", - 2462: "qadmifevent", - 2463: "lsi-raid-mgmt", - 2464: "direcpc-si", - 2465: "lbm", - 2466: "lbf", - 2467: "high-criteria", - 2468: "qip-msgd", - 2469: "mti-tcs-comm", - 2470: "taskman-port", - 2471: "seaodbc", - 2472: "c3", - 2473: "aker-cdp", - 2474: "vitalanalysis", - 2475: "ace-server", - 2476: "ace-svr-prop", - 2477: "ssm-cvs", - 2478: "ssm-cssps", - 2479: "ssm-els", - 2480: "powerexchange", - 2481: "giop", - 2482: "giop-ssl", - 2483: "ttc", - 2484: "ttc-ssl", - 2485: "netobjects1", - 2486: "netobjects2", - 2487: "pns", - 2488: "moy-corp", - 2489: "tsilb", - 2490: "qip-qdhcp", - 2491: "conclave-cpp", - 2492: "groove", - 2493: "talarian-mqs", - 2494: "bmc-ar", - 2495: "fast-rem-serv", - 2496: "dirgis", - 2497: "quaddb", - 2498: "odn-castraq", - 2499: "unicontrol", - 2500: "rtsserv", - 2501: "rtsclient", - 2502: "kentrox-prot", - 2503: "nms-dpnss", - 2504: "wlbs", - 2505: "ppcontrol", - 2506: "jbroker", - 2507: "spock", - 2508: "jdatastore", - 2509: "fjmpss", - 2510: "fjappmgrbulk", - 2511: "metastorm", - 2512: "citrixima", - 2513: "citrixadmin", - 2514: "facsys-ntp", - 2515: "facsys-router", - 2516: "maincontrol", - 2517: "call-sig-trans", - 2518: "willy", - 2519: "globmsgsvc", - 2520: "pvsw", - 2521: "adaptecmgr", - 2522: "windb", - 2523: "qke-llc-v3", - 2524: "optiwave-lm", - 2525: "ms-v-worlds", - 2526: "ema-sent-lm", - 2527: "iqserver", - 2528: "ncr-ccl", - 2529: "utsftp", - 2530: "vrcommerce", - 2531: "ito-e-gui", - 2532: "ovtopmd", - 2533: "snifferserver", - 2534: "combox-web-acc", - 2535: "madcap", - 2536: "btpp2audctr1", - 2537: "upgrade", - 2538: "vnwk-prapi", - 2539: "vsiadmin", - 2540: "lonworks", - 2541: "lonworks2", - 2542: "udrawgraph", - 2543: "reftek", - 2544: "novell-zen", - 2545: "sis-emt", - 2546: "vytalvaultbrtp", - 2547: "vytalvaultvsmp", - 2548: "vytalvaultpipe", - 2549: "ipass", - 2550: "ads", - 2551: "isg-uda-server", - 2552: "call-logging", - 2553: "efidiningport", - 2554: "vcnet-link-v10", - 2555: "compaq-wcp", - 2556: "nicetec-nmsvc", - 2557: "nicetec-mgmt", - 2558: "pclemultimedia", - 2559: "lstp", - 2560: "labrat", - 2561: "mosaixcc", - 2562: "delibo", - 2563: "cti-redwood", - 2564: "hp-3000-telnet", - 2565: "coord-svr", - 2566: "pcs-pcw", - 2567: "clp", - 2568: "spamtrap", - 2569: "sonuscallsig", - 2570: "hs-port", - 2571: "cecsvc", - 2572: "ibp", - 2573: "trustestablish", - 2574: "blockade-bpsp", - 2575: "hl7", - 2576: "tclprodebugger", - 2577: "scipticslsrvr", - 2578: "rvs-isdn-dcp", - 2579: "mpfoncl", - 2580: "tributary", - 2581: "argis-te", - 2582: "argis-ds", - 2583: "mon", - 2584: "cyaserv", - 2585: "netx-server", - 2586: "netx-agent", - 2587: "masc", - 2588: "privilege", - 2589: "quartus-tcl", - 2590: "idotdist", - 2591: "maytagshuffle", - 2592: "netrek", - 2593: "mns-mail", - 2594: "dts", - 2595: "worldfusion1", - 2596: "worldfusion2", - 2597: "homesteadglory", - 2598: "citriximaclient", - 2599: "snapd", - 2600: "hpstgmgr", - 2601: "discp-client", - 2602: "discp-server", - 2603: "servicemeter", - 2604: "nsc-ccs", - 2605: "nsc-posa", - 2606: "netmon", - 2607: "connection", - 2608: "wag-service", - 2609: "system-monitor", - 2610: "versa-tek", - 2611: "lionhead", - 2612: "qpasa-agent", - 2613: "smntubootstrap", - 2614: "neveroffline", - 2615: "firepower", - 2616: "appswitch-emp", - 2617: "cmadmin", - 2618: "priority-e-com", - 2619: "bruce", - 2620: "lpsrecommender", - 2621: "miles-apart", - 2622: "metricadbc", - 2623: "lmdp", - 2624: "aria", - 2625: "blwnkl-port", - 2626: "gbjd816", - 2627: "moshebeeri", - 2628: "dict", - 2629: "sitaraserver", - 2630: "sitaramgmt", - 2631: "sitaradir", - 2632: "irdg-post", - 2633: "interintelli", - 2634: "pk-electronics", - 2635: "backburner", - 2636: "solve", - 2637: "imdocsvc", - 2638: "sybaseanywhere", - 2639: "aminet", - 2640: "sai-sentlm", - 2641: "hdl-srv", - 2642: "tragic", - 2643: "gte-samp", - 2644: "travsoft-ipx-t", - 2645: "novell-ipx-cmd", - 2646: "and-lm", - 2647: "syncserver", - 2648: "upsnotifyprot", - 2649: "vpsipport", - 2650: "eristwoguns", - 2651: "ebinsite", - 2652: "interpathpanel", - 2653: "sonus", - 2654: "corel-vncadmin", - 2655: "unglue", - 2656: "kana", - 2657: "sns-dispatcher", - 2658: "sns-admin", - 2659: "sns-query", - 2660: "gcmonitor", - 2661: "olhost", - 2662: "bintec-capi", - 2663: "bintec-tapi", - 2664: "patrol-mq-gm", - 2665: "patrol-mq-nm", - 2666: "extensis", - 2667: "alarm-clock-s", - 2668: "alarm-clock-c", - 2669: "toad", - 2670: "tve-announce", - 2671: "newlixreg", - 2672: "nhserver", - 2673: "firstcall42", - 2674: "ewnn", - 2675: "ttc-etap", - 2676: "simslink", - 2677: "gadgetgate1way", - 2678: "gadgetgate2way", - 2679: "syncserverssl", - 2680: "pxc-sapxom", - 2681: "mpnjsomb", - 2683: "ncdloadbalance", - 2684: "mpnjsosv", - 2685: "mpnjsocl", - 2686: "mpnjsomg", - 2687: "pq-lic-mgmt", - 2688: "md-cg-http", - 2689: "fastlynx", - 2690: "hp-nnm-data", - 2691: "itinternet", - 2692: "admins-lms", - 2694: "pwrsevent", - 2695: "vspread", - 2696: "unifyadmin", - 2697: "oce-snmp-trap", - 2698: "mck-ivpip", - 2699: "csoft-plusclnt", - 2700: "tqdata", - 2701: "sms-rcinfo", - 2702: "sms-xfer", - 2703: "sms-chat", - 2704: "sms-remctrl", - 2705: "sds-admin", - 2706: "ncdmirroring", - 2707: "emcsymapiport", - 2708: "banyan-net", - 2709: "supermon", - 2710: "sso-service", - 2711: "sso-control", - 2712: "aocp", - 2713: "raventbs", - 2714: "raventdm", - 2715: "hpstgmgr2", - 2716: "inova-ip-disco", - 2717: "pn-requester", - 2718: "pn-requester2", - 2719: "scan-change", - 2720: "wkars", - 2721: "smart-diagnose", - 2722: "proactivesrvr", - 2723: "watchdog-nt", - 2724: "qotps", - 2725: "msolap-ptp2", - 2726: "tams", - 2727: "mgcp-callagent", - 2728: "sqdr", - 2729: "tcim-control", - 2730: "nec-raidplus", - 2731: "fyre-messanger", - 2732: "g5m", - 2733: "signet-ctf", - 2734: "ccs-software", - 2735: "netiq-mc", - 2736: "radwiz-nms-srv", - 2737: "srp-feedback", - 2738: "ndl-tcp-ois-gw", - 2739: "tn-timing", - 2740: "alarm", - 2741: "tsb", - 2742: "tsb2", - 2743: "murx", - 2744: "honyaku", - 2745: "urbisnet", - 2746: "cpudpencap", - 2747: "fjippol-swrly", - 2748: "fjippol-polsvr", - 2749: "fjippol-cnsl", - 2750: "fjippol-port1", - 2751: "fjippol-port2", - 2752: "rsisysaccess", - 2753: "de-spot", - 2754: "apollo-cc", - 2755: "expresspay", - 2756: "simplement-tie", - 2757: "cnrp", - 2758: "apollo-status", - 2759: "apollo-gms", - 2760: "sabams", - 2761: "dicom-iscl", - 2762: "dicom-tls", - 2763: "desktop-dna", - 2764: "data-insurance", - 2765: "qip-audup", - 2766: "compaq-scp", - 2767: "uadtc", - 2768: "uacs", - 2769: "exce", - 2770: "veronica", - 2771: "vergencecm", - 2772: "auris", - 2773: "rbakcup1", - 2774: "rbakcup2", - 2775: "smpp", - 2776: "ridgeway1", - 2777: "ridgeway2", - 2778: "gwen-sonya", - 2779: "lbc-sync", - 2780: "lbc-control", - 2781: "whosells", - 2782: "everydayrc", - 2783: "aises", - 2784: "www-dev", - 2785: "aic-np", - 2786: "aic-oncrpc", - 2787: "piccolo", - 2788: "fryeserv", - 2789: "media-agent", - 2790: "plgproxy", - 2791: "mtport-regist", - 2792: "f5-globalsite", - 2793: "initlsmsad", - 2795: "livestats", - 2796: "ac-tech", - 2797: "esp-encap", - 2798: "tmesis-upshot", - 2799: "icon-discover", - 2800: "acc-raid", - 2801: "igcp", - 2802: "veritas-tcp1", - 2803: "btprjctrl", - 2804: "dvr-esm", - 2805: "wta-wsp-s", - 2806: "cspuni", - 2807: "cspmulti", - 2808: "j-lan-p", - 2809: "corbaloc", - 2810: "netsteward", - 2811: "gsiftp", - 2812: "atmtcp", - 2813: "llm-pass", - 2814: "llm-csv", - 2815: "lbc-measure", - 2816: "lbc-watchdog", - 2817: "nmsigport", - 2818: "rmlnk", - 2819: "fc-faultnotify", - 2820: "univision", - 2821: "vrts-at-port", - 2822: "ka0wuc", - 2823: "cqg-netlan", - 2824: "cqg-netlan-1", - 2826: "slc-systemlog", - 2827: "slc-ctrlrloops", - 2828: "itm-lm", - 2829: "silkp1", - 2830: "silkp2", - 2831: "silkp3", - 2832: "silkp4", - 2833: "glishd", - 2834: "evtp", - 2835: "evtp-data", - 2836: "catalyst", - 2837: "repliweb", - 2838: "starbot", - 2839: "nmsigport", - 2840: "l3-exprt", - 2841: "l3-ranger", - 2842: "l3-hawk", - 2843: "pdnet", - 2844: "bpcp-poll", - 2845: "bpcp-trap", - 2846: "aimpp-hello", - 2847: "aimpp-port-req", - 2848: "amt-blc-port", - 2849: "fxp", - 2850: "metaconsole", - 2851: "webemshttp", - 2852: "bears-01", - 2853: "ispipes", - 2854: "infomover", - 2855: "msrp", - 2856: "cesdinv", - 2857: "simctlp", - 2858: "ecnp", - 2859: "activememory", - 2860: "dialpad-voice1", - 2861: "dialpad-voice2", - 2862: "ttg-protocol", - 2863: "sonardata", - 2864: "astromed-main", - 2865: "pit-vpn", - 2866: "iwlistener", - 2867: "esps-portal", - 2868: "npep-messaging", - 2869: "icslap", - 2870: "daishi", - 2871: "msi-selectplay", - 2872: "radix", - 2874: "dxmessagebase1", - 2875: "dxmessagebase2", - 2876: "sps-tunnel", - 2877: "bluelance", - 2878: "aap", - 2879: "ucentric-ds", - 2880: "synapse", - 2881: "ndsp", - 2882: "ndtp", - 2883: "ndnp", - 2884: "flashmsg", - 2885: "topflow", - 2886: "responselogic", - 2887: "aironetddp", - 2888: "spcsdlobby", - 2889: "rsom", - 2890: "cspclmulti", - 2891: "cinegrfx-elmd", - 2892: "snifferdata", - 2893: "vseconnector", - 2894: "abacus-remote", - 2895: "natuslink", - 2896: "ecovisiong6-1", - 2897: "citrix-rtmp", - 2898: "appliance-cfg", - 2899: "powergemplus", - 2900: "quicksuite", - 2901: "allstorcns", - 2902: "netaspi", - 2903: "suitcase", - 2904: "m2ua", - 2905: "m3ua", - 2906: "caller9", - 2907: "webmethods-b2b", - 2908: "mao", - 2909: "funk-dialout", - 2910: "tdaccess", - 2911: "blockade", - 2912: "epicon", - 2913: "boosterware", - 2914: "gamelobby", - 2915: "tksocket", - 2916: "elvin-server", - 2917: "elvin-client", - 2918: "kastenchasepad", - 2919: "roboer", - 2920: "roboeda", - 2921: "cesdcdman", - 2922: "cesdcdtrn", - 2923: "wta-wsp-wtp-s", - 2924: "precise-vip", - 2926: "mobile-file-dl", - 2927: "unimobilectrl", - 2928: "redstone-cpss", - 2929: "amx-webadmin", - 2930: "amx-weblinx", - 2931: "circle-x", - 2932: "incp", - 2933: "4-tieropmgw", - 2934: "4-tieropmcli", - 2935: "qtp", - 2936: "otpatch", - 2937: "pnaconsult-lm", - 2938: "sm-pas-1", - 2939: "sm-pas-2", - 2940: "sm-pas-3", - 2941: "sm-pas-4", - 2942: "sm-pas-5", - 2943: "ttnrepository", - 2944: "megaco-h248", - 2945: "h248-binary", - 2946: "fjsvmpor", - 2947: "gpsd", - 2948: "wap-push", - 2949: "wap-pushsecure", - 2950: "esip", - 2951: "ottp", - 2952: "mpfwsas", - 2953: "ovalarmsrv", - 2954: "ovalarmsrv-cmd", - 2955: "csnotify", - 2956: "ovrimosdbman", - 2957: "jmact5", - 2958: "jmact6", - 2959: "rmopagt", - 2960: "dfoxserver", - 2961: "boldsoft-lm", - 2962: "iph-policy-cli", - 2963: "iph-policy-adm", - 2964: "bullant-srap", - 2965: "bullant-rap", - 2966: "idp-infotrieve", - 2967: "ssc-agent", - 2968: "enpp", - 2969: "essp", - 2970: "index-net", - 2971: "netclip", - 2972: "pmsm-webrctl", - 2973: "svnetworks", - 2974: "signal", - 2975: "fjmpcm", - 2976: "cns-srv-port", - 2977: "ttc-etap-ns", - 2978: "ttc-etap-ds", - 2979: "h263-video", - 2980: "wimd", - 2981: "mylxamport", - 2982: "iwb-whiteboard", - 2983: "netplan", - 2984: "hpidsadmin", - 2985: "hpidsagent", - 2986: "stonefalls", - 2987: "identify", - 2988: "hippad", - 2989: "zarkov", - 2990: "boscap", - 2991: "wkstn-mon", - 2992: "avenyo", - 2993: "veritas-vis1", - 2994: "veritas-vis2", - 2995: "idrs", - 2996: "vsixml", - 2997: "rebol", - 2998: "realsecure", - 2999: "remoteware-un", - 3000: "hbci", - 3001: "origo-native", - 3002: "exlm-agent", - 3003: "cgms", - 3004: "csoftragent", - 3005: "geniuslm", - 3006: "ii-admin", - 3007: "lotusmtap", - 3008: "midnight-tech", - 3009: "pxc-ntfy", - 3010: "gw", - 3011: "trusted-web", - 3012: "twsdss", - 3013: "gilatskysurfer", - 3014: "broker-service", - 3015: "nati-dstp", - 3016: "notify-srvr", - 3017: "event-listener", - 3018: "srvc-registry", - 3019: "resource-mgr", - 3020: "cifs", - 3021: "agriserver", - 3022: "csregagent", - 3023: "magicnotes", - 3024: "nds-sso", - 3025: "arepa-raft", - 3026: "agri-gateway", - 3027: "LiebDevMgmt-C", - 3028: "LiebDevMgmt-DM", - 3029: "LiebDevMgmt-A", - 3030: "arepa-cas", - 3031: "eppc", - 3032: "redwood-chat", - 3033: "pdb", - 3034: "osmosis-aeea", - 3035: "fjsv-gssagt", - 3036: "hagel-dump", - 3037: "hp-san-mgmt", - 3038: "santak-ups", - 3039: "cogitate", - 3040: "tomato-springs", - 3041: "di-traceware", - 3042: "journee", - 3043: "brp", - 3044: "epp", - 3045: "responsenet", - 3046: "di-ase", - 3047: "hlserver", - 3048: "pctrader", - 3049: "nsws", - 3050: "gds-db", - 3051: "galaxy-server", - 3052: "apc-3052", - 3053: "dsom-server", - 3054: "amt-cnf-prot", - 3055: "policyserver", - 3056: "cdl-server", - 3057: "goahead-fldup", - 3058: "videobeans", - 3059: "qsoft", - 3060: "interserver", - 3061: "cautcpd", - 3062: "ncacn-ip-tcp", - 3063: "ncadg-ip-udp", - 3064: "rprt", - 3065: "slinterbase", - 3066: "netattachsdmp", - 3067: "fjhpjp", - 3068: "ls3bcast", - 3069: "ls3", - 3070: "mgxswitch", - 3071: "csd-mgmt-port", - 3072: "csd-monitor", - 3073: "vcrp", - 3074: "xbox", - 3075: "orbix-locator", - 3076: "orbix-config", - 3077: "orbix-loc-ssl", - 3078: "orbix-cfg-ssl", - 3079: "lv-frontpanel", - 3080: "stm-pproc", - 3081: "tl1-lv", - 3082: "tl1-raw", - 3083: "tl1-telnet", - 3084: "itm-mccs", - 3085: "pcihreq", - 3086: "jdl-dbkitchen", - 3087: "asoki-sma", - 3088: "xdtp", - 3089: "ptk-alink", - 3090: "stss", - 3091: "1ci-smcs", - 3093: "rapidmq-center", - 3094: "rapidmq-reg", - 3095: "panasas", - 3096: "ndl-aps", - 3098: "umm-port", - 3099: "chmd", - 3100: "opcon-xps", - 3101: "hp-pxpib", - 3102: "slslavemon", - 3103: "autocuesmi", - 3104: "autocuelog", - 3105: "cardbox", - 3106: "cardbox-http", - 3107: "business", - 3108: "geolocate", - 3109: "personnel", - 3110: "sim-control", - 3111: "wsynch", - 3112: "ksysguard", - 3113: "cs-auth-svr", - 3114: "ccmad", - 3115: "mctet-master", - 3116: "mctet-gateway", - 3117: "mctet-jserv", - 3118: "pkagent", - 3119: "d2000kernel", - 3120: "d2000webserver", - 3121: "pcmk-remote", - 3122: "vtr-emulator", - 3123: "edix", - 3124: "beacon-port", - 3125: "a13-an", - 3127: "ctx-bridge", - 3128: "ndl-aas", - 3129: "netport-id", - 3130: "icpv2", - 3131: "netbookmark", - 3132: "ms-rule-engine", - 3133: "prism-deploy", - 3134: "ecp", - 3135: "peerbook-port", - 3136: "grubd", - 3137: "rtnt-1", - 3138: "rtnt-2", - 3139: "incognitorv", - 3140: "ariliamulti", - 3141: "vmodem", - 3142: "rdc-wh-eos", - 3143: "seaview", - 3144: "tarantella", - 3145: "csi-lfap", - 3146: "bears-02", - 3147: "rfio", - 3148: "nm-game-admin", - 3149: "nm-game-server", - 3150: "nm-asses-admin", - 3151: "nm-assessor", - 3152: "feitianrockey", - 3153: "s8-client-port", - 3154: "ccmrmi", - 3155: "jpegmpeg", - 3156: "indura", - 3157: "e3consultants", - 3158: "stvp", - 3159: "navegaweb-port", - 3160: "tip-app-server", - 3161: "doc1lm", - 3162: "sflm", - 3163: "res-sap", - 3164: "imprs", - 3165: "newgenpay", - 3166: "sossecollector", - 3167: "nowcontact", - 3168: "poweronnud", - 3169: "serverview-as", - 3170: "serverview-asn", - 3171: "serverview-gf", - 3172: "serverview-rm", - 3173: "serverview-icc", - 3174: "armi-server", - 3175: "t1-e1-over-ip", - 3176: "ars-master", - 3177: "phonex-port", - 3178: "radclientport", - 3179: "h2gf-w-2m", - 3180: "mc-brk-srv", - 3181: "bmcpatrolagent", - 3182: "bmcpatrolrnvu", - 3183: "cops-tls", - 3184: "apogeex-port", - 3185: "smpppd", - 3186: "iiw-port", - 3187: "odi-port", - 3188: "brcm-comm-port", - 3189: "pcle-infex", - 3190: "csvr-proxy", - 3191: "csvr-sslproxy", - 3192: "firemonrcc", - 3193: "spandataport", - 3194: "magbind", - 3195: "ncu-1", - 3196: "ncu-2", - 3197: "embrace-dp-s", - 3198: "embrace-dp-c", - 3199: "dmod-workspace", - 3200: "tick-port", - 3201: "cpq-tasksmart", - 3202: "intraintra", - 3203: "netwatcher-mon", - 3204: "netwatcher-db", - 3205: "isns", - 3206: "ironmail", - 3207: "vx-auth-port", - 3208: "pfu-prcallback", - 3209: "netwkpathengine", - 3210: "flamenco-proxy", - 3211: "avsecuremgmt", - 3212: "surveyinst", - 3213: "neon24x7", - 3214: "jmq-daemon-1", - 3215: "jmq-daemon-2", - 3216: "ferrari-foam", - 3217: "unite", - 3218: "smartpackets", - 3219: "wms-messenger", - 3220: "xnm-ssl", - 3221: "xnm-clear-text", - 3222: "glbp", - 3223: "digivote", - 3224: "aes-discovery", - 3225: "fcip-port", - 3226: "isi-irp", - 3227: "dwnmshttp", - 3228: "dwmsgserver", - 3229: "global-cd-port", - 3230: "sftdst-port", - 3231: "vidigo", - 3232: "mdtp", - 3233: "whisker", - 3234: "alchemy", - 3235: "mdap-port", - 3236: "apparenet-ts", - 3237: "apparenet-tps", - 3238: "apparenet-as", - 3239: "apparenet-ui", - 3240: "triomotion", - 3241: "sysorb", - 3242: "sdp-id-port", - 3243: "timelot", - 3244: "onesaf", - 3245: "vieo-fe", - 3246: "dvt-system", - 3247: "dvt-data", - 3248: "procos-lm", - 3249: "ssp", - 3250: "hicp", - 3251: "sysscanner", - 3252: "dhe", - 3253: "pda-data", - 3254: "pda-sys", - 3255: "semaphore", - 3256: "cpqrpm-agent", - 3257: "cpqrpm-server", - 3258: "ivecon-port", - 3259: "epncdp2", - 3260: "iscsi-target", - 3261: "winshadow", - 3262: "necp", - 3263: "ecolor-imager", - 3264: "ccmail", - 3265: "altav-tunnel", - 3266: "ns-cfg-server", - 3267: "ibm-dial-out", - 3268: "msft-gc", - 3269: "msft-gc-ssl", - 3270: "verismart", - 3271: "csoft-prev", - 3272: "user-manager", - 3273: "sxmp", - 3274: "ordinox-server", - 3275: "samd", - 3276: "maxim-asics", - 3277: "awg-proxy", - 3278: "lkcmserver", - 3279: "admind", - 3280: "vs-server", - 3281: "sysopt", - 3282: "datusorb", - 3283: "Apple Remote Desktop (Net Assistant)", - 3284: "4talk", - 3285: "plato", - 3286: "e-net", - 3287: "directvdata", - 3288: "cops", - 3289: "enpc", - 3290: "caps-lm", - 3291: "sah-lm", - 3292: "cart-o-rama", - 3293: "fg-fps", - 3294: "fg-gip", - 3295: "dyniplookup", - 3296: "rib-slm", - 3297: "cytel-lm", - 3298: "deskview", - 3299: "pdrncs", - 3302: "mcs-fastmail", - 3303: "opsession-clnt", - 3304: "opsession-srvr", - 3305: "odette-ftp", - 3306: "mysql", - 3307: "opsession-prxy", - 3308: "tns-server", - 3309: "tns-adv", - 3310: "dyna-access", - 3311: "mcns-tel-ret", - 3312: "appman-server", - 3313: "uorb", - 3314: "uohost", - 3315: "cdid", - 3316: "aicc-cmi", - 3317: "vsaiport", - 3318: "ssrip", - 3319: "sdt-lmd", - 3320: "officelink2000", - 3321: "vnsstr", - 3326: "sftu", - 3327: "bbars", - 3328: "egptlm", - 3329: "hp-device-disc", - 3330: "mcs-calypsoicf", - 3331: "mcs-messaging", - 3332: "mcs-mailsvr", - 3333: "dec-notes", - 3334: "directv-web", - 3335: "directv-soft", - 3336: "directv-tick", - 3337: "directv-catlg", - 3338: "anet-b", - 3339: "anet-l", - 3340: "anet-m", - 3341: "anet-h", - 3342: "webtie", - 3343: "ms-cluster-net", - 3344: "bnt-manager", - 3345: "influence", - 3346: "trnsprntproxy", - 3347: "phoenix-rpc", - 3348: "pangolin-laser", - 3349: "chevinservices", - 3350: "findviatv", - 3351: "btrieve", - 3352: "ssql", - 3353: "fatpipe", - 3354: "suitjd", - 3355: "ordinox-dbase", - 3356: "upnotifyps", - 3357: "adtech-test", - 3358: "mpsysrmsvr", - 3359: "wg-netforce", - 3360: "kv-server", - 3361: "kv-agent", - 3362: "dj-ilm", - 3363: "nati-vi-server", - 3364: "creativeserver", - 3365: "contentserver", - 3366: "creativepartnr", - 3372: "tip2", - 3373: "lavenir-lm", - 3374: "cluster-disc", - 3375: "vsnm-agent", - 3376: "cdbroker", - 3377: "cogsys-lm", - 3378: "wsicopy", - 3379: "socorfs", - 3380: "sns-channels", - 3381: "geneous", - 3382: "fujitsu-neat", - 3383: "esp-lm", - 3384: "hp-clic", - 3385: "qnxnetman", - 3386: "gprs-data", - 3387: "backroomnet", - 3388: "cbserver", - 3389: "ms-wbt-server", - 3390: "dsc", - 3391: "savant", - 3392: "efi-lm", - 3393: "d2k-tapestry1", - 3394: "d2k-tapestry2", - 3395: "dyna-lm", - 3396: "printer-agent", - 3397: "cloanto-lm", - 3398: "mercantile", - 3399: "csms", - 3400: "csms2", - 3401: "filecast", - 3402: "fxaengine-net", - 3405: "nokia-ann-ch1", - 3406: "nokia-ann-ch2", - 3407: "ldap-admin", - 3408: "BESApi", - 3409: "networklens", - 3410: "networklenss", - 3411: "biolink-auth", - 3412: "xmlblaster", - 3413: "svnet", - 3414: "wip-port", - 3415: "bcinameservice", - 3416: "commandport", - 3417: "csvr", - 3418: "rnmap", - 3419: "softaudit", - 3420: "ifcp-port", - 3421: "bmap", - 3422: "rusb-sys-port", - 3423: "xtrm", - 3424: "xtrms", - 3425: "agps-port", - 3426: "arkivio", - 3427: "websphere-snmp", - 3428: "twcss", - 3429: "gcsp", - 3430: "ssdispatch", - 3431: "ndl-als", - 3432: "osdcp", - 3433: "opnet-smp", - 3434: "opencm", - 3435: "pacom", - 3436: "gc-config", - 3437: "autocueds", - 3438: "spiral-admin", - 3439: "hri-port", - 3440: "ans-console", - 3441: "connect-client", - 3442: "connect-server", - 3443: "ov-nnm-websrv", - 3444: "denali-server", - 3445: "monp", - 3446: "3comfaxrpc", - 3447: "directnet", - 3448: "dnc-port", - 3449: "hotu-chat", - 3450: "castorproxy", - 3451: "asam", - 3452: "sabp-signal", - 3453: "pscupd", - 3454: "mira", - 3455: "prsvp", - 3456: "vat", - 3457: "vat-control", - 3458: "d3winosfi", - 3459: "integral", - 3460: "edm-manager", - 3461: "edm-stager", - 3462: "edm-std-notify", - 3463: "edm-adm-notify", - 3464: "edm-mgr-sync", - 3465: "edm-mgr-cntrl", - 3466: "workflow", - 3467: "rcst", - 3468: "ttcmremotectrl", - 3469: "pluribus", - 3470: "jt400", - 3471: "jt400-ssl", - 3472: "jaugsremotec-1", - 3473: "jaugsremotec-2", - 3474: "ttntspauto", - 3475: "genisar-port", - 3476: "nppmp", - 3477: "ecomm", - 3478: "stun", - 3479: "twrpc", - 3480: "plethora", - 3481: "cleanerliverc", - 3482: "vulture", - 3483: "slim-devices", - 3484: "gbs-stp", - 3485: "celatalk", - 3486: "ifsf-hb-port", - 3487: "ltctcp", - 3488: "fs-rh-srv", - 3489: "dtp-dia", - 3490: "colubris", - 3491: "swr-port", - 3492: "tvdumtray-port", - 3493: "nut", - 3494: "ibm3494", - 3495: "seclayer-tcp", - 3496: "seclayer-tls", - 3497: "ipether232port", - 3498: "dashpas-port", - 3499: "sccip-media", - 3500: "rtmp-port", - 3501: "isoft-p2p", - 3502: "avinstalldisc", - 3503: "lsp-ping", - 3504: "ironstorm", - 3505: "ccmcomm", - 3506: "apc-3506", - 3507: "nesh-broker", - 3508: "interactionweb", - 3509: "vt-ssl", - 3510: "xss-port", - 3511: "webmail-2", - 3512: "aztec", - 3513: "arcpd", - 3514: "must-p2p", - 3515: "must-backplane", - 3516: "smartcard-port", - 3517: "802-11-iapp", - 3518: "artifact-msg", - 3519: "nvmsgd", - 3520: "galileolog", - 3521: "mc3ss", - 3522: "nssocketport", - 3523: "odeumservlink", - 3524: "ecmport", - 3525: "eisport", - 3526: "starquiz-port", - 3527: "beserver-msg-q", - 3528: "jboss-iiop", - 3529: "jboss-iiop-ssl", - 3530: "gf", - 3531: "joltid", - 3532: "raven-rmp", - 3533: "raven-rdp", - 3534: "urld-port", - 3535: "ms-la", - 3536: "snac", - 3537: "ni-visa-remote", - 3538: "ibm-diradm", - 3539: "ibm-diradm-ssl", - 3540: "pnrp-port", - 3541: "voispeed-port", - 3542: "hacl-monitor", - 3543: "qftest-lookup", - 3544: "teredo", - 3545: "camac", - 3547: "symantec-sim", - 3548: "interworld", - 3549: "tellumat-nms", - 3550: "ssmpp", - 3551: "apcupsd", - 3552: "taserver", - 3553: "rbr-discovery", - 3554: "questnotify", - 3555: "razor", - 3556: "sky-transport", - 3557: "personalos-001", - 3558: "mcp-port", - 3559: "cctv-port", - 3560: "iniserve-port", - 3561: "bmc-onekey", - 3562: "sdbproxy", - 3563: "watcomdebug", - 3564: "esimport", - 3565: "m2pa", - 3566: "quest-data-hub", - 3567: "enc-eps", - 3568: "enc-tunnel-sec", - 3569: "mbg-ctrl", - 3570: "mccwebsvr-port", - 3571: "megardsvr-port", - 3572: "megaregsvrport", - 3573: "tag-ups-1", - 3574: "dmaf-server", - 3575: "ccm-port", - 3576: "cmc-port", - 3577: "config-port", - 3578: "data-port", - 3579: "ttat3lb", - 3580: "nati-svrloc", - 3581: "kfxaclicensing", - 3582: "press", - 3583: "canex-watch", - 3584: "u-dbap", - 3585: "emprise-lls", - 3586: "emprise-lsc", - 3587: "p2pgroup", - 3588: "sentinel", - 3589: "isomair", - 3590: "wv-csp-sms", - 3591: "gtrack-server", - 3592: "gtrack-ne", - 3593: "bpmd", - 3594: "mediaspace", - 3595: "shareapp", - 3596: "iw-mmogame", - 3597: "a14", - 3598: "a15", - 3599: "quasar-server", - 3600: "trap-daemon", - 3601: "visinet-gui", - 3602: "infiniswitchcl", - 3603: "int-rcv-cntrl", - 3604: "bmc-jmx-port", - 3605: "comcam-io", - 3606: "splitlock", - 3607: "precise-i3", - 3608: "trendchip-dcp", - 3609: "cpdi-pidas-cm", - 3610: "echonet", - 3611: "six-degrees", - 3612: "hp-dataprotect", - 3613: "alaris-disc", - 3614: "sigma-port", - 3615: "start-network", - 3616: "cd3o-protocol", - 3617: "sharp-server", - 3618: "aairnet-1", - 3619: "aairnet-2", - 3620: "ep-pcp", - 3621: "ep-nsp", - 3622: "ff-lr-port", - 3623: "haipe-discover", - 3624: "dist-upgrade", - 3625: "volley", - 3626: "bvcdaemon-port", - 3627: "jamserverport", - 3628: "ept-machine", - 3629: "escvpnet", - 3630: "cs-remote-db", - 3631: "cs-services", - 3632: "distcc", - 3633: "wacp", - 3634: "hlibmgr", - 3635: "sdo", - 3636: "servistaitsm", - 3637: "scservp", - 3638: "ehp-backup", - 3639: "xap-ha", - 3640: "netplay-port1", - 3641: "netplay-port2", - 3642: "juxml-port", - 3643: "audiojuggler", - 3644: "ssowatch", - 3645: "cyc", - 3646: "xss-srv-port", - 3647: "splitlock-gw", - 3648: "fjcp", - 3649: "nmmp", - 3650: "prismiq-plugin", - 3651: "xrpc-registry", - 3652: "vxcrnbuport", - 3653: "tsp", - 3654: "vaprtm", - 3655: "abatemgr", - 3656: "abatjss", - 3657: "immedianet-bcn", - 3658: "ps-ams", - 3659: "apple-sasl", - 3660: "can-nds-ssl", - 3661: "can-ferret-ssl", - 3662: "pserver", - 3663: "dtp", - 3664: "ups-engine", - 3665: "ent-engine", - 3666: "eserver-pap", - 3667: "infoexch", - 3668: "dell-rm-port", - 3669: "casanswmgmt", - 3670: "smile", - 3671: "efcp", - 3672: "lispworks-orb", - 3673: "mediavault-gui", - 3674: "wininstall-ipc", - 3675: "calltrax", - 3676: "va-pacbase", - 3677: "roverlog", - 3678: "ipr-dglt", - 3679: "Escale (Newton Dock)", - 3680: "npds-tracker", - 3681: "bts-x73", - 3682: "cas-mapi", - 3683: "bmc-ea", - 3684: "faxstfx-port", - 3685: "dsx-agent", - 3686: "tnmpv2", - 3687: "simple-push", - 3688: "simple-push-s", - 3689: "daap", - 3690: "svn", - 3691: "magaya-network", - 3692: "intelsync", - 3695: "bmc-data-coll", - 3696: "telnetcpcd", - 3697: "nw-license", - 3698: "sagectlpanel", - 3699: "kpn-icw", - 3700: "lrs-paging", - 3701: "netcelera", - 3702: "ws-discovery", - 3703: "adobeserver-3", - 3704: "adobeserver-4", - 3705: "adobeserver-5", - 3706: "rt-event", - 3707: "rt-event-s", - 3708: "sun-as-iiops", - 3709: "ca-idms", - 3710: "portgate-auth", - 3711: "edb-server2", - 3712: "sentinel-ent", - 3713: "tftps", - 3714: "delos-dms", - 3715: "anoto-rendezv", - 3716: "wv-csp-sms-cir", - 3717: "wv-csp-udp-cir", - 3718: "opus-services", - 3719: "itelserverport", - 3720: "ufastro-instr", - 3721: "xsync", - 3722: "xserveraid", - 3723: "sychrond", - 3724: "blizwow", - 3725: "na-er-tip", - 3726: "array-manager", - 3727: "e-mdu", - 3728: "e-woa", - 3729: "fksp-audit", - 3730: "client-ctrl", - 3731: "smap", - 3732: "m-wnn", - 3733: "multip-msg", - 3734: "synel-data", - 3735: "pwdis", - 3736: "rs-rmi", - 3737: "xpanel", - 3738: "versatalk", - 3739: "launchbird-lm", - 3740: "heartbeat", - 3741: "wysdma", - 3742: "cst-port", - 3743: "ipcs-command", - 3744: "sasg", - 3745: "gw-call-port", - 3746: "linktest", - 3747: "linktest-s", - 3748: "webdata", - 3749: "cimtrak", - 3750: "cbos-ip-port", - 3751: "gprs-cube", - 3752: "vipremoteagent", - 3753: "nattyserver", - 3754: "timestenbroker", - 3755: "sas-remote-hlp", - 3756: "canon-capt", - 3757: "grf-port", - 3758: "apw-registry", - 3759: "exapt-lmgr", - 3760: "adtempusclient", - 3761: "gsakmp", - 3762: "gbs-smp", - 3763: "xo-wave", - 3764: "mni-prot-rout", - 3765: "rtraceroute", - 3766: "sitewatch-s", - 3767: "listmgr-port", - 3768: "rblcheckd", - 3769: "haipe-otnk", - 3770: "cindycollab", - 3771: "paging-port", - 3772: "ctp", - 3773: "ctdhercules", - 3774: "zicom", - 3775: "ispmmgr", - 3776: "dvcprov-port", - 3777: "jibe-eb", - 3778: "c-h-it-port", - 3779: "cognima", - 3780: "nnp", - 3781: "abcvoice-port", - 3782: "iso-tp0s", - 3783: "bim-pem", - 3784: "bfd-control", - 3785: "bfd-echo", - 3786: "upstriggervsw", - 3787: "fintrx", - 3788: "isrp-port", - 3789: "remotedeploy", - 3790: "quickbooksrds", - 3791: "tvnetworkvideo", - 3792: "sitewatch", - 3793: "dcsoftware", - 3794: "jaus", - 3795: "myblast", - 3796: "spw-dialer", - 3797: "idps", - 3798: "minilock", - 3799: "radius-dynauth", - 3800: "pwgpsi", - 3801: "ibm-mgr", - 3802: "vhd", - 3803: "soniqsync", - 3804: "iqnet-port", - 3805: "tcpdataserver", - 3806: "wsmlb", - 3807: "spugna", - 3808: "sun-as-iiops-ca", - 3809: "apocd", - 3810: "wlanauth", - 3811: "amp", - 3812: "neto-wol-server", - 3813: "rap-ip", - 3814: "neto-dcs", - 3815: "lansurveyorxml", - 3816: "sunlps-http", - 3817: "tapeware", - 3818: "crinis-hb", - 3819: "epl-slp", - 3820: "scp", - 3821: "pmcp", - 3822: "acp-discovery", - 3823: "acp-conduit", - 3824: "acp-policy", - 3825: "ffserver", - 3826: "warmux", - 3827: "netmpi", - 3828: "neteh", - 3829: "neteh-ext", - 3830: "cernsysmgmtagt", - 3831: "dvapps", - 3832: "xxnetserver", - 3833: "aipn-auth", - 3834: "spectardata", - 3835: "spectardb", - 3836: "markem-dcp", - 3837: "mkm-discovery", - 3838: "sos", - 3839: "amx-rms", - 3840: "flirtmitmir", - 3841: "shiprush-db-svr", - 3842: "nhci", - 3843: "quest-agent", - 3844: "rnm", - 3845: "v-one-spp", - 3846: "an-pcp", - 3847: "msfw-control", - 3848: "item", - 3849: "spw-dnspreload", - 3850: "qtms-bootstrap", - 3851: "spectraport", - 3852: "sse-app-config", - 3853: "sscan", - 3854: "stryker-com", - 3855: "opentrac", - 3856: "informer", - 3857: "trap-port", - 3858: "trap-port-mom", - 3859: "nav-port", - 3860: "sasp", - 3861: "winshadow-hd", - 3862: "giga-pocket", - 3863: "asap-tcp", - 3864: "asap-tcp-tls", - 3865: "xpl", - 3866: "dzdaemon", - 3867: "dzoglserver", - 3868: "diameter", - 3869: "ovsam-mgmt", - 3870: "ovsam-d-agent", - 3871: "avocent-adsap", - 3872: "oem-agent", - 3873: "fagordnc", - 3874: "sixxsconfig", - 3875: "pnbscada", - 3876: "dl-agent", - 3877: "xmpcr-interface", - 3878: "fotogcad", - 3879: "appss-lm", - 3880: "igrs", - 3881: "idac", - 3882: "msdts1", - 3883: "vrpn", - 3884: "softrack-meter", - 3885: "topflow-ssl", - 3886: "nei-management", - 3887: "ciphire-data", - 3888: "ciphire-serv", - 3889: "dandv-tester", - 3890: "ndsconnect", - 3891: "rtc-pm-port", - 3892: "pcc-image-port", - 3893: "cgi-starapi", - 3894: "syam-agent", - 3895: "syam-smc", - 3896: "sdo-tls", - 3897: "sdo-ssh", - 3898: "senip", - 3899: "itv-control", - 3900: "udt-os", - 3901: "nimsh", - 3902: "nimaux", - 3903: "charsetmgr", - 3904: "omnilink-port", - 3905: "mupdate", - 3906: "topovista-data", - 3907: "imoguia-port", - 3908: "hppronetman", - 3909: "surfcontrolcpa", - 3910: "prnrequest", - 3911: "prnstatus", - 3912: "gbmt-stars", - 3913: "listcrt-port", - 3914: "listcrt-port-2", - 3915: "agcat", - 3916: "wysdmc", - 3917: "aftmux", - 3918: "pktcablemmcops", - 3919: "hyperip", - 3920: "exasoftport1", - 3921: "herodotus-net", - 3922: "sor-update", - 3923: "symb-sb-port", - 3924: "mpl-gprs-port", - 3925: "zmp", - 3926: "winport", - 3927: "natdataservice", - 3928: "netboot-pxe", - 3929: "smauth-port", - 3930: "syam-webserver", - 3931: "msr-plugin-port", - 3932: "dyn-site", - 3933: "plbserve-port", - 3934: "sunfm-port", - 3935: "sdp-portmapper", - 3936: "mailprox", - 3937: "dvbservdsc", - 3938: "dbcontrol-agent", - 3939: "aamp", - 3940: "xecp-node", - 3941: "homeportal-web", - 3942: "srdp", - 3943: "tig", - 3944: "sops", - 3945: "emcads", - 3946: "backupedge", - 3947: "ccp", - 3948: "apdap", - 3949: "drip", - 3950: "namemunge", - 3951: "pwgippfax", - 3952: "i3-sessionmgr", - 3953: "xmlink-connect", - 3954: "adrep", - 3955: "p2pcommunity", - 3956: "gvcp", - 3957: "mqe-broker", - 3958: "mqe-agent", - 3959: "treehopper", - 3960: "bess", - 3961: "proaxess", - 3962: "sbi-agent", - 3963: "thrp", - 3964: "sasggprs", - 3965: "ati-ip-to-ncpe", - 3966: "bflckmgr", - 3967: "ppsms", - 3968: "ianywhere-dbns", - 3969: "landmarks", - 3970: "lanrevagent", - 3971: "lanrevserver", - 3972: "iconp", - 3973: "progistics", - 3974: "citysearch", - 3975: "airshot", - 3976: "opswagent", - 3977: "opswmanager", - 3978: "secure-cfg-svr", - 3979: "smwan", - 3980: "acms", - 3981: "starfish", - 3982: "eis", - 3983: "eisp", - 3984: "mapper-nodemgr", - 3985: "mapper-mapethd", - 3986: "mapper-ws-ethd", - 3987: "centerline", - 3988: "dcs-config", - 3989: "bv-queryengine", - 3990: "bv-is", - 3991: "bv-smcsrv", - 3992: "bv-ds", - 3993: "bv-agent", - 3995: "iss-mgmt-ssl", - 3996: "abcsoftware", - 3997: "agentsease-db", - 3998: "dnx", - 3999: "nvcnet", - 4000: "terabase", - 4001: "newoak", - 4002: "pxc-spvr-ft", - 4003: "pxc-splr-ft", - 4004: "pxc-roid", - 4005: "pxc-pin", - 4006: "pxc-spvr", - 4007: "pxc-splr", - 4008: "netcheque", - 4009: "chimera-hwm", - 4010: "samsung-unidex", - 4011: "altserviceboot", - 4012: "pda-gate", - 4013: "acl-manager", - 4014: "taiclock", - 4015: "talarian-mcast1", - 4016: "talarian-mcast2", - 4017: "talarian-mcast3", - 4018: "talarian-mcast4", - 4019: "talarian-mcast5", - 4020: "trap", - 4021: "nexus-portal", - 4022: "dnox", - 4023: "esnm-zoning", - 4024: "tnp1-port", - 4025: "partimage", - 4026: "as-debug", - 4027: "bxp", - 4028: "dtserver-port", - 4029: "ip-qsig", - 4030: "jdmn-port", - 4031: "suucp", - 4032: "vrts-auth-port", - 4033: "sanavigator", - 4034: "ubxd", - 4035: "wap-push-http", - 4036: "wap-push-https", - 4037: "ravehd", - 4038: "fazzt-ptp", - 4039: "fazzt-admin", - 4040: "yo-main", - 4041: "houston", - 4042: "ldxp", - 4043: "nirp", - 4044: "ltp", - 4045: "npp", - 4046: "acp-proto", - 4047: "ctp-state", - 4049: "wafs", - 4050: "cisco-wafs", - 4051: "cppdp", - 4052: "interact", - 4053: "ccu-comm-1", - 4054: "ccu-comm-2", - 4055: "ccu-comm-3", - 4056: "lms", - 4057: "wfm", - 4058: "kingfisher", - 4059: "dlms-cosem", - 4060: "dsmeter-iatc", - 4061: "ice-location", - 4062: "ice-slocation", - 4063: "ice-router", - 4064: "ice-srouter", - 4065: "avanti-cdp", - 4066: "pmas", - 4067: "idp", - 4068: "ipfltbcst", - 4069: "minger", - 4070: "tripe", - 4071: "aibkup", - 4072: "zieto-sock", - 4073: "iRAPP", - 4074: "cequint-cityid", - 4075: "perimlan", - 4076: "seraph", - 4078: "cssp", - 4079: "santools", - 4080: "lorica-in", - 4081: "lorica-in-sec", - 4082: "lorica-out", - 4083: "lorica-out-sec", - 4085: "ezmessagesrv", - 4087: "applusservice", - 4088: "npsp", - 4089: "opencore", - 4090: "omasgport", - 4091: "ewinstaller", - 4092: "ewdgs", - 4093: "pvxpluscs", - 4094: "sysrqd", - 4095: "xtgui", - 4096: "bre", - 4097: "patrolview", - 4098: "drmsfsd", - 4099: "dpcp", - 4100: "igo-incognito", - 4101: "brlp-0", - 4102: "brlp-1", - 4103: "brlp-2", - 4104: "brlp-3", - 4105: "shofar", - 4106: "synchronite", - 4107: "j-ac", - 4108: "accel", - 4109: "izm", - 4110: "g2tag", - 4111: "xgrid", - 4112: "apple-vpns-rp", - 4113: "aipn-reg", - 4114: "jomamqmonitor", - 4115: "cds", - 4116: "smartcard-tls", - 4117: "hillrserv", - 4118: "netscript", - 4119: "assuria-slm", - 4121: "e-builder", - 4122: "fprams", - 4123: "z-wave", - 4124: "tigv2", - 4125: "opsview-envoy", - 4126: "ddrepl", - 4127: "unikeypro", - 4128: "nufw", - 4129: "nuauth", - 4130: "fronet", - 4131: "stars", - 4132: "nuts-dem", - 4133: "nuts-bootp", - 4134: "nifty-hmi", - 4135: "cl-db-attach", - 4136: "cl-db-request", - 4137: "cl-db-remote", - 4138: "nettest", - 4139: "thrtx", - 4140: "cedros-fds", - 4141: "oirtgsvc", - 4142: "oidocsvc", - 4143: "oidsr", - 4145: "vvr-control", - 4146: "tgcconnect", - 4147: "vrxpservman", - 4148: "hhb-handheld", - 4149: "agslb", - 4150: "PowerAlert-nsa", - 4151: "menandmice-noh", - 4152: "idig-mux", - 4153: "mbl-battd", - 4154: "atlinks", - 4155: "bzr", - 4156: "stat-results", - 4157: "stat-scanner", - 4158: "stat-cc", - 4159: "nss", - 4160: "jini-discovery", - 4161: "omscontact", - 4162: "omstopology", - 4163: "silverpeakpeer", - 4164: "silverpeakcomm", - 4165: "altcp", - 4166: "joost", - 4167: "ddgn", - 4168: "pslicser", - 4169: "iadt", - 4170: "d-cinema-csp", - 4171: "ml-svnet", - 4172: "pcoip", - 4174: "smcluster", - 4175: "bccp", - 4176: "tl-ipcproxy", - 4177: "wello", - 4178: "storman", - 4179: "MaxumSP", - 4180: "httpx", - 4181: "macbak", - 4182: "pcptcpservice", - 4183: "gmmp", - 4184: "universe-suite", - 4185: "wcpp", - 4186: "boxbackupstore", - 4187: "csc-proxy", - 4188: "vatata", - 4189: "pcep", - 4190: "sieve", - 4192: "azeti", - 4193: "pvxplusio", - 4199: "eims-admin", - 4300: "corelccam", - 4301: "d-data", - 4302: "d-data-control", - 4303: "srcp", - 4304: "owserver", - 4305: "batman", - 4306: "pinghgl", - 4307: "visicron-vs", - 4308: "compx-lockview", - 4309: "dserver", - 4310: "mirrtex", - 4311: "p6ssmc", - 4312: "pscl-mgt", - 4313: "perrla", - 4314: "choiceview-agt", - 4316: "choiceview-clt", - 4320: "fdt-rcatp", - 4321: "rwhois", - 4322: "trim-event", - 4323: "trim-ice", - 4324: "balour", - 4325: "geognosisman", - 4326: "geognosis", - 4327: "jaxer-web", - 4328: "jaxer-manager", - 4329: "publiqare-sync", - 4330: "dey-sapi", - 4331: "ktickets-rest", - 4333: "ahsp", - 4340: "gaia", - 4341: "lisp-data", - 4342: "lisp-cons", - 4343: "unicall", - 4344: "vinainstall", - 4345: "m4-network-as", - 4346: "elanlm", - 4347: "lansurveyor", - 4348: "itose", - 4349: "fsportmap", - 4350: "net-device", - 4351: "plcy-net-svcs", - 4352: "pjlink", - 4353: "f5-iquery", - 4354: "qsnet-trans", - 4355: "qsnet-workst", - 4356: "qsnet-assist", - 4357: "qsnet-cond", - 4358: "qsnet-nucl", - 4359: "omabcastltkm", - 4360: "matrix-vnet", - 4368: "wxbrief", - 4369: "epmd", - 4370: "elpro-tunnel", - 4371: "l2c-control", - 4372: "l2c-data", - 4373: "remctl", - 4374: "psi-ptt", - 4375: "tolteces", - 4376: "bip", - 4377: "cp-spxsvr", - 4378: "cp-spxdpy", - 4379: "ctdb", - 4389: "xandros-cms", - 4390: "wiegand", - 4391: "apwi-imserver", - 4392: "apwi-rxserver", - 4393: "apwi-rxspooler", - 4395: "omnivisionesx", - 4396: "fly", - 4400: "ds-srv", - 4401: "ds-srvr", - 4402: "ds-clnt", - 4403: "ds-user", - 4404: "ds-admin", - 4405: "ds-mail", - 4406: "ds-slp", - 4407: "nacagent", - 4408: "slscc", - 4409: "netcabinet-com", - 4410: "itwo-server", - 4411: "found", - 4425: "netrockey6", - 4426: "beacon-port-2", - 4427: "drizzle", - 4428: "omviserver", - 4429: "omviagent", - 4430: "rsqlserver", - 4431: "wspipe", - 4432: "l-acoustics", - 4433: "vop", - 4442: "saris", - 4443: "pharos", - 4444: "krb524", - 4445: "upnotifyp", - 4446: "n1-fwp", - 4447: "n1-rmgmt", - 4448: "asc-slmd", - 4449: "privatewire", - 4450: "camp", - 4451: "ctisystemmsg", - 4452: "ctiprogramload", - 4453: "nssalertmgr", - 4454: "nssagentmgr", - 4455: "prchat-user", - 4456: "prchat-server", - 4457: "prRegister", - 4458: "mcp", - 4484: "hpssmgmt", - 4485: "assyst-dr", - 4486: "icms", - 4487: "prex-tcp", - 4488: "awacs-ice", - 4500: "ipsec-nat-t", - 4535: "ehs", - 4536: "ehs-ssl", - 4537: "wssauthsvc", - 4538: "swx-gate", - 4545: "worldscores", - 4546: "sf-lm", - 4547: "lanner-lm", - 4548: "synchromesh", - 4549: "aegate", - 4550: "gds-adppiw-db", - 4551: "ieee-mih", - 4552: "menandmice-mon", - 4553: "icshostsvc", - 4554: "msfrs", - 4555: "rsip", - 4556: "dtn-bundle", - 4559: "hylafax", - 4563: "amahi-anywhere", - 4566: "kwtc", - 4567: "tram", - 4568: "bmc-reporting", - 4569: "iax", - 4570: "deploymentmap", - 4590: "rid", - 4591: "l3t-at-an", - 4593: "ipt-anri-anri", - 4594: "ias-session", - 4595: "ias-paging", - 4596: "ias-neighbor", - 4597: "a21-an-1xbs", - 4598: "a16-an-an", - 4599: "a17-an-an", - 4600: "piranha1", - 4601: "piranha2", - 4602: "mtsserver", - 4603: "menandmice-upg", - 4604: "irp", - 4658: "playsta2-app", - 4659: "playsta2-lob", - 4660: "smaclmgr", - 4661: "kar2ouche", - 4662: "oms", - 4663: "noteit", - 4664: "ems", - 4665: "contclientms", - 4666: "eportcomm", - 4667: "mmacomm", - 4668: "mmaeds", - 4669: "eportcommdata", - 4670: "light", - 4671: "acter", - 4672: "rfa", - 4673: "cxws", - 4674: "appiq-mgmt", - 4675: "dhct-status", - 4676: "dhct-alerts", - 4677: "bcs", - 4678: "traversal", - 4679: "mgesupervision", - 4680: "mgemanagement", - 4681: "parliant", - 4682: "finisar", - 4683: "spike", - 4684: "rfid-rp1", - 4685: "autopac", - 4686: "msp-os", - 4687: "nst", - 4688: "mobile-p2p", - 4689: "altovacentral", - 4690: "prelude", - 4691: "mtn", - 4692: "conspiracy", - 4700: "netxms-agent", - 4701: "netxms-mgmt", - 4702: "netxms-sync", - 4703: "npqes-test", - 4704: "assuria-ins", - 4725: "truckstar", - 4727: "fcis", - 4728: "capmux", - 4730: "gearman", - 4731: "remcap", - 4733: "resorcs", - 4737: "ipdr-sp", - 4738: "solera-lpn", - 4739: "ipfix", - 4740: "ipfixs", - 4741: "lumimgrd", - 4742: "sicct", - 4743: "openhpid", - 4744: "ifsp", - 4745: "fmp", - 4749: "profilemac", - 4750: "ssad", - 4751: "spocp", - 4752: "snap", - 4753: "simon", - 4784: "bfd-multi-ctl", - 4786: "smart-install", - 4787: "sia-ctrl-plane", - 4788: "xmcp", - 4800: "iims", - 4801: "iwec", - 4802: "ilss", - 4803: "notateit", - 4827: "htcp", - 4837: "varadero-0", - 4838: "varadero-1", - 4839: "varadero-2", - 4840: "opcua-tcp", - 4841: "quosa", - 4842: "gw-asv", - 4843: "opcua-tls", - 4844: "gw-log", - 4845: "wcr-remlib", - 4846: "contamac-icm", - 4847: "wfc", - 4848: "appserv-http", - 4849: "appserv-https", - 4850: "sun-as-nodeagt", - 4851: "derby-repli", - 4867: "unify-debug", - 4868: "phrelay", - 4869: "phrelaydbg", - 4870: "cc-tracking", - 4871: "wired", - 4876: "tritium-can", - 4877: "lmcs", - 4879: "wsdl-event", - 4880: "hislip", - 4883: "wmlserver", - 4884: "hivestor", - 4885: "abbs", - 4894: "lyskom", - 4899: "radmin-port", - 4900: "hfcs", - 4901: "flr-agent", - 4902: "magiccontrol", - 4912: "lutap", - 4913: "lutcp", - 4914: "bones", - 4915: "frcs", - 4940: "eq-office-4940", - 4941: "eq-office-4941", - 4942: "eq-office-4942", - 4949: "munin", - 4950: "sybasesrvmon", - 4951: "pwgwims", - 4952: "sagxtsds", - 4953: "dbsyncarbiter", - 4969: "ccss-qmm", - 4970: "ccss-qsm", - 4984: "webyast", - 4985: "gerhcs", - 4986: "mrip", - 4987: "smar-se-port1", - 4988: "smar-se-port2", - 4989: "parallel", - 4990: "busycal", - 4991: "vrt", - 4999: "hfcs-manager", - 5000: "commplex-main", - 5001: "commplex-link", - 5002: "rfe", - 5003: "fmpro-internal", - 5004: "avt-profile-1", - 5005: "avt-profile-2", - 5006: "wsm-server", - 5007: "wsm-server-ssl", - 5008: "synapsis-edge", - 5009: "winfs", - 5010: "telelpathstart", - 5011: "telelpathattack", - 5012: "nsp", - 5013: "fmpro-v6", - 5015: "fmwp", - 5020: "zenginkyo-1", - 5021: "zenginkyo-2", - 5022: "mice", - 5023: "htuilsrv", - 5024: "scpi-telnet", - 5025: "scpi-raw", - 5026: "strexec-d", - 5027: "strexec-s", - 5028: "qvr", - 5029: "infobright", - 5030: "surfpass", - 5032: "signacert-agent", - 5042: "asnaacceler8db", - 5043: "swxadmin", - 5044: "lxi-evntsvc", - 5045: "osp", - 5048: "texai", - 5049: "ivocalize", - 5050: "mmcc", - 5051: "ita-agent", - 5052: "ita-manager", - 5053: "rlm", - 5054: "rlm-admin", - 5055: "unot", - 5056: "intecom-ps1", - 5057: "intecom-ps2", - 5059: "sds", - 5060: "sip", - 5061: "sips", - 5062: "na-localise", - 5063: "csrpc", - 5064: "ca-1", - 5065: "ca-2", - 5066: "stanag-5066", - 5067: "authentx", - 5068: "bitforestsrv", - 5069: "i-net-2000-npr", - 5070: "vtsas", - 5071: "powerschool", - 5072: "ayiya", - 5073: "tag-pm", - 5074: "alesquery", - 5075: "pvaccess", - 5080: "onscreen", - 5081: "sdl-ets", - 5082: "qcp", - 5083: "qfp", - 5084: "llrp", - 5085: "encrypted-llrp", - 5086: "aprigo-cs", - 5087: "biotic", - 5093: "sentinel-lm", - 5094: "hart-ip", - 5099: "sentlm-srv2srv", - 5100: "socalia", - 5101: "talarian-tcp", - 5102: "oms-nonsecure", - 5103: "actifio-c2c", - 5106: "actifioudsagent", - 5111: "taep-as-svc", - 5112: "pm-cmdsvr", - 5114: "ev-services", - 5115: "autobuild", - 5117: "gradecam", - 5120: "barracuda-bbs", - 5133: "nbt-pc", - 5134: "ppactivation", - 5135: "erp-scale", - 5137: "ctsd", - 5145: "rmonitor-secure", - 5146: "social-alarm", - 5150: "atmp", - 5151: "esri-sde", - 5152: "sde-discovery", - 5153: "toruxserver", - 5154: "bzflag", - 5155: "asctrl-agent", - 5156: "rugameonline", - 5157: "mediat", - 5161: "snmpssh", - 5162: "snmpssh-trap", - 5163: "sbackup", - 5164: "vpa", - 5165: "ife-icorp", - 5166: "winpcs", - 5167: "scte104", - 5168: "scte30", - 5172: "pcoip-mgmt", - 5190: "aol", - 5191: "aol-1", - 5192: "aol-2", - 5193: "aol-3", - 5194: "cpscomm", - 5195: "ampl-lic", - 5196: "ampl-tableproxy", - 5200: "targus-getdata", - 5201: "targus-getdata1", - 5202: "targus-getdata2", - 5203: "targus-getdata3", - 5209: "nomad", - 5215: "noteza", - 5221: "3exmp", - 5222: "xmpp-client", - 5223: "hpvirtgrp", - 5224: "hpvirtctrl", - 5225: "hp-server", - 5226: "hp-status", - 5227: "perfd", - 5228: "hpvroom", - 5229: "jaxflow", - 5230: "jaxflow-data", - 5231: "crusecontrol", - 5232: "csedaemon", - 5233: "enfs", - 5234: "eenet", - 5235: "galaxy-network", - 5236: "padl2sim", - 5237: "mnet-discovery", - 5245: "downtools", - 5248: "caacws", - 5249: "caaclang2", - 5250: "soagateway", - 5251: "caevms", - 5252: "movaz-ssc", - 5253: "kpdp", - 5264: "3com-njack-1", - 5265: "3com-njack-2", - 5269: "xmpp-server", - 5270: "cartographerxmp", - 5271: "cuelink", - 5272: "pk", - 5280: "xmpp-bosh", - 5281: "undo-lm", - 5282: "transmit-port", - 5298: "presence", - 5299: "nlg-data", - 5300: "hacl-hb", - 5301: "hacl-gs", - 5302: "hacl-cfg", - 5303: "hacl-probe", - 5304: "hacl-local", - 5305: "hacl-test", - 5306: "sun-mc-grp", - 5307: "sco-aip", - 5308: "cfengine", - 5309: "jprinter", - 5310: "outlaws", - 5312: "permabit-cs", - 5313: "rrdp", - 5314: "opalis-rbt-ipc", - 5315: "hacl-poll", - 5316: "hpbladems", - 5317: "hpdevms", - 5318: "pkix-cmc", - 5320: "bsfserver-zn", - 5321: "bsfsvr-zn-ssl", - 5343: "kfserver", - 5344: "xkotodrcp", - 5349: "stuns", - 5352: "dns-llq", - 5353: "mdns", - 5354: "mdnsresponder", - 5355: "llmnr", - 5356: "ms-smlbiz", - 5357: "wsdapi", - 5358: "wsdapi-s", - 5359: "ms-alerter", - 5360: "ms-sideshow", - 5361: "ms-s-sideshow", - 5362: "serverwsd2", - 5363: "net-projection", - 5397: "stresstester", - 5398: "elektron-admin", - 5399: "securitychase", - 5400: "excerpt", - 5401: "excerpts", - 5402: "mftp", - 5403: "hpoms-ci-lstn", - 5404: "hpoms-dps-lstn", - 5405: "netsupport", - 5406: "systemics-sox", - 5407: "foresyte-clear", - 5408: "foresyte-sec", - 5409: "salient-dtasrv", - 5410: "salient-usrmgr", - 5411: "actnet", - 5412: "continuus", - 5413: "wwiotalk", - 5414: "statusd", - 5415: "ns-server", - 5416: "sns-gateway", - 5417: "sns-agent", - 5418: "mcntp", - 5419: "dj-ice", - 5420: "cylink-c", - 5421: "netsupport2", - 5422: "salient-mux", - 5423: "virtualuser", - 5424: "beyond-remote", - 5425: "br-channel", - 5426: "devbasic", - 5427: "sco-peer-tta", - 5428: "telaconsole", - 5429: "base", - 5430: "radec-corp", - 5431: "park-agent", - 5432: "postgresql", - 5433: "pyrrho", - 5434: "sgi-arrayd", - 5435: "sceanics", - 5443: "spss", - 5445: "smbdirect", - 5453: "surebox", - 5454: "apc-5454", - 5455: "apc-5455", - 5456: "apc-5456", - 5461: "silkmeter", - 5462: "ttl-publisher", - 5463: "ttlpriceproxy", - 5464: "quailnet", - 5465: "netops-broker", - 5500: "fcp-addr-srvr1", - 5501: "fcp-addr-srvr2", - 5502: "fcp-srvr-inst1", - 5503: "fcp-srvr-inst2", - 5504: "fcp-cics-gw1", - 5505: "checkoutdb", - 5506: "amc", - 5553: "sgi-eventmond", - 5554: "sgi-esphttp", - 5555: "personal-agent", - 5556: "freeciv", - 5557: "farenet", - 5566: "westec-connect", - 5567: "enc-eps-mc-sec", - 5568: "sdt", - 5569: "rdmnet-ctrl", - 5573: "sdmmp", - 5574: "lsi-bobcat", - 5575: "ora-oap", - 5579: "fdtracks", - 5580: "tmosms0", - 5581: "tmosms1", - 5582: "fac-restore", - 5583: "tmo-icon-sync", - 5584: "bis-web", - 5585: "bis-sync", - 5586: "att-mt-sms", - 5597: "ininmessaging", - 5598: "mctfeed", - 5599: "esinstall", - 5600: "esmmanager", - 5601: "esmagent", - 5602: "a1-msc", - 5603: "a1-bs", - 5604: "a3-sdunode", - 5605: "a4-sdunode", - 5618: "efr", - 5627: "ninaf", - 5628: "htrust", - 5629: "symantec-sfdb", - 5630: "precise-comm", - 5631: "pcanywheredata", - 5632: "pcanywherestat", - 5633: "beorl", - 5634: "xprtld", - 5635: "sfmsso", - 5636: "sfm-db-server", - 5637: "cssc", - 5638: "flcrs", - 5639: "ics", - 5646: "vfmobile", - 5670: "filemq", - 5671: "amqps", - 5672: "amqp", - 5673: "jms", - 5674: "hyperscsi-port", - 5675: "v5ua", - 5676: "raadmin", - 5677: "questdb2-lnchr", - 5678: "rrac", - 5679: "dccm", - 5680: "auriga-router", - 5681: "ncxcp", - 5688: "ggz", - 5689: "qmvideo", - 5693: "rbsystem", - 5696: "kmip", - 5713: "proshareaudio", - 5714: "prosharevideo", - 5715: "prosharedata", - 5716: "prosharerequest", - 5717: "prosharenotify", - 5718: "dpm", - 5719: "dpm-agent", - 5720: "ms-licensing", - 5721: "dtpt", - 5722: "msdfsr", - 5723: "omhs", - 5724: "omsdk", - 5725: "ms-ilm", - 5726: "ms-ilm-sts", - 5727: "asgenf", - 5728: "io-dist-data", - 5729: "openmail", - 5730: "unieng", - 5741: "ida-discover1", - 5742: "ida-discover2", - 5743: "watchdoc-pod", - 5744: "watchdoc", - 5745: "fcopy-server", - 5746: "fcopys-server", - 5747: "tunatic", - 5748: "tunalyzer", - 5750: "rscd", - 5755: "openmailg", - 5757: "x500ms", - 5766: "openmailns", - 5767: "s-openmail", - 5768: "openmailpxy", - 5769: "spramsca", - 5770: "spramsd", - 5771: "netagent", - 5777: "dali-port", - 5780: "vts-rpc", - 5781: "3par-evts", - 5782: "3par-mgmt", - 5783: "3par-mgmt-ssl", - 5785: "3par-rcopy", - 5793: "xtreamx", - 5813: "icmpd", - 5814: "spt-automation", - 5841: "shiprush-d-ch", - 5842: "reversion", - 5859: "wherehoo", - 5863: "ppsuitemsg", - 5868: "diameters", - 5883: "jute", - 5900: "rfb", - 5910: "cm", - 5911: "cpdlc", - 5912: "fis", - 5913: "ads-c", - 5963: "indy", - 5968: "mppolicy-v5", - 5969: "mppolicy-mgr", - 5984: "couchdb", - 5985: "wsman", - 5986: "wsmans", - 5987: "wbem-rmi", - 5988: "wbem-http", - 5989: "wbem-https", - 5990: "wbem-exp-https", - 5991: "nuxsl", - 5992: "consul-insight", - 5999: "cvsup", - 6064: "ndl-ahp-svc", - 6065: "winpharaoh", - 6066: "ewctsp", - 6068: "gsmp-ancp", - 6069: "trip", - 6070: "messageasap", - 6071: "ssdtp", - 6072: "diagnose-proc", - 6073: "directplay8", - 6074: "max", - 6075: "dpm-acm", - 6076: "msft-dpm-cert", - 6077: "iconstructsrv", - 6084: "reload-config", - 6085: "konspire2b", - 6086: "pdtp", - 6087: "ldss", - 6088: "doglms", - 6099: "raxa-mgmt", - 6100: "synchronet-db", - 6101: "synchronet-rtc", - 6102: "synchronet-upd", - 6103: "rets", - 6104: "dbdb", - 6105: "primaserver", - 6106: "mpsserver", - 6107: "etc-control", - 6108: "sercomm-scadmin", - 6109: "globecast-id", - 6110: "softcm", - 6111: "spc", - 6112: "dtspcd", - 6113: "dayliteserver", - 6114: "wrspice", - 6115: "xic", - 6116: "xtlserv", - 6117: "daylitetouch", - 6121: "spdy", - 6122: "bex-webadmin", - 6123: "backup-express", - 6124: "pnbs", - 6130: "damewaremobgtwy", - 6133: "nbt-wol", - 6140: "pulsonixnls", - 6141: "meta-corp", - 6142: "aspentec-lm", - 6143: "watershed-lm", - 6144: "statsci1-lm", - 6145: "statsci2-lm", - 6146: "lonewolf-lm", - 6147: "montage-lm", - 6148: "ricardo-lm", - 6149: "tal-pod", - 6159: "efb-aci", - 6160: "ecmp", - 6161: "patrol-ism", - 6162: "patrol-coll", - 6163: "pscribe", - 6200: "lm-x", - 6222: "radmind", - 6241: "jeol-nsdtp-1", - 6242: "jeol-nsdtp-2", - 6243: "jeol-nsdtp-3", - 6244: "jeol-nsdtp-4", - 6251: "tl1-raw-ssl", - 6252: "tl1-ssh", - 6253: "crip", - 6267: "gld", - 6268: "grid", - 6269: "grid-alt", - 6300: "bmc-grx", - 6301: "bmc-ctd-ldap", - 6306: "ufmp", - 6315: "scup", - 6316: "abb-escp", - 6317: "nav-data-cmd", - 6320: "repsvc", - 6321: "emp-server1", - 6322: "emp-server2", - 6324: "hrd-ncs", - 6325: "dt-mgmtsvc", - 6326: "dt-vra", - 6343: "sflow", - 6344: "streletz", - 6346: "gnutella-svc", - 6347: "gnutella-rtr", - 6350: "adap", - 6355: "pmcs", - 6360: "metaedit-mu", - 6370: "metaedit-se", - 6382: "metatude-mds", - 6389: "clariion-evr01", - 6390: "metaedit-ws", - 6417: "faxcomservice", - 6418: "syserverremote", - 6419: "svdrp", - 6420: "nim-vdrshell", - 6421: "nim-wan", - 6432: "pgbouncer", - 6442: "tarp", - 6443: "sun-sr-https", - 6444: "sge-qmaster", - 6445: "sge-execd", - 6446: "mysql-proxy", - 6455: "skip-cert-recv", - 6456: "skip-cert-send", - 6471: "lvision-lm", - 6480: "sun-sr-http", - 6481: "servicetags", - 6482: "ldoms-mgmt", - 6483: "SunVTS-RMI", - 6484: "sun-sr-jms", - 6485: "sun-sr-iiop", - 6486: "sun-sr-iiops", - 6487: "sun-sr-iiop-aut", - 6488: "sun-sr-jmx", - 6489: "sun-sr-admin", - 6500: "boks", - 6501: "boks-servc", - 6502: "boks-servm", - 6503: "boks-clntd", - 6505: "badm-priv", - 6506: "badm-pub", - 6507: "bdir-priv", - 6508: "bdir-pub", - 6509: "mgcs-mfp-port", - 6510: "mcer-port", - 6513: "netconf-tls", - 6514: "syslog-tls", - 6515: "elipse-rec", - 6543: "lds-distrib", - 6544: "lds-dump", - 6547: "apc-6547", - 6548: "apc-6548", - 6549: "apc-6549", - 6550: "fg-sysupdate", - 6551: "sum", - 6558: "xdsxdm", - 6566: "sane-port", - 6568: "canit-store", - 6579: "affiliate", - 6580: "parsec-master", - 6581: "parsec-peer", - 6582: "parsec-game", - 6583: "joaJewelSuite", - 6600: "mshvlm", - 6601: "mstmg-sstp", - 6602: "wsscomfrmwk", - 6619: "odette-ftps", - 6620: "kftp-data", - 6621: "kftp", - 6622: "mcftp", - 6623: "ktelnet", - 6624: "datascaler-db", - 6625: "datascaler-ctl", - 6626: "wago-service", - 6627: "nexgen", - 6628: "afesc-mc", - 6632: "mxodbc-connect", - 6640: "ovsdb", - 6653: "openflow", - 6655: "pcs-sf-ui-man", - 6656: "emgmsg", - 6670: "vocaltec-gold", - 6671: "p4p-portal", - 6672: "vision-server", - 6673: "vision-elmd", - 6678: "vfbp", - 6679: "osaut", - 6687: "clever-ctrace", - 6688: "clever-tcpip", - 6689: "tsa", - 6697: "ircs-u", - 6701: "kti-icad-srvr", - 6702: "e-design-net", - 6703: "e-design-web", - 6714: "ibprotocol", - 6715: "fibotrader-com", - 6716: "printercare-cc", - 6767: "bmc-perf-agent", - 6768: "bmc-perf-mgrd", - 6769: "adi-gxp-srvprt", - 6770: "plysrv-http", - 6771: "plysrv-https", - 6777: "ntz-tracker", - 6778: "ntz-p2p-storage", - 6785: "dgpf-exchg", - 6786: "smc-jmx", - 6787: "smc-admin", - 6788: "smc-http", - 6789: "smc-https", - 6790: "hnmp", - 6791: "hnm", - 6801: "acnet", - 6817: "pentbox-sim", - 6831: "ambit-lm", - 6841: "netmo-default", - 6842: "netmo-http", - 6850: "iccrushmore", - 6868: "acctopus-cc", - 6888: "muse", - 6901: "jetstream", - 6935: "ethoscan", - 6936: "xsmsvc", - 6946: "bioserver", - 6951: "otlp", - 6961: "jmact3", - 6962: "jmevt2", - 6963: "swismgr1", - 6964: "swismgr2", - 6965: "swistrap", - 6966: "swispol", - 6969: "acmsoda", - 6997: "MobilitySrv", - 6998: "iatp-highpri", - 6999: "iatp-normalpri", - 7000: "afs3-fileserver", - 7001: "afs3-callback", - 7002: "afs3-prserver", - 7003: "afs3-vlserver", - 7004: "afs3-kaserver", - 7005: "afs3-volser", - 7006: "afs3-errors", - 7007: "afs3-bos", - 7008: "afs3-update", - 7009: "afs3-rmtsys", - 7010: "ups-onlinet", - 7011: "talon-disc", - 7012: "talon-engine", - 7013: "microtalon-dis", - 7014: "microtalon-com", - 7015: "talon-webserver", - 7018: "fisa-svc", - 7019: "doceri-ctl", - 7020: "dpserve", - 7021: "dpserveadmin", - 7022: "ctdp", - 7023: "ct2nmcs", - 7024: "vmsvc", - 7025: "vmsvc-2", - 7030: "op-probe", - 7031: "iposplanet", - 7070: "arcp", - 7071: "iwg1", - 7073: "martalk", - 7080: "empowerid", - 7099: "lazy-ptop", - 7100: "font-service", - 7101: "elcn", - 7121: "virprot-lm", - 7128: "scenidm", - 7129: "scenccs", - 7161: "cabsm-comm", - 7162: "caistoragemgr", - 7163: "cacsambroker", - 7164: "fsr", - 7165: "doc-server", - 7166: "aruba-server", - 7167: "casrmagent", - 7168: "cnckadserver", - 7169: "ccag-pib", - 7170: "nsrp", - 7171: "drm-production", - 7172: "metalbend", - 7173: "zsecure", - 7174: "clutild", - 7200: "fodms", - 7201: "dlip", - 7227: "ramp", - 7228: "citrixupp", - 7229: "citrixuppg", - 7236: "display", - 7237: "pads", - 7262: "cnap", - 7272: "watchme-7272", - 7273: "oma-rlp", - 7274: "oma-rlp-s", - 7275: "oma-ulp", - 7276: "oma-ilp", - 7277: "oma-ilp-s", - 7278: "oma-dcdocbs", - 7279: "ctxlic", - 7280: "itactionserver1", - 7281: "itactionserver2", - 7282: "mzca-action", - 7283: "genstat", - 7365: "lcm-server", - 7391: "mindfilesys", - 7392: "mrssrendezvous", - 7393: "nfoldman", - 7394: "fse", - 7395: "winqedit", - 7397: "hexarc", - 7400: "rtps-discovery", - 7401: "rtps-dd-ut", - 7402: "rtps-dd-mt", - 7410: "ionixnetmon", - 7411: "daqstream", - 7421: "mtportmon", - 7426: "pmdmgr", - 7427: "oveadmgr", - 7428: "ovladmgr", - 7429: "opi-sock", - 7430: "xmpv7", - 7431: "pmd", - 7437: "faximum", - 7443: "oracleas-https", - 7471: "sttunnel", - 7473: "rise", - 7474: "neo4j", - 7491: "telops-lmd", - 7500: "silhouette", - 7501: "ovbus", - 7508: "adcp", - 7509: "acplt", - 7510: "ovhpas", - 7511: "pafec-lm", - 7542: "saratoga", - 7543: "atul", - 7544: "nta-ds", - 7545: "nta-us", - 7546: "cfs", - 7547: "cwmp", - 7548: "tidp", - 7549: "nls-tl", - 7560: "sncp", - 7563: "cfw", - 7566: "vsi-omega", - 7569: "dell-eql-asm", - 7570: "aries-kfinder", - 7574: "coherence", - 7588: "sun-lm", - 7624: "indi", - 7626: "simco", - 7627: "soap-http", - 7628: "zen-pawn", - 7629: "xdas", - 7630: "hawk", - 7631: "tesla-sys-msg", - 7633: "pmdfmgt", - 7648: "cuseeme", - 7672: "imqstomp", - 7673: "imqstomps", - 7674: "imqtunnels", - 7675: "imqtunnel", - 7676: "imqbrokerd", - 7677: "sun-user-https", - 7680: "pando-pub", - 7689: "collaber", - 7697: "klio", - 7700: "em7-secom", - 7707: "sync-em7", - 7708: "scinet", - 7720: "medimageportal", - 7724: "nsdeepfreezectl", - 7725: "nitrogen", - 7726: "freezexservice", - 7727: "trident-data", - 7734: "smip", - 7738: "aiagent", - 7741: "scriptview", - 7742: "msss", - 7743: "sstp-1", - 7744: "raqmon-pdu", - 7747: "prgp", - 7777: "cbt", - 7778: "interwise", - 7779: "vstat", - 7781: "accu-lmgr", - 7786: "minivend", - 7787: "popup-reminders", - 7789: "office-tools", - 7794: "q3ade", - 7797: "pnet-conn", - 7798: "pnet-enc", - 7799: "altbsdp", - 7800: "asr", - 7801: "ssp-client", - 7810: "rbt-wanopt", - 7845: "apc-7845", - 7846: "apc-7846", - 7847: "csoauth", - 7869: "mobileanalyzer", - 7870: "rbt-smc", - 7871: "mdm", - 7878: "owms", - 7880: "pss", - 7887: "ubroker", - 7900: "mevent", - 7901: "tnos-sp", - 7902: "tnos-dp", - 7903: "tnos-dps", - 7913: "qo-secure", - 7932: "t2-drm", - 7933: "t2-brm", - 7962: "generalsync", - 7967: "supercell", - 7979: "micromuse-ncps", - 7980: "quest-vista", - 7981: "sossd-collect", - 7982: "sossd-agent", - 7997: "pushns", - 7999: "irdmi2", - 8000: "irdmi", - 8001: "vcom-tunnel", - 8002: "teradataordbms", - 8003: "mcreport", - 8005: "mxi", - 8008: "http-alt", - 8019: "qbdb", - 8020: "intu-ec-svcdisc", - 8021: "intu-ec-client", - 8022: "oa-system", - 8025: "ca-audit-da", - 8026: "ca-audit-ds", - 8032: "pro-ed", - 8033: "mindprint", - 8034: "vantronix-mgmt", - 8040: "ampify", - 8042: "fs-agent", - 8043: "fs-server", - 8044: "fs-mgmt", - 8051: "rocrail", - 8052: "senomix01", - 8053: "senomix02", - 8054: "senomix03", - 8055: "senomix04", - 8056: "senomix05", - 8057: "senomix06", - 8058: "senomix07", - 8059: "senomix08", - 8066: "toad-bi-appsrvr", - 8074: "gadugadu", - 8080: "http-alt", - 8081: "sunproxyadmin", - 8082: "us-cli", - 8083: "us-srv", - 8086: "d-s-n", - 8087: "simplifymedia", - 8088: "radan-http", - 8091: "jamlink", - 8097: "sac", - 8100: "xprint-server", - 8101: "ldoms-migr", - 8102: "kz-migr", - 8115: "mtl8000-matrix", - 8116: "cp-cluster", - 8117: "purityrpc", - 8118: "privoxy", - 8121: "apollo-data", - 8122: "apollo-admin", - 8128: "paycash-online", - 8129: "paycash-wbp", - 8130: "indigo-vrmi", - 8131: "indigo-vbcp", - 8132: "dbabble", - 8148: "isdd", - 8153: "quantastor", - 8160: "patrol", - 8161: "patrol-snmp", - 8162: "lpar2rrd", - 8181: "intermapper", - 8182: "vmware-fdm", - 8183: "proremote", - 8184: "itach", - 8191: "limnerpressure", - 8192: "spytechphone", - 8194: "blp1", - 8195: "blp2", - 8199: "vvr-data", - 8200: "trivnet1", - 8201: "trivnet2", - 8204: "lm-perfworks", - 8205: "lm-instmgr", - 8206: "lm-dta", - 8207: "lm-sserver", - 8208: "lm-webwatcher", - 8230: "rexecj", - 8243: "synapse-nhttps", - 8276: "pando-sec", - 8280: "synapse-nhttp", - 8292: "blp3", - 8293: "hiperscan-id", - 8294: "blp4", - 8300: "tmi", - 8301: "amberon", - 8313: "hub-open-net", - 8320: "tnp-discover", - 8321: "tnp", - 8351: "server-find", - 8376: "cruise-enum", - 8377: "cruise-swroute", - 8378: "cruise-config", - 8379: "cruise-diags", - 8380: "cruise-update", - 8383: "m2mservices", - 8400: "cvd", - 8401: "sabarsd", - 8402: "abarsd", - 8403: "admind", - 8404: "svcloud", - 8405: "svbackup", - 8415: "dlpx-sp", - 8416: "espeech", - 8417: "espeech-rtp", - 8442: "cybro-a-bus", - 8443: "pcsync-https", - 8444: "pcsync-http", - 8445: "copy", - 8450: "npmp", - 8457: "nexentamv", - 8470: "cisco-avp", - 8471: "pim-port", - 8472: "otv", - 8473: "vp2p", - 8474: "noteshare", - 8500: "fmtp", - 8501: "cmtp-mgt", - 8502: "ftnmtp", - 8554: "rtsp-alt", - 8555: "d-fence", - 8567: "enc-tunnel", - 8600: "asterix", - 8610: "canon-mfnp", - 8611: "canon-bjnp1", - 8612: "canon-bjnp2", - 8613: "canon-bjnp3", - 8614: "canon-bjnp4", - 8615: "imink", - 8665: "monetra", - 8666: "monetra-admin", - 8675: "msi-cps-rm", - 8686: "sun-as-jmxrmi", - 8688: "openremote-ctrl", - 8699: "vnyx", - 8711: "nvc", - 8733: "ibus", - 8750: "dey-keyneg", - 8763: "mc-appserver", - 8764: "openqueue", - 8765: "ultraseek-http", - 8766: "amcs", - 8770: "dpap", - 8778: "uec", - 8786: "msgclnt", - 8787: "msgsrvr", - 8793: "acd-pm", - 8800: "sunwebadmin", - 8804: "truecm", - 8873: "dxspider", - 8880: "cddbp-alt", - 8881: "galaxy4d", - 8883: "secure-mqtt", - 8888: "ddi-tcp-1", - 8889: "ddi-tcp-2", - 8890: "ddi-tcp-3", - 8891: "ddi-tcp-4", - 8892: "ddi-tcp-5", - 8893: "ddi-tcp-6", - 8894: "ddi-tcp-7", - 8899: "ospf-lite", - 8900: "jmb-cds1", - 8901: "jmb-cds2", - 8910: "manyone-http", - 8911: "manyone-xml", - 8912: "wcbackup", - 8913: "dragonfly", - 8937: "twds", - 8953: "ub-dns-control", - 8954: "cumulus-admin", - 8989: "sunwebadmins", - 8990: "http-wmap", - 8991: "https-wmap", - 8998: "canto-roboflow", - 8999: "bctp", - 9000: "cslistener", - 9001: "etlservicemgr", - 9002: "dynamid", - 9008: "ogs-server", - 9009: "pichat", - 9010: "sdr", - 9020: "tambora", - 9021: "panagolin-ident", - 9022: "paragent", - 9023: "swa-1", - 9024: "swa-2", - 9025: "swa-3", - 9026: "swa-4", - 9050: "versiera", - 9051: "fio-cmgmt", - 9080: "glrpc", - 9083: "emc-pp-mgmtsvc", - 9084: "aurora", - 9085: "ibm-rsyscon", - 9086: "net2display", - 9087: "classic", - 9088: "sqlexec", - 9089: "sqlexec-ssl", - 9090: "websm", - 9091: "xmltec-xmlmail", - 9092: "XmlIpcRegSvc", - 9093: "copycat", - 9100: "hp-pdl-datastr", - 9101: "bacula-dir", - 9102: "bacula-fd", - 9103: "bacula-sd", - 9104: "peerwire", - 9105: "xadmin", - 9106: "astergate", - 9107: "astergatefax", - 9119: "mxit", - 9122: "grcmp", - 9123: "grcp", - 9131: "dddp", - 9160: "apani1", - 9161: "apani2", - 9162: "apani3", - 9163: "apani4", - 9164: "apani5", - 9191: "sun-as-jpda", - 9200: "wap-wsp", - 9201: "wap-wsp-wtp", - 9202: "wap-wsp-s", - 9203: "wap-wsp-wtp-s", - 9204: "wap-vcard", - 9205: "wap-vcal", - 9206: "wap-vcard-s", - 9207: "wap-vcal-s", - 9208: "rjcdb-vcards", - 9209: "almobile-system", - 9210: "oma-mlp", - 9211: "oma-mlp-s", - 9212: "serverviewdbms", - 9213: "serverstart", - 9214: "ipdcesgbs", - 9215: "insis", - 9216: "acme", - 9217: "fsc-port", - 9222: "teamcoherence", - 9255: "mon", - 9278: "pegasus", - 9279: "pegasus-ctl", - 9280: "pgps", - 9281: "swtp-port1", - 9282: "swtp-port2", - 9283: "callwaveiam", - 9284: "visd", - 9285: "n2h2server", - 9287: "cumulus", - 9292: "armtechdaemon", - 9293: "storview", - 9294: "armcenterhttp", - 9295: "armcenterhttps", - 9300: "vrace", - 9306: "sphinxql", - 9312: "sphinxapi", - 9318: "secure-ts", - 9321: "guibase", - 9343: "mpidcmgr", - 9344: "mphlpdmc", - 9346: "ctechlicensing", - 9374: "fjdmimgr", - 9380: "boxp", - 9387: "d2dconfig", - 9388: "d2ddatatrans", - 9389: "adws", - 9390: "otp", - 9396: "fjinvmgr", - 9397: "mpidcagt", - 9400: "sec-t4net-srv", - 9401: "sec-t4net-clt", - 9402: "sec-pc2fax-srv", - 9418: "git", - 9443: "tungsten-https", - 9444: "wso2esb-console", - 9445: "mindarray-ca", - 9450: "sntlkeyssrvr", - 9500: "ismserver", - 9535: "mngsuite", - 9536: "laes-bf", - 9555: "trispen-sra", - 9592: "ldgateway", - 9593: "cba8", - 9594: "msgsys", - 9595: "pds", - 9596: "mercury-disc", - 9597: "pd-admin", - 9598: "vscp", - 9599: "robix", - 9600: "micromuse-ncpw", - 9612: "streamcomm-ds", - 9614: "iadt-tls", - 9616: "erunbook-agent", - 9617: "erunbook-server", - 9618: "condor", - 9628: "odbcpathway", - 9629: "uniport", - 9630: "peoctlr", - 9631: "peocoll", - 9640: "pqsflows", - 9666: "zoomcp", - 9667: "xmms2", - 9668: "tec5-sdctp", - 9694: "client-wakeup", - 9695: "ccnx", - 9700: "board-roar", - 9747: "l5nas-parchan", - 9750: "board-voip", - 9753: "rasadv", - 9762: "tungsten-http", - 9800: "davsrc", - 9801: "sstp-2", - 9802: "davsrcs", - 9875: "sapv1", - 9876: "sd", - 9888: "cyborg-systems", - 9889: "gt-proxy", - 9898: "monkeycom", - 9900: "iua", - 9909: "domaintime", - 9911: "sype-transport", - 9925: "xybrid-cloud", - 9950: "apc-9950", - 9951: "apc-9951", - 9952: "apc-9952", - 9953: "acis", - 9954: "hinp", - 9955: "alljoyn-stm", - 9966: "odnsp", - 9978: "xybrid-rt", - 9987: "dsm-scm-target", - 9988: "nsesrvr", - 9990: "osm-appsrvr", - 9991: "osm-oev", - 9992: "palace-1", - 9993: "palace-2", - 9994: "palace-3", - 9995: "palace-4", - 9996: "palace-5", - 9997: "palace-6", - 9998: "distinct32", - 9999: "distinct", - 10000: "ndmp", - 10001: "scp-config", - 10002: "documentum", - 10003: "documentum-s", - 10004: "emcrmirccd", - 10005: "emcrmird", - 10006: "netapp-sync", - 10007: "mvs-capacity", - 10008: "octopus", - 10009: "swdtp-sv", - 10010: "rxapi", - 10050: "zabbix-agent", - 10051: "zabbix-trapper", - 10055: "qptlmd", - 10080: "amanda", - 10081: "famdc", - 10100: "itap-ddtp", - 10101: "ezmeeting-2", - 10102: "ezproxy-2", - 10103: "ezrelay", - 10104: "swdtp", - 10107: "bctp-server", - 10110: "nmea-0183", - 10113: "netiq-endpoint", - 10114: "netiq-qcheck", - 10115: "netiq-endpt", - 10116: "netiq-voipa", - 10117: "iqrm", - 10128: "bmc-perf-sd", - 10129: "bmc-gms", - 10160: "qb-db-server", - 10161: "snmptls", - 10162: "snmptls-trap", - 10200: "trisoap", - 10201: "rsms", - 10252: "apollo-relay", - 10260: "axis-wimp-port", - 10288: "blocks", - 10321: "cosir", - 10540: "MOS-lower", - 10541: "MOS-upper", - 10542: "MOS-aux", - 10543: "MOS-soap", - 10544: "MOS-soap-opt", - 10631: "printopia", - 10800: "gap", - 10805: "lpdg", - 10809: "nbd", - 10860: "helix", - 10880: "bveapi", - 10990: "rmiaux", - 11000: "irisa", - 11001: "metasys", - 11095: "weave", - 11103: "origo-sync", - 11104: "netapp-icmgmt", - 11105: "netapp-icdata", - 11106: "sgi-lk", - 11109: "sgi-dmfmgr", - 11110: "sgi-soap", - 11111: "vce", - 11112: "dicom", - 11161: "suncacao-snmp", - 11162: "suncacao-jmxmp", - 11163: "suncacao-rmi", - 11164: "suncacao-csa", - 11165: "suncacao-websvc", - 11172: "oemcacao-jmxmp", - 11173: "t5-straton", - 11174: "oemcacao-rmi", - 11175: "oemcacao-websvc", - 11201: "smsqp", - 11202: "dcsl-backup", - 11208: "wifree", - 11211: "memcache", - 11319: "imip", - 11320: "imip-channels", - 11321: "arena-server", - 11367: "atm-uhas", - 11371: "hkp", - 11489: "asgcypresstcps", - 11600: "tempest-port", - 11623: "emc-xsw-dconfig", - 11720: "h323callsigalt", - 11723: "emc-xsw-dcache", - 11751: "intrepid-ssl", - 11796: "lanschool", - 11876: "xoraya", - 11967: "sysinfo-sp", - 12000: "entextxid", - 12001: "entextnetwk", - 12002: "entexthigh", - 12003: "entextmed", - 12004: "entextlow", - 12005: "dbisamserver1", - 12006: "dbisamserver2", - 12007: "accuracer", - 12008: "accuracer-dbms", - 12010: "edbsrvr", - 12012: "vipera", - 12013: "vipera-ssl", - 12109: "rets-ssl", - 12121: "nupaper-ss", - 12168: "cawas", - 12172: "hivep", - 12300: "linogridengine", - 12302: "rads", - 12321: "warehouse-sss", - 12322: "warehouse", - 12345: "italk", - 12753: "tsaf", - 12865: "netperf", - 13160: "i-zipqd", - 13216: "bcslogc", - 13217: "rs-pias", - 13218: "emc-vcas-tcp", - 13223: "powwow-client", - 13224: "powwow-server", - 13400: "doip-data", - 13720: "bprd", - 13721: "bpdbm", - 13722: "bpjava-msvc", - 13724: "vnetd", - 13782: "bpcd", - 13783: "vopied", - 13785: "nbdb", - 13786: "nomdb", - 13818: "dsmcc-config", - 13819: "dsmcc-session", - 13820: "dsmcc-passthru", - 13821: "dsmcc-download", - 13822: "dsmcc-ccp", - 13823: "bmdss", - 13894: "ucontrol", - 13929: "dta-systems", - 13930: "medevolve", - 14000: "scotty-ft", - 14001: "sua", - 14033: "sage-best-com1", - 14034: "sage-best-com2", - 14141: "vcs-app", - 14142: "icpp", - 14145: "gcm-app", - 14149: "vrts-tdd", - 14150: "vcscmd", - 14154: "vad", - 14250: "cps", - 14414: "ca-web-update", - 14936: "hde-lcesrvr-1", - 14937: "hde-lcesrvr-2", - 15000: "hydap", - 15002: "onep-tls", - 15345: "xpilot", - 15363: "3link", - 15555: "cisco-snat", - 15660: "bex-xr", - 15740: "ptp", - 15999: "programmar", - 16000: "fmsas", - 16001: "fmsascon", - 16002: "gsms", - 16020: "jwpc", - 16021: "jwpc-bin", - 16161: "sun-sea-port", - 16162: "solaris-audit", - 16309: "etb4j", - 16310: "pduncs", - 16311: "pdefmns", - 16360: "netserialext1", - 16361: "netserialext2", - 16367: "netserialext3", - 16368: "netserialext4", - 16384: "connected", - 16619: "xoms", - 16900: "newbay-snc-mc", - 16950: "sgcip", - 16991: "intel-rci-mp", - 16992: "amt-soap-http", - 16993: "amt-soap-https", - 16994: "amt-redir-tcp", - 16995: "amt-redir-tls", - 17007: "isode-dua", - 17184: "vestasdlp", - 17185: "soundsvirtual", - 17219: "chipper", - 17220: "avtp", - 17221: "avdecc", - 17234: "integrius-stp", - 17235: "ssh-mgmt", - 17500: "db-lsp", - 17555: "ailith", - 17729: "ea", - 17754: "zep", - 17755: "zigbee-ip", - 17756: "zigbee-ips", - 17777: "sw-orion", - 18000: "biimenu", - 18104: "radpdf", - 18136: "racf", - 18181: "opsec-cvp", - 18182: "opsec-ufp", - 18183: "opsec-sam", - 18184: "opsec-lea", - 18185: "opsec-omi", - 18186: "ohsc", - 18187: "opsec-ela", - 18241: "checkpoint-rtm", - 18242: "iclid", - 18243: "clusterxl", - 18262: "gv-pf", - 18463: "ac-cluster", - 18634: "rds-ib", - 18635: "rds-ip", - 18769: "ique", - 18881: "infotos", - 18888: "apc-necmp", - 19000: "igrid", - 19007: "scintilla", - 19020: "j-link", - 19191: "opsec-uaa", - 19194: "ua-secureagent", - 19283: "keysrvr", - 19315: "keyshadow", - 19398: "mtrgtrans", - 19410: "hp-sco", - 19411: "hp-sca", - 19412: "hp-sessmon", - 19539: "fxuptp", - 19540: "sxuptp", - 19541: "jcp", - 19998: "iec-104-sec", - 19999: "dnp-sec", - 20000: "dnp", - 20001: "microsan", - 20002: "commtact-http", - 20003: "commtact-https", - 20005: "openwebnet", - 20013: "ss-idi", - 20014: "opendeploy", - 20034: "nburn-id", - 20046: "tmophl7mts", - 20048: "mountd", - 20049: "nfsrdma", - 20167: "tolfab", - 20202: "ipdtp-port", - 20222: "ipulse-ics", - 20480: "emwavemsg", - 20670: "track", - 20999: "athand-mmp", - 21000: "irtrans", - 21010: "notezilla-lan", - 21553: "rdm-tfs", - 21554: "dfserver", - 21590: "vofr-gateway", - 21800: "tvpm", - 21845: "webphone", - 21846: "netspeak-is", - 21847: "netspeak-cs", - 21848: "netspeak-acd", - 21849: "netspeak-cps", - 22000: "snapenetio", - 22001: "optocontrol", - 22002: "optohost002", - 22003: "optohost003", - 22004: "optohost004", - 22005: "optohost004", - 22125: "dcap", - 22128: "gsidcap", - 22222: "easyengine", - 22273: "wnn6", - 22305: "cis", - 22343: "cis-secure", - 22347: "wibukey", - 22350: "codemeter", - 22351: "codemeter-cmwan", - 22537: "caldsoft-backup", - 22555: "vocaltec-wconf", - 22763: "talikaserver", - 22800: "aws-brf", - 22951: "brf-gw", - 23000: "inovaport1", - 23001: "inovaport2", - 23002: "inovaport3", - 23003: "inovaport4", - 23004: "inovaport5", - 23005: "inovaport6", - 23053: "gntp", - 23333: "elxmgmt", - 23400: "novar-dbase", - 23401: "novar-alarm", - 23402: "novar-global", - 23456: "aequus", - 23457: "aequus-alt", - 23546: "areaguard-neo", - 24000: "med-ltp", - 24001: "med-fsp-rx", - 24002: "med-fsp-tx", - 24003: "med-supp", - 24004: "med-ovw", - 24005: "med-ci", - 24006: "med-net-svc", - 24242: "filesphere", - 24249: "vista-4gl", - 24321: "ild", - 24386: "intel-rci", - 24465: "tonidods", - 24554: "binkp", - 24577: "bilobit", - 24676: "canditv", - 24677: "flashfiler", - 24678: "proactivate", - 24680: "tcc-http", - 24754: "cslg", - 24922: "find", - 25000: "icl-twobase1", - 25001: "icl-twobase2", - 25002: "icl-twobase3", - 25003: "icl-twobase4", - 25004: "icl-twobase5", - 25005: "icl-twobase6", - 25006: "icl-twobase7", - 25007: "icl-twobase8", - 25008: "icl-twobase9", - 25009: "icl-twobase10", - 25576: "sauterdongle", - 25604: "idtp", - 25793: "vocaltec-hos", - 25900: "tasp-net", - 25901: "niobserver", - 25902: "nilinkanalyst", - 25903: "niprobe", - 26000: "quake", - 26133: "scscp", - 26208: "wnn6-ds", - 26260: "ezproxy", - 26261: "ezmeeting", - 26262: "k3software-svr", - 26263: "k3software-cli", - 26486: "exoline-tcp", - 26487: "exoconfig", - 26489: "exonet", - 27345: "imagepump", - 27442: "jesmsjc", - 27504: "kopek-httphead", - 27782: "ars-vista", - 27876: "astrolink", - 27999: "tw-auth-key", - 28000: "nxlmd", - 28001: "pqsp", - 28200: "voxelstorm", - 28240: "siemensgsm", - 29167: "otmp", - 29999: "bingbang", - 30000: "ndmps", - 30001: "pago-services1", - 30002: "pago-services2", - 30003: "amicon-fpsu-ra", - 30260: "kingdomsonline", - 30999: "ovobs", - 31020: "autotrac-acp", - 31400: "pace-licensed", - 31416: "xqosd", - 31457: "tetrinet", - 31620: "lm-mon", - 31685: "dsx-monitor", - 31765: "gamesmith-port", - 31948: "iceedcp-tx", - 31949: "iceedcp-rx", - 32034: "iracinghelper", - 32249: "t1distproc60", - 32483: "apm-link", - 32635: "sec-ntb-clnt", - 32636: "DMExpress", - 32767: "filenet-powsrm", - 32768: "filenet-tms", - 32769: "filenet-rpc", - 32770: "filenet-nch", - 32771: "filenet-rmi", - 32772: "filenet-pa", - 32773: "filenet-cm", - 32774: "filenet-re", - 32775: "filenet-pch", - 32776: "filenet-peior", - 32777: "filenet-obrok", - 32801: "mlsn", - 32811: "retp", - 32896: "idmgratm", - 33123: "aurora-balaena", - 33331: "diamondport", - 33333: "dgi-serv", - 33334: "speedtrace", - 33434: "traceroute", - 33656: "snip-slave", - 34249: "turbonote-2", - 34378: "p-net-local", - 34379: "p-net-remote", - 34567: "dhanalakshmi", - 34962: "profinet-rt", - 34963: "profinet-rtm", - 34964: "profinet-cm", - 34980: "ethercat", - 35000: "heathview", - 35001: "rt-viewer", - 35002: "rt-sound", - 35003: "rt-devicemapper", - 35004: "rt-classmanager", - 35005: "rt-labtracker", - 35006: "rt-helper", - 35354: "kitim", - 35355: "altova-lm", - 35356: "guttersnex", - 35357: "openstack-id", - 36001: "allpeers", - 36524: "febooti-aw", - 36602: "observium-agent", - 36865: "kastenxpipe", - 37475: "neckar", - 37483: "gdrive-sync", - 37654: "unisys-eportal", - 38000: "ivs-database", - 38001: "ivs-insertion", - 38201: "galaxy7-data", - 38202: "fairview", - 38203: "agpolicy", - 38800: "sruth", - 38865: "secrmmsafecopya", - 39681: "turbonote-1", - 40000: "safetynetp", - 40404: "sptx", - 40841: "cscp", - 40842: "csccredir", - 40843: "csccfirewall", - 41111: "fs-qos", - 41121: "tentacle", - 41794: "crestron-cip", - 41795: "crestron-ctp", - 41796: "crestron-cips", - 41797: "crestron-ctps", - 42508: "candp", - 42509: "candrp", - 42510: "caerpc", - 43000: "recvr-rc", - 43188: "reachout", - 43189: "ndm-agent-port", - 43190: "ip-provision", - 43191: "noit-transport", - 43210: "shaperai", - 43439: "eq3-update", - 43440: "ew-mgmt", - 43441: "ciscocsdb", - 44123: "z-wave-s", - 44321: "pmcd", - 44322: "pmcdproxy", - 44323: "pmwebapi", - 44444: "cognex-dataman", - 44553: "rbr-debug", - 44818: "EtherNet-IP-2", - 44900: "m3da", - 45000: "asmp", - 45001: "asmps", - 45045: "synctest", - 45054: "invision-ag", - 45678: "eba", - 45824: "dai-shell", - 45825: "qdb2service", - 45966: "ssr-servermgr", - 46998: "spremotetablet", - 46999: "mediabox", - 47000: "mbus", - 47001: "winrm", - 47557: "dbbrowse", - 47624: "directplaysrvr", - 47806: "ap", - 47808: "bacnet", - 48000: "nimcontroller", - 48001: "nimspooler", - 48002: "nimhub", - 48003: "nimgtw", - 48004: "nimbusdb", - 48005: "nimbusdbctrl", - 48049: "3gpp-cbsp", - 48050: "weandsf", - 48128: "isnetserv", - 48129: "blp5", - 48556: "com-bardac-dw", - 48619: "iqobject", - 48653: "robotraconteur", - 49000: "matahari"} - -IANA_PORTS_UDP = { - 1: "tcpmux", - 2: "compressnet", - 3: "compressnet", - 5: "rje", - 7: "echo", - 9: "discard", - 11: "systat", - 13: "daytime", - 17: "qotd", - 18: "msp", - 19: "chargen", - 20: "ftp-data", - 21: "ftp", - 22: "ssh", - 23: "telnet", - 25: "smtp", - 27: "nsw-fe", - 29: "msg-icp", - 31: "msg-auth", - 33: "dsp", - 37: "time", - 38: "rap", - 39: "rlp", - 41: "graphics", - 42: "name", - 43: "nicname", - 44: "mpm-flags", - 45: "mpm", - 46: "mpm-snd", - 47: "ni-ftp", - 48: "auditd", - 49: "tacacs", - 50: "re-mail-ck", - 52: "xns-time", - 53: "domain", - 54: "xns-ch", - 55: "isi-gl", - 56: "xns-auth", - 58: "xns-mail", - 61: "ni-mail", - 62: "acas", - 63: "whoispp", - 64: "covia", - 65: "tacacs-ds", - 66: "sql-net", - 67: "bootps", - 68: "bootpc", - 69: "tftp", - 70: "gopher", - 71: "netrjs-1", - 72: "netrjs-2", - 73: "netrjs-3", - 74: "netrjs-4", - 76: "deos", - 78: "vettcp", - 79: "finger", - 80: "http", - 82: "xfer", - 83: "mit-ml-dev", - 84: "ctf", - 85: "mit-ml-dev", - 86: "mfcobol", - 88: "kerberos", - 89: "su-mit-tg", - 90: "dnsix", - 91: "mit-dov", - 92: "npp", - 93: "dcp", - 94: "objcall", - 95: "supdup", - 96: "dixie", - 97: "swift-rvf", - 98: "tacnews", - 99: "metagram", - 101: "hostname", - 102: "iso-tsap", - 103: "gppitnp", - 104: "acr-nema", - 105: "cso", - 106: "3com-tsmux", - 107: "rtelnet", - 108: "snagas", - 109: "pop2", - 110: "pop3", - 111: "sunrpc", - 112: "mcidas", - 113: "auth", - 115: "sftp", - 116: "ansanotify", - 117: "uucp-path", - 118: "sqlserv", - 119: "nntp", - 120: "cfdptkt", - 121: "erpc", - 122: "smakynet", - 123: "ntp", - 124: "ansatrader", - 125: "locus-map", - 126: "nxedit", - 127: "locus-con", - 128: "gss-xlicen", - 129: "pwdgen", - 130: "cisco-fna", - 131: "cisco-tna", - 132: "cisco-sys", - 133: "statsrv", - 134: "ingres-net", - 135: "epmap", - 136: "profile", - 137: "netbios-ns", - 138: "netbios-dgm", - 139: "netbios-ssn", - 140: "emfis-data", - 141: "emfis-cntl", - 142: "bl-idm", - 143: "imap", - 144: "uma", - 145: "uaac", - 146: "iso-tp0", - 147: "iso-ip", - 148: "jargon", - 149: "aed-512", - 150: "sql-net", - 151: "hems", - 152: "bftp", - 153: "sgmp", - 154: "netsc-prod", - 155: "netsc-dev", - 156: "sqlsrv", - 157: "knet-cmp", - 158: "pcmail-srv", - 159: "nss-routing", - 160: "sgmp-traps", - 161: "snmp", - 162: "snmptrap", - 163: "cmip-man", - 164: "cmip-agent", - 165: "xns-courier", - 166: "s-net", - 167: "namp", - 168: "rsvd", - 169: "send", - 170: "print-srv", - 171: "multiplex", - 172: "cl-1", - 173: "xyplex-mux", - 174: "mailq", - 175: "vmnet", - 176: "genrad-mux", - 177: "xdmcp", - 178: "nextstep", - 179: "bgp", - 180: "ris", - 181: "unify", - 182: "audit", - 183: "ocbinder", - 184: "ocserver", - 185: "remote-kis", - 186: "kis", - 187: "aci", - 188: "mumps", - 189: "qft", - 190: "gacp", - 191: "prospero", - 192: "osu-nms", - 193: "srmp", - 194: "irc", - 195: "dn6-nlm-aud", - 196: "dn6-smm-red", - 197: "dls", - 198: "dls-mon", - 199: "smux", - 200: "src", - 201: "at-rtmp", - 202: "at-nbp", - 203: "at-3", - 204: "at-echo", - 205: "at-5", - 206: "at-zis", - 207: "at-7", - 208: "at-8", - 209: "qmtp", - 210: "z39-50", - 211: "914c-g", - 212: "anet", - 213: "ipx", - 214: "vmpwscs", - 215: "softpc", - 216: "CAIlic", - 217: "dbase", - 218: "mpp", - 219: "uarps", - 220: "imap3", - 221: "fln-spx", - 222: "rsh-spx", - 223: "cdc", - 224: "masqdialer", - 242: "direct", - 243: "sur-meas", - 244: "inbusiness", - 245: "link", - 246: "dsp3270", - 247: "subntbcst-tftp", - 248: "bhfhs", - 256: "rap", - 257: "set", - 259: "esro-gen", - 260: "openport", - 261: "nsiiops", - 262: "arcisdms", - 263: "hdap", - 264: "bgmp", - 265: "x-bone-ctl", - 266: "sst", - 267: "td-service", - 268: "td-replica", - 269: "manet", - 270: "gist", - 280: "http-mgmt", - 281: "personal-link", - 282: "cableport-ax", - 283: "rescap", - 284: "corerjd", - 286: "fxp", - 287: "k-block", - 308: "novastorbakcup", - 309: "entrusttime", - 310: "bhmds", - 311: "asip-webadmin", - 312: "vslmp", - 313: "magenta-logic", - 314: "opalis-robot", - 315: "dpsi", - 316: "decauth", - 317: "zannet", - 318: "pkix-timestamp", - 319: "ptp-event", - 320: "ptp-general", - 321: "pip", - 322: "rtsps", - 333: "texar", - 344: "pdap", - 345: "pawserv", - 346: "zserv", - 347: "fatserv", - 348: "csi-sgwp", - 349: "mftp", - 350: "matip-type-a", - 351: "matip-type-b", - 352: "dtag-ste-sb", - 353: "ndsauth", - 354: "bh611", - 355: "datex-asn", - 356: "cloanto-net-1", - 357: "bhevent", - 358: "shrinkwrap", - 359: "nsrmp", - 360: "scoi2odialog", - 361: "semantix", - 362: "srssend", - 363: "rsvp-tunnel", - 364: "aurora-cmgr", - 365: "dtk", - 366: "odmr", - 367: "mortgageware", - 368: "qbikgdp", - 369: "rpc2portmap", - 370: "codaauth2", - 371: "clearcase", - 372: "ulistproc", - 373: "legent-1", - 374: "legent-2", - 375: "hassle", - 376: "nip", - 377: "tnETOS", - 378: "dsETOS", - 379: "is99c", - 380: "is99s", - 381: "hp-collector", - 382: "hp-managed-node", - 383: "hp-alarm-mgr", - 384: "arns", - 385: "ibm-app", - 386: "asa", - 387: "aurp", - 388: "unidata-ldm", - 389: "ldap", - 390: "uis", - 391: "synotics-relay", - 392: "synotics-broker", - 393: "meta5", - 394: "embl-ndt", - 395: "netcp", - 396: "netware-ip", - 397: "mptn", - 398: "kryptolan", - 399: "iso-tsap-c2", - 400: "osb-sd", - 401: "ups", - 402: "genie", - 403: "decap", - 404: "nced", - 405: "ncld", - 406: "imsp", - 407: "timbuktu", - 408: "prm-sm", - 409: "prm-nm", - 410: "decladebug", - 411: "rmt", - 412: "synoptics-trap", - 413: "smsp", - 414: "infoseek", - 415: "bnet", - 416: "silverplatter", - 417: "onmux", - 418: "hyper-g", - 419: "ariel1", - 420: "smpte", - 421: "ariel2", - 422: "ariel3", - 423: "opc-job-start", - 424: "opc-job-track", - 425: "icad-el", - 426: "smartsdp", - 427: "svrloc", - 428: "ocs-cmu", - 429: "ocs-amu", - 430: "utmpsd", - 431: "utmpcd", - 432: "iasd", - 433: "nnsp", - 434: "mobileip-agent", - 435: "mobilip-mn", - 436: "dna-cml", - 437: "comscm", - 438: "dsfgw", - 439: "dasp", - 440: "sgcp", - 441: "decvms-sysmgt", - 442: "cvc-hostd", - 443: "https", - 444: "snpp", - 445: "microsoft-ds", - 446: "ddm-rdb", - 447: "ddm-dfm", - 448: "ddm-ssl", - 449: "as-servermap", - 450: "tserver", - 451: "sfs-smp-net", - 452: "sfs-config", - 453: "creativeserver", - 454: "contentserver", - 455: "creativepartnr", - 456: "macon-udp", - 457: "scohelp", - 458: "appleqtc", - 459: "ampr-rcmd", - 460: "skronk", - 461: "datasurfsrv", - 462: "datasurfsrvsec", - 463: "alpes", - 464: "kpasswd", - 465: "igmpv3lite", - 466: "digital-vrc", - 467: "mylex-mapd", - 468: "photuris", - 469: "rcp", - 470: "scx-proxy", - 471: "mondex", - 472: "ljk-login", - 473: "hybrid-pop", - 474: "tn-tl-w2", - 475: "tcpnethaspsrv", - 476: "tn-tl-fd1", - 477: "ss7ns", - 478: "spsc", - 479: "iafserver", - 480: "iafdbase", - 481: "ph", - 482: "bgs-nsi", - 483: "ulpnet", - 484: "integra-sme", - 485: "powerburst", - 486: "avian", - 487: "saft", - 488: "gss-http", - 489: "nest-protocol", - 490: "micom-pfs", - 491: "go-login", - 492: "ticf-1", - 493: "ticf-2", - 494: "pov-ray", - 495: "intecourier", - 496: "pim-rp-disc", - 497: "retrospect", - 498: "siam", - 499: "iso-ill", - 500: "isakmp", - 501: "stmf", - 502: "mbap", - 503: "intrinsa", - 504: "citadel", - 505: "mailbox-lm", - 506: "ohimsrv", - 507: "crs", - 508: "xvttp", - 509: "snare", - 510: "fcp", - 511: "passgo", - 512: "comsat", - 513: "who", - 514: "syslog", - 515: "printer", - 516: "videotex", - 517: "talk", - 518: "ntalk", - 519: "utime", - 520: "router", - 521: "ripng", - 522: "ulp", - 523: "ibm-db2", - 524: "ncp", - 525: "timed", - 526: "tempo", - 527: "stx", - 528: "custix", - 529: "irc-serv", - 530: "courier", - 531: "conference", - 532: "netnews", - 533: "netwall", - 534: "windream", - 535: "iiop", - 536: "opalis-rdv", - 537: "nmsp", - 538: "gdomap", - 539: "apertus-ldp", - 540: "uucp", - 541: "uucp-rlogin", - 542: "commerce", - 543: "klogin", - 544: "kshell", - 545: "appleqtcsrvr", - 546: "dhcpv6-client", - 547: "dhcpv6-server", - 548: "afpovertcp", - 549: "idfp", - 550: "new-rwho", - 551: "cybercash", - 552: "devshr-nts", - 553: "pirp", - 554: "rtsp", - 555: "dsf", - 556: "remotefs", - 557: "openvms-sysipc", - 558: "sdnskmp", - 559: "teedtap", - 560: "rmonitor", - 561: "monitor", - 562: "chshell", - 563: "nntps", - 564: "9pfs", - 565: "whoami", - 566: "streettalk", - 567: "banyan-rpc", - 568: "ms-shuttle", - 569: "ms-rome", - 570: "meter", - 571: "meter", - 572: "sonar", - 573: "banyan-vip", - 574: "ftp-agent", - 575: "vemmi", - 576: "ipcd", - 577: "vnas", - 578: "ipdd", - 579: "decbsrv", - 580: "sntp-heartbeat", - 581: "bdp", - 582: "scc-security", - 583: "philips-vc", - 584: "keyserver", - 586: "password-chg", - 587: "submission", - 588: "cal", - 589: "eyelink", - 590: "tns-cml", - 591: "http-alt", - 592: "eudora-set", - 593: "http-rpc-epmap", - 594: "tpip", - 595: "cab-protocol", - 596: "smsd", - 597: "ptcnameservice", - 598: "sco-websrvrmg3", - 599: "acp", - 600: "ipcserver", - 601: "syslog-conn", - 602: "xmlrpc-beep", - 603: "idxp", - 604: "tunnel", - 605: "soap-beep", - 606: "urm", - 607: "nqs", - 608: "sift-uft", - 609: "npmp-trap", - 610: "npmp-local", - 611: "npmp-gui", - 612: "hmmp-ind", - 613: "hmmp-op", - 614: "sshell", - 615: "sco-inetmgr", - 616: "sco-sysmgr", - 617: "sco-dtmgr", - 618: "dei-icda", - 619: "compaq-evm", - 620: "sco-websrvrmgr", - 621: "escp-ip", - 622: "collaborator", - 623: "asf-rmcp", - 624: "cryptoadmin", - 625: "dec-dlm", - 626: "asia", - 627: "passgo-tivoli", - 628: "qmqp", - 629: "3com-amp3", - 630: "rda", - 631: "ipp", - 632: "bmpp", - 633: "servstat", - 634: "ginad", - 635: "rlzdbase", - 636: "ldaps", - 637: "lanserver", - 638: "mcns-sec", - 639: "msdp", - 640: "entrust-sps", - 641: "repcmd", - 642: "esro-emsdp", - 643: "sanity", - 644: "dwr", - 645: "pssc", - 646: "ldp", - 647: "dhcp-failover", - 648: "rrp", - 649: "cadview-3d", - 650: "obex", - 651: "ieee-mms", - 652: "hello-port", - 653: "repscmd", - 654: "aodv", - 655: "tinc", - 656: "spmp", - 657: "rmc", - 658: "tenfold", - 660: "mac-srvr-admin", - 661: "hap", - 662: "pftp", - 663: "purenoise", - 664: "asf-secure-rmcp", - 665: "sun-dr", - 666: "mdqs", - 667: "disclose", - 668: "mecomm", - 669: "meregister", - 670: "vacdsm-sws", - 671: "vacdsm-app", - 672: "vpps-qua", - 673: "cimplex", - 674: "acap", - 675: "dctp", - 676: "vpps-via", - 677: "vpp", - 678: "ggf-ncp", - 679: "mrm", - 680: "entrust-aaas", - 681: "entrust-aams", - 682: "xfr", - 683: "corba-iiop", - 684: "corba-iiop-ssl", - 685: "mdc-portmapper", - 686: "hcp-wismar", - 687: "asipregistry", - 688: "realm-rusd", - 689: "nmap", - 690: "vatp", - 691: "msexch-routing", - 692: "hyperwave-isp", - 693: "connendp", - 694: "ha-cluster", - 695: "ieee-mms-ssl", - 696: "rushd", - 697: "uuidgen", - 698: "olsr", - 699: "accessnetwork", - 700: "epp", - 701: "lmp", - 702: "iris-beep", - 704: "elcsd", - 705: "agentx", - 706: "silc", - 707: "borland-dsj", - 709: "entrust-kmsh", - 710: "entrust-ash", - 711: "cisco-tdp", - 712: "tbrpf", - 713: "iris-xpc", - 714: "iris-xpcs", - 715: "iris-lwz", - 716: "pana", - 729: "netviewdm1", - 730: "netviewdm2", - 731: "netviewdm3", - 741: "netgw", - 742: "netrcs", - 744: "flexlm", - 747: "fujitsu-dev", - 748: "ris-cm", - 749: "kerberos-adm", - 750: "loadav", - 751: "pump", - 752: "qrh", - 753: "rrh", - 754: "tell", - 758: "nlogin", - 759: "con", - 760: "ns", - 761: "rxe", - 762: "quotad", - 763: "cycleserv", - 764: "omserv", - 765: "webster", - 767: "phonebook", - 769: "vid", - 770: "cadlock", - 771: "rtip", - 772: "cycleserv2", - 773: "notify", - 774: "acmaint-dbd", - 775: "acmaint-transd", - 776: "wpages", - 777: "multiling-http", - 780: "wpgs", - 800: "mdbs-daemon", - 801: "device", - 802: "mbap-s", - 810: "fcp-udp", - 828: "itm-mcell-s", - 829: "pkix-3-ca-ra", - 830: "netconf-ssh", - 831: "netconf-beep", - 832: "netconfsoaphttp", - 833: "netconfsoapbeep", - 847: "dhcp-failover2", - 848: "gdoi", - 860: "iscsi", - 861: "owamp-control", - 862: "twamp-control", - 873: "rsync", - 886: "iclcnet-locate", - 887: "iclcnet-svinfo", - 888: "accessbuilder", - 900: "omginitialrefs", - 901: "smpnameres", - 902: "ideafarm-door", - 903: "ideafarm-panic", - 910: "kink", - 911: "xact-backup", - 912: "apex-mesh", - 913: "apex-edge", - 989: "ftps-data", - 990: "ftps", - 991: "nas", - 992: "telnets", - 993: "imaps", - 995: "pop3s", - 996: "vsinet", - 997: "maitrd", - 998: "puparp", - 999: "applix", - 1000: "cadlock2", - 1010: "surf", - 1021: "exp1", - 1022: "exp2", - 1025: "blackjack", - 1026: "cap", - 1027: "6a44", - 1029: "solid-mux", - 1033: "netinfo-local", - 1034: "activesync", - 1035: "mxxrlogin", - 1036: "nsstp", - 1037: "ams", - 1038: "mtqp", - 1039: "sbl", - 1040: "netarx", - 1041: "danf-ak2", - 1042: "afrog", - 1043: "boinc-client", - 1044: "dcutility", - 1045: "fpitp", - 1046: "wfremotertm", - 1047: "neod1", - 1048: "neod2", - 1049: "td-postman", - 1050: "cma", - 1051: "optima-vnet", - 1052: "ddt", - 1053: "remote-as", - 1054: "brvread", - 1055: "ansyslmd", - 1056: "vfo", - 1057: "startron", - 1058: "nim", - 1059: "nimreg", - 1060: "polestar", - 1061: "kiosk", - 1062: "veracity", - 1063: "kyoceranetdev", - 1064: "jstel", - 1065: "syscomlan", - 1066: "fpo-fns", - 1067: "instl-boots", - 1068: "instl-bootc", - 1069: "cognex-insight", - 1070: "gmrupdateserv", - 1071: "bsquare-voip", - 1072: "cardax", - 1073: "bridgecontrol", - 1074: "warmspotMgmt", - 1075: "rdrmshc", - 1076: "dab-sti-c", - 1077: "imgames", - 1078: "avocent-proxy", - 1079: "asprovatalk", - 1080: "socks", - 1081: "pvuniwien", - 1082: "amt-esd-prot", - 1083: "ansoft-lm-1", - 1084: "ansoft-lm-2", - 1085: "webobjects", - 1086: "cplscrambler-lg", - 1087: "cplscrambler-in", - 1088: "cplscrambler-al", - 1089: "ff-annunc", - 1090: "ff-fms", - 1091: "ff-sm", - 1092: "obrpd", - 1093: "proofd", - 1094: "rootd", - 1095: "nicelink", - 1096: "cnrprotocol", - 1097: "sunclustermgr", - 1098: "rmiactivation", - 1099: "rmiregistry", - 1100: "mctp", - 1101: "pt2-discover", - 1102: "adobeserver-1", - 1103: "adobeserver-2", - 1104: "xrl", - 1105: "ftranhc", - 1106: "isoipsigport-1", - 1107: "isoipsigport-2", - 1108: "ratio-adp", - 1110: "nfsd-keepalive", - 1111: "lmsocialserver", - 1112: "icp", - 1113: "ltp-deepspace", - 1114: "mini-sql", - 1115: "ardus-trns", - 1116: "ardus-cntl", - 1117: "ardus-mtrns", - 1118: "sacred", - 1119: "bnetgame", - 1120: "bnetfile", - 1121: "rmpp", - 1122: "availant-mgr", - 1123: "murray", - 1124: "hpvmmcontrol", - 1125: "hpvmmagent", - 1126: "hpvmmdata", - 1127: "kwdb-commn", - 1128: "saphostctrl", - 1129: "saphostctrls", - 1130: "casp", - 1131: "caspssl", - 1132: "kvm-via-ip", - 1133: "dfn", - 1134: "aplx", - 1135: "omnivision", - 1136: "hhb-gateway", - 1137: "trim", - 1138: "encrypted-admin", - 1139: "evm", - 1140: "autonoc", - 1141: "mxomss", - 1142: "edtools", - 1143: "imyx", - 1144: "fuscript", - 1145: "x9-icue", - 1146: "audit-transfer", - 1147: "capioverlan", - 1148: "elfiq-repl", - 1149: "bvtsonar", - 1150: "blaze", - 1151: "unizensus", - 1152: "winpoplanmess", - 1153: "c1222-acse", - 1154: "resacommunity", - 1155: "nfa", - 1156: "iascontrol-oms", - 1157: "iascontrol", - 1158: "dbcontrol-oms", - 1159: "oracle-oms", - 1160: "olsv", - 1161: "health-polling", - 1162: "health-trap", - 1163: "sddp", - 1164: "qsm-proxy", - 1165: "qsm-gui", - 1166: "qsm-remote", - 1167: "cisco-ipsla", - 1168: "vchat", - 1169: "tripwire", - 1170: "atc-lm", - 1171: "atc-appserver", - 1172: "dnap", - 1173: "d-cinema-rrp", - 1174: "fnet-remote-ui", - 1175: "dossier", - 1176: "indigo-server", - 1177: "dkmessenger", - 1178: "sgi-storman", - 1179: "b2n", - 1180: "mc-client", - 1181: "3comnetman", - 1182: "accelenet-data", - 1183: "llsurfup-http", - 1184: "llsurfup-https", - 1185: "catchpole", - 1186: "mysql-cluster", - 1187: "alias", - 1188: "hp-webadmin", - 1189: "unet", - 1190: "commlinx-avl", - 1191: "gpfs", - 1192: "caids-sensor", - 1193: "fiveacross", - 1194: "openvpn", - 1195: "rsf-1", - 1196: "netmagic", - 1197: "carrius-rshell", - 1198: "cajo-discovery", - 1199: "dmidi", - 1200: "scol", - 1201: "nucleus-sand", - 1202: "caiccipc", - 1203: "ssslic-mgr", - 1204: "ssslog-mgr", - 1205: "accord-mgc", - 1206: "anthony-data", - 1207: "metasage", - 1208: "seagull-ais", - 1209: "ipcd3", - 1210: "eoss", - 1211: "groove-dpp", - 1212: "lupa", - 1213: "mpc-lifenet", - 1214: "kazaa", - 1215: "scanstat-1", - 1216: "etebac5", - 1217: "hpss-ndapi", - 1218: "aeroflight-ads", - 1219: "aeroflight-ret", - 1220: "qt-serveradmin", - 1221: "sweetware-apps", - 1222: "nerv", - 1223: "tgp", - 1224: "vpnz", - 1225: "slinkysearch", - 1226: "stgxfws", - 1227: "dns2go", - 1228: "florence", - 1229: "zented", - 1230: "periscope", - 1231: "menandmice-lpm", - 1232: "first-defense", - 1233: "univ-appserver", - 1234: "search-agent", - 1235: "mosaicsyssvc1", - 1236: "bvcontrol", - 1237: "tsdos390", - 1238: "hacl-qs", - 1239: "nmsd", - 1240: "instantia", - 1241: "nessus", - 1242: "nmasoverip", - 1243: "serialgateway", - 1244: "isbconference1", - 1245: "isbconference2", - 1246: "payrouter", - 1247: "visionpyramid", - 1248: "hermes", - 1249: "mesavistaco", - 1250: "swldy-sias", - 1251: "servergraph", - 1252: "bspne-pcc", - 1253: "q55-pcc", - 1254: "de-noc", - 1255: "de-cache-query", - 1256: "de-server", - 1257: "shockwave2", - 1258: "opennl", - 1259: "opennl-voice", - 1260: "ibm-ssd", - 1261: "mpshrsv", - 1262: "qnts-orb", - 1263: "dka", - 1264: "prat", - 1265: "dssiapi", - 1266: "dellpwrappks", - 1267: "epc", - 1268: "propel-msgsys", - 1269: "watilapp", - 1270: "opsmgr", - 1271: "excw", - 1272: "cspmlockmgr", - 1273: "emc-gateway", - 1274: "t1distproc", - 1275: "ivcollector", - 1277: "miva-mqs", - 1278: "dellwebadmin-1", - 1279: "dellwebadmin-2", - 1280: "pictrography", - 1281: "healthd", - 1282: "emperion", - 1283: "productinfo", - 1284: "iee-qfx", - 1285: "neoiface", - 1286: "netuitive", - 1287: "routematch", - 1288: "navbuddy", - 1289: "jwalkserver", - 1290: "winjaserver", - 1291: "seagulllms", - 1292: "dsdn", - 1293: "pkt-krb-ipsec", - 1294: "cmmdriver", - 1295: "ehtp", - 1296: "dproxy", - 1297: "sdproxy", - 1298: "lpcp", - 1299: "hp-sci", - 1300: "h323hostcallsc", - 1301: "ci3-software-1", - 1302: "ci3-software-2", - 1303: "sftsrv", - 1304: "boomerang", - 1305: "pe-mike", - 1306: "re-conn-proto", - 1307: "pacmand", - 1308: "odsi", - 1309: "jtag-server", - 1310: "husky", - 1311: "rxmon", - 1312: "sti-envision", - 1313: "bmc-patroldb", - 1314: "pdps", - 1315: "els", - 1316: "exbit-escp", - 1317: "vrts-ipcserver", - 1318: "krb5gatekeeper", - 1319: "amx-icsp", - 1320: "amx-axbnet", - 1321: "pip", - 1322: "novation", - 1323: "brcd", - 1324: "delta-mcp", - 1325: "dx-instrument", - 1326: "wimsic", - 1327: "ultrex", - 1328: "ewall", - 1329: "netdb-export", - 1330: "streetperfect", - 1331: "intersan", - 1332: "pcia-rxp-b", - 1333: "passwrd-policy", - 1334: "writesrv", - 1335: "digital-notary", - 1336: "ischat", - 1337: "menandmice-dns", - 1338: "wmc-log-svc", - 1339: "kjtsiteserver", - 1340: "naap", - 1341: "qubes", - 1342: "esbroker", - 1343: "re101", - 1344: "icap", - 1345: "vpjp", - 1346: "alta-ana-lm", - 1347: "bbn-mmc", - 1348: "bbn-mmx", - 1349: "sbook", - 1350: "editbench", - 1351: "equationbuilder", - 1352: "lotusnote", - 1353: "relief", - 1354: "XSIP-network", - 1355: "intuitive-edge", - 1356: "cuillamartin", - 1357: "pegboard", - 1358: "connlcli", - 1359: "ftsrv", - 1360: "mimer", - 1361: "linx", - 1362: "timeflies", - 1363: "ndm-requester", - 1364: "ndm-server", - 1365: "adapt-sna", - 1366: "netware-csp", - 1367: "dcs", - 1368: "screencast", - 1369: "gv-us", - 1370: "us-gv", - 1371: "fc-cli", - 1372: "fc-ser", - 1373: "chromagrafx", - 1374: "molly", - 1375: "bytex", - 1376: "ibm-pps", - 1377: "cichlid", - 1378: "elan", - 1379: "dbreporter", - 1380: "telesis-licman", - 1381: "apple-licman", - 1382: "udt-os", - 1383: "gwha", - 1384: "os-licman", - 1385: "atex-elmd", - 1386: "checksum", - 1387: "cadsi-lm", - 1388: "objective-dbc", - 1389: "iclpv-dm", - 1390: "iclpv-sc", - 1391: "iclpv-sas", - 1392: "iclpv-pm", - 1393: "iclpv-nls", - 1394: "iclpv-nlc", - 1395: "iclpv-wsm", - 1396: "dvl-activemail", - 1397: "audio-activmail", - 1398: "video-activmail", - 1399: "cadkey-licman", - 1400: "cadkey-tablet", - 1401: "goldleaf-licman", - 1402: "prm-sm-np", - 1403: "prm-nm-np", - 1404: "igi-lm", - 1405: "ibm-res", - 1406: "netlabs-lm", - 1407: "dbsa-lm", - 1408: "sophia-lm", - 1409: "here-lm", - 1410: "hiq", - 1411: "af", - 1412: "innosys", - 1413: "innosys-acl", - 1414: "ibm-mqseries", - 1415: "dbstar", - 1416: "novell-lu6-2", - 1417: "timbuktu-srv1", - 1418: "timbuktu-srv2", - 1419: "timbuktu-srv3", - 1420: "timbuktu-srv4", - 1421: "gandalf-lm", - 1422: "autodesk-lm", - 1423: "essbase", - 1424: "hybrid", - 1425: "zion-lm", - 1426: "sais", - 1427: "mloadd", - 1428: "informatik-lm", - 1429: "nms", - 1430: "tpdu", - 1431: "rgtp", - 1432: "blueberry-lm", - 1433: "ms-sql-s", - 1434: "ms-sql-m", - 1435: "ibm-cics", - 1436: "saism", - 1437: "tabula", - 1438: "eicon-server", - 1439: "eicon-x25", - 1440: "eicon-slp", - 1441: "cadis-1", - 1442: "cadis-2", - 1443: "ies-lm", - 1444: "marcam-lm", - 1445: "proxima-lm", - 1446: "ora-lm", - 1447: "apri-lm", - 1448: "oc-lm", - 1449: "peport", - 1450: "dwf", - 1451: "infoman", - 1452: "gtegsc-lm", - 1453: "genie-lm", - 1454: "interhdl-elmd", - 1455: "esl-lm", - 1456: "dca", - 1457: "valisys-lm", - 1458: "nrcabq-lm", - 1459: "proshare1", - 1460: "proshare2", - 1461: "ibm-wrless-lan", - 1462: "world-lm", - 1463: "nucleus", - 1464: "msl-lmd", - 1465: "pipes", - 1466: "oceansoft-lm", - 1467: "csdmbase", - 1468: "csdm", - 1469: "aal-lm", - 1470: "uaiact", - 1471: "csdmbase", - 1472: "csdm", - 1473: "openmath", - 1474: "telefinder", - 1475: "taligent-lm", - 1476: "clvm-cfg", - 1477: "ms-sna-server", - 1478: "ms-sna-base", - 1479: "dberegister", - 1480: "pacerforum", - 1481: "airs", - 1482: "miteksys-lm", - 1483: "afs", - 1484: "confluent", - 1485: "lansource", - 1486: "nms-topo-serv", - 1487: "localinfosrvr", - 1488: "docstor", - 1489: "dmdocbroker", - 1490: "insitu-conf", - 1492: "stone-design-1", - 1493: "netmap-lm", - 1494: "ica", - 1495: "cvc", - 1496: "liberty-lm", - 1497: "rfx-lm", - 1498: "sybase-sqlany", - 1499: "fhc", - 1500: "vlsi-lm", - 1501: "saiscm", - 1502: "shivadiscovery", - 1503: "imtc-mcs", - 1504: "evb-elm", - 1505: "funkproxy", - 1506: "utcd", - 1507: "symplex", - 1508: "diagmond", - 1509: "robcad-lm", - 1510: "mvx-lm", - 1511: "3l-l1", - 1512: "wins", - 1513: "fujitsu-dtc", - 1514: "fujitsu-dtcns", - 1515: "ifor-protocol", - 1516: "vpad", - 1517: "vpac", - 1518: "vpvd", - 1519: "vpvc", - 1520: "atm-zip-office", - 1521: "ncube-lm", - 1522: "ricardo-lm", - 1523: "cichild-lm", - 1524: "ingreslock", - 1525: "orasrv", - 1526: "pdap-np", - 1527: "tlisrv", - 1529: "coauthor", - 1530: "rap-service", - 1531: "rap-listen", - 1532: "miroconnect", - 1533: "virtual-places", - 1534: "micromuse-lm", - 1535: "ampr-info", - 1536: "ampr-inter", - 1537: "sdsc-lm", - 1538: "3ds-lm", - 1539: "intellistor-lm", - 1540: "rds", - 1541: "rds2", - 1542: "gridgen-elmd", - 1543: "simba-cs", - 1544: "aspeclmd", - 1545: "vistium-share", - 1546: "abbaccuray", - 1547: "laplink", - 1548: "axon-lm", - 1549: "shivasound", - 1550: "3m-image-lm", - 1551: "hecmtl-db", - 1552: "pciarray", - 1553: "sna-cs", - 1554: "caci-lm", - 1555: "livelan", - 1556: "veritas-pbx", - 1557: "arbortext-lm", - 1558: "xingmpeg", - 1559: "web2host", - 1560: "asci-val", - 1561: "facilityview", - 1562: "pconnectmgr", - 1563: "cadabra-lm", - 1564: "pay-per-view", - 1565: "winddlb", - 1566: "corelvideo", - 1567: "jlicelmd", - 1568: "tsspmap", - 1569: "ets", - 1570: "orbixd", - 1571: "rdb-dbs-disp", - 1572: "chip-lm", - 1573: "itscomm-ns", - 1574: "mvel-lm", - 1575: "oraclenames", - 1576: "moldflow-lm", - 1577: "hypercube-lm", - 1578: "jacobus-lm", - 1579: "ioc-sea-lm", - 1580: "tn-tl-r2", - 1581: "mil-2045-47001", - 1582: "msims", - 1583: "simbaexpress", - 1584: "tn-tl-fd2", - 1585: "intv", - 1586: "ibm-abtact", - 1587: "pra-elmd", - 1588: "triquest-lm", - 1589: "vqp", - 1590: "gemini-lm", - 1591: "ncpm-pm", - 1592: "commonspace", - 1593: "mainsoft-lm", - 1594: "sixtrak", - 1595: "radio", - 1596: "radio-bc", - 1597: "orbplus-iiop", - 1598: "picknfs", - 1599: "simbaservices", - 1600: "issd", - 1601: "aas", - 1602: "inspect", - 1603: "picodbc", - 1604: "icabrowser", - 1605: "slp", - 1606: "slm-api", - 1607: "stt", - 1608: "smart-lm", - 1609: "isysg-lm", - 1610: "taurus-wh", - 1611: "ill", - 1612: "netbill-trans", - 1613: "netbill-keyrep", - 1614: "netbill-cred", - 1615: "netbill-auth", - 1616: "netbill-prod", - 1617: "nimrod-agent", - 1618: "skytelnet", - 1619: "xs-openstorage", - 1620: "faxportwinport", - 1621: "softdataphone", - 1622: "ontime", - 1623: "jaleosnd", - 1624: "udp-sr-port", - 1625: "svs-omagent", - 1626: "shockwave", - 1627: "t128-gateway", - 1628: "lontalk-norm", - 1629: "lontalk-urgnt", - 1630: "oraclenet8cman", - 1631: "visitview", - 1632: "pammratc", - 1633: "pammrpc", - 1634: "loaprobe", - 1635: "edb-server1", - 1636: "isdc", - 1637: "islc", - 1638: "ismc", - 1639: "cert-initiator", - 1640: "cert-responder", - 1641: "invision", - 1642: "isis-am", - 1643: "isis-ambc", - 1644: "saiseh", - 1645: "sightline", - 1646: "sa-msg-port", - 1647: "rsap", - 1648: "concurrent-lm", - 1649: "kermit", - 1650: "nkd", - 1651: "shiva-confsrvr", - 1652: "xnmp", - 1653: "alphatech-lm", - 1654: "stargatealerts", - 1655: "dec-mbadmin", - 1656: "dec-mbadmin-h", - 1657: "fujitsu-mmpdc", - 1658: "sixnetudr", - 1659: "sg-lm", - 1660: "skip-mc-gikreq", - 1661: "netview-aix-1", - 1662: "netview-aix-2", - 1663: "netview-aix-3", - 1664: "netview-aix-4", - 1665: "netview-aix-5", - 1666: "netview-aix-6", - 1667: "netview-aix-7", - 1668: "netview-aix-8", - 1669: "netview-aix-9", - 1670: "netview-aix-10", - 1671: "netview-aix-11", - 1672: "netview-aix-12", - 1673: "proshare-mc-1", - 1674: "proshare-mc-2", - 1675: "pdp", - 1676: "netcomm2", - 1677: "groupwise", - 1678: "prolink", - 1679: "darcorp-lm", - 1680: "microcom-sbp", - 1681: "sd-elmd", - 1682: "lanyon-lantern", - 1683: "ncpm-hip", - 1684: "snaresecure", - 1685: "n2nremote", - 1686: "cvmon", - 1687: "nsjtp-ctrl", - 1688: "nsjtp-data", - 1689: "firefox", - 1690: "ng-umds", - 1691: "empire-empuma", - 1692: "sstsys-lm", - 1693: "rrirtr", - 1694: "rrimwm", - 1695: "rrilwm", - 1696: "rrifmm", - 1697: "rrisat", - 1698: "rsvp-encap-1", - 1699: "rsvp-encap-2", - 1700: "mps-raft", - 1701: "l2f", - 1702: "deskshare", - 1703: "hb-engine", - 1704: "bcs-broker", - 1705: "slingshot", - 1706: "jetform", - 1707: "vdmplay", - 1708: "gat-lmd", - 1709: "centra", - 1710: "impera", - 1711: "pptconference", - 1712: "registrar", - 1713: "conferencetalk", - 1714: "sesi-lm", - 1715: "houdini-lm", - 1716: "xmsg", - 1717: "fj-hdnet", - 1718: "h323gatedisc", - 1719: "h323gatestat", - 1720: "h323hostcall", - 1721: "caicci", - 1722: "hks-lm", - 1723: "pptp", - 1724: "csbphonemaster", - 1725: "iden-ralp", - 1726: "iberiagames", - 1727: "winddx", - 1728: "telindus", - 1729: "citynl", - 1730: "roketz", - 1731: "msiccp", - 1732: "proxim", - 1733: "siipat", - 1734: "cambertx-lm", - 1735: "privatechat", - 1736: "street-stream", - 1737: "ultimad", - 1738: "gamegen1", - 1739: "webaccess", - 1740: "encore", - 1741: "cisco-net-mgmt", - 1742: "3Com-nsd", - 1743: "cinegrfx-lm", - 1744: "ncpm-ft", - 1745: "remote-winsock", - 1746: "ftrapid-1", - 1747: "ftrapid-2", - 1748: "oracle-em1", - 1749: "aspen-services", - 1750: "sslp", - 1751: "swiftnet", - 1752: "lofr-lm", - 1754: "oracle-em2", - 1755: "ms-streaming", - 1756: "capfast-lmd", - 1757: "cnhrp", - 1758: "tftp-mcast", - 1759: "spss-lm", - 1760: "www-ldap-gw", - 1761: "cft-0", - 1762: "cft-1", - 1763: "cft-2", - 1764: "cft-3", - 1765: "cft-4", - 1766: "cft-5", - 1767: "cft-6", - 1768: "cft-7", - 1769: "bmc-net-adm", - 1770: "bmc-net-svc", - 1771: "vaultbase", - 1772: "essweb-gw", - 1773: "kmscontrol", - 1774: "global-dtserv", - 1776: "femis", - 1777: "powerguardian", - 1778: "prodigy-intrnet", - 1779: "pharmasoft", - 1780: "dpkeyserv", - 1781: "answersoft-lm", - 1782: "hp-hcip", - 1784: "finle-lm", - 1785: "windlm", - 1786: "funk-logger", - 1787: "funk-license", - 1788: "psmond", - 1789: "hello", - 1790: "nmsp", - 1791: "ea1", - 1792: "ibm-dt-2", - 1793: "rsc-robot", - 1794: "cera-bcm", - 1795: "dpi-proxy", - 1796: "vocaltec-admin", - 1797: "uma", - 1798: "etp", - 1799: "netrisk", - 1800: "ansys-lm", - 1801: "msmq", - 1802: "concomp1", - 1803: "hp-hcip-gwy", - 1804: "enl", - 1805: "enl-name", - 1806: "musiconline", - 1807: "fhsp", - 1808: "oracle-vp2", - 1809: "oracle-vp1", - 1810: "jerand-lm", - 1811: "scientia-sdb", - 1812: "radius", - 1813: "radius-acct", - 1814: "tdp-suite", - 1815: "mmpft", - 1816: "harp", - 1817: "rkb-oscs", - 1818: "etftp", - 1819: "plato-lm", - 1820: "mcagent", - 1821: "donnyworld", - 1822: "es-elmd", - 1823: "unisys-lm", - 1824: "metrics-pas", - 1825: "direcpc-video", - 1826: "ardt", - 1827: "asi", - 1828: "itm-mcell-u", - 1829: "optika-emedia", - 1830: "net8-cman", - 1831: "myrtle", - 1832: "tht-treasure", - 1833: "udpradio", - 1834: "ardusuni", - 1835: "ardusmul", - 1836: "ste-smsc", - 1837: "csoft1", - 1838: "talnet", - 1839: "netopia-vo1", - 1840: "netopia-vo2", - 1841: "netopia-vo3", - 1842: "netopia-vo4", - 1843: "netopia-vo5", - 1844: "direcpc-dll", - 1845: "altalink", - 1846: "tunstall-pnc", - 1847: "slp-notify", - 1848: "fjdocdist", - 1849: "alpha-sms", - 1850: "gsi", - 1851: "ctcd", - 1852: "virtual-time", - 1853: "vids-avtp", - 1854: "buddy-draw", - 1855: "fiorano-rtrsvc", - 1856: "fiorano-msgsvc", - 1857: "datacaptor", - 1858: "privateark", - 1859: "gammafetchsvr", - 1860: "sunscalar-svc", - 1861: "lecroy-vicp", - 1862: "mysql-cm-agent", - 1863: "msnp", - 1864: "paradym-31port", - 1865: "entp", - 1866: "swrmi", - 1867: "udrive", - 1868: "viziblebrowser", - 1869: "transact", - 1870: "sunscalar-dns", - 1871: "canocentral0", - 1872: "canocentral1", - 1873: "fjmpjps", - 1874: "fjswapsnp", - 1875: "westell-stats", - 1876: "ewcappsrv", - 1877: "hp-webqosdb", - 1878: "drmsmc", - 1879: "nettgain-nms", - 1880: "vsat-control", - 1881: "ibm-mqseries2", - 1882: "ecsqdmn", - 1883: "ibm-mqisdp", - 1884: "idmaps", - 1885: "vrtstrapserver", - 1886: "leoip", - 1887: "filex-lport", - 1888: "ncconfig", - 1889: "unify-adapter", - 1890: "wilkenlistener", - 1891: "childkey-notif", - 1892: "childkey-ctrl", - 1893: "elad", - 1894: "o2server-port", - 1896: "b-novative-ls", - 1897: "metaagent", - 1898: "cymtec-port", - 1899: "mc2studios", - 1900: "ssdp", - 1901: "fjicl-tep-a", - 1902: "fjicl-tep-b", - 1903: "linkname", - 1904: "fjicl-tep-c", - 1905: "sugp", - 1906: "tpmd", - 1907: "intrastar", - 1908: "dawn", - 1909: "global-wlink", - 1910: "ultrabac", - 1911: "mtp", - 1912: "rhp-iibp", - 1913: "armadp", - 1914: "elm-momentum", - 1915: "facelink", - 1916: "persona", - 1917: "noagent", - 1918: "can-nds", - 1919: "can-dch", - 1920: "can-ferret", - 1921: "noadmin", - 1922: "tapestry", - 1923: "spice", - 1924: "xiip", - 1925: "discovery-port", - 1926: "egs", - 1927: "videte-cipc", - 1928: "emsd-port", - 1929: "bandwiz-system", - 1930: "driveappserver", - 1931: "amdsched", - 1932: "ctt-broker", - 1933: "xmapi", - 1934: "xaapi", - 1935: "macromedia-fcs", - 1936: "jetcmeserver", - 1937: "jwserver", - 1938: "jwclient", - 1939: "jvserver", - 1940: "jvclient", - 1941: "dic-aida", - 1942: "res", - 1943: "beeyond-media", - 1944: "close-combat", - 1945: "dialogic-elmd", - 1946: "tekpls", - 1947: "sentinelsrm", - 1948: "eye2eye", - 1949: "ismaeasdaqlive", - 1950: "ismaeasdaqtest", - 1951: "bcs-lmserver", - 1952: "mpnjsc", - 1953: "rapidbase", - 1954: "abr-api", - 1955: "abr-secure", - 1956: "vrtl-vmf-ds", - 1957: "unix-status", - 1958: "dxadmind", - 1959: "simp-all", - 1960: "nasmanager", - 1961: "bts-appserver", - 1962: "biap-mp", - 1963: "webmachine", - 1964: "solid-e-engine", - 1965: "tivoli-npm", - 1966: "slush", - 1967: "sns-quote", - 1968: "lipsinc", - 1969: "lipsinc1", - 1970: "netop-rc", - 1971: "netop-school", - 1972: "intersys-cache", - 1973: "dlsrap", - 1974: "drp", - 1975: "tcoflashagent", - 1976: "tcoregagent", - 1977: "tcoaddressbook", - 1978: "unisql", - 1979: "unisql-java", - 1980: "pearldoc-xact", - 1981: "p2pq", - 1982: "estamp", - 1983: "lhtp", - 1984: "bb", - 1985: "hsrp", - 1986: "licensedaemon", - 1987: "tr-rsrb-p1", - 1988: "tr-rsrb-p2", - 1989: "tr-rsrb-p3", - 1990: "stun-p1", - 1991: "stun-p2", - 1992: "stun-p3", - 1993: "snmp-tcp-port", - 1994: "stun-port", - 1995: "perf-port", - 1996: "tr-rsrb-port", - 1997: "gdp-port", - 1998: "x25-svc-port", - 1999: "tcp-id-port", - 2000: "cisco-sccp", - 2001: "wizard", - 2002: "globe", - 2003: "brutus", - 2004: "emce", - 2005: "oracle", - 2006: "raid-cd", - 2007: "raid-am", - 2008: "terminaldb", - 2009: "whosockami", - 2010: "pipe-server", - 2011: "servserv", - 2012: "raid-ac", - 2013: "raid-cd", - 2014: "raid-sf", - 2015: "raid-cs", - 2016: "bootserver", - 2017: "bootclient", - 2018: "rellpack", - 2019: "about", - 2020: "xinupageserver", - 2021: "xinuexpansion1", - 2022: "xinuexpansion2", - 2023: "xinuexpansion3", - 2024: "xinuexpansion4", - 2025: "xribs", - 2026: "scrabble", - 2027: "shadowserver", - 2028: "submitserver", - 2029: "hsrpv6", - 2030: "device2", - 2031: "mobrien-chat", - 2032: "blackboard", - 2033: "glogger", - 2034: "scoremgr", - 2035: "imsldoc", - 2036: "e-dpnet", - 2037: "applus", - 2038: "objectmanager", - 2039: "prizma", - 2040: "lam", - 2041: "interbase", - 2042: "isis", - 2043: "isis-bcast", - 2044: "rimsl", - 2045: "cdfunc", - 2046: "sdfunc", - 2047: "dls", - 2048: "dls-monitor", - 2049: "shilp", - 2050: "av-emb-config", - 2051: "epnsdp", - 2052: "clearvisn", - 2053: "lot105-ds-upd", - 2054: "weblogin", - 2055: "iop", - 2056: "omnisky", - 2057: "rich-cp", - 2058: "newwavesearch", - 2059: "bmc-messaging", - 2060: "teleniumdaemon", - 2061: "netmount", - 2062: "icg-swp", - 2063: "icg-bridge", - 2064: "icg-iprelay", - 2065: "dlsrpn", - 2066: "aura", - 2067: "dlswpn", - 2068: "avauthsrvprtcl", - 2069: "event-port", - 2070: "ah-esp-encap", - 2071: "acp-port", - 2072: "msync", - 2073: "gxs-data-port", - 2074: "vrtl-vmf-sa", - 2075: "newlixengine", - 2076: "newlixconfig", - 2077: "tsrmagt", - 2078: "tpcsrvr", - 2079: "idware-router", - 2080: "autodesk-nlm", - 2081: "kme-trap-port", - 2082: "infowave", - 2083: "radsec", - 2084: "sunclustergeo", - 2085: "ada-cip", - 2086: "gnunet", - 2087: "eli", - 2088: "ip-blf", - 2089: "sep", - 2090: "lrp", - 2091: "prp", - 2092: "descent3", - 2093: "nbx-cc", - 2094: "nbx-au", - 2095: "nbx-ser", - 2096: "nbx-dir", - 2097: "jetformpreview", - 2098: "dialog-port", - 2099: "h2250-annex-g", - 2100: "amiganetfs", - 2101: "rtcm-sc104", - 2102: "zephyr-srv", - 2103: "zephyr-clt", - 2104: "zephyr-hm", - 2105: "minipay", - 2106: "mzap", - 2107: "bintec-admin", - 2108: "comcam", - 2109: "ergolight", - 2110: "umsp", - 2111: "dsatp", - 2112: "idonix-metanet", - 2113: "hsl-storm", - 2114: "newheights", - 2115: "kdm", - 2116: "ccowcmr", - 2117: "mentaclient", - 2118: "mentaserver", - 2119: "gsigatekeeper", - 2120: "qencp", - 2121: "scientia-ssdb", - 2122: "caupc-remote", - 2123: "gtp-control", - 2124: "elatelink", - 2125: "lockstep", - 2126: "pktcable-cops", - 2127: "index-pc-wb", - 2128: "net-steward", - 2129: "cs-live", - 2130: "xds", - 2131: "avantageb2b", - 2132: "solera-epmap", - 2133: "zymed-zpp", - 2134: "avenue", - 2135: "gris", - 2136: "appworxsrv", - 2137: "connect", - 2138: "unbind-cluster", - 2139: "ias-auth", - 2140: "ias-reg", - 2141: "ias-admind", - 2142: "tdmoip", - 2143: "lv-jc", - 2144: "lv-ffx", - 2145: "lv-pici", - 2146: "lv-not", - 2147: "lv-auth", - 2148: "veritas-ucl", - 2149: "acptsys", - 2150: "dynamic3d", - 2151: "docent", - 2152: "gtp-user", - 2153: "ctlptc", - 2154: "stdptc", - 2155: "brdptc", - 2156: "trp", - 2157: "xnds", - 2158: "touchnetplus", - 2159: "gdbremote", - 2160: "apc-2160", - 2161: "apc-2161", - 2162: "navisphere", - 2163: "navisphere-sec", - 2164: "ddns-v3", - 2165: "x-bone-api", - 2166: "iwserver", - 2167: "raw-serial", - 2168: "easy-soft-mux", - 2169: "brain", - 2170: "eyetv", - 2171: "msfw-storage", - 2172: "msfw-s-storage", - 2173: "msfw-replica", - 2174: "msfw-array", - 2175: "airsync", - 2176: "rapi", - 2177: "qwave", - 2178: "bitspeer", - 2179: "vmrdp", - 2180: "mc-gt-srv", - 2181: "eforward", - 2182: "cgn-stat", - 2183: "cgn-config", - 2184: "nvd", - 2185: "onbase-dds", - 2186: "gtaua", - 2187: "ssmd", - 2190: "tivoconnect", - 2191: "tvbus", - 2192: "asdis", - 2193: "drwcs", - 2197: "mnp-exchange", - 2198: "onehome-remote", - 2199: "onehome-help", - 2200: "ici", - 2201: "ats", - 2202: "imtc-map", - 2203: "b2-runtime", - 2204: "b2-license", - 2205: "jps", - 2206: "hpocbus", - 2207: "hpssd", - 2208: "hpiod", - 2209: "rimf-ps", - 2210: "noaaport", - 2211: "emwin", - 2212: "leecoposserver", - 2213: "kali", - 2214: "rpi", - 2215: "ipcore", - 2216: "vtu-comms", - 2217: "gotodevice", - 2218: "bounzza", - 2219: "netiq-ncap", - 2220: "netiq", - 2221: "rockwell-csp1", - 2222: "EtherNet-IP-1", - 2223: "rockwell-csp2", - 2224: "efi-mg", - 2226: "di-drm", - 2227: "di-msg", - 2228: "ehome-ms", - 2229: "datalens", - 2230: "queueadm", - 2231: "wimaxasncp", - 2232: "ivs-video", - 2233: "infocrypt", - 2234: "directplay", - 2235: "sercomm-wlink", - 2236: "nani", - 2237: "optech-port1-lm", - 2238: "aviva-sna", - 2239: "imagequery", - 2240: "recipe", - 2241: "ivsd", - 2242: "foliocorp", - 2243: "magicom", - 2244: "nmsserver", - 2245: "hao", - 2246: "pc-mta-addrmap", - 2247: "antidotemgrsvr", - 2248: "ums", - 2249: "rfmp", - 2250: "remote-collab", - 2251: "dif-port", - 2252: "njenet-ssl", - 2253: "dtv-chan-req", - 2254: "seispoc", - 2255: "vrtp", - 2256: "pcc-mfp", - 2257: "simple-tx-rx", - 2258: "rcts", - 2260: "apc-2260", - 2261: "comotionmaster", - 2262: "comotionback", - 2263: "ecwcfg", - 2264: "apx500api-1", - 2265: "apx500api-2", - 2266: "mfserver", - 2267: "ontobroker", - 2268: "amt", - 2269: "mikey", - 2270: "starschool", - 2271: "mmcals", - 2272: "mmcal", - 2273: "mysql-im", - 2274: "pcttunnell", - 2275: "ibridge-data", - 2276: "ibridge-mgmt", - 2277: "bluectrlproxy", - 2278: "s3db", - 2279: "xmquery", - 2280: "lnvpoller", - 2281: "lnvconsole", - 2282: "lnvalarm", - 2283: "lnvstatus", - 2284: "lnvmaps", - 2285: "lnvmailmon", - 2286: "nas-metering", - 2287: "dna", - 2288: "netml", - 2289: "dict-lookup", - 2290: "sonus-logging", - 2291: "eapsp", - 2292: "mib-streaming", - 2293: "npdbgmngr", - 2294: "konshus-lm", - 2295: "advant-lm", - 2296: "theta-lm", - 2297: "d2k-datamover1", - 2298: "d2k-datamover2", - 2299: "pc-telecommute", - 2300: "cvmmon", - 2301: "cpq-wbem", - 2302: "binderysupport", - 2303: "proxy-gateway", - 2304: "attachmate-uts", - 2305: "mt-scaleserver", - 2306: "tappi-boxnet", - 2307: "pehelp", - 2308: "sdhelp", - 2309: "sdserver", - 2310: "sdclient", - 2311: "messageservice", - 2312: "wanscaler", - 2313: "iapp", - 2314: "cr-websystems", - 2315: "precise-sft", - 2316: "sent-lm", - 2317: "attachmate-g32", - 2318: "cadencecontrol", - 2319: "infolibria", - 2320: "siebel-ns", - 2321: "rdlap", - 2322: "ofsd", - 2323: "3d-nfsd", - 2324: "cosmocall", - 2325: "ansysli", - 2326: "idcp", - 2327: "xingcsm", - 2328: "netrix-sftm", - 2329: "nvd", - 2330: "tscchat", - 2331: "agentview", - 2332: "rcc-host", - 2333: "snapp", - 2334: "ace-client", - 2335: "ace-proxy", - 2336: "appleugcontrol", - 2337: "ideesrv", - 2338: "norton-lambert", - 2339: "3com-webview", - 2340: "wrs-registry", - 2341: "xiostatus", - 2342: "manage-exec", - 2343: "nati-logos", - 2344: "fcmsys", - 2345: "dbm", - 2346: "redstorm-join", - 2347: "redstorm-find", - 2348: "redstorm-info", - 2349: "redstorm-diag", - 2350: "psbserver", - 2351: "psrserver", - 2352: "pslserver", - 2353: "pspserver", - 2354: "psprserver", - 2355: "psdbserver", - 2356: "gxtelmd", - 2357: "unihub-server", - 2358: "futrix", - 2359: "flukeserver", - 2360: "nexstorindltd", - 2361: "tl1", - 2362: "digiman", - 2363: "mediacntrlnfsd", - 2364: "oi-2000", - 2365: "dbref", - 2366: "qip-login", - 2367: "service-ctrl", - 2368: "opentable", - 2370: "l3-hbmon", - 2372: "lanmessenger", - 2381: "compaq-https", - 2382: "ms-olap3", - 2383: "ms-olap4", - 2384: "sd-capacity", - 2385: "sd-data", - 2386: "virtualtape", - 2387: "vsamredirector", - 2388: "mynahautostart", - 2389: "ovsessionmgr", - 2390: "rsmtp", - 2391: "3com-net-mgmt", - 2392: "tacticalauth", - 2393: "ms-olap1", - 2394: "ms-olap2", - 2395: "lan900-remote", - 2396: "wusage", - 2397: "ncl", - 2398: "orbiter", - 2399: "fmpro-fdal", - 2400: "opequus-server", - 2401: "cvspserver", - 2402: "taskmaster2000", - 2403: "taskmaster2000", - 2404: "iec-104", - 2405: "trc-netpoll", - 2406: "jediserver", - 2407: "orion", - 2409: "sns-protocol", - 2410: "vrts-registry", - 2411: "netwave-ap-mgmt", - 2412: "cdn", - 2413: "orion-rmi-reg", - 2414: "beeyond", - 2415: "codima-rtp", - 2416: "rmtserver", - 2417: "composit-server", - 2418: "cas", - 2419: "attachmate-s2s", - 2420: "dslremote-mgmt", - 2421: "g-talk", - 2422: "crmsbits", - 2423: "rnrp", - 2424: "kofax-svr", - 2425: "fjitsuappmgr", - 2427: "mgcp-gateway", - 2428: "ott", - 2429: "ft-role", - 2430: "venus", - 2431: "venus-se", - 2432: "codasrv", - 2433: "codasrv-se", - 2434: "pxc-epmap", - 2435: "optilogic", - 2436: "topx", - 2437: "unicontrol", - 2438: "msp", - 2439: "sybasedbsynch", - 2440: "spearway", - 2441: "pvsw-inet", - 2442: "netangel", - 2443: "powerclientcsf", - 2444: "btpp2sectrans", - 2445: "dtn1", - 2446: "bues-service", - 2447: "ovwdb", - 2448: "hpppssvr", - 2449: "ratl", - 2450: "netadmin", - 2451: "netchat", - 2452: "snifferclient", - 2453: "madge-ltd", - 2454: "indx-dds", - 2455: "wago-io-system", - 2456: "altav-remmgt", - 2457: "rapido-ip", - 2458: "griffin", - 2459: "community", - 2460: "ms-theater", - 2461: "qadmifoper", - 2462: "qadmifevent", - 2463: "lsi-raid-mgmt", - 2464: "direcpc-si", - 2465: "lbm", - 2466: "lbf", - 2467: "high-criteria", - 2468: "qip-msgd", - 2469: "mti-tcs-comm", - 2470: "taskman-port", - 2471: "seaodbc", - 2472: "c3", - 2473: "aker-cdp", - 2474: "vitalanalysis", - 2475: "ace-server", - 2476: "ace-svr-prop", - 2477: "ssm-cvs", - 2478: "ssm-cssps", - 2479: "ssm-els", - 2480: "powerexchange", - 2481: "giop", - 2482: "giop-ssl", - 2483: "ttc", - 2484: "ttc-ssl", - 2485: "netobjects1", - 2486: "netobjects2", - 2487: "pns", - 2488: "moy-corp", - 2489: "tsilb", - 2490: "qip-qdhcp", - 2491: "conclave-cpp", - 2492: "groove", - 2493: "talarian-mqs", - 2494: "bmc-ar", - 2495: "fast-rem-serv", - 2496: "dirgis", - 2497: "quaddb", - 2498: "odn-castraq", - 2499: "unicontrol", - 2500: "rtsserv", - 2501: "rtsclient", - 2502: "kentrox-prot", - 2503: "nms-dpnss", - 2504: "wlbs", - 2505: "ppcontrol", - 2506: "jbroker", - 2507: "spock", - 2508: "jdatastore", - 2509: "fjmpss", - 2510: "fjappmgrbulk", - 2511: "metastorm", - 2512: "citrixima", - 2513: "citrixadmin", - 2514: "facsys-ntp", - 2515: "facsys-router", - 2516: "maincontrol", - 2517: "call-sig-trans", - 2518: "willy", - 2519: "globmsgsvc", - 2520: "pvsw", - 2521: "adaptecmgr", - 2522: "windb", - 2523: "qke-llc-v3", - 2524: "optiwave-lm", - 2525: "ms-v-worlds", - 2526: "ema-sent-lm", - 2527: "iqserver", - 2528: "ncr-ccl", - 2529: "utsftp", - 2530: "vrcommerce", - 2531: "ito-e-gui", - 2532: "ovtopmd", - 2533: "snifferserver", - 2534: "combox-web-acc", - 2535: "madcap", - 2536: "btpp2audctr1", - 2537: "upgrade", - 2538: "vnwk-prapi", - 2539: "vsiadmin", - 2540: "lonworks", - 2541: "lonworks2", - 2542: "udrawgraph", - 2543: "reftek", - 2544: "novell-zen", - 2545: "sis-emt", - 2546: "vytalvaultbrtp", - 2547: "vytalvaultvsmp", - 2548: "vytalvaultpipe", - 2549: "ipass", - 2550: "ads", - 2551: "isg-uda-server", - 2552: "call-logging", - 2553: "efidiningport", - 2554: "vcnet-link-v10", - 2555: "compaq-wcp", - 2556: "nicetec-nmsvc", - 2557: "nicetec-mgmt", - 2558: "pclemultimedia", - 2559: "lstp", - 2560: "labrat", - 2561: "mosaixcc", - 2562: "delibo", - 2563: "cti-redwood", - 2564: "hp-3000-telnet", - 2565: "coord-svr", - 2566: "pcs-pcw", - 2567: "clp", - 2568: "spamtrap", - 2569: "sonuscallsig", - 2570: "hs-port", - 2571: "cecsvc", - 2572: "ibp", - 2573: "trustestablish", - 2574: "blockade-bpsp", - 2575: "hl7", - 2576: "tclprodebugger", - 2577: "scipticslsrvr", - 2578: "rvs-isdn-dcp", - 2579: "mpfoncl", - 2580: "tributary", - 2581: "argis-te", - 2582: "argis-ds", - 2583: "mon", - 2584: "cyaserv", - 2585: "netx-server", - 2586: "netx-agent", - 2587: "masc", - 2588: "privilege", - 2589: "quartus-tcl", - 2590: "idotdist", - 2591: "maytagshuffle", - 2592: "netrek", - 2593: "mns-mail", - 2594: "dts", - 2595: "worldfusion1", - 2596: "worldfusion2", - 2597: "homesteadglory", - 2598: "citriximaclient", - 2599: "snapd", - 2600: "hpstgmgr", - 2601: "discp-client", - 2602: "discp-server", - 2603: "servicemeter", - 2604: "nsc-ccs", - 2605: "nsc-posa", - 2606: "netmon", - 2607: "connection", - 2608: "wag-service", - 2609: "system-monitor", - 2610: "versa-tek", - 2611: "lionhead", - 2612: "qpasa-agent", - 2613: "smntubootstrap", - 2614: "neveroffline", - 2615: "firepower", - 2616: "appswitch-emp", - 2617: "cmadmin", - 2618: "priority-e-com", - 2619: "bruce", - 2620: "lpsrecommender", - 2621: "miles-apart", - 2622: "metricadbc", - 2623: "lmdp", - 2624: "aria", - 2625: "blwnkl-port", - 2626: "gbjd816", - 2627: "moshebeeri", - 2628: "dict", - 2629: "sitaraserver", - 2630: "sitaramgmt", - 2631: "sitaradir", - 2632: "irdg-post", - 2633: "interintelli", - 2634: "pk-electronics", - 2635: "backburner", - 2636: "solve", - 2637: "imdocsvc", - 2638: "sybaseanywhere", - 2639: "aminet", - 2640: "sai-sentlm", - 2641: "hdl-srv", - 2642: "tragic", - 2643: "gte-samp", - 2644: "travsoft-ipx-t", - 2645: "novell-ipx-cmd", - 2646: "and-lm", - 2647: "syncserver", - 2648: "upsnotifyprot", - 2649: "vpsipport", - 2650: "eristwoguns", - 2651: "ebinsite", - 2652: "interpathpanel", - 2653: "sonus", - 2654: "corel-vncadmin", - 2655: "unglue", - 2656: "kana", - 2657: "sns-dispatcher", - 2658: "sns-admin", - 2659: "sns-query", - 2660: "gcmonitor", - 2661: "olhost", - 2662: "bintec-capi", - 2663: "bintec-tapi", - 2664: "patrol-mq-gm", - 2665: "patrol-mq-nm", - 2666: "extensis", - 2667: "alarm-clock-s", - 2668: "alarm-clock-c", - 2669: "toad", - 2670: "tve-announce", - 2671: "newlixreg", - 2672: "nhserver", - 2673: "firstcall42", - 2674: "ewnn", - 2675: "ttc-etap", - 2676: "simslink", - 2677: "gadgetgate1way", - 2678: "gadgetgate2way", - 2679: "syncserverssl", - 2680: "pxc-sapxom", - 2681: "mpnjsomb", - 2683: "ncdloadbalance", - 2684: "mpnjsosv", - 2685: "mpnjsocl", - 2686: "mpnjsomg", - 2687: "pq-lic-mgmt", - 2688: "md-cg-http", - 2689: "fastlynx", - 2690: "hp-nnm-data", - 2691: "itinternet", - 2692: "admins-lms", - 2694: "pwrsevent", - 2695: "vspread", - 2696: "unifyadmin", - 2697: "oce-snmp-trap", - 2698: "mck-ivpip", - 2699: "csoft-plusclnt", - 2700: "tqdata", - 2701: "sms-rcinfo", - 2702: "sms-xfer", - 2703: "sms-chat", - 2704: "sms-remctrl", - 2705: "sds-admin", - 2706: "ncdmirroring", - 2707: "emcsymapiport", - 2708: "banyan-net", - 2709: "supermon", - 2710: "sso-service", - 2711: "sso-control", - 2712: "aocp", - 2713: "raventbs", - 2714: "raventdm", - 2715: "hpstgmgr2", - 2716: "inova-ip-disco", - 2717: "pn-requester", - 2718: "pn-requester2", - 2719: "scan-change", - 2720: "wkars", - 2721: "smart-diagnose", - 2722: "proactivesrvr", - 2723: "watchdog-nt", - 2724: "qotps", - 2725: "msolap-ptp2", - 2726: "tams", - 2727: "mgcp-callagent", - 2728: "sqdr", - 2729: "tcim-control", - 2730: "nec-raidplus", - 2731: "fyre-messanger", - 2732: "g5m", - 2733: "signet-ctf", - 2734: "ccs-software", - 2735: "netiq-mc", - 2736: "radwiz-nms-srv", - 2737: "srp-feedback", - 2738: "ndl-tcp-ois-gw", - 2739: "tn-timing", - 2740: "alarm", - 2741: "tsb", - 2742: "tsb2", - 2743: "murx", - 2744: "honyaku", - 2745: "urbisnet", - 2746: "cpudpencap", - 2747: "fjippol-swrly", - 2748: "fjippol-polsvr", - 2749: "fjippol-cnsl", - 2750: "fjippol-port1", - 2751: "fjippol-port2", - 2752: "rsisysaccess", - 2753: "de-spot", - 2754: "apollo-cc", - 2755: "expresspay", - 2756: "simplement-tie", - 2757: "cnrp", - 2758: "apollo-status", - 2759: "apollo-gms", - 2760: "sabams", - 2761: "dicom-iscl", - 2762: "dicom-tls", - 2763: "desktop-dna", - 2764: "data-insurance", - 2765: "qip-audup", - 2766: "compaq-scp", - 2767: "uadtc", - 2768: "uacs", - 2769: "exce", - 2770: "veronica", - 2771: "vergencecm", - 2772: "auris", - 2773: "rbakcup1", - 2774: "rbakcup2", - 2775: "smpp", - 2776: "ridgeway1", - 2777: "ridgeway2", - 2778: "gwen-sonya", - 2779: "lbc-sync", - 2780: "lbc-control", - 2781: "whosells", - 2782: "everydayrc", - 2783: "aises", - 2784: "www-dev", - 2785: "aic-np", - 2786: "aic-oncrpc", - 2787: "piccolo", - 2788: "fryeserv", - 2789: "media-agent", - 2790: "plgproxy", - 2791: "mtport-regist", - 2792: "f5-globalsite", - 2793: "initlsmsad", - 2795: "livestats", - 2796: "ac-tech", - 2797: "esp-encap", - 2798: "tmesis-upshot", - 2799: "icon-discover", - 2800: "acc-raid", - 2801: "igcp", - 2802: "veritas-udp1", - 2803: "btprjctrl", - 2804: "dvr-esm", - 2805: "wta-wsp-s", - 2806: "cspuni", - 2807: "cspmulti", - 2808: "j-lan-p", - 2809: "corbaloc", - 2810: "netsteward", - 2811: "gsiftp", - 2812: "atmtcp", - 2813: "llm-pass", - 2814: "llm-csv", - 2815: "lbc-measure", - 2816: "lbc-watchdog", - 2817: "nmsigport", - 2818: "rmlnk", - 2819: "fc-faultnotify", - 2820: "univision", - 2821: "vrts-at-port", - 2822: "ka0wuc", - 2823: "cqg-netlan", - 2824: "cqg-netlan-1", - 2826: "slc-systemlog", - 2827: "slc-ctrlrloops", - 2828: "itm-lm", - 2829: "silkp1", - 2830: "silkp2", - 2831: "silkp3", - 2832: "silkp4", - 2833: "glishd", - 2834: "evtp", - 2835: "evtp-data", - 2836: "catalyst", - 2837: "repliweb", - 2838: "starbot", - 2839: "nmsigport", - 2840: "l3-exprt", - 2841: "l3-ranger", - 2842: "l3-hawk", - 2843: "pdnet", - 2844: "bpcp-poll", - 2845: "bpcp-trap", - 2846: "aimpp-hello", - 2847: "aimpp-port-req", - 2848: "amt-blc-port", - 2849: "fxp", - 2850: "metaconsole", - 2851: "webemshttp", - 2852: "bears-01", - 2853: "ispipes", - 2854: "infomover", - 2856: "cesdinv", - 2857: "simctlp", - 2858: "ecnp", - 2859: "activememory", - 2860: "dialpad-voice1", - 2861: "dialpad-voice2", - 2862: "ttg-protocol", - 2863: "sonardata", - 2864: "astromed-main", - 2865: "pit-vpn", - 2866: "iwlistener", - 2867: "esps-portal", - 2868: "npep-messaging", - 2869: "icslap", - 2870: "daishi", - 2871: "msi-selectplay", - 2872: "radix", - 2874: "dxmessagebase1", - 2875: "dxmessagebase2", - 2876: "sps-tunnel", - 2877: "bluelance", - 2878: "aap", - 2879: "ucentric-ds", - 2880: "synapse", - 2881: "ndsp", - 2882: "ndtp", - 2883: "ndnp", - 2884: "flashmsg", - 2885: "topflow", - 2886: "responselogic", - 2887: "aironetddp", - 2888: "spcsdlobby", - 2889: "rsom", - 2890: "cspclmulti", - 2891: "cinegrfx-elmd", - 2892: "snifferdata", - 2893: "vseconnector", - 2894: "abacus-remote", - 2895: "natuslink", - 2896: "ecovisiong6-1", - 2897: "citrix-rtmp", - 2898: "appliance-cfg", - 2899: "powergemplus", - 2900: "quicksuite", - 2901: "allstorcns", - 2902: "netaspi", - 2903: "suitcase", - 2904: "m2ua", - 2906: "caller9", - 2907: "webmethods-b2b", - 2908: "mao", - 2909: "funk-dialout", - 2910: "tdaccess", - 2911: "blockade", - 2912: "epicon", - 2913: "boosterware", - 2914: "gamelobby", - 2915: "tksocket", - 2916: "elvin-server", - 2917: "elvin-client", - 2918: "kastenchasepad", - 2919: "roboer", - 2920: "roboeda", - 2921: "cesdcdman", - 2922: "cesdcdtrn", - 2923: "wta-wsp-wtp-s", - 2924: "precise-vip", - 2926: "mobile-file-dl", - 2927: "unimobilectrl", - 2928: "redstone-cpss", - 2929: "amx-webadmin", - 2930: "amx-weblinx", - 2931: "circle-x", - 2932: "incp", - 2933: "4-tieropmgw", - 2934: "4-tieropmcli", - 2935: "qtp", - 2936: "otpatch", - 2937: "pnaconsult-lm", - 2938: "sm-pas-1", - 2939: "sm-pas-2", - 2940: "sm-pas-3", - 2941: "sm-pas-4", - 2942: "sm-pas-5", - 2943: "ttnrepository", - 2944: "megaco-h248", - 2945: "h248-binary", - 2946: "fjsvmpor", - 2947: "gpsd", - 2948: "wap-push", - 2949: "wap-pushsecure", - 2950: "esip", - 2951: "ottp", - 2952: "mpfwsas", - 2953: "ovalarmsrv", - 2954: "ovalarmsrv-cmd", - 2955: "csnotify", - 2956: "ovrimosdbman", - 2957: "jmact5", - 2958: "jmact6", - 2959: "rmopagt", - 2960: "dfoxserver", - 2961: "boldsoft-lm", - 2962: "iph-policy-cli", - 2963: "iph-policy-adm", - 2964: "bullant-srap", - 2965: "bullant-rap", - 2966: "idp-infotrieve", - 2967: "ssc-agent", - 2968: "enpp", - 2969: "essp", - 2970: "index-net", - 2971: "netclip", - 2972: "pmsm-webrctl", - 2973: "svnetworks", - 2974: "signal", - 2975: "fjmpcm", - 2976: "cns-srv-port", - 2977: "ttc-etap-ns", - 2978: "ttc-etap-ds", - 2979: "h263-video", - 2980: "wimd", - 2981: "mylxamport", - 2982: "iwb-whiteboard", - 2983: "netplan", - 2984: "hpidsadmin", - 2985: "hpidsagent", - 2986: "stonefalls", - 2987: "identify", - 2988: "hippad", - 2989: "zarkov", - 2990: "boscap", - 2991: "wkstn-mon", - 2992: "avenyo", - 2993: "veritas-vis1", - 2994: "veritas-vis2", - 2995: "idrs", - 2996: "vsixml", - 2997: "rebol", - 2998: "realsecure", - 2999: "remoteware-un", - 3000: "hbci", - 3002: "exlm-agent", - 3003: "cgms", - 3004: "csoftragent", - 3005: "geniuslm", - 3006: "ii-admin", - 3007: "lotusmtap", - 3008: "midnight-tech", - 3009: "pxc-ntfy", - 3010: "ping-pong", - 3011: "trusted-web", - 3012: "twsdss", - 3013: "gilatskysurfer", - 3014: "broker-service", - 3015: "nati-dstp", - 3016: "notify-srvr", - 3017: "event-listener", - 3018: "srvc-registry", - 3019: "resource-mgr", - 3020: "cifs", - 3021: "agriserver", - 3022: "csregagent", - 3023: "magicnotes", - 3024: "nds-sso", - 3025: "arepa-raft", - 3026: "agri-gateway", - 3027: "LiebDevMgmt-C", - 3028: "LiebDevMgmt-DM", - 3029: "LiebDevMgmt-A", - 3030: "arepa-cas", - 3031: "eppc", - 3032: "redwood-chat", - 3033: "pdb", - 3034: "osmosis-aeea", - 3035: "fjsv-gssagt", - 3036: "hagel-dump", - 3037: "hp-san-mgmt", - 3038: "santak-ups", - 3039: "cogitate", - 3040: "tomato-springs", - 3041: "di-traceware", - 3042: "journee", - 3043: "brp", - 3044: "epp", - 3045: "responsenet", - 3046: "di-ase", - 3047: "hlserver", - 3048: "pctrader", - 3049: "nsws", - 3050: "gds-db", - 3051: "galaxy-server", - 3052: "apc-3052", - 3053: "dsom-server", - 3054: "amt-cnf-prot", - 3055: "policyserver", - 3056: "cdl-server", - 3057: "goahead-fldup", - 3058: "videobeans", - 3059: "qsoft", - 3060: "interserver", - 3061: "cautcpd", - 3062: "ncacn-ip-tcp", - 3063: "ncadg-ip-udp", - 3064: "rprt", - 3065: "slinterbase", - 3066: "netattachsdmp", - 3067: "fjhpjp", - 3068: "ls3bcast", - 3069: "ls3", - 3070: "mgxswitch", - 3071: "csd-mgmt-port", - 3072: "csd-monitor", - 3073: "vcrp", - 3074: "xbox", - 3075: "orbix-locator", - 3076: "orbix-config", - 3077: "orbix-loc-ssl", - 3078: "orbix-cfg-ssl", - 3079: "lv-frontpanel", - 3080: "stm-pproc", - 3081: "tl1-lv", - 3082: "tl1-raw", - 3083: "tl1-telnet", - 3084: "itm-mccs", - 3085: "pcihreq", - 3086: "jdl-dbkitchen", - 3087: "asoki-sma", - 3088: "xdtp", - 3089: "ptk-alink", - 3090: "stss", - 3091: "1ci-smcs", - 3093: "rapidmq-center", - 3094: "rapidmq-reg", - 3095: "panasas", - 3096: "ndl-aps", - 3098: "umm-port", - 3099: "chmd", - 3100: "opcon-xps", - 3101: "hp-pxpib", - 3102: "slslavemon", - 3103: "autocuesmi", - 3104: "autocuetime", - 3105: "cardbox", - 3106: "cardbox-http", - 3107: "business", - 3108: "geolocate", - 3109: "personnel", - 3110: "sim-control", - 3111: "wsynch", - 3112: "ksysguard", - 3113: "cs-auth-svr", - 3114: "ccmad", - 3115: "mctet-master", - 3116: "mctet-gateway", - 3117: "mctet-jserv", - 3118: "pkagent", - 3119: "d2000kernel", - 3120: "d2000webserver", - 3122: "vtr-emulator", - 3123: "edix", - 3124: "beacon-port", - 3125: "a13-an", - 3127: "ctx-bridge", - 3128: "ndl-aas", - 3129: "netport-id", - 3130: "icpv2", - 3131: "netbookmark", - 3132: "ms-rule-engine", - 3133: "prism-deploy", - 3134: "ecp", - 3135: "peerbook-port", - 3136: "grubd", - 3137: "rtnt-1", - 3138: "rtnt-2", - 3139: "incognitorv", - 3140: "ariliamulti", - 3141: "vmodem", - 3142: "rdc-wh-eos", - 3143: "seaview", - 3144: "tarantella", - 3145: "csi-lfap", - 3146: "bears-02", - 3147: "rfio", - 3148: "nm-game-admin", - 3149: "nm-game-server", - 3150: "nm-asses-admin", - 3151: "nm-assessor", - 3152: "feitianrockey", - 3153: "s8-client-port", - 3154: "ccmrmi", - 3155: "jpegmpeg", - 3156: "indura", - 3157: "e3consultants", - 3158: "stvp", - 3159: "navegaweb-port", - 3160: "tip-app-server", - 3161: "doc1lm", - 3162: "sflm", - 3163: "res-sap", - 3164: "imprs", - 3165: "newgenpay", - 3166: "sossecollector", - 3167: "nowcontact", - 3168: "poweronnud", - 3169: "serverview-as", - 3170: "serverview-asn", - 3171: "serverview-gf", - 3172: "serverview-rm", - 3173: "serverview-icc", - 3174: "armi-server", - 3175: "t1-e1-over-ip", - 3176: "ars-master", - 3177: "phonex-port", - 3178: "radclientport", - 3179: "h2gf-w-2m", - 3180: "mc-brk-srv", - 3181: "bmcpatrolagent", - 3182: "bmcpatrolrnvu", - 3183: "cops-tls", - 3184: "apogeex-port", - 3185: "smpppd", - 3186: "iiw-port", - 3187: "odi-port", - 3188: "brcm-comm-port", - 3189: "pcle-infex", - 3190: "csvr-proxy", - 3191: "csvr-sslproxy", - 3192: "firemonrcc", - 3193: "spandataport", - 3194: "magbind", - 3195: "ncu-1", - 3196: "ncu-2", - 3197: "embrace-dp-s", - 3198: "embrace-dp-c", - 3199: "dmod-workspace", - 3200: "tick-port", - 3201: "cpq-tasksmart", - 3202: "intraintra", - 3203: "netwatcher-mon", - 3204: "netwatcher-db", - 3205: "isns", - 3206: "ironmail", - 3207: "vx-auth-port", - 3208: "pfu-prcallback", - 3209: "netwkpathengine", - 3210: "flamenco-proxy", - 3211: "avsecuremgmt", - 3212: "surveyinst", - 3213: "neon24x7", - 3214: "jmq-daemon-1", - 3215: "jmq-daemon-2", - 3216: "ferrari-foam", - 3217: "unite", - 3218: "smartpackets", - 3219: "wms-messenger", - 3220: "xnm-ssl", - 3221: "xnm-clear-text", - 3222: "glbp", - 3223: "digivote", - 3224: "aes-discovery", - 3225: "fcip-port", - 3226: "isi-irp", - 3227: "dwnmshttp", - 3228: "dwmsgserver", - 3229: "global-cd-port", - 3230: "sftdst-port", - 3231: "vidigo", - 3232: "mdtp", - 3233: "whisker", - 3234: "alchemy", - 3235: "mdap-port", - 3236: "apparenet-ts", - 3237: "apparenet-tps", - 3238: "apparenet-as", - 3239: "apparenet-ui", - 3240: "triomotion", - 3241: "sysorb", - 3242: "sdp-id-port", - 3243: "timelot", - 3244: "onesaf", - 3245: "vieo-fe", - 3246: "dvt-system", - 3247: "dvt-data", - 3248: "procos-lm", - 3249: "ssp", - 3250: "hicp", - 3251: "sysscanner", - 3252: "dhe", - 3253: "pda-data", - 3254: "pda-sys", - 3255: "semaphore", - 3256: "cpqrpm-agent", - 3257: "cpqrpm-server", - 3258: "ivecon-port", - 3259: "epncdp2", - 3260: "iscsi-target", - 3261: "winshadow", - 3262: "necp", - 3263: "ecolor-imager", - 3264: "ccmail", - 3265: "altav-tunnel", - 3266: "ns-cfg-server", - 3267: "ibm-dial-out", - 3268: "msft-gc", - 3269: "msft-gc-ssl", - 3270: "verismart", - 3271: "csoft-prev", - 3272: "user-manager", - 3273: "sxmp", - 3274: "ordinox-server", - 3275: "samd", - 3276: "maxim-asics", - 3277: "awg-proxy", - 3278: "lkcmserver", - 3279: "admind", - 3280: "vs-server", - 3281: "sysopt", - 3282: "datusorb", - 3283: "Apple Remote Desktop (Net Assistant)", - 3284: "4talk", - 3285: "plato", - 3286: "e-net", - 3287: "directvdata", - 3288: "cops", - 3289: "enpc", - 3290: "caps-lm", - 3291: "sah-lm", - 3292: "cart-o-rama", - 3293: "fg-fps", - 3294: "fg-gip", - 3295: "dyniplookup", - 3296: "rib-slm", - 3297: "cytel-lm", - 3298: "deskview", - 3299: "pdrncs", - 3302: "mcs-fastmail", - 3303: "opsession-clnt", - 3304: "opsession-srvr", - 3305: "odette-ftp", - 3306: "mysql", - 3307: "opsession-prxy", - 3308: "tns-server", - 3309: "tns-adv", - 3310: "dyna-access", - 3311: "mcns-tel-ret", - 3312: "appman-server", - 3313: "uorb", - 3314: "uohost", - 3315: "cdid", - 3316: "aicc-cmi", - 3317: "vsaiport", - 3318: "ssrip", - 3319: "sdt-lmd", - 3320: "officelink2000", - 3321: "vnsstr", - 3326: "sftu", - 3327: "bbars", - 3328: "egptlm", - 3329: "hp-device-disc", - 3330: "mcs-calypsoicf", - 3331: "mcs-messaging", - 3332: "mcs-mailsvr", - 3333: "dec-notes", - 3334: "directv-web", - 3335: "directv-soft", - 3336: "directv-tick", - 3337: "directv-catlg", - 3338: "anet-b", - 3339: "anet-l", - 3340: "anet-m", - 3341: "anet-h", - 3342: "webtie", - 3343: "ms-cluster-net", - 3344: "bnt-manager", - 3345: "influence", - 3346: "trnsprntproxy", - 3347: "phoenix-rpc", - 3348: "pangolin-laser", - 3349: "chevinservices", - 3350: "findviatv", - 3351: "btrieve", - 3352: "ssql", - 3353: "fatpipe", - 3354: "suitjd", - 3355: "ordinox-dbase", - 3356: "upnotifyps", - 3357: "adtech-test", - 3358: "mpsysrmsvr", - 3359: "wg-netforce", - 3360: "kv-server", - 3361: "kv-agent", - 3362: "dj-ilm", - 3363: "nati-vi-server", - 3364: "creativeserver", - 3365: "contentserver", - 3366: "creativepartnr", - 3372: "tip2", - 3373: "lavenir-lm", - 3374: "cluster-disc", - 3375: "vsnm-agent", - 3376: "cdbroker", - 3377: "cogsys-lm", - 3378: "wsicopy", - 3379: "socorfs", - 3380: "sns-channels", - 3381: "geneous", - 3382: "fujitsu-neat", - 3383: "esp-lm", - 3384: "hp-clic", - 3385: "qnxnetman", - 3386: "gprs-sig", - 3387: "backroomnet", - 3388: "cbserver", - 3389: "ms-wbt-server", - 3390: "dsc", - 3391: "savant", - 3392: "efi-lm", - 3393: "d2k-tapestry1", - 3394: "d2k-tapestry2", - 3395: "dyna-lm", - 3396: "printer-agent", - 3397: "cloanto-lm", - 3398: "mercantile", - 3399: "csms", - 3400: "csms2", - 3401: "filecast", - 3402: "fxaengine-net", - 3405: "nokia-ann-ch1", - 3406: "nokia-ann-ch2", - 3407: "ldap-admin", - 3408: "BESApi", - 3409: "networklens", - 3410: "networklenss", - 3411: "biolink-auth", - 3412: "xmlblaster", - 3413: "svnet", - 3414: "wip-port", - 3415: "bcinameservice", - 3416: "commandport", - 3417: "csvr", - 3418: "rnmap", - 3419: "softaudit", - 3420: "ifcp-port", - 3421: "bmap", - 3422: "rusb-sys-port", - 3423: "xtrm", - 3424: "xtrms", - 3425: "agps-port", - 3426: "arkivio", - 3427: "websphere-snmp", - 3428: "twcss", - 3429: "gcsp", - 3430: "ssdispatch", - 3431: "ndl-als", - 3432: "osdcp", - 3433: "opnet-smp", - 3434: "opencm", - 3435: "pacom", - 3436: "gc-config", - 3437: "autocueds", - 3438: "spiral-admin", - 3439: "hri-port", - 3440: "ans-console", - 3441: "connect-client", - 3442: "connect-server", - 3443: "ov-nnm-websrv", - 3444: "denali-server", - 3445: "monp", - 3446: "3comfaxrpc", - 3447: "directnet", - 3448: "dnc-port", - 3449: "hotu-chat", - 3450: "castorproxy", - 3451: "asam", - 3452: "sabp-signal", - 3453: "pscupd", - 3454: "mira", - 3455: "prsvp", - 3456: "vat", - 3457: "vat-control", - 3458: "d3winosfi", - 3459: "integral", - 3460: "edm-manager", - 3461: "edm-stager", - 3462: "edm-std-notify", - 3463: "edm-adm-notify", - 3464: "edm-mgr-sync", - 3465: "edm-mgr-cntrl", - 3466: "workflow", - 3467: "rcst", - 3468: "ttcmremotectrl", - 3469: "pluribus", - 3470: "jt400", - 3471: "jt400-ssl", - 3472: "jaugsremotec-1", - 3473: "jaugsremotec-2", - 3474: "ttntspauto", - 3475: "genisar-port", - 3476: "nppmp", - 3477: "ecomm", - 3478: "stun", - 3479: "twrpc", - 3480: "plethora", - 3481: "cleanerliverc", - 3482: "vulture", - 3483: "slim-devices", - 3484: "gbs-stp", - 3485: "celatalk", - 3486: "ifsf-hb-port", - 3487: "ltcudp", - 3488: "fs-rh-srv", - 3489: "dtp-dia", - 3490: "colubris", - 3491: "swr-port", - 3492: "tvdumtray-port", - 3493: "nut", - 3494: "ibm3494", - 3495: "seclayer-tcp", - 3496: "seclayer-tls", - 3497: "ipether232port", - 3498: "dashpas-port", - 3499: "sccip-media", - 3500: "rtmp-port", - 3501: "isoft-p2p", - 3502: "avinstalldisc", - 3503: "lsp-ping", - 3504: "ironstorm", - 3505: "ccmcomm", - 3506: "apc-3506", - 3507: "nesh-broker", - 3508: "interactionweb", - 3509: "vt-ssl", - 3510: "xss-port", - 3511: "webmail-2", - 3512: "aztec", - 3513: "arcpd", - 3514: "must-p2p", - 3515: "must-backplane", - 3516: "smartcard-port", - 3517: "802-11-iapp", - 3518: "artifact-msg", - 3519: "galileo", - 3520: "galileolog", - 3521: "mc3ss", - 3522: "nssocketport", - 3523: "odeumservlink", - 3524: "ecmport", - 3525: "eisport", - 3526: "starquiz-port", - 3527: "beserver-msg-q", - 3528: "jboss-iiop", - 3529: "jboss-iiop-ssl", - 3530: "gf", - 3531: "joltid", - 3532: "raven-rmp", - 3533: "raven-rdp", - 3534: "urld-port", - 3535: "ms-la", - 3536: "snac", - 3537: "ni-visa-remote", - 3538: "ibm-diradm", - 3539: "ibm-diradm-ssl", - 3540: "pnrp-port", - 3541: "voispeed-port", - 3542: "hacl-monitor", - 3543: "qftest-lookup", - 3544: "teredo", - 3545: "camac", - 3547: "symantec-sim", - 3548: "interworld", - 3549: "tellumat-nms", - 3550: "ssmpp", - 3551: "apcupsd", - 3552: "taserver", - 3553: "rbr-discovery", - 3554: "questnotify", - 3555: "razor", - 3556: "sky-transport", - 3557: "personalos-001", - 3558: "mcp-port", - 3559: "cctv-port", - 3560: "iniserve-port", - 3561: "bmc-onekey", - 3562: "sdbproxy", - 3563: "watcomdebug", - 3564: "esimport", - 3567: "enc-eps", - 3568: "enc-tunnel-sec", - 3569: "mbg-ctrl", - 3570: "mccwebsvr-port", - 3571: "megardsvr-port", - 3572: "megaregsvrport", - 3573: "tag-ups-1", - 3574: "dmaf-caster", - 3575: "ccm-port", - 3576: "cmc-port", - 3577: "config-port", - 3578: "data-port", - 3579: "ttat3lb", - 3580: "nati-svrloc", - 3581: "kfxaclicensing", - 3582: "press", - 3583: "canex-watch", - 3584: "u-dbap", - 3585: "emprise-lls", - 3586: "emprise-lsc", - 3587: "p2pgroup", - 3588: "sentinel", - 3589: "isomair", - 3590: "wv-csp-sms", - 3591: "gtrack-server", - 3592: "gtrack-ne", - 3593: "bpmd", - 3594: "mediaspace", - 3595: "shareapp", - 3596: "iw-mmogame", - 3597: "a14", - 3598: "a15", - 3599: "quasar-server", - 3600: "trap-daemon", - 3601: "visinet-gui", - 3602: "infiniswitchcl", - 3603: "int-rcv-cntrl", - 3604: "bmc-jmx-port", - 3605: "comcam-io", - 3606: "splitlock", - 3607: "precise-i3", - 3608: "trendchip-dcp", - 3609: "cpdi-pidas-cm", - 3610: "echonet", - 3611: "six-degrees", - 3612: "hp-dataprotect", - 3613: "alaris-disc", - 3614: "sigma-port", - 3615: "start-network", - 3616: "cd3o-protocol", - 3617: "sharp-server", - 3618: "aairnet-1", - 3619: "aairnet-2", - 3620: "ep-pcp", - 3621: "ep-nsp", - 3622: "ff-lr-port", - 3623: "haipe-discover", - 3624: "dist-upgrade", - 3625: "volley", - 3626: "bvcdaemon-port", - 3627: "jamserverport", - 3628: "ept-machine", - 3629: "escvpnet", - 3630: "cs-remote-db", - 3631: "cs-services", - 3632: "distcc", - 3633: "wacp", - 3634: "hlibmgr", - 3635: "sdo", - 3636: "servistaitsm", - 3637: "scservp", - 3638: "ehp-backup", - 3639: "xap-ha", - 3640: "netplay-port1", - 3641: "netplay-port2", - 3642: "juxml-port", - 3643: "audiojuggler", - 3644: "ssowatch", - 3645: "cyc", - 3646: "xss-srv-port", - 3647: "splitlock-gw", - 3648: "fjcp", - 3649: "nmmp", - 3650: "prismiq-plugin", - 3651: "xrpc-registry", - 3652: "vxcrnbuport", - 3653: "tsp", - 3654: "vaprtm", - 3655: "abatemgr", - 3656: "abatjss", - 3657: "immedianet-bcn", - 3658: "ps-ams", - 3659: "apple-sasl", - 3660: "can-nds-ssl", - 3661: "can-ferret-ssl", - 3662: "pserver", - 3663: "dtp", - 3664: "ups-engine", - 3665: "ent-engine", - 3666: "eserver-pap", - 3667: "infoexch", - 3668: "dell-rm-port", - 3669: "casanswmgmt", - 3670: "smile", - 3671: "efcp", - 3672: "lispworks-orb", - 3673: "mediavault-gui", - 3674: "wininstall-ipc", - 3675: "calltrax", - 3676: "va-pacbase", - 3677: "roverlog", - 3678: "ipr-dglt", - 3679: "Escale (Newton Dock)", - 3680: "npds-tracker", - 3681: "bts-x73", - 3682: "cas-mapi", - 3683: "bmc-ea", - 3684: "faxstfx-port", - 3685: "dsx-agent", - 3686: "tnmpv2", - 3687: "simple-push", - 3688: "simple-push-s", - 3689: "daap", - 3690: "svn", - 3691: "magaya-network", - 3692: "intelsync", - 3695: "bmc-data-coll", - 3696: "telnetcpcd", - 3697: "nw-license", - 3698: "sagectlpanel", - 3699: "kpn-icw", - 3700: "lrs-paging", - 3701: "netcelera", - 3702: "ws-discovery", - 3703: "adobeserver-3", - 3704: "adobeserver-4", - 3705: "adobeserver-5", - 3706: "rt-event", - 3707: "rt-event-s", - 3708: "sun-as-iiops", - 3709: "ca-idms", - 3710: "portgate-auth", - 3711: "edb-server2", - 3712: "sentinel-ent", - 3713: "tftps", - 3714: "delos-dms", - 3715: "anoto-rendezv", - 3716: "wv-csp-sms-cir", - 3717: "wv-csp-udp-cir", - 3718: "opus-services", - 3719: "itelserverport", - 3720: "ufastro-instr", - 3721: "xsync", - 3722: "xserveraid", - 3723: "sychrond", - 3724: "blizwow", - 3725: "na-er-tip", - 3726: "array-manager", - 3727: "e-mdu", - 3728: "e-woa", - 3729: "fksp-audit", - 3730: "client-ctrl", - 3731: "smap", - 3732: "m-wnn", - 3733: "multip-msg", - 3734: "synel-data", - 3735: "pwdis", - 3736: "rs-rmi", - 3738: "versatalk", - 3739: "launchbird-lm", - 3740: "heartbeat", - 3741: "wysdma", - 3742: "cst-port", - 3743: "ipcs-command", - 3744: "sasg", - 3745: "gw-call-port", - 3746: "linktest", - 3747: "linktest-s", - 3748: "webdata", - 3749: "cimtrak", - 3750: "cbos-ip-port", - 3751: "gprs-cube", - 3752: "vipremoteagent", - 3753: "nattyserver", - 3754: "timestenbroker", - 3755: "sas-remote-hlp", - 3756: "canon-capt", - 3757: "grf-port", - 3758: "apw-registry", - 3759: "exapt-lmgr", - 3760: "adtempusclient", - 3761: "gsakmp", - 3762: "gbs-smp", - 3763: "xo-wave", - 3764: "mni-prot-rout", - 3765: "rtraceroute", - 3767: "listmgr-port", - 3768: "rblcheckd", - 3769: "haipe-otnk", - 3770: "cindycollab", - 3771: "paging-port", - 3772: "ctp", - 3773: "ctdhercules", - 3774: "zicom", - 3775: "ispmmgr", - 3776: "dvcprov-port", - 3777: "jibe-eb", - 3778: "c-h-it-port", - 3779: "cognima", - 3780: "nnp", - 3781: "abcvoice-port", - 3782: "iso-tp0s", - 3783: "bim-pem", - 3784: "bfd-control", - 3785: "bfd-echo", - 3786: "upstriggervsw", - 3787: "fintrx", - 3788: "isrp-port", - 3789: "remotedeploy", - 3790: "quickbooksrds", - 3791: "tvnetworkvideo", - 3792: "sitewatch", - 3793: "dcsoftware", - 3794: "jaus", - 3795: "myblast", - 3796: "spw-dialer", - 3797: "idps", - 3798: "minilock", - 3799: "radius-dynauth", - 3800: "pwgpsi", - 3801: "ibm-mgr", - 3802: "vhd", - 3803: "soniqsync", - 3804: "iqnet-port", - 3805: "tcpdataserver", - 3806: "wsmlb", - 3807: "spugna", - 3808: "sun-as-iiops-ca", - 3809: "apocd", - 3810: "wlanauth", - 3811: "amp", - 3812: "neto-wol-server", - 3813: "rap-ip", - 3814: "neto-dcs", - 3815: "lansurveyorxml", - 3816: "sunlps-http", - 3817: "tapeware", - 3818: "crinis-hb", - 3819: "epl-slp", - 3820: "scp", - 3821: "pmcp", - 3822: "acp-discovery", - 3823: "acp-conduit", - 3824: "acp-policy", - 3825: "ffserver", - 3826: "warmux", - 3827: "netmpi", - 3828: "neteh", - 3829: "neteh-ext", - 3830: "cernsysmgmtagt", - 3831: "dvapps", - 3832: "xxnetserver", - 3833: "aipn-auth", - 3834: "spectardata", - 3835: "spectardb", - 3836: "markem-dcp", - 3837: "mkm-discovery", - 3838: "sos", - 3839: "amx-rms", - 3840: "flirtmitmir", - 3842: "nhci", - 3843: "quest-agent", - 3844: "rnm", - 3845: "v-one-spp", - 3846: "an-pcp", - 3847: "msfw-control", - 3848: "item", - 3849: "spw-dnspreload", - 3850: "qtms-bootstrap", - 3851: "spectraport", - 3852: "sse-app-config", - 3853: "sscan", - 3854: "stryker-com", - 3855: "opentrac", - 3856: "informer", - 3857: "trap-port", - 3858: "trap-port-mom", - 3859: "nav-port", - 3860: "sasp", - 3861: "winshadow-hd", - 3862: "giga-pocket", - 3863: "asap-udp", - 3865: "xpl", - 3866: "dzdaemon", - 3867: "dzoglserver", - 3869: "ovsam-mgmt", - 3870: "ovsam-d-agent", - 3871: "avocent-adsap", - 3872: "oem-agent", - 3873: "fagordnc", - 3874: "sixxsconfig", - 3875: "pnbscada", - 3876: "dl-agent", - 3877: "xmpcr-interface", - 3878: "fotogcad", - 3879: "appss-lm", - 3880: "igrs", - 3881: "idac", - 3882: "msdts1", - 3883: "vrpn", - 3884: "softrack-meter", - 3885: "topflow-ssl", - 3886: "nei-management", - 3887: "ciphire-data", - 3888: "ciphire-serv", - 3889: "dandv-tester", - 3890: "ndsconnect", - 3891: "rtc-pm-port", - 3892: "pcc-image-port", - 3893: "cgi-starapi", - 3894: "syam-agent", - 3895: "syam-smc", - 3896: "sdo-tls", - 3897: "sdo-ssh", - 3898: "senip", - 3899: "itv-control", - 3900: "udt-os", - 3901: "nimsh", - 3902: "nimaux", - 3903: "charsetmgr", - 3904: "omnilink-port", - 3905: "mupdate", - 3906: "topovista-data", - 3907: "imoguia-port", - 3908: "hppronetman", - 3909: "surfcontrolcpa", - 3910: "prnrequest", - 3911: "prnstatus", - 3912: "gbmt-stars", - 3913: "listcrt-port", - 3914: "listcrt-port-2", - 3915: "agcat", - 3916: "wysdmc", - 3917: "aftmux", - 3918: "pktcablemmcops", - 3919: "hyperip", - 3920: "exasoftport1", - 3921: "herodotus-net", - 3922: "sor-update", - 3923: "symb-sb-port", - 3924: "mpl-gprs-port", - 3925: "zmp", - 3926: "winport", - 3927: "natdataservice", - 3928: "netboot-pxe", - 3929: "smauth-port", - 3930: "syam-webserver", - 3931: "msr-plugin-port", - 3932: "dyn-site", - 3933: "plbserve-port", - 3934: "sunfm-port", - 3935: "sdp-portmapper", - 3936: "mailprox", - 3937: "dvbservdsc", - 3938: "dbcontrol-agent", - 3939: "aamp", - 3940: "xecp-node", - 3941: "homeportal-web", - 3942: "srdp", - 3943: "tig", - 3944: "sops", - 3945: "emcads", - 3946: "backupedge", - 3947: "ccp", - 3948: "apdap", - 3949: "drip", - 3950: "namemunge", - 3951: "pwgippfax", - 3952: "i3-sessionmgr", - 3953: "xmlink-connect", - 3954: "adrep", - 3955: "p2pcommunity", - 3956: "gvcp", - 3957: "mqe-broker", - 3958: "mqe-agent", - 3959: "treehopper", - 3960: "bess", - 3961: "proaxess", - 3962: "sbi-agent", - 3963: "thrp", - 3964: "sasggprs", - 3965: "ati-ip-to-ncpe", - 3966: "bflckmgr", - 3967: "ppsms", - 3968: "ianywhere-dbns", - 3969: "landmarks", - 3970: "lanrevagent", - 3971: "lanrevserver", - 3972: "iconp", - 3973: "progistics", - 3974: "citysearch", - 3975: "airshot", - 3976: "opswagent", - 3977: "opswmanager", - 3978: "secure-cfg-svr", - 3979: "smwan", - 3980: "acms", - 3981: "starfish", - 3982: "eis", - 3983: "eisp", - 3984: "mapper-nodemgr", - 3985: "mapper-mapethd", - 3986: "mapper-ws-ethd", - 3987: "centerline", - 3988: "dcs-config", - 3989: "bv-queryengine", - 3990: "bv-is", - 3991: "bv-smcsrv", - 3992: "bv-ds", - 3993: "bv-agent", - 3995: "iss-mgmt-ssl", - 3996: "abcsoftware", - 3997: "agentsease-db", - 3998: "dnx", - 3999: "nvcnet", - 4000: "terabase", - 4001: "newoak", - 4002: "pxc-spvr-ft", - 4003: "pxc-splr-ft", - 4004: "pxc-roid", - 4005: "pxc-pin", - 4006: "pxc-spvr", - 4007: "pxc-splr", - 4008: "netcheque", - 4009: "chimera-hwm", - 4010: "samsung-unidex", - 4011: "altserviceboot", - 4012: "pda-gate", - 4013: "acl-manager", - 4014: "taiclock", - 4015: "talarian-mcast1", - 4016: "talarian-mcast2", - 4017: "talarian-mcast3", - 4018: "talarian-mcast4", - 4019: "talarian-mcast5", - 4020: "trap", - 4021: "nexus-portal", - 4022: "dnox", - 4023: "esnm-zoning", - 4024: "tnp1-port", - 4025: "partimage", - 4026: "as-debug", - 4027: "bxp", - 4028: "dtserver-port", - 4029: "ip-qsig", - 4030: "jdmn-port", - 4031: "suucp", - 4032: "vrts-auth-port", - 4033: "sanavigator", - 4034: "ubxd", - 4035: "wap-push-http", - 4036: "wap-push-https", - 4037: "ravehd", - 4038: "fazzt-ptp", - 4039: "fazzt-admin", - 4040: "yo-main", - 4041: "houston", - 4042: "ldxp", - 4043: "nirp", - 4044: "ltp", - 4045: "npp", - 4046: "acp-proto", - 4047: "ctp-state", - 4049: "wafs", - 4050: "cisco-wafs", - 4051: "cppdp", - 4052: "interact", - 4053: "ccu-comm-1", - 4054: "ccu-comm-2", - 4055: "ccu-comm-3", - 4056: "lms", - 4057: "wfm", - 4058: "kingfisher", - 4059: "dlms-cosem", - 4060: "dsmeter-iatc", - 4061: "ice-location", - 4062: "ice-slocation", - 4063: "ice-router", - 4064: "ice-srouter", - 4065: "avanti-cdp", - 4066: "pmas", - 4067: "idp", - 4068: "ipfltbcst", - 4069: "minger", - 4070: "tripe", - 4071: "aibkup", - 4072: "zieto-sock", - 4073: "iRAPP", - 4074: "cequint-cityid", - 4075: "perimlan", - 4076: "seraph", - 4077: "ascomalarm", - 4079: "santools", - 4080: "lorica-in", - 4081: "lorica-in-sec", - 4082: "lorica-out", - 4083: "lorica-out-sec", - 4084: "fortisphere-vm", - 4086: "ftsync", - 4089: "opencore", - 4090: "omasgport", - 4091: "ewinstaller", - 4092: "ewdgs", - 4093: "pvxpluscs", - 4094: "sysrqd", - 4095: "xtgui", - 4096: "bre", - 4097: "patrolview", - 4098: "drmsfsd", - 4099: "dpcp", - 4100: "igo-incognito", - 4101: "brlp-0", - 4102: "brlp-1", - 4103: "brlp-2", - 4104: "brlp-3", - 4105: "shofar", - 4106: "synchronite", - 4107: "j-ac", - 4108: "accel", - 4109: "izm", - 4110: "g2tag", - 4111: "xgrid", - 4112: "apple-vpns-rp", - 4113: "aipn-reg", - 4114: "jomamqmonitor", - 4115: "cds", - 4116: "smartcard-tls", - 4117: "hillrserv", - 4118: "netscript", - 4119: "assuria-slm", - 4121: "e-builder", - 4122: "fprams", - 4123: "z-wave", - 4124: "tigv2", - 4125: "opsview-envoy", - 4126: "ddrepl", - 4127: "unikeypro", - 4128: "nufw", - 4129: "nuauth", - 4130: "fronet", - 4131: "stars", - 4132: "nuts-dem", - 4133: "nuts-bootp", - 4134: "nifty-hmi", - 4135: "cl-db-attach", - 4136: "cl-db-request", - 4137: "cl-db-remote", - 4138: "nettest", - 4139: "thrtx", - 4140: "cedros-fds", - 4141: "oirtgsvc", - 4142: "oidocsvc", - 4143: "oidsr", - 4145: "vvr-control", - 4146: "tgcconnect", - 4147: "vrxpservman", - 4148: "hhb-handheld", - 4149: "agslb", - 4150: "PowerAlert-nsa", - 4151: "menandmice-noh", - 4152: "idig-mux", - 4153: "mbl-battd", - 4154: "atlinks", - 4155: "bzr", - 4156: "stat-results", - 4157: "stat-scanner", - 4158: "stat-cc", - 4159: "nss", - 4160: "jini-discovery", - 4161: "omscontact", - 4162: "omstopology", - 4163: "silverpeakpeer", - 4164: "silverpeakcomm", - 4165: "altcp", - 4166: "joost", - 4167: "ddgn", - 4168: "pslicser", - 4169: "iadt-disc", - 4172: "pcoip", - 4173: "mma-discovery", - 4174: "sm-disc", - 4177: "wello", - 4178: "storman", - 4179: "MaxumSP", - 4180: "httpx", - 4181: "macbak", - 4182: "pcptcpservice", - 4183: "gmmp", - 4184: "universe-suite", - 4185: "wcpp", - 4188: "vatata", - 4191: "dsmipv6", - 4192: "azeti-bd", - 4199: "eims-admin", - 4300: "corelccam", - 4301: "d-data", - 4302: "d-data-control", - 4303: "srcp", - 4304: "owserver", - 4305: "batman", - 4306: "pinghgl", - 4307: "visicron-vs", - 4308: "compx-lockview", - 4309: "dserver", - 4310: "mirrtex", - 4320: "fdt-rcatp", - 4321: "rwhois", - 4322: "trim-event", - 4323: "trim-ice", - 4324: "balour", - 4325: "geognosisman", - 4326: "geognosis", - 4327: "jaxer-web", - 4328: "jaxer-manager", - 4333: "ahsp", - 4340: "gaia", - 4341: "lisp-data", - 4342: "lisp-control", - 4343: "unicall", - 4344: "vinainstall", - 4345: "m4-network-as", - 4346: "elanlm", - 4347: "lansurveyor", - 4348: "itose", - 4349: "fsportmap", - 4350: "net-device", - 4351: "plcy-net-svcs", - 4352: "pjlink", - 4353: "f5-iquery", - 4354: "qsnet-trans", - 4355: "qsnet-workst", - 4356: "qsnet-assist", - 4357: "qsnet-cond", - 4358: "qsnet-nucl", - 4359: "omabcastltkm", - 4361: "nacnl", - 4362: "afore-vdp-disc", - 4368: "wxbrief", - 4369: "epmd", - 4370: "elpro-tunnel", - 4371: "l2c-disc", - 4372: "l2c-data", - 4373: "remctl", - 4375: "tolteces", - 4376: "bip", - 4377: "cp-spxsvr", - 4378: "cp-spxdpy", - 4379: "ctdb", - 4389: "xandros-cms", - 4390: "wiegand", - 4394: "apwi-disc", - 4395: "omnivisionesx", - 4400: "ds-srv", - 4401: "ds-srvr", - 4402: "ds-clnt", - 4403: "ds-user", - 4404: "ds-admin", - 4405: "ds-mail", - 4406: "ds-slp", - 4425: "netrockey6", - 4426: "beacon-port-2", - 4430: "rsqlserver", - 4432: "l-acoustics", - 4441: "netblox", - 4442: "saris", - 4443: "pharos", - 4444: "krb524", - 4445: "upnotifyp", - 4446: "n1-fwp", - 4447: "n1-rmgmt", - 4448: "asc-slmd", - 4449: "privatewire", - 4450: "camp", - 4451: "ctisystemmsg", - 4452: "ctiprogramload", - 4453: "nssalertmgr", - 4454: "nssagentmgr", - 4455: "prchat-user", - 4456: "prchat-server", - 4457: "prRegister", - 4458: "mcp", - 4484: "hpssmgmt", - 4486: "icms", - 4488: "awacs-ice", - 4500: "ipsec-nat-t", - 4534: "armagetronad", - 4535: "ehs", - 4536: "ehs-ssl", - 4537: "wssauthsvc", - 4538: "swx-gate", - 4545: "worldscores", - 4546: "sf-lm", - 4547: "lanner-lm", - 4548: "synchromesh", - 4549: "aegate", - 4550: "gds-adppiw-db", - 4551: "ieee-mih", - 4552: "menandmice-mon", - 4554: "msfrs", - 4555: "rsip", - 4556: "dtn-bundle", - 4557: "mtcevrunqss", - 4558: "mtcevrunqman", - 4559: "hylafax", - 4566: "kwtc", - 4567: "tram", - 4568: "bmc-reporting", - 4569: "iax", - 4591: "l3t-at-an", - 4592: "hrpd-ith-at-an", - 4593: "ipt-anri-anri", - 4594: "ias-session", - 4595: "ias-paging", - 4596: "ias-neighbor", - 4597: "a21-an-1xbs", - 4598: "a16-an-an", - 4599: "a17-an-an", - 4600: "piranha1", - 4601: "piranha2", - 4658: "playsta2-app", - 4659: "playsta2-lob", - 4660: "smaclmgr", - 4661: "kar2ouche", - 4662: "oms", - 4663: "noteit", - 4664: "ems", - 4665: "contclientms", - 4666: "eportcomm", - 4667: "mmacomm", - 4668: "mmaeds", - 4669: "eportcommdata", - 4670: "light", - 4671: "acter", - 4672: "rfa", - 4673: "cxws", - 4674: "appiq-mgmt", - 4675: "dhct-status", - 4676: "dhct-alerts", - 4677: "bcs", - 4678: "traversal", - 4679: "mgesupervision", - 4680: "mgemanagement", - 4681: "parliant", - 4682: "finisar", - 4683: "spike", - 4684: "rfid-rp1", - 4685: "autopac", - 4686: "msp-os", - 4687: "nst", - 4688: "mobile-p2p", - 4689: "altovacentral", - 4690: "prelude", - 4691: "mtn", - 4692: "conspiracy", - 4700: "netxms-agent", - 4701: "netxms-mgmt", - 4702: "netxms-sync", - 4725: "truckstar", - 4726: "a26-fap-fgw", - 4727: "fcis-disc", - 4728: "capmux", - 4729: "gsmtap", - 4730: "gearman", - 4732: "ohmtrigger", - 4737: "ipdr-sp", - 4738: "solera-lpn", - 4739: "ipfix", - 4740: "ipfixs", - 4741: "lumimgrd", - 4742: "sicct-sdp", - 4743: "openhpid", - 4744: "ifsp", - 4745: "fmp", - 4747: "buschtrommel", - 4749: "profilemac", - 4750: "ssad", - 4751: "spocp", - 4752: "snap", - 4753: "simon-disc", - 4784: "bfd-multi-ctl", - 4785: "cncp", - 4789: "vxlan", - 4790: "vxlan-gpe", - 4800: "iims", - 4801: "iwec", - 4802: "ilss", - 4803: "notateit-disc", - 4804: "aja-ntv4-disc", - 4827: "htcp", - 4837: "varadero-0", - 4838: "varadero-1", - 4839: "varadero-2", - 4840: "opcua-udp", - 4841: "quosa", - 4842: "gw-asv", - 4843: "opcua-tls", - 4844: "gw-log", - 4845: "wcr-remlib", - 4846: "contamac-icm", - 4847: "wfc", - 4848: "appserv-http", - 4849: "appserv-https", - 4850: "sun-as-nodeagt", - 4851: "derby-repli", - 4867: "unify-debug", - 4868: "phrelay", - 4869: "phrelaydbg", - 4870: "cc-tracking", - 4871: "wired", - 4876: "tritium-can", - 4877: "lmcs", - 4878: "inst-discovery", - 4881: "socp-t", - 4882: "socp-c", - 4884: "hivestor", - 4885: "abbs", - 4894: "lyskom", - 4899: "radmin-port", - 4900: "hfcs", - 4914: "bones", - 4936: "an-signaling", - 4937: "atsc-mh-ssc", - 4940: "eq-office-4940", - 4941: "eq-office-4941", - 4942: "eq-office-4942", - 4949: "munin", - 4950: "sybasesrvmon", - 4951: "pwgwims", - 4952: "sagxtsds", - 4969: "ccss-qmm", - 4970: "ccss-qsm", - 4986: "mrip", - 4987: "smar-se-port1", - 4988: "smar-se-port2", - 4989: "parallel", - 4990: "busycal", - 4991: "vrt", - 4999: "hfcs-manager", - 5000: "commplex-main", - 5001: "commplex-link", - 5002: "rfe", - 5003: "fmpro-internal", - 5004: "avt-profile-1", - 5005: "avt-profile-2", - 5006: "wsm-server", - 5007: "wsm-server-ssl", - 5008: "synapsis-edge", - 5009: "winfs", - 5010: "telelpathstart", - 5011: "telelpathattack", - 5012: "nsp", - 5013: "fmpro-v6", - 5014: "onpsocket", - 5020: "zenginkyo-1", - 5021: "zenginkyo-2", - 5022: "mice", - 5023: "htuilsrv", - 5024: "scpi-telnet", - 5025: "scpi-raw", - 5026: "strexec-d", - 5027: "strexec-s", - 5029: "infobright", - 5030: "surfpass", - 5031: "dmp", - 5042: "asnaacceler8db", - 5043: "swxadmin", - 5044: "lxi-evntsvc", - 5046: "vpm-udp", - 5047: "iscape", - 5049: "ivocalize", - 5050: "mmcc", - 5051: "ita-agent", - 5052: "ita-manager", - 5053: "rlm-disc", - 5055: "unot", - 5056: "intecom-ps1", - 5057: "intecom-ps2", - 5058: "locus-disc", - 5059: "sds", - 5060: "sip", - 5061: "sips", - 5062: "na-localise", - 5064: "ca-1", - 5065: "ca-2", - 5066: "stanag-5066", - 5067: "authentx", - 5069: "i-net-2000-npr", - 5070: "vtsas", - 5071: "powerschool", - 5072: "ayiya", - 5073: "tag-pm", - 5074: "alesquery", - 5078: "pixelpusher", - 5079: "cp-spxrpts", - 5080: "onscreen", - 5081: "sdl-ets", - 5082: "qcp", - 5083: "qfp", - 5084: "llrp", - 5085: "encrypted-llrp", - 5092: "magpie", - 5093: "sentinel-lm", - 5094: "hart-ip", - 5099: "sentlm-srv2srv", - 5100: "socalia", - 5101: "talarian-udp", - 5102: "oms-nonsecure", - 5104: "tinymessage", - 5105: "hughes-ap", - 5111: "taep-as-svc", - 5112: "pm-cmdsvr", - 5116: "emb-proj-cmd", - 5120: "barracuda-bbs", - 5133: "nbt-pc", - 5136: "minotaur-sa", - 5137: "ctsd", - 5145: "rmonitor-secure", - 5150: "atmp", - 5151: "esri-sde", - 5152: "sde-discovery", - 5154: "bzflag", - 5155: "asctrl-agent", - 5164: "vpa-disc", - 5165: "ife-icorp", - 5166: "winpcs", - 5167: "scte104", - 5168: "scte30", - 5190: "aol", - 5191: "aol-1", - 5192: "aol-2", - 5193: "aol-3", - 5200: "targus-getdata", - 5201: "targus-getdata1", - 5202: "targus-getdata2", - 5203: "targus-getdata3", - 5223: "hpvirtgrp", - 5224: "hpvirtctrl", - 5225: "hp-server", - 5226: "hp-status", - 5227: "perfd", - 5234: "eenet", - 5235: "galaxy-network", - 5236: "padl2sim", - 5237: "mnet-discovery", - 5245: "downtools-disc", - 5246: "capwap-control", - 5247: "capwap-data", - 5248: "caacws", - 5249: "caaclang2", - 5250: "soagateway", - 5251: "caevms", - 5252: "movaz-ssc", - 5264: "3com-njack-1", - 5265: "3com-njack-2", - 5270: "cartographerxmp", - 5271: "cuelink-disc", - 5272: "pk", - 5282: "transmit-port", - 5298: "presence", - 5299: "nlg-data", - 5300: "hacl-hb", - 5301: "hacl-gs", - 5302: "hacl-cfg", - 5303: "hacl-probe", - 5304: "hacl-local", - 5305: "hacl-test", - 5306: "sun-mc-grp", - 5307: "sco-aip", - 5308: "cfengine", - 5309: "jprinter", - 5310: "outlaws", - 5312: "permabit-cs", - 5313: "rrdp", - 5314: "opalis-rbt-ipc", - 5315: "hacl-poll", - 5343: "kfserver", - 5344: "xkotodrcp", - 5349: "stuns", - 5350: "pcp-multicast", - 5351: "pcp", - 5352: "dns-llq", - 5353: "mdns", - 5354: "mdnsresponder", - 5355: "llmnr", - 5356: "ms-smlbiz", - 5357: "wsdapi", - 5358: "wsdapi-s", - 5359: "ms-alerter", - 5360: "ms-sideshow", - 5361: "ms-s-sideshow", - 5362: "serverwsd2", - 5363: "net-projection", - 5364: "kdnet", - 5397: "stresstester", - 5398: "elektron-admin", - 5399: "securitychase", - 5400: "excerpt", - 5401: "excerpts", - 5402: "mftp", - 5403: "hpoms-ci-lstn", - 5404: "hpoms-dps-lstn", - 5405: "netsupport", - 5406: "systemics-sox", - 5407: "foresyte-clear", - 5408: "foresyte-sec", - 5409: "salient-dtasrv", - 5410: "salient-usrmgr", - 5411: "actnet", - 5412: "continuus", - 5413: "wwiotalk", - 5414: "statusd", - 5415: "ns-server", - 5416: "sns-gateway", - 5417: "sns-agent", - 5418: "mcntp", - 5419: "dj-ice", - 5420: "cylink-c", - 5421: "netsupport2", - 5422: "salient-mux", - 5423: "virtualuser", - 5424: "beyond-remote", - 5425: "br-channel", - 5426: "devbasic", - 5427: "sco-peer-tta", - 5428: "telaconsole", - 5429: "base", - 5430: "radec-corp", - 5431: "park-agent", - 5432: "postgresql", - 5433: "pyrrho", - 5434: "sgi-arrayd", - 5435: "sceanics", - 5436: "pmip6-cntl", - 5437: "pmip6-data", - 5443: "spss", - 5453: "surebox", - 5454: "apc-5454", - 5455: "apc-5455", - 5456: "apc-5456", - 5461: "silkmeter", - 5462: "ttl-publisher", - 5463: "ttlpriceproxy", - 5464: "quailnet", - 5465: "netops-broker", - 5500: "fcp-addr-srvr1", - 5501: "fcp-addr-srvr2", - 5502: "fcp-srvr-inst1", - 5503: "fcp-srvr-inst2", - 5504: "fcp-cics-gw1", - 5505: "checkoutdb", - 5506: "amc", - 5553: "sgi-eventmond", - 5554: "sgi-esphttp", - 5555: "personal-agent", - 5556: "freeciv", - 5567: "enc-eps-mc-sec", - 5568: "sdt", - 5569: "rdmnet-device", - 5573: "sdmmp", - 5580: "tmosms0", - 5581: "tmosms1", - 5582: "fac-restore", - 5583: "tmo-icon-sync", - 5584: "bis-web", - 5585: "bis-sync", - 5597: "ininmessaging", - 5598: "mctfeed", - 5599: "esinstall", - 5600: "esmmanager", - 5601: "esmagent", - 5602: "a1-msc", - 5603: "a1-bs", - 5604: "a3-sdunode", - 5605: "a4-sdunode", - 5627: "ninaf", - 5628: "htrust", - 5629: "symantec-sfdb", - 5630: "precise-comm", - 5631: "pcanywheredata", - 5632: "pcanywherestat", - 5633: "beorl", - 5634: "xprtld", - 5670: "zre-disc", - 5671: "amqps", - 5672: "amqp", - 5673: "jms", - 5674: "hyperscsi-port", - 5675: "v5ua", - 5676: "raadmin", - 5677: "questdb2-lnchr", - 5678: "rrac", - 5679: "dccm", - 5680: "auriga-router", - 5681: "ncxcp", - 5682: "brightcore", - 5683: "coap", - 5684: "coaps", - 5687: "gog-multiplayer", - 5688: "ggz", - 5689: "qmvideo", - 5713: "proshareaudio", - 5714: "prosharevideo", - 5715: "prosharedata", - 5716: "prosharerequest", - 5717: "prosharenotify", - 5718: "dpm", - 5719: "dpm-agent", - 5720: "ms-licensing", - 5721: "dtpt", - 5722: "msdfsr", - 5723: "omhs", - 5724: "omsdk", - 5728: "io-dist-group", - 5729: "openmail", - 5730: "unieng", - 5741: "ida-discover1", - 5742: "ida-discover2", - 5743: "watchdoc-pod", - 5744: "watchdoc", - 5745: "fcopy-server", - 5746: "fcopys-server", - 5747: "tunatic", - 5748: "tunalyzer", - 5750: "rscd", - 5755: "openmailg", - 5757: "x500ms", - 5766: "openmailns", - 5767: "s-openmail", - 5768: "openmailpxy", - 5769: "spramsca", - 5770: "spramsd", - 5771: "netagent", - 5777: "dali-port", - 5781: "3par-evts", - 5782: "3par-mgmt", - 5783: "3par-mgmt-ssl", - 5784: "ibar", - 5785: "3par-rcopy", - 5786: "cisco-redu", - 5787: "waascluster", - 5793: "xtreamx", - 5794: "spdp", - 5813: "icmpd", - 5814: "spt-automation", - 5859: "wherehoo", - 5863: "ppsuitemsg", - 5900: "rfb", - 5910: "cm", - 5911: "cpdlc", - 5912: "fis", - 5913: "ads-c", - 5963: "indy", - 5968: "mppolicy-v5", - 5969: "mppolicy-mgr", - 5984: "couchdb", - 5985: "wsman", - 5986: "wsmans", - 5987: "wbem-rmi", - 5988: "wbem-http", - 5989: "wbem-https", - 5990: "wbem-exp-https", - 5991: "nuxsl", - 5992: "consul-insight", - 5999: "cvsup", - 6064: "ndl-ahp-svc", - 6065: "winpharaoh", - 6066: "ewctsp", - 6069: "trip", - 6070: "messageasap", - 6071: "ssdtp", - 6072: "diagnose-proc", - 6073: "directplay8", - 6074: "max", - 6081: "geneve", - 6082: "p25cai", - 6083: "miami-bcast", - 6085: "konspire2b", - 6086: "pdtp", - 6087: "ldss", - 6088: "doglms-notify", - 6100: "synchronet-db", - 6101: "synchronet-rtc", - 6102: "synchronet-upd", - 6103: "rets", - 6104: "dbdb", - 6105: "primaserver", - 6106: "mpsserver", - 6107: "etc-control", - 6108: "sercomm-scadmin", - 6109: "globecast-id", - 6110: "softcm", - 6111: "spc", - 6112: "dtspcd", - 6118: "tipc", - 6122: "bex-webadmin", - 6123: "backup-express", - 6124: "pnbs", - 6133: "nbt-wol", - 6140: "pulsonixnls", - 6141: "meta-corp", - 6142: "aspentec-lm", - 6143: "watershed-lm", - 6144: "statsci1-lm", - 6145: "statsci2-lm", - 6146: "lonewolf-lm", - 6147: "montage-lm", - 6148: "ricardo-lm", - 6149: "tal-pod", - 6160: "ecmp-data", - 6161: "patrol-ism", - 6162: "patrol-coll", - 6163: "pscribe", - 6200: "lm-x", - 6201: "thermo-calc", - 6222: "radmind", - 6241: "jeol-nsddp-1", - 6242: "jeol-nsddp-2", - 6243: "jeol-nsddp-3", - 6244: "jeol-nsddp-4", - 6251: "tl1-raw-ssl", - 6252: "tl1-ssh", - 6253: "crip", - 6268: "grid", - 6269: "grid-alt", - 6300: "bmc-grx", - 6301: "bmc-ctd-ldap", - 6306: "ufmp", - 6315: "scup-disc", - 6316: "abb-escp", - 6317: "nav-data", - 6320: "repsvc", - 6321: "emp-server1", - 6322: "emp-server2", - 6324: "hrd-ns-disc", - 6343: "sflow", - 6346: "gnutella-svc", - 6347: "gnutella-rtr", - 6350: "adap", - 6355: "pmcs", - 6360: "metaedit-mu", - 6363: "ndn", - 6370: "metaedit-se", - 6382: "metatude-mds", - 6389: "clariion-evr01", - 6390: "metaedit-ws", - 6417: "faxcomservice", - 6420: "nim-vdrshell", - 6421: "nim-wan", - 6443: "sun-sr-https", - 6444: "sge-qmaster", - 6445: "sge-execd", - 6446: "mysql-proxy", - 6455: "skip-cert-recv", - 6456: "skip-cert-send", - 6471: "lvision-lm", - 6480: "sun-sr-http", - 6481: "servicetags", - 6482: "ldoms-mgmt", - 6483: "SunVTS-RMI", - 6484: "sun-sr-jms", - 6485: "sun-sr-iiop", - 6486: "sun-sr-iiops", - 6487: "sun-sr-iiop-aut", - 6488: "sun-sr-jmx", - 6489: "sun-sr-admin", - 6500: "boks", - 6501: "boks-servc", - 6502: "boks-servm", - 6503: "boks-clntd", - 6505: "badm-priv", - 6506: "badm-pub", - 6507: "bdir-priv", - 6508: "bdir-pub", - 6509: "mgcs-mfp-port", - 6510: "mcer-port", - 6511: "dccp-udp", - 6514: "syslog-tls", - 6515: "elipse-rec", - 6543: "lds-distrib", - 6544: "lds-dump", - 6547: "apc-6547", - 6548: "apc-6548", - 6549: "apc-6549", - 6550: "fg-sysupdate", - 6551: "sum", - 6558: "xdsxdm", - 6566: "sane-port", - 6568: "rp-reputation", - 6579: "affiliate", - 6580: "parsec-master", - 6581: "parsec-peer", - 6582: "parsec-game", - 6583: "joaJewelSuite", - 6619: "odette-ftps", - 6620: "kftp-data", - 6621: "kftp", - 6622: "mcftp", - 6623: "ktelnet", - 6626: "wago-service", - 6627: "nexgen", - 6628: "afesc-mc", - 6633: "cisco-vpath-tun", - 6634: "mpls-pm", - 6653: "openflow", - 6657: "palcom-disc", - 6670: "vocaltec-gold", - 6671: "p4p-portal", - 6672: "vision-server", - 6673: "vision-elmd", - 6678: "vfbp-disc", - 6679: "osaut", - 6689: "tsa", - 6696: "babel", - 6701: "kti-icad-srvr", - 6702: "e-design-net", - 6703: "e-design-web", - 6714: "ibprotocol", - 6715: "fibotrader-com", - 6767: "bmc-perf-agent", - 6768: "bmc-perf-mgrd", - 6769: "adi-gxp-srvprt", - 6770: "plysrv-http", - 6771: "plysrv-https", - 6784: "bfd-lag", - 6785: "dgpf-exchg", - 6786: "smc-jmx", - 6787: "smc-admin", - 6788: "smc-http", - 6789: "smc-https", - 6790: "hnmp", - 6791: "hnm", - 6801: "acnet", - 6831: "ambit-lm", - 6841: "netmo-default", - 6842: "netmo-http", - 6850: "iccrushmore", - 6868: "acctopus-st", - 6888: "muse", - 6935: "ethoscan", - 6936: "xsmsvc", - 6946: "bioserver", - 6951: "otlp", - 6961: "jmact3", - 6962: "jmevt2", - 6963: "swismgr1", - 6964: "swismgr2", - 6965: "swistrap", - 6966: "swispol", - 6969: "acmsoda", - 6997: "MobilitySrv", - 6998: "iatp-highpri", - 6999: "iatp-normalpri", - 7000: "afs3-fileserver", - 7001: "afs3-callback", - 7002: "afs3-prserver", - 7003: "afs3-vlserver", - 7004: "afs3-kaserver", - 7005: "afs3-volser", - 7006: "afs3-errors", - 7007: "afs3-bos", - 7008: "afs3-update", - 7009: "afs3-rmtsys", - 7010: "ups-onlinet", - 7011: "talon-disc", - 7012: "talon-engine", - 7013: "microtalon-dis", - 7014: "microtalon-com", - 7015: "talon-webserver", - 7019: "doceri-view", - 7020: "dpserve", - 7021: "dpserveadmin", - 7022: "ctdp", - 7023: "ct2nmcs", - 7024: "vmsvc", - 7025: "vmsvc-2", - 7030: "op-probe", - 7040: "quest-disc", - 7070: "arcp", - 7071: "iwg1", - 7080: "empowerid", - 7095: "jdp-disc", - 7099: "lazy-ptop", - 7100: "font-service", - 7101: "elcn", - 7107: "aes-x170", - 7121: "virprot-lm", - 7128: "scenidm", - 7129: "scenccs", - 7161: "cabsm-comm", - 7162: "caistoragemgr", - 7163: "cacsambroker", - 7164: "fsr", - 7165: "doc-server", - 7166: "aruba-server", - 7169: "ccag-pib", - 7170: "nsrp", - 7171: "drm-production", - 7174: "clutild", - 7181: "janus-disc", - 7200: "fodms", - 7201: "dlip", - 7227: "ramp", - 7235: "aspcoordination", - 7262: "cnap", - 7272: "watchme-7272", - 7273: "oma-rlp", - 7274: "oma-rlp-s", - 7275: "oma-ulp", - 7276: "oma-ilp", - 7277: "oma-ilp-s", - 7278: "oma-dcdocbs", - 7279: "ctxlic", - 7280: "itactionserver1", - 7281: "itactionserver2", - 7282: "mzca-alert", - 7365: "lcm-server", - 7391: "mindfilesys", - 7392: "mrssrendezvous", - 7393: "nfoldman", - 7394: "fse", - 7395: "winqedit", - 7397: "hexarc", - 7400: "rtps-discovery", - 7401: "rtps-dd-ut", - 7402: "rtps-dd-mt", - 7410: "ionixnetmon", - 7411: "daqstream", - 7421: "mtportmon", - 7426: "pmdmgr", - 7427: "oveadmgr", - 7428: "ovladmgr", - 7429: "opi-sock", - 7430: "xmpv7", - 7431: "pmd", - 7437: "faximum", - 7443: "oracleas-https", - 7473: "rise", - 7491: "telops-lmd", - 7500: "silhouette", - 7501: "ovbus", - 7510: "ovhpas", - 7511: "pafec-lm", - 7542: "saratoga", - 7543: "atul", - 7544: "nta-ds", - 7545: "nta-us", - 7546: "cfs", - 7547: "cwmp", - 7548: "tidp", - 7549: "nls-tl", - 7550: "cloudsignaling", - 7560: "sncp", - 7566: "vsi-omega", - 7570: "aries-kfinder", - 7574: "coherence-disc", - 7588: "sun-lm", - 7624: "indi", - 7627: "soap-http", - 7628: "zen-pawn", - 7629: "xdas", - 7633: "pmdfmgt", - 7648: "cuseeme", - 7674: "imqtunnels", - 7675: "imqtunnel", - 7676: "imqbrokerd", - 7677: "sun-user-https", - 7680: "pando-pub", - 7689: "collaber", - 7697: "klio", - 7707: "sync-em7", - 7708: "scinet", - 7720: "medimageportal", - 7724: "nsdeepfreezectl", - 7725: "nitrogen", - 7726: "freezexservice", - 7727: "trident-data", - 7734: "smip", - 7738: "aiagent", - 7741: "scriptview", - 7743: "sstp-1", - 7744: "raqmon-pdu", - 7747: "prgp", - 7777: "cbt", - 7778: "interwise", - 7779: "vstat", - 7781: "accu-lmgr", - 7786: "minivend", - 7787: "popup-reminders", - 7789: "office-tools", - 7794: "q3ade", - 7797: "pnet-conn", - 7798: "pnet-enc", - 7799: "altbsdp", - 7800: "asr", - 7801: "ssp-client", - 7802: "vns-tp", - 7810: "rbt-wanopt", - 7845: "apc-7845", - 7846: "apc-7846", - 7872: "mipv6tls", - 7880: "pss", - 7887: "ubroker", - 7900: "mevent", - 7901: "tnos-sp", - 7902: "tnos-dp", - 7903: "tnos-dps", - 7913: "qo-secure", - 7932: "t2-drm", - 7933: "t2-brm", - 7962: "generalsync", - 7967: "supercell", - 7979: "micromuse-ncps", - 7980: "quest-vista", - 7982: "sossd-disc", - 7998: "usicontentpush", - 7999: "irdmi2", - 8000: "irdmi", - 8001: "vcom-tunnel", - 8002: "teradataordbms", - 8003: "mcreport", - 8005: "mxi", - 8008: "http-alt", - 8019: "qbdb", - 8020: "intu-ec-svcdisc", - 8021: "intu-ec-client", - 8022: "oa-system", - 8025: "ca-audit-da", - 8026: "ca-audit-ds", - 8032: "pro-ed", - 8033: "mindprint", - 8034: "vantronix-mgmt", - 8040: "ampify", - 8052: "senomix01", - 8053: "senomix02", - 8054: "senomix03", - 8055: "senomix04", - 8056: "senomix05", - 8057: "senomix06", - 8058: "senomix07", - 8059: "senomix08", - 8060: "aero", - 8074: "gadugadu", - 8080: "http-alt", - 8081: "sunproxyadmin", - 8082: "us-cli", - 8083: "us-srv", - 8086: "d-s-n", - 8087: "simplifymedia", - 8088: "radan-http", - 8097: "sac", - 8100: "xprint-server", - 8115: "mtl8000-matrix", - 8116: "cp-cluster", - 8118: "privoxy", - 8121: "apollo-data", - 8122: "apollo-admin", - 8128: "paycash-online", - 8129: "paycash-wbp", - 8130: "indigo-vrmi", - 8131: "indigo-vbcp", - 8132: "dbabble", - 8148: "isdd", - 8149: "eor-game", - 8160: "patrol", - 8161: "patrol-snmp", - 8182: "vmware-fdm", - 8184: "itach", - 8192: "spytechphone", - 8194: "blp1", - 8195: "blp2", - 8199: "vvr-data", - 8200: "trivnet1", - 8201: "trivnet2", - 8202: "aesop", - 8204: "lm-perfworks", - 8205: "lm-instmgr", - 8206: "lm-dta", - 8207: "lm-sserver", - 8208: "lm-webwatcher", - 8230: "rexecj", - 8243: "synapse-nhttps", - 8276: "pando-sec", - 8280: "synapse-nhttp", - 8292: "blp3", - 8294: "blp4", - 8300: "tmi", - 8301: "amberon", - 8320: "tnp-discover", - 8321: "tnp", - 8351: "server-find", - 8376: "cruise-enum", - 8377: "cruise-swroute", - 8378: "cruise-config", - 8379: "cruise-diags", - 8380: "cruise-update", - 8383: "m2mservices", - 8400: "cvd", - 8401: "sabarsd", - 8402: "abarsd", - 8403: "admind", - 8416: "espeech", - 8417: "espeech-rtp", - 8442: "cybro-a-bus", - 8443: "pcsync-https", - 8444: "pcsync-http", - 8445: "copy-disc", - 8450: "npmp", - 8472: "otv", - 8473: "vp2p", - 8474: "noteshare", - 8500: "fmtp", - 8501: "cmtp-av", - 8554: "rtsp-alt", - 8555: "d-fence", - 8567: "enc-tunnel", - 8600: "asterix", - 8609: "canon-cpp-disc", - 8610: "canon-mfnp", - 8611: "canon-bjnp1", - 8612: "canon-bjnp2", - 8613: "canon-bjnp3", - 8614: "canon-bjnp4", - 8675: "msi-cps-rm-disc", - 8686: "sun-as-jmxrmi", - 8732: "dtp-net", - 8733: "ibus", - 8763: "mc-appserver", - 8764: "openqueue", - 8765: "ultraseek-http", - 8766: "amcs", - 8770: "dpap", - 8786: "msgclnt", - 8787: "msgsrvr", - 8793: "acd-pm", - 8800: "sunwebadmin", - 8804: "truecm", - 8873: "dxspider", - 8880: "cddbp-alt", - 8883: "secure-mqtt", - 8888: "ddi-udp-1", - 8889: "ddi-udp-2", - 8890: "ddi-udp-3", - 8891: "ddi-udp-4", - 8892: "ddi-udp-5", - 8893: "ddi-udp-6", - 8894: "ddi-udp-7", - 8899: "ospf-lite", - 8900: "jmb-cds1", - 8901: "jmb-cds2", - 8910: "manyone-http", - 8911: "manyone-xml", - 8912: "wcbackup", - 8913: "dragonfly", - 8954: "cumulus-admin", - 8989: "sunwebadmins", - 8990: "http-wmap", - 8991: "https-wmap", - 8999: "bctp", - 9000: "cslistener", - 9001: "etlservicemgr", - 9002: "dynamid", - 9007: "ogs-client", - 9009: "pichat", - 9020: "tambora", - 9021: "panagolin-ident", - 9022: "paragent", - 9023: "swa-1", - 9024: "swa-2", - 9025: "swa-3", - 9026: "swa-4", - 9080: "glrpc", - 9084: "aurora", - 9085: "ibm-rsyscon", - 9086: "net2display", - 9087: "classic", - 9088: "sqlexec", - 9089: "sqlexec-ssl", - 9090: "websm", - 9091: "xmltec-xmlmail", - 9092: "XmlIpcRegSvc", - 9100: "hp-pdl-datastr", - 9101: "bacula-dir", - 9102: "bacula-fd", - 9103: "bacula-sd", - 9104: "peerwire", - 9105: "xadmin", - 9106: "astergate-disc", - 9119: "mxit", - 9131: "dddp", - 9160: "apani1", - 9161: "apani2", - 9162: "apani3", - 9163: "apani4", - 9164: "apani5", - 9191: "sun-as-jpda", - 9200: "wap-wsp", - 9201: "wap-wsp-wtp", - 9202: "wap-wsp-s", - 9203: "wap-wsp-wtp-s", - 9204: "wap-vcard", - 9205: "wap-vcal", - 9206: "wap-vcard-s", - 9207: "wap-vcal-s", - 9208: "rjcdb-vcards", - 9209: "almobile-system", - 9210: "oma-mlp", - 9211: "oma-mlp-s", - 9212: "serverviewdbms", - 9213: "serverstart", - 9214: "ipdcesgbs", - 9215: "insis", - 9216: "acme", - 9217: "fsc-port", - 9222: "teamcoherence", - 9255: "mon", - 9277: "traingpsdata", - 9278: "pegasus", - 9279: "pegasus-ctl", - 9280: "pgps", - 9281: "swtp-port1", - 9282: "swtp-port2", - 9283: "callwaveiam", - 9284: "visd", - 9285: "n2h2server", - 9286: "n2receive", - 9287: "cumulus", - 9292: "armtechdaemon", - 9293: "storview", - 9294: "armcenterhttp", - 9295: "armcenterhttps", - 9300: "vrace", - 9318: "secure-ts", - 9321: "guibase", - 9343: "mpidcmgr", - 9344: "mphlpdmc", - 9346: "ctechlicensing", - 9374: "fjdmimgr", - 9380: "boxp", - 9396: "fjinvmgr", - 9397: "mpidcagt", - 9400: "sec-t4net-srv", - 9401: "sec-t4net-clt", - 9402: "sec-pc2fax-srv", - 9418: "git", - 9443: "tungsten-https", - 9444: "wso2esb-console", - 9450: "sntlkeyssrvr", - 9500: "ismserver", - 9522: "sma-spw", - 9535: "mngsuite", - 9536: "laes-bf", - 9555: "trispen-sra", - 9592: "ldgateway", - 9593: "cba8", - 9594: "msgsys", - 9595: "pds", - 9596: "mercury-disc", - 9597: "pd-admin", - 9598: "vscp", - 9599: "robix", - 9600: "micromuse-ncpw", - 9612: "streamcomm-ds", - 9618: "condor", - 9628: "odbcpathway", - 9629: "uniport", - 9632: "mc-comm", - 9667: "xmms2", - 9668: "tec5-sdctp", - 9694: "client-wakeup", - 9695: "ccnx", - 9700: "board-roar", - 9747: "l5nas-parchan", - 9750: "board-voip", - 9753: "rasadv", - 9762: "tungsten-http", - 9800: "davsrc", - 9801: "sstp-2", - 9802: "davsrcs", - 9875: "sapv1", - 9878: "kca-service", - 9888: "cyborg-systems", - 9889: "gt-proxy", - 9898: "monkeycom", - 9899: "sctp-tunneling", - 9900: "iua", - 9901: "enrp", - 9903: "multicast-ping", - 9909: "domaintime", - 9911: "sype-transport", - 9950: "apc-9950", - 9951: "apc-9951", - 9952: "apc-9952", - 9953: "acis", - 9955: "alljoyn-mcm", - 9956: "alljoyn", - 9966: "odnsp", - 9987: "dsm-scm-target", - 9990: "osm-appsrvr", - 9991: "osm-oev", - 9992: "palace-1", - 9993: "palace-2", - 9994: "palace-3", - 9995: "palace-4", - 9996: "palace-5", - 9997: "palace-6", - 9998: "distinct32", - 9999: "distinct", - 10000: "ndmp", - 10001: "scp-config", - 10002: "documentum", - 10003: "documentum-s", - 10007: "mvs-capacity", - 10008: "octopus", - 10009: "swdtp-sv", - 10050: "zabbix-agent", - 10051: "zabbix-trapper", - 10080: "amanda", - 10081: "famdc", - 10100: "itap-ddtp", - 10101: "ezmeeting-2", - 10102: "ezproxy-2", - 10103: "ezrelay", - 10104: "swdtp", - 10107: "bctp-server", - 10110: "nmea-0183", - 10111: "nmea-onenet", - 10113: "netiq-endpoint", - 10114: "netiq-qcheck", - 10115: "netiq-endpt", - 10116: "netiq-voipa", - 10117: "iqrm", - 10128: "bmc-perf-sd", - 10160: "qb-db-server", - 10161: "snmpdtls", - 10162: "snmpdtls-trap", - 10200: "trisoap", - 10201: "rscs", - 10252: "apollo-relay", - 10260: "axis-wimp-port", - 10288: "blocks", - 10439: "bngsync", - 10500: "hip-nat-t", - 10540: "MOS-lower", - 10541: "MOS-upper", - 10542: "MOS-aux", - 10543: "MOS-soap", - 10544: "MOS-soap-opt", - 10800: "gap", - 10805: "lpdg", - 10810: "nmc-disc", - 10860: "helix", - 10880: "bveapi", - 10990: "rmiaux", - 11000: "irisa", - 11001: "metasys", - 10023: "cefd-vmp", - 11095: "weave", - 11106: "sgi-lk", - 11108: "myq-termlink", - 11111: "vce", - 11112: "dicom", - 11161: "suncacao-snmp", - 11162: "suncacao-jmxmp", - 11163: "suncacao-rmi", - 11164: "suncacao-csa", - 11165: "suncacao-websvc", - 11171: "snss", - 11201: "smsqp", - 11208: "wifree", - 11211: "memcache", - 11319: "imip", - 11320: "imip-channels", - 11321: "arena-server", - 11367: "atm-uhas", - 11371: "hkp", - 11430: "lsdp", - 11600: "tempest-port", - 11720: "h323callsigalt", - 11723: "emc-xsw-dcache", - 11751: "intrepid-ssl", - 11796: "lanschool-mpt", - 11876: "xoraya", - 11877: "x2e-disc", - 11967: "sysinfo-sp", - 12000: "entextxid", - 12001: "entextnetwk", - 12002: "entexthigh", - 12003: "entextmed", - 12004: "entextlow", - 12005: "dbisamserver1", - 12006: "dbisamserver2", - 12007: "accuracer", - 12008: "accuracer-dbms", - 12009: "ghvpn", - 12012: "vipera", - 12013: "vipera-ssl", - 12109: "rets-ssl", - 12121: "nupaper-ss", - 12168: "cawas", - 12172: "hivep", - 12300: "linogridengine", - 12321: "warehouse-sss", - 12322: "warehouse", - 12345: "italk", - 12753: "tsaf", - 13160: "i-zipqd", - 13216: "bcslogc", - 13217: "rs-pias", - 13218: "emc-vcas-udp", - 13223: "powwow-client", - 13224: "powwow-server", - 13400: "doip-disc", - 13720: "bprd", - 13721: "bpdbm", - 13722: "bpjava-msvc", - 13724: "vnetd", - 13782: "bpcd", - 13783: "vopied", - 13785: "nbdb", - 13786: "nomdb", - 13818: "dsmcc-config", - 13819: "dsmcc-session", - 13820: "dsmcc-passthru", - 13821: "dsmcc-download", - 13822: "dsmcc-ccp", - 13894: "ucontrol", - 13929: "dta-systems", - 14000: "scotty-ft", - 14001: "sua", - 14002: "scotty-disc", - 14033: "sage-best-com1", - 14034: "sage-best-com2", - 14141: "vcs-app", - 14142: "icpp", - 14145: "gcm-app", - 14149: "vrts-tdd", - 14154: "vad", - 14250: "cps", - 14414: "ca-web-update", - 14936: "hde-lcesrvr-1", - 14937: "hde-lcesrvr-2", - 15000: "hydap", - 15118: "v2g-secc", - 15345: "xpilot", - 15363: "3link", - 15555: "cisco-snat", - 15660: "bex-xr", - 15740: "ptp", - 15998: "2ping", - 16003: "alfin", - 16161: "sun-sea-port", - 16309: "etb4j", - 16310: "pduncs", - 16311: "pdefmns", - 16360: "netserialext1", - 16361: "netserialext2", - 16367: "netserialext3", - 16368: "netserialext4", - 16384: "connected", - 16666: "vtp", - 16900: "newbay-snc-mc", - 16950: "sgcip", - 16991: "intel-rci-mp", - 16992: "amt-soap-http", - 16993: "amt-soap-https", - 16994: "amt-redir-tcp", - 16995: "amt-redir-tls", - 17007: "isode-dua", - 17185: "soundsvirtual", - 17219: "chipper", - 17220: "avtp", - 17221: "avdecc", - 17222: "cpsp", - 17234: "integrius-stp", - 17235: "ssh-mgmt", - 17500: "db-lsp-disc", - 17729: "ea", - 17754: "zep", - 17755: "zigbee-ip", - 17756: "zigbee-ips", - 18000: "biimenu", - 18181: "opsec-cvp", - 18182: "opsec-ufp", - 18183: "opsec-sam", - 18184: "opsec-lea", - 18185: "opsec-omi", - 18186: "ohsc", - 18187: "opsec-ela", - 18241: "checkpoint-rtm", - 18262: "gv-pf", - 18463: "ac-cluster", - 18634: "rds-ib", - 18635: "rds-ip", - 18769: "ique", - 18881: "infotos", - 18888: "apc-necmp", - 19000: "igrid", - 19007: "scintilla", - 19191: "opsec-uaa", - 19194: "ua-secureagent", - 19283: "keysrvr", - 19315: "keyshadow", - 19398: "mtrgtrans", - 19410: "hp-sco", - 19411: "hp-sca", - 19412: "hp-sessmon", - 19539: "fxuptp", - 19540: "sxuptp", - 19541: "jcp", - 19788: "mle", - 19999: "dnp-sec", - 20000: "dnp", - 20001: "microsan", - 20002: "commtact-http", - 20003: "commtact-https", - 20005: "openwebnet", - 20012: "ss-idi-disc", - 20014: "opendeploy", - 20034: "nburn-id", - 20046: "tmophl7mts", - 20048: "mountd", - 20049: "nfsrdma", - 20167: "tolfab", - 20202: "ipdtp-port", - 20222: "ipulse-ics", - 20480: "emwavemsg", - 20670: "track", - 20999: "athand-mmp", - 21000: "irtrans", - 21554: "dfserver", - 21590: "vofr-gateway", - 21800: "tvpm", - 21845: "webphone", - 21846: "netspeak-is", - 21847: "netspeak-cs", - 21848: "netspeak-acd", - 21849: "netspeak-cps", - 22000: "snapenetio", - 22001: "optocontrol", - 22002: "optohost002", - 22003: "optohost003", - 22004: "optohost004", - 22005: "optohost004", - 22273: "wnn6", - 22305: "cis", - 22343: "cis-secure", - 22347: "wibukey", - 22350: "codemeter", - 22555: "vocaltec-phone", - 22763: "talikaserver", - 22800: "aws-brf", - 22951: "brf-gw", - 23000: "inovaport1", - 23001: "inovaport2", - 23002: "inovaport3", - 23003: "inovaport4", - 23004: "inovaport5", - 23005: "inovaport6", - 23272: "s102", - 23333: "elxmgmt", - 23400: "novar-dbase", - 23401: "novar-alarm", - 23402: "novar-global", - 24000: "med-ltp", - 24001: "med-fsp-rx", - 24002: "med-fsp-tx", - 24003: "med-supp", - 24004: "med-ovw", - 24005: "med-ci", - 24006: "med-net-svc", - 24242: "filesphere", - 24249: "vista-4gl", - 24321: "ild", - 24322: "hid", - 24386: "intel-rci", - 24465: "tonidods", - 24554: "binkp", - 24577: "bilobit-update", - 24676: "canditv", - 24677: "flashfiler", - 24678: "proactivate", - 24680: "tcc-http", - 24850: "assoc-disc", - 24922: "find", - 25000: "icl-twobase1", - 25001: "icl-twobase2", - 25002: "icl-twobase3", - 25003: "icl-twobase4", - 25004: "icl-twobase5", - 25005: "icl-twobase6", - 25006: "icl-twobase7", - 25007: "icl-twobase8", - 25008: "icl-twobase9", - 25009: "icl-twobase10", - 25793: "vocaltec-hos", - 25900: "tasp-net", - 25901: "niobserver", - 25902: "nilinkanalyst", - 25903: "niprobe", - 25954: "bf-game", - 25955: "bf-master", - 26000: "quake", - 26133: "scscp", - 26208: "wnn6-ds", - 26260: "ezproxy", - 26261: "ezmeeting", - 26262: "k3software-svr", - 26263: "k3software-cli", - 26486: "exoline-udp", - 26487: "exoconfig", - 26489: "exonet", - 27345: "imagepump", - 27442: "jesmsjc", - 27504: "kopek-httphead", - 27782: "ars-vista", - 27999: "tw-auth-key", - 28000: "nxlmd", - 28119: "a27-ran-ran", - 28200: "voxelstorm", - 28240: "siemensgsm", - 29167: "otmp", - 30001: "pago-services1", - 30002: "pago-services2", - 30003: "amicon-fpsu-ra", - 30004: "amicon-fpsu-s", - 30260: "kingdomsonline", - 30832: "samsung-disc", - 30999: "ovobs", - 31029: "yawn", - 31416: "xqosd", - 31457: "tetrinet", - 31620: "lm-mon", - 31765: "gamesmith-port", - 31948: "iceedcp-tx", - 31949: "iceedcp-rx", - 32034: "iracinghelper", - 32249: "t1distproc60", - 32483: "apm-link", - 32635: "sec-ntb-clnt", - 32636: "DMExpress", - 32767: "filenet-powsrm", - 32768: "filenet-tms", - 32769: "filenet-rpc", - 32770: "filenet-nch", - 32771: "filenet-rmi", - 32772: "filenet-pa", - 32773: "filenet-cm", - 32774: "filenet-re", - 32775: "filenet-pch", - 32776: "filenet-peior", - 32777: "filenet-obrok", - 32801: "mlsn", - 32896: "idmgratm", - 33123: "aurora-balaena", - 33331: "diamondport", - 33334: "speedtrace-disc", - 33434: "traceroute", - 33656: "snip-slave", - 34249: "turbonote-2", - 34378: "p-net-local", - 34379: "p-net-remote", - 34962: "profinet-rt", - 34963: "profinet-rtm", - 34964: "profinet-cm", - 34980: "ethercat", - 35001: "rt-viewer", - 35004: "rt-classmanager", - 35355: "altova-lm-disc", - 36001: "allpeers", - 36865: "kastenxpipe", - 37475: "neckar", - 37654: "unisys-eportal", - 38201: "galaxy7-data", - 38202: "fairview", - 38203: "agpolicy", - 39681: "turbonote-1", - 40000: "safetynetp", - 40841: "cscp", - 40842: "csccredir", - 40843: "csccfirewall", - 40853: "ortec-disc", - 41111: "fs-qos", - 41794: "crestron-cip", - 41795: "crestron-ctp", - 42508: "candp", - 42509: "candrp", - 42510: "caerpc", - 43000: "recvr-rc-disc", - 43188: "reachout", - 43189: "ndm-agent-port", - 43190: "ip-provision", - 43210: "shaperai-disc", - 43439: "eq3-config", - 43440: "ew-disc-cmd", - 43441: "ciscocsdb", - 44321: "pmcd", - 44322: "pmcdproxy", - 44544: "domiq", - 44553: "rbr-debug", - 44600: "asihpi", - 44818: "EtherNet-IP-2", - 44900: "m3da-disc", - 45000: "asmp-mon", - 45054: "invision-ag", - 45678: "eba", - 45825: "qdb2service", - 45966: "ssr-servermgr", - 46999: "mediabox", - 47000: "mbus", - 47100: "jvl-mactalk", - 47557: "dbbrowse", - 47624: "directplaysrvr", - 47806: "ap", - 47808: "bacnet", - 47809: "presonus-ucnet", - 48000: "nimcontroller", - 48001: "nimspooler", - 48002: "nimhub", - 48003: "nimgtw", - 48128: "isnetserv", - 48129: "blp5", - 48556: "com-bardac-dw", - 48619: "iqobject", - 48653: "robotraconteur"} diff --git a/fibratus/tcpip/tcpip.py b/fibratus/tcpip/tcpip.py deleted file mode 100644 index d175d43e7..000000000 --- a/fibratus/tcpip/tcpip.py +++ /dev/null @@ -1,123 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from enum import Enum - -from fibratus.common import NA -from fibratus.kevent_types import SEND_SOCKET_TCPV4, SEND_SOCKET_UDPV4, RECV_SOCKET_TCPV4, RECV_SOCKET_UDPV4, \ - ACCEPT_SOCKET_TCPV4, CONNECT_SOCKET_TCPV4, DISCONNECT_SOCKET_TCPV4, RECONNECT_SOCKET_TCPV4 - -import fibratus.tcpip.ports as ports - - -def port_to_proto(port, l4_proto): - if 'TCP' in l4_proto: - return ports.IANA_PORTS_TCP[port] if port in ports.IANA_PORTS_TCP else NA - else: - return ports.IANA_PORTS_UDP[port] if port in ports.IANA_PORTS_UDP else NA - - -class IpVer(Enum): - - IPV4 = 0 - IPV6 = 1 - - -class TcpIpParser(object): - - def __init__(self, kevent): - """TCP/IP kernel event parser. - - Packages the TCP and UDP requests into a single - kernel event. - - Parameters: - ---------- - - kevent: dict - kernel event representing the UDP / TCP request - """ - self._kevent = kevent - - def parse_tcpip(self, ketype, ktcpip): - """Parses the TCP/IP kernel events. - - Parameters - ---------- - - ketype: tuple - network kernel event - ktcpip: - kevent payload as forwarded from the collector - - """ - pid = ktcpip.pid - ip_src = ktcpip.saddr - ip_dst = ktcpip.daddr - sport = ktcpip.sport - dport = ktcpip.dport - - self._kevent.pid = pid - - if ketype in [SEND_SOCKET_TCPV4, - SEND_SOCKET_UDPV4, - RECV_SOCKET_TCPV4, - RECV_SOCKET_UDPV4]: - # get the application layer protocol - # associated with the tcp segment - # or the udp datagram - if ketype in [SEND_SOCKET_TCPV4, - RECV_SOCKET_TCPV4]: - l4_proto = 'TCP' - else: - l4_proto = 'UDP' - protocol = port_to_proto(dport, l4_proto) - if protocol == NA: - protocol = port_to_proto(sport, l4_proto) - self._kevent.params = {'pid': pid, - 'ip_src': ip_src, - 'ip_dst': ip_dst, - 'sport': sport, - 'dport': dport, - 'packet_size': ktcpip.size, - 'l4_proto': l4_proto, - 'protocol': protocol} - elif ketype == ACCEPT_SOCKET_TCPV4: - self._kevent.params = dict(pid=pid, ip_src=ip_src, ip_dst=ip_dst, - sport=sport, - dport=dport, - rwin=ktcpip.rcvwin, - protocol=port_to_proto(sport, 'TCP')) - - elif ketype == CONNECT_SOCKET_TCPV4: - self._kevent.params = dict(pid=pid, - ip_src=ip_src, - ip_dst=ip_dst, - sport=sport, - dport=dport, - rwin=ktcpip.rcvwin, - protocol=port_to_proto(dport, 'TCP')) - elif ketype == DISCONNECT_SOCKET_TCPV4: - self._kevent.params = dict(pid=pid, - ip_src=ip_src, - ip_dst=ip_dst, - sport=sport, - dport=dport) - - elif ketype == RECONNECT_SOCKET_TCPV4: - self._kevent.params = dict(pid=pid, - ip_src=ip_src, - ip_dst=ip_dst, - sport=sport, - dport=dport) \ No newline at end of file diff --git a/fibratus/term.py b/fibratus/term.py deleted file mode 100644 index 892cd9b69..000000000 --- a/fibratus/term.py +++ /dev/null @@ -1,191 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from _ctypes import byref -from ctypes import c_ulong -import os - -from fibratus.apidefs.sys import CONSOLE_SCREEN_BUFFER_INFO, INVALID_HANDLE_VALUE, get_std_handle, STD_OUTPUT_HANDLE, \ - create_console_screen_buffer, GENERIC_READ, GENERIC_WRITE, FILE_SHARE_READ, FILE_SHARE_WRITE, \ - CONSOLE_TEXTMODE_BUFFER, get_console_screen_buffer_info, COORD, SMALL_RECT, CHAR_INFO, \ - set_console_active_screen_buffer, write_console_output, CURSOR_INFO, get_console_cursor_info, \ - set_console_cursor_info, write_console_unicode -from fibratus.errors import TermInitializationError - - -HIGH_INTENSITY = 0x0008 - -# terminal colors -BLACK = 0x0000 -DARK_BLUE = 0x0001 -DARK_GREEN = 0x0002 -DARK_RED = 0x0004 -GRAY = DARK_BLUE | DARK_GREEN | DARK_RED -DARK_YELLOW = DARK_RED | DARK_GREEN -DARK_PURPLE = DARK_RED | DARK_BLUE -DARK_CYAN = DARK_GREEN | DARK_BLUE -LIGHT_WHITE = GRAY | HIGH_INTENSITY - - -class AnsiTerm(object): - """Terminal's low level interface. - - Provides a set of methods to interact - with the Windows terminals. By writing the chars - directly to the screen buffer can prevent the - annoying screen flickering. - """ - - def __init__(self): - """Creates a new instance of the terminal. - """ - self._cursor_info = CURSOR_INFO() - self._console = INVALID_HANDLE_VALUE - self._framebuffer = INVALID_HANDLE_VALUE - self._char_buffer = None - self._cols = 0 - self._rows = 0 - self._rect = None - self._coord = COORD(0, 0) - self._size = COORD(0, 0) - - def setup_console(self): - """Initializes the screen frame buffer. - - Swaps the current screen buffer with a - brand new created back buffer where the - characters can be written to the flicker-free - rectangular region. - - """ - self._console = get_std_handle(STD_OUTPUT_HANDLE) - # could not get the standard - # console handle, raise an exception - if self._console == INVALID_HANDLE_VALUE: - raise TermInitializationError() - - buffer_info = CONSOLE_SCREEN_BUFFER_INFO() - get_console_screen_buffer_info(self._console, byref(buffer_info)) - get_console_cursor_info(self._console, byref(self._cursor_info)) - self._cursor_info.visible = False - - self._cols = buffer_info.size.x - self._rows = buffer_info.size.y - self._size = COORD(self._cols, self._rows) - self._rect = SMALL_RECT(0, 0, self._cols - 1, self._rows - 1) - self._char_buffer = (CHAR_INFO * (self._size.x * self._size.y))() - self._framebuffer = create_console_screen_buffer(GENERIC_READ | GENERIC_WRITE, - FILE_SHARE_READ | FILE_SHARE_WRITE, - None, - CONSOLE_TEXTMODE_BUFFER, - None) - if self._framebuffer == INVALID_HANDLE_VALUE: - raise TermInitializationError() - # hide the cursor and swap - # the console active screen buffer - set_console_cursor_info(self._framebuffer, byref(self._cursor_info)) - set_console_active_screen_buffer(self._framebuffer) - - def restore_console(self): - if self._console: - set_console_active_screen_buffer(self._console) - self._cursor_info.visible = True - set_console_cursor_info(self._console, byref(self._cursor_info)) - - def write_output(self, charseq, color=LIGHT_WHITE): - """Writes character and color attribute data to the frame buffer. - - The data to be written is taken from a correspondingly sized rectangular - block at a specified location in the source buffer. - - Parameters - ---------- - - charseq: str - the sequence of characters to be written on the frame buffer - - color: int - the terminal output color - """ - - col = 0 - x = 0 - crlf = False - - if not charseq or len(charseq) <= 0: - return - - try: - for char in charseq: - if char == '\n': - crlf = True - col += 1 - # the last column has been reached. - # If there was a carriage return - # then stop the iteration - if col == self._cols: - col = 0 - if crlf: - crlf = False - continue - - if crlf: - crlf = False - space = col - # keep filling the rectangle with spaces - # until we reach the last column - while space <= self._cols: - self._char_buffer[space - 1].char.unicode_char = ' ' - space += 1 - x += 1 - # reset the column and - # stop the current iteration - col = 0 - continue - self._char_buffer[x].char.unicode_char = char - self._char_buffer[x].attributes = color - x += 1 - except IndexError: - pass - # write the character attribute data - # to the screen buffer - write_console_output(self._framebuffer, - self._char_buffer, - self._size, - self._coord, - byref(self._rect)) - - def write_console(self, charseq): - """Writes a string to a console frame buffer - beginning at the current cursor location. - - charseq: str - the string to be written on the frame buffer - """ - write_console_unicode(self._framebuffer, charseq, len(charseq), byref(c_ulong()), None) - - def cls(self): - """Clears the current screen buffer. - """ - for y in range(self._rows): - for x in range(self._cols): - i = (y * self._cols) + x - self._char_buffer[i].char.unicode_char = ' ' - write_console_output(self._framebuffer, - self._char_buffer, - self._coord, - self._size, - byref(self._rect)) - diff --git a/fibratus/thread.py b/fibratus/thread.py deleted file mode 100644 index 980f05ae1..000000000 --- a/fibratus/thread.py +++ /dev/null @@ -1,504 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from _ctypes import sizeof -from ctypes import byref, cast -from ctypes.wintypes import MAX_PATH -import os - -from fibratus.kevent_types import CREATE_PROCESS, ENUM_PROCESS, TERMINATE_THREAD, TERMINATE_PROCESS, \ - CREATE_THREAD, ENUM_THREAD -from fibratus.apidefs.process import * -from fibratus.apidefs.cdefs import STATUS_SUCCESS -from fibratus.apidefs.sys import close_handle, malloc, free -from fibratus.common import DotD as ddict, NA - - -class ThreadRegistry(object): - - def __init__(self, handle_repository, handles, image_meta_registry): - self._threads = {} - self.on_thread_added_callback = None - self.handle_repository = handle_repository - self.image_meta_registry = image_meta_registry - self._handles = handles - - def add_thread(self, ketype, kti): - """Adds a new process or thread to thread registry. - - Parameters - ---------- - - ketype: tuple - kernel event type - kti: dict - event payload as coming from the - kernel event stream collector - """ - if ketype == CREATE_PROCESS or ketype == ENUM_PROCESS: - parent_pid = int(kti.parent_id, 16) - process_id = int(kti.process_id, 16) - # we assume the process id is - # equal to thread id (in a single - # threaded process) - thread_id = process_id - name = kti.image_file_name - comm = kti.command_line - - thread = ThreadInfo(process_id, thread_id, - parent_pid, - name, - comm) - if ketype == ENUM_PROCESS: - thread.handles = [handle for handle in self._handles if handle.pid == process_id] - if ketype == CREATE_PROCESS: - image_meta = self.image_meta_registry.get_image_meta(thread.exe) - if not image_meta: - image_meta = self.image_meta_registry.add_image_meta(thread.exe) - thread.image_meta = image_meta - self._threads[process_id] = thread - - elif ketype == CREATE_THREAD or ketype == ENUM_THREAD: - # new thread created in the - # context of the existing process - # `procces_id` is the parent - # of this thread - process_id = int(kti.process_id, 16) - parent_pid = process_id - thread_id = int(kti.t_thread_id, 16) - - if parent_pid in self._threads: - # copy info from the process - # which created this thread - pthread = self._threads[parent_pid] - # increment the number of threads - # for this process - pthread.increment_child_count() - - name = pthread.name - comm = pthread.comm - - thread = ThreadInfo(process_id, thread_id, - parent_pid, - name, - comm) - thread.ustack_base = hex(kti.user_stack_base) - thread.kstack_base = hex(kti.stack_base) - thread.base_priority = kti.base_priority - thread.io_priority = kti.io_priority - self._threads[thread_id] = thread - else: - # the parent process has not been found - # query the os for process information - handle = open_process(PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, - False, - parent_pid) - info = {} - if handle: - info = self._query_process_info(handle) - close_handle(handle) - else: - if get_last_error() == ERROR_ACCESS_DENIED: - if parent_pid == 0: - info = ddict(name='idle', - comm='idle', - parent_id=0) - else: - # the access to protected / system process - # can't be done with PROCESS_VM_READ or PROCESS_QUERY_INFORMATION - # flags. Open the process again but with - # restricted access rights, so we can get the process image file name - handle = open_process(PROCESS_QUERY_LIMITED_INFORMATION, - False, - parent_pid) - if handle: - info = self._query_process_info(handle, False) - close_handle(handle) - - # add a new thread and the parent process - # we just found to avoid continuous lookup - name = info.name if len(info) > 0 and info.name else NA - comm = info.comm if len(info) > 0 and info.comm else NA - ppid = info.parent_pid if len(info) > 0 and info.parent_pid else NA - - thread = ThreadInfo(process_id, thread_id, - process_id, - name, - comm) - thread.ustack_base = hex(kti.user_stack_base) - thread.kstack_base = hex(kti.stack_base) - thread.base_priority = kti.base_priority - thread.io_priority = kti.io_priority - - parent = ThreadInfo(process_id, process_id, - ppid, - name, - comm) - # enumerate parent handles - parent.handles = self.handle_repository.query_handles(process_id) - - self._threads[thread_id] = thread - self._threads[parent_pid] = parent - - if self.on_thread_added_callback and callable(self.on_thread_added_callback): - self.on_thread_added_callback(thread) - - def remove_thread(self, ketype, kti): - """Removes the thread or process from the registry. - - Parameters - ---------- - - ketype: tuple - kernel event type - kti: dict - event payload as coming from the - kernel event stream collector - """ - if ketype == TERMINATE_THREAD: - thread_id = int(kti.t_thread_id, 16) - if thread_id in self._threads: - # remove the thread and - # decrement the child count of - # the parent process - if self._threads[thread_id].child_count == 0: - thread = self._threads.pop(thread_id) - if thread and thread.pid in self._threads: - parent = self._threads[thread.pid] - parent.decrement_child_count() - elif ketype == TERMINATE_PROCESS: - # the process has exited - # remove all of its threads - process_id = int(kti.process_id, 16) - if process_id in self._threads: - proc = self._threads.pop(process_id) - if proc.child_count > 0: - self._threads = dict((k, v) for k, v in self._threads.items() - if v.child_count == 0 and k != process_id) - - def init_thread_kevent(self, kevent, ketype, kti): - """Initialize kernel event. - - Parameters - ---------- - - kevent: KEvent - instance of `KEvent` class - ketype: tuple - kernel event type - kti: dict - kernel event payload - """ - if ketype == CREATE_THREAD or ketype == TERMINATE_THREAD: - tid = int(kti.t_thread_id, 16) - thread = self.get_thread(tid) - if thread: - kevent.params = dict(pid=thread.pid, - tid=tid, - kstack_base=hex(kti.stack_base), - ustack_base=hex(kti.user_stack_base), - io_priority=kti.io_priority, - base_priority=kti.base_priority) - kevent.pid = thread.pid - kevent.tid = tid - else: - pid = int(kti.process_id, 16) - thread = self.get_thread(pid) - if thread: - kparams = dict(pid=pid, - name=thread.name, - comm=thread.comm, - exe=thread.exe, - ppid=thread.ppid) - if thread.image_meta: - # include image meta info - image_meta = dict(arch=thread.image_meta.arch, - timestamp=thread.image_meta.timestamp, - num_sections=thread.image_meta.num_sections, - sections=thread.image_meta.sections, - imports=thread.image_meta.imports, - org=thread.image_meta.org, - description=thread.image_meta.description, - version=thread.image_meta.version, - internal_name=thread.image_meta.internal_name, - copyright=thread.image_meta.copyright) - kparams['image_meta'] = image_meta - kevent.params = kparams - kevent.pid = thread.ppid - - def set_thread_added_callback(self, callback): - self.on_thread_added_callback = callback - - def get_thread(self, tid): - return self._threads[tid] if tid in self._threads else None - - @property - def threads(self): - return self._threads - - def _query_process_info(self, handle, read_peb=True): - """Gets an extended proc info. - - Parameters - ----------- - - handle: HANDLE - handle to process for which the info - should be acquired - read_peb: boolean - true in case the process PEB should be read - - """ - pbi_buff = malloc(sizeof(PROCESS_BASIC_INFORMATION)) - status = zw_query_information_process(handle, - PROCESS_BASIC_INFO, - pbi_buff, - sizeof(PROCESS_BASIC_INFORMATION), - byref(ULONG())) - - info = {} - - if status == STATUS_SUCCESS: - pbi = cast(pbi_buff, POINTER(PROCESS_BASIC_INFORMATION)) - ppid = pbi.contents.inherited_from_unique_process_id - if read_peb: - # read the PEB to get the process parameters. - # Because the PEB structure resides - # in the address space of another process - # we must read the memory block in order - # to access the structure's fields - peb_addr = pbi.contents.peb_base_address - peb_buff = read_process_memory(handle, peb_addr, sizeof(PEB)) - if peb_buff: - peb = cast(peb_buff, POINTER(PEB)) - # read the RTL_USER_PROCESS_PARAMETERS struct - # which contains the command line and the image - # name of the process - pp = peb.contents.process_parameters - pp_buff = read_process_memory(handle, - pp, - sizeof(RTL_USER_PROCESS_PARAMETERS)) - if pp_buff: - pp = cast(pp_buff, POINTER(RTL_USER_PROCESS_PARAMETERS)) - - comm = pp.contents.command_line.buffer - comm_len = pp.contents.command_line.length - exe = pp.contents.image_path_name.buffer - exe_len = pp.contents.image_path_name.length - - # these memory reads are required - # to copy the command line and image name buffers - cb = read_process_memory(handle, comm, comm_len) - eb = read_process_memory(handle, exe, exe_len) - - if cb and eb: - # cast the buffers to - # UNICODE strings - comm = cast(cb, c_wchar_p).value - exe = cast(eb, c_wchar_p).value - - # the image name contains the full path - # split the string to get the exec name - name = exe[exe.rfind('\\') + 1:] - info = ddict(name=name, - comm=comm, - parent_pid=ppid) - free(cb) - free(eb) - free(pp_buff) - - free(peb_buff) - else: - # query only the process image file name - exe = ctypes.create_unicode_buffer(MAX_PATH) - size = DWORD(MAX_PATH) - name = None - status = query_full_process_image_name(handle, - 0, - exe, - byref(size)) - if status: - exe = exe.value - name = exe[exe.rfind('\\') + 1:] - info = ddict(name=name if name else NA, - comm=exe if type(exe) is str else None, - parent_pid=ppid) - if pbi_buff: - free(pbi_buff) - - return info - - -class ThreadInfo(object): - """Represents the state of thread or process. - """ - def __init__(self, pid, tid, ppid, name, comm): - """Creates an instance of `ThreadInfo` class. - - Parameters - ---------- - - pid: int - process identifier - tid: int - thread identifier in the scope of - an existing process - ppid: int - parent process identifier - name: str - process name (cmd.exe) - comm: str - the full command line of a process - (C:\Windows\system32\cmd.exe /cdir /-C /W) - - Attributes - ---------- - - exe: str - the full name of the executable - (C:\Windows\system32\cmd.exe) - args: list - command line arguments for the process - (/cdir, /-C, /W) - child_count: int - the number of threads for this process - handles: list - a list of handles which owns the process - ustack_base: int - the base address of the thread user-space stack - kstack_base: int - the base address of the thread kernel-space stack - io_priority: int - thread I/O priority - base_priority: int - thread CPU priority - """ - self._pid = pid - self._tid = tid - self._ppid = ppid - - # get the executable from the - # full file system path - head, _ = os.path.split(comm[0:comm.find('exe')]) - self._exe = '%s\%s' % (head, name) - self._exe = self._exe.replace("\"", '') - - if 'SystemRoot' in self._exe: - sys_root = os.path.expandvars("%SystemRoot%") - self._exe = self._exe.replace('%SystemRoot%', sys_root)\ - .replace('\\SystemRoot', sys_root) - - self._name = name.lower() if NA not in name else NA - self._comm = comm - # the command line arguments - # are separated by blank space - self._args = comm.split()[1:] - self._child_count = 0 - self._handles = [] - - self._ustack_base = 0x0 - self._kstack_base = 0x0 - self._io_priority = 0 - self._base_priority = 0 - - self._image_meta = None - - @property - def pid(self): - return self._pid - - @property - def ppid(self): - return self._ppid - - @property - def tid(self): - return self._tid - - @property - def exe(self): - return self._exe - - @property - def name(self): - return self._name - - @property - def comm(self): - return self._comm - - @property - def args(self): - return self._args - - @property - def child_count(self): - return self._child_count - - @property - def handles(self): - return self._handles - - @handles.setter - def handles(self, handles): - self._handles = handles - - @property - def ustack_base(self): - return self._ustack_base - - @ustack_base.setter - def ustack_base(self, ustack_base): - self._ustack_base = ustack_base - - @property - def kstack_base(self): - return self._kstack_base - - @kstack_base.setter - def kstack_base(self, kstack_base): - self._kstack_base = kstack_base - - @property - def io_priority(self): - return self._io_priority - - @io_priority.setter - def io_priority(self, io_priority): - self._io_priority = io_priority - - @property - def base_priority(self): - return self._base_priority - - @base_priority.setter - def base_priority(self, base_priority): - self._base_priority = base_priority - - @property - def image_meta(self): - return self._image_meta - - @image_meta.setter - def image_meta(self, image_meta): - self._image_meta = image_meta - - def increment_child_count(self): - self._child_count += 1 - - def decrement_child_count(self): - if self._child_count != 0: - self._child_count -= 1 diff --git a/fibratus/version.py b/fibratus/version.py deleted file mode 100644 index 5981fb911..000000000 --- a/fibratus/version.py +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -_MAJOR_ = 0 -_MINOR_ = 7 -_REV_ = 2 - -VERSION = '%s.%s.%s' % (_MAJOR_, _MINOR_, _REV_) diff --git a/filaments/anomalous_process_netio.py b/filaments/anomalous_process_netio.py deleted file mode 100644 index 6c345580b..000000000 --- a/filaments/anomalous_process_netio.py +++ /dev/null @@ -1,44 +0,0 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -An unusual process attempts to make a network request or it accepts -the incoming connection. -""" - -activations = [] -processes = ['notepad.exe', 'calc.exe', 'mspaint.exe'] - - -def on_init(): - set_filter('Send', 'Accept', 'Recv', 'Connect') - - -def on_next_kevent(kevent): - if kevent.thread: - process_name = kevent.thread.name - if process_name in processes: - triggered = True if process_name in activations else False - if not triggered: - message = 'Unusual network activity of kind %s ' \ - 'detected from %s process. ' \ - 'The source ip address is %s and ' \ - 'the destination ip address is %s' \ - % (kevent.name, process_name, - kevent.params.ip_src, - kevent.params.ip_dst) - smtp.emit(message, subject='Anomalous network activity detected') - activations.append(process_name) diff --git a/filaments/elasticsearch_indexing.py b/filaments/elasticsearch_indexing.py deleted file mode 100644 index 478b991aa..000000000 --- a/filaments/elasticsearch_indexing.py +++ /dev/null @@ -1,56 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - - -""" -Performs the indexing of the kernel's event stream to -Elasticsearch on interval basis. When the scheduled -interval elapses, the list of documents aggregated -are indexed to Elasticsearch. -""" - -from datetime import datetime -documents = [] - - -def on_init(): - set_filter('CreateThread', 'CreateProcess', 'TerminateThread', 'TerminateProcess', - 'CreateFile', 'DeleteFile', 'WriteFile', 'RenameFile', 'Recv', 'Send', - 'Accept', 'Connect', 'Disconnect', 'LoadImage', 'UnloadImage', - 'RegCreateKey', 'RegDeleteKey', 'RegSetValue') - set_interval(1) - - -def on_next_kevent(kevent): - doco = {'image': kevent.thread.name, - 'thread': { - 'exe': kevent.thread.exe, - 'comm': kevent.thread.comm, - 'pid': kevent.thread.pid, - 'tid': kevent.tid, - 'ppid': kevent.thread.ppid}, - 'category': kevent.category, - 'name': kevent.name, - 'ts': '%s %s' % (datetime.now().strftime('%m/%d/%Y'), - kevent.timestamp.strftime('%H:%M:%S.%f')), - 'cpuid': kevent.cpuid, - 'params': kevent.params} - documents.append(doco) - - -def on_interval(): - if len(documents) > 0: - elasticsearch.emit(documents) - documents.clear() diff --git a/filaments/fishy_netio.py b/filaments/fishy_netio.py new file mode 100644 index 000000000..87451de3f --- /dev/null +++ b/filaments/fishy_netio.py @@ -0,0 +1,73 @@ +# Copyright 2019-2020 by Nedim Sabic (RabbitStack) +# All Rights Reserved. +# http://rabbitstack.github.io + +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +""" +Anomalous process attempts to make a network request or it accepts an inbound connection +""" + +from utils.dotdict import dotdictify + +__pids__ = [] +__procs__ = [ + 'calc.exe', + 'notepad.exe', + 'mspaint.exe', +] + + +def on_init(): + kfilter("kevt.category = 'net' and ps.name in (%s)" % (', '.join([f'\'{ps}\'' for ps in __procs__]))) + + +@dotdictify +def on_next_kevent(kevent): + print(kevent) + notify = True if kevent.pid in __pids__ else False + if not notify: + emit_alert( + f'Anomalous network I/O detected to {kevent.kparams.dip}:{kevent.kparams.dport}', + text(kevent), + severity='critical', + tags=['anomalous netio'] + ) + __pids__.append(kevent.pid) + + +def text(kevent): + return """ + + Source IP: %s + Source port: %s + Destination IP: %s + Destination port: %s + Protocol: %s + + Process ================================================================================== + + Name: %s + Comm: %s + Cwd: %s + User: %s + + """ % ( + kevent.kparams.sip, + kevent.kparams.sport, + kevent.kparams.dip, + kevent.kparams.dport, + kevent.kparams.dport_name, + kevent.exe, + kevent.comm, + kevent.cwd, kevent.sid) diff --git a/filaments/registry_persistence.py b/filaments/registry_persistence.py new file mode 100644 index 000000000..74f813163 --- /dev/null +++ b/filaments/registry_persistence.py @@ -0,0 +1,91 @@ +# Copyright 2019-2020 by Nedim Sabic (RabbitStack) +# All Rights Reserved. +# http://rabbitstack.github.io + +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +""" +Surfaces registry operations that would allow a process to execute on system startup +""" + +import os +from utils.dotdict import dotdictify + +__keys__ = [ + r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run', + r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', + r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce', + r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce', + r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices', + r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices', + + r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', + r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce', + + r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Debug', + r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Debug', + + r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce', + + r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001', + r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend' +] + +WINLOGON_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' + + +def on_init(): + kfilter("kevt.name = 'RegSetValue'") + + +@dotdictify +def on_next_kevent(kevent): + key = os.path.dirname(kevent.kparams.key_name) + + # We check if the value being modified under the Winlogon key is Userinit. + # The Userinit registry value defines which programs are run by Winlogon + # when a user logs in to the system. Typically, Winlogon runs Userinit.exe, + # which in turn runs logon scripts, reestablishes network connections, + # and then starts explorer. Attackers can prepend the userinit.exe executable + # with their own malicious binary/script. + if key.lower() == WINLOGON_KEY.lower() and os.path.basename(kevent.kparams.key_name) != 'Userinit': + return + + if any(k.lower() == key.lower() for k in __keys__): + emit_alert( + f'Registry persistence gained via {kevent.kparams.key_name}', + text(kevent), + severity='medium', + tags=['registry persistence'] + ) + + +def text(kevent): + return """ + + Key content: %s + Key type: %s + + Process ================================================================================== + + Name: %s + Comm: %s + Cwd: %s + User: %s + + """ % ( + kevent.kparams.value, + kevent.kparams.type, + kevent.exe, + kevent.comm, + kevent.cwd, kevent.sid) diff --git a/filaments/registry_persistence_detection.py b/filaments/registry_persistence_detection.py deleted file mode 100644 index 27557e103..000000000 --- a/filaments/registry_persistence_detection.py +++ /dev/null @@ -1,41 +0,0 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Triggers when a process creates the registry value which -would enable it to execute on system startup. -""" - - -keys = ['Run', 'RunOnce', 'RunServices', 'RunServicesOnce', 'Userinit'] - - -def on_init(): - set_filter('RegSetValue') - - -def on_next_kevent(kevent): - if kevent.thread: - process_name = kevent.thread.name - key = kevent.params.key - if key in keys: - message = 'The process %s has created a ' \ - 'persistent registry value , ' \ - 'under %s with content %s' \ - % (process_name, - '%s/%s' % (kevent.params.hive, key), - kevent.params.value) - smtp.emit(message, subject='Registry persistence detected') diff --git a/filaments/top_in_packets.py b/filaments/top_in_packets.py index a6f80dcd8..fa51db168 100644 --- a/filaments/top_in_packets.py +++ b/filaments/top_in_packets.py @@ -1,4 +1,4 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) +# Copyright 2019-2020 by Nedim Sabic (RabbitStack) # All Rights Reserved. # http://rabbitstack.github.io @@ -15,29 +15,29 @@ # under the License. """ -Shows the top TCP / UDP incoming packets. +Shows the top TCP / UDP inbound packets by IP/port tuple """ import collections +from utils.dotdict import dotdictify -connections = collections.Counter() +__connections__ = collections.Counter() def on_init(): - set_filter('Recv') + kfilter("kevt.name = 'Recv'") columns(["Source", "Count"]) sort_by('Count') - set_interval(1) - title('Top incoming TCP/UDP packets') + interval(1) +@dotdictify def on_next_kevent(kevent): - src = ['%s:%d' % (kevent.params.ip_dst, kevent.params.dport)] - connections.update(src) + src = ['%s:%d' % (kevent.kparams.sip, kevent.kparams.sport)] + __connections__.update(src) def on_interval(): - for ip, count in connections.items(): + for ip, count in __connections__.copy().items(): add_row([ip, count]) - render_tabular() - + render_table() \ No newline at end of file diff --git a/filaments/top_registry_io_process.py b/filaments/top_keys.py similarity index 61% rename from filaments/top_registry_io_process.py rename to filaments/top_keys.py index afc519e5a..d8580bae8 100644 --- a/filaments/top_registry_io_process.py +++ b/filaments/top_keys.py @@ -14,29 +14,32 @@ # License for the specific language governing permissions and limitations # under the License. + """ -Shows top processes by registry I/O activity. +Shows top keys by number of registry operations """ import collections +from utils.dotdict import dotdictify -processes_registry_io = collections.Counter() +__keys__ = collections.Counter() def on_init(): - set_filter('RegOpenKey', 'RegQueryKey', 'RegCreateKey', 'RegQueryValue', 'RegSetValue', 'RegDeleteValue') - columns(["Process", "#Ops"]) + kfilter("kevt.category = 'registry'") + columns(["Key", "#Ops"]) sort_by('#Ops') - set_interval(1) - limit(20) + interval(1) +@dotdictify def on_next_kevent(kevent): - process = ['%s (%d)' % (kevent.thread.name, kevent.thread.pid)] - processes_registry_io.update(process) + key = kevent.kparams.key_name + if key: + __keys__.update((key, )) def on_interval(): - for process, io in processes_registry_io.items(): - add_row([process, io]) - render_tabular() + for key, count in __keys__.copy().items(): + add_row([key, count]) + render_table() \ No newline at end of file diff --git a/filaments/top_out_packets.py b/filaments/top_out_packets.py index 436957825..ac00e10b2 100644 --- a/filaments/top_out_packets.py +++ b/filaments/top_out_packets.py @@ -1,4 +1,4 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) +# Copyright 2019-2020 by Nedim Sabic (RabbitStack) # All Rights Reserved. # http://rabbitstack.github.io @@ -15,29 +15,29 @@ # under the License. """ -Shows the top TCP / UDP outbound packets. +Shows the top TCP / UDP outbound packets by IP/port tuple """ import collections +from utils.dotdict import dotdictify -connections = collections.Counter() +__connections__ = collections.Counter() def on_init(): - set_filter('Send') + kfilter("kevt.name = 'Send'") columns(["Destination", "Count"]) sort_by('Count') - set_interval(1) - title('Top outbound TCP/UDP packets') + interval(1) +@dotdictify def on_next_kevent(kevent): - dst = ['%s:%d' % (kevent.params.ip_dst, kevent.params.dport)] - connections.update(dst) + dst = ['%s:%d' % (kevent.kparams.dip, kevent.kparams.dport)] + __connections__.update(dst) def on_interval(): - for ip, count in connections.items(): + for ip, count in __connections__.copy().items(): add_row([ip, count]) - render_tabular() - + render_table() \ No newline at end of file diff --git a/filaments/utils/dotdict.py b/filaments/utils/dotdict.py new file mode 100644 index 000000000..bda93f304 --- /dev/null +++ b/filaments/utils/dotdict.py @@ -0,0 +1,17 @@ +# https://stackoverflow.com/questions/2352181/how-to-use-a-dot-to-access-members-of-dictionary +class dotdict(dict): + """dot.notation access to dictionary attributes""" + __getattr__ = dict.get + __setattr__ = dict.__setitem__ + __delattr__ = dict.__delitem__ + + +def dotdictify(fn): + """ + The decorator for converting the dict parameter to dot notation access dictionary. + """ + def __wrap(kevent): + kevent = dotdict(kevent) + kevent.kparams = dotdict(kevent.kparams) + return fn(kevent) + return __wrap diff --git a/filaments/created_files.py b/filaments/watch_files.py similarity index 64% rename from filaments/created_files.py rename to filaments/watch_files.py index 0b52bf1ce..e0cc8c3eb 100644 --- a/filaments/created_files.py +++ b/filaments/watch_files.py @@ -1,4 +1,4 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) +# Copyright 2019-2020 by Nedim Sabic (RabbitStack) # All Rights Reserved. # http://rabbitstack.github.io @@ -15,23 +15,24 @@ # under the License. """ -Monitors the files created by processes +Watches files and directories created in the file system """ -files = [] +from utils.dotdict import dotdictify + +__files__ = [] def on_init(): - set_filter('CreateFile') + kfilter("kevt.name = 'CreateFile' and file.operation = 'create'") columns(["Process", "File"]) +@dotdictify def on_next_kevent(kevent): - if kevent.params.operation == 'CREATE' \ - and kevent.params.file_type == 'FILE': - files.append((kevent.thread.name, kevent.params.file, )) - for f in files: + file_name = kevent.kparams.file_name + if file_name: + __files__.append((kevent.exe, file_name, )) + for f in __files__: add_row([f[0], f[1]]) - render_tabular() - - + render_table() \ No newline at end of file diff --git a/go.mod b/go.mod new file mode 100644 index 000000000..04c1f767e --- /dev/null +++ b/go.mod @@ -0,0 +1,36 @@ +module github.com/rabbitstack/fibratus + +require ( + github.com/Microsoft/go-winio v0.4.14 + github.com/akavel/rsrc v0.9.0 // indirect + github.com/briandowns/spinner v1.11.1 + github.com/dustin/go-humanize v1.0.0 + github.com/go-openapi/strfmt v0.19.4 // indirect + github.com/hashicorp/go-version v1.2.1 + github.com/hillu/go-yara v1.2.1 + github.com/inconshreveable/mousetrap v1.0.0 // indirect + github.com/jedib0t/go-pretty/v6 v6.0.1 + github.com/magiconair/properties v1.8.1 + github.com/mitchellh/mapstructure v1.1.2 + github.com/olivere/elastic/v7 v7.0.20 + github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2 + github.com/pkg/errors v0.9.1 + github.com/rifflock/lfshook v0.0.0-20180920164130-b9218ef580f5 + github.com/sirupsen/logrus v1.4.1 + github.com/spf13/cobra v0.0.3 + github.com/spf13/pflag v1.0.3 + github.com/spf13/viper v1.6.2 + github.com/streadway/amqp v1.0.0 + github.com/stretchr/testify v1.5.1 + github.com/valyala/bytebufferpool v1.0.0 + github.com/valyala/gozstd v1.6.4 + github.com/xeipuuv/gojsonschema v1.2.0 + golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b + golang.org/x/text v0.3.2 + gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect + gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df + gopkg.in/natefinch/lumberjack.v2 v2.0.0 + gopkg.in/yaml.v2 v2.2.4 +) + +go 1.15 diff --git a/go.sum b/go.sum new file mode 100644 index 000000000..c9a772480 --- /dev/null +++ b/go.sum @@ -0,0 +1,283 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+qxleU= +github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/akavel/rsrc v0.9.0 h1:HwUDC0+tMFWqN4D5G+o5siGD4oVsC3jn6zM8ocjc3nY= +github.com/akavel/rsrc v0.9.0/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= +github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA= +github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= +github.com/aws/aws-sdk-go v1.34.13/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/briandowns/spinner v1.11.1 h1:OixPqDEcX3juo5AjQZAnFPbeUA0jvkp2qzB5gOZJ/L0= +github.com/briandowns/spinner v1.11.1/go.mod h1:QOuQk7x+EaDASo80FEXwlwiA+j/PPIcX3FScO+3/ZPQ= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= +github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= +github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= +github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= +github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= +github.com/go-openapi/errors v0.19.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= +github.com/go-openapi/errors v0.19.2 h1:a2kIyV3w+OS3S97zxUndRVD46+FhGOUBDFY7nmu4CsY= +github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94= +github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY= +github.com/go-openapi/strfmt v0.19.4 h1:eRvaqAhpL0IL6Trh5fDsGnGhiXndzHFuA05w6sXH6/g= +github.com/go-openapi/strfmt v0.19.4/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk= +github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= +github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM= +github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= +github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/hashicorp/go-version v1.2.1 h1:zEfKbn2+PDgroKdiOzqiE8rsmLqU2uwi5PB5pBJ3TkI= +github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hillu/go-yara v1.2.1 h1:th+MRa37XEuugX/eeSgfNRwf+lYNuClt28AJGrGhzdc= +github.com/hillu/go-yara v1.2.1/go.mod h1:KLxCsvD3F8cgVK866UDHi961qbzP+twKjhNdDsuz/2M= +github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jedib0t/go-pretty/v6 v6.0.1 h1:uUMwi75B5+yaLy6sldJusQYXXkTttIxnsDBzNYL+XdI= +github.com/jedib0t/go-pretty/v6 v6.0.1/go.mod h1:Qu/2Or3TWvmQjNOb13IwTwj8msdvAmiPANdOUTt7Z+Q= +github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= +github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/magiconair/properties v1.8.1 h1:ZC2Vc7/ZFkGmsVC9KvOjumD+G5lXy2RtTKyzRKO2BQ4= +github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190403194419-1ea4449da983/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= +github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/mattn/go-colorable v0.1.2 h1:/bC9yWikZXAL9uJdulbSfyVNIR3n3trXl+v8+1sx8mU= +github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-isatty v0.0.8 h1:HLtExJ+uU2HOZ+wI0Tt5DtUDrx8yhUqDcp7fYERX4CE= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0= +github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= +github.com/olivere/elastic/v7 v7.0.20 h1:5FFpGPVJlBSlWBOdict406Y3yNTIpVpAiUvdFZeSbAo= +github.com/olivere/elastic/v7 v7.0.20/go.mod h1:Kh7iIsXIBl5qRQOBFoylCsXVTtye3keQU2Y/YbR7HD8= +github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= +github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2 h1:JhzVVoYvbOACxoUmOs6V/G4D5nPVUW73rKvXxP4XUJc= +github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= +github.com/rifflock/lfshook v0.0.0-20180920164130-b9218ef580f5 h1:mZHayPoR0lNmnHyvtYjDeq0zlVHn9K/ZXoy17ylucdo= +github.com/rifflock/lfshook v0.0.0-20180920164130-b9218ef580f5/go.mod h1:GEXHk5HgEKCvEIIrSpFI3ozzG5xOKA2DVlEX/gGnewM= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k= +github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/assertions v1.1.1 h1:T/YLemO5Yp7KPzS+lVtu+WsHn8yoSwTfItdAd1r3cck= +github.com/smartystreets/assertions v1.1.1/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo= +github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM= +github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s= +github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/smartystreets/gunit v1.4.2/go.mod h1:ZjM1ozSIMJlAz/ay4SG8PeKF00ckUp+zMHZXV9/bvak= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.1.2 h1:m8/z1t7/fwjysjQRYbP0RD+bUIF/8tJwPdEZsI83ACI= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/cast v1.3.0 h1:oget//CVOEoFewqQxwr0Ej5yjygnqGkvggSE/gB35Q8= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.3 h1:ZlrZ4XsMRm04Fr5pSFxBgfND2EBVa1nLpiy1stUsX/8= +github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/jwalterweatherman v1.0.0 h1:XHEdyB+EcvlqZamSM4ZOMGlc93t6AcsBEu9Gc1vn7yk= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/viper v1.6.2 h1:7aKfF+e8/k68gda3LOjo5RxiUqddoFxVq4BKBPrxk5E= +github.com/spf13/viper v1.6.2/go.mod h1:t3iDnF5Jlj76alVNuyFBk5oUMCvsrkbvZK0WQdfDi5k= +github.com/streadway/amqp v1.0.0 h1:kuuDrUJFZL1QYL9hUNuCxNObNzB0bV/ZG5jV3RWAQgo= +github.com/streadway/amqp v1.0.0/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48= +github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s= +github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= +github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4= +github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= +github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= +github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= +github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= +github.com/valyala/gozstd v1.6.4 h1:nFLddjEf90SFl5cVWyElSHozQDsbvLljPK703/skBS0= +github.com/valyala/gozstd v1.6.4/go.mod h1:y5Ew47GLlP37EkTB+B4s7r6A5rdaeB7ftbl9zoYiIPQ= +github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c= +github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74= +github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.mongodb.org/mongo-driver v1.0.3 h1:GKoji1ld3tw2aC+GX1wbr/J2fX13yNacEYoJ8Nhr0yU= +go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= +go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180816055513-1c9583448a9c/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b h1:ag/x1USPSsqHud38I9BAC88qdNLDHHtQ4mlgQIZPPNA= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk= +gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df h1:n7WqCuqOuCbNr617RXOY0AWRXxgwEyPp2z+p0+hgMuE= +gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df/go.mod h1:LRQQ+SO6ZHR7tOkpBDuZnXENFzX8qRjMDMyPD6BRkCw= +gopkg.in/ini.v1 v1.51.0 h1:AQvPpx3LzTDM0AjnIRlVFwFFGC+npRopjZxLJj6gdno= +gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8= +gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/kstream/__init__.py b/kstream/__init__.py deleted file mode 100644 index b4b9e2a2a..000000000 --- a/kstream/__init__.py +++ /dev/null @@ -1,14 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. \ No newline at end of file diff --git a/kstream/includes/__init__.py b/kstream/includes/__init__.py deleted file mode 100644 index b4b9e2a2a..000000000 --- a/kstream/includes/__init__.py +++ /dev/null @@ -1,14 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. \ No newline at end of file diff --git a/kstream/includes/etw.pxd b/kstream/includes/etw.pxd deleted file mode 100644 index c7f948886..000000000 --- a/kstream/includes/etw.pxd +++ /dev/null @@ -1,97 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# http://rabbitstack.github.io -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from .windows cimport * - -cdef extern from "evntcons.h": - - enum: EVENT_HEADER_FLAG_32_BIT_HEADER - enum: PROCESS_TRACE_MODE_EVENT_RECORD - - ctypedef struct EVENT_TRACE_PROPERTIES: - pass - ctypedef struct ETW_BUFFER_CONTEXT: - UCHAR cpuid "ProcessorNumber" - UCHAR Alignment - USHORT LoggerId - - ctypedef struct EVENT_DESCRIPTOR: - USHORT Id - UCHAR Version - UCHAR Channel - UCHAR Level - UCHAR opcode "Opcode" - USHORT Task - ULONGLONG Keyword - - ctypedef struct EVENT_HEADER: - USHORT Size - USHORT HeaderType - USHORT flags "Flags" - USHORT EventProperty - ULONG thread_id "ThreadId" - ULONG process_id "ProcessId" - LARGE_INTEGER timestamp "TimeStamp" - GUID ProviderId - EVENT_DESCRIPTOR descriptor "EventDescriptor" - ULONG KernelTime - ULONG UserTime - ULONGLONG ProcessorTime - GUID ActivityId - - ctypedef struct LINKAGE: - USHORT Linkage - USHORT Reserverd2 - ctypedef struct EVENT_HEADER_EXTENDED_DATA_ITEM: - USHORT Reserved1 - USHORT ExtType - LINKAGE Linkage - USHORT DataSize - ULONGLONG DataPtr - - ctypedef struct EVENT_RECORD: - EVENT_HEADER header "EventHeader" - ETW_BUFFER_CONTEXT buffer_ctx "BufferContext" - USHORT ExtendedDataCount - USHORT UserDataLength - EVENT_HEADER_EXTENDED_DATA_ITEM* ExtendedData - PVOID UserData - PVOID user_ctx "UserContext" - -cdef extern from "evntrace.h": - - ctypedef VOID (__stdcall *PEVENT_RECORD_CALLBACK) (EVENT_RECORD* e) - - ctypedef ULONG64 TRACEHANDLE - - enum: INVALID_PROCESSTRACE_HANDLE - enum: EVENT_TRACE_REAL_TIME_MODE - - ctypedef struct EVENT_TRACE_LOGFILE: - LPTSTR LogFileName - LPSTR logger_name "LoggerName" - ULONG LogFileMode - ULONG trace_mode "ProcessTraceMode" - PEVENT_RECORD_CALLBACK callback "EventRecordCallback" - PVOID context "Context" - - TRACEHANDLE open_trace "OpenTrace"(EVENT_TRACE_LOGFILE* logfile) - - ULONG close_trace "CloseTrace"(TRACEHANDLE handle) - - ULONG process_trace "ProcessTrace"(TRACEHANDLE* handle, ULONG count, - FILETIME* start, - FILETIME* end) \ No newline at end of file diff --git a/kstream/includes/python.pxd b/kstream/includes/python.pxd deleted file mode 100644 index 0a869d2dc..000000000 --- a/kstream/includes/python.pxd +++ /dev/null @@ -1,141 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# http://rabbitstack.github.io -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from cpython.ref cimport PyObject -from libc.stddef cimport wchar_t -from .windows cimport WCHAR, CHAR, BYTE, ULONGLONG, LONGLONG, ULONG, LONG, SHORT, USHORT, ntohs, htonl, inet_ntoa, \ - in_addr, FLOAT, DOUBLE, DWORD, INT32 -from .string cimport wstring, sprintf -from cython.operator cimport dereference as deref - -cdef extern from "python.h": - PyObject* PyUnicode_FromString(const char* u) nogil - PyObject* PyUnicode_FromWideChar (wchar_t* w, Py_ssize_t size) nogil - wchar_t* PyUnicode_AsWideCharString(PyObject* unicode, Py_ssize_t* size) nogil - long PyLong_AsLong(PyObject *obj) nogil - PyObject* Py_BuildValue(char* format, ...) nogil - - PyObject* PyTuple_New(Py_ssize_t len) nogil - PyObject* PyTuple_GetItem(PyObject* p, Py_ssize_t pos) nogil - int PyTuple_SetItem(PyObject* p, Py_ssize_t pos, PyObject* o) nogil - - void Py_XDECREF(PyObject* o) nogil - void Py_XINCREF(PyObject* o) - - void PyMem_Free(void *p) nogil - - -cdef inline PyObject* _unicode(wchar_t* wchars) nogil: - return PyUnicode_FromWideChar(wchars, -1) - - -cdef inline PyObject* _ansi(char* chars) nogil: - return PyUnicode_FromString(chars) - - -cdef inline PyObject* _unicodec(void* buf) nogil: - return Py_BuildValue('u', (buf)[0]) - - -cdef inline PyObject* _ansic(void* buf) nogil: - return Py_BuildValue('s', (buf)[0]) - - -cdef inline PyObject* _i8(void* buf) nogil: - return Py_BuildValue('h', (buf)[0]) - - -cdef inline PyObject* _u8(void* buf) nogil: - return Py_BuildValue('b', (buf)[0]) - - -cdef inline PyObject* _u8_hex(void* buf) nogil: - cdef char hx[200] - sprintf(hx, "%02x", (buf)[0]) - return _ansi(hx) - - -cdef inline PyObject* _i16_hex(void* buf) nogil: - cdef char hx[200] - sprintf(hx, "%02x", (buf)[0]) - return _ansi(hx) - - -cdef inline PyObject* _i64_hex(void* buf) nogil: - cdef char hx[200] - sprintf(hx, "%02x", (buf)[0]) - return _ansi(hx) - - -cdef inline PyObject* _i64(void* buf) nogil: - return Py_BuildValue('L', (buf)[0]) - - -cdef inline PyObject* _u64(void* buf) nogil: - return Py_BuildValue('K', (buf)[0]) - - -cdef inline PyObject* _i32(void* buf) nogil: - return Py_BuildValue('i', (buf)[0]) - - -cdef inline PyObject* _i32_hex(void* buf) nogil: - cdef char hx[200] - sprintf(hx, "0x%x", (buf)[0]) - return _ansi(hx) - - -cdef inline PyObject* _u32(void* buf) nogil: - return Py_BuildValue('k', (buf)[0]) - - -cdef inline PyObject* _i16(void* buf) nogil: - return Py_BuildValue('h', (buf)[0]) - - -cdef inline PyObject* _u16(void* buf) nogil: - return Py_BuildValue('h', (buf)[0]) - - -cdef inline PyObject* _float(void* buf) nogil: - return Py_BuildValue('f', (buf)[0]) - - -cdef inline PyObject* _double(void* buf) nogil: - return Py_BuildValue('d', (buf)[0]) - - -cdef inline PyObject* _ntohs(void* buf) nogil: - return Py_BuildValue('h', ntohs((buf)[0])) - - -cdef inline PyObject* _wstring(wstring ws): - return PyUnicode_FromWideChar(ws.data(), ws.size()) - - -cdef inline wchar_t* _wchar_t(PyObject* o) nogil: - cdef Py_ssize_t size - return PyUnicode_AsWideCharString(o, &size) - - -cdef inline PyObject* ip_addr(void* buf) nogil: - cdef in_addr addr - addr.S_un.S_addr = (buf)[0] - return Py_BuildValue('s', inet_ntoa(addr)) - - -cdef inline wstring deref_prop(prop_name): - return deref(new wstring(_wchar_t(prop_name))) \ No newline at end of file diff --git a/kstream/includes/stdlib.pxd b/kstream/includes/stdlib.pxd deleted file mode 100644 index e68e0ebfb..000000000 --- a/kstream/includes/stdlib.pxd +++ /dev/null @@ -1,19 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# http://rabbitstack.github.io -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -cdef extern from "stdlib.h": - void free(void* ptr) nogil - void* malloc(size_t size) nogil \ No newline at end of file diff --git a/kstream/includes/string.pxd b/kstream/includes/string.pxd deleted file mode 100644 index cd09ae751..000000000 --- a/kstream/includes/string.pxd +++ /dev/null @@ -1,41 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# http://rabbitstack.github.io -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from libc.stddef cimport wchar_t - -cdef extern from "wchar.h": - int wprintf(const wchar_t *, ...) nogil - int printf( const char* format, ... ) nogil - int sprintf (char* str, const char* format, ... ) nogil - long strtol(const char* nptr, char** endptr, int base) nogil - long wcstol(const wchar_t* nptr, wchar_t** endptr, int base) nogil - wchar_t* _wcslwr(wchar_t * s) nogil - int wcscmp(const wchar_t* string1, const wchar_t* string2) nogil - size_t wcslen (const wchar_t* wcs) - -cdef extern from "" namespace "std" nogil: - - cdef cppclass wstring "std::wstring": - wstring() except + - wstring(wchar_t *) except + - wstring(wchar_t *, size_t) except + - wstring(wstring&) except + - - const wchar_t* data() - size_t size() - - int compare(wstring&) - diff --git a/kstream/includes/tdh.pxd b/kstream/includes/tdh.pxd deleted file mode 100644 index d5bfc6bbc..000000000 --- a/kstream/includes/tdh.pxd +++ /dev/null @@ -1,148 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# http://rabbitstack.github.io -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from .windows cimport ULONG -from .etw cimport * - -cdef extern from "tdh.h": - - ctypedef ULONG TDHAPI - - ctypedef enum TDH_IN_TYPE: - TDH_INTYPE_NULL = 0 - TDH_INTYPE_UNICODESTRING = 1 - TDH_INTYPE_ANSISTRING = 2 - TDH_INTYPE_INT8 = 3 - TDH_INTYPE_UINT8 = 4 - TDH_INTYPE_INT16 = 5 - TDH_INTYPE_UINT16 = 6 - TDH_INTYPE_INT32 = 7 - TDH_INTYPE_UINT32 = 8 - TDH_INTYPE_INT64 = 9 - TDH_INTYPE_UINT64 = 10 - TDH_INTYPE_FLOAT = 11 - TDH_INTYPE_DOUBLE = 12 - TDH_INTYPE_BOOLEAN = 13 - TDH_INTYPE_BINARY = 14 - TDH_INTYPE_GUID = 15 - TDH_INTYPE_POINTER = 16 - TDH_INTYPE_FILETIME = 17 - TDH_INTYPE_SYSTEMTIME = 18 - TDH_INTYPE_SID = 19 - TDH_INTYPE_HEXINT32 = 20 - TDH_INTYPE_HEXINT64 = 21 - TDH_INTYPE_COUNTEDSTRING = 300 - TDH_INTYPE_COUNTEDANSISTRING = 301 - TDH_INTYPE_REVERSEDCOUNTEDSTRING = 302 - TDH_INTYPE_REVERSEDCOUNTEDANSISTRING = 303 - TDH_INTYPE_NONNULLTERMINATEDSTRING = 304 - TDH_INTYPE_NONNULLTERMINATEDANSISTRING = 305 - TDH_INTYPE_UNICODECHAR = 306 - TDH_INTYPE_ANSICHAR = 307 - TDH_INTYPE_SIZET = 308 - TDH_INTYPE_HEXDUMP = 309 - TDH_INTYPE_WBEMSID = 310 - - ctypedef enum TDH_OUT_TYPE: - TDH_OUTTYPE_NULL = 0 - TDH_OUTTYPE_STRING = 1 - TDH_OUTTYPE_DATETIME = 2 - TDH_OUTTYPE_BYTE = 3 - TDH_OUTTYPE_UNSIGNEDBYTE = 4 - TDH_OUTTYPE_SHORT = 5 - TDH_OUTTYPE_UNSIGNEDSHORT = 6 - TDH_OUTTYPE_INT = 6 - TDH_OUTTYPE_UNSIGNEDINT = 7 - TDH_OUTTYPE_LONG = 8 - TDH_OUTTYPE_UNSIGNEDLONG = 9 - TDH_OUTTYPE_FLOAT = 10 - TDH_OUTTYPE_DOUBLE = 11 - TDH_OUTTYPE_BOOLEAN = 12 - TDH_OUTTYPE_GUID = 13 - TDH_OUTTYPE_HEXBINARY = 14 - TDH_OUTTYPE_HEXINT8 = 15 - TDH_OUTTYPE_HEXINT16 = 16 - TDH_OUTTYPE_HEXINT32 = 17 - TDH_OUTTYPE_HEXINT64 = 18 - TDH_OUTTYPE_PID = 19 - TDH_OUTTYPE_TID = 20 - TDH_OUTTYPE_PORT = 21 - TDH_OUTTYPE_IPV4 = 22 - TDH_OUTTYPE_IPV6 = 23 - TDH_OUTTYPE_SOCKETADDRESS = 24 - TDH_OUTTYPE_CIMDATETIME = 25 - TDH_OUTTYPE_ETWTIME = 26 - TDH_OUTTYPE_XML = 27 - TDH_OUTYTPE_ERRORCODE = 28, - TDH_OUTTYPE_REDUCEDSTRING = 300 - - ctypedef enum PROPERTY_FLAGS: - PropertyStruct = 0x1 - PropertyParamLength = 0x2 - PropertyParamCount = 0x4 - PropertyWBEMXmlFragment = 0x8 - PropertyParamFixedLength = 0x10 - - - ctypedef struct NON_STRUCT_TYPE: - USHORT in_type "InType" - USHORT out_type "OutType" - - ctypedef struct EVENT_PROPERTY_INFO: - ULONG name_offset "NameOffset" - NON_STRUCT_TYPE non_struct_type "nonStructType" - - ctypedef struct TRACE_PROVIDER_INFO: - GUID ProviderGuid - USHORT PropertyCount - - - ctypedef struct TDH_CONTEXT: - pass - - ctypedef struct PROPERTY_DATA_DESCRIPTOR: - ULONGLONG property_name "PropertyName" - ULONG array_index "ArrayIndex" - ULONG reserved "Reserved" - - - ctypedef struct TRACE_EVENT_INFO: - GUID ProviderGuid - GUID event_guid "EventGuid" - ULONG ProviderNameOffset - ULONG OpcodeNameOffset - ULONG PropertyCount - ULONG property_count "TopLevelPropertyCount" - EVENT_PROPERTY_INFO properties "EventPropertyInfoArray"[1] - - - TDHAPI tdh_get_event_information "TdhGetEventInformation"(EVENT_RECORD* e, ULONG cc, - TDH_CONTEXT* ctx, - TRACE_EVENT_INFO* buf, - ULONG* buf_size) nogil - - ULONG tdh_get_property_size "TdhGetPropertySize"(EVENT_RECORD* e, ULONG cc, - TDH_CONTEXT* ctx, - ULONG count, - PROPERTY_DATA_DESCRIPTOR* descriptor, - ULONG *size) nogil - - ULONG tdh_get_property "TdhGetProperty"(EVENT_RECORD* e, ULONG cc, - TDH_CONTEXT* ctx, - ULONG count, - PROPERTY_DATA_DESCRIPTOR* descriptor, - ULONG buf_size, - BYTE* buf) nogil diff --git a/kstream/includes/windows.pxd b/kstream/includes/windows.pxd deleted file mode 100644 index 2dfa9354a..000000000 --- a/kstream/includes/windows.pxd +++ /dev/null @@ -1,121 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# http://rabbitstack.github.io -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from libc.stddef cimport wchar_t - -cdef extern from "windows.h": - ctypedef unsigned long ULONG - ctypedef unsigned char BYTE - ctypedef unsigned long DWORD - ctypedef signed int INT32 - ctypedef unsigned short WORD - ctypedef float FLOAT - ctypedef double DOUBLE - ctypedef char CHAR - ctypedef unsigned char UCHAR - ctypedef void VOID - ctypedef void* PVOID - ctypedef PVOID HANDLE - ctypedef short SHORT - ctypedef unsigned short USHORT - ctypedef long long LONGLONG - ctypedef char* LPSTR - ctypedef unsigned long long ULONGLONG - ctypedef long LONG - ctypedef void* PVOID - ctypedef DWORD* LPDWORD - ctypedef int BOOL - ctypedef const char* LPCTSTR - ctypedef const wchar_t* LPWSTR - ctypedef wchar_t* LPCWSTR - ctypedef unsigned long long ULONG64 - ctypedef wchar_t* WCHAR - ctypedef WCHAR* LPTSTR - ctypedef wchar_t* LPSIDSTR - ctypedef LPWSTR LPOLESTR - ctypedef long HRESULT - - enum: ERROR_SUCCESS - enum: ERROR_CANCELLED - - enum: THREAD_QUERY_INFORMATION - enum: THREAD_QUERY_LIMITED_INFORMATION - - ctypedef struct GUID: - DWORD Data1 - WORD Data2 - WORD Data3 - BYTE Data4[8] - - ctypedef const GUID & REFGUID - - ctypedef struct U: - DWORD LowPart - LONG HighPart - ctypedef union LARGE_INTEGER: - DWORD low"LowPart" - LONG high "HighPart" - U u - LONGLONG QuadPart - - ctypedef struct FILETIME: - DWORD low_date "dwLowDateTime" - DWORD high_date "dwHighDateTime" - - ctypedef struct SYSTEMTIME: - WORD year "wYear" - WORD month "wMonth" - WORD day_of_week "wDayOfWeek" - WORD day "wDay" - WORD hour "wHour" - WORD minute "wMinute" - WORD second "wSecond" - WORD millis "wMilliseconds" - - ctypedef struct TIME_ZONE_INFORMATION: - LONG Bias - WCHAR StandardName[32] - SYSTEMTIME StandardDate - LONG StandardBias - WCHAR DaylightName[32] - SYSTEMTIME DaylightDate - LONG DaylightBias - - int string_from_guid "StringFromGUID2"(REFGUID guid, LPOLESTR lpsz, int cch) nogil - - BOOL filetime_to_systemtime "FileTimeToSystemTime"(FILETIME *ft, SYSTEMTIME *st) nogil - - BOOL systemtime_to_tz_specific_localtime "SystemTimeToTzSpecificLocalTime"(TIME_ZONE_INFORMATION *zone, - SYSTEMTIME *uni_time, - SYSTEMTIME *local_time) nogil - - HANDLE open_thread "OpenThread"(DWORD desired_access, BOOL inherit_handle, DWORD thread_id) nogil - - DWORD get_process_id_of_thread "GetProcessIdOfThread"(HANDLE thread) nogil - - BOOL close_handle "CloseHandle"(HANDLE handle) nogil - -cdef extern from "winsock.h": - USHORT ntohs(USHORT netshort) nogil - ULONG htonl(ULONG hostlong) nogil - - ctypedef union S_un: - ULONG S_addr - ctypedef struct in_addr: - S_un S_un - - char* inet_ntoa(in_addr addr) nogil - diff --git a/kstream/kstreamc.pxd b/kstream/kstreamc.pxd deleted file mode 100644 index db1b78898..000000000 --- a/kstream/kstreamc.pxd +++ /dev/null @@ -1,32 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# http://rabbitstack.github.io -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from kstream.ktuple cimport build_ktuple -from cpython.ref cimport PyObject - - - -cdef class KEventStreamCollector: - cdef: - - EVENT_TRACE_LOGFILE ktrace - TRACEHANDLE handle - int pointer_size - - -from kstream.includes.etw cimport * -from kstream.includes.tdh cimport * - diff --git a/kstream/kstreamc.pyx b/kstream/kstreamc.pyx deleted file mode 100644 index 270c9c310..000000000 --- a/kstream/kstreamc.pyx +++ /dev/null @@ -1,648 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# http://rabbitstack.github.io -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import re -import os -import traceback - -from libcpp.unordered_map cimport unordered_map -from cython.operator cimport dereference as deref, preincrement as inc -from libcpp.vector cimport vector -from libcpp.utility cimport pair - -from cpython cimport PyBytes_AsString -from cpython.exc cimport PyErr_CheckSignals - -from kstream.includes.etw cimport * -from kstream.includes.tdh cimport * -from kstream.includes.windows cimport * -from kstream.includes.python cimport * -from kstream.includes.stdlib cimport * -from kstream.includes.string cimport * -from kstream.time cimport sys_time -from kstream.ktuple cimport build_ktuple -from kstream.process cimport PROCESS_INFO, THREAD_INFO, pid_from_tid - - -cdef enum: - GUID_LENGTH = 36 - INVALID_PID = 4294967295 - -cdef PyObject* ENUM_PROCESS = build_ktuple('{3d6fa8d0-fe05-11d0-9dda-00c04fd7ba7c}', 3) -cdef PyObject* ENUM_THREAD = build_ktuple('{3d6fa8d1-fe05-11d0-9dda-00c04fd7ba7c}', 3) -cdef PyObject* ENUM_IMAGE = build_ktuple('{2cb15d1d-5fc1-11d2-abe1-00a0c911f518}', 3) -cdef PyObject* REG_CREATE_KCB = build_ktuple('{ae53722e-c863-11d2-8659-00c04fa321a1}', 22) -cdef PyObject* REG_DELETE_KCB = build_ktuple('{ae53722e-c863-11d2-8659-00c04fa321a1}', 23) - -cdef PyObject* CREATE_PROCESS = build_ktuple('{3d6fa8d0-fe05-11d0-9dda-00c04fd7ba7c}', 1) -cdef PyObject* CREATE_THREAD = build_ktuple('{3d6fa8d1-fe05-11d0-9dda-00c04fd7ba7c}', 1) -cdef PyObject* TERMINATE_THREAD = build_ktuple('{3d6fa8d1-fe05-11d0-9dda-00c04fd7ba7c}', 2) -cdef PyObject* TERMINATE_PROCESS = build_ktuple('{3d6fa8d0-fe05-11d0-9dda-00c04fd7ba7c}', 2) - -cdef PyObject* CREATE_FILE = build_ktuple('{90cbdc39-4a3e-11d1-84f4-0000f80464e3}', 64) -cdef PyObject* WRITE_FILE = build_ktuple('{90cbdc39-4a3e-11d1-84f4-0000f80464e3}', 68) -cdef PyObject* READ_FILE = build_ktuple('{90cbdc39-4a3e-11d1-84f4-0000f80464e3}', 67) -cdef PyObject* DELETE_FILE = build_ktuple('{90cbdc39-4a3e-11d1-84f4-0000f80464e3}', 70) -cdef PyObject* CLOSE_FILE = build_ktuple('{90cbdc39-4a3e-11d1-84f4-0000f80464e3}', 66) -cdef PyObject* RENAME_FILE = build_ktuple('{90cbdc39-4a3e-11d1-84f4-0000f80464e3}', 71) -cdef PyObject* SET_FILE_INFORMATION = build_ktuple('{90cbdc39-4a3e-11d1-84f4-0000f80464e3}', 69) - -cdef PyObject* UNLOAD_IMAGE = build_ktuple('{2cb15d1d-5fc1-11d2-abe1-00a0c911f518}', 2) - -cdef wstring PID_PROP = deref_prop("PID") -cdef wstring PPID_PROP = deref_prop("ParentId") -cdef wstring PROCESS_ID_PROP = deref_prop("ProcessId") -cdef wstring FS_THREAD_ID_PROP = deref_prop("TTID") -cdef wstring THREAD_ID_PROP = deref_prop("TThreadId") -cdef wstring IMAGE_FILE_NAME_PROP = deref_prop("ImageFileName") - -REGISTRY_KGUID = '{ae53722e-c863-11d2-8659-00c04fa321a1}' -FS_KGUID = '{90cbdc39-4a3e-11d1-84f4-0000f80464e3}' - - -cdef class KEventStreamCollector: - """Kernel event stream collector. - - - Collects events from the kernel event stream and invokes - a python callback method for each event delivered - to the collector. - - The main motivation behind this Cython extension are the perfomance reasons, where - ETW can generate a huge volume of events, and the parsing - process is very CPU intensive. - - Use - --- - - kevt_stream_collector = KEventStreamCollector(logger_name) - - Register a python callback: - - def next_kevt(ktype, cpuid, ts, kparams): - # your logic here - kevt_stream_collector.open_kstream(next_kevt) - - - """ - cdef EVENT_TRACE_LOGFILE ktrace - cdef TRACEHANDLE handle - cdef int pointer_size - - cdef vector[PyObject*]* ktuple_filters - cdef vector[wchar_t*]* skips - cdef unordered_map[ULONG, PROCESS_INFO]* proc_map - cdef unordered_map[ULONG, THREAD_INFO]* thread_map - - cdef ULONG pid_filter - cdef wchar_t* image_filter - cdef ULONG own_pid - - cdef next_kevt_callback - cdef on_kstream_open_callback - cdef klogger - cdef regex - - def __init__(self, klogger): - self.klogger = klogger - self.handle = 0 - self.next_kevt_callback = None - self.on_kstream_open_callback = None - self.ktrace.logger_name = PyBytes_AsString(self.klogger) - self.regex = re.compile('((?<=[a-z0-9])[A-Z]|(?!^)[A-Z](?=[a-z]))') - self.pointer_size = 8 - self.ktuple_filters = new vector[PyObject*]() - self.proc_map = new unordered_map[ULONG, PROCESS_INFO]() - self.thread_map = new unordered_map[ULONG, THREAD_INFO]() - self.skips = new vector[wchar_t*]() - self.pid_filter = 0 - self.image_filter = NULL - self.own_pid = os.getpid() - - def open_kstream(self, callback): - """Initializes the kernel event stream. - - Sets the event record callback and open - the trace to consume from kernel event - stream. - - Parameters - ---------- - - callback: callable - A python method which is called - when kernel event is consumed successfully - - """ - self.next_kevt_callback = callback - - self.ktrace.trace_mode = EVENT_TRACE_REAL_TIME_MODE | PROCESS_TRACE_MODE_EVENT_RECORD - self.ktrace.callback = self.process_kevent_callback - # because `process_kevent` callback is the instance - # method and the ETW API expects a callback function with - # single parameter, the `self` argument refers to - # an invalid context. We need to inject the reference - # to this instance into `Context` member. - self.ktrace.context = self - - self.handle = open_trace(&self.ktrace) - - if self.on_kstream_open_callback: - self.on_kstream_open_callback() - - # foward the kernel event stream - # to the consumer and start the processing - status = process_trace(&self.handle, 1, - NULL, - NULL) - if status != ERROR_SUCCESS or status != ERROR_CANCELLED: - if status != INVALID_PROCESSTRACE_HANDLE: - close_trace(self.handle) - else: - raise RuntimeError('ERROR - Unable to open kernel event stream. Error %s' % status) - - def close_kstream(self): - close_trace(self.handle) - - def set_kstream_open_callback(self, callback): - self.on_kstream_open_callback = callback - - def add_skip(self, skip): - self.skips.push_back(_wchar_t(skip)) - - def add_ktuple_filter(self, ktuple): - kguid, opcode = ktuple - self.ktuple_filters.push_back(build_ktuple(kguid, opcode)) - - def add_pid_filter(self, pid): - self.pid_filter = int(pid) if pid else 0 - - def add_image_filter(self, image): - self.image_filter = _wchar_t(image) if image else NULL - - cdef process_kevent_callback(self, EVENT_RECORD* kevent_trace): - with nogil: - (kevent_trace.user_ctx)._process_kevent(kevent_trace) - - cdef void _process_kevent(self, EVENT_RECORD* kevent_trace) nogil except *: - """Kernel event stream callback. - - Parameters - ---------- - - kevent_trace: EVENT_RECORD - The pointer to kernel event metadata - - """ - cdef TRACE_EVENT_INFO* info = malloc(4096) - - # the allocation has failed probably - # because there is no enough memory - if info == NULL: - return - - cdef EVENT_HEADER kevt_hdr = kevent_trace.header - cdef ULONG buffer_size = 4096 - cdef unordered_map[wstring, PyObject*] params - cdef ULONG property_size - cdef PROPERTY_DATA_DESCRIPTOR descriptor - cdef BOOL dropped = False - cdef PROCESS_INFO pi - cdef THREAD_INFO ti - - status = tdh_get_event_information(kevent_trace, 0, - NULL, - info, - &buffer_size) - - cpuid = kevent_trace.buffer_ctx.cpuid - opcode = kevt_hdr.descriptor.opcode - pid = kevt_hdr.process_id - tid = kevt_hdr.thread_id - - ktuple = self.__wrap_ktuple(info.event_guid, opcode) - # this shouldn't happen, but just in - # case simply discard the kernel event - if ktuple == NULL: - free(info) - return - dropped = self.__apply_filters(pid, tid, ktuple, params, True) - - if dropped: - with gil: - free(info) - Py_XDECREF(ktuple) - return - - if (kevt_hdr.flags & EVENT_HEADER_FLAG_32_BIT_HEADER) == \ - EVENT_HEADER_FLAG_32_BIT_HEADER: - self.pointer_size = 4 - else: - self.pointer_size = 8 - - if status == ERROR_SUCCESS: - props = info.properties - for i from 0 <= i < info.property_count: - prop = props[i] - - property_name = info + prop.name_offset - - descriptor.property_name = info + \ - prop.name_offset - descriptor.array_index = 0xFFFFFFFF - - # get the property size which - # is used to allocate the buffer - tdh_get_property_size(kevent_trace, 0, - NULL, - 1, - &descriptor, - &property_size) - property_buffer = malloc(property_size) - if property_buffer == NULL: - return - - # fill the property buffer - status = tdh_get_property(kevent_trace, 0, - NULL, - 1, - &descriptor, - property_size, - property_buffer) - # get the property value and store it in the map - if status == ERROR_SUCCESS: - if property_name != NULL: - mapk = new wstring(property_name) - params[deref(mapk)] = \ - self.__parse_property(prop.non_struct_type.in_type, - prop.non_struct_type.out_type, - property_buffer) - del mapk - free(property_buffer) - else: - if property_buffer != NULL: - free(property_buffer) - - free(info) - ts = sys_time(kevt_hdr.timestamp) - - # build a tiny state machine around the - # currently running processes/threads on the system - if self.__ktuple_equals(ktuple, ENUM_PROCESS) or \ - self.__ktuple_equals(ktuple, CREATE_PROCESS): - pi.pid = wcstol(_wchar_t(params.at(PROCESS_ID_PROP)), NULL, 16) - pi.ppid = wcstol(_wchar_t(params.at(PPID_PROP)), NULL, 16) - pi.name = _wchar_t(params.at(IMAGE_FILE_NAME_PROP)) - k = new pair[ULONG, PROCESS_INFO](wcstol(_wchar_t(params.at(PROCESS_ID_PROP)), NULL, 16), - pi) - self.proc_map.insert(deref(k)) - del k - elif self.__ktuple_equals(ktuple, ENUM_THREAD) or \ - self.__ktuple_equals(ktuple, CREATE_THREAD): - ti.tid = wcstol(_wchar_t(params.at(THREAD_ID_PROP)), NULL, 16) - ti.pid = wcstol(_wchar_t(params.at(PROCESS_ID_PROP)), NULL, 16) - tk = new pair[ULONG, THREAD_INFO](wcstol(_wchar_t(params.at(THREAD_ID_PROP)), NULL, 16), - ti) - self.thread_map.insert(deref(tk)) - del tk - elif self.__ktuple_equals(ktuple, TERMINATE_THREAD): - prop_tid = wcstol(_wchar_t(params.at(THREAD_ID_PROP)), NULL, 16) - self.thread_map.erase(prop_tid) - elif self.__ktuple_equals(ktuple, TERMINATE_PROCESS): - # defer the removal of the pid to be able to capture - # `TerminateProcess` if the image filter is set - if self.image_filter == NULL: - prop_pid = wcstol(_wchar_t(params.at(PROCESS_ID_PROP)), NULL, 16) - self.proc_map.erase(prop_pid) - elif self.__ktuple_equals(ktuple, CREATE_FILE) or \ - self.__ktuple_equals(ktuple, WRITE_FILE) or \ - self.__ktuple_equals(ktuple, READ_FILE) or \ - self.__ktuple_equals(ktuple, DELETE_FILE) or \ - self.__ktuple_equals(ktuple, CLOSE_FILE) or \ - self.__ktuple_equals(ktuple, RENAME_FILE) or \ - self.__ktuple_equals(ktuple, SET_FILE_INFORMATION): - # on some Windows versions the value of - # the PID attribute is invalid for the - # file system kernel events - if pid == INVALID_PID: - prop_fs_tid = params.at(FS_THREAD_ID_PROP) - if prop_fs_tid != NULL: - # try to resolve the pid from the thread id - pid = pid_from_tid(PyLong_AsLong(prop_fs_tid), - self.thread_map) - elif self.__ktuple_equals(ktuple, UNLOAD_IMAGE): - # on Windows 7 the pid field of the event header - # is invalid, so use the pid found in the event params - if pid == INVALID_PID: - p = params.at(PROCESS_ID_PROP) - if p != NULL: - pid = PyLong_AsLong(p) - - dropped = self.__apply_filters(pid, tid, ktuple, params, False) - # now we can erase the pid - if self.image_filter != NULL and \ - self.__ktuple_equals(ktuple, TERMINATE_PROCESS): - prop_pid = wcstol(_wchar_t(params.at(PROCESS_ID_PROP)), NULL, 16) - self.proc_map.erase(prop_pid) - if dropped: - with gil: - # decrement references to avoid memory leaks - if self.image_filter != NULL: - self._decref_params(params) - Py_XDECREF(ktuple) - return - with gil: - # check for pending signals. - # The default behaviour is to - # raise `KeyboardInterrupt` exception - # which will be propagated to the caller - if PyErr_CheckSignals() > 0: - self.close_kstream() - return - try: - timestamp = '%d-%d-%d %d:%02d:%02d.%d' % (ts.year, ts.month, - ts.day, ts.hour, - ts.minute, ts.second, - ts.millis) - # convert the property name from - # camel case to underscore so we have - # PEP 8 compliant coding style - kparams = {self._underscore(self._decref(_wstring(kparam.first))): self._decref(kparam.second) - for kparam in params - if kparam.second != NULL} - kguid, opc = ktuple - kguid = kguid[:-1] - # registry events have a valid process/thread id - # in the event header so we aggregate them - if kguid in REGISTRY_KGUID: - kparams['thread_id'] = tid - kparams['process_id'] = pid - elif kguid in FS_KGUID: - kparams['process_id'] = pid - if self.next_kevt_callback: - self.next_kevt_callback((kguid, opc,), cpuid, - timestamp, - kparams) - except Exception as e: - print(traceback.print_exc()) - except KeyboardInterrupt: - pass - finally: - Py_XDECREF(ktuple) - else: - free(info) - - cdef _decref(self, PyObject* o): - pyo = None - if o != NULL: - pyo = o - Py_XDECREF(o) - return pyo - - cdef _decref_params(self, unordered_map[wstring, PyObject*] params): - for kparam in params: - Py_XDECREF(_wstring(kparam.first)) - if kparam.second != NULL: - Py_XDECREF(kparam.second) - - cdef _underscore(self, o): - return self.regex.sub(r'_\1', o).lower() - - cdef PyObject* __parse_property(self, USHORT in_type, USHORT out_type, - BYTE* buf) nogil: - """Parses the property value. - - Given the property input / output types, - transforms the buffer with property payload. - - Parameters - ---------- - - {in|out}_type : USHORT - The property input/output types. An input type can - have multiple output types. For example, UINT16 input - type can have HEXINT16 or PORT output types. - - buffer: BYTE - The pointer to the property buffer. - """ - if buf == NULL: - return NULL - - if in_type == TDH_INTYPE_UNICODESTRING: - return _unicode(buf) - elif in_type == TDH_INTYPE_ANSISTRING: - return _ansi(buf) - elif in_type == TDH_INTYPE_UNICODECHAR: - return _unicodec(buf) - elif in_type == TDH_INTYPE_ANSICHAR: - return _ansic(buf) - - elif in_type == TDH_INTYPE_INT8: - return _i8(buf) - elif in_type == TDH_INTYPE_UINT8: - if out_type == TDH_OUTTYPE_HEXINT8: - return _u8_hex(buf) - else: - return _u8(buf) - - elif in_type == TDH_INTYPE_INT16: - return _i16(buf) - elif in_type == TDH_INTYPE_UINT16: - if out_type == TDH_OUTTYPE_HEXINT16: - return _i16_hex(buf) - elif out_type == TDH_OUTTYPE_PORT: - return _ntohs(buf) - else: - return _u16(buf) - - elif in_type == TDH_INTYPE_INT32: - return _i32(buf) - elif in_type == TDH_INTYPE_UINT32: - if out_type == TDH_OUTTYPE_HEXINT32: - return _i32_hex(buf) - elif out_type == TDH_OUTTYPE_IPV4: - return ip_addr(buf) - else: - return _u32(buf) - - elif in_type == TDH_INTYPE_INT64: - return _i64(buf) - elif in_type == TDH_INTYPE_UINT64: - if out_type == TDH_OUTTYPE_HEXINT64: - return _i64_hex(buf) - else: - return _u64(buf) - - elif in_type == TDH_INTYPE_HEXINT32: - return _i32_hex(buf) - elif in_type == TDH_INTYPE_HEXINT64: - return _i64_hex(buf) - - elif in_type == TDH_INTYPE_FLOAT: - return _float(buf) - elif in_type == TDH_INTYPE_DOUBLE: - return _double(buf) - - elif in_type == TDH_INTYPE_POINTER or \ - in_type == TDH_INTYPE_SIZET: - if self.pointer_size == 8: - return _u64(buf) - else: - return _u32(buf) - else: - return NULL - - cdef BOOL __apply_filters(self, ULONG pid, ULONG tid, - PyObject* ktuple, - unordered_map[wstring, PyObject*] params, - BOOL defer) nogil: - cdef BOOL drop = True - - # we don't want to capture any events - # coming from the fibratus process - # nor from the process we've declared - # in the excluded process list - if self.own_pid == pid: - return True - - if self.__ktuple_equals(ktuple, ENUM_PROCESS) or \ - self.__ktuple_equals(ktuple, ENUM_THREAD) or \ - self.__ktuple_equals(ktuple, ENUM_IMAGE) or \ - self.__ktuple_equals(ktuple, REG_CREATE_KCB) or \ - self.__ktuple_equals(ktuple, REG_DELETE_KCB): - return False - - # apply skip list as defined - # in the configuration descriptor - drop = self.__apply_skips(pid) - if drop: - return True - elif self.image_filter != NULL: - drop = True - - for i from 0 <= i < self.ktuple_filters.size(): - ktuple_filter = self.ktuple_filters.at(i) - if self.__ktuple_equals(ktuple, ktuple_filter): - drop = False - break - - # apply pid filter - if self.pid_filter != 0 and self.pid_filter != pid: - drop = True - # we got an invalid pid from the header - # and we can't still drop the event - if pid == INVALID_PID: - drop = False - elif self.image_filter != NULL: - # apply image filter - if defer: - return False - if pid == INVALID_PID: - drop = False - else: - drop = self.__apply_image_filter(pid) - # this only apply to `CreateProcess` events where - # parent pid is mapped to an image which doesn't match - # the child pid's image - if drop and \ - self.__ktuple_equals(ktuple, CREATE_PROCESS): - if params.size() > 0: - image_name = _wchar_t(params.at(IMAGE_FILE_NAME_PROP)) - drop = wcscmp(_wcslwr(image_name), - _wcslwr(self.image_filter)) != 0 - if drop: - return True - # now scan for the kernel event - # properties to find the pid value - drop = self.__apply_prop_filters(params) - - return drop - - cdef inline BOOL __apply_skips(self, ULONG pid) nogil: - cdef BOOL ignored = False - cdef unordered_map[ULONG, PROCESS_INFO].iterator proc_iterator = self.proc_map.find(pid) - if proc_iterator != self.proc_map.end(): - for i from 0 <= i < self.skips.size(): - skip = self.skips.at(i) - # compare the image name found - # on the proc map with the value - # as defined on the skip list - pi = deref(proc_iterator).second - if wcscmp(_wcslwr(pi.name), _wcslwr(skip)) == 0: - ignored = True - break - return ignored - - cdef inline BOOL __apply_prop_filters(self, unordered_map[wstring, PyObject*] params) nogil: - cdef unordered_map[wstring, PyObject*].iterator piter = params.begin() - cdef BOOL drop = False - cdef ULONG pid = 0 - - while piter != params.end(): - prop = deref(piter) - prop_name = prop.first - - # get the value of the pid property - if prop_name.compare(PID_PROP) == 0: - pid = PyLong_AsLong(prop.second) - - # apply the filters. At this point - # we also check the kernel event is - # not coming from the fibratus process - if pid != 0: - if pid == self.own_pid: - drop = True - break - elif self.pid_filter != 0 and self.pid_filter != pid: - drop = True - break - elif self.image_filter != NULL: - drop = self.__apply_image_filter(pid) - if drop: - break - inc(piter) - return drop - - cdef inline BOOL __apply_image_filter(self, ULONG pid) nogil: - cdef BOOL drop = True - proc_iterator = self.proc_map.find(pid) - if proc_iterator != self.proc_map.end(): - pi = deref(proc_iterator).second - drop = wcscmp(_wcslwr(pi.name), - _wcslwr(self.image_filter)) != 0 - return drop - - cdef PyObject* __wrap_ktuple(self, GUID guid, UCHAR opcode) nogil: - cdef wchar_t buf[39] - - if string_from_guid(guid, buf, 39) > 0: - kguid = PyUnicode_FromWideChar(_wcslwr(buf), 39) - return build_ktuple(kguid, opcode) - else: - return NULL - - cdef inline BOOL __ktuple_equals(self, PyObject* k1, PyObject* k2) nogil: - cdef BOOL ktuple_equals = False - if PyLong_AsLong(PyTuple_GetItem(k1, 1)) == PyLong_AsLong(PyTuple_GetItem(k2, 1)): - kguid1 = _wchar_t(PyTuple_GetItem(k1, 0)) - kguid2 = _wchar_t(PyTuple_GetItem(k2, 0)) - ktuple_equals = wcscmp(kguid1, kguid2) == 0 - if kguid1 != NULL: - PyMem_Free(kguid1) - if kguid2 != NULL: - PyMem_Free(kguid2) - return ktuple_equals diff --git a/kstream/ktuple.pxd b/kstream/ktuple.pxd deleted file mode 100644 index bbc4352a2..000000000 --- a/kstream/ktuple.pxd +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# http://rabbitstack.github.io -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - - -from kstream.includes.python cimport PyTuple_SetItem, Py_BuildValue, PyTuple_New -from cpython.ref cimport PyObject -from kstream.includes.windows cimport UCHAR - -cdef inline PyObject* build_ktuple(PyObject* kguid, UCHAR opcode) nogil: - cdef PyObject* ktuple = PyTuple_New(2) - cdef PyObject* oco = Py_BuildValue('b', opcode) - PyTuple_SetItem(ktuple, 0, kguid) - PyTuple_SetItem(ktuple, 1, oco) - return ktuple diff --git a/kstream/process.pxd b/kstream/process.pxd deleted file mode 100644 index 0aade3a33..000000000 --- a/kstream/process.pxd +++ /dev/null @@ -1,57 +0,0 @@ -# Copyright 2017 by Nedim Sabic (RabbitStack) -# http://rabbitstack.github.io -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from kstream.includes.windows cimport UCHAR, ULONG, wchar_t, get_process_id_of_thread, open_thread, close_handle, \ - THREAD_QUERY_LIMITED_INFORMATION, HANDLE -from libcpp.unordered_map cimport unordered_map -from cython.operator cimport dereference as deref - -cdef enum: - INVALID_PID = 4294967295 - -cdef struct PROCESS_INFO: - # process identifier - ULONG pid - # process parent identifier - ULONG ppid - # name of the image file - wchar_t* name - -cdef struct THREAD_INFO: - # thread identifier - ULONG tid - # process identifier - ULONG pid - -cdef inline ULONG pid_from_tid(ULONG tid, unordered_map[ULONG, THREAD_INFO]* thread_map) nogil: - cdef unordered_map[ULONG, THREAD_INFO].iterator thread_iter = thread_map.find(tid) - # try to resolve pid from tid by - # querying the thread map - if thread_iter != thread_map.end(): - ti = deref(thread_iter).second - return ti.pid - else: - # if not found, try to resolve via - # `GetProcessIdOfThread` Windows API function - thread = open_thread(THREAD_QUERY_LIMITED_INFORMATION, - False, - tid) - if thread != NULL: - pid = get_process_id_of_thread(thread) - close_handle(thread) - return pid - else: - return INVALID_PID diff --git a/kstream/time.pxd b/kstream/time.pxd deleted file mode 100644 index 335d60734..000000000 --- a/kstream/time.pxd +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# http://rabbitstack.github.io -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -from kstream.includes.windows cimport * - -cdef inline SYSTEMTIME sys_time(LARGE_INTEGER timestamp) nogil: - cdef FILETIME f - cdef SYSTEMTIME s - cdef SYSTEMTIME tzt - - f.high_date = timestamp.high - f.low_date = timestamp.low - filetime_to_systemtime(&f, &s) - systemtime_to_tz_specific_localtime(NULL, &s, &tzt) - - return tzt \ No newline at end of file diff --git a/make.bat b/make.bat new file mode 100644 index 000000000..985c50ed6 --- /dev/null +++ b/make.bat @@ -0,0 +1,110 @@ +:: Copyright 2019-2020 by Nedim Sabic Sabic +:: https://www.fibratus.io +:: All Rights Reserved. +:: +:: Licensed under the Apache License, Version 2.0 (the "License"); you may +:: not use this file except in compliance with the License. You may obtain +:: a copy of the License at +:: +:: http://www.apache.org/licenses/LICENSE-2.0 + +@echo off +SetLocal EnableDelayedExpansion + +set PYTHON_VER=3.7.9 +set PYTHON_URL=https://www.python.org/ftp/python/%PYTHON_VER%/python-%PYTHON_VER%-embed-amd64.zip + +set GOBIN=%USERPROFILE%\go\bin + +set GOTEST=go test -v -race +set GOVET=go vet +set GOFMT=gofmt -e -s -l -w +set GOLINT=%GOBIN%\golint -set_exit_status + +set LDFLAGS="-s -w -X github.com/rabbitstack/fibratus/cmd/fibratus/app.version=%VERSION% -X github.com/rabbitstack/fibratus/cmd/fibratus/app.commit=%COMMIT%" + +:: In case you want to avoid CGO overhead or don't need a specific feature, +:: try tweaking these conditional compilation tags. By default, Fibratus is +:: built with filament, yara and kcap support. +if NOT DEFINED TAGS ( + set TAGS=kcap,filament,yara +) + +set PKGS= +:: Get the list of packages that we'll use to run tests/linter +for /f %%p in ('go list .\...') do call set "PKGS=%%PKGS%% %%p" + +if "%~1"=="build" goto build +if "%~1"=="test" goto test +if "%~1"=="lint" goto lint +if "%~1"=="fmt" goto fmt +if "%~1"=="clean" goto clean +if "%~1"=="pkg" goto pkg +if "%~1"=="deps" goto deps +if "%~1"=="rsrc" goto rsrc + +:build +:: set PKG_CONFIG_PATH=pkg-config +go build -ldflags %LDFLAGS% -tags %TAGS% -o .\cmd\fibratus\fibratus.exe .\cmd\fibratus +goto :EOF + +:test +%GOTEST% %PKGS% +goto :EOF + +:lint +%GOVET% +%GOLINT% %PKGS% +goto :EOF + +:fmt +%GOFMT% pkg cmd +goto :EOF + +:deps +go get -v -u golang.org/x/lint/golint +goto :EOF + +:rsrc +set RC_VER=%VERSION:.=,% +windres --define RC_VER=%RC_VER% --define VER=%VERSION% -i cmd\fibratus\fibratus.rc -O coff -o cmd\fibratus\fibratus.syso +goto :EOF + +:pkg +set RELEASE_DIR=.\build\package\release + +mkdir "%~dp0\%RELEASE_DIR%" +mkdir "%~dp0\%RELEASE_DIR%\Bin" +mkdir "%~dp0\%RELEASE_DIR%\Config" +mkdir "%~dp0\%RELEASE_DIR%\Python" + +copy /y ".\cmd\fibratus\fibratus.exe" "%RELEASE_DIR%\bin" +copy /y ".\configs\fibratus.yml" "%RELEASE_DIR%\config\fibratus.yml" +xcopy /s /f /y ".\filaments" "%RELEASE_DIR%\Filaments\*" + +echo Downloading Python %PYTHON_VER%... +powershell -Command "Invoke-WebRequest %PYTHON_URL% -OutFile %RELEASE_DIR%\python.zip" + +echo Extracting Python distribution... +powershell -Command "Expand-Archive %RELEASE_DIR%\python.zip -DestinationPath %RELEASE_DIR%\python" + +:: Bring in the pip +:: https://stackoverflow.com/questions/42666121/pip-with-embedded-python +powershell -Command "(Get-Content -path %RELEASE_DIR%\python\python*._pth -Raw) -replace '#import','import' | Set-Content -Path %RELEASE_DIR%\python\python*._pth" +echo Downloading get-pip.py... +powershell -Command "Invoke-WebRequest https://bootstrap.pypa.io/get-pip.py -OutFile %RELEASE_DIR%\get-pip.py" +%RELEASE_DIR%\python\python.exe %RELEASE_DIR%\get-pip.py + +:: Move Python DLLs and other dependencies to the same directory where the fibratus binary +:: is located to advise Windows on the DLL search path strategy. +move %RELEASE_DIR%\python\*.dll %RELEASE_DIR%\bin + +:: Download env var plugin: https://nsis.sourceforge.io/mediawiki/images/7/7f/EnVar_plugin.zip +FOR /F "usebackq" %%A IN ('%RELEASE_DIR%\bin\fibratus.exe') DO set /a SIZE=%%~zA / 1024 + +makensis /DVERSION=1.0.0 /DINSTALLSIZE=%SIZE% build/package/fibratus.nsi +goto :EOF + +:clean +rm cmd\fibratus\fibratus.exe +goto :EOF \ No newline at end of file diff --git a/pkg-config/python-37.pc b/pkg-config/python-37.pc new file mode 100644 index 000000000..a66bed835 --- /dev/null +++ b/pkg-config/python-37.pc @@ -0,0 +1,11 @@ +prefix=C:/Python37 +exec_prefix=${prefix} +libdir=${exec_prefix}/libs +includedir=${prefix}/include + +Name: Python +Description: Python library +Requires: +Version: 3.7 +Libs: -L${libdir} -lpython37 +Cflags: -I${includedir} -DMS_WIN64 \ No newline at end of file diff --git a/pkg/aggregator/aggregator.go b/pkg/aggregator/aggregator.go new file mode 100644 index 000000000..265de8707 --- /dev/null +++ b/pkg/aggregator/aggregator.go @@ -0,0 +1,187 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package aggregator + +import ( + "errors" + "expvar" + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers" + "github.com/rabbitstack/fibratus/pkg/alertsender" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/outputs" + log "github.com/sirupsen/logrus" + "time" + // initialize outputs + _ "github.com/rabbitstack/fibratus/pkg/outputs/amqp" + _ "github.com/rabbitstack/fibratus/pkg/outputs/console" + _ "github.com/rabbitstack/fibratus/pkg/outputs/elasticsearch" + _ "github.com/rabbitstack/fibratus/pkg/outputs/null" + // initialize alert senders + _ "github.com/rabbitstack/fibratus/pkg/alertsender/mail" + _ "github.com/rabbitstack/fibratus/pkg/alertsender/slack" + // initialize transformers + _ "github.com/rabbitstack/fibratus/pkg/aggregator/transformers/remove" + _ "github.com/rabbitstack/fibratus/pkg/aggregator/transformers/rename" + _ "github.com/rabbitstack/fibratus/pkg/aggregator/transformers/replace" + _ "github.com/rabbitstack/fibratus/pkg/aggregator/transformers/tags" + _ "github.com/rabbitstack/fibratus/pkg/aggregator/transformers/trim" +) + +var ( + // keventsDequeued counts the number of dequeued events + keventsDequeued = expvar.NewInt("kstream.kevents.dequeued") + // flushesCount computes the total count of aggregator flushes + flushesCount = expvar.NewInt("aggregator.flushes.count") + // batchEvents represents the overall number of processed batches + batchEvents = expvar.NewInt("aggregator.batch.events") + // transformerErrors is the count of transformers errors occurred during event processing + transformerErrors = expvar.NewMap("aggregator.transformer.errors") + /// keventErrors is the number of kernel event errors + keventErrors = expvar.NewInt("aggregator.kevent.errors") +) + +// BufferedAggregator collects events from the inbound channel and produces batches on regular intervals. The batches +// are pushed to the work queue from which load-balanced configured workers consume the batches and publish to the outputs. +type BufferedAggregator struct { + kevtsc chan *kevent.Kevent + errsc chan error + stop chan struct{} + flusher *time.Ticker + // queue of inbound kernel events + kevts []*kevent.Kevent + // work queue that forwarder passes to outputs + wq queue + submitter *submitter + transforms []transformers.Transformer + c Config +} + +// NewBuffered creates a new instance of the event aggregator. +func NewBuffered( + kevents chan *kevent.Kevent, + errs chan error, + config Config, + outputConfig outputs.Config, + transformerConfigs []transformers.Config, + alertsenderConfigs []alertsender.Config, +) (*BufferedAggregator, error) { + + flushInterval := config.FlushPeriod + if flushInterval < time.Millisecond*250 { + flushInterval = time.Millisecond * 250 + } + agg := &BufferedAggregator{ + kevtsc: kevents, + kevts: make([]*kevent.Kevent, 0), + errsc: errs, + stop: make(chan struct{}, 1), + flusher: time.NewTicker(flushInterval), + wq: make(chan *kevent.Batch, 0), + c: config, + } + + var err error + agg.submitter, err = newSubmitter(agg.wq, outputConfig) + if err != nil { + return nil, err + } + agg.transforms, err = transformers.LoadAll(transformerConfigs) + if err != nil { + return nil, err + } + + err = alertsender.LoadAll(alertsenderConfigs) + if err != nil { + return nil, err + } + + go agg.run() + + return agg, nil +} + +func (agg *BufferedAggregator) Stop() error { + agg.flusher.Stop() + // flush enqueued events + b := kevent.NewBatch(agg.kevts...) + if b.Len() > 0 { + done := make(chan struct{}, 1) + go func() { + agg.wq <- b + done <- struct{}{} + }() + + select { + case <-done: + close(agg.wq) + case <-time.After(agg.c.FlushTimeout): + return errors.New("fail to flush events after stop timed out") + } + } + + agg.stop <- struct{}{} + + return nil +} + +// run starts the aggregator loop. The aggregator receives kernel event stream from the upstream channel, buffers +// them to intermediate queue and dispatches batches to downstream worker queue. +func (agg *BufferedAggregator) run() { + for { + select { + case <-agg.stop: + err := agg.submitter.shutdown() + if err != nil { + log.Warnf("fail to gracefully close the submitter: %v", err) + } + return + case <-agg.flusher.C: + if len(agg.kevts) == 0 { + continue + } + b := kevent.NewBatch(agg.kevts...) + l := b.Len() + batchEvents.Add(l) + // push the batch to the work queue + if l > 0 { + agg.wq <- b + } + flushesCount.Add(1) + // clear the queue + agg.kevts = nil + case kevt := <-agg.kevtsc: + for _, transformer := range agg.transforms { + if transformer == nil { + continue + } + err := transformer.Transform(kevt) + if err != nil { + log.Warnf("transformer error occurred: %v", err) + transformerErrors.Add(err.Error(), 1) + } + } + // push the event to the queue + agg.kevts = append(agg.kevts, kevt) + keventsDequeued.Add(1) + case err := <-agg.errsc: + keventErrors.Add(1) + log.Errorf("aggregator dispatch failure: %v", err) + } + } +} diff --git a/pkg/aggregator/aggregator_test.go b/pkg/aggregator/aggregator_test.go new file mode 100644 index 000000000..60cc7d38e --- /dev/null +++ b/pkg/aggregator/aggregator_test.go @@ -0,0 +1,76 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package aggregator + +import ( + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/rabbitstack/fibratus/pkg/outputs" + "github.com/rabbitstack/fibratus/pkg/outputs/console" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "net" + "testing" + "time" +) + +func TestNewBufferedAggregator(t *testing.T) { + keventsc := make(chan *kevent.Kevent, 4) + errsc := make(chan error, 1) + agg, err := NewBuffered(keventsc, errsc, Config{FlushPeriod: time.Millisecond * 200}, outputs.Config{Type: outputs.Console, Output: console.Config{Format: "pretty"}}, nil, nil) + require.NoError(t, err) + defer agg.Stop() + + for i := 0; i < 4; i++ { + kevt := &kevent.Kevent{ + Type: ktypes.SendTCPv4, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.NetDport: {Name: kparams.NetDport, Type: kparams.Uint16, Value: uint16(443)}, + kparams.NetSport: {Name: kparams.NetSport, Type: kparams.Uint16, Value: uint16(43123)}, + kparams.NetSIP: {Name: kparams.NetSIP, Type: kparams.IPv4, Value: net.ParseIP("127.0.0.1")}, + kparams.NetDIP: {Name: kparams.NetDIP, Type: kparams.IPv4, Value: net.ParseIP("216.58.201.174")}, + }, + } + keventsc <- kevt + } + <-time.After(time.Millisecond * 255) + assert.Equal(t, int64(4), batchEvents.Value()) + + for i := 0; i < 2; i++ { + kevt := &kevent.Kevent{ + Type: ktypes.SendTCPv4, + Tid: 2484, + PID: 859, + Seq: uint64(i), + Kparams: kevent.Kparams{ + kparams.NetDport: {Name: kparams.NetDport, Type: kparams.Uint16, Value: uint16(443)}, + kparams.NetSport: {Name: kparams.NetSport, Type: kparams.Uint16, Value: uint16(43123)}, + kparams.NetSIP: {Name: kparams.NetSIP, Type: kparams.IPv4, Value: net.ParseIP("127.0.0.1")}, + kparams.NetDIP: {Name: kparams.NetDIP, Type: kparams.IPv4, Value: net.ParseIP("216.58.201.174")}, + }, + } + keventsc <- kevt + } + <-time.After(time.Millisecond * 260) + assert.Equal(t, int64(6), batchEvents.Value()) + assert.Equal(t, int64(2), flushesCount.Value()) +} diff --git a/pkg/aggregator/config.go b/pkg/aggregator/config.go new file mode 100644 index 000000000..ac2c7b9ff --- /dev/null +++ b/pkg/aggregator/config.go @@ -0,0 +1,50 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package aggregator + +import ( + "github.com/spf13/pflag" + "github.com/spf13/viper" + "time" +) + +const ( + flushPeriod = "aggregator.flush-period" + flushTimeout = "aggregator.flush-timeout" +) + +// Config contains aggregator-specific configuration tweaks. +type Config struct { + // FlushPeriod determines the period for flushing batches to outputs. + FlushPeriod time.Duration `json:"aggregator.flush-period" yaml:"aggregator.flush-period"` + // FlushTimeout represents the max time to wait before announcing failed flushing of enqueued events + FlushTimeout time.Duration `json:"aggregator.flush-timeout" yaml:"aggregator.flush-timeout"` +} + +// AddFlags registers persistent aggregator flags. +func AddFlags(flags *pflag.FlagSet) { + flags.Duration(flushPeriod, time.Millisecond*200, "Determines the period for flushing batches to outputs") + flags.Duration(flushTimeout, time.Second*4, "Represents the max time to wait before announcing failed flushing of enqueued events on aggregator shutdown") +} + +// InitFromViper initializes aggregator flags from viper. +func (c *Config) InitFromViper(v *viper.Viper) { + c.FlushPeriod = v.GetDuration(flushPeriod) + c.FlushTimeout = v.GetDuration(flushTimeout) +} diff --git a/pkg/aggregator/submitter.go b/pkg/aggregator/submitter.go new file mode 100644 index 000000000..528f7c20d --- /dev/null +++ b/pkg/aggregator/submitter.go @@ -0,0 +1,57 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package aggregator + +import ( + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/outputs" +) + +// queue defines the type alias for the batch worker queue +type queue chan *kevent.Batch + +// submitter initializes a group of load balanced output producers. +type submitter struct { + wq queue + workers []*worker +} + +func newSubmitter(wq queue, outputConfig outputs.Config) (*submitter, error) { + output, err := outputs.Load(outputConfig.Type, outputConfig) + if err != nil { + return nil, err + } + clients := output.Clients + workers := make([]*worker, len(clients)) + + for i, client := range clients { + workers[i] = initWorker(wq, client) + } + + return &submitter{wq: wq, workers: workers}, nil +} + +func (s *submitter) shutdown() error { + for _, w := range s.workers { + if err := w.close(); err != nil { + return err + } + } + return nil +} diff --git a/pkg/aggregator/transformers/config.go b/pkg/aggregator/transformers/config.go new file mode 100644 index 000000000..41f9d60a3 --- /dev/null +++ b/pkg/aggregator/transformers/config.go @@ -0,0 +1,30 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package transformers + +import "fmt" + +// ErrInvalidConfig signals an invalid configuration input +var ErrInvalidConfig = func(name Type) error { return fmt.Errorf("invalid config for %q transformer", name) } + +// Config acts as a container for the transformer configuration structures. +type Config struct { + Type Type + Transformer interface{} +} diff --git a/pkg/aggregator/transformers/remove/config.go b/pkg/aggregator/transformers/remove/config.go new file mode 100644 index 000000000..1362a983f --- /dev/null +++ b/pkg/aggregator/transformers/remove/config.go @@ -0,0 +1,40 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package remove + +import "github.com/spf13/pflag" + +const ( + kpars = "transformers.remove.kparams" + enabled = "transformers.remove.enabled" +) + +// Config stores the configuration for the remove transformer. +type Config struct { + // Kparams is the list of parameters that are dropped from the event. + Kparams []string `mapstructure:"kparams"` + // Enabled indicates whether this transformer is enabled + Enabled bool `mapstructure:"enabled"` +} + +// AddFlags registers persistent flags. +func AddFlags(flags *pflag.FlagSet) { + flags.StringSlice(kpars, []string{}, "A list of comma-separated parameters that will be removed from the event") + flags.Bool(enabled, false, "Indicates if remove transformer is enabled") +} diff --git a/pkg/aggregator/transformers/remove/remove.go b/pkg/aggregator/transformers/remove/remove.go new file mode 100644 index 000000000..61e4da16d --- /dev/null +++ b/pkg/aggregator/transformers/remove/remove.go @@ -0,0 +1,52 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package remove + +import ( + "expvar" + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers" + "github.com/rabbitstack/fibratus/pkg/kevent" +) + +var removedCount = expvar.NewInt("transformers.removed.params") + +//remove transformer deletes kparams that are given in the list. +type remove struct { + c Config +} + +func init() { + transformers.Register(transformers.Remove, initRemoveTransformer) +} + +func initRemoveTransformer(config transformers.Config) (transformers.Transformer, error) { + cfg, ok := config.Transformer.(Config) + if !ok { + return nil, transformers.ErrInvalidConfig(transformers.Remove) + } + return &remove{c: cfg}, nil +} + +func (r remove) Transform(kevt *kevent.Kevent) error { + for _, kpar := range r.c.Kparams { + delete(kevt.Kparams, kpar) + removedCount.Add(1) + } + return nil +} diff --git a/pkg/aggregator/transformers/remove/remove_test.go b/pkg/aggregator/transformers/remove/remove_test.go new file mode 100644 index 000000000..75dfbb4ec --- /dev/null +++ b/pkg/aggregator/transformers/remove/remove_test.go @@ -0,0 +1,53 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package remove + +import ( + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "net" + "testing" +) + +func TestTransform(t *testing.T) { + kevt := &kevent.Kevent{ + Type: ktypes.SendTCPv4, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.NetDport: {Name: kparams.NetDport, Type: kparams.Uint16, Value: uint16(443)}, + kparams.NetSport: {Name: kparams.NetSport, Type: kparams.Uint16, Value: uint16(43123)}, + kparams.NetSIP: {Name: kparams.NetSIP, Type: kparams.IPv4, Value: net.ParseIP("127.0.0.1")}, + kparams.NetDIP: {Name: kparams.NetDIP, Type: kparams.IPv4, Value: net.ParseIP("216.58.201.174")}, + }, + } + assert.Len(t, kevt.Kparams, 4) + + transf, err := transformers.Load(transformers.Config{Type: transformers.Remove, Transformer: Config{Kparams: []string{"dip", "sport", "foo"}}}) + require.NoError(t, err) + err = transf.Transform(kevt) + + require.NoError(t, err) + + assert.Len(t, kevt.Kparams, 2) +} diff --git a/pkg/aggregator/transformers/rename/config.go b/pkg/aggregator/transformers/rename/config.go new file mode 100644 index 000000000..b0b742dee --- /dev/null +++ b/pkg/aggregator/transformers/rename/config.go @@ -0,0 +1,44 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package rename + +import "github.com/spf13/pflag" + +const ( + enabled = "transformers.rename.enabled" +) + +// Rename describes the configuration for the old/new parameter name. +type Rename struct { + Old string `mapstructure:"old"` + New string `mapstructure:"new"` +} + +// Config stores the configuration of the rename transformer. +type Config struct { + // Kparams is the list of parameters that will be renamed. + Kparams []Rename + // Enabled indicates whether this transformer is enabled. + Enabled bool +} + +// AddFlags registers persistent flags. +func AddFlags(flags *pflag.FlagSet) { + flags.Bool(enabled, false, "Indicates if the rename transformer is enabled") +} diff --git a/pkg/aggregator/transformers/rename/rename.go b/pkg/aggregator/transformers/rename/rename.go new file mode 100644 index 000000000..7f89cb977 --- /dev/null +++ b/pkg/aggregator/transformers/rename/rename.go @@ -0,0 +1,54 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package rename + +import ( + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers" + "github.com/rabbitstack/fibratus/pkg/kevent" +) + +// rename as it name implies, it renames a sequence of kparams to their new names. +type rename struct { + c Config +} + +func init() { + transformers.Register(transformers.Rename, initRenameTransformer) +} + +func initRenameTransformer(config transformers.Config) (transformers.Transformer, error) { + cfg, ok := config.Transformer.(Config) + if !ok { + return nil, transformers.ErrInvalidConfig(transformers.Rename) + } + return &rename{c: cfg}, nil +} + +func (r rename) Transform(kevt *kevent.Kevent) error { + for _, par := range r.c.Kparams { + kpar, ok := kevt.Kparams[par.Old] + if !ok { + continue + } + kevt.Kparams.Remove(par.Old) + kpar.Name = par.New + kevt.Kparams[par.New] = kpar + } + return nil +} diff --git a/pkg/aggregator/transformers/rename/rename_test.go b/pkg/aggregator/transformers/rename/rename_test.go new file mode 100644 index 000000000..ff74f4374 --- /dev/null +++ b/pkg/aggregator/transformers/rename/rename_test.go @@ -0,0 +1,56 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package rename + +import ( + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "net" + "testing" +) + +func TestTransform(t *testing.T) { + kevt := &kevent.Kevent{ + Type: ktypes.SendTCPv4, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.NetDport: {Name: kparams.NetDport, Type: kparams.Uint16, Value: uint16(443)}, + kparams.NetSport: {Name: kparams.NetSport, Type: kparams.Uint16, Value: uint16(43123)}, + kparams.NetSIP: {Name: kparams.NetSIP, Type: kparams.IPv4, Value: net.ParseIP("127.0.0.1")}, + kparams.NetDIP: {Name: kparams.NetDIP, Type: kparams.IPv4, Value: net.ParseIP("216.58.201.174")}, + }, + Metadata: make(map[string]string), + } + + transf, err := transformers.Load(transformers.Config{Type: transformers.Rename, Transformer: Config{Kparams: []Rename{{Old: "dport", New: "dstport"}, {Old: "sip", New: "srcip"}}}}) + require.NoError(t, err) + + require.NoError(t, transf.Transform(kevt)) + + assert.True(t, kevt.Kparams.Contains("dstport")) + assert.False(t, kevt.Kparams.Contains("dport")) + assert.True(t, kevt.Kparams.Contains("srcip")) + assert.False(t, kevt.Kparams.Contains("sip")) + +} diff --git a/pkg/aggregator/transformers/replace/config.go b/pkg/aggregator/transformers/replace/config.go new file mode 100644 index 000000000..ea8c65cfd --- /dev/null +++ b/pkg/aggregator/transformers/replace/config.go @@ -0,0 +1,45 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package replace + +import "github.com/spf13/pflag" + +const ( + enabled = "transformers.replace.enabled" +) + +// Config stores the configuration for the replace transformer +type Config struct { + // Replacements describes a list of replacements that are applied on the kparam. + Replacements []Replacement `mapstructure:"replacements"` + // Enabled indicates whether this transformer is enabled + Enabled bool `mapstructure:"enabled"` +} + +// Replacement defines the string replacement config for a specific kparam. +type Replacement struct { + Kpar string `mapstructure:"kparam"` + Old string `mapstructure:"old"` + New string `mapstructure:"new"` +} + +// AddFlags registers persistent flags. +func AddFlags(flags *pflag.FlagSet) { + flags.Bool(enabled, false, "Indicates if the replace transformer is enabled") +} diff --git a/pkg/aggregator/transformers/replace/replace.go b/pkg/aggregator/transformers/replace/replace.go new file mode 100644 index 000000000..b899374d9 --- /dev/null +++ b/pkg/aggregator/transformers/replace/replace.go @@ -0,0 +1,68 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package replace + +import ( + "expvar" + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "strings" +) + +var replaceCount = expvar.NewInt("transformers.replaced.params") + +// replace applies string substitutions in kpar values. +type replace struct { + c Config +} + +func init() { + transformers.Register(transformers.Replace, initReplaceTransformer) +} + +func initReplaceTransformer(config transformers.Config) (transformers.Transformer, error) { + cfg, ok := config.Transformer.(Config) + if !ok { + return nil, transformers.ErrInvalidConfig(transformers.Replace) + } + return &replace{c: cfg}, nil +} + +func (r replace) Transform(kevt *kevent.Kevent) error { + for _, repl := range r.c.Replacements { + kpar := kevt.Kparams.Find(repl.Kpar) + + if kpar == nil { + continue + } + if kpar.Type != kparams.AnsiString && kpar.Type != kparams.UnicodeString { + continue + } + + val, ok := kpar.Value.(string) + if !ok { + continue + } + kpar.Value = strings.ReplaceAll(val, repl.Old, repl.New) + + replaceCount.Add(1) + } + return nil +} diff --git a/pkg/aggregator/transformers/replace/replace_test.go b/pkg/aggregator/transformers/replace/replace_test.go new file mode 100644 index 000000000..785eb21db --- /dev/null +++ b/pkg/aggregator/transformers/replace/replace_test.go @@ -0,0 +1,50 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package replace + +import ( + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "testing" +) + +func TestTransform(t *testing.T) { + kevt := &kevent.Kevent{ + Type: ktypes.RegCreateKey, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.RegKeyName: {Name: kparams.RegKeyName, Type: kparams.UnicodeString, Value: `HKEY_LOCAL_MACHINE\SYSTEM\Setup\Pid`}, + kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.HexInt64, Value: kparams.NewHex(uint64(18446666033449935464))}, + }, + } + + transf, err := transformers.Load(transformers.Config{Type: transformers.Replace, Transformer: Config{Replacements: []Replacement{{Kpar: "key_name", Old: "HKEY_LOCAL_MACHINE", New: "HKLM"}}}}) + require.NoError(t, err) + + require.NoError(t, transf.Transform(kevt)) + + keyName, _ := kevt.Kparams.GetString(kparams.RegKeyName) + + assert.Equal(t, `HKLM\SYSTEM\Setup\Pid`, keyName) +} diff --git a/pkg/aggregator/transformers/tags/config.go b/pkg/aggregator/transformers/tags/config.go new file mode 100644 index 000000000..b520ae531 --- /dev/null +++ b/pkg/aggregator/transformers/tags/config.go @@ -0,0 +1,46 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package tags + +import ( + "github.com/spf13/pflag" +) + +const ( + enabled = "transformers.tags.enabled" +) + +// Tag represents a distinct tag with its key and value attached. +type Tag struct { + Key string `mapstructure:"key"` + Value string `mapstructure:"value"` +} + +// Config stores the configuration for the tags transformer +type Config struct { + // Tags is the sequence of key/value pairs that are added to the event + Tags []Tag `mapstructure:"tags"` + // Enabled indicates whether this transformer is enabled + Enabled bool `mapstructure:"enabled"` +} + +// AddFlags registers persistent flags. +func AddFlags(flags *pflag.FlagSet) { + flags.Bool(enabled, false, "Indicates if the tags transformer is enabled") +} diff --git a/pkg/aggregator/transformers/tags/tags.go b/pkg/aggregator/transformers/tags/tags.go new file mode 100644 index 000000000..bc66391e3 --- /dev/null +++ b/pkg/aggregator/transformers/tags/tags.go @@ -0,0 +1,68 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package tags + +import ( + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers" + "github.com/rabbitstack/fibratus/pkg/kevent" + "os" + "strings" +) + +// tags transformer appends tags to the event's metadata. It is capable of adding literal values as well as +// tags that are stored in environment variables. +type tags struct { + tags map[string]string +} + +func init() { + transformers.Register(transformers.Tags, initTagsTransformer) +} + +func initTagsTransformer(config transformers.Config) (transformers.Transformer, error) { + cfg, ok := config.Transformer.(Config) + if !ok { + return nil, transformers.ErrInvalidConfig(transformers.Tags) + } + + ktags := make(map[string]string) + + for _, tag := range cfg.Tags { + // if the value is enclosed within % symbols this means + // we have to expand it from the environ variable + key, val := tag.Key, tag.Value + if len(val) == 0 { + continue + } + if val[0] == '%' && val[len(val)-1] == '%' { + ktags[key] = os.Getenv(strings.ReplaceAll(val, "%", "")) + continue + } + ktags[key] = val + } + + return &tags{tags: ktags}, nil +} + +func (t tags) Transform(kevt *kevent.Kevent) error { + for k, v := range t.tags { + kevt.AddMeta(k, v) + } + return nil +} diff --git a/pkg/aggregator/transformers/tags/tags_test.go b/pkg/aggregator/transformers/tags/tags_test.go new file mode 100644 index 000000000..9a1077a9e --- /dev/null +++ b/pkg/aggregator/transformers/tags/tags_test.go @@ -0,0 +1,58 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package tags + +import ( + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "net" + "os" + "testing" +) + +func TestTransform(t *testing.T) { + kevt := &kevent.Kevent{ + Type: ktypes.SendTCPv4, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.NetDport: {Name: kparams.NetDport, Type: kparams.Uint16, Value: uint16(443)}, + kparams.NetSport: {Name: kparams.NetSport, Type: kparams.Uint16, Value: uint16(43123)}, + kparams.NetSIP: {Name: kparams.NetSIP, Type: kparams.IPv4, Value: net.ParseIP("127.0.0.1")}, + kparams.NetDIP: {Name: kparams.NetDIP, Type: kparams.IPv4, Value: net.ParseIP("216.58.201.174")}, + }, + Metadata: make(map[string]string), + } + require.NoError(t, os.Setenv("NODENAME", "archbunny")) + transf, err := transformers.Load(transformers.Config{Type: transformers.Tags, Transformer: Config{Tags: []Tag{{Key: "env", Value: "staging"}, {Key: "zone", Value: "dmz"}, {Key: "node", Value: "%NODENAME%"}}}}) + require.NoError(t, err) + + require.NoError(t, transf.Transform(kevt)) + + require.Len(t, kevt.Metadata, 3) + require.Contains(t, kevt.Metadata, "env") + + assert.Equal(t, "dmz", kevt.Metadata["zone"]) + + assert.Equal(t, "archbunny", kevt.Metadata["node"]) +} diff --git a/pkg/aggregator/transformers/transformer.go b/pkg/aggregator/transformers/transformer.go new file mode 100644 index 000000000..8235112d9 --- /dev/null +++ b/pkg/aggregator/transformers/transformer.go @@ -0,0 +1,99 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package transformers + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/kevent" +) + +var transformers = map[Type]Factory{} + +// Factory defines the function for transformer factories +type Factory func(config Config) (Transformer, error) + +// Type defines the alias for the transformer types +type Type uint8 + +const ( + // Remove represents the remove transformer type. This transformer deletes the given list of parameters from the event. + Remove Type = iota + // Rename represents the rename transformer type. It renames a sequence of kparam from old to new names. + Rename + // Replace represents the replace tranformer type. It applies string replacements on specific kparams. + Replace + // Trim represents the trim transformer type that that removes suffix/prefix from string kparams. + Trim + // Tags represents the tags transformer type. This transformer appends tags to the event's metadata. + Tags +) + +// String returns the type human-readable name. +func (typ Type) String() string { + switch typ { + case Remove: + return "remove" + case Rename: + return "rename" + case Replace: + return "replace" + case Trim: + return "trim" + case Tags: + return "tags" + default: + return "unknown" + } +} + +// Register registers a singleton instance of the provided transformer. +func Register(typ Type, factory Factory) { + if _, ok := transformers[typ]; ok { + panic(fmt.Sprintf("output %q is already registered", typ)) + } + transformers[typ] = factory +} + +// LoadAll loads all transformers from the configuration inputs. +func LoadAll(configs []Config) ([]Transformer, error) { + transformers := make([]Transformer, len(configs)) + for i, config := range configs { + transformer, err := Load(config) + if err != nil { + return nil, err + } + transformers[i] = transformer + } + return transformers, nil +} + +// Load loads a single transformer from the configuration. +func Load(config Config) (Transformer, error) { + typ := config.Type + factory := transformers[typ] + if factory == nil { + return nil, fmt.Errorf("%q transformer not availaible in the factory", typ) + } + return factory(config) +} + +// Transformer is the minimal interface all transformers have to satisfy. +type Transformer interface { + Transform(*kevent.Kevent) error +} diff --git a/pkg/aggregator/transformers/trim/config.go b/pkg/aggregator/transformers/trim/config.go new file mode 100644 index 000000000..60f56c6a4 --- /dev/null +++ b/pkg/aggregator/transformers/trim/config.go @@ -0,0 +1,46 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package trim + +import "github.com/spf13/pflag" + +const ( + enabled = "transformers.trim.enabled" +) + +// Trim defines the trim configuration for a single event parameter. +type Trim struct { + Name string `mapstructure:"kparam"` + Trim string `mapstructure:"trim"` +} + +// Config stores the configuration for the trim transformer. +type Config struct { + // Prefixes contains the mapping between distinct kparam names and the prefixes that will get trimmed from their values. + Prefixes []Trim `mapstructure:"prefixes"` + // Suffixes contains the mapping between distinct kparam names and the suffixes that will get trimmed from their values. + Suffixes []Trim `mapstructure:"suffixes"` + // Enabled determines whether trim transformer is enabled or disabled. + Enabled bool `mapstructure:"enabled"` +} + +// AddFlags registers persistent flags. +func AddFlags(flags *pflag.FlagSet) { + flags.Bool(enabled, false, "Indicates if the trim transformer is enabled") +} diff --git a/pkg/aggregator/transformers/trim/trim.go b/pkg/aggregator/transformers/trim/trim.go new file mode 100644 index 000000000..01a37de1b --- /dev/null +++ b/pkg/aggregator/transformers/trim/trim.go @@ -0,0 +1,74 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package trim + +import ( + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "strings" +) + +// trim transformer trims suffixes/prefixes from kpar values. +type trim struct { + c Config +} + +func init() { + transformers.Register(transformers.Trim, initTrimTransformer) +} + +func initTrimTransformer(config transformers.Config) (transformers.Transformer, error) { + cfg, ok := config.Transformer.(Config) + if !ok { + return nil, transformers.ErrInvalidConfig(transformers.Trim) + } + return &trim{c: cfg}, nil +} + +func (r trim) Transform(kevt *kevent.Kevent) error { + for _, kpar := range kevt.Kparams { + if kpar.Type != kparams.AnsiString && kpar.Type != kparams.UnicodeString { + continue + } + // trim prefixes + for _, par := range r.c.Prefixes { + if kpar.Name != par.Name { + continue + } + s, ok := kpar.Value.(string) + if !ok { + continue + } + kpar.Value = strings.TrimPrefix(s, par.Trim) + } + // trim suffixes + for _, par := range r.c.Suffixes { + if kpar.Name != par.Name { + continue + } + s, ok := kpar.Value.(string) + if !ok { + continue + } + kpar.Value = strings.TrimSuffix(s, par.Trim) + } + } + return nil +} diff --git a/pkg/aggregator/transformers/trim/trim_test.go b/pkg/aggregator/transformers/trim/trim_test.go new file mode 100644 index 000000000..0216a0965 --- /dev/null +++ b/pkg/aggregator/transformers/trim/trim_test.go @@ -0,0 +1,67 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package trim + +import ( + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "testing" + "time" +) + +func TestTransform(t *testing.T) { + kevt := &kevent.Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 859, + CPU: 1, + Seq: 2, + Name: "CreateFile", + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: kevent.Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "overwriteif"}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)}, + kparams.KstackLimit: {Name: kparams.KstackLimit, Type: kparams.HexInt8, Value: kparams.Hex("ff")}, + kparams.StartTime: {Name: kparams.StartTime, Type: kparams.Time, Value: time.Now()}, + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(1204)}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "barz"}, + } + + transf, err := transformers.Load(transformers.Config{Type: transformers.Trim, Transformer: Config{Prefixes: []Trim{{Name: "file_name", Trim: "\\Device"}}, Suffixes: []Trim{{Name: "operation", Trim: "if"}}}}) + require.NoError(t, err) + + require.NoError(t, transf.Transform(kevt)) + filename, _ := kevt.Kparams.GetString(kparams.FileName) + dispo, _ := kevt.Kparams.GetString(kparams.FileOperation) + + assert.Equal(t, "\\HarddiskVolume2\\Windows\\system32\\user32.dll", filename) + assert.Equal(t, "overwrite", dispo) + +} diff --git a/pkg/aggregator/worker.go b/pkg/aggregator/worker.go new file mode 100644 index 000000000..ca2f979cf --- /dev/null +++ b/pkg/aggregator/worker.go @@ -0,0 +1,70 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package aggregator + +import ( + "expvar" + "github.com/rabbitstack/fibratus/pkg/outputs" + log "github.com/sirupsen/logrus" + "time" +) + +// maxBackoff determines the maximum exponential backoff wait time before reconnecting the client +const maxBackoff = time.Minute + +var clientPublishErrors = expvar.NewInt("aggregator.worker.client.publish.errors") + +type worker struct { + qu queue + client outputs.Client + backoff time.Duration +} + +func initWorker(q queue, client outputs.Client) *worker { + w := &worker{qu: q, client: client, backoff: time.Second * 2} + go w.run() + return w +} + +func (w *worker) run() { + for { + err := w.client.Connect() + if err != nil { + // schedule an exponential backoff reconnect strategy for the client + w.backoff *= 2 + log.Warnf("fail to connect the client: %v. Reconnecting in %v...", err, w.backoff) + if w.backoff > maxBackoff { + w.backoff = maxBackoff + } + <-time.After(w.backoff) + continue + } + break + } + for batch := range w.qu { + if err := w.client.Publish(batch); err != nil { + clientPublishErrors.Add(1) + log.Warnf("couldn't publish batch to client: %v", err) + } + } +} + +func (w *worker) close() error { + return w.client.Close() +} diff --git a/pkg/aggregator/worker_test.go b/pkg/aggregator/worker_test.go new file mode 100644 index 000000000..26fd9b4c9 --- /dev/null +++ b/pkg/aggregator/worker_test.go @@ -0,0 +1,108 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package aggregator + +import ( + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/stretchr/testify/assert" + "net/http" + "net/http/httptest" + "testing" + "time" +) + +type httpClient struct { + url string + published int + expectedPublished int + wait chan struct{} +} + +func (c *httpClient) Connect() error { + _, err := http.Get(c.url + "/connect") + return err +} + +func (c *httpClient) Close() error { return nil } + +func (c *httpClient) Publish(b *kevent.Batch) error { + _, err := http.Post(c.url+"/publish", "application/json", nil) + if err != nil { + return err + } + c.published++ + if c.published == c.expectedPublished { + c.wait <- struct{}{} + } + return nil +} + +func TestRunWorker(t *testing.T) { + q := make(chan *kevent.Batch, 2) + q <- &kevent.Batch{} + q <- &kevent.Batch{} + + mux := http.NewServeMux() + mux.HandleFunc("/publish", func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + }) + + srv := httptest.NewServer(mux) + defer srv.Close() + + client := &httpClient{url: srv.URL, wait: make(chan struct{}, 1), expectedPublished: 2} + + w := initWorker(q, client) + defer w.close() + + <-client.wait + + assert.Equal(t, 2, client.published) +} + +func TestConnectClientBackoff(t *testing.T) { + q := make(chan *kevent.Batch, 2) + q <- &kevent.Batch{} + q <- &kevent.Batch{} + + mux := http.NewServeMux() + mux.HandleFunc("/publish", func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + }) + mux.HandleFunc("/connect", func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + }) + + srv := httptest.NewUnstartedServer(mux) + defer srv.Close() + + client := &httpClient{url: srv.URL, wait: make(chan struct{}, 1), expectedPublished: 2} + + go time.AfterFunc(time.Second*3, func() { + srv.Start() + client.url = srv.URL + }) + + w := initWorker(q, client) + defer w.close() + + <-client.wait + + assert.Equal(t, 2, client.published) +} diff --git a/pkg/alertsender/alert.go b/pkg/alertsender/alert.go new file mode 100644 index 000000000..95a623c62 --- /dev/null +++ b/pkg/alertsender/alert.go @@ -0,0 +1,83 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package alertsender + +import "fmt" + +// Severity is the type alias for alert's severity level. +type Severity uint8 + +const ( + // Normal designates alert's normal level + Normal Severity = iota + // Medium designates alert's medium level + Medium + // Critical designates alert's critical level + Critical +) + +// String returns severity human-friendly name. +func (s Severity) String() string { + switch s { + case Normal: + return "normal" + case Medium: + return "medium" + case Critical: + return "critical" + default: + return "unknown" + } +} + +// ParseSeverityFromString parses the severity from the string representation. +func ParseSeverityFromString(sever string) Severity { + switch sever { + case "normal", "Normal": + return Normal + case "medium", "Medium": + return Medium + case "critical", "Critical": + return Critical + default: + return Normal + } +} + +// Alert encapsulates the state of an alert. +type Alert struct { + // Title is the short title that summarizes the purpose of the alert. + Title string + // Text is the longer textual content that further explains what this alert is about. + Text string + // Tags contains a sequence of tags for categorizing the alerts. + Tags []string + // Severity determines the severity of this alert. + Severity Severity +} + +// String returns the alert string representation. +func (a Alert) String() string { + return fmt.Sprintf("Title: %s, Text: %s, Severity: %s, Tags: %v", a.Title, a.Text, a.Severity, a.Tags) +} + +// NewAlert builds a new alert. +func NewAlert(title, text string, tags []string, severity Severity) Alert { + return Alert{Title: title, Text: text, Tags: tags, Severity: severity} +} diff --git a/pkg/alertsender/config.go b/pkg/alertsender/config.go new file mode 100644 index 000000000..5052c4f6e --- /dev/null +++ b/pkg/alertsender/config.go @@ -0,0 +1,25 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package alertsender + +// Config is the container for the alert sender configuration structure. +type Config struct { + Type Type + Sender interface{} +} diff --git a/pkg/alertsender/mail/config.go b/pkg/alertsender/mail/config.go new file mode 100644 index 000000000..368c5778d --- /dev/null +++ b/pkg/alertsender/mail/config.go @@ -0,0 +1,60 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package mail + +import "github.com/spf13/pflag" + +const ( + host = "alertsenders.mail.host" + port = "alertsenders.mail.port" + user = "alertsenders.mail.user" + pass = "alertsenders.mail.password" + from = "alertsenders.mail.from" + to = "alertsenders.mail.to" + enabled = "alertsenders.mail.enabled" +) + +// Config contains the configuration for the mail alert sender. +type Config struct { + // Host is the host of the SMTP server. + Host string `mapstructure:"host"` + // Port is the port of the SMTP server. + Port int `mapstructure:"port"` + // User specifies the user name when authenticating to the SMTP server. + User string `mapstructure:"user"` + // Pass specifies the password when authenticating to the SMTP server. + Pass string `mapstructure:"password"` + // From specifies the sender address. + From string `mapstructure:"from"` + // To specifies recipients that receive the alert. + To []string `mapstructure:"to"` + // Enabled indicates whether mail alert sender is enabled + Enabled bool `mapstructure:"enabled"` +} + +// AddFlags registers persistent flags. +func AddFlags(flags *pflag.FlagSet) { + flags.String(host, "", "Represents the host of the SMTP server") + flags.Int(port, 25, "Represents the port of the SMTP server") + flags.String(user, "", "Specifies the user name when authenticating to the SMTP server") + flags.String(pass, "", "Specifies the password when authenticating to the SMTP server") + flags.String(from, "", "Specifies the sender's address") + flags.StringSlice(to, []string{}, "Specifies all the recipients that'll receive the alert") + flags.Bool(enabled, false, "Indicates whether mail alert sender is enabled") +} diff --git a/pkg/alertsender/mail/mail.go b/pkg/alertsender/mail/mail.go new file mode 100644 index 000000000..acd46f120 --- /dev/null +++ b/pkg/alertsender/mail/mail.go @@ -0,0 +1,61 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package mail + +import ( + "github.com/rabbitstack/fibratus/pkg/alertsender" + "gopkg.in/gomail.v2" +) + +type mail struct { + dialer *gomail.Dialer + c Config +} + +func init() { + alertsender.Register(alertsender.Mail, makeSender) +} + +// makeSender constructs a new instance of the email alert sender. +func makeSender(config alertsender.Config) (alertsender.Sender, error) { + c, ok := config.Sender.(Config) + if !ok { + return nil, alertsender.ErrInvalidConfig(alertsender.Mail) + } + dialer := gomail.NewDialer(c.Host, c.Port, c.User, c.Pass) + return &mail{dialer: dialer, c: c}, nil +} + +func (s mail) Send(alert alertsender.Alert) error { + sender, err := s.dialer.Dial() + if err != nil { + return err + } + defer sender.Close() + return gomail.Send(sender, composeMessage(s.c.From, s.c.To, alert)) +} + +func composeMessage(from string, to []string, alert alertsender.Alert) *gomail.Message { + msg := gomail.NewMessage() + msg.SetHeader("From", from) + msg.SetHeader("To", to...) + msg.SetHeader("Subject", alert.Title) + msg.SetBody("text/plain", alert.Text) + return msg +} diff --git a/pkg/alertsender/sender.go b/pkg/alertsender/sender.go new file mode 100644 index 000000000..261f35bf3 --- /dev/null +++ b/pkg/alertsender/sender.go @@ -0,0 +1,122 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package alertsender + +import "fmt" + +// ErrInvalidConfig signals an invalid sender config +var ErrInvalidConfig = func(name Type) error { return fmt.Errorf("invalid config for %q sender", name) } + +var factories = map[Type]Factory{} +var alertsenders = map[Type]Sender{} + +// Factory defines the alias for the alert sender factory +type Factory func(config Config) (Sender, error) + +// Type defines the alias for the alert sender type +type Type uint8 + +const ( + // Mail designates mail alert sender + Mail Type = iota + // Slack designates Slack alert sender + Slack + // Noop is a noop alert sender. Useful for testing. + Noop + // None is the type for unknown alert sender + None +) + +// String returns the string representation of the alert sender type. +func (s Type) String() string { + switch s { + case Mail: + return "mail" + case Slack: + return "slack" + case Noop: + return "noop" + default: + return "none" + } +} + +// Sender is the minimal interface all alert senders have to implement. +type Sender interface { + // Send emits an alert. + Send(Alert) error +} + +// ToType converts the string representation of the alert sender to its corresponding type. +func ToType(s string) Type { + switch s { + case "mail": + return Mail + case "slack": + return Slack + case "noop": + return Noop + default: + return None + } +} + +// Register registers a new alert sender. +func Register(typ Type, factory Factory) { + if _, ok := factories[typ]; ok { + panic(fmt.Sprintf("%q alert sender is already registered", typ)) + } + factories[typ] = factory +} + +// Find locates the sender. +func Find(typ Type) Sender { + return alertsenders[typ] +} + +// FindAll returns all registered senders. +func FindAll() []Sender { + senders := make([]Sender, 0, len(alertsenders)) + for _, s := range alertsenders { + senders = append(senders, s) + } + return senders +} + +// Load loads an alert sender from the registry. +func Load(config Config) (Sender, error) { + typ := config.Type + factory := factories[typ] + if factory == nil { + return nil, fmt.Errorf("%q alert sender not availaible in the factory", typ) + } + return factory(config) +} + +// LoadAll loads all alert senders from the configuration inputs. +func LoadAll(configs []Config) error { + for _, config := range configs { + alertsender, err := Load(config) + if err != nil { + return fmt.Errorf("fail to load %q alertsender: %v", config.Type, err) + } + alertsenders[config.Type] = alertsender + } + return nil +} diff --git a/pkg/alertsender/slack/config.go b/pkg/alertsender/slack/config.go new file mode 100644 index 000000000..76cd4471d --- /dev/null +++ b/pkg/alertsender/slack/config.go @@ -0,0 +1,52 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package slack + +import "github.com/spf13/pflag" + +const ( + enabled = "alertsenders.slack.enabled" + url = "alertsenders.slack.url" + workspace = "alertsenders.slack.workspace" + channel = "alertsenders.slack.channel" + botemoji = "alertsenders.slack.emoji" +) + +// Config stores the settings that dictate the behaviour of the Slack alert sender. +type Config struct { + // URL represents the Webhook URL of the workspace where alerts will be dispatched. + URL string `mapstructure:"url"` + // Workspace designates the Slack workspace where alerts will be routed. + Workspace string `mapstructure:"workspace"` + // Channel is the slack channel in which to post alerts. + Channel string `mapstructure:"channel"` + // BotEmoji is the emoji icon for the Slack bot. + BotEmoji string `mapstructure:"emoji"` + // Enabled determines if Slack alert sender is enabled. + Enabled bool `mapstructure:"enabled"` +} + +// AddFlags registers persistent flags. +func AddFlags(flags *pflag.FlagSet) { + flags.Bool(enabled, false, "Determines whether Slack alert sender is enabled") + flags.String(url, "", "Represents the Webhook URL of the workspace where alerts will be dispatched") + flags.String(workspace, "", "Designates the Slack workspace where alerts will be routed") + flags.String(channel, "", "Represents the slack channel in which to post alerts") + flags.String(botemoji, "", "Represents the emoji icon for the Slack bot") +} diff --git a/pkg/alertsender/slack/slack.go b/pkg/alertsender/slack/slack.go new file mode 100644 index 000000000..a1a7849f1 --- /dev/null +++ b/pkg/alertsender/slack/slack.go @@ -0,0 +1,129 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package slack + +import ( + "bytes" + "encoding/json" + "errors" + "fmt" + "github.com/rabbitstack/fibratus/pkg/alertsender" + "io/ioutil" + "net" + "net/http" + "time" +) + +const botName = "fibratus" + +type slack struct { + client *http.Client + config Config +} + +// attachment represents Slack attachment info +type attachment struct { + Fallback string `json:"fallback"` + Color string `json:"color"` + Text string `json:"text"` + Mdin []string `json:"mrkdwn_in"` +} + +func init() { + alertsender.Register(alertsender.Slack, makeSender) +} + +// makeSender constructs a new instance of the Slack alert sender. +func makeSender(config alertsender.Config) (alertsender.Sender, error) { + c, ok := config.Sender.(Config) + if !ok { + return nil, alertsender.ErrInvalidConfig(alertsender.Slack) + + } + client := &http.Client{ + Transport: &http.Transport{ + DialContext: (&net.Dialer{ + Timeout: 10 * time.Second, + KeepAlive: 30 * time.Second, + }).DialContext, + IdleConnTimeout: 90 * time.Second, + TLSHandshakeTimeout: 10 * time.Second, + }, + } + return &slack{config: c, client: client}, nil +} + +func (s slack) Send(alert alertsender.Alert) error { + var color string + switch alert.Severity { + case alertsender.Medium: + color = "warning" + case alertsender.Critical: + color = "danger" + default: + color = "good" + } + + attach := attachment{ + Fallback: alert.Text, + Text: alert.Text, + Color: color, + Mdin: []string{"text"}, + } + + params := make(map[string]interface{}) + params["as_user"] = false + params["channel"] = s.config.Channel + params["text"] = "" + params["attachments"] = []attachment{attach} + params["username"] = botName + if s.config.BotEmoji != "" { + params["icon_emoji"] = s.config.BotEmoji + } + + var body bytes.Buffer + enc := json.NewEncoder(&body) + err := enc.Encode(params) + if err != nil { + return nil + } + + resp, err := s.client.Post(s.config.URL, "application/json", &body) + if err != nil { + return err + } + defer resp.Body.Close() + if resp.StatusCode != http.StatusOK { + body, err := ioutil.ReadAll(resp.Body) + if err != nil { + return err + } + type response struct { + Error string `json:"error"` + } + r := &response{Error: fmt.Sprintf("failed to send alert to Slack. code: %d content: %s", resp.StatusCode, string(body))} + b := bytes.NewReader(body) + dec := json.NewDecoder(b) + if err := dec.Decode(r); err != nil { + return err + } + return errors.New(r.Error) + } + return nil +} diff --git a/pkg/api/handler/config.go b/pkg/api/handler/config.go new file mode 100644 index 000000000..da305f58e --- /dev/null +++ b/pkg/api/handler/config.go @@ -0,0 +1,33 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package handler + +import ( + "github.com/rabbitstack/fibratus/pkg/config" + "net/http" +) + +// Config is the handler the serves the current configuration state as pretty-formatted text. +func Config(c *config.Config) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if _, err := w.Write([]byte(c.Print())); err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + } + }) +} diff --git a/pkg/api/listener.go b/pkg/api/listener.go new file mode 100644 index 000000000..dab6d74f6 --- /dev/null +++ b/pkg/api/listener.go @@ -0,0 +1,65 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package api + +import ( + "context" + "fmt" + "github.com/Microsoft/go-winio" + "net" + "strings" +) + +// MakePipeListener produces a new listener for receiving requests over a named pipe. +func MakePipeListener(pipePath, descriptor string) (net.Listener, error) { + npipe := transformPipePath(pipePath) + l, err := winio.ListenPipe(npipe, &winio.PipeConfig{SecurityDescriptor: descriptor}) + if err != nil { + return nil, fmt.Errorf("fail to listen on the %q pipe: %v", pipePath, err) + } + return l, nil +} + +// makeTCPListener produces a new listener for receiving requests over TCP. +func makeTCPListener(addr string) (net.Listener, error) { + return net.Listen("tcp", addr) +} + +// DialPipe creates a dialer to be used with the http.Client to connect to a named pipe. +func DialPipe(pipePath string) func(context.Context, string, string) (net.Conn, error) { + npipe := transformPipePath(pipePath) + return func(ctx context.Context, _, _ string) (net.Conn, error) { + return winio.DialPipeContext(ctx, npipe) + } +} + +// transformPipePath takes an input type name defined as a URI like `npipe:///hello` and transform it into +// `\\.\pipe\hello`. Borrowed from https://github.com/elastic/beats/blob/master/libbeat/api/npipe/listener_windows.go +func transformPipePath(name string) string { + if strings.HasPrefix(name, "npipe:///") { + path := strings.TrimPrefix(name, "npipe:///") + return `\\.\pipe\` + path + } + + if strings.HasPrefix(name, `\\.\pipe\`) { + return name + } + + return name +} diff --git a/pkg/api/server.go b/pkg/api/server.go new file mode 100644 index 000000000..ecd581e0e --- /dev/null +++ b/pkg/api/server.go @@ -0,0 +1,89 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package api + +import ( + "expvar" + "fmt" + "github.com/rabbitstack/fibratus/pkg/api/handler" + "github.com/rabbitstack/fibratus/pkg/config" + "net" + "net/http" + "net/http/pprof" + "os/user" + "runtime/debug" + "strings" + // register expvar stats + _ "expvar" + // register pprof handlers + _ "net/http/pprof" +) + +var listener net.Listener + +// StartServer starts the HTTP server with the specified configuration. +func StartServer(c *config.Config) error { + var err error + apiConfig := c.API + if strings.HasPrefix(apiConfig.Transport, `npipe:///`) { + usr, err := user.Current() + if err != nil { + return fmt.Errorf("failed to retrieve the current user: %v", err) + } + // Named pipe security and access rights. + // We create the pipe and the specific users should only be able to write to it. + // See docs: https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipe-security-and-access-rights + // String definition: https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings + // Give generic read/write access to the specified user. + descriptor := "D:P(A;;GA;;;" + usr.Uid + ")" + listener, err = MakePipeListener(apiConfig.Transport, descriptor) + } else { + listener, err = makeTCPListener(apiConfig.Transport) + } + if err != nil { + return err + } + + mux := http.NewServeMux() + mux.Handle("/config", handler.Config(c)) + mux.Handle("/debug/vars", expvar.Handler()) + + mux.HandleFunc("/debug/pprof/", pprof.Index) + mux.HandleFunc("/debug/pprof/profile", pprof.Profile) + mux.HandleFunc("/debug/freemem", func(writer http.ResponseWriter, request *http.Request) { + debug.FreeOSMemory() + }) + + srv := &http.Server{ + //WriteTimeout: apiConfig.Timeout, + Handler: mux, + } + + go srv.Serve(listener) + + return nil +} + +// CloseServer shutdowns the server by stopping the listener. +func CloseServer() error { + if listener != nil { + return listener.Close() + } + return nil +} diff --git a/pkg/config/_fixtures/fibratus.json b/pkg/config/_fixtures/fibratus.json new file mode 100644 index 000000000..56bd02b44 --- /dev/null +++ b/pkg/config/_fixtures/fibratus.json @@ -0,0 +1,53 @@ +{ + "aggregator": { + "flush-period": "230ms", + "flush-timeout": "8s" + }, + + "alertsenders": { + "mail": { + "enabled": false + }, + + "slack": { + "enabled": false + } + }, + + "api": { + "transport": "localhost:8090", + "timeout": "5s" + }, + + "debug-privilege": true, + + "filament": { + "name": "", + "flush-period": "200ms" + }, + + "handle": { + "init-snapshot": true + }, + + "kevent": { + + }, + + "kcap": { + + }, + + "kstream": {}, + "logging": {}, + "output": { + "console": { + "enabled": true, + "format": "pretty", + "kv-delimiter": "->" + } + }, + "pe": {}, + "transformers": {}, + "yara": {} +} \ No newline at end of file diff --git a/pkg/config/_fixtures/fibratus.yml b/pkg/config/_fixtures/fibratus.yml new file mode 100644 index 000000000..32447be67 --- /dev/null +++ b/pkg/config/_fixtures/fibratus.yml @@ -0,0 +1,230 @@ +###################### Fibratus Configuration File ##################################### + +# =============================== Aggregator ========================================== + +# Aggregator is responsible for creating kernel event batches, applying transformers to each event +# present in the batch, and forwarding those batches to the output sinks. +aggregator: + # Determines the flush period that triggers the flushing of the kernel event batches to output sinks. + flush-period: 230ms + + # Represents the max time to wait before announcing failed flushing of enqueued events when fibratus + # is stopped. + flush-timeout: 8s + +# =============================== Alert senders ======================================== + +# Alert senders deal with emitting alerts via different channels. +alertsenders: + # Mail sender transports the alerts via SMTP protocol. + mail: + # Enables/disables mail alert sender. + enabled: true + + # Represents the host of the SMTP server. + host: smtp.gmail.com + + # Represents the port of the SMTP server. + port: 587 + + # Specifies the user name when authenticating to the SMTP server. + user: bunny + + # Specifies the password when authenticating to the SMTP server. + password: changeit + + # Specifies the sender's address. + from: bunny@gmail.com + + # Specifies all the recipients that'll receive the alert. + to: + - bunny@gmail.com + - rabbit@gmail.com + - cuniculus@gmail.com + + # Slack sender transports the alerts to the Slack workspace. + slack: + # Enables/disables Slack alert sender. + enabled: true + + # Represents the Webhook URL of the workspace where alerts will be dispatched. + url: https://fibratus/232sfghagjhfasr + + # Designates the Slack workspace where alerts will be routed. + workspace: fibratus + + # Is the slack channel in which to post alerts. + channel: fibratus + + # Represents the emoji icon surrounded in ':' characters for the Slack bot. + #emoji: "" + +# =============================== API ================================================== + +# Settings that influence the behaviour of the HTTP server that exposes a number of endpoints such as +# expvar metrics, internal state, and so on. +api: + # Specifies the underlying transport protocol for the API HTTP server. The transport can either be the + # named pipe or TCP socket. Default is named pipe but you can override it to expose theAPI server on + # TCP address, e.g. 192.168.1.32:8084. + transport: npipe:///fibratus + + # Represents the timeout interval for the HTTP server responses. + timeout: 5s + +# =============================== General ============================================== + +# Indicates whether debug privilege is set in Fibratus process' token. Enabling this security policy allows +# Fibratus to obtain handles of protected processes for the purpose of querying the Process Environment Block +# regions. +debug-privilege: true + +# =============================== Filament ============================================= + +# Filaments are lightweight Python scriplets that are executed on top of the kernel event stream. You can easily +# extend Fibratus with custom features that is encapsulated in filaments. This section controls the behaviour of +# the filament engine. +filament: + # Specifies the name of the filament that is executed with the run command. + name: top_netio + + # The directory where all filaments are located. By default, they are stored within the fibratus program + # files directory. + path: $(PROGRAMFILES)/fibratus/filaments + + flush-period: 300ms + +# =============================== Handle =============================================== + +# Indicates whether initial handle snapshot is taken. +handle: + init-snapshot: true + +# =============================== Kcap ================================================= + +kcap: + file: "" + +# =============================== Kevent =============================================== + +kevent: + serialize-threads: false + serialize-images: false + serialize-handles: false + serialize-pe: false + +# =============================== Kstream ============================================== + +kstream: + max-buffers: 2 + min-buffers: 1 + flush-interval: 1s + blacklist: + events: + - CreateThread + - CreateHandle + - CloseHandle + images: + - System + + +# =============================== Logging ================================================ + +logging: + level: info + # max-age: + # max-backups: + # max-size: + # formatter: + # path: + # log-stdout: false + + +# =============================== Output ================================================ + +output: + console: + enabled: false + format: json + template: "" + + + elasticsearch: + enabled: false + servers: + - http://localhost:9200 + timeout: 5s + + amqp: + enabled: true + url: amqp://localhost:5672 + timeout: 5s + exchange-type: topic + routing-key: fibratus + vhost: / + +# =============================== Portable Executable (PE) ============================= + +pe: + enabled: false + read-resources: true + read-symbols: true + read-sections: false + +# =============================== Transformers ========================================= + +transformers: + remove: + enabled: true + kparams: + - disposition + rename: + enabled: true + kparams: + - old: "a" + new: "b" + - old: "c" + new: "d" + replace: + enabled: false + replacements: + - kparam: key_name + old: HKEY_CURRENT_USER + new: HCU + tags: + enabled: false + tags: + - key: foo + value: bar + trim: + enabled: false + prefixes: + - kparam: key_name + trim: CurrentControlSet + suffixes: + - kparam: file_name + trim: .exe + +# =============================== YARA ================================================= + +yara: + enabled: true + rule: + paths: + - path: "C:\\yara-rules" + namespace: default + strings: + - string: "rule test : tag1 { meta: author = \"Hilko Bengen\" strings: $a = \"abc\" fullword condition: $a }" + namespace: default + alert-via: slack + alert-template: + title: "" + text: "" + fastscan: true + scan-timeout: 20s + skip-files: true + excluded-files: + - kernel32.dll + excluded-procs: + - system + - spotify.exe diff --git a/pkg/config/_fixtures/output.yml b/pkg/config/_fixtures/output.yml new file mode 100644 index 000000000..d2db8139e --- /dev/null +++ b/pkg/config/_fixtures/output.yml @@ -0,0 +1,23 @@ +kstream: + max-buffers: 10 + min-buffers: 8 + flush-interval: 1s + blacklist: + events: + - CreateThread + +filament: top_hives_io + +output: + console: + enabled: false + format: pretty + elasticsearch: + amqp: + enabled: true + url: amqp://localhost:5672 + timeout: 5s + exchange: fibratus + exchange-type: topic + routing-key: fibratus + diff --git a/pkg/config/_fixtures/transformers.yml b/pkg/config/_fixtures/transformers.yml new file mode 100644 index 000000000..9785d071e --- /dev/null +++ b/pkg/config/_fixtures/transformers.yml @@ -0,0 +1,29 @@ +kstream: + max-buffers: 10 + min-buffers: 8 + flush-interval: 1s + blacklist: + events: + - CreateThread + +filament: top_hives_io + +output.console: + format: pretty + +transformers.tags: + enabled: true + tags: + - key: 1 + value: k + +transformers.remove: + enabled: true + kparams: + - key_handle + +transformers.rename: + enabled: true + kparams: + - old: key_handle + new: KeyHandle \ No newline at end of file diff --git a/pkg/config/alertsender.go b/pkg/config/alertsender.go new file mode 100644 index 000000000..3c7558f58 --- /dev/null +++ b/pkg/config/alertsender.go @@ -0,0 +1,83 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import ( + "errors" + "fmt" + "github.com/rabbitstack/fibratus/pkg/alertsender" + "github.com/rabbitstack/fibratus/pkg/alertsender/mail" + "github.com/rabbitstack/fibratus/pkg/alertsender/slack" + "reflect" +) + +var errNoAlertsendersSection = errors.New("no alertsenders section in config") + +var errAlertsenderConfig = func(sender string, err error) error { + return fmt.Errorf("%s alert sender invalid config: %v", sender, err) +} + +func (c *Config) tryLoadAlertSenders() error { + configs := make([]alertsender.Config, 0) + alertsenders := c.viper.AllSettings()["alertsenders"] + if alertsenders == nil { + return errNoAlertsendersSection + } + + mapping, ok := alertsenders.(map[string]interface{}) + if !ok { + return fmt.Errorf("expected map[string]interface{} type for alertsenders but found %s", reflect.TypeOf(alertsenders)) + } + + for typ, config := range mapping { + switch typ { + case "mail": + var mailConfig mail.Config + if err := decode(config, &mailConfig); err != nil { + return errAlertsenderConfig(typ, err) + } + if !mailConfig.Enabled { + continue + } + config := alertsender.Config{ + Type: alertsender.Mail, + Sender: mailConfig, + } + configs = append(configs, config) + + case "slack": + var slackConfig slack.Config + if err := decode(config, &slackConfig); err != nil { + return errAlertsenderConfig(typ, err) + } + if !slackConfig.Enabled { + continue + } + config := alertsender.Config{ + Type: alertsender.Slack, + Sender: slackConfig, + } + configs = append(configs, config) + } + } + + c.Alertsenders = configs + + return nil +} diff --git a/pkg/config/api.go b/pkg/config/api.go new file mode 100644 index 000000000..22589bb76 --- /dev/null +++ b/pkg/config/api.go @@ -0,0 +1,43 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import ( + "github.com/spf13/viper" + "time" +) + +const ( + transport = "api.transport" + timeout = "api.timeout" +) + +// Config contains API specific config options. +type APIConfig struct { + // Transport specifies the underlying transport protocol for the API HTTP server. + Transport string `json:"api.transport" yaml:"api.transport"` + // Timeout determines the timeout for the API server responses + Timeout time.Duration `json:"api.timeout" yaml:"api.timeout"` +} + +// initFromViper initializes API configuration from Viper. +func (c *APIConfig) initFromViper(v *viper.Viper) { + c.Transport = v.GetString(transport) + c.Timeout = v.GetDuration(timeout) +} diff --git a/pkg/config/config.go b/pkg/config/config.go new file mode 100644 index 000000000..bcde16d80 --- /dev/null +++ b/pkg/config/config.go @@ -0,0 +1,338 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import ( + "encoding/json" + "fmt" + "github.com/rabbitstack/fibratus/pkg/aggregator" + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers" + removet "github.com/rabbitstack/fibratus/pkg/aggregator/transformers/remove" + replacet "github.com/rabbitstack/fibratus/pkg/aggregator/transformers/replace" + tagst "github.com/rabbitstack/fibratus/pkg/aggregator/transformers/tags" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp" + "github.com/rabbitstack/fibratus/pkg/outputs/elasticsearch" + "github.com/rabbitstack/fibratus/pkg/util/log" + "github.com/rabbitstack/fibratus/pkg/util/multierror" + yara "github.com/rabbitstack/fibratus/pkg/yara/config" + "gopkg.in/yaml.v2" + "io/ioutil" + "time" + + renamet "github.com/rabbitstack/fibratus/pkg/aggregator/transformers/rename" + trimt "github.com/rabbitstack/fibratus/pkg/aggregator/transformers/trim" + + "github.com/rabbitstack/fibratus/pkg/alertsender" + mailsender "github.com/rabbitstack/fibratus/pkg/alertsender/mail" + slacksender "github.com/rabbitstack/fibratus/pkg/alertsender/slack" + "github.com/rabbitstack/fibratus/pkg/outputs" + "github.com/rabbitstack/fibratus/pkg/outputs/console" + "github.com/rabbitstack/fibratus/pkg/pe" + "github.com/spf13/cobra" + "github.com/spf13/pflag" + "github.com/spf13/viper" + "os" + "path/filepath" + "strings" +) + +const ( + kcapFile = "kcap.file" + configFile = "config-file" + debugPrivilege = "debug-privilege" + initHandleSnapshot = "handle.init-snapshot" + + serializeThreads = "kevent.serialize-threads" + serializeImages = "kevent.serialize-images" + serializeHandles = "kevent.serialize-handles" + serializePE = "kevent.serialize-pe" + serializeEnvs = "kevent.serialize-envs" +) + +// Config stores configuration options for fine tuning the behaviour of Fibratus. +type Config struct { + // Kstream stores different configuration options for fine tuning kstream consumer/controller settings. + Kstream KstreamConfig `json:"kstream" yaml:"kstream"` + // Filament contains filament settings + Filament FilamentConfig `json:"filament" yaml:"filament"` + // PE contains the settings that influences the behaviour of the PE (Portable Executable) reader. + PE pe.Config `json:"pe" yaml:"pe"` + // Output stores the currently active output config + Output outputs.Config + // InitHandleSnapshot indicates whether initial handle snapshot is built + InitHandleSnapshot bool `json:"init-handle-snapshot" yaml:"init-handle-snapshot"` + DebugPrivilege bool `json:"debug-privilege" yaml:"debug-privilege"` + KcapFile string + + // API stores global HTTP API preferences + API APIConfig `json:"api" yaml:"api"` + // Yara contains configuration that influences the behaviour of the Yara engine + Yara yara.Config `json:"yara" yaml:"yara"` + // Aggregator stores event aggregator configuration + Aggregator aggregator.Config `json:"aggregator" yaml:"aggregator"` + // Log contains log-specific configuration options + Log log.Config `json:"logging" yaml:"logging"` + + // Transformers stores transformer configurations + Transformers []transformers.Config + // Alertsenders stores alert sender configurations + Alertsenders []alertsender.Config + + flags *pflag.FlagSet + viper *viper.Viper + opts *Options +} + +// Options determines which config flags are toggled depending on the command type. +type Options struct { + capture bool + replay bool + run bool + list bool + stats bool +} + +// Option is the type alias for the config option. +type Option func(*Options) + +// WithCapture determines the capture command is executed. +func WithCapture() Option { + return func(o *Options) { + o.capture = true + } +} + +// WithReplay determines the replay command is executed. +func WithReplay() Option { + return func(o *Options) { + o.replay = true + } +} + +// WithRun determines the main command is executed. +func WithRun() Option { + return func(o *Options) { + o.run = true + } +} + +// WithList determines the list command is executed. +func WithList() Option { + return func(o *Options) { + o.list = true + } +} + +// WithStats determines the stats command is executed. +func WithStats() Option { + return func(o *Options) { + o.stats = true + } +} + +// NewWithOpts builds a new configuration store from a variety of sources such as configuration files, +// environment variables or command line flags. +func NewWithOpts(options ...Option) *Config { + opts := &Options{} + + for _, opt := range options { + opt(opts) + } + + v := viper.New() + v.AutomaticEnv() + v.SetEnvKeyReplacer(strings.NewReplacer("-", "_", ".", "_")) + + flagSet := new(pflag.FlagSet) + + c := &Config{ + Kstream: KstreamConfig{}, + Filament: FilamentConfig{}, + API: APIConfig{}, + PE: pe.Config{}, + Log: log.Config{}, + Aggregator: aggregator.Config{}, + viper: v, + flags: flagSet, + opts: opts, + } + + if opts.run || opts.replay { + aggregator.AddFlags(flagSet) + console.AddFlags(flagSet) + amqp.AddFlags(flagSet) + elasticsearch.AddFlags(flagSet) + removet.AddFlags(flagSet) + replacet.AddFlags(flagSet) + renamet.AddFlags(flagSet) + trimt.AddFlags(flagSet) + tagst.AddFlags(flagSet) + mailsender.AddFlags(flagSet) + slacksender.AddFlags(flagSet) + yara.AddFlags(flagSet) + } + + if opts.run || opts.capture { + pe.AddFlags(flagSet) + } + + c.addFlags() + + return c +} + +// GetConfigFile gets the path of the configuration file from Viper value. +func (c Config) GetConfigFile() string { + return c.viper.GetString(configFile) +} + +// MustViperize adds the flag set to the Cobra command and binds them within Viper flags. +func (c *Config) MustViperize(cmd *cobra.Command) { + cmd.PersistentFlags().AddFlagSet(c.flags) + if err := c.viper.BindPFlags(cmd.PersistentFlags()); err != nil { + panic(err) + } + if c.opts.capture || c.opts.replay { + if err := cmd.MarkPersistentFlagRequired(kcapFile); err != nil { + panic(err) + } + } +} + +// Init setups the configuration state from Viper. +func (c *Config) Init() error { + c.Kstream.initFromViper(c.viper) + c.Filament.initFromViper(c.viper) + c.API.initFromViper(c.viper) + c.PE.InitFromViper(c.viper) + c.Aggregator.InitFromViper(c.viper) + c.Log.InitFromViper(c.viper) + c.Yara.InitFromViper(c.viper) + + c.InitHandleSnapshot = c.viper.GetBool(initHandleSnapshot) + c.DebugPrivilege = c.viper.GetBool(debugPrivilege) + c.KcapFile = c.viper.GetString(kcapFile) + + kevent.SerializeThreads = c.viper.GetBool(serializeThreads) + kevent.SerializeImages = c.viper.GetBool(serializeImages) + kevent.SerializeHandles = c.viper.GetBool(serializeHandles) + kevent.SerializePE = c.viper.GetBool(serializePE) + kevent.SerializeEnvs = c.viper.GetBool(serializeEnvs) + + if c.opts.run || c.opts.replay { + if err := c.tryLoadOutput(); err != nil { + return err + } + if err := c.tryLoadTransformers(); err != nil { + return err + } + if err := c.tryLoadAlertSenders(); err != nil { + return err + } + } + return nil +} + +// TryLoadFile attempts to load the configuration file from specified path on the file system. +func (c *Config) TryLoadFile(file string) error { + c.viper.SetConfigFile(file) + return c.viper.ReadInConfig() +} + +// Validate ensures that all configuration options provided by user have the expected values. It returns +// a list of validation errors prefixed with the offending configuration property/flag. +func (c *Config) Validate() error { + // we'll first validate the structure and values of the config file + file := c.viper.GetString(configFile) + var out interface{} + b, err := ioutil.ReadFile(file) + if err != nil { + return err + } + switch filepath.Ext(file) { + case ".yaml", ".yml": + err = yaml.Unmarshal(b, &out) + case ".json": + err = json.Unmarshal(b, &out) + default: + return fmt.Errorf("%s is not a supported config file extension", filepath.Ext(file)) + } + if err != nil { + return fmt.Errorf("couldn't read the config file: %v", err) + } + // validate config file content + valid, errs := validate(out) + if !valid || len(errs) > 0 { + return fmt.Errorf("invalid config: %v", multierror.Wrap(errs)) + } + // now validate the Viper config flags + valid, errs = validate(c.viper.AllSettings()) + if !valid || len(errs) > 0 { + return fmt.Errorf("invalid config: %v", multierror.Wrap(errs)) + } + return nil +} + +// File returns the config file path. +func (c *Config) File() string { return c.viper.GetString(configFile) } + +func (c *Config) addFlags() { + c.flags.String(configFile, filepath.Join(os.Getenv("PROGRAMFILES"), "fibratus", "config", "fibratus.yml"), "Indicates the location of the configuration file") + if c.opts.run || c.opts.replay { + c.flags.StringP(filamentName, "f", "", "Specifies the filament to execute") + } + if c.opts.capture { + c.flags.StringP(kcapFile, "o", "", "The path of the output kcap file") + } + if c.opts.replay { + c.flags.StringP(kcapFile, "k", "", "The path of the input kcap file") + + } + if c.opts.run || c.opts.replay || c.opts.list { + c.flags.String(filamentPath, filepath.Join(os.Getenv("PROGRAMFILES"), "fibratus", "filaments"), "Denotes the directory where filaments are located") + } + if c.opts.run || c.opts.replay || c.opts.capture || c.opts.stats { + c.flags.String(transport, `localhost:8080`, "Specifies the underlying transport protocol for the API HTTP server") + c.flags.Duration(timeout, time.Second*15, "Determines the timeout for the API server responses") + } + if c.opts.run || c.opts.capture { + c.flags.Bool(initHandleSnapshot, true, "Indicates whether initial handle snapshot is built. This implies scanning the system handles table and producing an entry for each handle object") + + c.flags.Bool(enableThreadKevents, true, "Determines whether thread kernel events are collected by Kernel Logger provider") + c.flags.Bool(enableRegistryKevents, true, "Determines whether registry kernel events are collected by Kernel Logger provider") + c.flags.Bool(enableNetKevents, true, "Determines whether network (TCP/UDP) kernel events are collected by Kernel Logger provider") + c.flags.Bool(enableFileIOKevents, true, "Determines whether disk I/O kernel events are collected by Kernel Logger provider") + c.flags.Bool(enableImageKevents, true, "Determines whether file I/O kernel events are collected by Kernel Logger provider") + c.flags.Bool(enableHandleKevents, false, "Determines whether object manager kernel events (handle creation/destruction) are collected by Kernel Logger provider") + c.flags.Int(bufferSize, int(maxBufferSize), "Represents the amount of memory allocated for each event tracing session buffer, in kilobytes. The buffer size affects the rate at which buffers fill and must be flushed (small buffer size requires less memory but it increases the rate at which buffers must be flushed)") + c.flags.Int(minBuffers, int(defaultMinBuffers), "Determines the minimum number of buffers allocated for the event tracing session's buffer pool") + c.flags.Int(maxBuffers, int(defaultMaxBuffers), "Determines the maximum number of buffers allocated for the event tracing session's buffer pool") + c.flags.Duration(flushInterval, defaultFlushInterval, "Specifies how often the trace buffers are forcibly flushed") + c.flags.StringSlice(blacklistEvents, []string{}, "A list of symbolical kernel event names that will be dropped from the kernel event stream. By default all events are accepted") + c.flags.StringSlice(blacklistImages, []string{"System"}, "A list of image names that will be dropped from the kernel event stream. Image names are case insensitive") + + c.flags.Bool(serializeThreads, false, "Indicates if threads are serialized as part of the process state") + c.flags.Bool(serializeImages, false, "Indicates if images are serialized as part of the process state") + c.flags.Bool(serializeHandles, false, "Indicates if handles are serialized as part of the process state") + c.flags.Bool(serializePE, false, "Indicates if the PE metadata are serialized as part of the process state") + c.flags.Bool(serializeEnvs, true, "Indicates if environment variables are serialized as part of the process state") + } + c.Log.AddFlags(c.flags) +} diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go new file mode 100644 index 000000000..ff0bc333f --- /dev/null +++ b/pkg/config/config_test.go @@ -0,0 +1,113 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import ( + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers" + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers/rename" + "github.com/rabbitstack/fibratus/pkg/alertsender" + "github.com/rabbitstack/fibratus/pkg/alertsender/mail" + "github.com/rabbitstack/fibratus/pkg/alertsender/slack" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "testing" + "time" +) + +func TestNewFromYamlFile(t *testing.T) { + c := NewWithOpts(WithRun()) + + err := c.flags.Parse([]string{"--config-file=_fixtures/fibratus.yml"}) + require.NoError(t, c.viper.BindPFlags(c.flags)) + require.NoError(t, err) + require.NoError(t, c.TryLoadFile(c.GetConfigFile())) + + require.NoError(t, c.Init()) + + errs := c.Validate() + + require.Empty(t, errs) + + assert.Equal(t, time.Millisecond*230, c.Aggregator.FlushPeriod) + assert.Equal(t, time.Second*8, c.Aggregator.FlushTimeout) + + assert.Len(t, c.Alertsenders, 2) + + for _, c := range c.Alertsenders { + switch c.Type { + case alertsender.Slack: + assert.IsType(t, slack.Config{}, c.Sender) + case alertsender.Mail: + assert.IsType(t, mail.Config{}, c.Sender) + mailConfig := c.Sender.(mail.Config) + assert.Equal(t, "smtp.gmail.com", mailConfig.Host) + assert.Equal(t, 587, mailConfig.Port) + assert.Equal(t, "bunny", mailConfig.User) + assert.Equal(t, "changeit", mailConfig.Pass) + assert.Equal(t, "bunny@gmail.com", mailConfig.From) + assert.Equal(t, []string{"bunny@gmail.com", "rabbit@gmail.com", "cuniculus@gmail.com"}, mailConfig.To) + } + } + + assert.Equal(t, "npipe:///fibratus", c.API.Transport) + assert.Equal(t, time.Second*5, c.API.Timeout) + assert.True(t, c.DebugPrivilege) + + assert.Equal(t, "top_netio", c.Filament.Name) + + require.Len(t, c.Transformers, 2) + + for _, tr := range c.Transformers { + switch tr.Type { + case transformers.Rename: + rconfig := tr.Transformer.(rename.Config) + assert.Len(t, rconfig.Kparams, 2) + r1 := rconfig.Kparams[0] + assert.Equal(t, "b", r1.New) + } + } + + assert.True(t, c.Yara.Enabled) + + require.Len(t, c.Yara.Rule.Paths, 1) + assert.Len(t, c.Yara.Rule.Strings, 1) + + assert.Equal(t, "C:\\yara-rules", c.Yara.Rule.Paths[0].Path) + assert.Equal(t, "default", c.Yara.Rule.Paths[0].Namespace) + +} + +func TestNewFromJsonFile(t *testing.T) { + c := NewWithOpts(WithRun()) + + err := c.flags.Parse([]string{"--config-file=_fixtures/fibratus.json"}) + require.NoError(t, c.viper.BindPFlags(c.flags)) + require.NoError(t, err) + require.NoError(t, c.TryLoadFile(c.GetConfigFile())) + + require.NoError(t, c.Init()) + + errs := c.Validate() + + require.Empty(t, errs) + + assert.Equal(t, time.Millisecond*230, c.Aggregator.FlushPeriod) + assert.Equal(t, time.Second*8, c.Aggregator.FlushTimeout) + +} diff --git a/pkg/config/decoder.go b/pkg/config/decoder.go new file mode 100644 index 000000000..ec3c7d99f --- /dev/null +++ b/pkg/config/decoder.go @@ -0,0 +1,38 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import "github.com/mitchellh/mapstructure" + +func decode(input, output interface{}) error { + var decoderConfig = &mapstructure.DecoderConfig{ + Metadata: nil, + Result: output, + WeaklyTypedInput: true, + DecodeHook: mapstructure.ComposeDecodeHookFunc( + mapstructure.StringToTimeDurationHookFunc(), + mapstructure.StringToSliceHookFunc(","), + ), + } + decoder, err := mapstructure.NewDecoder(decoderConfig) + if err != nil { + return err + } + return decoder.Decode(input) +} diff --git a/pkg/config/filament.go b/pkg/config/filament.go new file mode 100644 index 000000000..038567eda --- /dev/null +++ b/pkg/config/filament.go @@ -0,0 +1,41 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import ( + "github.com/spf13/viper" + "time" +) + +const ( + filamentName = "filament.name" + filamentPath = "filament.path" +) + +// FilamentConfig stores config parameters for tweaking the behaviour of the filament engine. +type FilamentConfig struct { + Name string + Path string + FlushPeriod time.Duration +} + +func (f *FilamentConfig) initFromViper(v *viper.Viper) { + f.Name = v.GetString(filamentName) + f.Path = v.GetString(filamentPath) +} diff --git a/pkg/config/kstream.go b/pkg/config/kstream.go new file mode 100644 index 000000000..26c06452a --- /dev/null +++ b/pkg/config/kstream.go @@ -0,0 +1,94 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import ( + "github.com/spf13/viper" + "runtime" + "time" +) + +const ( + enableThreadKevents = "kstream.enable-thread" + enableRegistryKevents = "kstream.enable-registry" + enableNetKevents = "kstream.enable-net" + enableFileIOKevents = "kstream.enable-fileio" + enableImageKevents = "kstream.enable-image" + enableHandleKevents = "kstream.enable-handle" + bufferSize = "kstream.buffer-size" + minBuffers = "kstream.min-buffers" + maxBuffers = "kstream.max-buffers" + flushInterval = "kstream.flush-interval" + + blacklistEvents = "kstream.blacklist.events" + blacklistImages = "kstream.blacklist.images" + + maxBufferSize = uint32(1024) +) + +var ( + defaultMinBuffers = uint32(runtime.NumCPU() * 2) + defaultMaxBuffers = defaultMinBuffers + 20 + defaultFlushInterval = time.Second +) + +// KstreamConfig stores different configuration options for fine tuning kstream consumer/controller settings. +type KstreamConfig struct { + // EnableThreadKevents indicates if thread kernel events are collected by the ETW provider. + EnableThreadKevents bool `json:"enable-thread" yaml:"enable-thread"` + // EnableRegistryKevents indicates if registry kernel events are collected by the ETW provider. + EnableRegistryKevents bool `json:"enable-registry" yaml:"enable-registry"` + // EnableNetKevents determines whether network (TCP/UDP) events are collected by the ETW provider. + EnableNetKevents bool `json:"enable-net" yaml:"enable-net"` + // EnableFileIOKevents indicates if file I/O kernel events are collected by the ETW provider. + EnableFileIOKevents bool `json:"enable-fileio" yaml:"enable-fileio"` + // EnableImageKevents indicates if image kernel events are collected by the ETW provider. + EnableImageKevents bool `json:"enable-image" yaml:"enable-image"` + // EnableHandleKevents indicates whether handle creation/disposal events are enabled. + EnableHandleKevents bool `json:"enable-handle" yaml:"enable-handle"` + // BufferSize represents the amount of memory allocated for each event tracing session buffer, in kilobytes. + // The buffer size affects the rate at which buffers fill and must be flushed (small buffer size requires + // less memory but it increases the rate at which buffers must be flushed). + BufferSize uint32 `json:"buffer-size" yaml:"buffer-size"` + // MinBuffers determines the minimum number of buffers allocated for the event tracing session's buffer pool. + MinBuffers uint32 `json:"min-buffers" yaml:"min-buffers"` + // MaxBuffers is the maximum number of buffers allocated for the event tracing session's buffer pool. + MaxBuffers uint32 `json:"max-buffers" yaml:"max-buffers"` + // FlushTimer specifies how often the trace buffers are forcibly flushed. + FlushTimer time.Duration `json:"flush-interval" yaml:"flush-interval"` + // BlacklistKevents are kernel event names that will be dropped from the kernel event stream. + BlacklistKevents []string `json:"blacklist.events" yaml:"blacklist.events"` + // BlacklistImages are process image names that will be rejected if they generate a kernel event. + BlacklistImages []string `json:"blacklist.images" yaml:"blacklist.images"` +} + +func (c *KstreamConfig) initFromViper(v *viper.Viper) { + c.EnableThreadKevents = v.GetBool(enableThreadKevents) + c.EnableRegistryKevents = v.GetBool(enableRegistryKevents) + c.EnableNetKevents = v.GetBool(enableNetKevents) + c.EnableFileIOKevents = v.GetBool(enableFileIOKevents) + c.EnableImageKevents = v.GetBool(enableImageKevents) + c.EnableHandleKevents = v.GetBool(enableHandleKevents) + c.BufferSize = uint32(v.GetInt(bufferSize)) + c.MinBuffers = uint32(v.GetInt(minBuffers)) + c.MaxBuffers = uint32(v.GetInt(maxBuffers)) + c.FlushTimer = v.GetDuration(flushInterval) + c.BlacklistKevents = v.GetStringSlice(blacklistEvents) + c.BlacklistImages = v.GetStringSlice(blacklistImages) +} diff --git a/pkg/config/kstream_test.go b/pkg/config/kstream_test.go new file mode 100644 index 000000000..8e2d012a2 --- /dev/null +++ b/pkg/config/kstream_test.go @@ -0,0 +1,48 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import ( + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "testing" +) + +func TestKstreamConfig(t *testing.T) { + c := NewWithOpts(WithRun()) + + err := c.flags.Parse([]string{ + "--kstream.enable-thread=false", + "--kstream.enable-registry=false", + "--kstream.enable-fileio=false", + "--kstream.enable-net=false", + "--kstream.enable-image=false", + }) + require.NoError(t, err) + require.NoError(t, c.viper.BindPFlags(c.flags)) + require.NoError(t, err) + + require.NoError(t, c.Init()) + + assert.False(t, c.Kstream.EnableThreadKevents) + assert.False(t, c.Kstream.EnableNetKevents) + assert.False(t, c.Kstream.EnableRegistryKevents) + assert.False(t, c.Kstream.EnableImageKevents) + assert.False(t, c.Kstream.EnableFileIOKevents) +} diff --git a/pkg/config/output.go b/pkg/config/output.go new file mode 100644 index 000000000..45ea21d79 --- /dev/null +++ b/pkg/config/output.go @@ -0,0 +1,137 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import ( + "errors" + "fmt" + "github.com/rabbitstack/fibratus/pkg/outputs" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp" + "github.com/rabbitstack/fibratus/pkg/outputs/console" + "github.com/rabbitstack/fibratus/pkg/outputs/elasticsearch" + "github.com/rabbitstack/fibratus/pkg/outputs/null" + log "github.com/sirupsen/logrus" + "golang.org/x/sys/windows/svc" + "reflect" + "strconv" +) + +var errNoOutputSection = errors.New("no output section in config") + +var errOutputConfig = func(output string, err error) error { return fmt.Errorf("%s output invalid config: %v", output, err) } + +func (c *Config) tryLoadOutput() error { + output := c.viper.AllSettings()["output"] + if output == nil { + return errNoOutputSection + } + mapping, ok := output.(map[string]interface{}) + if !ok { + return fmt.Errorf("expected map[string]interface{} type for output but found %s", reflect.TypeOf(output)) + } + + humNum := func(n int) string { + switch n { + case 2: + return "two" + case 3: + return "three" + case 4: + return "four" + case 5: + return "five" + case 6: + return "six" + case 7: + return "seven" + default: + return strconv.Itoa(n) + } + } + // don't permit if there are various outputs enabled at a time + activeOutputs := findActiveOutputs(mapping) + if len(activeOutputs) > 1 { + return fmt.Errorf("expected one but found %s active outputs: %s", humNum(len(activeOutputs)), activeOutputs) + } + + for typ, config := range mapping { + switch typ { + case "console": + var consoleConfig console.Config + if err := decode(config, &consoleConfig); err != nil { + return errOutputConfig(typ, err) + } + if !consoleConfig.Enabled { + continue + } + c.Output.Type, c.Output.Output = outputs.Console, consoleConfig + + case "amqp": + var amqpConfig amqp.Config + if err := decode(config, &amqpConfig); err != nil { + return errOutputConfig(typ, err) + } + if !amqpConfig.Enabled { + continue + } + c.Output.Type, c.Output.Output = outputs.AMQP, amqpConfig + + case "elasticsearch": + var esConfig elasticsearch.Config + if err := decode(config, &esConfig); err != nil { + return errOutputConfig(typ, err) + } + if !esConfig.Enabled { + continue + } + c.Output.Type, c.Output.Output = outputs.Elasticsearch, esConfig + } + } + + // if it is not an interactive session but the console output is enabled + // we default to null output and warn about that + in, err := svc.IsAnInteractiveSession() + if err == nil && !in && c.Output.Output != nil { + if c.Output.Type == outputs.Console { + log.Warn("running in non-interactive session with console output. " + + "Please configure a different output type. Defaulting to null output") + c.Output.Type, c.Output.Output = outputs.Null, &null.Config{} + return nil + } + } + + // default to null output + if c.Output.Output == nil { + log.Warn("all outputs disabled. Defaulting to null output") + c.Output.Type, c.Output.Output = outputs.Null, &null.Config{} + } + + return nil +} + +func findActiveOutputs(outputs map[string]interface{}) []string { + outputTypes := make([]string, 0) + for typ, rawConfig := range outputs { + enabled, ok := rawConfig.(map[string]interface{})["enabled"].(bool) + if ok && enabled { + outputTypes = append(outputTypes, typ) + } + } + return outputTypes +} diff --git a/pkg/config/output_test.go b/pkg/config/output_test.go new file mode 100644 index 000000000..5e2b9a0a5 --- /dev/null +++ b/pkg/config/output_test.go @@ -0,0 +1,49 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import ( + "github.com/rabbitstack/fibratus/pkg/outputs/amqp" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "testing" + "time" +) + +func TestOutput(t *testing.T) { + c := NewWithOpts(WithRun()) + + err := c.flags.Parse([]string{"--config-file=_fixtures/output.yml"}) + require.NoError(t, c.viper.BindPFlags(c.flags)) + require.NoError(t, err) + require.NoError(t, c.TryLoadFile(c.GetConfigFile())) + + require.NoError(t, c.Init()) + + require.NotNil(t, c.Output) + require.IsType(t, amqp.Config{}, c.Output.Output) + + amqpConfig := c.Output.Output.(amqp.Config) + assert.Equal(t, "amqp://localhost:5672", amqpConfig.URL) + assert.Equal(t, time.Second*5, amqpConfig.Timeout) + assert.Equal(t, "fibratus", amqpConfig.Exchange) + assert.Equal(t, "topic", amqpConfig.ExchangeType) + assert.Equal(t, "fibratus", amqpConfig.RoutingKey) + assert.Equal(t, "/", amqpConfig.Vhost) +} diff --git a/pkg/config/print.go b/pkg/config/print.go new file mode 100644 index 000000000..df68ca868 --- /dev/null +++ b/pkg/config/print.go @@ -0,0 +1,108 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import ( + "bytes" + "fmt" + "reflect" + "sort" + "strings" +) + +func (c *Config) printArray(arr []interface{}) string { + var buffer bytes.Buffer + for v := range arr { + buffer.WriteString(fmt.Sprintf("%v;", v)) + } + return buffer.String() +} + +func (c *Config) printMap(m map[string]interface{}) string { + var buffer bytes.Buffer + buffer.WriteString("[") + for k, v := range m { + val := c.print(v) + if len(val) > 0 { + buffer.WriteString(" ") + buffer.WriteString(k) + buffer.WriteString("=>") + if strings.Contains(k, "password") { + buffer.WriteString("********") + } else { + buffer.WriteString(val) + } + } + } + buffer.WriteString("]") + return buffer.String() +} + +func (c *Config) print(value interface{}) string { + t := reflect.TypeOf(value) + switch t.Kind() { + case reflect.Array: + return c.printArray(value.([]interface{})) + case reflect.Map: + return c.printMap(value.(map[string]interface{})) + default: + return fmt.Sprintf("%v", value) + } +} + +func (c *Config) printLine(buffer *bytes.Buffer, maxLength int, key string, value string) { + if value != "" { + buffer.WriteString("\n\t") + buffer.WriteString(key) + buffer.WriteString(" ") + buffer.WriteString(strings.Repeat(".", maxLength-len(key)+5)) + buffer.WriteString(" ") + buffer.WriteString(value) + } +} + +// Print returns the string with all the config options pretty-printed. +func (c *Config) Print() string { + opts := c.viper.AllSettings() + + var buffer bytes.Buffer + var maxKeyLen = 20 + + type kv struct { + k string + v interface{} + } + + sorted := make([]kv, 0, len(opts)) + // for printing we need to find the max key length + for key, v := range opts { + if len(key) > maxKeyLen { + maxKeyLen = len(key) + } + sorted = append(sorted, kv{k: key, v: v}) + } + sort.Slice(sorted, func(i, j int) bool { return sorted[i].k < sorted[j].k }) + + // print the options + for _, kv := range sorted { + c.printLine(&buffer, maxKeyLen, kv.k, c.print(kv.v)) + } + + return buffer.String() +} diff --git a/pkg/config/print_test.go b/pkg/config/print_test.go new file mode 100644 index 000000000..4e5f9b4ec --- /dev/null +++ b/pkg/config/print_test.go @@ -0,0 +1,34 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import ( + "github.com/stretchr/testify/require" + "testing" +) + +func TestConfigPrint(t *testing.T) { + c := NewWithOpts(WithRun()) + err := c.flags.Parse([]string{"--kstream.enable-thread=false", "--config-file=_fixtures/fibratus.yml"}) + require.NoError(t, c.viper.BindPFlags(c.flags)) + require.NoError(t, err) + require.NoError(t, c.TryLoadFile(c.GetConfigFile())) + opts := c.Print() + require.NotEmpty(t, opts) +} diff --git a/pkg/config/schema.go b/pkg/config/schema.go new file mode 100644 index 000000000..d91fabdc5 --- /dev/null +++ b/pkg/config/schema.go @@ -0,0 +1,446 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import ( + "bytes" + "text/template" +) + +var schema = ` +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "definitions": {"yara": {"$id": "#yara", "type": "object", "properties": {"enabled": {"type": "boolean"}}}}, + + "type": "object", + "properties": { + "aggregator": { + "type": "object", + "properties": { + "flush-period": {"type": "string", "minLength": 2, "pattern": "[0-9]+ms|s"}, + "flush-timeout": {"type": "string", "minLength": 2, "pattern": "[0-9]+s"} + }, + "additionalProperties": false + }, + "alertsenders": { + "type": "object", + "anyOf": [{ + "properties": { + "mail": { + "type": "object", + "properties": { + "enabled": {"type": "boolean"}, + "host": {"type": "string"}, + "port": {"type": "number"}, + "user": {"type": "string"}, + "password": {"type": "string"}, + "from": {"type": "string"}, + "to": {"type": "array", "items": {"type": "string", "format": "email"}} + }, + "if": { + "properties": {"enabled": { "const": true }} + }, + "then": { + "properties": { + "from": {"type": "string", "format": "email"}, + "to": {"type": "array", "minItems": 1, "items": {"type": "string", "format": "email"}} + } + }, + "additionalProperties": false + }, + "slack": { + "type": "object", + "properties": { + "enabled": {"type": "boolean"}, + "url": {"type": "string"}, + "workspace": {"type": "string"}, + "channel": {"type": "string"}, + "emoji": {"type": "string"} + }, + "if": { + "properties": {"enabled": { "const": true }} + }, + "then": { + "properties": {"url": {"type": "string", "format": "uri", "minLength": 1, "pattern": "^(https?|http?)://"}} + }, + "additionalProperties": false + } + }, + "additionalProperties": false + } + ] + }, + "api": { + "type": "object", + "properties": { + "transport": {"type": "string", "minLength": 3}, + "timeout": {"type": "string", "minLength": 2, "pattern": "[0-9]+s"} + }, + "additionalProperties": false + }, + "config-file": {"type": "string"}, + "debug-privilege": {"type": "boolean"}, + "handle": { + "type": "object", + "properties": { + "init-snapshot": {"type": "boolean"} + }, + "additionalProperties": false + }, + "kcap": { + "type": "object", + "properties": { + "file": {"type": "string"} + }, + "additionalProperties": false + }, + "filament": { + "type": "object", + "properties": { + "name": {"type": "string"}, + "path": {"type": "string"}, + "flush-period": {"type": "string", "minLength": 2, "pattern": "[0-9]+ms|s"} + }, + "additionalProperties": false + }, + "kevent": { + "type": "object", + "properties": { + "serialize-threads": {"type": "boolean"}, + "serialize-images": {"type": "boolean"}, + "serialize-handles": {"type": "boolean"}, + "serialize-pe": {"type": "boolean"}, + "serialize-envs": {"type": "boolean"} + }, + "additionalProperties": false + }, + "kstream": { + "type": "object", + "properties": { + "enable-thread": {"type": "boolean"}, + "enable-image": {"type": "boolean"}, + "enable-registry": {"type": "boolean"}, + "enable-fileio": {"type": "boolean"}, + "enable-handle": {"type": "boolean"}, + "enable-net": {"type": "boolean"}, + "min-buffers": {"type": "integer", "minimum": 1, "maximum": {{ .MinBuffers }}}, + "max-buffers": {"type": "integer", "minimum": 2, "maximum": {{ .MaxBuffers }}}, + "buffer-size": {"type": "integer", "maximum": {{ .MaxBufferSize }}}, + "flush-interval": {"type": "string", "minLength": 2, "pattern": "[0-9]+s"}, + "blacklist": { + "type": "object", + "properties": { + "events": {"type": "array", "items": [{"type": "string", "enum": ["CreateProcess", "CreateThread", "TerminateProcess", "TerminateThread", "LoadImage", "UnloadImage", "CreateFile", "CloseFile", "ReadFile", "WriteFile", "DeleteFile", "RenameFile", "SetFileInformation", "EnumDirectory", "RegCreateKey", "RegOpenKey", "RegSetValue", "RegQueryValue", "RegQueryKey", "RegDeleteKey", "RegDeleteValue", "Accept", "Send", "Recv", "Connect", "Disconnect", "Reconnect", "Retransmit", "CreateHandle", "CloseHandle"]}]}, + "images": {"type": "array", "items": [{"type": "string", "minLength": 1}]} + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "logging": { + "type": "object", + "properties": { + "level": {"type": "string"}, + "max-age": {"type": "integer"}, + "max-backups": {"type": "integer", "minimum": 1}, + "max-size": {"type": "integer", "minimum": 1}, + "formatter": {"type": "string", "enum": ["json", "text"]}, + "path": {"type": "string"}, + "log-stdout": {"type": "boolean"} + }, + "additionalProperties": false + }, + "output": { + "type": "object", + "anyOf": [{ + "properties": { + "console": { + "type": "object", + "properties": { + "enabled": {"type": "boolean"}, + "format": {"type": "string", "enum": ["json", "pretty"]}, + "template": {"type": "string"}, + "kv-delimiter": {"type": "string"} + }, + "additionalProperties": false + }, + "elasticsearch": { + "type": "object", + "properties": { + "enabled": {"type": "boolean"}, + "servers": {"type": "array", "items": [{"type": "string", "minItems": 1, "format": "uri", "minLength": 1, "maxLength": 255, "pattern": "^(https?|http?)://"}]}, + "timeout": {"type": "string"}, + "index-name": {"type": "string", "minLength": 1}, + "template-config": {"type": "string"}, + "template-name": {"type": "string", "minLength": 1}, + "healthcheck": {"type": "boolean"}, + "bulk-workers": {"type": "integer", "minimum": 1}, + "sniff": {"type": "boolean"}, + "trace-log": {"type": "boolean"}, + "gzip-compression": {"type": "boolean"}, + "healthcheck-interval": {"type": "string", "minLength": 2, "pattern": "[0-9]+s|m}"}, + "healthcheck-timeout": {"type": "string", "minLength": 2, "pattern": "[0-9]+s|m}"}, + "flush-period": {"type": "string", "minLength": 2, "pattern": "[0-9]+s|m}"}, + "username": {"type": "string"}, + "password": {"type": "string"}, + "tls-key": {"type": "string"}, + "tls-cert": {"type": "string"}, + "tls-ca": {"type": "string"}, + "tls-insecure-skip-verify": {"type": "boolean"} + }, + "additionalProperties": false + }, + "amqp": { + "type": "object", + "properties": { + "enabled": {"type": "boolean"}, + "url": {"type": "string", "format": "uri", "minLength": 1, "maxLength": 255, "pattern": "^(amqps?|amqp?)://"}, + "timeout": {"type": "string"}, + "exchange": {"type": "string", "minLength": 1}, + "exchange-type": {"type": "string", "enum": ["direct", "topic", "fanout", "header", "x-consistent-hash"]}, + "routing-key": {"type": "string", "minLength": 1}, + "delivery-mode": {"type": "string", "enum": ["transient", "persistent"]}, + "vhost": {"type": "string", "minLength": 1}, + "passive": {"type": "boolean"}, + "durable": {"type": "boolean"}, + "username": {"type": "string"}, + "password": {"type": "string"}, + "tls-key": {"type": "string"}, + "tls-cert": {"type": "string"}, + "tls-ca": {"type": "string"}, + "tls-insecure-skip-verify": {"type": "boolean"}, + "headers": {"type": "object", "additionalProperties": true} + }, + "additionalProperties": false + } + }, + "additionalProperties": false + } + ] + }, + "pe": { + "type": "object", + "properties": { + "enabled": {"type": "boolean"}, + "read-resources": {"type": "boolean"}, + "read-symbols": {"type": "boolean"}, + "read-sections": {"type": "boolean"}, + "excluded-images": {"type": "array", "items": [{"type": "string"}]} + }, + "additionalProperties": false + }, + "transformers": { + "type": "object", + "anyOf": [{ + "properties": { + "remove": { + "type": "object", + "properties": { + "enabled": {"type": "boolean"}, + "kparams": {"type": "array", "items": [{"type": "string"}]} + }, + "if": { + "properties": {"enabled": { "const": true }} + }, + "then": { + "properties": {"kparams": {"type": "array", "minItems": 1, "items": [{"type": "string"}]}} + }, + "additionalProperties": false + }, + "rename": { + "type": "object", + "properties": { + "enabled": {"type": "boolean"}, + "kparams": {"type": "array", "items": [ + { + "type": "object", + "properties": { + "old": {"type": "string", "minLength": 1}, + "new": {"type": "string", "minLength": 1} + }, + "additionalProperties": false + } + ]} + }, + "if": { + "properties": {"enabled": { "const": true }} + }, + "then": { + "properties": {"kparams": {"minItems": 1}} + }, + "additionalProperties": false + }, + "replace": { + "type": "object", + "properties": { + "enabled": {"type": "boolean"}, + "replacements": {"type": "array", "items": [ + { + "type": "object", + "properties": { + "kparam": {"type": "string", "minLength": 1}, + "old": {"type": "string", "minLength": 1}, + "new": {"type": "string"} + }, + "additionalProperties": false + } + ]} + }, + "if": { + "properties": {"enabled": { "const": true }} + }, + "then": { + "properties": {"replacements": {"minItems": 1}} + }, + "additionalProperties": false + }, + "tags": { + "type": "object", + "properties": { + "enabled": {"type": "boolean"}, + "tags": {"type": "array", "items": [ + { + "type": "object", + "properties": { + "key": {"type": "string", "minLength": 1}, + "value": {"type": "string", "minLength": 1} + }, + "additionalProperties": false + } + ]} + }, + "if": { + "properties": {"enabled": { "const": true }} + }, + "then": { + "properties": {"tags": {"minItems": 1}} + }, + "additionalProperties": false + }, + "trim": { + "type": "object", + "properties": { + "enabled": {"type": "boolean"}, + "prefixes": {"type": "array", "items": [ + { + "type": "object", + "properties": { + "kparam": {"type": "string", "minLength": 1}, + "trim": {"type": "string", "minLength": 1} + }, + "additionalProperties": false + } + ]}, + "suffixes": {"type": "array", "items": [ + { + "type": "object", + "properties": { + "kparam": {"type": "string", "minLength": 1}, + "trim": {"type": "string", "minLength": 1} + }, + "additionalProperties": false + } + ]} + }, + "if": { + "properties": {"enabled": { "const": true }} + }, + "then": { + "properties": {"suffixes": {"minItems": 1}, "prefixes": {"minItems": 1}} + }, + "additionalProperties": false + } + }, + "additionalProperties": false + } + ] + }, + "yara": { + "type": "object", + "properties": { + "enabled": {"type": "boolean"}, + "rule": { + "type": "object", + "anyOf": [{ + "properties": { + "paths": {"type": "array", "items": [ + { + "type": "object", + "properties": { + "path": {"type": "string"}, + "namespace": {"type": "string"} + }, + "if": { + "properties": {"enabled": {"$ref": "#yara", "const": true }} + }, + "then": { + "properties": {"path": {"minLength": 0}} + }, + "additionalProperties": false + }] + }, + "strings": {"type": "array"} + }, + "additionalProperties": false + }] + }, + "alert-via": {"type": "string", "enum": ["slack", "mail"]}, + "alert-template": { + "type": "object", + "properties": { + "text": {"type": "string"}, + "title": {"type": "string"} + }, + "additionalProperties": false + }, + "fastscan": {"type": "boolean"}, + "skip-files": {"type": "boolean"}, + "scan-timeout": {"type": "string", "minLength": 2, "pattern": "[0-9]+s"}, + "excluded-files": {"type": "array", "items": [{"type": "string", "minLength": 1}]}, + "excluded-procs": {"type": "array", "items": [{"type": "string", "minLength": 1}]} + }, + "additionalProperties": false + } + }, + "additionalProperties": false +} +` + +type schemaConfig struct { + MaxBuffers uint32 + MinBuffers uint32 + MaxBufferSize uint32 +} + +func interpolateSchema() string { + tmpl := template.Must(template.New("schema").Parse(schema)) + + var b bytes.Buffer + err := tmpl.Execute(&b, &schemaConfig{ + MaxBuffers: defaultMaxBuffers, + MinBuffers: defaultMinBuffers, + MaxBufferSize: maxBufferSize, + }) + if err != nil { + return "" + } + + return b.String() +} diff --git a/pkg/config/transformer.go b/pkg/config/transformer.go new file mode 100644 index 000000000..24b5df7d6 --- /dev/null +++ b/pkg/config/transformer.go @@ -0,0 +1,123 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers" + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers/remove" + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers/rename" + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers/replace" + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers/tags" + "github.com/rabbitstack/fibratus/pkg/aggregator/transformers/trim" + "reflect" +) + +var errTransformerConfig = func(t string, err error) error { return fmt.Errorf("%s transformer invalid config: %v", t, err) } + +func (c *Config) tryLoadTransformers() error { + transforms := c.viper.AllSettings()["transformers"] + if transforms == nil { + return nil + } + mapping, ok := transforms.(map[string]interface{}) + if !ok { + return fmt.Errorf("expected map[string]interface{} type for transformers but found %s", reflect.TypeOf(transforms)) + } + + configs := make([]transformers.Config, 0) + + for typ, config := range mapping { + switch typ { + case "remove": + var removeConfig remove.Config + if err := decode(config, &removeConfig); err != nil { + return errTransformerConfig(typ, err) + } + if !removeConfig.Enabled { + continue + } + config := transformers.Config{ + Type: transformers.Remove, + Transformer: removeConfig, + } + configs = append(configs, config) + + case "rename": + var renameConfig rename.Config + if err := decode(config, &renameConfig); err != nil { + return errTransformerConfig(typ, err) + } + if !renameConfig.Enabled { + continue + } + config := transformers.Config{ + Type: transformers.Rename, + Transformer: renameConfig, + } + configs = append(configs, config) + + case "replace": + var replaceConfig replace.Config + if err := decode(config, &replaceConfig); err != nil { + return errTransformerConfig(typ, err) + } + if !replaceConfig.Enabled { + continue + } + config := transformers.Config{ + Type: transformers.Replace, + Transformer: replaceConfig, + } + configs = append(configs, config) + + case "trim": + var trimConfig trim.Config + if err := decode(config, &trimConfig); err != nil { + return errTransformerConfig(typ, err) + } + if !trimConfig.Enabled { + continue + } + config := transformers.Config{ + Type: transformers.Trim, + Transformer: trimConfig, + } + configs = append(configs, config) + + case "tags": + var tagsConfig tags.Config + if err := decode(config, &tagsConfig); err != nil { + return errTransformerConfig(typ, err) + } + if !tagsConfig.Enabled { + continue + } + config := transformers.Config{ + Type: transformers.Tags, + Transformer: tagsConfig, + } + configs = append(configs, config) + } + } + + c.Transformers = configs + + return nil +} diff --git a/pkg/config/transformer_test.go b/pkg/config/transformer_test.go new file mode 100644 index 000000000..9000fd3d0 --- /dev/null +++ b/pkg/config/transformer_test.go @@ -0,0 +1,37 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import ( + "github.com/stretchr/testify/require" + "testing" +) + +func TestTransformers(t *testing.T) { + c := NewWithOpts(WithRun()) + + err := c.flags.Parse([]string{"--config-file=_fixtures/transformers.yml"}) + require.NoError(t, c.viper.BindPFlags(c.flags)) + require.NoError(t, err) + require.NoError(t, c.TryLoadFile(c.GetConfigFile())) + + require.NoError(t, c.Init()) + + require.Len(t, c.Transformers, 3) +} diff --git a/pkg/config/validation.go b/pkg/config/validation.go new file mode 100644 index 000000000..0214328f0 --- /dev/null +++ b/pkg/config/validation.go @@ -0,0 +1,108 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import ( + "fmt" + "github.com/pkg/errors" + "github.com/xeipuuv/gojsonschema" +) + +func validate(m interface{}) (bool, []error) { + converted, err := convertToStringKeysRecursive(m, "") + if err != nil { + return false, []error{fmt.Errorf("fail to convert keys to string: %v", err)} + } + loader := gojsonschema.NewGoLoader(converted) + sc := gojsonschema.NewStringLoader(interpolateSchema()) + r, err := gojsonschema.Validate(sc, loader) + if err != nil { + return false, []error{fmt.Errorf("fail to validate config file through schema: %v", err)} + } + errs := make([]error, len(r.Errors())) + for i, err := range r.Errors() { + errs[i] = errors.New(err.String()) + } + return r.Valid(), errs +} + +// convertToStringKeysRecursive ensures keys are converted to strings for jsonschema. +func convertToStringKeysRecursive(value interface{}, keyPrefix string) (interface{}, error) { + if mapping, ok := value.(map[string]interface{}); ok { + dict := make(map[string]interface{}) + for str, entry := range mapping { + var newKeyPrefix string + if keyPrefix == "" { + newKeyPrefix = str + } else { + newKeyPrefix = fmt.Sprintf("%s.%s", keyPrefix, str) + } + convertedEntry, err := convertToStringKeysRecursive(entry, newKeyPrefix) + if err != nil { + return nil, err + } + dict[str] = convertedEntry + } + return dict, nil + } + if mapping, ok := value.(map[interface{}]interface{}); ok { + dict := make(map[string]interface{}) + for key, entry := range mapping { + str, ok := key.(string) + if !ok { + return nil, formatInvalidKeyError(keyPrefix, key) + } + var newKeyPrefix string + if keyPrefix == "" { + newKeyPrefix = str + } else { + newKeyPrefix = fmt.Sprintf("%s.%s", keyPrefix, str) + } + convertedEntry, err := convertToStringKeysRecursive(entry, newKeyPrefix) + if err != nil { + return nil, err + } + dict[str] = convertedEntry + } + return dict, nil + } + if list, ok := value.([]interface{}); ok { + var convertedList []interface{} + for index, entry := range list { + newKeyPrefix := fmt.Sprintf("%s[%d]", keyPrefix, index) + convertedEntry, err := convertToStringKeysRecursive(entry, newKeyPrefix) + if err != nil { + return nil, err + } + convertedList = append(convertedList, convertedEntry) + } + return convertedList, nil + } + return value, nil +} + +func formatInvalidKeyError(keyPrefix string, key interface{}) error { + var location string + if keyPrefix == "" { + location = "at top level" + } else { + location = fmt.Sprintf("in %s", keyPrefix) + } + return errors.Errorf("non-string key %s: %#v", location, key) +} diff --git a/pkg/config/validation_test.go b/pkg/config/validation_test.go new file mode 100644 index 000000000..bcaabb25a --- /dev/null +++ b/pkg/config/validation_test.go @@ -0,0 +1,92 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import ( + "gopkg.in/yaml.v2" + "testing" +) + +func TestValidate(t *testing.T) { + var tests = []struct { + text string + valid bool + errs int + }{ + {text: `aggregator: + flush-period: 20ms + flush-timeout: 1s`, valid: true}, + {text: `aggregator: + flush-period: 20 + flush-timeout: 1s`, valid: false, errs: 1}, + {text: `aggregator: + flush-perio: 20ms + flush-timeout: 1`, valid: false, errs: 2}, + + {text: `alertsenders: + mail: + enabled: true + host: smtp.gmail.com + port: 465 + user: user + pass: pas$ + from: from@mail.com + to: + - to@mail.com + slack: + enabled: true + url: https://slack.url + workspace: fibratus + channel: fibratus + emoji: ""`, valid: true}, + {text: `alertsenders: + mail: + enabled: true + host: smtp.gmail.com + port: + user: user + pass: pas$ + from: from@mail.com + to: + - invalidmail@ + slack: + enabled: true + url: https://slack.url + workspace: fibratus + channel: fibratus + emoji: ""`, valid: false, errs: 3}, + {text: `api: + transport: "" + timeout: 1s`, valid: false, errs: 1}, + } + + for i, tt := range tests { + var m interface{} + err := yaml.Unmarshal([]byte(tt.text), &m) + if err != nil { + t.Fatal(err) + } + valid, errs := validate(m) + if valid != tt.valid { + t.Errorf("%d. valid mismatch: text=%q exp=%#v got=%#v", i, tt.text, tt.valid, valid) + } else if len(errs) != tt.errs { + t.Errorf("%d. error count mismatch: text=%q exp=%#v got=%#v", i, tt.text, tt.errs, len(errs)) + } + } +} diff --git a/pkg/errors/errors.go b/pkg/errors/errors.go new file mode 100644 index 000000000..003382ab6 --- /dev/null +++ b/pkg/errors/errors.go @@ -0,0 +1,89 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package errors + +import ( + "errors" + "fmt" +) + +var ( + // ErrTraceAccessDenied is returned when user doesn't have enough privileges to start kernel trace + ErrTraceAccessDenied = errors.New("not enough privileges to start the kernel trace. Only users with administrative privileges or users in the Performance Log Users group can start kernel traces") + // ErrTraceInvalidParameter signals invalid values for trace session + ErrTraceInvalidParameter = errors.New("trace has invalid values") + // ErrTraceBadLength signals an incorrect size for internal structure buffer + ErrTraceBadLength = errors.New("incorrect size of internal structure buffer") + // ErrCannotUpdateTrace signals that the session with the same GUID was running and couldn't be updated + ErrCannotUpdateTrace = errors.New("couldn't update the running trace") + // ErrTraceNoSysResources signals that the maximum number of logging sessions has been reached + ErrTraceNoSysResources = errors.New("maximum number of logging sessions has been reached") + // ErrTraceDiskFull signals that there is not enough space on disk for the log file. Should never happen for real-time loggers + ErrTraceDiskFull = errors.New("not enough disk space for writing to log file") + // ErrInvalidTrace signals invalid trace handle + ErrInvalidTrace = errors.New("invalid kernel trace handle") + // ErrStopTrace is bubbled when controller is not able to stop kernel trace session + ErrStopTrace = errors.New("an error occurred while stopping kernel trace") + // ErrRestartTrace signals an error that is thrown when currently running kernel trace cannot be restarted + ErrRestartTrace = errors.New("couldn't restart an already running kernel trace") + // ErrTraceAlreadyRunning identifies kernel trace already running errors + ErrTraceAlreadyRunning = errors.New("kernel trace is already running") + // ErrEventCallbackException signals that an exception has occurred in the event processing function + ErrEventCallbackException = errors.New("an exception occurred in the event callback function") + // ErrKsessionNotRunning is thrown when kernel session from which consumer is trying to collect events is not running + ErrKsessionNotRunning = errors.New("kernel session from which you are trying to consume events in real time is not running") + // ErrTraceCancelled is thrown when in-progress kernel event trace is cancelled + ErrTraceCancelled = errors.New("kernel event trace has been cancelled") + // ErrInsufficentBuffer raises when the buffer size for allocating event metadata is higher then regular buffer size + ErrInsufficentBuffer = errors.New("insufficient buffer size to allocate event metadata") + // ErrEventSchemaNotFound signals missing event schema + ErrEventSchemaNotFound = errors.New("event schema not found") + // ErrNeedsReallocateBuffer is signaled when an API function requires bigger buffer size + ErrNeedsReallocateBuffer = errors.New("buffer size is too small") + // ErrCancelUpstreamKevent represents the error that is returned to denote that event is not going to be passed to upstream components such as aggregator or outputs + ErrCancelUpstreamKevent = errors.New("cancel bubbling up the kernel event to upstream components") + + // ErrFeatureUnsupported is thrown when a certain feature was not triggered via the build flag + ErrFeatureUnsupported = func(s string) error { + return fmt.Errorf("fibratus was compiled without %s support. Please compile with the '%s' build flag", s, s) + } +) + +// ErrKparamNotFound is the error is thrown when a parameter is not present in the list of parameters +type ErrKparamNotFound struct { + Name string +} + +// Error returns the error message. +func (e ErrKparamNotFound) Error() string { + return "couldn't find " + e.Name + " in event parameters" +} + +// IsCancelUpstreamKevent determines if the error being passed if of `ErrCancelUpstreamKevent` type. +func IsCancelUpstreamKevent(err error) bool { return err == ErrCancelUpstreamKevent } + +// IsKparamNotFound returns true if the error is KparamNotFound. +func IsKparamNotFound(err error) bool { + switch err.(type) { + case *ErrKparamNotFound: + return true + default: + return false + } +} diff --git a/tests/fixtures/filaments/test_filament_interval.py b/pkg/filament/_fixtures/test_filter.py similarity index 80% rename from tests/fixtures/filaments/test_filament_interval.py rename to pkg/filament/_fixtures/test_filter.py index 5c1efcd3d..33c1afbbb 100644 --- a/tests/fixtures/filaments/test_filament_interval.py +++ b/pkg/filament/_fixtures/test_filter.py @@ -1,6 +1,7 @@ # Copyright 2016 by Nedim Sabic (RabbitStack) # All Rights Reserved. -# +# http://rabbitstack.github.io + # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at @@ -14,17 +15,13 @@ # under the License. """ -Test filament description +Tests the filter expression. """ +kevents = [] def on_init(): - pass - + kfilter('ps.name in (%s)' % ','.join(["'svchost.exe'", "'cmd.exe'", "'mimikatz.exe'"])) def on_next_kevent(kevent): - pass - - -def on_interval(): pass \ No newline at end of file diff --git a/tests/fixtures/filaments/test_filament_invalid_interval.py b/pkg/filament/_fixtures/test_on_next_kevent.py similarity index 62% rename from tests/fixtures/filaments/test_filament_invalid_interval.py rename to pkg/filament/_fixtures/test_on_next_kevent.py index 95abafae4..07b490f96 100644 --- a/tests/fixtures/filaments/test_filament_invalid_interval.py +++ b/pkg/filament/_fixtures/test_on_next_kevent.py @@ -1,4 +1,4 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) +# Copyright 2016 by Nedim Sabic (RabbitStack) # All Rights Reserved. # http://rabbitstack.github.io @@ -15,13 +15,20 @@ # under the License. """ -Test filament description +Tests the on_next_kevent function. """ +kevents = [] def on_init(): - set_interval('10') - + interval(1) + columns(['Key', '#Seq']) + sort_by('#Seq') def on_next_kevent(kevent): - pass \ No newline at end of file + kevents.append({'key_name': kevent['kparams']['key_name'], 'seq': kevent['seq'], 'dip': kevent['kparams']['dip']}) + +def on_interval(): + for key in kevents: + add_row([key['key_name'], key['seq']]) + render_table() \ No newline at end of file diff --git a/tests/fixtures/filaments/test_filament.py b/pkg/filament/_fixtures/top_hives_io.py similarity index 76% rename from tests/fixtures/filaments/test_filament.py rename to pkg/filament/_fixtures/top_hives_io.py index 8b80e92db..b58fcc640 100644 --- a/tests/fixtures/filaments/test_filament.py +++ b/pkg/filament/_fixtures/top_hives_io.py @@ -1,4 +1,4 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) +# Copyright 2016 by Nedim Sabic (RabbitStack) # All Rights Reserved. # http://rabbitstack.github.io @@ -15,18 +15,20 @@ # under the License. """ -Test filament description +Shows top registry hives by I/O activity. """ +import collections -def on_init(): - pass +hives = collections.Counter() -def on_next_kevent(kevent): - pass +def on_init(): + interval(4) + columns(['Hive', "1", ["d"]]) + sort_by("1") -def on_stop(): +def on_next_kevent(kevent): pass diff --git a/pkg/filament/_fixtures/top_keys_io_table.py b/pkg/filament/_fixtures/top_keys_io_table.py new file mode 100644 index 000000000..104e3cdb8 --- /dev/null +++ b/pkg/filament/_fixtures/top_keys_io_table.py @@ -0,0 +1,43 @@ +# Copyright 2016 by Nedim Sabic (RabbitStack) +# All Rights Reserved. +# http://rabbitstack.github.io + +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +""" +Shows top registry keys by I/O activity. +""" + +import collections + +keys = collections.Counter() + + +def on_init(): + interval(1) + columns(['Key', '#Ops']) + sort_by('#Ops') + + +def on_next_kevent(kevent): + pass + + +def on_interval(): + keys.update(("HKLM\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\Protocol_Catalog9",)) + keys.update(("HKLM\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\Protocol_Catalog9",)) + keys.update(("HKLM\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\Protocol_Catalog9",)) + keys.update(("HKLM\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids",)) + for key, count in keys.items(): + add_row([key, count]) + render_table() \ No newline at end of file diff --git a/filaments/top_hives_io.py b/pkg/filament/cpython/_fixtures/top_hives_io.py similarity index 77% rename from filaments/top_hives_io.py rename to pkg/filament/cpython/_fixtures/top_hives_io.py index d6ab4401e..9695ab4fe 100644 --- a/filaments/top_hives_io.py +++ b/pkg/filament/cpython/_fixtures/top_hives_io.py @@ -24,19 +24,22 @@ def on_init(): - set_filter('RegOpenKey', 'RegQueryKey', 'RegCreateKey') - columns(["Hive", "#Ops"]) - sort_by('#Ops') - set_interval(1) + set_interval(2) + print("on_init") + #set_filter('RegOpenKey or proc.name=java') + #columns(["Hive", "#Ops"]) + #sort_by('#Ops') + #set_interval(1) def on_next_kevent(kevent): - if '' not in kevent.params.hive: - hive = (kevent.params.hive, ) - hives.update(hive) - + print("KEVENT\n", kevent["kparams"]) + #raise Exception('eggs', 'eggs') def on_interval(): for hive, count in hives.items(): add_row([hive, count]) render_tabular() + +def sum(v): + return 1 + 1 \ No newline at end of file diff --git a/pkg/filament/cpython/api.c b/pkg/filament/cpython/api.c new file mode 100644 index 000000000..111a97441 --- /dev/null +++ b/pkg/filament/cpython/api.c @@ -0,0 +1,163 @@ +/* + * Copyright 2019-2020 by Nedim Sabic + * http://rabbitstack.github.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. You may obtain + * a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include "api.h" + +int PyArg_ParseInt(PyObject *args, int n) { + int i; + int res; + switch (n) { + case 1: + res = PyArg_ParseTuple(args, "i", &i); + break; + case 2: + res = PyArg_ParseTuple(args, "Oi", &i, &i); + break; + case 3: + res = PyArg_ParseTuple(args, "OOi", &i, &i, &i); + break; + default: + return i; + } + if (!res) { + PyErr_SetString(PyExc_ValueError, "argument must be an integer"); + return 0; + } + return i; +} + +PyObject* PyArg_ParseList(PyObject *args, int n) { + PyObject *ob; + int res; + switch (n) { + case 1: + res = PyArg_ParseTuple(args, "O!", &PyList_Type, &ob); + break; + case 2: + res = PyArg_ParseTuple(args, "OO!", &ob, &PyList_Type, &ob); + break; + case 3: + res = PyArg_ParseTuple(args, "OOO!", &ob, &ob, &PyList_Type, &ob); + break; + default: + return NULL; + } + if (!res) { + PyErr_SetString(PyExc_ValueError, "argument must be a list"); + return NULL; + } + return ob; +} + +PyObject* PyArg_ParseString(PyObject *args, int n) { + PyObject *ob; + int res; + switch (n) { + case 1: + res = PyArg_ParseTuple(args, "U", &ob); + break; + case 2: + res = PyArg_ParseTuple(args, "OU", &ob, &ob); + break; + case 3: + res = PyArg_ParseTuple(args, "OOU", &ob, &ob, &ob); + break; + default: + return NULL; + } + if (!res) { + PyErr_SetString(PyExc_ValueError, "argument must be a string"); + return NULL; + } + return ob; +} + +void PyArg_ParseKeywords(PyObject *args, PyObject *kwargs, char *kwlist[], PyObject **ob1, PyObject **ob2, PyObject **ob3, PyObject **ob4) { + int res; + + res = PyArg_ParseTupleAndKeywords(args, + kwargs, + "OO|$OO", kwlist, + ob1, ob2, ob3, ob4); + if (!res) { + PyErr_SetString(PyExc_ValueError, "parse keywords failed"); + } +} + +PyObject* PyTime_FromDateTime(int year, int month, int day, int hour, int minute, int second, int usecond) { + return PyDateTime_FromDateAndTime(year, month, day, hour, minute, second, usecond); +} + +PyObject* PyChar_FromChar(char v) { + return Py_BuildValue("b", v); +} + +PyObject* PyChar_FromUnsignedChar(unsigned char v) { + return Py_BuildValue("B", v); +} + +PyObject* PyShort_FromShort(short v) { + return Py_BuildValue("h", v); +} + +PyObject* PyShort_FromUnsignedShort(unsigned short v) { + return Py_BuildValue("H", v); +} + +bool Py_IsUnicode(PyObject *ob) { + if (ob == NULL) + return false; + return PyUnicode_CheckExact(ob); +} + +bool Py_IsInteger(PyObject *ob) { + if (ob == NULL) + return false; + return PyLong_CheckExact(ob); +} + +void Py_DateTimeImport() { + PyDateTime_IMPORT; +} + + +bool Py_IsDateTime(PyObject *ob) { + if (ob == NULL) + return false; + return PyDateTime_CheckExact(ob); +} + +const char* Py_Type(PyObject *ob) { + return Py_TYPE(ob)->tp_name; +} + +int PyDate_GetYear(PyObject *ob) { + return PyDateTime_GET_YEAR(ob); +} +int PyDate_GetMonth(PyObject *ob) { + return PyDateTime_GET_MONTH(ob); +} +int PyDate_GetDay(PyObject *ob) { + return PyDateTime_GET_DAY(ob); +} +int PyDate_GetHour(PyObject *ob) { + return PyDateTime_DATE_GET_HOUR(ob); +} +int PyDate_GetMinute(PyObject *ob) { + return PyDateTime_DATE_GET_MINUTE(ob); +} +int PyDate_GetSecond(PyObject *ob) { + return PyDateTime_DATE_GET_SECOND(ob); +} +int PyDate_GetMicroSecond(PyObject *ob) { + return PyDateTime_DATE_GET_MICROSECOND(ob); +} \ No newline at end of file diff --git a/pkg/filament/cpython/api.h b/pkg/filament/cpython/api.h new file mode 100644 index 000000000..62d322eba --- /dev/null +++ b/pkg/filament/cpython/api.h @@ -0,0 +1,58 @@ +/* + * Copyright 2019-2020 by Nedim Sabic + * http://rabbitstack.github.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. You may obtain + * a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include "datetime.h" + +typedef char i8; +typedef unsigned char u8; +typedef short i16; +typedef unsigned short u16; +typedef long i32; +typedef long long i64; +typedef unsigned long long u64; +typedef unsigned long u32; + +/* +Cgo doesn't know how to deal with C macros/variadic functions. This is the main reason we need the wrapper for +some CPython API functions in pure C. +*/ + +int PyArg_ParseInt(PyObject *args, int n); +PyObject* PyArg_ParseString(PyObject *args, int n); +PyObject* PyArg_ParseList(PyObject *args, int n); + +void PyArg_ParseKeywords(PyObject *args, PyObject *kwargs, char *kwlist[], PyObject **ob1, PyObject **ob2, PyObject **ob3, PyObject **ob4); + +PyObject* PyTime_FromDateTime(int year, int month, int day, int hour, int minute, int second, int usecond); +PyObject* PyChar_FromChar(char v); +PyObject* PyChar_FromUnsignedChar(unsigned char v); +PyObject* PyShort_FromShort(short v); +PyObject* PyShort_FromUnsignedShort(unsigned short v); + +bool Py_IsUnicode(PyObject *ob); +bool Py_IsInteger(PyObject *ob); +bool Py_IsDateTime(PyObject *ob); + +void Py_DateTimeImport(); + +int PyDate_GetYear(PyObject *ob); +int PyDate_GetMonth(PyObject *ob); +int PyDate_GetDay(PyObject *ob); +int PyDate_GetHour(PyObject *ob); +int PyDate_GetMinute(PyObject *ob); +int PyDate_GetSecond(PyObject *ob); +int PyDate_GetMicroSecond(PyObject *ob); + +const char* Py_Type(PyObject *ob); \ No newline at end of file diff --git a/pkg/filament/cpython/dict.go b/pkg/filament/cpython/dict.go new file mode 100644 index 000000000..ddf0a2220 --- /dev/null +++ b/pkg/filament/cpython/dict.go @@ -0,0 +1,55 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package cpython + +/* +#include "api.h" +*/ +import "C" + +// Dict represents the abstraction over the Python dictionary object. +type Dict struct { + *PyObject +} + +// NewDict constructs a new empty dictionary object. +func NewDict() *Dict { + return &Dict{PyObject: &PyObject{rawptr: C.PyDict_New()}} +} + +// NewDictFromObject constructs a new dictionary object from the existing dictionary. +func NewDictFromObject(o *PyObject) *Dict { + return &Dict{PyObject: o} +} + +// Insert inserts a value into the dictionary indexed with a key. Key must be hashable, otherwise TypeError is raised. +func (d *Dict) Insert(k, v *PyObject) { + C.PyDict_SetItem(d.rawptr, k.rawptr, v.rawptr) +} + +// Get returns the object from dictionary with the provided key. Returns a null object if the key key is not present, +// but without setting an exception. +func (d *Dict) Get(k *PyObject) *PyObject { + return &PyObject{rawptr: C.PyDict_GetItem(d.rawptr, k.rawptr)} +} + +// Object returns the underlying Python object reference. +func (d *Dict) Object() *PyObject { + return d.PyObject +} diff --git a/pkg/filament/cpython/dict_test.go b/pkg/filament/cpython/dict_test.go new file mode 100644 index 000000000..cd9139c63 --- /dev/null +++ b/pkg/filament/cpython/dict_test.go @@ -0,0 +1,36 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package cpython + +import ( + "github.com/magiconair/properties/assert" + "github.com/stretchr/testify/require" + "testing" +) + +func TestDict(t *testing.T) { + dict := NewDict() + require.False(t, dict.IsNull()) + + dict.Insert(PyUnicodeFromString("filename"), PyUnicodeFromString("C:\\Windows\\System32\\kernel32.dll")) + v := dict.Get(PyUnicodeFromString("filename")) + require.NotNil(t, v) + + assert.Equal(t, `'C:\\Windows\\System32\\kernel32.dll'`, v.String()) +} diff --git a/pkg/filament/cpython/errors.go b/pkg/filament/cpython/errors.go new file mode 100644 index 000000000..0247e1016 --- /dev/null +++ b/pkg/filament/cpython/errors.go @@ -0,0 +1,86 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package cpython + +/* +#include "api.h" +*/ +import "C" +import ( + "errors" + "sync" +) + +var once sync.Once +var formatException *PyObject + +// FetchErr retrieves the error indicator into three variables whose addresses are passed. If the error indicator is not +// set, set all three variables to NULL. If it is set, it will be cleared and you own a reference to each object retrieved. +// The value and traceback object may be NULL even when the type object is not. +func FetchErr() error { + if C.PyErr_Occurred() == nil { + // error indicator not set, nothing to do + return nil + } + + exc := &PyObject{} + val := &PyObject{} + traceback := &PyObject{} + defer exc.DecRef() + defer val.DecRef() + defer traceback.DecRef() + + C.PyErr_Fetch(&exc.rawptr, &val.rawptr, &traceback.rawptr) + // normalize exception values as per python C API + C.PyErr_NormalizeException(&exc.rawptr, &val.rawptr, &traceback.rawptr) + + if !traceback.IsNull() { + once.Do(func() { + tb, _ := NewModule("traceback") + if tb != nil { + formatException, _ = tb.GetAttrString("format_exception") + } + }) + if !formatException.IsNull() { + ob := formatException.Call(exc, val, traceback) + if !ob.IsNull() { + defer ob.DecRef() + return errors.New(ob.String()) + } + } + return errors.New("can't format traceback exception") + } + if !val.IsNull() { + return errors.New(val.String()) + } + if !exc.IsNull() { + return errors.New(exc.String()) + } + return nil +} + +// ClearError clears the error indicator. +func ClearError() { + C.PyErr_Clear() +} + +// CheckSignal checks the signal queue. +func CheckSignals() bool { + return C.PyErr_CheckSignals() == -1 +} diff --git a/pkg/filament/cpython/gil.go b/pkg/filament/cpython/gil.go new file mode 100644 index 000000000..539325848 --- /dev/null +++ b/pkg/filament/cpython/gil.go @@ -0,0 +1,85 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package cpython + +/* +#include "api.h" +*/ +import "C" +import ( + "fmt" + "runtime" + "sync/atomic" +) + +// PyGILState is the type alias for the native Python GIL state +type PyGILState C.PyGILState_STATE + +// GIL is responsible for interacting with the Python GIL. Goroutines are executed on +// multiple threads and the scheduler might decide to pause the goroutine on one thread +// and resume it later in a different thread. This would cause catastrophic effects if +// the Python interpreter finds out the GIL was acquired in one thread but released in a +// different one. We have to provide extra safety to avoid runtime crashes at the cost of +// sacrificing some performance since we'll always stick the goroutine to be scheduled on +// the same thread. +type GIL struct { + locked uint32 + state PyGILState + tstate *C.PyThreadState +} + +// NewGIL creates a new instance of the GIL manager. +func NewGIL() *GIL { + return &GIL{} +} + +// SaveThread releases the global interpreter lock (if it has been created and thread +// support is enabled) and reset the thread state to NULL, returning the +// previous thread state (which is not NULL). +func (g *GIL) SaveThread() { + g.tstate = C.PyEval_SaveThread() +} + +// RestoreThread acquire the global interpreter lock (if it has been created and thread +// support is enabled) and set the thread state to tstate, which must not be +// NULL. If the lock has been created, the current thread must not have +// acquired it, otherwise deadlock ensues. +func (g *GIL) RestoreThread() { + C.PyEval_RestoreThread(g.tstate) +} + +// Lock acquires the GIL lock by ensuring the current thread is ready to call Python C API. +func (g *GIL) Lock() { + runtime.LockOSThread() + atomic.StoreUint32(&g.locked, 1) + g.state = PyGILState(C.PyGILState_Ensure()) +} + +// Unlock releases the lock on the GIL. +func (g *GIL) Unlock() { + atomic.StoreUint32(&g.locked, 0) + C.PyGILState_Release(C.PyGILState_STATE(g.state)) + runtime.UnlockOSThread() +} + +// Locked indicates if the lock on the GIL was acquired. +func (g *GIL) Locked() bool { + fmt.Println(atomic.LoadUint32(&g.locked) > 0) + return atomic.LoadUint32(&g.locked) > 0 +} diff --git a/pkg/filament/cpython/gil_test.go b/pkg/filament/cpython/gil_test.go new file mode 100644 index 000000000..38e49b24f --- /dev/null +++ b/pkg/filament/cpython/gil_test.go @@ -0,0 +1,42 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package cpython + +import ( + "github.com/stretchr/testify/require" + "testing" +) + +func TestGILLock(t *testing.T) { + require.NoError(t, Initialize()) + defer Finalize() + gil := NewGIL() + gil.Lock() + require.True(t, gil.Locked()) +} + +func TestGILUnlock(t *testing.T) { + require.NoError(t, Initialize()) + defer Finalize() + gil := NewGIL() + gil.Lock() + require.True(t, gil.Locked()) + gil.Unlock() + require.False(t, gil.Locked()) +} diff --git a/pkg/filament/cpython/interpreter.go b/pkg/filament/cpython/interpreter.go new file mode 100644 index 000000000..86cc6e32c --- /dev/null +++ b/pkg/filament/cpython/interpreter.go @@ -0,0 +1,91 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package cpython + +/* +#cgo pkg-config: python-37 + +#include "api.h" + +*/ +import "C" +import ( + "github.com/pkg/errors" + log "github.com/sirupsen/logrus" + "syscall" + "unsafe" +) + +// ErrPyInit signals that an error ocurred while initializing the Python interpreter +var ErrPyInit = errors.New("couldn't initialize the Python interpreter") + +// ErrGILInit indicates that the global interpreter lock failed to initialize +var ErrGILInit = errors.New("unable to initialize the GIL") + +// Initialize initializes the Python interpreter and its global interpreter lock (GIL). +func Initialize() error { + if C.Py_IsInitialized() == 0 { + // initialize the interpreter without signal handlers + C.Py_InitializeEx(0) + } + if C.Py_IsInitialized() == 0 { + return ErrPyInit + } + if C.PyEval_ThreadsInitialized() == 0 { + C.PyEval_InitThreads() + } + if C.PyEval_ThreadsInitialized() == 0 { + return ErrGILInit + } + // this calls into PyDateTime_IMPORT macro to initialize the PyDateTimeAPI + C.Py_DateTimeImport() + + if err := initializeIpFnAndClasses(); err != nil { + log.Warn(err) + } + + return nil +} + +// Finalize undos all initializations made by Initialize() and subsequent use of Python/C API functions, +// and destroys all sub-interpreters that were created and not yet destroyed since the last call to Initialize(). +// Ideally, this frees all memory allocated by the Python interpreter. +func Finalize() { + C.Py_Finalize() +} + +// AddPythonPath adds a new path to the PYTHONPATH environment variable. +func AddPythonPath(path string) { + syspath := C.CString("path") + defer C.free(unsafe.Pointer(syspath)) + newPath := PyUnicodeFromString(path) + defer newPath.DecRef() + C.PyList_Append(C.PySys_GetObject(syspath), newPath.rawptr) +} + +// SetPath sets the default module search path. If this function is called before Py_Initialize(), then Py_GetPath() +// won’t attempt to compute a default search path but uses the one provided instead. This is useful if Python is +// embedded by an application that has full knowledge of the location of all modules. +func SetPath(path string) { + w, err := syscall.UTF16FromString(path) + if err != nil { + return + } + C.Py_SetPath((*C.wchar_t)(&w[0])) +} diff --git a/pkg/filament/cpython/interpreter_test.go b/pkg/filament/cpython/interpreter_test.go new file mode 100644 index 000000000..5823b1524 --- /dev/null +++ b/pkg/filament/cpython/interpreter_test.go @@ -0,0 +1,29 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package cpython + +import ( + "github.com/stretchr/testify/require" + "testing" +) + +func TestInitialize(t *testing.T) { + require.NoError(t, Initialize()) + Finalize() +} diff --git a/pkg/filament/cpython/ip.go b/pkg/filament/cpython/ip.go new file mode 100644 index 000000000..d493d3ebb --- /dev/null +++ b/pkg/filament/cpython/ip.go @@ -0,0 +1,50 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package cpython + +import "errors" + +var ipv4Class *PyObject +var ipv6Class *PyObject +var ipaddressFn *PyObject + +func initializeIpFnAndClasses() error { + mod, err := NewModule("ipaddress") + if err != nil { + return err + } + if mod.IsNull() { + return errors.New("ipaddress module was not initialized") + } + + ipaddressFn, err = mod.GetAttrString("ip_address") + if err != nil { + return err + } + ipv4Class, err = mod.GetAttrString("IPv4Address") + if err != nil { + return err + } + ipv6Class, err = mod.GetAttrString("IPv6Address") + if err != nil { + return err + } + + return nil +} diff --git a/pkg/filament/cpython/module.go b/pkg/filament/cpython/module.go new file mode 100644 index 000000000..b87889816 --- /dev/null +++ b/pkg/filament/cpython/module.go @@ -0,0 +1,88 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package cpython + +/* +#include +#include "api.h" +*/ +import "C" +import ( + "fmt" + "syscall" + "unsafe" +) + +type Module struct { + *PyObject + name string +} + +// NewModule imports a module leaving the globals and locals arguments set to NULL and level set to 0. When the name argument contains +// a dot (when it specifies a submodule of a package), the fromlist argument is set to the list ['*'] so that the return +// value is the named module rather than the top-level package containing it as would otherwise be the case. +// (Unfortunately, this has an additional side effect when name in fact specifies a subpackage instead of a submodule: +// the submodules specified in the package’s __all__ variable are loaded.) Return a new reference to the imported module, +// or NULL with an exception set on failure. A failing import of a module doesn't leave the module in sys.modules. +func NewModule(name string) (*Module, error) { + n := C.CString(name) + defer C.free(unsafe.Pointer(n)) + mod := C.PyImport_ImportModule(n) + if mod == nil { + return nil, fmt.Errorf("couldn't import %q module", name) + } + return &Module{ + PyObject: &PyObject{rawptr: mod}, + name: name, + }, nil +} + +// MethFlags is the type alias for the method flags +type MethFlags int + +const ( + MethVarArgs MethFlags = C.METH_VARARGS + MethKeyWords MethFlags = C.METH_KEYWORDS + MethNoArgs MethFlags = C.METH_NOARGS +) + +// DefaultMethFlags represents the default method flags +var DefaultMethFlags = MethVarArgs | MethKeyWords + +// declared globally to guard PyMethodDef structures from the garbage collector +var defs = map[string]*C.PyMethodDef{} + +// RegisterFn anchors the function to this module. The callable Python object is built from the method definition +// that specifies the function name, the args expected by the function and the pointer to the Go callback. +func (m *Module) RegisterFn(name string, fn interface{}, flags MethFlags) error { + n := C.CString(name) + defer C.free(unsafe.Pointer(n)) + defs[name] = &C.PyMethodDef{ + ml_name: n, + ml_meth: (C.PyCFunction)(unsafe.Pointer(syscall.NewCallback(fn))), + ml_flags: C.int(flags), + } + mod := C.CString(m.name) + defer C.free(unsafe.Pointer(mod)) + f := C.PyCFunction_NewEx((*C.PyMethodDef)(unsafe.Pointer(defs[name])), m.rawptr, C.PyUnicode_FromString(mod)) + if f == nil { + return fmt.Errorf("unable to attach the %s function to the %s module", name, m.name) + } + return m.SetAttrString(name, f) +} diff --git a/pkg/filament/cpython/module_test.go b/pkg/filament/cpython/module_test.go new file mode 100644 index 000000000..cb16d64cc --- /dev/null +++ b/pkg/filament/cpython/module_test.go @@ -0,0 +1,60 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package cpython + +import ( + "github.com/stretchr/testify/require" + "testing" +) + +func TestNewModule(t *testing.T) { + require.NoError(t, Initialize()) + defer Finalize() + AddPythonPath("_fixtures/") + mod, err := NewModule("top_hives_io") + require.NoError(t, err) + require.NotNil(t, mod) +} + +func TestModuleRegisterFn(t *testing.T) { + require.NoError(t, Initialize()) + defer Finalize() + AddPythonPath("_fixtures/") + mod, err := NewModule("top_hives_io") + require.NoError(t, err) + require.NotNil(t, mod) + + f := func() uintptr { return 0 } + + err = mod.RegisterFn("set_interval", f, MethVarArgs) + require.NoError(t, err) + + fn, err := mod.GetAttrString("set_interval") + require.NoError(t, err) + require.False(t, fn.IsNull()) + require.True(t, fn.IsCallable()) + fn.Call() + + fn, err = mod.GetAttrString("sum") + require.NoError(t, err) + require.False(t, fn.IsNull()) + require.True(t, fn.IsCallable()) + r := fn.Call(PyUnicodeFromString("test")) + require.False(t, r.IsNull()) +} diff --git a/pkg/filament/cpython/object.go b/pkg/filament/cpython/object.go new file mode 100644 index 000000000..928320b9d --- /dev/null +++ b/pkg/filament/cpython/object.go @@ -0,0 +1,379 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package cpython + +/* +#include "api.h" +*/ +import "C" +import ( + "errors" + "fmt" + "github.com/rabbitstack/fibratus/pkg/fs" + "net" + "syscall" + "time" + "unsafe" +) + +var errTypeNotList = errors.New("couldn't parse the argument. It is probably not a list") + +// PyRawObject is the type alias for the raw Python object pointer. +type PyRawObject *C.PyObject + +// PyArgs represents the alias for the Python positional arguments. +type PyArgs uintptr + +// PyKwargs represents the alias for the Python keyword arguments. +type PyKwargs uintptr + +// GetInt returns the nth positional argument as an integer. +func (args PyArgs) GetInt(n uint8) int { + return int(C.PyArg_ParseInt((*C.PyObject)(unsafe.Pointer(args)), C.int(n))) +} + +// GetString returns the nth positional argument as a string. +func (args PyArgs) GetString(n uint8) string { + return fromRawOb(C.PyArg_ParseString((*C.PyObject)(unsafe.Pointer(args)), C.int(n))).String() +} + +// GetStringSlice returns the nth argument as a slice of string values. +func (args PyArgs) GetStringSlice(n uint8) ([]string, error) { + ob := C.PyArg_ParseList((*C.PyObject)(unsafe.Pointer(args)), C.int(n)) + if ob == nil { + return nil, errTypeNotList + } + l := int(C.PyList_Size(ob)) + s := make([]string, l) + for i := 0; i < l; i++ { + item := C.PyList_GetItem(ob, C.longlong(i)) + if item == nil { + continue + } + isUnicode := bool(C.Py_IsUnicode(item)) + if !isUnicode { + continue + } + s[i] = fromRawOb(item).String() + } + return s, nil +} + +// GetSlice returns the nth argument as a slice of generic values. +func (args PyArgs) GetSlice(n uint8) ([]interface{}, error) { + ob := C.PyArg_ParseList((*C.PyObject)(unsafe.Pointer(args)), C.int(n)) + if ob == nil { + return nil, errTypeNotList + } + l := int(C.PyList_Size(ob)) + if l < 0 { + return nil, nil + } + s := make([]interface{}, l) + for i := 0; i < l; i++ { + item := C.PyList_GetItem(ob, C.longlong(i)) + if item == nil { + continue + } + switch { + case bool(C.Py_IsUnicode(item)): + s[i] = fromRawOb(item).String() + case bool(C.Py_IsInteger(item)): + s[i] = fromRawOb(item).Int() + case bool(C.Py_IsDateTime(item)): + s[i] = fromRawOb(item).Time() + default: + if ipv4Class != nil { + if !ipv4Class.IsNull() && C.PyObject_IsInstance(item, ipv4Class.rawptr) > 0 { + s[i] = net.ParseIP(fromRawOb(item).String()) + } + } + if ipv6Class != nil { + if !ipv6Class.IsNull() && C.PyObject_IsInstance(item, ipv6Class.rawptr) > 0 { + s[i] = net.ParseIP(fromRawOb(item).String()) + } + } + } + } + return s, nil +} + +// PyArgsParseKeywords parses tuple and keywords arguments. +func PyArgsParseKeywords(args PyArgs, kwargs PyKwargs, kwlist []string) (string, string, string, []string) { + var ( + ob1 *C.PyObject + ob2 *C.PyObject + ob3 *C.PyObject + ob4 *C.PyObject + ) + + klist := make([]*C.char, len(kwlist)+1) + + for i, k := range kwlist { + klist[i] = C.CString(k) + defer C.free(unsafe.Pointer(klist[i])) + } + + C.PyArg_ParseKeywords( + (*C.PyObject)(unsafe.Pointer(args)), + (*C.PyObject)(unsafe.Pointer(kwargs)), + &klist[0], + (**C.PyObject)(unsafe.Pointer(&ob1)), + (**C.PyObject)(unsafe.Pointer(&ob2)), + (**C.PyObject)(unsafe.Pointer(&ob3)), + (**C.PyObject)(unsafe.Pointer(&ob4)), + ) + + return fromRawOb(ob1).String(), fromRawOb(ob2).String(), fromRawOb(ob3).String(), fromRawOb(ob4).StringSlice() +} + +// PyObject is the main abstraction for manipulating the native CPython objects. +type PyObject struct { + rawptr *C.PyObject +} + +// NewPyNone creates a new none Python object. +func NewPyNone() *C.PyObject { + return C.Py_None +} + +func NewPyLong(v int64) *C.PyObject { + return C.PyLong_FromLongLong(C.i64(v)) +} + +// NewPyObjectFromFmt builds a new Python object based on the underlying interface type. +func NewPyObjectFromValue(value interface{}) *PyObject { + var ob *C.PyObject + switch v := value.(type) { + case int8: + ob = C.PyChar_FromChar(C.i8(v)) + case uint8: + ob = C.PyChar_FromUnsignedChar(C.u8(v)) + case int16: + ob = C.PyShort_FromShort(C.i16(v)) + case uint16: + ob = C.PyShort_FromUnsignedShort(C.u16(v)) + case int32: + ob = C.PyLong_FromLong(C.i32(v)) + case uint32: + ob = C.PyLong_FromUnsignedLong(C.u32(v)) + case int64: + ob = C.PyLong_FromLongLong(C.i64(v)) + case uint64: + ob = C.PyLong_FromUnsignedLongLong(C.u64(v)) + case string: + ob = PyUnicodeFromString(v).asRaw() + case fs.FileDisposition: + ob = PyUnicodeFromString(v.String()).asRaw() + case time.Time: + ob = C.PyTime_FromDateTime(C.int(v.Year()), C.int(v.Month()), C.int(v.Day()), C.int(v.Hour()), C.int(v.Minute()), C.int(v.Second()), C.int(v.Nanosecond()/1000)) + case net.IP: + if !ipaddressFn.IsNull() { + ob = ipaddressFn.Call(PyUnicodeFromString(v.String())).asRaw() + } else { + ob = PyUnicodeFromString(v.String()).asRaw() + } + case func(arg1, arg2 PyArgs) PyRawObject: + n := C.CString("func") + defer C.free(unsafe.Pointer(n)) + mdef := &C.PyMethodDef{ + ml_name: n, + ml_meth: (C.PyCFunction)(unsafe.Pointer(syscall.NewCallback(v))), + ml_flags: C.int(DefaultMethFlags), + } + ob = C.PyCFunction_NewEx((*C.PyMethodDef)(unsafe.Pointer(mdef)), nil, C.PyUnicode_FromString(n)) + } + return &PyObject{rawptr: ob} +} + +// fromRawOb builds a new Python object from the raw pointer. +func fromRawOb(ob *C.PyObject) *PyObject { return &PyObject{rawptr: ob} } + +// DecRef decrements the reference count for object o. If the object is NULL, nothing happens. If the reference count +// reaches zero, the object’s type’s deallocation function (which must not be NULL) is invoked. +func (ob *PyObject) DecRef() { + if ob != nil || ob.rawptr == nil { + return + } + C.Py_DecRef(ob.rawptr) +} + +// IncRef increment the reference count for object o. The object may be NULL, in which case this method has no effect. +func (ob *PyObject) IncRef() { + if ob != nil && ob.rawptr == nil { + return + } + C.Py_IncRef(ob.rawptr) +} + +// IsNull determines whether this object's instance is null. +func (ob *PyObject) IsNull() bool { + if ob == nil { + return true + } + return ob.rawptr == nil +} + +func (ob *PyObject) asRaw() *C.PyObject { + return ob.rawptr +} + +// SetAttrString set the value of the attribute provided for this object to the specified value. +func (ob *PyObject) SetAttrString(name string, value *C.PyObject) error { + attr := C.CString(name) + defer C.free(unsafe.Pointer(attr)) + err := int(C.PyObject_SetAttrString(ob.rawptr, attr, value)) + if err == -1 { + return fmt.Errorf("couldn't set the value of the %q attribute", name) + } + return nil +} + +// GetAttrString retrieves an attribute named from object the object. Returns an error if the attribute can't be fetched. +func (ob *PyObject) GetAttrString(name string) (*PyObject, error) { + attr := C.CString(name) + defer C.free(unsafe.Pointer(attr)) + v := C.PyObject_GetAttrString(ob.rawptr, attr) + if v == nil { + return nil, fmt.Errorf("couldn't get the %q attribute", name) + } + return &PyObject{rawptr: v}, nil +} + +// HasAttr determines if the Python object has the specified attribute. +func (ob *PyObject) HasAttr(name string) bool { + attr := C.CString(name) + defer C.free(unsafe.Pointer(attr)) + return C.PyObject_HasAttrString(ob.rawptr, attr) > 0 +} + +var encoding = C.CString("utf-8") +var codecErrors = C.CString("strict") + +// String encodes an Unicode object and returns the result as a Python bytes object converted to the Go string. +func (ob *PyObject) String() string { + if ob.rawptr == nil { + return "" + } + repr := C.PyObject_Str(ob.rawptr) + if repr == nil { + return "" + } + defer C.Py_DecRef(repr) + s := C.PyUnicode_AsEncodedString(repr, encoding, codecErrors) + if s == nil { + return "invalid Unicode string" + } + defer C.Py_DecRef(s) + return C.GoString(C.PyBytes_AsString(s)) +} + +// StringSlice returns this object as a string slice. +func (ob *PyObject) StringSlice() []string { + if ob.rawptr == nil { + return []string{} + } + l := int(C.PyList_Size(ob.asRaw())) + if l < 0 { + return nil + } + s := make([]string, l) + for i := 0; i < l; i++ { + item := C.PyList_GetItem(ob.asRaw(), C.longlong(i)) + if item == nil { + continue + } + isUnicode := bool(C.Py_IsUnicode(item)) + if !isUnicode { + continue + } + s[i] = fromRawOb(item).String() + } + return s +} + +// Uint32 returns an uint32 integer from the raw Python object. +func (ob *PyObject) Uint32() uint32 { + return uint32(C.PyLong_AsUnsignedLong(ob.rawptr)) +} + +// Uint64 returns an uint64 integer from the raw Python object. +func (ob *PyObject) Uint64() uint64 { + return uint64(C.PyLong_AsUnsignedLongLong(ob.rawptr)) +} + +// Uint64 returns an integer from the raw Python object. +func (ob *PyObject) Int() int { + return int(C.PyLong_AsUnsignedLongLong(ob.rawptr)) +} + +// Time returns the time from the raw Python object. +func (ob *PyObject) Time() time.Time { + year := int(C.PyDate_GetYear((*C.PyObject)(unsafe.Pointer(ob)))) + month := int(C.PyDate_GetMonth((*C.PyObject)(unsafe.Pointer(ob)))) + day := int(C.PyDate_GetDay((*C.PyObject)(unsafe.Pointer(ob)))) + hour := int(C.PyDate_GetHour((*C.PyObject)(unsafe.Pointer(ob)))) + minute := int(C.PyDate_GetMinute((*C.PyObject)(unsafe.Pointer(ob)))) + second := int(C.PyDate_GetSecond((*C.PyObject)(unsafe.Pointer(ob)))) + microsecond := int(C.PyDate_GetMicroSecond((*C.PyObject)(unsafe.Pointer(ob)))) + return time.Date(year, time.Month(month), day, hour, minute, second, microsecond*1000, time.Local) +} + +// Type returns the Python type representation. +func (ob *PyObject) Type() string { + return C.GoString(C.Py_Type(ob.rawptr)) +} + +// IsCallable determines if the object is callable. +func (ob *PyObject) IsCallable() bool { + return C.PyCallable_Check(ob.rawptr) > 0 +} + +// CallableArgCount returns the number of arguments declared in the callable Python object. +func (ob *PyObject) CallableArgCount() uint32 { + fnCode, err := ob.GetAttrString("__code__") + if err != nil || fnCode.IsNull() { + return 0 + } + defer fnCode.DecRef() + count, err := fnCode.GetAttrString("co_argcount") + if err != nil { + return 0 + } + defer count.DecRef() + return count.Uint32() +} + +// Call calls a callable Python object with arguments given by the tuple args. If no arguments are needed, then args +// may be NULL. Returns the result of the call on success, or a null reference on failure. +func (ob *PyObject) Call(args ...*PyObject) *PyObject { + if ob.rawptr == nil { + return nil + } + if len(args) == 0 { + return &PyObject{rawptr: C.PyObject_CallObject(ob.rawptr, nil)} + } + tuple := NewTuple(len(args)) + for pos, arg := range args { + tuple.Set(pos, arg) + } + defer tuple.DecRef() + r := C.PyObject_CallObject(ob.rawptr, tuple.rawptr) + return &PyObject{rawptr: r} +} diff --git a/pkg/filament/cpython/sequence.go b/pkg/filament/cpython/sequence.go new file mode 100644 index 000000000..25047f0d0 --- /dev/null +++ b/pkg/filament/cpython/sequence.go @@ -0,0 +1,39 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package cpython + +/* +#include "api.h" +*/ +import "C" + +// Tuple represents the Python tuple sequence object. +type Tuple struct { + *PyObject +} + +// NewTuple constructs a new tuple object of the provided size. +func NewTuple(size int) *Tuple { + return &Tuple{PyObject: &PyObject{rawptr: C.PyTuple_New(C.Py_ssize_t(size))}} +} + +// Set inserts a reference to object at specified position of the tuple. +func (t *Tuple) Set(pos int, ob *PyObject) { + C.PyTuple_SetItem(t.rawptr, C.Py_ssize_t(pos), ob.rawptr) +} diff --git a/pkg/filament/cpython/string.go b/pkg/filament/cpython/string.go new file mode 100644 index 000000000..18a9042c2 --- /dev/null +++ b/pkg/filament/cpython/string.go @@ -0,0 +1,32 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package cpython + +/* + #include "api.h" +*/ +import "C" +import "unsafe" + +// PyUnicodeFromString creates the Python Unicode object from the Go string. +func PyUnicodeFromString(s string) *PyObject { + u := C.CString(s) + defer C.free(unsafe.Pointer(u)) + return &PyObject{rawptr: C.PyUnicode_FromString(u)} +} diff --git a/pkg/filament/filament.go b/pkg/filament/filament.go new file mode 100644 index 000000000..2c5085b0b --- /dev/null +++ b/pkg/filament/filament.go @@ -0,0 +1,554 @@ +// +build filament + +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package filament + +import ( + "errors" + "expvar" + "fmt" + "github.com/rabbitstack/fibratus/pkg/alertsender" + "github.com/rabbitstack/fibratus/pkg/config" + "github.com/rabbitstack/fibratus/pkg/filament/cpython" + "github.com/rabbitstack/fibratus/pkg/filter" + "github.com/rabbitstack/fibratus/pkg/handle" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/ps" + "github.com/rabbitstack/fibratus/pkg/util/multierror" + "github.com/rabbitstack/fibratus/pkg/util/term" + log "github.com/sirupsen/logrus" + "io" + "io/ioutil" + "os" + "path/filepath" + "strings" + "time" + // initialize alert senders + _ "github.com/rabbitstack/fibratus/pkg/alertsender/mail" + _ "github.com/rabbitstack/fibratus/pkg/alertsender/slack" +) + +// pyver designates the current Python version +const pyver = "37" + +// useEmbeddedPython instructs the filament engine to use the embedded Python distribution. +var useEmbeddedPython = true + +const ( + intervalFn = "interval" + columnsFn = "columns" + sortbyFn = "sort_by" + kfilterFn = "kfilter" + addRowFn = "add_row" + maxRowsFn = "max_rows" + titleFn = "title" + renderTableFn = "render_table" + findHandleFn = "find_handle" + findHandlesFn = "find_handles" + findProcessFn = "find_process" + findProcessesFn = "find_processes" + emitAlertFn = "emit_alert" + + onInitFn = "on_init" + onStopFn = "on_stop" + onNextKeventFn = "on_next_kevent" + onIntervalFn = "on_interval" + doc = "__doc__" +) + +var ( + keventErrors = expvar.NewMap("filament.kevent.errors") + keventProcessErrors = expvar.NewInt("filament.kevent.process.errors") + kdictErrors = expvar.NewInt("filament.kdict.errors") + batchFlushes = expvar.NewInt("filament.kevent.batch.flushes") + + errFilamentsDir = func(path string) error { return fmt.Errorf("%s does not exist or is not a directory", path) } + + errNoDoc = errors.New("filament description is required") + errNoOnNextKevent = errors.New("required on_next_kevent function is not defined") + errOnNextKeventNotCallable = errors.New("on_next_kevent is not callable") + errOnNextKeventMismatchArgs = func(c uint32) error { return fmt.Errorf("expected 1 argument for on_next_kevent but found %d args", c) } + + tableOutput io.Writer +) + +type kbatch []*kevent.Kevent + +func (k *kbatch) append(kevt *kevent.Kevent) { + if *k == nil { + *k = make([]*kevent.Kevent, 0) + } + *k = append(*k, kevt) +} + +func (k *kbatch) reset() { *k = nil } +func (k kbatch) len() int { return len(k) } + +type filament struct { + name string + sortBy string + interval time.Duration + columns []string + fexpr string + fnerrs chan error + close chan struct{} + gil *cpython.GIL + + tick *time.Ticker + mod *cpython.Module + + config config.FilamentConfig + + psnap ps.Snapshotter + hsnap handle.Snapshotter + filter filter.Filter + + initErrors []error + + onNextKevent *cpython.PyObject + onStop *cpython.PyObject + + table tab +} + +// New creates a new instance of the filament by starting an embedded Python interpreter. It imports the filament +// module and anchors required functions for controlling the filament options as well as providing the access to +// the kernel event flow. +func New( + name string, + psnap ps.Snapshotter, + hsnap handle.Snapshotter, + config config.FilamentConfig, +) (Filament, error) { + if useEmbeddedPython { + exe, err := os.Executable() + if err != nil { + return nil, err + } + pylib := filepath.Join(filepath.Dir(exe), "..", "Python", fmt.Sprintf("python%s.zip", pyver)) + if _, err := os.Stat(pylib); err != nil { + return nil, fmt.Errorf("python lib not found: %v", err) + } + // set the default module search path so it points to our embedded Python distribution + cpython.SetPath(pylib) + } + + // initialize the Python interpreter + if err := cpython.Initialize(); err != nil { + return nil, err + } + + // set the PYTHON_PATH to the filaments directory so the interpreter + // is aware of our filament module prior to its loading + path := config.Path + fstat, err := os.Stat(path) + if err != nil || !fstat.IsDir() { + return nil, errFilamentsDir(path) + } + filaments, err := ioutil.ReadDir(path) + if err != nil { + return nil, err + } + // check if the filament is present in the directory + var exists bool + for _, f := range filaments { + if strings.TrimSuffix(f.Name(), filepath.Ext(f.Name())) == name { + exists = true + } + } + + if !exists { + return nil, fmt.Errorf("%q filament does not exist. Run 'fibratus list filaments' to view available filaments", name) + } + + cpython.AddPythonPath(path) + mod, err := cpython.NewModule(name) + if err != nil { + if err = cpython.FetchErr(); err != nil { + return nil, err + } + return nil, err + } + + // ensure required attributes are present before proceeding with + // further initialization. For instance, if the documentation + // string is not provided, on_next_kevent function is missing + // or has a wrong signature we won't run the filament + doc, err := mod.GetAttrString(doc) + if err != nil || doc.IsNull() { + return nil, errNoDoc + } + defer doc.DecRef() + if !mod.HasAttr(onNextKeventFn) { + return nil, errNoOnNextKevent + } + onNextKevent, err := mod.GetAttrString(onNextKeventFn) + if err != nil || onNextKevent.IsNull() { + return nil, errNoOnNextKevent + } + if !onNextKevent.IsCallable() { + return nil, errOnNextKeventNotCallable + } + argCount := onNextKevent.CallableArgCount() + if argCount != 1 { + return nil, errOnNextKeventMismatchArgs(argCount) + } + + f := &filament{ + name: name, + mod: mod, + config: config, + psnap: psnap, + hsnap: hsnap, + close: make(chan struct{}, 1), + fnerrs: make(chan error, 100), + gil: cpython.NewGIL(), + columns: make([]string, 0), + onNextKevent: onNextKevent, + interval: time.Second, + initErrors: make([]error, 0), + table: newTable(), + } + + if mod.HasAttr(onStopFn) { + f.onStop, _ = mod.GetAttrString(onStopFn) + } + // register all the functions for interacting with filament + // within the Python module + err = f.mod.RegisterFn(addRowFn, f.addRowFn, cpython.DefaultMethFlags) + if err != nil { + return nil, err + } + err = f.mod.RegisterFn(renderTableFn, f.renderTableFn, cpython.MethNoArgs) + if err != nil { + return nil, err + } + err = f.mod.RegisterFn(titleFn, f.titleFn, cpython.DefaultMethFlags) + if err != nil { + return nil, err + } + err = f.mod.RegisterFn(sortbyFn, f.sortByFn, cpython.DefaultMethFlags) + if err != nil { + return nil, err + } + err = f.mod.RegisterFn(maxRowsFn, f.maxRowsFn, cpython.DefaultMethFlags) + if err != nil { + return nil, err + } + err = f.mod.RegisterFn(columnsFn, f.columnsFn, cpython.DefaultMethFlags) + if err != nil { + return nil, err + } + err = f.mod.RegisterFn(kfilterFn, f.kfilterFn, cpython.DefaultMethFlags) + if err != nil { + return nil, err + } + err = f.mod.RegisterFn(intervalFn, f.intervalFn, cpython.DefaultMethFlags) + if err != nil { + return nil, err + } + err = f.mod.RegisterFn(emitAlertFn, f.emitAlertFn, cpython.DefaultMethFlags) + if err != nil { + return nil, err + } + err = f.mod.RegisterFn(findHandleFn, f.findHandleFn, cpython.DefaultMethFlags) + if err != nil { + return nil, err + } + err = f.mod.RegisterFn(findHandlesFn, f.findHandlesFn, cpython.DefaultMethFlags) + if err != nil { + return nil, err + } + err = f.mod.RegisterFn(findProcessFn, f.findProcessFn, cpython.DefaultMethFlags) + if err != nil { + return nil, err + } + err = f.mod.RegisterFn(findProcessesFn, f.findProcessesFn, cpython.DefaultMethFlags) + if err != nil { + return nil, err + } + // invoke the on_init function if it has been declared in the filament + if mod.HasAttr(onInitFn) { + onInit, _ := mod.GetAttrString(onInitFn) + if !onInit.IsNull() { + onInit.Call() + if err := cpython.FetchErr(); err != nil { + return nil, fmt.Errorf("filament init error: %v", err) + } + if len(f.initErrors) > 0 { + return nil, multierror.Wrap(f.initErrors) + } + } + } + + // initialize the console frame buffer + var fb io.Writer + if len(f.columns) > 0 { + fb, err = term.NewFrameBuffer() + if err != nil { + return nil, fmt.Errorf("couldn't create console frame buffer: %v", err) + } + } + if fb != nil { + f.table.setWriter(fb) + f.table.setColumnConfigs(f.columns, term.GetColumns()/2+15) + } else if tableOutput != nil { + f.table.setWriter(tableOutput) + } else { + f.table.setWriter(os.Stdout) + } + if len(f.columns) > 0 && f.sortBy != "" { + var sortBy bool + for _, col := range f.columns { + if col == f.sortBy { + sortBy = true + break + } + } + if !sortBy { + return nil, fmt.Errorf("%s column can't be sorted since it is not defined", f.sortBy) + } + } + + // compile filter from the expression + if f.fexpr != "" { + f.filter = filter.New(f.fexpr) + if err := f.filter.Compile(); err != nil { + return nil, err + } + } + // if on_interval function has been declared in the module, we'll + // schedule the ticker to the interval value set during filament + // bootstrap in on_init function or otherwise we'll use the default interval + if mod.HasAttr(onIntervalFn) { + onInterval, err := mod.GetAttrString(onIntervalFn) + if err == nil && !onInterval.IsNull() { + f.tick = time.NewTicker(f.interval) + go f.onInterval(onInterval) + } + } + // we acquired the GIL as a side effect of threading initialization (the call to cpython.Initialize()) + // but now we have to reset the current thread state and release the GIL. It is the responsibility of + // the caller to acquire the GIL before executing any Python code from now on + f.gil.SaveThread() + + return f, nil +} + +func (f *filament) Run(kevents chan *kevent.Kevent, errs chan error) error { + var batch kbatch + var flusher = time.NewTicker(time.Second) + for { + select { + case <-f.close: + flusher.Stop() + return nil + default: + } + + select { + case kevt := <-kevents: + batch.append(kevt) + case err := <-errs: + keventErrors.Add(err.Error(), 1) + case <-flusher.C: + batchFlushes.Add(1) + if batch.len() > 0 { + err := f.pushKevents(batch) + if err != nil { + log.Warnf("on_next_kevent failed: %v", err) + keventProcessErrors.Add(1) + } + batch.reset() + } + case err := <-f.fnerrs: + return err + case <-f.close: + flusher.Stop() + return nil + } + } +} + +func (f *filament) pushKevents(b kbatch) error { + f.gil.Lock() + defer f.gil.Unlock() + for _, kevt := range b { + kdict, err := newKDict(kevt) + kevt.Release() + if err != nil { + kdict.DecRef() + kdictErrors.Add(1) + continue + } + r := f.onNextKevent.Call(kdict.Object()) + if r != nil { + r.DecRef() + } + kdict.DecRef() + if err := cpython.FetchErr(); err != nil { + return err + } + } + return nil +} + +func (f *filament) Close() error { + if f.onStop != nil && !f.onStop.IsNull() { + f.gil.Lock() + f.onStop.Call() + f.gil.Unlock() + } + f.close <- struct{}{} + if f.tick != nil { + f.tick.Stop() + } + return nil +} + +func (f *filament) Filter() filter.Filter { return f.filter } + +func (f *filament) intervalFn(_, args cpython.PyArgs) cpython.PyRawObject { + f.interval = time.Second * time.Duration(args.GetInt(1)) + if f.interval == 0 { + f.initErrors = append(f.initErrors, errors.New("invalid interval value specified")) + } + return cpython.NewPyNone() +} + +func (f *filament) sortByFn(_, args cpython.PyArgs) cpython.PyRawObject { + f.sortBy = args.GetString(1) + f.table.sortBy(f.sortBy) + return cpython.NewPyNone() +} + +func (f *filament) maxRowsFn(_, args cpython.PyArgs) cpython.PyRawObject { + f.table.maxRows(args.GetInt(1)) + return cpython.NewPyNone() +} + +func (f *filament) columnsFn(_, args cpython.PyArgs) cpython.PyRawObject { + var err error + f.columns, err = args.GetStringSlice(1) + if err != nil { + f.initErrors = append(f.initErrors, err) + } + f.table.appendHeader(f.columns) + return cpython.NewPyNone() +} + +func (f *filament) kfilterFn(_, args cpython.PyArgs) cpython.PyRawObject { + f.fexpr = args.GetString(1) + return cpython.NewPyNone() +} + +func (f *filament) addRowFn(_, args cpython.PyArgs) cpython.PyRawObject { + s, err := args.GetSlice(1) + if err != nil { + f.fnerrs <- err + return cpython.NewPyNone() + } + if len(s) != len(f.columns) { + f.fnerrs <- fmt.Errorf("add_row has %d row(s) but expected %d rows(s)", len(s), len(f.columns)) + return cpython.NewPyNone() + } + f.table.appendRow(s) + return cpython.NewPyLong(int64(len(s))) +} + +func (f *filament) renderTableFn(_ cpython.PyArgs, args cpython.PyArgs) cpython.PyRawObject { + f.table.render() + f.table.reset() + return cpython.NewPyNone() +} + +func (f *filament) titleFn(_ cpython.PyArgs, args cpython.PyArgs) cpython.PyRawObject { + f.table.title(args.GetString(1)) + return cpython.NewPyNone() +} + +var keywords = []string{"", "", "severity", "tags"} + +func (f *filament) emitAlertFn(_, args cpython.PyArgs, kwargs cpython.PyKwargs) cpython.PyRawObject { + f.gil.Lock() + defer f.gil.Unlock() + senders := alertsender.FindAll() + if len(senders) == 0 { + log.Warn("no alertsenders registered. Alert won't be sent") + return cpython.NewPyNone() + } + + title, text, sever, tags := cpython.PyArgsParseKeywords(args, kwargs, keywords) + + for _, s := range senders { + alert := alertsender.NewAlert( + title, + text, + tags, + alertsender.ParseSeverityFromString(sever), + ) + if err := s.Send(alert); err != nil { + log.Warnf("unable to emit alert from filament: %v", err) + } + } + + return cpython.NewPyNone() +} + +func (f *filament) findProcessFn(_, args cpython.PyArgs) cpython.PyRawObject { + f.gil.Lock() + defer f.gil.Unlock() + return cpython.NewPyNone() +} + +func (f *filament) findHandleFn(_, args cpython.PyArgs) cpython.PyRawObject { + f.gil.Lock() + defer f.gil.Unlock() + return cpython.NewPyNone() +} + +func (f *filament) findProcessesFn(_, args cpython.PyArgs) cpython.PyRawObject { + f.gil.Lock() + defer f.gil.Unlock() + return cpython.NewPyNone() +} + +func (f *filament) findHandlesFn(_, args cpython.PyArgs) cpython.PyRawObject { + f.gil.Lock() + defer f.gil.Unlock() + return cpython.NewPyNone() +} + +func (f *filament) onInterval(fn *cpython.PyObject) { + for { + select { + case <-f.tick.C: + f.gil.Lock() + r := fn.Call() + if r != nil { + r.DecRef() + } + if err := cpython.FetchErr(); err != nil { + f.fnerrs <- err + } + f.gil.Unlock() + } + } +} diff --git a/pkg/filament/filament_test.go b/pkg/filament/filament_test.go new file mode 100644 index 000000000..eace8b87e --- /dev/null +++ b/pkg/filament/filament_test.go @@ -0,0 +1,127 @@ +// +build filament + +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package filament + +import ( + "bufio" + "bytes" + "github.com/rabbitstack/fibratus/pkg/config" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "net" + "strings" + "testing" + "time" +) + +func init() { + useEmbeddedPython = false +} + +func TestNewFilament(t *testing.T) { + filament, err := New("top_hives_io", nil, nil, config.FilamentConfig{Path: "_fixtures"}) + require.NoError(t, err) + require.NotNil(t, filament) + defer filament.Close() +} + +var buf bytes.Buffer + +func init() { + tableOutput = &buf +} + +func TestFilamentTable(t *testing.T) { + filament, err := New("top_keys_io_table", nil, nil, config.FilamentConfig{Path: "_fixtures"}) + require.NoError(t, err) + require.NotNil(t, filament) + defer filament.Close() + + time.Sleep(time.Millisecond * 1020) + output := "╭──────────────────────────────────────────────────────────────────────────┬──────╮\n│ KEY │ #OPS │\n├──────────────────────────────────────────────────────────────────────────┼──────┤\n│ HKLM\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\Protocol_Catalog9 │ 3 │\n│ HKLM\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids │ 1 │\n╰──────────────────────────────────────────────────────────────────────────┴──────╯\n" + + assert.Equal(t, output, buf.String()) +} + +func TestOnNextKevent(t *testing.T) { + filament, err := New("test_on_next_kevent", nil, nil, config.FilamentConfig{FlushPeriod: time.Millisecond * 250, Path: "_fixtures"}) + require.NoError(t, err) + require.NotNil(t, filament) + time.AfterFunc(time.Millisecond*1050, func() { + filament.Close() + }) + + kevents := make(chan *kevent.Kevent, 100) + errs := make(chan error, 10) + for i := 1; i <= 100; i++ { + kevt := &kevent.Kevent{ + Type: ktypes.RegCreateKey, + Tid: 2484, + Pid: 859, + Name: "RegCreateKey", + Host: "archrabbit", + CPU: uint8(i / 2), + Category: ktypes.Registry, + Seq: uint64(i), + Timestamp: time.Now(), + Kparams: kevent.Kparams{ + kparams.RegKeyName: {Name: kparams.RegKeyName, Type: kparams.UnicodeString, Value: `HKEY_LOCAL_MACHINE\SYSTEM\Setup`}, + kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.HexInt64, Value: kparams.NewHex(uint64(18446666033449935464))}, + kparams.NetDIP: {Name: kparams.NetDIP, Type: kparams.IPv4, Value: net.ParseIP("216.58.201.174")}, + }, + } + kevents <- kevt + } + err = filament.Run(kevents, errs) + require.Nil(t, err) + sn := bufio.NewScanner(strings.NewReader(buf.String())) + const headerOffset = 4 + rows := 0 + for sn.Scan() { + rows++ + } + assert.Equal(t, 100, rows-headerOffset) +} + +func TestFilamentFilter(t *testing.T) { + filament, err := New("test_filter", nil, nil, config.FilamentConfig{Path: "_fixtures"}) + require.NoError(t, err) + require.NotNil(t, filament) + defer filament.Close() + require.NotNil(t, filament.Filter()) + kpars := kevent.Kparams{ + kparams.Comm: {Name: kparams.Comm, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\svchost.exe -k RPCSS"}, + kparams.ProcessName: {Name: kparams.ProcessName, Type: kparams.AnsiString, Value: "svchost.exe"}, + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.Uint32, Value: uint32(1234)}, + kparams.ProcessParentID: {Name: kparams.ProcessParentID, Type: kparams.Uint32, Value: uint32(345)}, + } + + kevt := &kevent.Kevent{ + Type: ktypes.CreateProcess, + Kparams: kpars, + Name: "CreateProcess", + } + + require.True(t, filament.Filter().Run(kevt)) +} diff --git a/pkg/filament/filament_unsupported.go b/pkg/filament/filament_unsupported.go new file mode 100644 index 000000000..546e65af2 --- /dev/null +++ b/pkg/filament/filament_unsupported.go @@ -0,0 +1,38 @@ +// +build !filament + +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package filament + +import ( + "github.com/rabbitstack/fibratus/pkg/config" + kerrors "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/handle" + "github.com/rabbitstack/fibratus/pkg/ps" +) + +// New returns unsupported filament error. +func New( + name string, + psnap ps.Snapshotter, + hsnap handle.Snapshotter, + config config.FilamentConfig, +) (Filament, error) { + return nil, kerrors.ErrFeatureUnsupported("filament") +} diff --git a/pkg/filament/kdict.go b/pkg/filament/kdict.go new file mode 100644 index 000000000..6957f4d0e --- /dev/null +++ b/pkg/filament/kdict.go @@ -0,0 +1,89 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package filament + +import ( + "errors" + "github.com/rabbitstack/fibratus/pkg/filament/cpython" + "github.com/rabbitstack/fibratus/pkg/kevent" +) + +var ( + seq = cpython.PyUnicodeFromString("seq") + pid = cpython.PyUnicodeFromString("pid") + ppid = cpython.PyUnicodeFromString("ppid") + cwd = cpython.PyUnicodeFromString("cwd") + exec = cpython.PyUnicodeFromString("exe") + comm = cpython.PyUnicodeFromString("comm") + sid = cpython.PyUnicodeFromString("sid") + tid = cpython.PyUnicodeFromString("tid") + cpu = cpython.PyUnicodeFromString("cpu") + name = cpython.PyUnicodeFromString("name") + cat = cpython.PyUnicodeFromString("category") + desc = cpython.PyUnicodeFromString("description") + host = cpython.PyUnicodeFromString("host") + ts = cpython.PyUnicodeFromString("timestamp") + kparamsk = cpython.PyUnicodeFromString("kparams") + + errDictAllocate = errors.New("couldn't allocate a new dict") +) + +// newKDict constructs a Python dictionary object from the kernel event structure. This dictionary object is +// passed to the event dispatching function in the filament. +func newKDict(kevt *kevent.Kevent) (*cpython.Dict, error) { + kdict := cpython.NewDict() + if kdict.IsNull() { + return nil, errDictAllocate + } + + // insert canonical kevent fields + kdict.Insert(seq, cpython.NewPyObjectFromValue(kevt.Seq)) + kdict.Insert(pid, cpython.NewPyObjectFromValue(kevt.PID)) + kdict.Insert(tid, cpython.NewPyObjectFromValue(kevt.Tid)) + kdict.Insert(cpu, cpython.NewPyObjectFromValue(kevt.CPU)) + kdict.Insert(name, cpython.NewPyObjectFromValue(kevt.Name)) + kdict.Insert(cat, cpython.NewPyObjectFromValue(string(kevt.Category))) + kdict.Insert(desc, cpython.NewPyObjectFromValue(kevt.Description)) + kdict.Insert(host, cpython.NewPyObjectFromValue(kevt.Host)) + kdict.Insert(ts, cpython.NewPyObjectFromValue(kevt.Timestamp)) + + // insert process state fields + ps := kevt.PS + if ps != nil { + kdict.Insert(ppid, cpython.NewPyObjectFromValue(ps.Ppid)) + kdict.Insert(cwd, cpython.NewPyObjectFromValue(ps.Cwd)) + kdict.Insert(exec, cpython.NewPyObjectFromValue(ps.Name)) + kdict.Insert(comm, cpython.NewPyObjectFromValue(ps.Comm)) + kdict.Insert(sid, cpython.NewPyObjectFromValue(ps.SID)) + } + + // insert kevent parameters + kpars := cpython.NewDict() + for _, kpar := range kevt.Kparams { + kparam := cpython.NewPyObjectFromValue(kpar.Value) + if kparam.IsNull() { + continue + } + kpars.Insert(cpython.PyUnicodeFromString(kpar.Name), kparam) + } + + kdict.Insert(kparamsk, kpars.Object()) + + return kdict, nil +} diff --git a/pkg/filament/kdict_test.go b/pkg/filament/kdict_test.go new file mode 100644 index 000000000..5da5fe854 --- /dev/null +++ b/pkg/filament/kdict_test.go @@ -0,0 +1,117 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package filament + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/filament/cpython" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "net" + "testing" + "time" +) + +func TestProduceKdict(t *testing.T) { + err := cpython.Initialize() + require.NoError(t, err) + defer cpython.Finalize() + now := time.Now() + kevt := &kevent.Kevent{ + Seq: uint64(12456738026482168384), + Tid: 2484, + PID: 859, + CPU: 1, + Name: "CreateFile", + Timestamp: now, + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + } + dict, err := newKDict(kevt) + require.NoError(t, err) + require.NotNil(t, dict) + + assert.Equal(t, uint64(12456738026482168384), dict.Get(seq).Uint64()) + assert.Equal(t, uint32(859), dict.Get(pid).Uint32()) + assert.Equal(t, uint32(2484), dict.Get(tid).Uint32()) + assert.Equal(t, uint8(1), uint8(dict.Get(cpu).Uint32())) + assert.Equal(t, "CreateFile", dict.Get(name).String()) + assert.Equal(t, "file", dict.Get(cat).String()) + assert.Equal(t, "archrabbit", dict.Get(host).String()) + assert.Equal(t, "Creates or opens a new file, directory, I/O device, pipe, console", dict.Get(desc).String()) + assert.Equal(t, fmt.Sprintf("%d-%0d-%02d %d:%d:%d.%d", now.Year(), now.Month(), now.Day(), now.Hour(), now.Minute(), now.Second(), now.Nanosecond()/1000), dict.Get(ts).String()) +} + +func TestProduceKdictWithIPAddresses(t *testing.T) { + err := cpython.Initialize() + require.NoError(t, err) + defer cpython.Finalize() + + kevt := &kevent.Kevent{ + Name: "Send", + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.NetDport: {Name: kparams.NetDport, Type: kparams.Uint16, Value: uint16(443)}, + kparams.NetSport: {Name: kparams.NetSport, Type: kparams.Uint16, Value: uint16(43123)}, + kparams.NetSIP: {Name: kparams.NetSIP, Type: kparams.IPv6, Value: net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334")}, + kparams.NetDIP: {Name: kparams.NetDIP, Type: kparams.IPv4, Value: net.ParseIP("216.58.201.174")}, + }, + } + + dict, err := newKDict(kevt) + require.NoError(t, err) + require.NotNil(t, dict) + + kpars := dict.Get(cpython.PyUnicodeFromString("kparams")) + kparamsDict := cpython.NewDictFromObject(kpars) + + assert.Equal(t, "216.58.201.174", kparamsDict.Get(cpython.PyUnicodeFromString("dip")).String()) + assert.Equal(t, "2001:db8:85a3::8a2e:370:7334", kparamsDict.Get(cpython.PyUnicodeFromString("sip")).String()) +} + +func BenchmarkTestProduceKdict(b *testing.B) { + b.ReportAllocs() + err := cpython.Initialize() + require.NoError(b, err) + defer cpython.Finalize() + + kevt := &kevent.Kevent{ + Seq: uint64(12456738026482168384), + Tid: 2484, + PID: 859, + CPU: 1, + Name: "CreateFile", + Timestamp: time.Now(), + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + } + + for i := 0; i < b.N; i++ { + dict, err := newKDict(kevt) + if err != nil || dict.IsNull() { + b.Fatal("invalid dict produced") + } + } +} diff --git a/pkg/filament/table.go b/pkg/filament/table.go new file mode 100644 index 000000000..b39bef382 --- /dev/null +++ b/pkg/filament/table.go @@ -0,0 +1,78 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package filament + +import ( + "github.com/jedib0t/go-pretty/v6/table" + "io" +) + +type tab struct { + writer table.Writer +} + +func newTable() tab { + writer := table.NewWriter() + writer.SetStyle(table.StyleLight) + return tab{writer: writer} +} + +func (t tab) setWriter(output io.Writer) { + t.writer.SetOutputMirror(output) +} + +func (t tab) setColumnConfigs(cols []string, maxWidth int) { + configs := make([]table.ColumnConfig, len(cols)) + for i, col := range cols { + configs[i] = table.ColumnConfig{Name: col, WidthMax: maxWidth} + } + t.writer.SetColumnConfigs(configs) +} + +func (t tab) appendHeader(cols []string) { + r := make(table.Row, len(cols)) + for i, col := range cols { + r[i] = col + } + t.writer.AppendHeader(r) +} + +func (t tab) appendRow(row []interface{}) { + t.writer.AppendRow(row) +} + +func (t tab) sortBy(column string) { + t.writer.SortBy([]table.SortBy{{Name: column, Mode: table.DscNumeric}}) +} + +func (t tab) maxRows(size int) { + t.writer.SetPageSize(size) +} + +func (t tab) render() { + t.writer.Render() +} + +func (t tab) reset() { + t.writer.ResetRows() +} + +func (t tab) title(title string) { + t.writer.SetTitle(title) +} diff --git a/pkg/filament/table_test.go b/pkg/filament/table_test.go new file mode 100644 index 000000000..ed40ad25b --- /dev/null +++ b/pkg/filament/table_test.go @@ -0,0 +1,36 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package filament + +import ( + "os" + "testing" +) + +func TestTable(t *testing.T) { + table := newTable() + table.setWriter(os.Stdout) + table.appendHeader([]string{"Hive", "#Ops"}) + table.appendRow([]interface{}{"HKLM/CurrentUser", 2000}) + table.render() + + table.reset() + table.appendRow([]interface{}{"HKLM/CurrentUser", 2000}) + table.render() +} diff --git a/pkg/filament/types.go b/pkg/filament/types.go new file mode 100644 index 000000000..e29b679c2 --- /dev/null +++ b/pkg/filament/types.go @@ -0,0 +1,41 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package filament + +import ( + "github.com/rabbitstack/fibratus/pkg/filter" + "github.com/rabbitstack/fibratus/pkg/kevent" +) + +// Filament defines the set of operations all filaments have to satisfy. Filament represents a full-fledged +// Python interpreter that runs the modules given by users. +type Filament interface { + // Run consumes all events from the kernel event stream and dispatches them to the filament. + Run(chan *kevent.Kevent, chan error) error + // Close shutdowns the filament by releasing all allocated resources. + Close() error + // Filter returns the filter compiled from filament. + Filter() filter.Filter +} + +// Info stores metadata about the filament. +type Info struct { + Name string + Description string +} diff --git a/pkg/filter/accessor.go b/pkg/filter/accessor.go new file mode 100644 index 000000000..994a1a0b7 --- /dev/null +++ b/pkg/filter/accessor.go @@ -0,0 +1,543 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package filter + +import ( + "errors" + "github.com/rabbitstack/fibratus/pkg/filter/fields" + "github.com/rabbitstack/fibratus/pkg/fs" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/net" + "github.com/rabbitstack/fibratus/pkg/pe" + "path/filepath" + "strings" +) + +// accessor dictates the behaviour of the field accessors. One of the main responsibilities of the accessor is +// to extract the underlying parameter for the field given in the filter expression. It can also produce a value +// from the non-params constructs such as process' state or PE metadata. +type accessor interface { + // get fetches the parameter value for the specified filter field. + get(f fields.Field, kevt *kevent.Kevent) (kparams.Value, error) +} + +// kevtAccessor extracts kernel event specific values. +type kevtAccessor struct{} + +func newKevtAccessor() accessor { + return &kevtAccessor{} +} + +const timeFmt = "15:04:05" +const dateFmt = "2006-01-02" + +func (k *kevtAccessor) get(f fields.Field, kevt *kevent.Kevent) (kparams.Value, error) { + switch f { + case fields.KevtSeq: + return kevt.Seq, nil + case fields.KevtPID: + return kevt.PID, nil + case fields.KevtTID: + return kevt.Tid, nil + case fields.KevtCPU: + return kevt.CPU, nil + case fields.KevtName: + return kevt.Name, nil + case fields.KevtCategory: + return string(kevt.Category), nil + case fields.KevtDesc: + return kevt.Description, nil + case fields.KevtHost: + return kevt.Host, nil + case fields.KevtTime: + return kevt.Timestamp.Format(timeFmt), nil + case fields.KevtTimeHour: + return uint8(kevt.Timestamp.Hour()), nil + case fields.KevtTimeMin: + return uint8(kevt.Timestamp.Minute()), nil + case fields.KevtTimeSec: + return uint8(kevt.Timestamp.Second()), nil + case fields.KevtTimeNs: + return kevt.Timestamp.UnixNano(), nil + case fields.KevtDate: + return kevt.Timestamp.Format(dateFmt), nil + case fields.KevtDateDay: + return uint8(kevt.Timestamp.Day()), nil + case fields.KevtDateMonth: + return uint8(kevt.Timestamp.Month()), nil + case fields.KevtDateTz: + tz, _ := kevt.Timestamp.Zone() + return tz, nil + case fields.KevtDateYear: + return uint32(kevt.Timestamp.Year()), nil + case fields.KevtDateWeek: + _, week := kevt.Timestamp.ISOWeek() + return uint8(week), nil + case fields.KevtDateWeekday: + return kevt.Timestamp.Weekday().String(), nil + case fields.KevtNparams: + return uint64(kevt.Kparams.Len()), nil + default: + return nil, nil + } +} + +// psAccessor extracts process's state or kevent specific values. +type psAccessor struct{} + +func newPSAccessor() accessor { return &psAccessor{} } + +func (ps *psAccessor) get(f fields.Field, kevt *kevent.Kevent) (kparams.Value, error) { + switch f { + case fields.PsPid: + return kevt.PID, nil + case fields.PsPpid: + ps := kevt.PS + if ps == nil { + return kevt.Kparams.GetPpid() + } + return ps.Ppid, nil + case fields.PsName: + ps := kevt.PS + if ps == nil || ps.Name == "" { + return kevt.Kparams.GetString(kparams.ProcessName) + } + return ps.Name, nil + case fields.PsComm: + ps := kevt.PS + if ps == nil { + return kevt.Kparams.GetString(kparams.Comm) + } + return ps.Comm, nil + case fields.PsExe: + ps := kevt.PS + if ps == nil { + return nil, nil + } + return ps.Exe, nil + case fields.PsArgs: + ps := kevt.PS + if ps == nil { + return nil, nil + } + return ps.Args, nil + case fields.PsCwd: + ps := kevt.PS + if ps == nil { + return nil, nil + } + return ps.Cwd, nil + case fields.PsSID: + ps := kevt.PS + if ps == nil { + return nil, nil + } + return ps.SID, nil + case fields.PsSessionID: + ps := kevt.PS + if ps == nil { + return nil, nil + } + return ps.SessionID, nil + case fields.PsEnvs: + ps := kevt.PS + if ps == nil { + return nil, nil + } + envs := make([]string, 0, len(ps.Envs)) + for env := range ps.Envs { + envs = append(envs, env) + } + return envs, nil + case fields.PsModules: + ps := kevt.PS + if ps == nil { + return nil, nil + } + mods := make([]string, 0, len(ps.Modules)) + for _, m := range ps.Modules { + mods = append(mods, filepath.Base(m.Name)) + } + return mods, nil + case fields.PsHandles: + ps := kevt.PS + if ps == nil { + return nil, nil + } + handles := make([]string, len(ps.Handles)) + for i, handle := range ps.Handles { + handles[i] = handle.Name + } + return handles, nil + case fields.PsHandleTypes: + ps := kevt.PS + if ps == nil { + return nil, nil + } + types := make([]string, len(ps.Handles)) + for i, handle := range ps.Handles { + if types[i] == handle.Type { + continue + } + types[i] = handle.Type + } + return types, nil + default: + field := f.String() + switch { + case strings.HasPrefix(field, fields.PsEnvsSubfield): + // access the specific environment variable + env, _ := captureInBrackets(field) + ps := kevt.PS + if ps == nil { + return nil, nil + } + v, ok := ps.Envs[env] + if ok { + return v, nil + } + // match on prefix + for k, v := range ps.Envs { + if strings.HasPrefix(k, env) { + return v, nil + } + } + + case strings.HasPrefix(field, fields.PsModsSubfield): + name, subfield := captureInBrackets(field) + ps := kevt.PS + if ps == nil { + return nil, nil + } + mod := ps.FindModule(name) + if mod == nil { + return nil, nil + } + + switch subfield { + case fields.ModuleSize: + return mod.Size, nil + case fields.ModuleChecksum: + return mod.Checksum, nil + case fields.ModuleBaseAddress: + return mod.BaseAddress.String(), nil + case fields.ModuleDefaultAddress: + return mod.DefaultBaseAddress.String(), nil + case fields.ModuleLocation: + return filepath.Dir(mod.Name), nil + } + } + + return nil, nil + } +} + +// threadAccessor fetches thread parameters from thread kernel events. +type threadAccessor struct{} + +func newThreadAccessor() accessor { + return &threadAccessor{} +} + +func (t *threadAccessor) get(f fields.Field, kevt *kevent.Kevent) (kparams.Value, error) { + switch f { + case fields.ThreadBasePrio: + return kevt.Kparams.GetUint8(kparams.BasePrio) + case fields.ThreadIOPrio: + return kevt.Kparams.GetUint8(kparams.IOPrio) + case fields.ThreadPagePrio: + return kevt.Kparams.GetUint8(kparams.PagePrio) + case fields.ThreadKstackBase: + v, err := kevt.Kparams.GetHex(kparams.KstackBase) + if err != nil { + return nil, err + } + return v.String(), nil + case fields.ThreadKstackLimit: + v, err := kevt.Kparams.GetHex(kparams.KstackLimit) + if err != nil { + return nil, err + } + return v.String(), nil + case fields.ThreadUstackBase: + v, err := kevt.Kparams.GetHex(kparams.UstackBase) + if err != nil { + return nil, err + } + return v.String(), nil + case fields.ThreadUstackLimit: + v, err := kevt.Kparams.GetHex(kparams.UstackLimit) + if err != nil { + return nil, err + } + return v.String(), nil + case fields.ThreadEntrypoint: + v, err := kevt.Kparams.GetHex(kparams.ThreadEntrypoint) + if err != nil { + return nil, err + } + return v.String(), nil + } + return nil, nil +} + +// fileAccessor extracts file specific values. +type fileAccessor struct{} + +func newFileAccessor() accessor { + return &fileAccessor{} +} + +func (l *fileAccessor) get(f fields.Field, kevt *kevent.Kevent) (kparams.Value, error) { + switch f { + case fields.FileName: + return kevt.Kparams.GetString(kparams.FileName) + case fields.FileOffset: + return kevt.Kparams.GetUint64(kparams.FileOffset) + case fields.FileIOSize: + return kevt.Kparams.GetUint32(kparams.FileIoSize) + case fields.FileShareMask: + m, err := kevt.Kparams.Get(kparams.FileShareMask) + if err != nil { + return nil, err + } + mode, ok := m.(fs.FileShareMode) + if !ok { + return nil, errors.New("couldn't type assert to file share mode enum") + } + return mode.String(), nil + case fields.FileOperation: + op, err := kevt.Kparams.Get(kparams.FileOperation) + if err != nil { + return nil, err + } + fop, ok := op.(fs.FileDisposition) + if !ok { + return nil, errors.New("couldn't type assert to file operation enum") + } + return fop.String(), nil + case fields.FileObject: + return kevt.Kparams.GetUint64(kparams.FileObject) + case fields.FileType: + return kevt.Kparams.GetString(kparams.FileType) + } + return nil, nil +} + +// imageAccessor extracts image (DLL) kevent values. +type imageAccessor struct{} + +func newImageAccessor() accessor { + return &imageAccessor{} +} + +func (i *imageAccessor) get(f fields.Field, kevt *kevent.Kevent) (kparams.Value, error) { + switch f { + case fields.ImageName: + return kevt.Kparams.GetString(kparams.ImageFilename) + case fields.ImageDefaultAddress: + address, err := kevt.Kparams.GetHex(kparams.ImageDefaultBase) + if err != nil { + return nil, err + } + return address.String(), nil + case fields.ImageBase: + address, err := kevt.Kparams.GetHex(kparams.ImageBase) + if err != nil { + return nil, err + } + return address.String(), nil + case fields.ImageSize: + return kevt.Kparams.GetUint32(kparams.ImageSize) + case fields.ImageChecksum: + return kevt.Kparams.GetUint32(kparams.ImageCheckSum) + } + return nil, nil +} + +// registryAccessor extracts registry specific parameters. +type registryAccessor struct{} + +func newRegistryAccessor() accessor { + return ®istryAccessor{} +} + +func (r *registryAccessor) get(f fields.Field, kevt *kevent.Kevent) (kparams.Value, error) { + switch f { + case fields.RegistryKeyName: + return kevt.Kparams.GetString(kparams.RegKeyName) + case fields.RegistryKeyHandle: + keyHandle, err := kevt.Kparams.GetHex(kparams.RegKeyHandle) + if err != nil { + return nil, err + } + return keyHandle.String(), nil + case fields.RegistryValue: + return kevt.Kparams.Get(kparams.RegValue) + case fields.RegistryValueType: + return kevt.Kparams.GetString(kparams.RegValueType) + case fields.RegistryStatus: + return kevt.Kparams.GetString(kparams.NTStatus) + } + return nil, nil +} + +// netAccessor deals with extracting the network specific kernel event parameters. +type netAccessor struct{} + +func newNetAccessor() accessor { return &netAccessor{} } + +func (n *netAccessor) get(f fields.Field, kevt *kevent.Kevent) (kparams.Value, error) { + switch f { + case fields.NetDIP: + return kevt.Kparams.GetIP(kparams.NetDIP) + case fields.NetSIP: + return kevt.Kparams.GetIP(kparams.NetSIP) + case fields.NetDport: + return kevt.Kparams.GetUint16(kparams.NetDport) + case fields.NetSport: + return kevt.Kparams.GetUint16(kparams.NetSport) + case fields.NetDportName: + return kevt.Kparams.GetString(kparams.NetDportName) + case fields.NetSportName: + return kevt.Kparams.GetString(kparams.NetSportName) + case fields.NetL4Proto: + v, err := kevt.Kparams.Get(kparams.NetL4Proto) + if err != nil { + return nil, err + } + l4proto, ok := v.(net.L4Proto) + if !ok { + return nil, errors.New("couldn't type assert to L4 proto enum") + } + return l4proto.String(), nil + case fields.NetPacketSize: + return kevt.Kparams.GetUint32(kparams.NetSize) + } + return nil, nil +} + +// handleAccessor extracts handle event values. +type handleAccessor struct{} + +func newHandleAccessor() accessor { return &handleAccessor{} } + +func (h *handleAccessor) get(f fields.Field, kevt *kevent.Kevent) (kparams.Value, error) { + switch f { + case fields.HandleID: + return kevt.Kparams.GetHexAsUint32(kparams.HandleID) + case fields.HandleType: + return kevt.Kparams.GetString(kparams.HandleObjectTypeName) + case fields.HandleName: + return kevt.Kparams.GetString(kparams.HandleObjectName) + case fields.HandleObject: + handleObject, err := kevt.Kparams.GetHex(kparams.HandleObject) + if err != nil { + return nil, err + } + return handleObject.String(), nil + } + return nil, nil +} + +// peAccessor extracts PE specific values. +type peAccessor struct{} + +func newPEAccessor() accessor { + return &peAccessor{} +} + +func (p *peAccessor) get(f fields.Field, kevt *kevent.Kevent) (kparams.Value, error) { + var pex *pe.PE + if kevt.PS != nil && kevt.PS.PE != nil { + pex = kevt.PS.PE + } + if pex == nil { + return nil, nil + } + + switch f { + case fields.PeEntrypoint: + return pex.EntryPoint, nil + case fields.PeBaseAddress: + return pex.ImageBase, nil + case fields.PeNumSections: + return pex.NumberOfSections, nil + case fields.PeNumSymbols: + return pex.NumberOfSymbols, nil + case fields.PeSymbols: + return pex.Symbols, nil + case fields.PeImports: + return pex.Imports, nil + default: + field := f.String() + if strings.HasPrefix(field, fields.PeSectionsSubfield) { + // get the section name + sname, subfield := captureInBrackets(field) + sec := pex.Section(sname) + if sec == nil { + return nil, nil + } + switch subfield { + case fields.SectionEntropy: + return sec.Entropy, nil + case fields.SectionMD5Hash: + return sec.Md5, nil + case fields.SectionSize: + return sec.Size, nil + } + } + + if strings.HasPrefix(field, fields.PeResourcesSubfield) { + // consult the resource name + key, _ := captureInBrackets(field) + v, ok := pex.VersionResources[key] + if ok { + return v, nil + } + // match on prefix (e.g. pe.resources[Org] = Blackwater) + for k, v := range pex.VersionResources { + if strings.HasPrefix(k, key) { + return v, nil + } + } + } + } + + return nil, nil +} + +func captureInBrackets(s string) (string, fields.Subfield) { + lbracket := strings.Index(s, "[") + if lbracket == -1 { + return "", "" + } + rbracket := strings.Index(s, "]") + if rbracket == -1 { + return "", "" + } + if lbracket+1 > len(s) { + return "", "" + } + if rbracket+2 < len(s) { + return s[lbracket+1 : rbracket], fields.Subfield(s[rbracket+2:]) + } + return s[lbracket+1 : rbracket], "" +} diff --git a/pkg/filter/accessor_test.go b/pkg/filter/accessor_test.go new file mode 100644 index 000000000..e254c32c1 --- /dev/null +++ b/pkg/filter/accessor_test.go @@ -0,0 +1,98 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package filter + +import ( + "github.com/rabbitstack/fibratus/pkg/filter/fields" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/pe" + ptypes "github.com/rabbitstack/fibratus/pkg/ps/types" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "testing" + "time" +) + +func TestPSAccessor(t *testing.T) { + ps := newPSAccessor() + kevt := &kevent.Kevent{ + PS: &ptypes.PS{ + Envs: map[string]string{"ALLUSERSPROFILE": "C:\\ProgramData", "OS": "Windows_NT", "ProgramFiles(x86)": "C:\\Program Files (x86)"}, + }, + } + + env, err := ps.get(fields.Field("ps.envs[ALLUSERSPROFILE]"), kevt) + require.NoError(t, err) + assert.Equal(t, "C:\\ProgramData", env) + + env, err = ps.get(fields.Field("ps.envs[ALLUSER]"), kevt) + require.NoError(t, err) + assert.Equal(t, "C:\\ProgramData", env) + + env, err = ps.get(fields.Field("ps.envs[ProgramFiles]"), kevt) + require.NoError(t, err) + assert.Equal(t, "C:\\Program Files (x86)", env) +} + +func TestPEAccessor(t *testing.T) { + pea := newPEAccessor() + kevt := &kevent.Kevent{ + PS: &ptypes.PS{ + PE: &pe.PE{ + NumberOfSections: 2, + NumberOfSymbols: 10, + EntryPoint: "0x20110", + ImageBase: "0x140000000", + LinkTime: time.Now(), + Sections: []pe.Sec{ + {Name: ".text", Size: 132608, Entropy: 6.368381, Md5: "db23dce3911a42e987041d98abd4f7cd"}, + {Name: ".rdata", Size: 35840, Entropy: 5.996976, Md5: "ffa5c960b421ca9887e54966588e97e8"}, + }, + Symbols: []string{"SelectObject", "GetTextFaceW", "EnumFontsW", "TextOutW", "GetProcessHeap"}, + Imports: []string{"GDI32.dll", "USER32.dll", "msvcrt.dll", "api-ms-win-core-libraryloader-l1-2-0.dl"}, + VersionResources: map[string]string{"CompanyName": "Microsoft Corporation", "FileDescription": "Notepad", "FileVersion": "10.0.18362.693"}, + }, + }, + } + + entropy, err := pea.get(fields.Field("pe.sections[.text].entropy"), kevt) + require.NoError(t, err) + assert.Equal(t, 6.368381, entropy) + + v, err := pea.get(fields.Field("pe.sections[.text].md6"), kevt) + require.Nil(t, v) + + md5, err := pea.get(fields.Field("pe.sections[.rdata].md5"), kevt) + require.Nil(t, v) + assert.Equal(t, "ffa5c960b421ca9887e54966588e97e8", md5) + + company, err := pea.get(fields.Field("pe.resources[CompanyName]"), kevt) + require.NoError(t, err) + assert.Equal(t, "Microsoft Corporation", company) +} + +func TestCaptureInBrackets(t *testing.T) { + v, subfield := captureInBrackets("ps.envs[ALLUSERSPROFILE]") + assert.Equal(t, "ALLUSERSPROFILE", v) + assert.Empty(t, subfield) + + v, subfield = captureInBrackets("ps.pe.sections[.debug$S].entropy") + assert.Equal(t, ".debug$S", v) + assert.Equal(t, fields.SectionEntropy, subfield) +} diff --git a/pkg/filter/fields/fields.go b/pkg/filter/fields/fields.go new file mode 100644 index 000000000..769cb2988 --- /dev/null +++ b/pkg/filter/fields/fields.go @@ -0,0 +1,309 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package fields + +import ( + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "regexp" + "sort" +) + +var subfieldRegexp = regexp.MustCompile(`(pe.sections|pe.resources|ps.envs|ps.modules)\[.+\s*].?(.*)`) + +// Field represents the type alias for the field +type Field string + +const ( + PsPid Field = "ps.pid" + PsPpid Field = "ps.ppid" + PsName Field = "ps.name" + PsComm Field = "ps.comm" + PsExe Field = "ps.exe" + PsArgs Field = "ps.args" + PsCwd Field = "ps.cwd" + PsSID Field = "ps.sid" + PsSessionID Field = "ps.sessionid" + PsEnvs Field = "ps.envs" + PsHandles Field = "ps.handles" + PsHandleTypes Field = "ps.handle.types" + PsDTB Field = "ps.dtb" + PsModules Field = "ps.modules" + + ThreadBasePrio Field = "thread.prio" + ThreadIOPrio Field = "thread.io.prio" + ThreadPagePrio Field = "thread.page.prio" + ThreadKstackBase Field = "thread.kstack.base" + ThreadKstackLimit Field = "thread.kstack.limit" + ThreadUstackBase Field = "thread.ustack.base" + ThreadUstackLimit Field = "thread.ustack.limit" + ThreadEntrypoint Field = "thread.entrypoint" + + PeNumSections Field = "pe.nsections" + PeSections Field = "pe.sections" + PeNumSymbols Field = "pe.nsymbols" + PeSymbols Field = "pe.symbols" + PeImports Field = "pe.imports" + PeTimestamp Field = "pe.timestamp" + PeBaseAddress Field = "pe.address.base" + PeEntrypoint Field = "pe.address.entrypoint" + PeResources Field = "pe.resources" + + KevtSeq Field = "kevt.seq" + KevtPID Field = "kevt.pid" + KevtTID Field = "kevt.tid" + KevtCPU Field = "kevt.cpu" + KevtDesc Field = "kevt.desc" + KevtHost Field = "kevt.host" + KevtTime Field = "kevt.time" + KevtTimeHour Field = "kevt.time.h" + KevtTimeMin Field = "kevt.time.m" + KevtTimeSec Field = "kevt.time.s" + KevtTimeNs Field = "kevt.time.ns" + KevtDate Field = "kevt.date" + KevtDateDay Field = "kevt.date.d" + KevtDateMonth Field = "kevt.date.m" + KevtDateYear Field = "kevt.date.y" + KevtDateTz Field = "kevt.date.tz" + KevtDateWeek Field = "kevt.date.week" + KevtDateWeekday Field = "kevt.date.weekday" + KevtName Field = "kevt.name" + KevtCategory Field = "kevt.category" + KevtMeta Field = "kevt.meta" + KevtNparams Field = "kevt.nparams" + + HandleID Field = "handle.id" + HandleObject Field = "handle.object" + HandleName Field = "handle.name" + HandleType Field = "handle.type" + + NetDIP Field = "net.dip" + NetSIP Field = "net.sip" + NetDport Field = "net.dport" + NetSport Field = "net.sport" + NetDportName Field = "net.dport.name" + NetSportName Field = "net.sport.name" + NetL4Proto Field = "net.l4.proto" + NetPacketSize Field = "net.size" + + FileObject Field = "file.object" + FileName Field = "file.name" + FileOperation Field = "file.operation" + FileShareMask Field = "file.share.mask" + FileIOSize Field = "file.io.size" + FileOffset Field = "file.offset" + FileType Field = "file.type" + + RegistryKeyName Field = "registry.key.name" + RegistryKeyHandle Field = "registry.key.handle" + RegistryValue Field = "registry.value" + RegistryValueType Field = "registry.value.type" + RegistryStatus Field = "registry.status" + + ImageBase Field = "image.base.address" + ImageSize Field = "image.size" + ImageChecksum Field = "image.checksum" + ImageDefaultAddress Field = "image.default.address" + ImageName Field = "image.name" + ImagePID Field = "image.pid" + + None Field = "" +) + +// String casts the field type to string. +func (f Field) String() string { return string(f) } + +// Subfield represents the type alias for the subfield. +type Subfield string + +const ( + // SectionEntropy is the entropy value of the specific PE section + SectionEntropy Subfield = "entropy" + // SectionMD5Hash refers to the section md5 sum + SectionMD5Hash Subfield = "md5" + SectionSize Subfield = "size" + + ModuleSize Subfield = "size" + ModuleChecksum Subfield = "checksum" + ModuleLocation Subfield = "location" + ModuleBaseAddress Subfield = "address.base" + ModuleDefaultAddress Subfield = "address.default" +) + +const ( + PsEnvsSubfield = "ps.envs[" + PsModsSubfield = "ps.modules[" + PeSectionsSubfield = "pe.sections[" + PeResourcesSubfield = "pe.resources[" +) + +// FieldInfo is the field metadata descriptor. +type FieldInfo struct { + Field Field + Desc string + Type kparams.Type + Examples []string +} + +var fields = map[Field]FieldInfo{ + KevtSeq: {KevtSeq, "event sequence number", kparams.Uint64, []string{"kevt.seq > 666"}}, + KevtPID: {KevtPID, "process identifier generating the kernel event", kparams.Uint32, []string{"kevt.pid = 6"}}, + KevtTID: {KevtTID, "thread identifier generating the kernel event", kparams.Uint32, []string{"kevt.tid = 1024"}}, + KevtCPU: {KevtCPU, "logical processor core where the event was generated", kparams.Uint8, []string{"kevt.cpu = 2"}}, + KevtName: {KevtName, "symbolical kernel event name", kparams.AnsiString, []string{"kevt.name = 'CreateThread'"}}, + KevtCategory: {KevtCategory, "event category", kparams.AnsiString, []string{"kevt.category = 'registry'"}}, + KevtDesc: {KevtDesc, "event description", kparams.AnsiString, []string{"kevt.desc contains 'Creates a new process'"}}, + KevtHost: {KevtHost, "host name on which the event was produced", kparams.UnicodeString, []string{"kevt.host contains 'kitty'"}}, + KevtTime: {KevtTime, "event timestamp as a time string", kparams.Time, []string{"kevt.time = '17:05:32'"}}, + KevtTimeHour: {KevtTimeHour, "hour within the day on which the event occurred", kparams.Time, []string{"kevt.time.h = 23"}}, + KevtTimeMin: {KevtTimeMin, "minute offset within the hour on which the event occurred", kparams.Time, []string{"kevt.time.m = 54"}}, + KevtTimeSec: {KevtTimeSec, "second offset within the minute on which the event occurred", kparams.Time, []string{"kevt.time.s = 0"}}, + KevtTimeNs: {KevtTimeNs, "nanoseconds specified by event timestamp", kparams.Int64, []string{"kevt.time.ns > 1591191629102337000"}}, + KevtDate: {KevtDate, "event timestamp as a date string", kparams.Time, []string{"kevt.date = '2018-03-03'"}}, + KevtDateDay: {KevtDateDay, "day of the month on which the event occurred", kparams.Time, []string{"kevt.date.d = 12"}}, + KevtDateMonth: {KevtDateMonth, "month of the year on which the event occurred", kparams.Time, []string{"kevt.date.m = 11"}}, + KevtDateYear: {KevtDateYear, "year on which the event occurred", kparams.Uint32, []string{"kevt.date.y = 2020"}}, + KevtDateTz: {KevtDateTz, "time zone associated with the event timestamp", kparams.AnsiString, []string{"kevt.date.tz = 'UTC'"}}, + KevtDateWeek: {KevtDateWeek, "week number within the year on which the event occurred", kparams.Uint8, []string{"kevt.date.week = 2"}}, + KevtDateWeekday: {KevtDateWeekday, "week day on which the event occurred", kparams.AnsiString, []string{"kevt.date.weekday = 'Monday'"}}, + KevtNparams: {KevtNparams, "number of parameters", kparams.Int8, []string{"kevt.nparams > 2"}}, + + PsPid: {PsPid, "process identifier", kparams.PID, []string{"ps.pid = 1024"}}, + PsPpid: {PsPpid, "parent process identifier", kparams.PID, []string{"ps.ppid = 45"}}, + PsName: {PsName, "process image name including the file extension", kparams.UnicodeString, []string{"ps.name contains 'firefox'"}}, + PsComm: {PsComm, "process command line", kparams.UnicodeString, []string{"ps.comm contains 'java'"}}, + PsExe: {PsExe, "full name of the process' executable", kparams.UnicodeString, []string{"ps.exe = 'C:\\Windows\\system32\\cmd.exe'"}}, + PsArgs: {PsArgs, "process command line arguments", kparams.Slice, []string{"ps.args in ('/cdir', '/-C')"}}, + PsCwd: {PsCwd, "process current working directory", kparams.UnicodeString, []string{"ps.cwd = 'C:\\Users\\Default'"}}, + PsSID: {PsSID, "security identifier under which this process is run", kparams.UnicodeString, []string{"ps.sid contains 'SYSTEM'"}}, + PsSessionID: {PsSessionID, "unique identifier for the current session", kparams.Int16, []string{"ps.sessionid = 1"}}, + PsEnvs: {PsEnvs, "process environment variables", kparams.Slice, []string{"ps.envs in ('MOZ_CRASHREPORTER_DATA_DIRECTORY')"}}, + PsHandles: {PsHandles, "allocated process handle names", kparams.Slice, []string{"ps.handles in ('\\BaseNamedObjects\\__ComCatalogCache__')"}}, + PsHandleTypes: {PsHandleTypes, "allocated process handle types", kparams.Slice, []string{"ps.handle.types in ('Key', 'Mutant', 'Section')"}}, + PsDTB: {PsDTB, "process directory table base address", kparams.HexInt64, []string{"ps.dtb = '7ffe0000'"}}, + PsModules: {PsModules, "modules loaded by the process", kparams.Slice, []string{"ps.modules in ('crypt32.dll', 'xul.dll')"}}, + + ThreadBasePrio: {ThreadBasePrio, "scheduler priority of the thread", kparams.Int8, []string{"thread.prio = 5"}}, + ThreadIOPrio: {ThreadIOPrio, "I/O priority hint for scheduling I/O operations", kparams.Int8, []string{"thread.io.prio = 4"}}, + ThreadPagePrio: {ThreadPagePrio, "memory page priority hint for memory pages accessed by the thread", kparams.Int8, []string{"thread.page.prio = 12"}}, + ThreadKstackBase: {ThreadKstackBase, "base address of the thread's kernel space stack", kparams.HexInt64, []string{"thread.kstack.base = 'a65d800000'"}}, + ThreadKstackLimit: {ThreadKstackLimit, "limit of the thread's kernel space stack", kparams.HexInt64, []string{"thread.kstack.limit = 'a85d800000'"}}, + ThreadUstackBase: {ThreadUstackBase, "base address of the thread's user space stack", kparams.HexInt64, []string{"thread.ustack.base = '7ffe0000'"}}, + ThreadUstackLimit: {ThreadUstackLimit, "limit of the thread's user space stack", kparams.HexInt64, []string{"thread.ustack.limit = '8ffe0000'"}}, + ThreadEntrypoint: {ThreadEntrypoint, "starting address of the function to be executed by the thread", kparams.HexInt64, []string{"thread.entrypoint = '7efe0000'"}}, + + ImageName: {ImageName, "full image name", kparams.UnicodeString, []string{"image.name contains 'advapi32.dll'"}}, + ImageBase: {ImageBase, "the base address of process in which the image is loaded", kparams.HexInt64, []string{"image.base.address = 'a65d800000'"}}, + ImageChecksum: {ImageChecksum, "image checksum", kparams.Uint32, []string{"image.checksum = 746424"}}, + ImageSize: {ImageSize, "image size", kparams.Uint32, []string{"image.size > 1024"}}, + ImageDefaultAddress: {ImageDefaultAddress, "default image address", kparams.HexInt64, []string{"image.default.address = '7efe0000'"}}, + + FileObject: {FileObject, "file object address", kparams.Uint64, []string{"file.object = 18446738026482168384"}}, + FileName: {FileName, "full file name", kparams.UnicodeString, []string{"file.name contains 'mimikatz'"}}, + FileOperation: {FileOperation, "file operation", kparams.AnsiString, []string{"file.operation = 'open'"}}, + FileShareMask: {FileShareMask, "file share mask", kparams.AnsiString, []string{"file.share.mask = 'rw-'"}}, + FileIOSize: {FileIOSize, "file I/O size", kparams.Uint32, []string{"file.io.size > 512"}}, + FileOffset: {FileOffset, "file offset", kparams.Uint64, []string{"file.offset = 1024"}}, + FileType: {FileType, "file type", kparams.AnsiString, []string{"file.type = 'directory'"}}, + + RegistryKeyName: {RegistryKeyName, "fully qualified key name", kparams.UnicodeString, []string{"registry.key.name contains 'HKEY_LOCAL_MACHINE'"}}, + RegistryKeyHandle: {RegistryKeyHandle, "registry key object address", kparams.HexInt64, []string{"registry.key.handle = 'FFFFB905D60C2268'"}}, + RegistryValue: {RegistryValue, "registry value content", kparams.UnicodeString, []string{"registry.value = '%SystemRoot%\\system32'"}}, + RegistryValueType: {RegistryValueType, "type of registry value", kparams.UnicodeString, []string{"registry.value.type = 'REG_SZ'"}}, + RegistryStatus: {RegistryStatus, "status of registry operation", kparams.UnicodeString, []string{"registry.status != 'success'"}}, + + NetDIP: {NetDIP, "destination IP address", kparams.IP, []string{"net.dip = 172.17.0.3"}}, + NetSIP: {NetSIP, "source IP address", kparams.IP, []string{"net.sip = 127.0.0.1"}}, + NetDport: {NetDport, "destination port", kparams.Uint16, []string{"net.dport in (80, 443, 8080)"}}, + NetSport: {NetSport, "source port", kparams.Uint16, []string{"net.sport != 3306"}}, + NetDportName: {NetDportName, "destination port name", kparams.AnsiString, []string{"net.dport.name = 'dns'"}}, + NetSportName: {NetSportName, "source port name", kparams.AnsiString, []string{"net.sport.name = 'http'"}}, + NetL4Proto: {NetL4Proto, "layer 4 protocol name", kparams.AnsiString, []string{"net.l4.proto = 'TCP"}}, + NetPacketSize: {NetPacketSize, "packet size", kparams.Uint32, []string{"net.size > 512"}}, + + HandleID: {HandleID, "handle identifier", kparams.Uint16, []string{"handle.id = 24"}}, + HandleObject: {HandleObject, "handle object address", kparams.HexInt64, []string{"handle.object = 'FFFFB905DBF61988'"}}, + HandleName: {HandleName, "handle name", kparams.UnicodeString, []string{"handle.name = '\\Device\\NamedPipe\\chrome.12644.28.105826381'"}}, + HandleType: {HandleType, "handle type", kparams.AnsiString, []string{"handle.type = 'Mutant'"}}, + + PeNumSections: {PeNumSections, "number of sections", kparams.Uint16, []string{"pe.nsections < 5"}}, + PeNumSymbols: {PeNumSymbols, "number of entries in the symbol table", kparams.Uint32, []string{"pe.nsymbols > 230"}}, + PeBaseAddress: {PeBaseAddress, "image base address", kparams.HexInt64, []string{"pe.address.base = '140000000'"}}, + PeEntrypoint: {PeEntrypoint, "address of the entrypoint function", kparams.HexInt64, []string{"pe.address.entrypoint = '20110'"}}, + PeSections: {PeSections, "PE sections", kparams.Object, []string{"pe.sections[.text].entropy > 6.2"}}, + PeSymbols: {PeSymbols, "imported symbols", kparams.Slice, []string{"pe.symbols in ('GetTextFaceW', 'GetProcessHeap')"}}, + PeImports: {PeImports, "imported dynamic linked libraries", kparams.Slice, []string{"pe.imports in ('msvcrt.dll', 'GDI32.dll'"}}, + PeResources: {PeResources, "version and other resources", kparams.Map, []string{"pe.resources[FileDescription] = 'Notepad'"}}, +} + +// Get returns a slice of field information. +func Get() []FieldInfo { + fi := make([]FieldInfo, 0, len(fields)) + for _, field := range fields { + fi = append(fi, field) + } + sort.Slice(fi, func(i, j int) bool { return fi[i].Field < fi[j].Field }) + return fi +} + +// Lookup finds the field literal in the map. For the nested fields, it checks the pattern matches +// the expected one and compares the subfields. If all checks pass, the full nested field literal +// is returned. +func Lookup(name string) Field { + if _, ok := fields[Field(name)]; ok { + return Field(name) + } + groups := subfieldRegexp.FindStringSubmatch(name) + if len(groups) != 3 { + return None + } + + field := groups[1] + subfield := groups[2] + + switch Field(field) { + case PeSections: + switch Subfield(subfield) { + case SectionEntropy: + return Field(name) + case SectionMD5Hash: + return Field(name) + case SectionSize: + return Field(name) + } + case PeResources: + return Field(name) + case PsEnvs: + return Field(name) + case PsModules: + switch Subfield(subfield) { + case ModuleSize: + return Field(ModuleSize) + case ModuleChecksum: + return Field(ModuleChecksum) + case ModuleDefaultAddress: + return Field(ModuleDefaultAddress) + case ModuleBaseAddress: + return Field(ModuleBaseAddress) + case ModuleLocation: + return Field(ModuleLocation) + } + } + + return None +} diff --git a/pkg/filter/fields/fields_test.go b/pkg/filter/fields/fields_test.go new file mode 100644 index 000000000..edabef219 --- /dev/null +++ b/pkg/filter/fields/fields_test.go @@ -0,0 +1,38 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package fields + +import ( + "github.com/stretchr/testify/assert" + "testing" +) + +func TestLookup(t *testing.T) { + assert.Equal(t, PsPid, Lookup("ps.pid")) + assert.Equal(t, Field("ps.envs[ALLUSERSPROFILE]"), Lookup("ps.envs[ALLUSERSPROFILE]")) + assert.Empty(t, Lookup("ps.envs[ALLUSERSPROFILE")) + assert.Empty(t, Lookup("ps.envs[")) + assert.Empty(t, Lookup("ps.envs[]")) + assert.Equal(t, PsEnvs, Lookup("ps.envs")) + assert.Equal(t, Field("ps.pe.sections[.debug$S].entropy"), Lookup("ps.pe.sections[.debug$S].entropy")) + assert.Empty(t, Lookup("ps.pe.sections[.debug$S")) + assert.Empty(t, Lookup("ps.pe.sections[.debug$S]")) + assert.Empty(t, Lookup("ps.pe.sections[.debug$S].")) + assert.Empty(t, Lookup("ps.pe.sections[.debug$S].e")) +} diff --git a/pkg/filter/filter.go b/pkg/filter/filter.go new file mode 100644 index 000000000..64e4156b3 --- /dev/null +++ b/pkg/filter/filter.go @@ -0,0 +1,133 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package filter + +import ( + "errors" + "expvar" + "fmt" + kerrors "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/filter/fields" + "github.com/rabbitstack/fibratus/pkg/filter/ql" + "github.com/rabbitstack/fibratus/pkg/kevent" + "strings" +) + +var ( + accessorErrors = expvar.NewMap("filter.accessor.errors") + errNoFields = errors.New("expected at least one field or operator but zero found") +) + +// Filter is the main interface for the filter engine implementors. +type Filter interface { + // Compile compiles the filter by parsing the filtering expression. + Compile() error + // Run runs a filter on the inbound kernel event and decides whether the event should be dropped or propagated to the downstream channel. + Run(kevt *kevent.Kevent) bool +} + +type filter struct { + expr ql.Expr + parser *ql.Parser + accessors []accessor + fields []fields.Field +} + +// New creates a new filter with the specified filter expression. The consumers must ensure the expression is lexically +// well-parsed before executing the filter. This is achieved by calling the`Compile` method after constructing the filter. +func New(expr string) Filter { + return &filter{ + parser: ql.NewParser(expr), + accessors: []accessor{ + // general event parameters + newKevtAccessor(), + // process state and parameters + newPSAccessor(), + // thread parameters + newThreadAccessor(), + // image parameters + newImageAccessor(), + // file parameters + newFileAccessor(), + // registry parameters + newRegistryAccessor(), + // network parameters + newNetAccessor(), + // handle parameters + newHandleAccessor(), + // PE attributes + newPEAccessor(), + }, + fields: make([]fields.Field, 0), + } +} + +// NewFromCLI builds and compiles a filter by joining all the command line arguments into the filter expression. +func NewFromCLI(args []string) (Filter, error) { + expr := strings.Join(args, " ") + if expr == "" { + return nil, nil + } + filter := New(expr) + if err := filter.Compile(); err != nil { + return nil, fmt.Errorf("bad filter: \n %v", err) + } + return filter, nil +} + +func (f *filter) Compile() error { + expr, err := f.parser.ParseExpr() + if err != nil { + return err + } + f.expr = expr + ql.WalkFunc(expr, func(n ql.Node) { + if ex, ok := n.(*ql.BinaryExpr); ok { + if lhs, ok := ex.LHS.(*ql.FieldLiteral); ok { + f.fields = append(f.fields, fields.Field(lhs.Value)) + } + } + }) + if len(f.fields) == 0 { + return errNoFields + } + return nil +} + +func (f *filter) Run(kevt *kevent.Kevent) bool { + valuer := make(map[string]interface{}) + // for each field present in the AST, we run the + // accessors and extract the field vales that are + // supplied to the valuer. The valuer feeds the + // expression with correct values. + for _, field := range f.fields { + for _, accessor := range f.accessors { + v, err := accessor.get(field, kevt) + if err != nil && !kerrors.IsKparamNotFound(err) { + accessorErrors.Add(err.Error(), 1) + continue + } + if v == nil { + continue + } + valuer[field.String()] = v + } + } + return ql.Eval(f.expr, valuer) +} diff --git a/pkg/filter/filter_test.go b/pkg/filter/filter_test.go new file mode 100644 index 000000000..bb1f03157 --- /dev/null +++ b/pkg/filter/filter_test.go @@ -0,0 +1,297 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package filter + +import ( + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/rabbitstack/fibratus/pkg/pe" + pstypes "github.com/rabbitstack/fibratus/pkg/ps/types" + "github.com/stretchr/testify/require" + "net" + "testing" + "time" +) + +func TestFilterCompile(t *testing.T) { + f := New(`ps.name = 'cmd.exe'`) + require.NoError(t, f.Compile()) + f = New(`'cmd.exe'`) + require.EqualError(t, f.Compile(), "expected at least one field or operator but zero found") + f = New(`ps.name`) + require.EqualError(t, f.Compile(), "expected at least one field or operator but zero found") + f = New(`ps.name =`) + require.EqualError(t, f.Compile(), "ps.name =\n ^ expected field, string, number, bool, ip") +} + +func TestFilterRunProcessKevent(t *testing.T) { + kpars := kevent.Kparams{ + kparams.Comm: {Name: kparams.Comm, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\svchost.exe -k RPCSS"}, + kparams.ProcessName: {Name: kparams.ProcessName, Type: kparams.AnsiString, Value: "svchost.exe"}, + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.Uint32, Value: uint32(1234)}, + kparams.ProcessParentID: {Name: kparams.ProcessParentID, Type: kparams.Uint32, Value: uint32(345)}, + } + kevt := &kevent.Kevent{ + Type: ktypes.CreateProcess, + Kparams: kpars, + Name: "CreateProcess", + PS: &pstypes.PS{ + Envs: map[string]string{"ALLUSERSPROFILE": "C:\\ProgramData", "OS": "Windows_NT", "ProgramFiles(x86)": "C:\\Program Files (x86)"}, + Modules: []pstypes.Module{ + {Name: "C:\\Windows\\System32\\kernel32.dll", Size: 12354, Checksum: 23123343, BaseAddress: kparams.Hex("fff23fff"), DefaultBaseAddress: kparams.Hex("fff124fd")}, + {Name: "C:\\Windows\\System32\\user32.dll", Size: 212354, Checksum: 33123343, BaseAddress: kparams.Hex("fef23fff"), DefaultBaseAddress: kparams.Hex("fff124fd")}, + }, + }, + } + kevt.Timestamp, _ = time.Parse(time.RFC3339, "2011-05-03T15:04:05.323Z") + + var tests = []struct { + filter string + matches bool + }{ + + {`ps.name = 'svchost.exe'`, true}, + {`ps.name = 'svchot.exe'`, false}, + {`ps.name = 'mimikatz.exe' or ps.name contains 'svc'`, true}, + {`ps.envs in ('ALLUSERSPROFILE')`, true}, + {`kevt.name='CreateProcess' and ps.name contains 'svchost'`, true}, + + {`ps.modules IN ('kernel32.dll')`, true}, + {`ps.modules[kernel32.dll].size = 12354`, true}, + {`ps.modules[kernel32.dll].checksum = 23123343`, true}, + {`ps.modules[kernel32.dll].address.default = 'fff124fd'`, true}, + {`ps.modules[kernel32.dll].address.base = 'fff23fff'`, true}, + {`ps.modules[kernel32.dll].location = 'C:\\Windows\\System32'`, true}, + {`ps.modules[xul.dll].size = 12354`, false}, + } + + for i, tt := range tests { + f := New(tt.filter) + err := f.Compile() + if err != nil { + t.Fatal(err) + } + matches := f.Run(kevt) + if matches != tt.matches { + t.Errorf("%d. %q ps filter mismatch: exp=%t got=%t", i, tt.filter, tt.matches, matches) + } + } +} + +func TestFilterRunThreadKevent(t *testing.T) { + kpars := kevent.Kparams{ + kparams.Comm: {Name: kparams.Comm, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\svchost.exe -k RPCSS"}, + kparams.ProcessName: {Name: kparams.ProcessName, Type: kparams.AnsiString, Value: "svchost.exe"}, + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.Uint32, Value: uint32(1234)}, + kparams.ProcessParentID: {Name: kparams.ProcessParentID, Type: kparams.Uint32, Value: uint32(345)}, + } + + kevt := &kevent.Kevent{ + Type: ktypes.CreateThread, + Kparams: kpars, + Name: "CreateThread", + PS: &pstypes.PS{ + Envs: map[string]string{"ALLUSERSPROFILE": "C:\\ProgramData", "OS": "Windows_NT", "ProgramFiles(x86)": "C:\\Program Files (x86)"}, + }, + } + + var tests = []struct { + filter string + matches bool + }{ + + {`ps.name = 'svchost.exe'`, true}, + } + + for i, tt := range tests { + f := New(tt.filter) + err := f.Compile() + if err != nil { + t.Fatal(err) + } + matches := f.Run(kevt) + if matches != tt.matches { + t.Errorf("%d. %q thread filter mismatch: exp=%t got=%t", i, tt.filter, tt.matches, matches) + } + } +} + +func TestFilterRunKevent(t *testing.T) { + kevt := &kevent.Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 859, + CPU: 1, + Seq: 2, + Name: "CreateFile", + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: kevent.Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "barz"}, + } + + kevt.Timestamp, _ = time.Parse(time.RFC3339, "2011-05-03T15:04:05.323Z") + + var tests = []struct { + filter string + matches bool + }{ + + {`kevt.seq = 2`, true}, + {`kevt.pid = 859`, true}, + {`kevt.tid = 2484`, true}, + {`kevt.cpu = 1`, true}, + {`kevt.name = 'CreateFile'`, true}, + {`kevt.category = 'file'`, true}, + {`kevt.host = 'archrabbit'`, true}, + {`kevt.nparams = 4`, true}, + + {`kevt.desc contains 'Creates or opens a new file'`, true}, + + {`kevt.date.d = 3 AND kevt.date.m = 5 AND kevt.time.s = 5 AND kevt.time.m = 4 and kevt.time.h = 15`, true}, + {`kevt.time = '15:04:05'`, true}, + } + + for i, tt := range tests { + f := New(tt.filter) + err := f.Compile() + if err != nil { + t.Fatal(err) + } + matches := f.Run(kevt) + if matches != tt.matches { + t.Errorf("%d. %q kevt filter mismatch: exp=%t got=%t", i, tt.filter, tt.matches, matches) + } + } +} + +func TestFilterRunNetKevent(t *testing.T) { + kevt := &kevent.Kevent{ + Type: ktypes.SendTCPv4, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.NetDport: {Name: kparams.NetDport, Type: kparams.Uint16, Value: uint16(443)}, + kparams.NetSport: {Name: kparams.NetSport, Type: kparams.Uint16, Value: uint16(43123)}, + kparams.NetSIP: {Name: kparams.NetSIP, Type: kparams.IPv4, Value: net.ParseIP("127.0.0.1")}, + kparams.NetDIP: {Name: kparams.NetDIP, Type: kparams.IPv4, Value: net.ParseIP("216.58.201.174")}, + }, + } + + var tests = []struct { + filter string + matches bool + }{ + + {`net.dip = 216.58.201.174`, true}, + {`net.dip != 216.58.201.174`, false}, + {`net.dip != 116.58.201.174`, true}, + } + + for i, tt := range tests { + f := New(tt.filter) + err := f.Compile() + if err != nil { + t.Fatal(err) + } + matches := f.Run(kevt) + if matches != tt.matches { + t.Errorf("%d. %q net filter mismatch: exp=%t got=%t", i, tt.filter, tt.matches, matches) + } + } +} + +func TestFilterRunPE(t *testing.T) { + kevt := &kevent.Kevent{ + PS: &pstypes.PS{ + PE: &pe.PE{ + NumberOfSections: 2, + NumberOfSymbols: 10, + EntryPoint: "20110", + ImageBase: "140000000", + LinkTime: time.Now(), + Sections: []pe.Sec{ + {Name: ".text", Size: 132608, Entropy: 6.368381, Md5: "db23dce3911a42e987041d98abd4f7cd"}, + {Name: ".rdata", Size: 35840, Entropy: 5.996976, Md5: "ffa5c960b421ca9887e54966588e97e8"}, + }, + Symbols: []string{"SelectObject", "GetTextFaceW", "EnumFontsW", "TextOutW", "GetProcessHeap"}, + Imports: []string{"GDI32.dll", "USER32.dll", "msvcrt.dll", "api-ms-win-core-libraryloader-l1-2-0.dl"}, + VersionResources: map[string]string{"CompanyName": "Microsoft Corporation", "FileDescription": "Notepad", "FileVersion": "10.0.18362.693"}, + }, + }, + } + + var tests = []struct { + filter string + matches bool + }{ + + {`pe.sections[.text].entropy = 6.368381`, true}, + {`pe.sections[.text].entropy > 4.45`, true}, + {`pe.sections[.text].size = 132608`, true}, + {`pe.symbols IN ('GetTextFaceW', 'GetProcessHeap')`, true}, + {`pe.resources[FileDesc] = 'Notepad'`, true}, + {`pe.nsymbols = 10 AND pe.nsections = 2`, true}, + {`pe.nsections > 1`, true}, + {`pe.address.base = '140000000' AND pe.address.entrypoint = '20110'`, true}, + } + + for i, tt := range tests { + f := New(tt.filter) + err := f.Compile() + if err != nil { + t.Fatal(err) + } + matches := f.Run(kevt) + if matches != tt.matches { + t.Errorf("%d. %q ps filter mismatch: exp=%t got=%t", i, tt.filter, tt.matches, matches) + } + } + +} + +func BenchmarkFilterRun(b *testing.B) { + b.ReportAllocs() + f := New(`ps.name = 'mimikatz.exe' or ps.name contains 'svc'`) + require.NoError(b, f.Compile()) + + kpars := kevent.Kparams{ + kparams.Comm: {Name: kparams.Comm, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\svchost.exe -k RPCSS"}, + kparams.ProcessName: {Name: kparams.ProcessName, Type: kparams.AnsiString, Value: "svchost.exe"}, + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.Uint32, Value: uint32(1234)}, + kparams.ProcessParentID: {Name: kparams.ProcessParentID, Type: kparams.Uint32, Value: uint32(345)}, + } + + kevt := &kevent.Kevent{ + Type: ktypes.CreateProcess, + Kparams: kpars, + Name: "CreateProcess", + } + + for i := 0; i < b.N; i++ { + f.Run(kevt) + } +} diff --git a/pkg/filter/ql/ast.go b/pkg/filter/ql/ast.go new file mode 100644 index 000000000..b28a1196e --- /dev/null +++ b/pkg/filter/ql/ast.go @@ -0,0 +1,611 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2013-2016 Errplane Inc. + */ + +package ql + +import ( + "net" + "strings" +) + +// Eval evaluates expr against a map. +func Eval(expr Expr, m map[string]interface{}) bool { + eval := ValuerEval{Valuer: MapValuer(m)} + v, ok := eval.Eval(expr).(bool) + if !ok { + return false + } + return v +} + +// MapValuer is a valuer that substitutes values for the mapped interface. +type MapValuer map[string]interface{} + +// Value returns the value for a key in the MapValuer. +func (m MapValuer) Value(key string) (interface{}, bool) { + v, ok := m[key] + return v, ok +} + +// Valuer is the interface that wraps the Value() method. +type Valuer interface { + // Value returns the value and existence flag for a given key. + Value(key string) (interface{}, bool) +} + +// ValuerEval will evaluate an expression using the Valuer. +type ValuerEval struct { + Valuer Valuer + + // IntegerFloatDivision will set the eval system to treat + // a division between two integers as a floating point division. + IntegerFloatDivision bool +} + +// Eval evaluates an expression and returns a value. +func (v *ValuerEval) Eval(expr Expr) interface{} { + if expr == nil { + return nil + } + + switch expr := expr.(type) { + case *BinaryExpr: + return v.evalBinaryExpr(expr) + case *IntegerLiteral: + return expr.Value + case *UnsignedLiteral: + return expr.Value + case *DecimalLiteral: + return expr.Value + case *ParenExpr: + return v.Eval(expr.Expr) + case *StringLiteral: + return expr.Value + case *ListLiteral: + return expr.Values + case *FieldLiteral: + val, ok := v.Valuer.Value(expr.Value) + if !ok { + return nil + } + return val + case *IPLiteral: + return expr.Value + default: + return nil + } +} + +func (v *ValuerEval) evalBinaryExpr(expr *BinaryExpr) interface{} { + lhs := v.Eval(expr.LHS) + rhs := v.Eval(expr.RHS) + if lhs == nil && rhs != nil { + // when the LHS is nil and the RHS is a boolean, implicitly cast the + // nil to false. + if _, ok := rhs.(bool); ok { + lhs = false + } + } else if lhs != nil && rhs == nil { + // implicit cast of the RHS nil to false when the LHS is a boolean. + if _, ok := lhs.(bool); ok { + rhs = false + } + } + // evaluate if both sides are simple types. + switch lhs := lhs.(type) { + case bool: + rhs, ok := rhs.(bool) + switch expr.Op { + case and: + return ok && (lhs && rhs) + case or: + return ok && (lhs || rhs) + case eq: + return ok && (lhs == rhs) + case neq: + return ok && (lhs != rhs) + } + case uint8: + switch rhs := rhs.(type) { + case float64: + lhs := float64(lhs) + switch expr.Op { + case eq: + return lhs == rhs + case neq: + return lhs != rhs + case lt: + return lhs < rhs + case lte: + return lhs <= rhs + case gt: + return lhs > rhs + case gte: + return lhs >= rhs + } + case int64: + switch expr.Op { + case eq: + return int64(lhs) == rhs + case neq: + return int64(lhs) != rhs + case lt: + return int64(lhs) < rhs + case lte: + return int64(lhs) <= rhs + case gt: + return int64(lhs) > rhs + case gte: + return int64(lhs) >= rhs + } + case uint64: + switch expr.Op { + case eq: + return uint64(lhs) == rhs + case neq: + return uint64(lhs) != rhs + case lt: + if lhs < 0 { + return true + } + return uint64(lhs) < rhs + case lte: + if lhs < 0 { + return true + } + return uint64(lhs) <= rhs + case gt: + if lhs < 0 { + return false + } + return uint64(lhs) > rhs + case gte: + if lhs < 0 { + return false + } + return uint64(lhs) >= rhs + } + } + case float64: + // try the rhs as a float64, int64, or uint64 + rhsf, ok := rhs.(float64) + if !ok { + switch val := rhs.(type) { + case int64: + rhsf, ok = float64(val), true + case uint64: + rhsf, ok = float64(val), true + } + } + + rhs := rhsf + switch expr.Op { + case eq: + return ok && (lhs == rhs) + case neq: + return ok && (lhs != rhs) + case lt: + return ok && (lhs < rhs) + case lte: + return ok && (lhs <= rhs) + case gt: + return ok && (lhs > rhs) + case gte: + return ok && (lhs >= rhs) + } + case int64: + // try as a float64 to see if a float cast is required. + switch rhs := rhs.(type) { + case float64: + lhs := float64(lhs) + switch expr.Op { + case eq: + return lhs == rhs + case neq: + return lhs != rhs + case lt: + return lhs < rhs + case lte: + return lhs <= rhs + case gt: + return lhs > rhs + case gte: + return lhs >= rhs + } + case int64: + switch expr.Op { + case eq: + return lhs == rhs + case neq: + return lhs != rhs + case lt: + return lhs < rhs + case lte: + return lhs <= rhs + case gt: + return lhs > rhs + case gte: + return lhs >= rhs + } + case uint64: + switch expr.Op { + case eq: + return uint64(lhs) == rhs + case neq: + return uint64(lhs) != rhs + case lt: + if lhs < 0 { + return true + } + return uint64(lhs) < rhs + case lte: + if lhs < 0 { + return true + } + return uint64(lhs) <= rhs + case gt: + if lhs < 0 { + return false + } + return uint64(lhs) > rhs + case gte: + if lhs < 0 { + return false + } + return uint64(lhs) >= rhs + } + } + case uint64: + // try as a float64 to see if a float cast is required. + switch rhs := rhs.(type) { + case float64: + lhs := float64(lhs) + switch expr.Op { + case eq: + return lhs == rhs + case neq: + return lhs != rhs + case lt: + return lhs < rhs + case lte: + return lhs <= rhs + case gt: + return lhs > rhs + case gte: + return lhs >= rhs + } + case int64: + switch expr.Op { + case eq: + return lhs == uint64(rhs) + case neq: + return lhs != uint64(rhs) + case lt: + if rhs < 0 { + return false + } + return lhs < uint64(rhs) + case lte: + if rhs < 0 { + return false + } + return lhs <= uint64(rhs) + case gt: + if rhs < 0 { + return true + } + return lhs > uint64(rhs) + case gte: + if rhs < 0 { + return true + } + return lhs >= uint64(rhs) + } + case uint64: + switch expr.Op { + case eq: + return lhs == rhs + case neq: + return lhs != rhs + case lt: + return lhs < rhs + case lte: + return lhs <= rhs + case gt: + return lhs > rhs + case gte: + return lhs >= rhs + } + } + case uint32: + switch rhs := rhs.(type) { + case float64: + lhs := float64(lhs) + switch expr.Op { + case eq: + return lhs == rhs + case neq: + return lhs != rhs + case lt: + return lhs < rhs + case lte: + return lhs <= rhs + case gt: + return lhs > rhs + case gte: + return lhs >= rhs + } + case int32: + switch expr.Op { + case eq: + return lhs == uint32(rhs) + case neq: + return lhs != uint32(rhs) + case lt: + if rhs < 0 { + return false + } + return lhs < uint32(rhs) + case lte: + if rhs < 0 { + return false + } + return lhs <= uint32(rhs) + case gt: + if rhs < 0 { + return true + } + return lhs > uint32(rhs) + case gte: + if rhs < 0 { + return true + } + return lhs >= uint32(rhs) + } + case int64: + switch expr.Op { + case eq: + return lhs == uint32(rhs) + case neq: + return lhs != uint32(rhs) + case lt: + if rhs < 0 { + return false + } + return lhs < uint32(rhs) + case lte: + if rhs < 0 { + return false + } + return lhs <= uint32(rhs) + case gt: + if rhs < 0 { + return true + } + return lhs > uint32(rhs) + case gte: + if rhs < 0 { + return true + } + return lhs >= uint32(rhs) + } + case uint32: + switch expr.Op { + case eq: + return lhs == rhs + case neq: + return lhs != rhs + case lt: + return lhs < rhs + case lte: + return lhs <= rhs + case gt: + return lhs > rhs + case gte: + return lhs >= rhs + } + } + case uint16: + switch rhs := rhs.(type) { + case float64: + lhs := float64(lhs) + switch expr.Op { + case eq: + return lhs == rhs + case neq: + return lhs != rhs + case lt: + return lhs < rhs + case lte: + return lhs <= rhs + case gt: + return lhs > rhs + case gte: + return lhs >= rhs + } + case int32: + switch expr.Op { + case eq: + return lhs == uint16(rhs) + case neq: + return lhs != uint16(rhs) + case lt: + if rhs < 0 { + return false + } + return lhs < uint16(rhs) + case lte: + if rhs < 0 { + return false + } + return lhs <= uint16(rhs) + case gt: + if rhs < 0 { + return true + } + return lhs > uint16(rhs) + case gte: + if rhs < 0 { + return true + } + return lhs >= uint16(rhs) + } + case int64: + switch expr.Op { + case eq: + return lhs == uint16(rhs) + case neq: + return lhs != uint16(rhs) + case lt: + if rhs < 0 { + return false + } + return lhs < uint16(rhs) + case lte: + if rhs < 0 { + return false + } + return lhs <= uint16(rhs) + case gt: + if rhs < 0 { + return true + } + return lhs > uint16(rhs) + case gte: + if rhs < 0 { + return true + } + return lhs >= uint16(rhs) + } + case uint16: + switch expr.Op { + case eq: + return lhs == rhs + case neq: + return lhs != rhs + case lt: + return lhs < rhs + case lte: + return lhs <= rhs + case gt: + return lhs > rhs + case gte: + return lhs >= rhs + } + } + case string: + switch expr.Op { + case eq: + rhs, ok := rhs.(string) + if !ok { + return false + } + return lhs == rhs + case neq: + rhs, ok := rhs.(string) + if !ok { + return false + } + return lhs != rhs + case contains: + rhs, ok := rhs.(string) + if !ok { + return false + } + return strings.Contains(lhs, rhs) + case icontains: + rhs, ok := rhs.(string) + if !ok { + return false + } + return strings.Contains(strings.ToLower(lhs), strings.ToLower(rhs)) + case in: + rhs, ok := rhs.([]string) + if !ok { + return false + } + for _, i := range rhs { + if i == lhs { + return true + } + } + case startswith: + rhs, ok := rhs.(string) + if !ok { + return false + } + return strings.HasPrefix(lhs, rhs) + case endswith: + rhs, ok := rhs.(string) + if !ok { + return false + } + return strings.HasSuffix(lhs, rhs) + } + case net.IP: + switch expr.Op { + case eq: + rhs, ok := rhs.(net.IP) + if !ok { + return false + } + return lhs.Equal(rhs) + case neq: + rhs, ok := rhs.(net.IP) + if !ok { + return false + } + return !lhs.Equal(rhs) + } + case []string: + switch expr.Op { + case contains: + rhs, ok := rhs.(string) + if !ok { + return false + } + for _, s := range lhs { + if s == rhs { + return true + } + } + case in: + rhs, ok := rhs.([]string) + if !ok { + return false + } + for _, i := range lhs { + for _, j := range rhs { + if i == j { + return true + } + } + } + } + } + + // the types were not comparable. If our operation was an equality operation, + // return false instead of true. + switch expr.Op { + case eq, neq, lt, lte, gt, gte: + return false + } + return nil +} diff --git a/pkg/filter/ql/error.go b/pkg/filter/ql/error.go new file mode 100644 index 000000000..376624e24 --- /dev/null +++ b/pkg/filter/ql/error.go @@ -0,0 +1,57 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ql + +import ( + "fmt" + "strings" +) + +// ParseError represents an error that occurred during parsing. +type ParseError struct { + Expr string + Message string + Found string + Expected []string + Pos int +} + +// newParseError returns a new instance of ParseError. +func newParseError(found string, expected []string, pos int, expr string) *ParseError { + return &ParseError{Found: found, Expected: expected, Pos: pos, Expr: expr} +} + +// Error returns the string representation of the error. +func (e *ParseError) Error() string { + if e.Message != "" { + return fmt.Sprintf("%s at line %d, char %d", e.Message, e.Pos+1, e.Pos+1) + } + l := e.Pos + 1 + var sb strings.Builder + sb.WriteString(e.Expr) + sb.WriteRune('\n') + for l > 0 { + l-- + sb.WriteRune(' ') + if l == 0 { + sb.WriteString(fmt.Sprintf("^ expected %s", strings.Join(e.Expected, ", "))) + } + } + return sb.String() +} diff --git a/pkg/filter/ql/error_test.go b/pkg/filter/ql/error_test.go new file mode 100644 index 000000000..835e4272e --- /dev/null +++ b/pkg/filter/ql/error_test.go @@ -0,0 +1,31 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ql + +import ( + "github.com/magiconair/properties/assert" + "testing" +) + +func TestParseError(t *testing.T) { + err := newParseError("[", []string{"("}, 10, "ps.name in ['svchost.exe', 'cmd.exe')") + expected := "ps.name in ['svchost.exe', 'cmd.exe')\n" + + " ^ expected (" + assert.Equal(t, expected, err.Error()) +} diff --git a/pkg/filter/ql/expr.go b/pkg/filter/ql/expr.go new file mode 100644 index 000000000..7111d399e --- /dev/null +++ b/pkg/filter/ql/expr.go @@ -0,0 +1,51 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ql + +import "fmt" + +// Node represents a node in the abstract syntax tree. +type Node interface { + String() string +} + +// Expr represents an expression that can be evaluated to a value. +type Expr interface { + Node +} + +// ParenExpr represents a parenthesized expression. +type ParenExpr struct { + Expr Expr +} + +// String returns a string representation of the parenthesized expression. +func (e *ParenExpr) String() string { return fmt.Sprintf("(%s)", e.Expr.String()) } + +// BinaryExpr represents an operation between two expressions. +type BinaryExpr struct { + Op token + LHS Expr + RHS Expr +} + +// String returns a string representation of the binary expression. +func (e *BinaryExpr) String() string { + return fmt.Sprintf("%s %s %s", e.LHS.String(), e.Op.String(), e.RHS.String()) +} diff --git a/pkg/filter/ql/lexer.go b/pkg/filter/ql/lexer.go new file mode 100644 index 000000000..f87898d0d --- /dev/null +++ b/pkg/filter/ql/lexer.go @@ -0,0 +1,507 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2013-2016 Errplane Inc. + */ + +package ql + +import ( + "bufio" + "bytes" + "errors" + "io" + "strconv" + "strings" +) + +// scanner is responsible for splitting up the filter expression into individual tokens. This code is mostly borrowed +// from the influxql repository (https://github.com/influxdata/influxql) with some changes to support the lexing +// of additional tokens such as IP addresses. +type scanner struct { + r *reader +} + +func newScanner(r io.Reader) *scanner { + return &scanner{r: &reader{r: bufio.NewReader(r)}} +} + +// scan returns the next token and position from the underlying reader. +// Also returns the literal text read for strings, numbers, and duration tokens +// since these token types can have different literal representations. +func (s *scanner) scan() (tok token, pos int, lit string) { + // Read next code point. + ch0, pos := s.r.read() + + // if we see whitespace then consume all contiguous whitespace. + // if we see a letter, or certain acceptable special characters, then consume + // as an ident or reserved word. + if isWhitespace(ch0) { + return s.scanWhitespace() + } else if isLetter(ch0) || ch0 == '_' { + s.r.unread() + return s.scanIdent() + } else if isDigit(ch0) { + return s.scanNumber() + } + + // Otherwise parse individual characters. + switch ch0 { + case reof: + return eof, pos, "" + case '"': + s.r.unread() + return s.scanIdent() + case '\'': + return s.scanString() + case '.': + ch1, _ := s.r.read() + s.r.unread() + if isDigit(ch1) { + return s.scanNumber() + } + return dot, pos, "" + case '=': + return eq, pos, "" + case '!': + if ch1, _ := s.r.read(); ch1 == '=' { + return neq, pos, "" + } + s.r.unread() + case '>': + if ch1, _ := s.r.read(); ch1 == '=' { + return gte, pos, "" + } + s.r.unread() + return gt, pos, "" + case '<': + if ch1, _ := s.r.read(); ch1 == '=' { + return lte, pos, "" + } else if ch1 == '>' { + return neq, pos, "" + } + s.r.unread() + return lt, pos, "" + case '(': + return lparen, pos, "" + case ')': + return rparen, pos, "" + case ',': + return comma, pos, "" + } + return illegal, pos, string(ch0) +} + +// scanWhitespace consumes the current rune and all contiguous whitespace. +func (s *scanner) scanWhitespace() (tok token, pos int, lit string) { + // Create a buffer and read the current character into it. + var buf bytes.Buffer + ch, pos := s.r.curr() + _, _ = buf.WriteRune(ch) + + // Read every subsequent whitespace character into the buffer. + // Non-whitespace characters and EOF will cause the loop to exit. + for { + ch, _ = s.r.read() + if ch == reof { + break + } else if !isWhitespace(ch) { + s.r.unread() + break + } else { + _, _ = buf.WriteRune(ch) + } + } + + return ws, pos, buf.String() +} + +func (s *scanner) scanIdent() (tok token, pos int, lit string) { + // Save the starting position of the identifier. + _, pos = s.r.read() + s.r.unread() + + var buf bytes.Buffer + for { + if ch, _ := s.r.read(); ch == reof { + break + } else if ch == '"' { + tok0, pos0, lit0 := s.scanString() + if tok0 == badstr || tok0 == badesc { + return tok0, pos0, lit0 + } + return ident, pos, lit0 + } else if isIdentChar(ch) { + s.r.unread() + buf.WriteString(scanBareIdent(s.r)) + } else { + s.r.unread() + break + } + } + lit = buf.String() + + if tok, lit = lookup(lit); tok != ident { + return tok, pos, lit + } + + return ident, pos, lit +} + +// scanNumber consumes anything that looks like the start of a number. +func (s *scanner) scanNumber() (tok token, pos int, lit string) { + var buf bytes.Buffer + + // Check if the initial rune is a ".". + ch, pos := s.r.curr() + if ch == '.' { + // Peek and see if the next rune is a digit. + ch1, _ := s.r.read() + s.r.unread() + if !isDigit(ch1) { + return illegal, pos, "." + } + // Unread the full stop so we can read it later. + s.r.unread() + } else { + s.r.unread() + } + + // Read as many digits as possible. + _, _ = buf.WriteString(s.scanDigits()) + + // If next code points are a full stop and digit then consume them. + isDecimal := false + if ch0, _ := s.r.read(); ch0 == '.' { + isDecimal = true + if ch1, _ := s.r.read(); isDigit(ch1) { + _, _ = buf.WriteRune(ch0) + _, _ = buf.WriteRune(ch1) + _, _ = buf.WriteString(s.scanDigits()) + } else { + s.r.unread() + } + } else { + s.r.unread() + } + + // Check if next token is a "." and has at least 2 more subsequent "." runes + // to confirm we have an IP address string + ch, _ = s.r.read() + if ch == '.' { + buf.WriteRune(ch) + nbDots := 2 + for { + buf.WriteString(s.scanDigits()) + ch, _ := s.r.read() + if ch != '.' { + s.r.unread() + break + } + nbDots++ + _, _ = buf.WriteRune(ch) + } + if nbDots != 3 { + s.r.unread() + return badip, pos, buf.String() + } + octets := strings.Split(buf.String(), ".") + if len(octets) != 4 { + return badip, pos, buf.String() + } + // check the range of each octet + for _, oct := range octets { + n, err := strconv.Atoi(oct) + if err != nil { + return badip, pos, buf.String() + } + if n < 0 || n > 255 { + return badip, pos, buf.String() + } + } + return ip, pos, buf.String() + } else { + s.r.unread() + } + + // Read as a duration or integer if it doesn't have a fractional part. + if !isDecimal { + // If the next rune is a letter then this is a duration token. + if ch0, _ := s.r.read(); isLetter(ch0) || ch0 == 'µ' { + _, _ = buf.WriteRune(ch0) + for { + ch1, _ := s.r.read() + if !isLetter(ch1) && ch1 != 'µ' { + s.r.unread() + break + } + _, _ = buf.WriteRune(ch1) + } + + // Continue reading digits and letters as part of this token. + for { + if ch0, _ := s.r.read(); isLetter(ch0) || ch0 == 'µ' || isDigit(ch0) { + _, _ = buf.WriteRune(ch0) + } else { + s.r.unread() + break + } + } + return duration, pos, buf.String() + } else { + s.r.unread() + return integer, pos, buf.String() + } + } + + return dec, pos, buf.String() +} + +// scanDigits consumes a contiguous series of digits. +func (s *scanner) scanDigits() string { + var buf bytes.Buffer + for { + ch, _ := s.r.read() + if !isDigit(ch) { + s.r.unread() + break + } + _, _ = buf.WriteRune(ch) + } + return buf.String() +} + +// scanBareIdent reads bare identifier from a rune reader. +func scanBareIdent(r io.RuneScanner) string { + // Read every ident character into the buffer. + // Non-ident characters and EOF will cause the loop to exit. + var buf bytes.Buffer + for { + ch, _, err := r.ReadRune() + if err != nil { + break + } else if !isIdentChar(ch) { + _ = r.UnreadRune() + break + } else { + _, _ = buf.WriteRune(ch) + } + } + return buf.String() +} + +// scanString consumes a contiguous string of non-quote characters. +// Quote characters can be consumed if they're first escaped with a backslash. +func (s *scanner) scanString() (tok token, pos int, lit string) { + s.r.unread() + _, pos = s.r.curr() + + var err error + lit, err = ScanString(s.r) + if err == errBadString { + return badstr, pos, lit + } else if err == errBadEscape { + _, pos = s.r.curr() + return badstr, pos, lit + } + return str, pos, lit +} + +var errBadString = errors.New("bad string") +var errBadEscape = errors.New("bad escape") + +// ScanString reads a quoted string from a rune reader. +func ScanString(r io.RuneScanner) (string, error) { + ending, _, err := r.ReadRune() + if err != nil { + return "", errBadString + } + + var buf bytes.Buffer + for { + ch0, _, err := r.ReadRune() + if ch0 == ending { + return buf.String(), nil + } else if err != nil || ch0 == '\n' { + return buf.String(), errBadString + } else if ch0 == '\\' { + // If the next character is an escape then write the escaped char. + // If it's not a valid escape then return an error. + ch1, _, _ := r.ReadRune() + if ch1 == 'n' { + _, _ = buf.WriteRune('\n') + } else if ch1 == '\\' { + _, _ = buf.WriteRune('\\') + } else if ch1 == '"' { + _, _ = buf.WriteRune('"') + } else if ch1 == '\'' { + _, _ = buf.WriteRune('\'') + } else { + return string(ch0) + string(ch1), errBadEscape + } + } else { + _, _ = buf.WriteRune(ch0) + } + } +} + +// bufScanner represents a wrapper for scanner to add a buffer. +// It provides a fixed-length circular buffer that can be unread. +type bufScanner struct { + s *scanner + i int // buffer index + n int // buffer size + buf [3]struct { + tok token + pos int + lit string + } +} + +// newBufScanner returns a new buffered scanner for a reader. +func newBufScanner(r io.Reader) *bufScanner { + return &bufScanner{s: newScanner(r)} +} + +// scan reads the next token from the scanner. +func (s *bufScanner) scan() (tok token, pos int, lit string) { + return s.scanFunc(s.s.scan) +} + +// scanFunc uses the provided function to scan the next token. +func (s *bufScanner) scanFunc(scan func() (token, int, string)) (tok token, pos int, lit string) { + // If we have unread tokens then read them off the buffer first. + if s.n > 0 { + s.n-- + return s.curr() + } + + // Move buffer position forward and save the token. + s.i = (s.i + 1) % len(s.buf) + buf := &s.buf[s.i] + buf.tok, buf.pos, buf.lit = scan() + + return s.curr() +} + +// unscan pushes the previously token back onto the buffer. +func (s *bufScanner) unscan() { s.n++ } + +// curr returns the last read token. +func (s *bufScanner) curr() (tok token, pos int, lit string) { + buf := &s.buf[(s.i-s.n+len(s.buf))%len(s.buf)] + return buf.tok, buf.pos, buf.lit +} + +type reader struct { + r io.RuneScanner + i int + n int // buffer char count + pos int // last read rune position + buf [3]struct { + ch rune + pos int + } + eof bool +} + +// readRune reads the next rune from the reader. +// This is a wrapper function to implement the io.RuneReader interface. +// Note that this function does not return size. +func (r *reader) ReadRune() (ch rune, size int, err error) { + ch, _ = r.read() + if ch == reof { + err = io.EOF + } + return +} + +// unreadRune pushes the previously read rune back onto the buffer. +// This is a wrapper function to implement the io.RuneScanner interface. +func (r *reader) UnreadRune() error { + r.unread() + return nil +} + +var reof = rune(0) + +// read reads the next rune from the reader. +func (r *reader) read() (ch rune, pos int) { + // if we have unread characters then read them off the buffer first. + if r.n > 0 { + r.n-- + return r.curr() + } + + // Read next rune from underlying reader. + // Any error (including io.EOF) should return as EOF. + ch, _, err := r.r.ReadRune() + if err != nil { + ch = reof + } else if ch == '\r' { + if ch, _, err := r.r.ReadRune(); err != nil { + // nop + } else if ch != '\n' { + _ = r.r.UnreadRune() + } + ch = '\n' + } + + // Save character and position to the buffer. + r.i = (r.i + 1) % len(r.buf) + buf := &r.buf[r.i] + buf.ch, buf.pos = ch, r.pos + + // Update position. + if !r.eof { + r.pos++ + } + + // Mark the reader as EOF. + // This is used so we don't double count EOF characters. + if ch == reof { + r.eof = true + } + + return r.curr() +} + +// unread pushes the previously read rune back onto the buffer. +func (r *reader) unread() { r.n++ } + +// curr returns the last read character and position. +func (r *reader) curr() (ch rune, pos int) { + i := (r.i - r.n + len(r.buf)) % len(r.buf) + buf := &r.buf[i] + return buf.ch, buf.pos +} + +// isWhitespace returns true if the rune is a space, tab, or newline. +func isWhitespace(ch rune) bool { return ch == ' ' || ch == '\t' || ch == '\n' } + +// isLetter returns true if the rune is a letter. +func isLetter(ch rune) bool { + return (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') +} + +// isDigit returns true if the rune is a digit. +func isDigit(ch rune) bool { return ch >= '0' && ch <= '9' } + +// isIdentChar returns true if the rune can be used in an unquoted identifier. $ rune is for special PE section names (e.g. .debug$ | .tls$) +func isIdentChar(ch rune) bool { + return isLetter(ch) || isDigit(ch) || ch == '_' || ch == '.' || ch == '[' || ch == ']' || ch == '$' +} diff --git a/pkg/filter/ql/lexer_test.go b/pkg/filter/ql/lexer_test.go new file mode 100644 index 000000000..a8f1cc04d --- /dev/null +++ b/pkg/filter/ql/lexer_test.go @@ -0,0 +1,97 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ql + +import ( + "strings" + "testing" +) + +func TestScanner(t *testing.T) { + var tests = []struct { + s string + tok token + lit string + pos int + }{ + // special tokens + {s: ``, tok: eof}, + {s: `#`, tok: illegal, lit: `#`}, + {s: ` `, tok: ws, lit: " "}, + {s: "\t", tok: ws, lit: "\t"}, + + // logical operators + {s: `AND`, tok: and}, + {s: `and`, tok: and}, + {s: `OR`, tok: or}, + {s: `or`, tok: or}, + + {s: `=`, tok: eq}, + {s: `<>`, tok: neq}, + {s: `! `, tok: illegal, lit: "!"}, + {s: `<`, tok: lt}, + {s: `<=`, tok: lte}, + {s: `>`, tok: gt}, + {s: `>=`, tok: gte}, + {s: `IN`, tok: in}, + {s: `in`, tok: in}, + + // misc tokens + {s: `(`, tok: lparen}, + {s: `)`, tok: rparen}, + {s: `,`, tok: comma}, + + // fields + {s: `ps.name`, tok: field, lit: "ps.name"}, + {s: `ps.pe.sections[.debug$S].entropy`, tok: field, lit: "ps.pe.sections[.debug$S].entropy"}, + {s: `ps.envs[CommonProgramFiles86]`, tok: field, lit: "ps.envs[CommonProgramFiles86]"}, + + // identifiers + {s: `foo`, tok: ident, lit: `foo`}, + {s: `_foo`, tok: ident, lit: `_foo`}, + {s: `Zx12_3U_-`, tok: ident, lit: `Zx12_3U_`}, + {s: `"foo\"bar\""`, tok: ident, lit: `foo"bar"`}, + + // IP address + {s: "172.17.0.1", tok: ip, lit: "172.17.0.1"}, + {s: "172.17.1", tok: badip, lit: "172.17.1"}, + {s: "172.317.1.2", tok: badip, lit: "172.317.1.2"}, + {s: "172.2.266.2", tok: badip, lit: "172.2.266.2"}, + + // strings + {s: `'testing 123!'`, tok: str, lit: `testing 123!`}, + {s: `'foo\nbar'`, tok: str, lit: "foo\nbar"}, + {s: `'foo\\bar'`, tok: str, lit: "foo\\bar"}, + + // numbers + {s: "6.2323", tok: dec, lit: "6.2323"}, + } + + for i, tt := range tests { + s := newScanner(strings.NewReader(tt.s)) + tok, pos, lit := s.scan() + if tt.tok != tok { + t.Errorf("%d. %q token mismatch: exp=%q got=%q <%q>", i, tt.s, tt.tok, tok, lit) + } else if tt.pos != pos { + t.Errorf("%d. %q pos mismatch: exp=%#v got=%#v", i, tt.s, tt.pos, pos) + } else if tt.lit != lit { + t.Errorf("%d. %q literal mismatch: exp=%q got=%q", i, tt.s, tt.lit, lit) + } + } +} diff --git a/pkg/filter/ql/literal.go b/pkg/filter/ql/literal.go new file mode 100644 index 000000000..a3939ee50 --- /dev/null +++ b/pkg/filter/ql/literal.go @@ -0,0 +1,98 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ql + +import ( + "bytes" + "net" + "strconv" +) + +// StringLiteral represents a string literal. +type StringLiteral struct { + Value string +} + +// FieldLiteral represents a field literal. +type FieldLiteral struct { + Value string +} + +// IntegerLiteral represents a signed number literal. +type IntegerLiteral struct { + Value int64 +} + +// UnsignedLiteral represents an unsigned number literal. +type UnsignedLiteral struct { + Value uint64 +} + +// DecimalLiteral represents an floating point number literal. +type DecimalLiteral struct { + Value float64 +} + +// IPLiteral represents an IP literal. +type IPLiteral struct { + Value net.IP +} + +func (i IPLiteral) String() string { + return i.Value.String() +} + +func (i IntegerLiteral) String() string { + return strconv.Itoa(int(i.Value)) +} + +func (s StringLiteral) String() string { + return s.Value +} + +func (f FieldLiteral) String() string { + return f.Value +} + +func (u UnsignedLiteral) String() string { + return strconv.Itoa(int(u.Value)) +} + +func (d DecimalLiteral) String() string { + return strconv.FormatFloat(d.Value, 'e', -1, 64) +} + +// ListLiteral represents a list of tag key literals. +type ListLiteral struct { + Values []string +} + +// String returns a string representation of the literal. +func (s *ListLiteral) String() string { + var buf bytes.Buffer + _, _ = buf.WriteString("(") + for idx, tagKey := range s.Values { + if idx != 0 { + _, _ = buf.WriteString(", ") + } + _, _ = buf.WriteString(tagKey) + } + _, _ = buf.WriteString(")") + return buf.String() +} diff --git a/pkg/filter/ql/parser.go b/pkg/filter/ql/parser.go new file mode 100644 index 000000000..c8e7339cf --- /dev/null +++ b/pkg/filter/ql/parser.go @@ -0,0 +1,203 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Copyright (c) 2013-2016 Errplane Inc. + */ + +package ql + +import ( + "net" + "strconv" + "strings" +) + +// Parser builds the binary expression tree from the filter string. +type Parser struct { + s *bufScanner + lparen bool + expr string +} + +// NewParsers builds a new parser instance from the expression string. +func NewParser(expr string) *Parser { + return &Parser{s: newBufScanner(strings.NewReader(expr)), expr: expr} +} + +// ParseExpr parses an expression by building the binary expression tree. +func (p *Parser) ParseExpr() (Expr, error) { + var err error + root := &BinaryExpr{} + + // parse a non-binary expression type to start. This variable will always be + // the root of the expression tree. + root.RHS, err = p.parseUnaryExpr() + if err != nil { + return nil, err + } + + // loop over operations and unary exprs and build a tree based on precendence. + for { + // if the next token is NOT an operator then return the expression. + op, pos, lit := p.scanIgnoreWhitespace() + if !op.isOperator() { + p.unscan() + if op == rparen && !p.lparen { + return nil, newParseError(tokstr(op, lit), []string{"("}, pos, p.expr) + } + if op != eof && op != rparen { + return nil, newParseError(tokstr(op, lit), []string{"operator"}, pos, p.expr) + } + return root.RHS, nil + } + + var rhs Expr + if op == in { + // parse required ( token + if tok, pos, lit := p.scanIgnoreWhitespace(); tok != lparen { + return nil, newParseError(tokstr(tok, lit), []string{"("}, pos, p.expr) + } + + // parse a comma-separated list + tagKeys, err := p.parseList() + if err != nil { + return nil, err + } + + // parse required ) token + if tok, pos, lit := p.scanIgnoreWhitespace(); tok != rparen { + return nil, newParseError(tokstr(tok, lit), []string{")"}, pos, p.expr) + } + + rhs = &ListLiteral{Values: tagKeys} + } else { + // Otherwise parse the next expression. + rhs, err = p.parseUnaryExpr() + if err != nil { + return nil, err + } + } + + // find the right spot in the tree to add the new expression by + // descending the RHS of the expression tree until we reach the last + // BinaryExpr or a BinaryExpr whose RHS has an operator with + // precedence >= the operator being added. + for node := root; ; { + r, ok := node.RHS.(*BinaryExpr) + if !ok || r.Op.precedence() >= op.precedence() { + // Add the new expression here and break. + node.RHS = &BinaryExpr{LHS: node.RHS, RHS: rhs, Op: op} + break + } + node = r + } + } +} + +// parseUnaryExpr parses an non-binary expression. +func (p *Parser) parseUnaryExpr() (Expr, error) { + // If the first token is a LPAREN then parse it as its own grouped expression. + if tok, _, _ := p.scanIgnoreWhitespace(); tok == lparen { + p.lparen = true + expr, err := p.ParseExpr() + if err != nil { + return nil, err + } + // Expect an RPAREN at the end. + if tok, pos, lit := p.scanIgnoreWhitespace(); tok != rparen { + return nil, newParseError(tokstr(tok, lit), []string{")"}, pos, p.expr) + } + return &ParenExpr{Expr: expr}, nil + } + + p.unscan() + + tok, pos, lit := p.scanIgnoreWhitespace() + switch tok { + case ip: + return &IPLiteral{Value: net.ParseIP(lit)}, nil + case str: + return &StringLiteral{Value: lit}, nil + case field: + return &FieldLiteral{Value: lit}, nil + case integer: + v, err := strconv.ParseInt(lit, 10, 64) + if err != nil { + // The literal may be too large to fit into an int64. If it is, use an unsigned integer. + // The check for negative numbers is handled somewhere else so this should always be a positive number. + if v, err := strconv.ParseUint(lit, 10, 64); err == nil { + return &UnsignedLiteral{Value: v}, nil + } + return nil, &ParseError{Message: "unable to parse integer", Pos: pos} + } + return &IntegerLiteral{Value: v}, nil + case dec: + v, err := strconv.ParseFloat(lit, 64) + if err != nil { + return nil, &ParseError{Message: "unable to parse decimal", Pos: pos} + } + return &DecimalLiteral{Value: v}, nil + } + + expectations := []string{"field", "string", "number", "bool", "ip"} + if tok == badip { + expectations = []string{"a valid IP address"} + } + p.lparen = false + + return nil, newParseError(tokstr(tok, lit), expectations, pos, p.expr) +} + +func (p *Parser) parseList() ([]string, error) { + tok, pos, lit := p.scanIgnoreWhitespace() + if tok != str { + return []string{}, newParseError(tokstr(tok, lit), []string{"identifier"}, pos, p.expr) + } + idents := []string{lit} + + // parse remaining identifiers + for { + if tok, _, _ := p.scanIgnoreWhitespace(); tok != comma { + p.unscan() + return idents, nil + } + + tok, pos, lit := p.scanIgnoreWhitespace() + if tok != str { + return []string{}, newParseError(tokstr(tok, lit), []string{"identifier"}, pos, p.expr) + } + + idents = append(idents, lit) + } +} + +// scan returns the next token from the underlying scanner. +func (p *Parser) scan() (tok token, pos int, lit string) { return p.s.scan() } + +// scanIgnoreWhitespace scans the next non-whitespace. +func (p *Parser) scanIgnoreWhitespace() (tok token, pos int, lit string) { + for { + tok, pos, lit = p.scan() + if tok == ws { + continue + } + return + } +} + +// unscan pushes the previously read token back onto the buffer. +func (p *Parser) unscan() { p.s.unscan() } diff --git a/pkg/filter/ql/parser_test.go b/pkg/filter/ql/parser_test.go new file mode 100644 index 000000000..a8330bcf2 --- /dev/null +++ b/pkg/filter/ql/parser_test.go @@ -0,0 +1,69 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ql + +import ( + "errors" + "testing" +) + +func TestParser(t *testing.T) { + var tests = []struct { + expr string + err error + }{ + {expr: "ps.name = 'cmd.exe'"}, + {expr: "ps.name != 'cmd.exe'"}, + {expr: "ps.name <> 'cmd.exe'"}, + {expr: "ps.name <> 'cmd.exe", err: errors.New("ps.name <> 'cmd.exe\n" + + " ^ expected field, string, number, bool, ip")}, + {expr: "ps.name = 123"}, + {expr: "net.dip = 172.17.0.9"}, + {expr: "net.dip = 172.17.0", err: errors.New("net.dip = 172.17.0\n" + + " ^ expected a valid IP address")}, + + {expr: "ps.name = 'cmd.exe' OR ps.name contains 'svc'"}, + {expr: "ps.name = 'cmd.exe' AND (ps.name contains 'svc' OR ps.name != 'lsass')"}, + {expr: "ps.name = 'cmd.exe' AND ps.name contains 'svc' OR ps.name != 'lsass')", err: errors.New("ps.name = 'cmd.exe' AND ps.name contains 'svc' OR ps.name != 'lsass')" + + "^ expected)")}, + {expr: "ps.name = 'cmd.exe' AND (ps.name contains 'svc' OR ps.name != 'lsass'", err: errors.New("ps.name = 'cmd.exe' AND (ps.name contains 'svc' OR ps.name != 'lsass'" + + "^ expected")}, + + {expr: "ps.name = 'cmd.exe' OR ((ps.name contains 'svc' AND ps.name != 'lsass') AND ps.ppid != 1)"}, + + {expr: "ps.name = 'cmd.exe' OR ((ps.name contains 'svc' AND ps.name != 'lsass' AND ps.ppid != 1)", err: errors.New("ps.name = 'cmd.exe' OR ((ps.name contains 'svc' AND ps.name != 'lsass' AND ps.ppid != 1)" + + " ^ expected )")}, + + {expr: "ps.name = 'cmd.exe' OR ((ps.name contains 'svc' AND ps.name != 'lsass') AND ps.ppid != 1", err: errors.New("ps.name = 'cmd.exe' OR ((ps.name contains 'svc' AND ps.name != 'lsass') AND ps.ppid != 1" + + " ^ expected )")}, + + {expr: "ps.none = 'cmd.exe'", err: errors.New("ps.none = 'cmd.exe'" + + " ^ expected field, string, number, bool, ip")}, + } + + for i, tt := range tests { + p := NewParser(tt.expr) + _, err := p.ParseExpr() + if err == nil && tt.err != nil { + t.Errorf("%d. exp=%s expected error=%v", i, tt.expr, tt.err) + } else if err != nil && tt.err == nil { + t.Errorf("%d. exp=%s got error=%v", i, tt.expr, err) + } + } +} diff --git a/pkg/filter/ql/token.go b/pkg/filter/ql/token.go new file mode 100644 index 000000000..24924fc57 --- /dev/null +++ b/pkg/filter/ql/token.go @@ -0,0 +1,157 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ql + +import ( + "github.com/rabbitstack/fibratus/pkg/filter/fields" + "strings" +) + +// token represents the lexical token of the filter expression +type token int + +const ( + illegal token = iota + ws + eof + + field // ps.name + str // 'cmd.exe' + badstr + badesc + ident + dec // 123.3 + integer // 123 + duration // 13h + ip // 192.168.1.23 + badip // 192.156.300.12 + + opBeg + and // and + or // or + not // not + in // in + contains // contains + icontains // icontains + startswith // startswith + endswith // endswith + eq // = + neq // != + lt // < + lte // <= + gt // > + gte // >= + opEnd + + lparen // ( + rparen // ) + comma // , + dot // . +) + +var keywords map[string]token + +func init() { + keywords = make(map[string]token) + for _, tok := range []token{and, or, contains, icontains, not, in, startswith, endswith} { + keywords[strings.ToLower(tokens[tok])] = tok + } +} + +var tokens = [...]string{ + illegal: "ILLEGAL", + eof: "EOF", + ws: "WS", + + ident: "IDENT", + field: "FIELD", + integer: "INTEGER", + dec: "DECIMAL", + duration: "DURATION", + str: "STRING", + badstr: "BADSTRING", + badesc: "BADESCAPE", + ip: "IPADDRESS", + badip: "BADIPADDRESS", + + and: "AND", + or: "OR", + contains: "CONTAINS", + icontains: "ICONTAINS", + not: "NOT", + in: "IN", + startswith: "STARTSWITH", + endswith: "ENDSWITH", + + eq: "=", + neq: "!=", + lt: "<", + lte: "<=", + gt: ">", + gte: ">=", + + lparen: "(", + rparen: ")", + comma: ",", + dot: ".", +} + +// isOperator determines whether the current token is an operator. +func (tok token) isOperator() bool { return tok > opBeg && tok < opEnd } + +// String returns the string representation of the token. +func (tok token) String() string { + if tok >= 0 && tok < token(len(tokens)) { + return tokens[tok] + } + return "" +} + +// precedence returns the operator precedence of the binary operator token. +func (tok token) precedence() int { + switch tok { + case or: + return 1 + case and: + return 2 + case eq, neq, lt, lte, gt, gte: + return 3 + case in, contains, icontains, startswith, endswith: + return 4 + } + return 0 +} + +func tokstr(tok token, lit string) string { + if lit != "" { + return lit + } + return tok.String() +} + +// lookup returns the token associated with a given string. +func lookup(id string) (token, string) { + if tok, ok := keywords[strings.ToLower(id)]; ok { + return tok, "" + } + if tok := fields.Lookup(id); tok != "" { + return field, id + } + return ident, id +} diff --git a/pkg/filter/ql/visitor.go b/pkg/filter/ql/visitor.go new file mode 100644 index 000000000..1010a567a --- /dev/null +++ b/pkg/filter/ql/visitor.go @@ -0,0 +1,49 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ql + +// Visitor can be called by Walk to traverse an AST hierarchy. +// The Visit() function is called once per node. +type Visitor interface { + Visit(Node) Visitor +} + +// Walk traverses a node hierarchy in depth-first order. +func Walk(v Visitor, node Node) { + if node == nil { + return + } + if v = v.Visit(node); v == nil { + return + } + switch n := node.(type) { + case *BinaryExpr: + Walk(v, n.LHS) + Walk(v, n.RHS) + } +} + +// WalkFunc traverses a node hierarchy in depth-first order. +func WalkFunc(node Node, fn func(Node)) { + Walk(walkFuncVisitor(fn), node) +} + +type walkFuncVisitor func(Node) + +func (fn walkFuncVisitor) Visit(n Node) Visitor { fn(n); return fn } diff --git a/fibratus/output/__init__.py b/pkg/fs/_fixtures/.gitkeep similarity index 100% rename from fibratus/output/__init__.py rename to pkg/fs/_fixtures/.gitkeep diff --git a/pkg/fs/attrs.go b/pkg/fs/attrs.go new file mode 100644 index 000000000..607dcff52 --- /dev/null +++ b/pkg/fs/attrs.go @@ -0,0 +1,64 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package fs + +// FileAttr represents a type alias for the file attribute enumeration. +type FileAttr uint32 + +const ( + FileDirectory FileAttr = 0x10 + // FileArchive denotes a file or directory that is an archive file or directory. Applications typically use this attribute to mark files for backup or removal. + FileArchive FileAttr = 0x20 + // FileCompressed represents a file or a directory that is compressed. + FileCompressed FileAttr = 0x800 + // FileEncrypted represents a file or a directory that is encrypted + FileEncrypted FileAttr = 0x4000 + // FileHidden designates a file or directory that is hidden, i.e. it is not included in an ordinary directory listing. + FileHidden FileAttr = 0x2 + // FileReparsePoint represents a file or directory that has an associated reparse point, or a file that is a symbolic link. + FileReparsePoint FileAttr = 0x400 + // FileSparse denotes a sparse file. Spares files can optimize disk usage as the system does not allocate disk space for the file regions with sparse data. + FileSparse = 0x200 + // FileTemporary denotes files that are used for temporary storage. + FileTemporary = 0x100 +) + +// FileAttr returns human-readable file attribute name. +func (fa FileAttr) String() string { + switch fa { + case FileDirectory: + return "directory" + case FileArchive: + return "archive" + case FileCompressed: + return "compressed" + case FileEncrypted: + return "encrypted" + case FileHidden: + return "hidden" + case FileReparsePoint: + return "junction" + case FileSparse: + return "sparse" + case FileTemporary: + return "temporary" + default: + return "unknown" + } +} diff --git a/pkg/fs/dev.go b/pkg/fs/dev.go new file mode 100644 index 000000000..0154dc511 --- /dev/null +++ b/pkg/fs/dev.go @@ -0,0 +1,67 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package fs + +import ( + "github.com/rabbitstack/fibratus/pkg/syscall/file" + "strings" +) + +const deviceOffset = 8 + +// DevMapper is the minimal interface for the device converters. +type DevMapper interface { + // Convert receives the fully qualified file path and replaces the DOS device name with a drive letter. + Convert(filename string) string +} + +type mapper struct { + cache map[string]string +} + +// NewDevMapper creates a new instance of the DOS device replacer. +func NewDevMapper() DevMapper { + m := &mapper{ + cache: make(map[string]string, 0), + } + // loop through logical drives and query the DOS device name + for _, drive := range file.GetLogicalDrives() { + device, err := file.QueryDosDevice(drive) + if err != nil { + continue + } + m.cache[device] = drive + } + return m +} + +func (m *mapper) Convert(filename string) string { + if filename == "" || len(filename) < deviceOffset { + return filename + } + i := strings.Index(filename[deviceOffset:], "\\") + if i < 0 { + return m.cache[filename] + } + dev := filename[:i+deviceOffset] + if drive, ok := m.cache[dev]; ok { + return strings.Replace(filename, dev, drive, 1) + } + return filename +} diff --git a/pkg/fs/dev_test.go b/pkg/fs/dev_test.go new file mode 100644 index 000000000..f5617fa83 --- /dev/null +++ b/pkg/fs/dev_test.go @@ -0,0 +1,70 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package fs + +import ( + "fmt" + "github.com/stretchr/testify/assert" + "strings" + "testing" +) + +var drives = []string{ + "A", + "B", + "C", + "D", + "E", + "F", + "G", + "H", + "I", + "J", + "K", + "L", + "M", + "N", + "O", + "P", + "Q", + "R", + "S", + "T", + "U", + "V", + "W", + "X", + "Y", + "Z"} + +func TestConvertDosDevice(t *testing.T) { + mapper := NewDevMapper() + files := make([]string, 0, len(drives)) + for _, drive := range drives { + files = append(files, fmt.Sprintf("%s:\\Windows\\system32\\kernel32.dll", drive)) + } + var filename string + for i := 0; i < len(drives); i++ { + filename = mapper.Convert(fmt.Sprintf("\\Device\\HarddiskVolume%d\\Windows\\system32\\kernel32.dll", i)) + if !strings.HasPrefix(filename, "\\Device") { + break + } + } + assert.Contains(t, files, filename) +} diff --git a/pkg/fs/file.go b/pkg/fs/file.go new file mode 100644 index 000000000..cf363974d --- /dev/null +++ b/pkg/fs/file.go @@ -0,0 +1,114 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package fs + +import ( + "expvar" + "github.com/rabbitstack/fibratus/pkg/syscall/file" + "os" + "path/filepath" + "strings" +) + +const ( + directoryFile = 0x00000001 // file being created or opened is a directory file + + deviceCDROM = 0x00000002 + deviceCDROMFs = 0x00000003 + deviceController = 0x00000004 + deviceDatalink = 0x00000005 + deviceDFS = 0x00000006 + deviceDisk = 0x00000007 + deviceDiskFs = 0x00000008 + + devMailslot = 0x0000000c + devNamedPipe = 0x00000011 + + deviceVirtualDisk = 0x00000024 + devConsole = 0x00000050 +) + +// queryVolumeCalls represents the number of times the query volume function was called +var queryVolumeCalls = expvar.NewInt("file.query.volume.info.calls") + +// GetFileType returns the underlying file type. The opts parameter corresponds to the NtCreateFile CreateOptions argument +// that specifies the options to be applied when creating or opening the file. +func GetFileType(filename string, opts uint32) FileType { + if filename == "" { + return Other + } + // if the CreateOptions argument of the NtCreateFile syscall has been invoked + // with the FILE_DIRECTORY_FILE flag, it is likely that the target file object + // is a directory. We ensure that by calling the API function for checking whether + // the path name is truly a directory + if (opts&directoryFile) != 0 && file.IsPathDirectory(filename) { + return Directory + } + // FILE_DIRECTORY_FILE flag only gives us a hint on the CreateFile op outcome. If this flag is + // not present in the argument but the file is a directory, we can apply some simple heuristics + // like checking the extension/suffix, even though they are not bullet proof + if filename[:len(filename)-1] == "\\" || filepath.Ext(filename) == "" { + return Directory + } + // non directory file can be a regular file, logical, virtual or physical device or a volume. + // If the filename doesn't start with a drive letter it's probably not a regular + // file since we already have mapped the DOS name to drive letter + if !strings.HasPrefix(filename, "\\Device") { + return Regular + } + // if the filename contains the HardiskVolume string then we assume it is a file. This + // could happen if we fail to resolve the DOS name + if strings.HasPrefix(filename, "\\Device\\HarddiskVolume") { + return Regular + } + // logical, virtual, physical device or a volume + // obtain the device type that is linked to this file object + return getFileTypeFromVolumeInfo(filename) +} + +func getFileTypeFromVolumeInfo(filename string) FileType { + f, err := os.Open(filename) + if err != nil { + return Other + } + defer f.Close() + + queryVolumeCalls.Add(1) + + dev, err := file.QueryVolumeInfo(f.Fd()) + if err != nil { + return Other + } + switch dev.Type { + case deviceCDROM, deviceCDROMFs, deviceController, + deviceDatalink, deviceDFS, deviceDisk, deviceDiskFs: + if file.IsPathDirectory(filename) { + return Directory + } + return Regular + case devConsole: + return Console + case devMailslot: + return Mailslot + case devNamedPipe: + return Pipe + default: + return Other + } +} diff --git a/pkg/fs/file_test.go b/pkg/fs/file_test.go new file mode 100644 index 000000000..acea22efe --- /dev/null +++ b/pkg/fs/file_test.go @@ -0,0 +1,35 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package fs + +import ( + "github.com/stretchr/testify/assert" + "testing" +) + +func TestGetFileType(t *testing.T) { + typ := GetFileType(`_fixtures`, 16777249) + assert.Equal(t, Directory, typ) + + typ = GetFileType(`_fixtures`, 25165857) + assert.Equal(t, Directory, typ) + + typ = GetFileType(`C:\Users\bunny\AppData\Local\Mozilla\Firefox\Profiles\profile1.tmp`, 18874368) + assert.Equal(t, Regular, typ) +} diff --git a/pkg/fs/types.go b/pkg/fs/types.go new file mode 100644 index 000000000..96087a9ff --- /dev/null +++ b/pkg/fs/types.go @@ -0,0 +1,123 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package fs + +// FileDisposition is the alias for the file disposition modes +type FileDisposition uint8 + +const ( + // Supersede dictates that if the file already exists, it is replaced with the given file. Otherwise the file with given name is created. + Supersede FileDisposition = iota + // Open opens the file if it already exists instead of creating a new file. + Open + // Create fails if the file already exists. + Create + // OpenIf opens the file if it already exists or creates a new file otherwise. + OpenIf + // Overwrite opens and overwrites the file if it already exists. Otherwise it fails. + Overwrite + // OverwriteIf opens and overwrites the file is it already exists. Otherwise it creates a new file. + OverwriteIf +) + +// String returns the textual representation of the file disposition. +func (fd FileDisposition) String() string { + switch fd { + case Supersede: + return "supersede" + case Open: + return "open" + case Create: + return "create" + case OpenIf: + return "openif" + case Overwrite: + return "overwrite" + case OverwriteIf: + return "overwriteif" + default: + return "" + } +} + +// FileType is the the type alias for the file type +type FileType uint8 + +const ( + // File represents the file, volume or hard disk device. + Regular FileType = iota + Directory + Pipe + Console + Mailslot + Other + Unknown +) + +// String returns the textual representation of the file type. +func (typ FileType) String() string { + switch typ { + case Regular: + return "file" + case Directory: + return "directory" + case Pipe: + return "pipe" + case Console: + return "console" + case Mailslot: + return "mailslot" + case Other: + return "other" + default: + return "unknown" + } +} + +// FileShareMode designates a type alias for file share mode values +type FileShareMode uint8 + +const ( + // FileShareRead allows threads to gain read access to the file + FileShareRead FileShareMode = 1 + // FileShareWrite allows threads to gain write access to the file + FileShareWrite FileShareMode = 1 << 1 + // FileShareDelete grants threads the possibility to delete files + FileShareDelete FileShareMode = 1 << 2 +) + +// String returns user-friendly representation of the file share mask. +func (shareMode FileShareMode) String() string { + if shareMode == FileShareRead { + return "r--" + } else if shareMode == FileShareWrite { + return "-w-" + } else if shareMode == FileShareDelete { + return "--d" + } else if shareMode&FileShareRead == FileShareRead && shareMode&FileShareWrite == FileShareWrite { + return "rw-" + } else if shareMode&FileShareRead == FileShareRead && shareMode&FileShareDelete == FileShareDelete { + return "r-d" + } else if shareMode&FileShareWrite == FileShareWrite && shareMode&FileShareDelete == FileShareDelete { + return "-wd" + } else if shareMode&FileShareRead == FileShareRead && shareMode&FileShareWrite == FileShareWrite && shareMode&FileShareDelete == FileShareDelete { + return "rwd" + } + return "---" +} diff --git a/pkg/handle/_fixtures/.fibratus b/pkg/handle/_fixtures/.fibratus new file mode 100644 index 000000000..e69de29bb diff --git a/pkg/handle/alpc.go b/pkg/handle/alpc.go new file mode 100644 index 000000000..76da4b24b --- /dev/null +++ b/pkg/handle/alpc.go @@ -0,0 +1,35 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package handle + +import ( + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/rabbitstack/fibratus/pkg/syscall/object" + "unsafe" +) + +// GetAlpcPort get ALPC port information for the specified ALPC handle and process id. +func GetAlpcPort(h handle.Handle) (*htypes.AlpcPortInfo, error) { + buf := make([]byte, 16) + if err := object.GetAlpcInformation(h, object.AlpcBasicPortInfo, buf); err != nil { + return nil, err + } + return (*htypes.AlpcPortInfo)(unsafe.Pointer(&buf[0])), nil +} diff --git a/pkg/handle/key.go b/pkg/handle/key.go new file mode 100644 index 000000000..661e28e58 --- /dev/null +++ b/pkg/handle/key.go @@ -0,0 +1,111 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package handle + +import ( + "expvar" + "github.com/rabbitstack/fibratus/pkg/syscall/registry" + "github.com/rabbitstack/fibratus/pkg/syscall/security" + "strings" + "sync" +) + +const ( + hklmPrefixUppercase = "\\REGISTRY\\MACHINE" + hklmPrefixCapitalized = "\\Registry\\Machine" + hkcrPrefixUppercase = "\\REGISTRY\\MACHINE\\SOFTWARE\\CLASSES" + hkcrPrefixCapitalized = "\\Registry\\Machine\\Software\\Classes" + hkuPrefixUppercase = "\\REGISTRY\\USER" + hkuPrefixCapitalized = "\\Registry\\User" + // hive represents an application hive. Application hives are loaded by user-mode processes via RegLoadAppKey to store application-specific state data. + hive = "\\REGISTRY\\A" +) + +var ( + keys = make([]string, 0) + mux sync.Mutex + once sync.Once + // sidsCount reflects the total count of the resolved SIDs + sidsCount = expvar.NewInt("sids.count") + lookupSids = security.LookupAllSids +) + +// FormatKey produces a root,key tuple from registry native key name. +func FormatKey(key string) (registry.Key, string) { + if strings.HasPrefix(key, hklmPrefixUppercase) || strings.HasPrefix(key, hklmPrefixCapitalized) { + return registry.LocalMachine, subkey(key, hklmPrefixUppercase) + } + + if strings.HasPrefix(key, hkcrPrefixUppercase) || strings.HasPrefix(key, hkcrPrefixCapitalized) { + return registry.ClassesRoot, subkey(key, hkcrPrefixUppercase) + } + + once.Do(func() { initKeys() }) + + if root, k := findSIDKey(key); root != registry.InvalidKey { + return root, k + } + + if strings.HasPrefix(key, hkuPrefixUppercase) || strings.HasPrefix(key, hkuPrefixCapitalized) { + return registry.Users, subkey(key, hkuPrefixUppercase) + } + + if strings.HasPrefix(key, hive) { + return registry.Hive, key + } + + return registry.InvalidKey, key +} + +// initKeys retrieves all security identifiers on the local machine and builds a slice of +// prefixes targeting \\Registry\\User\\ and \\Registry\\User\\\\_Classes keys. +func initKeys() { + sids, err := lookupSids() + if err != nil { + return + } + sidsCount.Add(int64(len(sids))) + mux.Lock() + defer mux.Unlock() + for _, sid := range sids { + user := hkuPrefixUppercase + "\\" + sid + keys = append(keys, user, user+"\\_Classes") + } +} + +func findSIDKey(key string) (registry.Key, string) { + mux.Lock() + defer mux.Unlock() + for _, k := range keys { + if strings.HasPrefix(key, k) { + if strings.Contains(key, "_Classes") { + return registry.CurrentUser, strings.Replace(subkey(key, k), "_Classes", "Software\\Classes", -1) + } + return registry.CurrentUser, subkey(key, k) + } + } + return registry.InvalidKey, key +} + +func subkey(key string, prefix string) string { + if len(key) > len(prefix) { + return key[len(prefix)+1:] + } + return "" +} diff --git a/pkg/handle/key_test.go b/pkg/handle/key_test.go new file mode 100644 index 000000000..130f7c7de --- /dev/null +++ b/pkg/handle/key_test.go @@ -0,0 +1,55 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package handle + +import ( + "github.com/rabbitstack/fibratus/pkg/syscall/registry" + "github.com/stretchr/testify/assert" + "testing" +) + +func init() { + lookupSids = func() ([]string, error) { + return []string{"S-1-5-21-2271034452-2606270099-984871569-500", "S-1-5-21-2271034452-2606270099-984871569-501"}, nil + } +} + +func TestFormatKey(t *testing.T) { + root, key := FormatKey(`\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Windows Workflow Foundation 4.0.0.0\Linkage`) + assert.Equal(t, registry.LocalMachine, root) + assert.Equal(t, `SYSTEM\ControlSet001\Services\Windows Workflow Foundation 4.0.0.0\Linkage`, key) + + root, key = FormatKey(`\Registry\Machine\SYSTEM\ControlSet001\Services\Windows Workflow Foundation 4.0.0.0\Linkage`) + assert.Equal(t, `SYSTEM\ControlSet001\Services\Windows Workflow Foundation 4.0.0.0\Linkage`, key) + + root, key = FormatKey(`\REGISTRY\MACHINE`) + assert.Equal(t, registry.LocalMachine, root) + + root, key = FormatKey(`\REGISTRY\USER\S-1-5-21-2271034452-2606270099-984871569-500\Console`) + assert.Equal(t, registry.CurrentUser, root) + assert.Equal(t, `Console`, key) + + root, key = FormatKey(`\REGISTRY\USER\S-1-5-21-2271034452-2606270099-984871569-500\_Classes`) + assert.Equal(t, registry.CurrentUser, root) + assert.Equal(t, `Software\Classes`, key) + + root, key = FormatKey(`\REGISTRY\USER\S-1-5-21-2271034452-2606270099-984871569-500\_Classes\.all`) + assert.Equal(t, registry.CurrentUser, root) + assert.Equal(t, `Software\Classes\.all`, key) +} diff --git a/pkg/handle/mutant.go b/pkg/handle/mutant.go new file mode 100644 index 000000000..7a0e0c354 --- /dev/null +++ b/pkg/handle/mutant.go @@ -0,0 +1,42 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package handle + +import ( + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/rabbitstack/fibratus/pkg/syscall/object" + "unsafe" +) + +type mutant struct { + count int32 + owned bool + abandoned bool +} + +// GetMutant gets the information about specified mutant handle. +func GetMutant(h handle.Handle) (*htypes.MutantInfo, error) { + buf := make([]byte, 8) + if err := object.QueryMutant(h, object.MutantBasicInfo, buf); err != nil { + return nil, err + } + basicInfo := (*mutant)(unsafe.Pointer(&buf[0])) + return &htypes.MutantInfo{Count: basicInfo.count, IsAbandoned: basicInfo.abandoned}, nil +} diff --git a/pkg/handle/object.go b/pkg/handle/object.go new file mode 100644 index 000000000..c3f39a19b --- /dev/null +++ b/pkg/handle/object.go @@ -0,0 +1,249 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package handle + +import ( + "errors" + "expvar" + "fmt" + errs "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/fs" + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + "github.com/rabbitstack/fibratus/pkg/syscall/file" + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/rabbitstack/fibratus/pkg/syscall/object" + "github.com/rabbitstack/fibratus/pkg/syscall/process" + "github.com/rabbitstack/fibratus/pkg/syscall/registry" + "github.com/rabbitstack/fibratus/pkg/util/typesize" + "os" + "sort" + "unsafe" +) + +var ( + // typeBufSize specifies the size of the object type name buffer + typeBufSize = 512 + // nameBufSize specifies the size of the object name buffer + nameBufSize = 1024 + // typesCount counts the number of resolved object type names + typesCount = expvar.NewInt("handle.types.count") + typeMisses = expvar.NewInt("handle.types.name.misses") +) + +var devMapper = fs.NewDevMapper() + +// ObjectTypeStore holds all object type names as exposed by the Object Manager. The store represents a efficient +// way of resolving object type indices to human-friendly names. +type ObjectTypeStore interface { + FindByID(id uint8) string + RegisterType(id uint8, typ string) + TypeNames() []string +} + +type otstore struct { + types map[uint8]string +} + +// NewObjectTypeStore creates a new object store instance. +func NewObjectTypeStore() ObjectTypeStore { + s := &otstore{ + types: make(map[uint8]string), + } + s.queryTypes() + return s +} + +func (s *otstore) FindByID(id uint8) string { + if typ, ok := s.types[id]; ok { + return typ + } + typeMisses.Add(1) + return "" +} + +func (s *otstore) RegisterType(id uint8, typ string) { + s.types[id] = typ +} + +func (s *otstore) TypeNames() []string { + types := make([]string, 0, len(s.types)) + for _, v := range s.types { + types = append(types, v) + } + sort.Slice(types, func(i, j int) bool { return types[i] < types[j] }) + return types +} + +func (s *otstore) queryTypes() { + bufSize := 8824 + buf := make([]byte, bufSize) + size, err := object.Query(0, object.TypesInformationClass, buf) + if err == errs.ErrNeedsReallocateBuffer { + buf = make([]byte, size) + if _, err = object.Query(0, object.TypesInformationClass, buf); err != nil { + return + } + } + + if err != nil { + return + } + + types := (*object.TypesInformation)(unsafe.Pointer(&buf[0])) + typesCount.Add(int64(types.NumberOfTypes)) + + // heavily influenced by ProcessHacker pointer arithmetic hackery to + // dereference the first and all subsequent file object type instances + // starting from the address of the TypesInformation structure + objectTypeInfo := (*object.TypeInformation)(unsafe.Pointer(s.first(buf))) + for i := 0; i < int(types.NumberOfTypes); i++ { + objectTypeInfo = (*object.TypeInformation)(unsafe.Pointer(s.next(objectTypeInfo))) + s.types[objectTypeInfo.TypeIndex] = objectTypeInfo.TypeName.String() + } +} + +func (s *otstore) first(b []byte) unsafe.Pointer { + return unsafe.Pointer(uintptr(unsafe.Pointer(&b[0])) + (unsafe.Sizeof(object.TypesInformation{})+typesize.Pointer()-1)&^(typesize.Pointer()-1)) +} + +func (s *otstore) next(typ *object.TypeInformation) unsafe.Pointer { + align := (uintptr(typ.TypeName.MaxLength) + typesize.Pointer() - 1) &^ (typesize.Pointer() - 1) + offset := uintptr(unsafe.Pointer(typ)) + unsafe.Sizeof(object.TypeInformation{}) + return unsafe.Pointer(offset + align) +} + +// Duplicate duplicates the handle in the caller process's address space. +func Duplicate(h handle.Handle, pid uint32, access handle.DuplicateAccess) (handle.Handle, error) { + targetPs, err := process.Open(process.DupHandle, false, pid) + if err != nil { + return ^handle.Handle(0), err + } + defer targetPs.Close() + currentPs, err := process.Open(process.DupHandle, false, uint32(os.Getpid())) + if err != nil { + return ^handle.Handle(0), err + } + defer currentPs.Close() + // duplicate the remote handle in the current process's address space. + // Note that for certain handle types this operation might fail + // as they don't permit duplicate operations + dup, err := h.Duplicate(targetPs, currentPs, access) + if err != nil { + return ^handle.Handle(0), fmt.Errorf("couldn't duplicate handle: %v", err) + } + return dup, nil +} + +// QueryType returns the type of the specified handle. +func QueryType(handle handle.Handle) (string, error) { + buffer := make([]byte, typeBufSize) + size, err := object.Query(handle, object.TypeInformationClass, buffer) + if err == errs.ErrNeedsReallocateBuffer { + buffer = make([]byte, size) + if _, err = object.Query(handle, object.TypeInformationClass, buffer); err != nil { + return "", fmt.Errorf("couldn't query handle type after buffer reallocation: %v", err) + } + } + if err != nil { + return "", fmt.Errorf("couldn't query handle type: %v", err) + } + // transform buffer into type information structure and get + // the underlying UNICODE string that identifies handle's type name + typeInfo := (*object.TypeInformation)(unsafe.Pointer(&buffer[0])) + length := typeInfo.TypeName.Length + if length > 0 { + return typeInfo.TypeName.String(), nil + } + return "", errors.New("zero length handle type name encountered") +} + +// QueryName gets the name of the underlying handle reference and extra metadata if it is available. +func QueryName(handle handle.Handle, typ string, withTimeout bool) (string, htypes.Meta, error) { + switch typ { + case File: + if !withTimeout { + return "", nil, nil + } + // delegate the name resolution to the deadlock aware handle timeout + name, err := GetHandleWithTimeout(handle, 500) + if err != nil { + return "", nil, err + } + name = devMapper.Convert(name) + fileInfo := &htypes.FileInfo{IsDirectory: file.IsPathDirectory(name)} + return name, fileInfo, nil + case ALPCPort: + port, err := GetAlpcPort(handle) + if err != nil { + return "", nil, nil + } + return "", port, nil + case Process: + name, err := process.QueryFullImageName(handle) + if err != nil { + return "", nil, nil + } + return name, nil, nil + case Mutant: + mutant, err := GetMutant(handle) + if err != nil { + return "", nil, nil + } + return "", mutant, nil + default: + name, err := queryObjectName(handle) + if err != nil { + return "", nil, err + } + switch typ { + case Key: + key, subkey := FormatKey(name) + rootKey := key.String() + if key == registry.InvalidKey { + return name, nil, nil + } + if subkey != "" { + return rootKey + "\\" + subkey, nil, nil + } + return key.String(), nil, nil + default: + return name, nil, nil + } + } +} + +func queryObjectName(handle handle.Handle) (string, error) { + buffer := make([]byte, nameBufSize) + size, err := object.Query(handle, object.NameInformationClass, buffer) + if err == errs.ErrNeedsReallocateBuffer { + buffer = make([]byte, size) + if _, err = object.Query(handle, object.NameInformationClass, buffer); err != nil { + return "", fmt.Errorf("couldn't query handle name after buffer reallocation: %v", err) + } + } + if err != nil { + return "", fmt.Errorf("couldn't query handle name: %v", err) + } + nameInfo := (*object.NameInformation)(unsafe.Pointer(&buffer[0])) + length := nameInfo.ObjectName.Length + if length > 0 { + return nameInfo.ObjectName.String(), nil + } + return "", nil +} diff --git a/pkg/handle/object_test.go b/pkg/handle/object_test.go new file mode 100644 index 000000000..19e022bfe --- /dev/null +++ b/pkg/handle/object_test.go @@ -0,0 +1,108 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package handle + +import ( + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/rabbitstack/fibratus/pkg/syscall/process" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "os" + "path/filepath" + "syscall" + "testing" + "unsafe" +) + +var ( + modkernel32 = syscall.NewLazyDLL("kernel32.dll") + + procCreateNamedPipeW = modkernel32.NewProc("CreateNamedPipeW") +) + +func createNamedPipe(name *uint16, openMode uint32, pipeMode uint32, maxInstances uint32, outBufSize uint32, inBufSize uint32, defaultTimeout uint32, sa *syscall.SecurityAttributes) (handle syscall.Handle, err error) { + r0, _, e1 := syscall.Syscall9(procCreateNamedPipeW.Addr(), 8, uintptr(unsafe.Pointer(name)), uintptr(openMode), uintptr(pipeMode), uintptr(maxInstances), uintptr(outBufSize), uintptr(inBufSize), uintptr(defaultTimeout), uintptr(unsafe.Pointer(sa)), 0) + handle = syscall.Handle(r0) + if handle == syscall.InvalidHandle { + if e1 != 0 { + err = error(e1) + } else { + err = syscall.EINVAL + } + } + return +} + +// createPipe is mainly borrowed from: https://github.com/natefinch/npipe for testing purposes. +func createPipe(address string, first bool) (syscall.Handle, error) { + n, err := syscall.UTF16PtrFromString(address) + if err != nil { + return 0, err + } + mode := uint32(0x3 | syscall.FILE_FLAG_OVERLAPPED) + if first { + mode |= 0x00080000 + } + return createNamedPipe(n, + mode, + 0x0, + 255, + 512, 512, 0, nil) +} + +func TestQueryAllObjectTypes(t *testing.T) { + otstore := NewObjectTypeStore() + require.Contains(t, otstore.TypeNames(), "Directory") + require.Contains(t, otstore.TypeNames(), "Key") +} + +func TestQueryType(t *testing.T) { + h, err := process.Open(process.QueryInformation, false, uint32(os.Getpid())) + require.NoError(t, err) + defer h.Close() + typeName, err := QueryType(h) + require.NoError(t, err) + assert.Equal(t, Process, typeName) +} + +func TestQueryTypeSmallBuffer(t *testing.T) { + typeBufSize = 25 + h, err := process.Open(process.QueryInformation, false, uint32(os.Getpid())) + require.NoError(t, err) + typeName, err := QueryType(h) + assert.Equal(t, Process, typeName) +} + +func TestQueryNameFileHandle(t *testing.T) { + f, err := syscall.Open("_fixtures/.fibratus", syscall.O_RDONLY, syscall.S_ISUID) + require.NoError(t, err) + defer syscall.Close(f) + handleName, _, err := QueryName(handle.Handle(f), File, false) + require.NoError(t, err) + assert.Equal(t, ".fibratus", filepath.Base(handleName)) +} + +func TestQueryNamedPipe(t *testing.T) { + h, err := createPipe(`\\.\pipe\fibratus`, true) + require.NoError(t, err) + defer syscall.Close(h) + handleName, _, err := QueryName(handle.Handle(h), File, true) + require.NoError(t, err) + assert.Equal(t, `\Device\NamedPipe\fibratus`, handleName) +} diff --git a/pkg/handle/snapshotter.go b/pkg/handle/snapshotter.go new file mode 100644 index 000000000..2842ec07f --- /dev/null +++ b/pkg/handle/snapshotter.go @@ -0,0 +1,414 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package handle + +import ( + "expvar" + "fmt" + "github.com/rabbitstack/fibratus/pkg/config" + errs "github.com/rabbitstack/fibratus/pkg/errors" + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/rabbitstack/fibratus/pkg/syscall/object" + "github.com/rabbitstack/fibratus/pkg/syscall/process" + "github.com/rabbitstack/fibratus/pkg/syscall/sys" + log "github.com/sirupsen/logrus" + "os" + "strconv" + "sync" + "time" + "unsafe" +) + +var ( + globalBufferSize = 4096 + bufferSize = 1024 + + handleNameQueryFailures = expvar.NewMap("handle.name.query.failures") + handleSnapshotCount = expvar.NewInt("handle.snapshot.count") + handleSnapshotBytes = expvar.NewInt("handle.snapshot.bytes") + + currentPid = uint32(os.Getpid()) +) + +// CreateCallback defines the function that is triggered when new handle is conceived +type CreateCallback func(pid uint32, handle htypes.Handle) + +// DestroyCallback defines the function signature that is fired upon handle's destruction +type DestroyCallback func(pid uint32, num handle.Handle) + +// SnapshotBuildCompleted is the function type for snapshot completed signal +type SnapshotBuildCompleted func(total uint64, withName uint64) + +// Snapshotter keeps the system-wide snapshot of allocated handles always when handle kernel events are enabled or +// supported on the target system. It also provides facilities for obtaining a list of handles pertaining to the specific +// process. +type Snapshotter interface { + // Write updates the snapshotter state by storing a new entry for the inbound create handle event. It also notifies + // the registered callback that a new handle has been created. + Write(kevt *kevent.Kevent) error + // Remove destroys the handle state for the specified handle object. The removal callback is triggered when an item + // is deleted from the store. + Remove(kevt *kevent.Kevent) error + // FindHandles returns a list of all known handles for the specified process identifier. + FindHandles(pid uint32) ([]htypes.Handle, error) + // FindByObject returns the handle for the given handle object reference. + FindByObject(object uint64) (htypes.Handle, bool) + // RegisterCreateCallback registers a function that's triggered when new handle is created. + RegisterCreateCallback(fn CreateCallback) + // RegisterDestroyCallback registers a function that's called when existing handle is disposed. + RegisterDestroyCallback(fn DestroyCallback) + // GetSnapshot returns all the handles present in the snapshotter state. + GetSnapshot() []htypes.Handle +} + +type snapshotter struct { + sync.Mutex + handlesByObject map[uint64]htypes.Handle + hc chan htypes.Handle + hdone chan struct{} + config *config.Config + snapshotBuildCompleted SnapshotBuildCompleted + createCallback CreateCallback + destroyCallback DestroyCallback + store ObjectTypeStore + housekeepTick *time.Ticker + initSnap bool + capture bool +} + +// NewSnapshotter constructs a new instance of the handle snapshotter. If `SnapshotBuildCompleted` function is provided +// it will receive the total number of discovered handles as well as the count of the non-nameless handles. +func NewSnapshotter(config *config.Config, fn SnapshotBuildCompleted) Snapshotter { + s := &snapshotter{ + hc: make(chan htypes.Handle), + hdone: make(chan struct{}, 1), + handlesByObject: make(map[uint64]htypes.Handle), + snapshotBuildCompleted: fn, + config: config, + store: NewObjectTypeStore(), + housekeepTick: time.NewTicker(time.Minute), + initSnap: config.InitHandleSnapshot, + } + + if s.initSnap { + go s.consumeHandles() + go s.initSnapshot() + go s.housekeeping() + } else { + if fn != nil { + fn(0, 0) + } + } + + return s +} + +func NewFromKcap(handles []htypes.Handle) Snapshotter { + handlesByObject := make(map[uint64]htypes.Handle) + for _, h := range handles { + handlesByObject[h.Object] = h + } + return &snapshotter{ + handlesByObject: handlesByObject, + capture: true, + } +} + +func (s *snapshotter) FindByObject(object uint64) (htypes.Handle, bool) { + s.Lock() + defer s.Unlock() + if h, ok := s.handlesByObject[object]; ok { + return h, ok + } + return htypes.Handle{}, false +} + +func (s *snapshotter) FindHandles(pid uint32) ([]htypes.Handle, error) { + if pid == currentPid || pid == 0 { // ignore current and idle processes + return []htypes.Handle{}, nil + } + if s.capture { + handles := make([]htypes.Handle, 0) + s.Lock() + defer s.Unlock() + for _, h := range s.handlesByObject { + if h.Pid == pid { + handles = append(handles, h) + } + } + return handles, nil + } + ps, err := process.Open(process.QueryInformation, false, pid) + if err != nil { + // trying to obtain the handle with `QueryInformation` access on a protected + // process will always fail, so our best effort is to collect handles for those + // processes in the snapshot's state + handles := make([]htypes.Handle, 0) + s.Lock() + defer s.Unlock() + for _, h := range s.handlesByObject { + if h.Pid == pid && h.Type != "" { + handles = append(handles, h) + } + } + return handles, nil + } + defer ps.Close() + buf := make([]byte, bufferSize) + n, err := process.QueryInfo(ps, process.HandleInformationClass, buf) + if err == errs.ErrNeedsReallocateBuffer { + buf = make([]byte, n) + _, err = process.QueryInfo(ps, process.HandleInformationClass, buf) + } + if err != nil { + return nil, fmt.Errorf("unable to query handles for process id %d: %v", pid, err) + } + + snapshot := (*object.ProcessHandleSnapshotInformation)(unsafe.Pointer(&buf[0])) + + // enumerate process's handles and try to resolve + // the type and the name of each allocated handle + handles := make([]htypes.Handle, 0) + count := snapshot.NumberOfHandles + sysHandles := (*[1 << 30]object.ProcessHandleTableEntryInfo)(unsafe.Pointer(&snapshot.Handles[0]))[:count:count] + + for _, sh := range sysHandles { + h, err := s.getHandle(sh.Handle, 0, uint8(sh.ObjectTypeIndex), pid, false) + if err != nil { + continue + } + // ignore file handles since we can't get the file name... + if h.Type == File && h.Name == "" { + continue + } + handles = append(handles, h) + } + + return handles, nil +} + +// initSnapshot builds the initial snapshot state by enumerating system-wide handles. +func (s *snapshotter) initSnapshot() { + size := globalBufferSize + buf := make([]byte, size) + for { + _, err := sys.QuerySystemInformation(object.SystemExtendedHandleInformation, buf) + if err == errs.ErrNeedsReallocateBuffer { + size *= 2 + buf = make([]byte, size) + } else if err == nil { + sysHandleInfo := (*object.SystemHandleInformationEx)(unsafe.Pointer(&buf[0])) + count := int(sysHandleInfo.NumberOfHandles) + sysHandles := (*[1 << 30]object.SystemHandleTableEntryInfoEx)(unsafe.Pointer(&sysHandleInfo.Handles[0]))[:count:count] + + // iterate through available handles to get extended info + // and send handle structure instances to the channel + for _, sysHandle := range sysHandles { + pid := sysHandle.ProcessID + if pid == uintptr(currentPid) { + continue + } + h, err := s.getHandle(sysHandle.Handle, sysHandle.Object, sysHandle.ObjectTypeIndex, uint32(pid), true) + if err != nil || h.Type == "" { + continue + } + s.hc <- h + } + s.hdone <- struct{}{} + break + } else { + log.Warnf("couldn't enumerate system-wide handles: %v", err) + break + } + } +} + +func (s *snapshotter) getHandle(rawHandle handle.Handle, obj uint64, typeIndex uint8, pid uint32, withTimeout bool) (htypes.Handle, error) { + typ := s.store.FindByID(typeIndex) + if typ == "" { + dup, err := Duplicate(rawHandle, pid, handle.AllAccess) + if err != nil { + return htypes.Handle{Num: rawHandle, Object: obj}, nil + } + defer dup.Close() + typ, err = QueryType(dup) + if err != nil { + return htypes.Handle{Num: rawHandle, Object: obj}, nil + } + } + h := htypes.Handle{ + Num: rawHandle, + Object: obj, + Type: typ, + Pid: pid, + } + // use the required duplicate access to query handle name + var dupAccess handle.DuplicateAccess + switch typ { + case ALPCPort: + dupAccess = handle.ReadControlAccess + case Process: + dupAccess = handle.ProcessQueryAccess + case Mutant: + dupAccess = handle.SemaQueryAccess + default: + dupAccess = handle.AllAccess + } + dup, err := Duplicate(rawHandle, pid, dupAccess) + if err != nil { + return h, err + } + defer dup.Close() + h.Name, h.MD, err = QueryName(dup, typ, withTimeout) + if err != nil { + // even though we weren't able to query handle name we still + // return handle info with handle type and other metadata + handleNameQueryFailures.Add(strconv.Itoa(int(pid)), 1) + return h, nil + } + return h, nil +} + +func (s *snapshotter) consumeHandles() { + for { + select { + case h := <-s.hc: + s.Lock() + handleSnapshotCount.Add(1) + handleSnapshotBytes.Add(int64(h.Len())) + s.handlesByObject[h.Object] = h + s.Unlock() + case <-s.hdone: + log.Debug("initial handle enumeration has finalized") + s.Lock() + var withName uint64 + for _, h := range s.handlesByObject { + if h.Name != "" { + withName++ + } + if s.createCallback != nil && h.Type == File { + // for safety reasons related to deadlocks we are skipping file handles + // for Enum/Create process events, we'll send these handles after initial + // system-wide scan has completed + if h.Name != "" { + s.createCallback(h.Pid, h) + } + } + } + s.Unlock() + if s.snapshotBuildCompleted != nil { + s.snapshotBuildCompleted(uint64(len(s.handlesByObject)), withName) + } + return + } + } +} + +func (s *snapshotter) housekeeping() { + for { + <-s.housekeepTick.C + + size := globalBufferSize + buf := make([]byte, size) + loop: + for { + _, err := sys.QuerySystemInformation(object.SystemExtendedHandleInformation, buf) + if err == errs.ErrNeedsReallocateBuffer { + size *= 2 + buf = make([]byte, size) + } else if err == nil { + sysHandleInfo := (*object.SystemHandleInformationEx)(unsafe.Pointer(&buf[0])) + count := int(sysHandleInfo.NumberOfHandles) + sysHandles := (*[1 << 30]object.SystemHandleTableEntryInfoEx)(unsafe.Pointer(&sysHandleInfo.Handles[0]))[:count:count] + + s.Lock() + for _, sysHandle := range sysHandles { + if h, ok := s.handlesByObject[sysHandle.Object]; !ok { + handleSnapshotCount.Add(-1) + handleSnapshotBytes.Add(-int64(h.Len())) + delete(s.handlesByObject, sysHandle.Object) + } + } + s.Unlock() + + break loop + } else { + log.Warnf("couldn't get system-wide handles in housekeeping timer: %v", err) + break loop + } + } + } +} + +func (s *snapshotter) RegisterCreateCallback(fn CreateCallback) { + s.createCallback = fn +} + +func (s *snapshotter) RegisterDestroyCallback(fn DestroyCallback) { + s.destroyCallback = fn +} + +func (s *snapshotter) GetSnapshot() []htypes.Handle { + handles := make([]htypes.Handle, 0, len(s.handlesByObject)) + for _, h := range s.handlesByObject { + handles = append(handles, h) + } + return handles +} + +func (s *snapshotter) Write(kevt *kevent.Kevent) error { + if kevt.Type != ktypes.CreateHandle { + return fmt.Errorf("expected CreateHandle kernel event but got %s", kevt.Type) + } + h := unwrapHandle(kevt) + obj, err := kevt.Kparams.GetHexAsUint64(kparams.HandleObject) + if err != nil { + return err + } + s.Lock() + s.handlesByObject[obj] = h + s.Unlock() + return nil +} + +func (s *snapshotter) Remove(kevt *kevent.Kevent) error { + if kevt.Type != ktypes.CloseHandle { + return fmt.Errorf("expected CloseHandle kernel event but got %s", kevt.Type) + } + obj, err := kevt.Kparams.GetHexAsUint64(kparams.HandleObject) + if err != nil { + return err + } + s.Lock() + delete(s.handlesByObject, obj) + s.Unlock() + return nil +} + +func unwrapHandle(kevt *kevent.Kevent) htypes.Handle { + h := htypes.Handle{} + h.Type, _ = kevt.Kparams.GetString(kparams.HandleObjectTypeName) + h.Object, _ = kevt.Kparams.GetHexAsUint64(kparams.HandleObject) + h.Name, _ = kevt.Kparams.GetString(kparams.HandleObjectName) + return h +} diff --git a/pkg/handle/snapshotter_mock.go b/pkg/handle/snapshotter_mock.go new file mode 100644 index 000000000..3b864f4ab --- /dev/null +++ b/pkg/handle/snapshotter_mock.go @@ -0,0 +1,42 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package handle + +import ( + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/stretchr/testify/mock" +) + +type SnapshotterMock struct { + mock.Mock +} + +func (s *SnapshotterMock) Write(kevt *kevent.Kevent) error { return nil } +func (s *SnapshotterMock) Remove(kevt *kevent.Kevent) error { return nil } +func (s *SnapshotterMock) FindHandles(pid uint32) ([]htypes.Handle, error) { return nil, nil } +func (s *SnapshotterMock) FindByObject(object uint64) (htypes.Handle, bool) { + return htypes.Handle{}, false +} +func (s *SnapshotterMock) RegisterCreateCallback(fn CreateCallback) {} +func (s *SnapshotterMock) RegisterDestroyCallback(fn DestroyCallback) {} +func (s *SnapshotterMock) GetSnapshot() []htypes.Handle { + handles := s.Called() + return handles.Get(0).([]htypes.Handle) +} diff --git a/pkg/handle/snapshotter_test.go b/pkg/handle/snapshotter_test.go new file mode 100644 index 000000000..0ef809650 --- /dev/null +++ b/pkg/handle/snapshotter_test.go @@ -0,0 +1,45 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package handle + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/config" + "github.com/stretchr/testify/require" + "testing" +) + +func TestInitSnapshot(t *testing.T) { + ch := make(chan bool) + snap := NewSnapshotter(&config.Config{}, func(total, known uint64) { + ch <- true + }) + require.NotNil(t, snap) + <-ch +} + +func TestFindHandles(t *testing.T) { + snap := NewSnapshotter(&config.Config{}, nil) + handles, err := snap.FindHandles(uint32(6716)) + require.NoError(t, err) + require.NotEmpty(t, handles) + for _, h := range handles { + fmt.Println(h) + } +} diff --git a/pkg/handle/timeout.go b/pkg/handle/timeout.go new file mode 100644 index 000000000..f5a889641 --- /dev/null +++ b/pkg/handle/timeout.go @@ -0,0 +1,122 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package handle + +import ( + "errors" + "expvar" + "fmt" + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/rabbitstack/fibratus/pkg/syscall/object" + "github.com/rabbitstack/fibratus/pkg/syscall/thread" + "sync/atomic" + "syscall" +) + +var ( + threadHandle handle.Handle + rawHandle atomic.Value + ini object.Event + done object.Event + name string + + waitTimeoutCounts = expvar.NewInt("handle.wait.timeouts") +) + +func init() { + ini, _ = object.NewEvent(false, false) + done, _ = object.NewEvent(false, false) +} + +// GetHandleWithTimeout is in charge of resolving handle names on handle instances that are under the risk +// of producing a deadlock, and thus hanging the caller thread. To prevent this kind of unwanted scenarios, +// deadlock aware timeout calls into `NtQueryObject` in a separate native thread. The thread is reused across +// invocations as it is blocked waiting to be signaled by an event, but the query thread also signals back the main +// thread after completion of the `NtQueryObject` call. If the query thread doesn't notify the main thread after a prudent +// timeout, then the query thread is killed. Subsequent calls for handle name resolution will recreate the thread in case +// of it not being alive. +func GetHandleWithTimeout(handle handle.Handle, timeout uint32) (string, error) { + if threadHandle == 0 { + if err := ini.Reset(); err != nil { + return "", fmt.Errorf("couldn't reset init event: %v", err) + } + if err := done.Reset(); err != nil { + return "", fmt.Errorf("couldn't reset done event: %v", err) + } + h, _, err := thread.Create(nil, syscall.NewCallback(cb)) + if err != nil { + return "", fmt.Errorf("cannot create handle query thread: %v", err) + } + threadHandle = h + } + + rawHandle.Store(handle) + + if err := ini.Set(); err != nil { + return "", err + } + + switch s, _ := syscall.WaitForSingleObject(syscall.Handle(done), timeout); s { + case syscall.WAIT_OBJECT_0: + return name, nil + case syscall.WAIT_TIMEOUT: + waitTimeoutCounts.Add(1) + // kill the thread and wait for its termination to orderly cleanup resources + if err := thread.Terminate(threadHandle, 0); err != nil { + return "", fmt.Errorf("unable to terminate timeout thread: %v", err) + } + if _, err := syscall.WaitForSingleObject(syscall.Handle(threadHandle), timeout); err != nil { + return "", fmt.Errorf("failed awaiting timeout thread termination: %v", err) + } + threadHandle = 0 + threadHandle.Close() + + return "", errors.New("couldn't resolve handle name due to timeout") + } + return "", nil +} + +// CloseTimeout releases handle timeut resources. +func CloseTimeout() error { + if err := ini.Close(); err != nil { + return done.Close() + } + threadHandle.Close() + return done.Close() +} + +func cb(ctx uintptr) uintptr { + for { + s, err := syscall.WaitForSingleObject(syscall.Handle(ini), syscall.INFINITE) + if err != nil || s != syscall.WAIT_OBJECT_0 { + break + } + name, err = queryObjectName(rawHandle.Load().(handle.Handle)) + if err != nil { + if err := done.Set(); err != nil { + break + } + continue + } + if err := done.Set(); err != nil { + break + } + } + return 0 +} diff --git a/pkg/handle/timeout_test.go b/pkg/handle/timeout_test.go new file mode 100644 index 000000000..c6f8c419d --- /dev/null +++ b/pkg/handle/timeout_test.go @@ -0,0 +1,30 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package handle + +import ( + "github.com/stretchr/testify/require" + "testing" +) + +func TestTimeout(t *testing.T) { + deadlockTimeout, err := GetHandleWithTimeout(1, 500) + require.NoError(t, err) + require.NotNil(t, deadlockTimeout) +} diff --git a/pkg/handle/types.go b/pkg/handle/types.go new file mode 100644 index 000000000..fe2f64299 --- /dev/null +++ b/pkg/handle/types.go @@ -0,0 +1,72 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package handle + +const ( + // ALPCPort represents the ALPC (Advanced Local Procedure Call) object ports + ALPCPort = "ALPC Port" + // Directory designates directory objects. They exist only within the object manager scope and do not correspond to any directory on the disk. + Directory = "Directory" + EtwRegistration = "EtwRegistration" + EtwConsumer = "EtwConsumer" + Event = "Event" + // File designates file handles (e.g. pipe, device, mailslot) + File = "File" + Key = "Key" + Job = "Job" + WaitCompletionPacket = "WaitCompletionPacket" + IRTimer = "IRTimer" + TpWorkerFactory = "TpWorkerFactory" + IoCompletion = "IoCompletion" + Thread = "Thread" + Semaphore = "Semaphore" + Section = "Section" + Mutant = "Mutant" + Desktop = "Desktop" + WindowStation = "WindowStation" + Token = "Token" + UserApcReserve = "UserApcReserve" + + Process = "Process" + Unknown = "Unknown" +) + +// GetShortName returns the short name for the handle type. +func GetShortName(typ string) string { + switch typ { + case ALPCPort: + return "alpc" + case Directory: + return "d" + case EtwRegistration: + return "etwr" + case Event: + return "e" + case File: + return "f" + case Process: + return "ps" + case Section: + return "sec" + case Semaphore: + return "sem" + default: + return Unknown + } +} diff --git a/pkg/handle/types/marshaller.go b/pkg/handle/types/marshaller.go new file mode 100644 index 000000000..50f34b92f --- /dev/null +++ b/pkg/handle/types/marshaller.go @@ -0,0 +1,166 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package types + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/rabbitstack/fibratus/pkg/util/bytes" + "unsafe" +) + +// md is the type alias for the metadata type +type md uint8 + +const ( + alpcport md = iota + 1 + mutant + file + unknown + none +) + +// Offset returns the next offset from which to read the binary data. +func (h Handle) Offset() uint16 { + offset := 8 + 8 + 4 + 2 + uint16(len(h.Type)) + 2 + uint16(len(h.Name)) + 1 + if h.MD != nil { + switch h.MD.(type) { + case *AlpcPortInfo: + offset += 16 + case *MutantInfo: + offset += 5 + case *FileInfo: + offset += 1 + } + } + return offset +} + +// Marshal dumps the state of the handle to byte slice that is suitable for serializing to kcap file. +func (h *Handle) Marshal() []byte { + b := make([]byte, 0) + + // write handle id, object address and the pid that owns this handle + b = append(b, bytes.WriteUint64(uint64(h.Num))...) + b = append(b, bytes.WriteUint64(h.Object)...) + b = append(b, bytes.WriteUint32(h.Pid)...) + + // write handle type and name + b = append(b, bytes.WriteUint16(uint16(len(h.Type)))...) + b = append(b, h.Type...) + + b = append(b, bytes.WriteUint16(uint16(len(h.Name)))...) + b = append(b, h.Name...) + + // write handle metadata + if h.MD != nil { + switch meta := h.MD.(type) { + case *AlpcPortInfo: + b = append(b, byte(alpcport)) + b = append(b, bytes.WriteUint32(meta.Flags)...) + b = append(b, bytes.WriteUint32(meta.Seqno)...) + b = append(b, bytes.WriteUint64(uint64(meta.Context))...) + case *MutantInfo: + b = append(b, byte(mutant)) + b = append(b, bytes.WriteUint32(uint32(meta.Count))...) + if meta.IsAbandoned { + b = append(b, 1) + } else { + b = append(b, 0) + } + case *FileInfo: + b = append(b, byte(file)) + if meta.IsDirectory { + b = append(b, 1) + } else { + b = append(b, 0) + } + default: + b = append(b, byte(unknown)) + } + } else { + b = append(b, byte(none)) + } + + return b +} + +// Unmarshal transforms the byte slice back to handle structure. +func (h *Handle) Unmarshal(b []byte) error { + if len(b) < 20 { + return fmt.Errorf("expected at least 20 bytes but got %d bytes", len(b)) + } + + // read handle identifier + h.Num = handle.Handle(bytes.ReadUint64(b[0:])) + // read object address + h.Object = bytes.ReadUint64(b[8:]) + // read pid + h.Pid = bytes.ReadUint32(b[16:]) + + // read handle type and name + l := bytes.ReadUint16(b[20:]) + buf := b[22:] + offset := l + if len(buf) > 0 { + h.Type = string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l]) + } + + l = bytes.ReadUint16(b[22+offset:]) + buf = b[24+offset:] + offset += l + if len(buf) > 0 { + h.Name = string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l]) + } + + typ := md(b[24+offset]) + if typ == none { + return nil + } + + switch typ { + case alpcport: + alpcPort := &AlpcPortInfo{ + Flags: bytes.ReadUint32(b[25+offset:]), + Seqno: bytes.ReadUint32(b[29+offset:]), + Context: uintptr(bytes.ReadUint64(b[33+offset:])), + } + h.MD = alpcPort + case mutant: + mut := &MutantInfo{ + Count: int32(bytes.ReadUint32(b[25+offset:])), + IsAbandoned: utob(b[29+offset]), + } + h.MD = mut + case file: + f := &FileInfo{ + IsDirectory: utob(b[25+offset]), + } + h.MD = f + } + + return nil +} + +func utob(u uint8) bool { + if u > 0 { + return true + } + return false +} diff --git a/pkg/handle/types/marshaller_test.go b/pkg/handle/types/marshaller_test.go new file mode 100644 index 000000000..fa5c23803 --- /dev/null +++ b/pkg/handle/types/marshaller_test.go @@ -0,0 +1,72 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package types + +import ( + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "testing" +) + +func TestMarshaller(t *testing.T) { + h := Handle{ + Num: handle.Handle(0xffffd105e9baaf70), + Name: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, + Type: "Key", + Object: 777488883434455544, + Pid: uint32(1023), + } + buf := h.Marshal() + + clone := Handle{} + err := clone.Unmarshal(buf) + require.NoError(t, err) + + assert.Equal(t, handle.Handle(18446692422059208560), clone.Num) + assert.Equal(t, "Key", clone.Type) + assert.Equal(t, `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, clone.Name) + assert.Equal(t, uint32(1023), clone.Pid) + assert.Equal(t, uint64(777488883434455544), clone.Object) + + h = Handle{ + Num: handle.Handle(0xefffd105e9adaf70), + Name: `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, + Type: "ALPC Port", + Pid: uint32(1023), + MD: &AlpcPortInfo{ + Seqno: 1, + Context: 0x0, + Flags: 0x0, + }, + } + buf = h.Marshal() + + err = clone.Unmarshal(buf) + require.NoError(t, err) + + assert.Equal(t, handle.Handle(0xefffd105e9adaf70), clone.Num) + assert.Equal(t, "ALPC Port", clone.Type) + assert.Equal(t, `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, clone.Name) + assert.Equal(t, uint32(1023), clone.Pid) + assert.NotNil(t, clone.MD) + assert.IsType(t, &AlpcPortInfo{}, clone.MD) + alpcPortInfo := clone.MD.(*AlpcPortInfo) + assert.Equal(t, uint32(1), alpcPortInfo.Seqno) +} diff --git a/pkg/handle/types/types.go b/pkg/handle/types/types.go new file mode 100644 index 000000000..aefb68e19 --- /dev/null +++ b/pkg/handle/types/types.go @@ -0,0 +1,105 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package types + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "strings" +) + +// Meta represents the type alias for handle meta information +type Meta interface{} + +// Handles represents a collection of handles. +type Handles []Handle + +// Handle stores various metadata specific to the handle allocated by a process. +type Handle struct { + // Num represents the internal handle identifier. + Num handle.Handle `json:"id"` + // Object is the kernel address that this handle references. + Object uint64 `json:"object"` + // Pid represents the process's identifier that owns the handle. + Pid uint32 `json:"-"` + // Type is the type of this handle (e.g. File, Key, Mutant, Section) + Type string `json:"type"` + // Name is the actual value of the handle (e.g. \Device\HarddiskVolume4\Windows\Temp\DPTF) + Name string `json:"name"` + // MD is the handle meta information (e.g. ALPC port info) + MD Meta `json:"meta,omitempty"` +} + +// String returns a string representation of the handle. +func (h Handle) String() string { + return fmt.Sprintf("Num: %d Type: %s, Name: %s, Object: 0x%x, PID: %d", h.Num, h.Type, h.Name, h.Object, h.Pid) +} + +// Len returns the length in bytes of the Handle structure. +func (h Handle) Len() int { + l := 8 + 8 + 4 + len(h.Type) + len(h.Name) + if h.MD != nil { + switch h.MD.(type) { + case *AlpcPortInfo: + l += 16 + case *MutantInfo: + l += 5 + case *FileInfo: + l += 1 + } + } + return l +} + +// NewFromKcap restores handle state from the kcap buffer. +func NewFromKcap(buf []byte) (Handle, error) { + h := Handle{} + err := h.Unmarshal(buf) + if err != nil { + return Handle{}, err + } + return h, nil +} + +// AlpcPortInfo stores ALPC port basic information. +type AlpcPortInfo struct { + Flags uint32 + Seqno uint32 + Context uintptr +} + +// MutantInfo stores metadata about particular mutant object. +type MutantInfo struct { + Count int32 + IsAbandoned bool +} + +// FileInfo contains file handle metadata. +type FileInfo struct { + IsDirectory bool +} + +// String returns the string representation of all handles. +func (handles Handles) String() string { + var sb strings.Builder + for _, h := range handles { + sb.WriteString(h.String() + " | ") + } + return strings.TrimSuffix(sb.String(), " | ") +} diff --git a/pkg/kcap/_fixtures/cap.kcap b/pkg/kcap/_fixtures/cap.kcap new file mode 100644 index 000000000..369b2152b Binary files /dev/null and b/pkg/kcap/_fixtures/cap.kcap differ diff --git a/pkg/kcap/_fixtures/cap1.kcap b/pkg/kcap/_fixtures/cap1.kcap new file mode 100644 index 000000000..ae42c1715 Binary files /dev/null and b/pkg/kcap/_fixtures/cap1.kcap differ diff --git a/pkg/kcap/config.go b/pkg/kcap/config.go new file mode 100644 index 000000000..bf63f3655 --- /dev/null +++ b/pkg/kcap/config.go @@ -0,0 +1,26 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kcap + +import "time" + +// Config stores options that influences the behaviour of the kernel capture reader/writer. +type Config struct { + FlushPeriod time.Duration +} diff --git a/pkg/kcap/header.go b/pkg/kcap/header.go new file mode 100644 index 000000000..69332424f --- /dev/null +++ b/pkg/kcap/header.go @@ -0,0 +1,51 @@ +// +build kcap + +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kcap + +import ( + "github.com/rabbitstack/fibratus/pkg/kcap/section" + kcapver "github.com/rabbitstack/fibratus/pkg/kcap/version" +) + +// magic has two purposes. It is used to identify kcap files. The magic is stored within the first 8 bytes of the file. +// The reader ensures the magic number matches this constant. Besides identifying the capture file, it serves as an +// input for initializing the byte order on the machine where kcap file is read. This implies capture can be taken on a +// machine with different endianness from the one capture is replayed. +const magic = 0x6669627261747573 + +// major represents the major digit of the kcap file format. Incrementing the major digit makes older kcap readers not +// capable to replay the capture file. +const major = uint8(1) + +// minor represents the minor digit of the kcap file format +const minor = uint8(0) + +// flags denotes extra flags for the purpose of the header description +const flags = uint64(0) + +// ws writes the section block with the specified parameters. +func (w *writer) ws(typ section.Type, ver kcapver.Version, l, size uint32) error { + sec := section.New(typ, ver, l, size) + if _, err := w.zw.Write(sec[:]); err != nil { + return errWriteSection(typ, err) + } + return nil +} diff --git a/pkg/kcap/reader.go b/pkg/kcap/reader.go new file mode 100644 index 000000000..c335f1c3e --- /dev/null +++ b/pkg/kcap/reader.go @@ -0,0 +1,254 @@ +// +build kcap + +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kcap + +import ( + "context" + "errors" + "expvar" + "fmt" + "github.com/rabbitstack/fibratus/pkg/config" + "github.com/rabbitstack/fibratus/pkg/filter" + "github.com/rabbitstack/fibratus/pkg/handle" + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + "github.com/rabbitstack/fibratus/pkg/kcap/section" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/rabbitstack/fibratus/pkg/ps" + "github.com/rabbitstack/fibratus/pkg/util/bytes" + log "github.com/sirupsen/logrus" + zstd "github.com/valyala/gozstd" + "io" + "os" + "path/filepath" +) + +var ( + errKcapMagicMismatch = errors.New("invalid kcap file magic number") + errMajorVer = errors.New("incompatible kcap version format. Please upgrade Fibratus to newer version") + errReadVersion = func(s string, err error) error { return fmt.Errorf("couldn't read %s version digit: %v", s, err) } + errReadSection = func(s section.Type, err error) error { return fmt.Errorf("couldn't read %s section: %v", s, err) } + + kcapReadKevents = expvar.NewInt("kcap.read.kevents") + kcapDroppedKevents = expvar.NewInt("kcap.dropped.kevents") + kcapReadBytes = expvar.NewInt("kcap.read.bytes") + kcapKeventUnmarshalErrors = expvar.NewInt("kcap.kevent.unmarshal.errors") + kcapHandleUnmarshalErrors = expvar.NewInt("kcap.reader.handle.unmarshal.errors") + kcapDroppedByFilter = expvar.NewInt("kcap.reader.dropped.by.filter") +) + +type reader struct { + zr *zstd.Reader + f *os.File + psnapshotter ps.Snapshotter + hsnapshotter handle.Snapshotter + filter filter.Filter + config *config.Config +} + +// NewReader builds a new instance of the kcap reader. +func NewReader(filename string, config *config.Config) (Reader, error) { + if filepath.Ext(filename) == "" { + filename += ".kcap" + } + f, err := os.Open(filename) + if err != nil { + if os.IsNotExist(err) { + return nil, fmt.Errorf("%q capture file does not exist", filename) + } + return nil, err + } + zr := zstd.NewReader(f) + + mag := make([]byte, 8) + if n, err := zr.Read(mag); err != nil || n != 8 { + return nil, errKcapMagicMismatch + } + bytes.InitNativeEndian(mag) + // from now on all byte reads will use the endianness of the magic number. + // This guarantees we'll be able to replay kcaptures that were taken + // on a machine with a different endianness from the machine where + // actual kcapture is being read. + if bytes.ReadUint64(mag) != magic { + return nil, errKcapMagicMismatch + } + + maj := make([]byte, 1) + min := make([]byte, 1) + + if n, err := zr.Read(maj); err != nil || n != 1 { + return nil, errReadVersion("major", err) + } + if n, err := zr.Read(min); err != nil || n != 1 { + return nil, errReadVersion("minor", err) + } + if maj[0] < major { + return nil, errMajorVer + } + + // read the flags bit vector but do nothing with it at the moment + flags := make([]byte, 8) + if n, err := zr.Read(flags); err != nil || n != 8 { + return nil, fmt.Errorf("fail to read kcap flags: %v", err) + } + + return &reader{f: f, zr: zr, config: config}, nil +} + +func (r *reader) SetFilter(f filter.Filter) { r.filter = f } + +func (r *reader) Read(ctx context.Context) (chan *kevent.Kevent, chan error) { + errsc := make(chan error, 100) + keventsc := make(chan *kevent.Kevent, 55000) + go func() { + for { + select { + case <-ctx.Done(): + return + default: + } + + var sec section.Section + if _, err := io.ReadFull(r.zr, sec[:]); err != nil { + if err != io.EOF { + errsc <- err + continue + } + break + } + + l := sec.Size() + buf := make([]byte, l) + if _, err := io.ReadFull(r.zr, buf); err != nil { + if err != io.EOF { + errsc <- err + continue + } + break + } + kevt, err := kevent.NewFromKcap(buf) + if err != nil { + errsc <- fmt.Errorf("fail to unmarshal kevent: %v", err) + kcapKeventUnmarshalErrors.Add(1) + continue + } + // update the state of the ps/handle snapshotters + if err := r.updateSnapshotters(kevt); err != nil { + log.Warn(err) + } + + if kevt.Type.Dropped(false) { + continue + } + if r.filter != nil && !r.filter.Run(kevt) { + kcapDroppedByFilter.Add(1) + continue + } + + select { + case keventsc <- kevt: + kcapReadKevents.Add(1) + kcapReadBytes.Add(int64(len(buf))) + default: + kcapDroppedKevents.Add(1) + } + } + }() + + return keventsc, errsc +} + +func (r *reader) Close() error { + if r.zr != nil { + r.zr.Release() + } + if r.f != nil { + return r.f.Close() + } + return nil +} + +func (r *reader) updateSnapshotters(kevt *kevent.Kevent) error { + switch kevt.Type { + case ktypes.TerminateThread, ktypes.TerminateProcess, ktypes.UnloadImage: + if err := r.psnapshotter.Remove(kevt); err != nil { + return err + } + case ktypes.CreateProcess, + ktypes.CreateThread, + ktypes.LoadImage, + ktypes.EnumImage, + ktypes.EnumProcess, ktypes.EnumThread: + if err := r.psnapshotter.WriteFromKcap(kevt); err != nil { + return err + } + case ktypes.CreateHandle: + if err := r.hsnapshotter.Write(kevt); err != nil { + return err + } + case ktypes.CloseHandle: + if err := r.hsnapshotter.Remove(kevt); err != nil { + return err + } + } + if kevt.PS == nil { + kevt.PS = r.psnapshotter.Find(kevt.PID) + } + return nil +} + +func (r *reader) RecoverSnapshotters() (handle.Snapshotter, ps.Snapshotter, error) { + hsnap, err := r.recoverHandleSnapshotter() + if err != nil { + return nil, nil, err + } + r.psnapshotter = ps.NewSnapshotterFromKcap(hsnap, r.config) + return hsnap, r.psnapshotter, nil +} + +func (r *reader) recoverHandleSnapshotter() (handle.Snapshotter, error) { + var sec section.Section + if _, err := io.ReadFull(r.zr, sec[:]); err != nil { + return nil, errReadSection(section.Handle, err) + } + nbHandles := sec.Len() + handles := make([]htypes.Handle, nbHandles) + for i := 0; i < int(nbHandles); i++ { + b := make([]byte, 2) + if _, err := io.ReadFull(r.zr, b); err != nil { + continue + } + + l := bytes.ReadUint16(b) + b = make([]byte, l) + if _, err := io.ReadFull(r.zr, b); err != nil { + continue + } + + var err error + handles[i], err = htypes.NewFromKcap(b) + if err != nil { + kcapHandleUnmarshalErrors.Add(1) + } + } + r.hsnapshotter = handle.NewFromKcap(handles) + return r.hsnapshotter, nil +} diff --git a/pkg/kcap/reader_test.go b/pkg/kcap/reader_test.go new file mode 100644 index 000000000..c042ac9eb --- /dev/null +++ b/pkg/kcap/reader_test.go @@ -0,0 +1,56 @@ +// +build kcap + +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kcap + +import ( + "context" + "github.com/rabbitstack/fibratus/pkg/config" + "github.com/stretchr/testify/require" + "testing" +) + +func TestRead(t *testing.T) { + r, err := NewReader("_fixtures/cap1.kcap", &config.Config{}) + if err != nil { + t.Fatal(err) + } + defer r.Close() + _, _, err = r.RecoverSnapshotters() + require.NoError(t, err) + + ctx := context.Background() + + kevtsc, errs := r.Read(ctx) + i := 0 + for { + select { + case kevt := <-kevtsc: + require.NotNil(t, kevt) + require.True(t, kevt.Seq > 0) + i++ + if i == 100 { + return + } + case err := <-errs: + t.Fatal(t, err) + } + } +} diff --git a/pkg/kcap/reader_unsupported.go b/pkg/kcap/reader_unsupported.go new file mode 100644 index 000000000..d72078763 --- /dev/null +++ b/pkg/kcap/reader_unsupported.go @@ -0,0 +1,31 @@ +// +build !kcap + +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kcap + +import ( + "github.com/rabbitstack/fibratus/pkg/config" + kerrors "github.com/rabbitstack/fibratus/pkg/errors" +) + +// NewReader returns unsupported reader. +func NewReader(filename string, config *config.Config) (Reader, error) { + return nil, kerrors.ErrFeatureUnsupported("kcap") +} diff --git a/pkg/kcap/section/section.go b/pkg/kcap/section/section.go new file mode 100644 index 000000000..578543699 --- /dev/null +++ b/pkg/kcap/section/section.go @@ -0,0 +1,86 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package section + +import ( + "fmt" + kcapver "github.com/rabbitstack/fibratus/pkg/kcap/version" + "github.com/rabbitstack/fibratus/pkg/util/bytes" +) + +// Section represents the header describing the type, length and the version of each section. +type Section [10]byte + +func (s Section) String() string { + return fmt.Sprintf("type: %s, version: %d, len: %d, size: %d", s.Type(), s.Version(), s.Len(), s.Size()) +} + +// Type describes the type of a section +type Type uint8 + +const ( + Process Type = iota + 1 + Handle + Kevt + PE +) + +func (s Type) String() string { + switch s { + case Process: + return "process" + case Handle: + return "handle" + case Kevt: + return "kevent" + case PE: + return "pe" + default: + return "" + } +} + +// New buils a new section block with the specified type, version, optional length and size. +func New(typ Type, ver kcapver.Version, l, size uint32) Section { + var s Section + s[0] = uint8(typ) + s[1] = uint8(ver) + copy(s[2:6], bytes.WriteUint32(l)) + copy(s[6:], bytes.WriteUint32(size)) + return s +} + +// Read reads the section from the byte slice. +func Read(b []byte) Section { + var s Section + copy(s[:], b) + return s +} + +// Type returns the type of this section. +func (s Section) Type() Type { return Type(s[0]) } + +// Version returns the version of the captured section block. +func (s Section) Version() kcapver.Version { return kcapver.Version(s[1]) } + +// Len returns the length of the section. +func (s Section) Len() uint32 { return bytes.ReadUint32(s[2:6]) } + +// Size returns the size of the section. +func (s Section) Size() uint32 { return bytes.ReadUint32(s[6:]) } diff --git a/pkg/kcap/section/section_test.go b/pkg/kcap/section/section_test.go new file mode 100644 index 000000000..e464708c1 --- /dev/null +++ b/pkg/kcap/section/section_test.go @@ -0,0 +1,33 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package section + +import ( + kcapver "github.com/rabbitstack/fibratus/pkg/kcap/version" + "github.com/stretchr/testify/assert" + "testing" +) + +func TestSection(t *testing.T) { + s := New(Process, kcapver.ProcessSecV1, uint32(2456), uint32(30000)) + assert.Equal(t, Process, s.Type()) + assert.Equal(t, kcapver.ProcessSecV1, s.Version()) + assert.Equal(t, uint32(2456), s.Len()) + assert.Equal(t, uint32(30000), s.Size()) +} diff --git a/pkg/kcap/types.go b/pkg/kcap/types.go new file mode 100644 index 000000000..33631acef --- /dev/null +++ b/pkg/kcap/types.go @@ -0,0 +1,55 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kcap + +import ( + "context" + "github.com/rabbitstack/fibratus/pkg/filter" + "github.com/rabbitstack/fibratus/pkg/handle" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/ps" +) + +// Writer is the minimal interface that all kcap writers need to satisfy. The kcap file format has the layout as +// depicted in the following diagram: +// +// +-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-++-+-+-+ +// | Magic Number | Major | Minor | Flags | +// |---------------------------------------- +// | Handle Section | Handles | +// ----------------------------------------- +// | Kevt Section | Kevt ..................| +// | ......................................| +// | ......................................| +// | ......................................| +// | ........ Kevt Section n Kevt n EOF | +// +-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-++-+-+-+ +// +type Writer interface { + Write(chan *kevent.Kevent, chan error) chan error + Close() error +} + +// Reader offers the mechanism for recovering the state of the kcapture and replaying all captured events. +type Reader interface { + Read(ctx context.Context) (chan *kevent.Kevent, chan error) + Close() error + RecoverSnapshotters() (handle.Snapshotter, ps.Snapshotter, error) + SetFilter(f filter.Filter) +} diff --git a/pkg/kcap/version/version.go b/pkg/kcap/version/version.go new file mode 100644 index 000000000..2851d2f48 --- /dev/null +++ b/pkg/kcap/version/version.go @@ -0,0 +1,38 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package version + +// Version designates the type for specifying the current section version. +type Version uint16 + +const ( + KevtSecV1 Version = iota + 1 +) + +const ( + ProcessSecV1 Version = iota + 1 +) + +const ( + HandleSecV1 Version = iota + 1 +) + +const ( + PESecV1 Version = iota + 1 +) diff --git a/pkg/kcap/writer.go b/pkg/kcap/writer.go new file mode 100644 index 000000000..a2b981574 --- /dev/null +++ b/pkg/kcap/writer.go @@ -0,0 +1,277 @@ +// +build kcap + +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kcap + +import ( + "expvar" + "fmt" + "github.com/dustin/go-humanize" + "github.com/jedib0t/go-pretty/v6/table" + "github.com/rabbitstack/fibratus/pkg/handle" + "github.com/rabbitstack/fibratus/pkg/kcap/section" + kcapver "github.com/rabbitstack/fibratus/pkg/kcap/version" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/rabbitstack/fibratus/pkg/ps" + "github.com/rabbitstack/fibratus/pkg/util/bytes" + zstd "github.com/valyala/gozstd" + "math" + "os" + "path/filepath" + "time" +) + +var ( + errWriteMagic = func(err error) error { return fmt.Errorf("couldn't write magic number: %v", err) } + errWriteVersion = func(v string, err error) error { return fmt.Errorf("couldn't write %s kcap digit: %v", v, err) } + errWriteSection = func(s section.Type, err error) error { return fmt.Errorf("couldn't write %s kcap section: %v", s, err) } + + handleWriteErrors = expvar.NewInt("kcap.handle.write.errors") + kevtWriteErrors = expvar.NewInt("kcap.kevt.write.errors") + flusherErrors = expvar.NewMap("kcap.flusher.errors") + overflowKevents = expvar.NewInt("kcap.overflow.kevents") + kstreamConsumerErrors = expvar.NewInt("kcap.kstream.consumer.errors") +) + +const maxKevtSize = math.MaxUint32 + +type stats struct { + kcapFile string + + kevtsWritten uint64 + bytesWritten uint64 + handlesWritten uint64 + procsWritten uint64 + + pids map[uint32]bool +} + +func (s *stats) incKevts(kevt *kevent.Kevent) { + switch kevt.Type { + case ktypes.FileRundown, ktypes.RegCreateKCB, ktypes.FileOpEnd, + ktypes.EnumProcess, ktypes.EnumThread, ktypes.EnumImage, ktypes.RegKCBRundown: + default: + s.kevtsWritten++ + } +} +func (s *stats) incBytes(bytes uint64) { s.bytesWritten += bytes } +func (s *stats) incHandles() { s.handlesWritten++ } +func (s *stats) incProcs(kevt *kevent.Kevent) { + // EnumProcess events can arrive twice for the same kernel session, so we + // ignore incrementing the number of processes if we've already seen the process + if kevt.Type == ktypes.EnumProcess { + pid, _ := kevt.Kparams.GetPid() + if _, ok := s.pids[pid]; ok { + return + } + s.pids[pid] = true + } + if kevt.Type == ktypes.CreateProcess || kevt.Type == ktypes.EnumProcess { + s.procsWritten++ + } +} + +func (s *stats) printStats() { + t := table.NewWriter() + t.SetOutputMirror(os.Stdout) + t.SetTitle("Capture Statistics") + t.SetStyle(table.StyleLight) + + t.AppendRow(table.Row{"File", filepath.Base(s.kcapFile)}) + t.AppendSeparator() + + t.AppendRow(table.Row{"Events written", s.kevtsWritten}) + t.AppendRow(table.Row{"Bytes written", s.bytesWritten}) + t.AppendRow(table.Row{"Processes written", s.procsWritten}) + t.AppendRow(table.Row{"Handles written", s.handlesWritten}) + + f, err := os.Stat(s.kcapFile) + if err != nil { + t.Render() + return + } + t.AppendSeparator() + t.AppendRow(table.Row{"Capture size", humanize.Bytes(uint64(f.Size()))}) + + t.Render() +} + +type writer struct { + zw *zstd.Writer + f *os.File + flusher *time.Ticker + psnap ps.Snapshotter + hsnap handle.Snapshotter + stop chan struct{} + // stats contains the capture statistics + stats *stats +} + +// NewWriter constructs a new instance of the kcap writer. +func NewWriter(filename string, psnap ps.Snapshotter, hsnap handle.Snapshotter) (Writer, error) { + if filepath.Ext(filename) == "" { + filename += ".kcap" + } + f, err := os.Create(filename) + if err != nil { + return nil, err + } + zw := zstd.NewWriter(f) + // start by writing the kcap header that is comprised + // of magic number, major/minor digits and the optional + // flags bit vector. The flags bit vector is reserved + // for the future uses. + // The header is followed by the handle snapshot. + // It contains the current state of the system handles + // at the time the capture was started. + // Handle snapshots are prepended with a section + // that describes the version and the number of handles + // in the snapshot. This information is used by the reader to + // restore the state of the snapshotters. + if _, err := zw.Write(bytes.WriteUint64(magic)); err != nil { + return nil, errWriteMagic(err) + } + if _, err := zw.Write([]byte{major}); err != nil { + return nil, errWriteVersion("major", err) + } + if _, err := zw.Write([]byte{minor}); err != nil { + return nil, errWriteVersion("minor", err) + } + if _, err := zw.Write(bytes.WriteUint64(flags)); err != nil { + return nil, err + } + + w := &writer{ + zw: zw, + f: f, + flusher: time.NewTicker(time.Second), + psnap: psnap, + hsnap: hsnap, + stop: make(chan struct{}, 1), + stats: &stats{kcapFile: filename, pids: make(map[uint32]bool)}, + } + + if err := w.writeSnapshots(); err != nil { + return nil, err + } + + go w.flush() + + return w, nil +} + +func (w *writer) writeSnapshots() error { + handles := w.hsnap.GetSnapshot() + // write handle section and the data blocks + err := w.ws(section.Handle, kcapver.HandleSecV1, uint32(len(handles)), 0) + if err != nil { + return err + } + for _, khandle := range handles { + if err := w.writeHandle(khandle.Marshal()); err != nil { + handleWriteErrors.Add(1) + continue + } + w.stats.incHandles() + } + return w.zw.Flush() +} + +func (w *writer) Write(kevtsc chan *kevent.Kevent, errs chan error) chan error { + errsc := make(chan error, 100) + go func() { + for { + select { + case kevt := <-kevtsc: + b := kevt.MarshalRaw() + l := len(b) + if l == 0 { + continue + } + if l > maxKevtSize { + overflowKevents.Add(1) + errsc <- fmt.Errorf("kevent size overflow by %d bytes", l-maxKevtSize) + continue + } + if err := w.ws(section.Kevt, kcapver.KevtSecV1, 0, uint32(l)); err != nil { + kevtWriteErrors.Add(1) + errsc <- err + continue + } + if _, err := w.zw.Write(b); err != nil { + errsc <- err + kevtWriteErrors.Add(1) + } + // update stats + w.stats.incKevts(kevt) + w.stats.incBytes(uint64(l)) + w.stats.incProcs(kevt) + // return to pool + kevt.Release() + case err := <-errs: + errsc <- err + kstreamConsumerErrors.Add(1) + case <-w.stop: + return + } + } + }() + return errsc +} + +func (w *writer) Close() error { + w.stats.printStats() + + w.flusher.Stop() + w.stop <- struct{}{} + if w.zw != nil { + defer w.zw.Release() + if err := w.zw.Close(); err != nil { + return err + } + } + if w.f != nil { + return w.f.Close() + } + + return nil +} + +func (w *writer) flush() { + for { + <-w.flusher.C + err := w.zw.Flush() + if err != nil { + flusherErrors.Add(err.Error(), 1) + } + } +} + +func (w *writer) writeHandle(buf []byte) error { + l := bytes.WriteUint16(uint16(len(buf))) + if _, err := w.zw.Write(l); err != nil { + return err + } + if _, err := w.zw.Write(buf); err != nil { + return err + } + return nil +} diff --git a/pkg/kcap/writer_test.go b/pkg/kcap/writer_test.go new file mode 100644 index 000000000..dbf1c7e29 --- /dev/null +++ b/pkg/kcap/writer_test.go @@ -0,0 +1,163 @@ +// +build kcap + +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kcap + +import ( + "github.com/rabbitstack/fibratus/pkg/handle" + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/rabbitstack/fibratus/pkg/ps" + pstypes "github.com/rabbitstack/fibratus/pkg/ps/types" + shandle "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/stretchr/testify/require" + "testing" + "time" +) + +func TestWrite(t *testing.T) { + psnap := new(ps.SnapshotterMock) + hsnap := new(handle.SnapshotterMock) + + procs := []*pstypes.PS{ + {PID: 8390, Ppid: 1096, Name: "spotify.exe", Exe: `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe`, Comm: `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--metrics-dir=C:\Users\admin\AppData\Local\Spotify\User Data" --url=https://crashdump.spotify.com:443/ --annotation=platform=win32 --annotation=product=spotify --annotation=version=1.1.4.197 --initial-client-data=0x5a4,0x5a0,0x5a8,0x59c,0x5ac,0x6edcbf60,0x6edcbf70,0x6edcbf7c`, Cwd: `C:\Users\admin\AppData\Roaming\Spotify`, SID: "admin\\SYSTEM"}, + {PID: 2436, Ppid: 6304, Name: "firefox.exe", Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`, Comm: `C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, Cwd: `C:\Program Files\Mozilla Firefox\`, SID: "archrabbit\\SYSTEM"}, + } + + handles := []htypes.Handle{ + {Pid: 8390, Name: "C:\\Windows", Type: "File"}, + {Pid: 8390, Name: "C:\\Windows\\System32", Type: "File"}, + } + + psnap.On("GetSnapshot").Return(procs) + psnap.On("Size").Return(len(procs)) + + hsnap.On("GetSnapshot").Return(handles) + + w, err := NewWriter("_fixtures/cap1.kcap", psnap, hsnap) + require.NoError(t, err) + require.NotNil(t, w) + + kevtsc := make(chan *kevent.Kevent, 100) + errs := make(chan error, 10) + + for i := 0; i < 100; i++ { + typ := ktypes.CreateFile + if i%2 == 0 { + typ = ktypes.CreateProcess + } + kevt := &kevent.Kevent{ + Type: typ, + Tid: 2484, + PID: 859, + CPU: uint8(i / 2), + Seq: uint64(i + 1), + Name: "CreateFile", + Timestamp: time.Now(), + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: kevent.Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "barz"}, + PS: &pstypes.PS{ + PID: 2436, + Ppid: 6304, + Name: "firefox.exe", + Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`, + Comm: `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, + Cwd: `C:\Program Files\Mozilla Firefox\`, + SID: "archrabbit\\SYSTEM", + Args: []string{"-contentproc", `--channel="6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, + SessionID: 4, + Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, + Handles: []htypes.Handle{ + { + Num: shandle.Handle(0xffffd105e9baaf70), + Name: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, + Type: "Key", + Object: 777488883434455544, + Pid: uint32(1023), + }, + { + Num: shandle.Handle(0xe1ffd105e9baaf70), + Type: "Event", + Object: 777488883434455544, + Pid: uint32(1023), + }, + { + Type: "Event", + }, + { + Num: shandle.Handle(0xe1ecd105e9baaf70), + Type: "Event", + Pid: uint32(1023), + }, + { + Num: shandle.Handle(0xffffd105e9adaf70), + Name: `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, + Type: "ALPC Port", + Pid: uint32(1023), + MD: &htypes.AlpcPortInfo{ + Seqno: 1, + Context: 0x0, + Flags: 0x0, + }, + Object: 457488883434455544, + }, + { + Num: shandle.Handle(0xeaffd105e9adaf30), + Name: `C:\Users\bunny`, + Type: "File", + Pid: uint32(1023), + MD: &htypes.FileInfo{ + IsDirectory: true, + }, + Object: 357488883434455544, + }, + }, + }, + } + if i%2 == 0 { + kevt.PS.Handles = append(kevt.PS.Handles, htypes.Handle{}) + } + kevtsc <- kevt + } + + werrs := w.Write(kevtsc, errs) + quit := make(chan struct{}, 1) + time.AfterFunc(time.Second*5, func() { + quit <- struct{}{} + }) + select { + case err := <-werrs: + t.Fatal(err) + case <-quit: + err := w.Close() + require.NoError(t, err) + return + } +} diff --git a/pkg/kcap/writer_unsupported.go b/pkg/kcap/writer_unsupported.go new file mode 100644 index 000000000..60d7ccba6 --- /dev/null +++ b/pkg/kcap/writer_unsupported.go @@ -0,0 +1,32 @@ +// +build !kcap + +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kcap + +import ( + kerrors "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/handle" + "github.com/rabbitstack/fibratus/pkg/ps" +) + +// NewWriter returns unsupported writer. +func NewWriter(filename string, psnap ps.Snapshotter, hsnap handle.Snapshotter) (Writer, error) { + return nil, kerrors.ErrFeatureUnsupported("kcap") +} diff --git a/pkg/kevent/README.md b/pkg/kevent/README.md new file mode 100644 index 000000000..76d143a0b --- /dev/null +++ b/pkg/kevent/README.md @@ -0,0 +1 @@ +`Kevent` is the fundamental data structure for transporting kernel events. diff --git a/pkg/kevent/batch.go b/pkg/kevent/batch.go new file mode 100644 index 000000000..54202c38f --- /dev/null +++ b/pkg/kevent/batch.go @@ -0,0 +1,58 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kevent + +// Batch contains a sequence of kernel events. +type Batch struct { + Events []*Kevent +} + +// NewBatch produces a new batch from the group of events. +func NewBatch(evts ...*Kevent) *Batch { + return &Batch{Events: evts} +} + +// Len returns the length of the batch. +func (b *Batch) Len() int64 { return int64(len(b.Events)) } + +// Release releases all events from the batch and returns them to the pool. +func (b *Batch) Release() { + for _, e := range b.Events { + e.Release() + } +} + +// MarshalJSON serializes the batch of events to JSON format. +func (b *Batch) MarshalJSON() []byte { + buf := make([]byte, 0) + buf = append(buf, '[') + for i, kevt := range b.Events { + writeMore := true + if i == len(b.Events)-1 { + writeMore = false + } + buf = append(buf, kevt.MarshalJSON()...) + buf = append(buf, '\n') + if writeMore { + buf = append(buf, ',') + } + } + buf = append(buf, ']') + return buf +} diff --git a/pkg/kevent/batch_test.go b/pkg/kevent/batch_test.go new file mode 100644 index 000000000..3fdd8b34e --- /dev/null +++ b/pkg/kevent/batch_test.go @@ -0,0 +1,252 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kevent + +import ( + "encoding/json" + "github.com/magiconair/properties/assert" + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + pstypes "github.com/rabbitstack/fibratus/pkg/ps/types" + shandle "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/stretchr/testify/require" + "testing" + "time" +) + +func TestBatchMarshalJSON(t *testing.T) { + kevt := &Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 859, + CPU: 1, + Seq: 2, + Name: "CreateFile", + Timestamp: time.Now(), + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "baarz"}, + PS: &pstypes.PS{ + PID: 2436, + Ppid: 6304, + Name: "firefox.exe", + Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`, + Comm: `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, + Cwd: `C:\Program Files\Mozilla Firefox\`, + SID: "archrabbit\\SYSTEM", + Args: []string{"-contentproc", `--channel=6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, + SessionID: 4, + Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, + Threads: map[uint32]pstypes.Thread{ + 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + }, + Handles: []htypes.Handle{ + {Num: shandle.Handle(0xffffd105e9baaf70), + Name: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, + Type: "Key", + Object: 777488883434455544, + Pid: uint32(1023), + }, + { + Num: shandle.Handle(0xffffd105e9adaf70), + Name: `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, + Type: "ALPC Port", + Pid: uint32(1023), + MD: &htypes.AlpcPortInfo{ + Seqno: 1, + Context: 0x0, + Flags: 0x0, + }, + Object: 457488883434455544, + }, + { + Num: shandle.Handle(0xeaffd105e9adaf30), + Name: `C:\Users\bunny`, + Type: "File", + Pid: uint32(1023), + MD: &htypes.FileInfo{ + IsDirectory: true, + }, + Object: 357488883434455544, + }, + }, + }, + } + + kevt1 := &Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 459, + CPU: 1, + Seq: 2, + Name: "CreateFile", + Timestamp: time.Now(), + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "baarz"}, + PS: &pstypes.PS{ + PID: 2436, + Ppid: 6304, + Name: "firefox.exe", + Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`, + Comm: `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, + Cwd: `C:\Program Files\Mozilla Firefox\`, + SID: "archrabbit\\SYSTEM", + Args: []string{"-contentproc", `--channel=6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, + SessionID: 4, + Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, + Threads: map[uint32]pstypes.Thread{ + 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + }, + Handles: []htypes.Handle{ + {Num: shandle.Handle(0xffffd105e9baaf70), + Name: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, + Type: "Key", + Object: 777488883434455544, + Pid: uint32(1023), + }, + { + Num: shandle.Handle(0xffffd105e9adaf70), + Name: `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, + Type: "ALPC Port", + Pid: uint32(1023), + MD: &htypes.AlpcPortInfo{ + Seqno: 1, + Context: 0x0, + Flags: 0x0, + }, + Object: 457488883434455544, + }, + { + Num: shandle.Handle(0xeaffd105e9adaf30), + Name: `C:\Users\bunny`, + Type: "File", + Pid: uint32(1023), + MD: &htypes.FileInfo{ + IsDirectory: true, + }, + Object: 357488883434455544, + }, + }, + }, + } + + kevt2 := &Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 829, + CPU: 1, + Seq: 2, + Name: "CreateFile", + Timestamp: time.Now(), + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "baarz"}, + PS: &pstypes.PS{ + PID: 829, + Ppid: 6304, + Name: "firefox.exe", + Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`, + Comm: `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, + Cwd: `C:\Program Files\Mozilla Firefox\`, + SID: "archrabbit\\SYSTEM", + Args: []string{"-contentproc", `--channel=6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, + SessionID: 4, + Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, + Threads: map[uint32]pstypes.Thread{ + 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + }, + Handles: []htypes.Handle{ + {Num: shandle.Handle(0xffffd105e9baaf70), + Name: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, + Type: "Key", + Object: 777488883434455544, + Pid: uint32(1023), + }, + { + Num: shandle.Handle(0xffffd105e9adaf70), + Name: `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, + Type: "ALPC Port", + Pid: uint32(1023), + MD: &htypes.AlpcPortInfo{ + Seqno: 1, + Context: 0x0, + Flags: 0x0, + }, + Object: 457488883434455544, + }, + { + Num: shandle.Handle(0xeaffd105e9adaf30), + Name: `C:\Users\bunny`, + Type: "File", + Pid: uint32(1023), + MD: &htypes.FileInfo{ + IsDirectory: true, + }, + Object: 357488883434455544, + }, + }, + }, + } + + b := NewBatch(kevt, kevt1, kevt2) + require.Equal(t, int64(3), b.Len()) + + buf := b.MarshalJSON() + var kevts []*Kevent + + err := json.Unmarshal(buf, &kevts) + require.NoError(t, err) + require.Len(t, kevts, 3) + + assert.Equal(t, uint32(859), kevts[0].PID) + assert.Equal(t, uint32(459), kevts[1].PID) + assert.Equal(t, uint32(829), kevts[2].PID) +} diff --git a/pkg/kevent/doc.go b/pkg/kevent/doc.go new file mode 100644 index 000000000..8b601e5c4 --- /dev/null +++ b/pkg/kevent/doc.go @@ -0,0 +1,21 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +// Package kevent defines the fundamental data structures that underpin the state of every kernel event pushed from the +// consumer. +package kevent diff --git a/pkg/kevent/formatter.go b/pkg/kevent/formatter.go new file mode 100644 index 000000000..18c0144f8 --- /dev/null +++ b/pkg/kevent/formatter.go @@ -0,0 +1,230 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kevent + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/util/fasttemplate" + "regexp" + "sort" + "strconv" + "strings" + "unicode" +) + +const ( + // startTag represents the leading tag surrounding field name + startTag = "{{" + // endTag represents the trailing tag surrounding field name + endTag = "}}" + + seq = ".Seq" + ts = ".Timestamp" + pid = ".Pid" + ppid = ".Ppid" + cwd = ".Cwd" + exe = ".Exe" + comm = ".Comm" + tid = ".Tid" + sid = ".Sid" + proc = ".Process" + cat = ".Category" + desc = ".Description" + cpu = ".CPU" + typ = ".Type" + kparameters = ".Kparams" + meta = ".Meta" + host = ".Host" + pe = ".PE" + kparsAccessor = ".Kparams." +) + +var ( + // tmplRegexp defines the regular expression for parsing template fields. + tmplRegexp = regexp.MustCompile(`({{2}.*?}{2})`) + // tmplNormRegepx defines the regular expression for normalizing the template. This basically consists in removing + // the brackets and trailing/leading spaces from the field name. + tmplNormRegexp = regexp.MustCompile(`({{2}\s*([A-Za-z.]+)\s*}{2})`) + // tmplExpandKparamsRegexp determines whether Kparams. fields are expanded + tmplExpandKparamsRegexp = regexp.MustCompile(`{{\s*.Kparams.\S+}}`) +) + +var kfields = map[string]bool{ + seq: true, + ts: true, + pid: true, + ppid: true, + cwd: true, + exe: true, + comm: true, + tid: true, + sid: true, + proc: true, + cat: true, + desc: true, + cpu: true, + typ: true, + kparameters: true, + meta: true, + host: true, + pe: true, +} + +func hintFields() string { + s := make([]string, 0, len(kfields)) + for field := range kfields { + s = append(s, field) + } + sort.Slice(s, func(i, j int) bool { return s[i] < s[j] }) + return strings.Join(s, " ") +} + +// Formatter deals with producing event's output that is dictated by the template. +type Formatter struct { + t *fasttemplate.Template + expandKparamsDot bool +} + +// NewFormatter builds a new instance of event's formatter. +func NewFormatter(template string) (*Formatter, error) { + // check basic template format and ensure all fields + // defined in the template are known to us + fields := tmplRegexp.FindAllStringSubmatch(template, -1) + if len(fields) == 0 { + return nil, fmt.Errorf("invalid template format: %q", template) + } + if ok, pos := isTemplateBalanced(template); !ok { + return nil, fmt.Errorf("template syntax error near field #%d: %q", pos, template) + } + for i, field := range fields { + if len(field) > 0 { + name := sanitize(field[0]) + if strings.HasPrefix(name, kparsAccessor) { + continue + } + if name == "" { + return nil, fmt.Errorf("empty field found at position %d", i+1) + } + if _, ok := kfields[name]; !ok { + return nil, fmt.Errorf("%s is not a known field name. Maybe you meant one "+ + "of the following fields: %s", name, hintFields()) + } + } + } + // user might define the tag such as `{{ .Seq }}` or {{ .Seq}}`. We have to make sure + // inner spaces are removed before building the fast template instance + norm := normalizeTemplate(template) + t, err := fasttemplate.NewTemplate(norm, startTag, endTag) + if err != nil { + return nil, fmt.Errorf("invalid template format %q: %v", norm, err) + } + return &Formatter{ + t: t, + expandKparamsDot: tmplExpandKparamsRegexp.MatchString(norm), + }, nil +} + +func sanitize(s string) string { + return strings.Map(func(r rune) rune { + if r == '{' || r == '}' || unicode.IsSpace(r) { + return -1 + } + return r + }, + s, + ) +} + +func normalizeTemplate(tmpl string) string { return tmplNormRegexp.ReplaceAllString(tmpl, "{{$2}}") } + +const expectedBracketsSeq = "{{}}" + +// isTemplateBalanced ensures the template string is balanced. This means that each tag in the template +// has its pair of leading/trailing brackets. +func isTemplateBalanced(tmpl string) (bool, int) { + // drop all but brackets + s := strings.Map(func(r rune) rune { + if r == '{' || r == '}' { + return r + } + return -1 + }, + tmpl, + ) + // partition slice into 4 groups. Each group must follow + // the correct sequence, otherwise it is an invalid field + partSize := 4 + partitions := len(s) / partSize + var i int + for ; i < partitions; i++ { + if s[i*partSize:(i+1)*partSize] != expectedBracketsSeq { + return false, i + 1 + } + } + if len(s)%partSize != 0 { + if s[i*partSize:] != expectedBracketsSeq { + return false, i + 1 + } + } + return true, -1 +} + +// Format applies the template on the provided kernel event. +func (f *Formatter) Format(kevt *Kevent) []byte { + if kevt == nil { + return []byte{} + } + values := map[string]interface{}{ + ts: kevt.Timestamp.String(), + pid: strconv.FormatUint(uint64(kevt.PID), 10), + tid: strconv.FormatUint(uint64(kevt.Tid), 10), + seq: strconv.FormatUint(kevt.Seq, 10), + cpu: strconv.FormatUint(uint64(kevt.CPU), 10), + typ: kevt.Name, + cat: kevt.Category, + desc: kevt.Description, + host: kevt.Host, + meta: kevt.Metadata.String(), + kparameters: kevt.Kparams.String(), + } + + // add process' metadata + ps := kevt.PS + if ps != nil { + values[proc] = ps.Name + values[ppid] = strconv.FormatUint(uint64(ps.Ppid), 10) + values[cwd] = ps.Cwd + values[exe] = ps.Exe + values[comm] = ps.Comm + values[sid] = ps.SID + if ps.PE != nil { + values[pe] = ps.PE.String() + } + } + + if f.expandKparamsDot { + // expand all parameters into the map so we can ask + // for specific parameter names in the template + for _, kpar := range kevt.Kparams { + values[".Kparams."+strings.Title(kpar.Name)] = kpar.String() + } + } + + return f.t.ExecuteString(values) +} diff --git a/pkg/kevent/formatter_test.go b/pkg/kevent/formatter_test.go new file mode 100644 index 000000000..39f628451 --- /dev/null +++ b/pkg/kevent/formatter_test.go @@ -0,0 +1,137 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kevent + +import ( + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + pstypes "github.com/rabbitstack/fibratus/pkg/ps/types" + "github.com/stretchr/testify/assert" + + kpars "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/stretchr/testify/require" + "testing" +) + +func TestTemplateUnknownField(t *testing.T) { + template := "{{ .Seq }} {{NUllField1}} {{.Type}}" + _, err := NewFormatter(template) + require.Error(t, err, "NUllField1 is not a known field name. Maybe you meant one of the following fields: .CPU .Category .Comm .Cwd .Description .Exe .Handles .Host .Kparams .Meta .Pid .Ppid .Process .Seq .Sid .Tid .Timestamp .Type") +} + +func TestTemplateEmptyField(t *testing.T) { + template := "{{ .Seq }} {{}} {{.Type}}" + _, err := NewFormatter(template) + require.Error(t, err, "empty field found at position 2") + + template1 := "{{ .Seq }} {{.CPU}} - ({{.Type}}) -- pid: {{}} {{ .Kparams.Pid }} ({{.Kparams}}) {{ .Meta }}" + _, err = NewFormatter(template1) + require.Error(t, err, "empty field found at position 4") +} + +func TestTemplateSyntaxError(t *testing.T) { + template := "{{ .Seq }} {{.CPU}} {.Type}}" + _, err := NewFormatter(template) + require.Error(t, err, "template syntax error near field #3: {{ .Seq }} {{.CPU}} {.Type}}") +} + +func TestFormat(t *testing.T) { + template := "{{ .Seq }} {{.CPU}} - ({{.Type}}) -- pid: {{ .Kparams.Pid }} ({{.Kparams}}) {{ .Meta }}" + f, err := NewFormatter(template) + require.NoError(t, err) + params := Kparams{ + kpars.ProcessID: {Name: kpars.ProcessID, Type: kpars.HexInt32, Value: kpars.Hex("0x36c")}, + } + s := f.Format(&Kevent{CPU: uint8(4), Name: "CreateProcess", Seq: uint64(1999), Kparams: params, Metadata: map[string]string{"key1": "value1", "key2": "value2"}}) + assert.Equal(t, "1999 4 - (CreateProcess) -- pid: 0x36c (pidâžœ 0x36c) key1:value1, key2:value2", string(s)) +} + +func TestFormatPS(t *testing.T) { + template := "{{ .Seq }} {{ .Process }} ({{ .Cwd }}) {{ .Ppid }} ({{ .Sid }})" + f, err := NewFormatter(template) + require.NoError(t, err) + params := Kparams{ + kpars.ProcessID: {Name: kpars.ProcessID, Type: kpars.HexInt32, Value: kpars.Hex("0x36c")}, + } + s := f.Format(&Kevent{ + CPU: uint8(4), + Name: "CreateProcess", + Seq: uint64(1999), + Kparams: params, + PS: &pstypes.PS{ + Name: "cmd.exe", + Cwd: "C:/Windows/System32", + SID: "nedo/archrabbit", + Ppid: 2324, + Handles: htypes.Handles{ + {Name: "C:/Windows/notepad.exe", Type: "File"}, + {Name: "HKEY_LOCAL_MACHINE/Software", Type: "Key"}, + }, + }, + }) + assert.Equal(t, "1999 cmd.exe (C:/Windows/System32) 2324 (nedo/archrabbit)", string(s)) +} + +func TestNormalizeTemplate(t *testing.T) { + assert.Equal(t, "{{.Seq}} {{.CPU}}", normalizeTemplate("{{ .Seq }} {{ .CPU }}")) +} + +func TestIsTemplateBalanced(t *testing.T) { + ok, pos := isTemplateBalanced("{{ .Seq }} {{.CPU}}") + require.True(t, ok) + assert.Equal(t, -1, pos) + + ok, pos = isTemplateBalanced("{{ .Seq }} ({{.CPU}}) [] {{.Type}}") + require.True(t, ok) + assert.Equal(t, -1, pos) + + ok, pos = isTemplateBalanced("{{ .Seq }} {.CPU}} {{.Type}}") + require.False(t, ok) + assert.Equal(t, 2, pos) + + ok, pos = isTemplateBalanced("{.Seq}") + require.False(t, ok) + assert.Equal(t, 1, pos) + + ok, pos = isTemplateBalanced("{{ .Seq }} .CPU }}") + require.False(t, ok) + assert.Equal(t, 2, pos) + + ok, pos = isTemplateBalanced("{{{ .Seq }} {{.CPU}} {{} {{ .Kparams }} { .Kparams.pid}}") + require.False(t, ok) + assert.Equal(t, 1, pos) + + ok, pos = isTemplateBalanced("{{ .Seq }} {{.CPU}} {{} {{ .Kparams }} { .Kparams.pid}}") + require.False(t, ok) + assert.Equal(t, 3, pos) + + ok, pos = isTemplateBalanced("({{ .Seq }}) {{.CPU}} {{}} {{ .Kparams }} { .Kparams.pid}}") + require.False(t, ok) + assert.Equal(t, 5, pos) + + ok, pos = isTemplateBalanced("{{ .Seq } {{.CPU}} {.Type}}") + require.False(t, ok) + assert.Equal(t, 1, pos) + + ok, pos = isTemplateBalanced("{{ .Seq }} {{.CPU}} {.Type}}") + require.False(t, ok) + assert.Equal(t, 3, pos) + + ok, pos = isTemplateBalanced("{{ .Seq }} {{.CPU}} - ({{.Type}}) -- pid: {{]} {{ .Kparams.Pid }} ({{.Kparams}}) {{ .Meta }}") + require.False(t, ok) +} diff --git a/pkg/kevent/kevent.go b/pkg/kevent/kevent.go new file mode 100644 index 000000000..92a888350 --- /dev/null +++ b/pkg/kevent/kevent.go @@ -0,0 +1,191 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kevent + +import ( + "fmt" + kcapver "github.com/rabbitstack/fibratus/pkg/kcap/version" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + pstypes "github.com/rabbitstack/fibratus/pkg/ps/types" + "github.com/rabbitstack/fibratus/pkg/util/hostname" + "strings" + "sync" + "time" +) + +// pool is used to alleviate the pressure on the heap allocator +var pool = sync.Pool{ + New: func() interface{} { + return &Kevent{} + }, +} + +// TimestampFormat is the Go valid format for the kernel event timestamp +var TimestampFormat string + +// Metadata is a type alias for event metadata. Any tag, i.e. key/value pair could be attached to metadata. +type Metadata map[string]string + +// String turns kernel event's metadata into string. +func (md Metadata) String() string { + var sb strings.Builder + for k, v := range md { + sb.WriteString(k + ":" + v + ", ") + } + return strings.TrimSuffix(sb.String(), ", ") +} + +// Kevent encapsulates kernel event's payload. +type Kevent struct { + // Seq is monotonically incremented kernel event sequence. + Seq uint64 `json:"seq"` + // PID is the identifier of the process that generated the event. + PID uint32 `json:"pid"` + // Tid is the thread identifier of the thread that generated the event. + Tid uint32 `json:"tid"` + // Type is the internal representation of the kernel event. This field should be ignored by serializers. + Type ktypes.Ktype `json:"-"` + // CPU designates the processor logical core where the event was originated. + CPU uint8 `json:"cpu"` + // Name is the human friendly name of the kernel event. + Name string `json:"name"` + // Category designates the category to which this event pertains. + Category ktypes.Category `json:"category"` + // Description is the short explanation that describes the purpose of the event. + Description string `json:"description"` + // Host is the machine name that reported the generated event. + Host string `json:"host"` + // Timestamp represents the temporal occurrence of the event. + Timestamp time.Time `json:"timestamp"` + // Kparams stores the collection of kernel event parameters. + Kparams Kparams `json:"params"` + // Metadata represents any tags that are meaningful to this event. + Metadata Metadata `json:"metadata"` + // PS represents process' metadata and its allocated resources such as handles, DLLs, etc. + PS *pstypes.PS `json:"ps,omitempty"` +} + +// String returns event's string representation. +func (kevt *Kevent) String() string { + if kevt.PS != nil { + return fmt.Sprintf(` + Seq: %d + Pid: %d + Tid: %d + Type: %s + CPU: %d + Name: %s + Category: %s + Description: %s + Host: %s, + Timestamp: %s, + Kparams: %s, + Metadata: %s, + %s + `, + kevt.Seq, + kevt.PID, + kevt.Tid, + kevt.Type, + kevt.CPU, + kevt.Name, + kevt.Category, + kevt.Description, + kevt.Host, + kevt.Timestamp, + kevt.Kparams, + kevt.Metadata, + kevt.PS, + ) + } + return fmt.Sprintf(` + Seq: %d + Pid: %d + Tid: %d + Type: %s + CPU: %d + Name: %s + Category: %s + Description: %s + Host: %s, + Timestamp: %s, + Kparams: %s, + Metadata: %s + `, + kevt.Seq, + kevt.PID, + kevt.Tid, + kevt.Type, + kevt.CPU, + kevt.Name, + kevt.Category, + kevt.Description, + kevt.Host, + kevt.Timestamp, + kevt.Kparams, + kevt.Metadata, + ) +} + +// New constructs a new kernel event instance. +func New(seq uint64, pid, tid uint32, cpu uint8, ktype ktypes.Ktype, ts time.Time, kpars Kparams) *Kevent { + kevt := pool.Get().(*Kevent) + metainfo := ktypes.KtypeToKeventInfo(ktype) + *kevt = Kevent{ + Seq: seq, + PID: pid, + Tid: tid, + CPU: cpu, + Type: ktype, + Category: metainfo.Category, + Name: metainfo.Name, + Description: metainfo.Description, + Timestamp: ts, + Kparams: kpars, + Metadata: make(map[string]string), + Host: hostname.Get(), + } + return kevt +} + +// NewFromKcap recovers the kernel event instance from the kcapture byte buffer. +func NewFromKcap(buf []byte) (*Kevent, error) { + kevt := &Kevent{ + Kparams: make(Kparams), + Metadata: make(map[string]string), + } + if err := kevt.UnmarshalRaw(buf, kcapver.KevtSecV1); err != nil { + return nil, err + } + return kevt, nil +} + +// AddMeta appends a key/value pair to event's metadata. +func (kevt *Kevent) AddMeta(k, v string) { + kevt.Metadata[k] = v +} + +// Release returns an event to the pool. +func (kevt *Kevent) Release() { + for _, kpar := range kevt.Kparams { + kpar.Release() + } + *kevt = Kevent{} // clear kevent + pool.Put(kevt) +} diff --git a/pkg/kevent/kevent_test.go b/pkg/kevent/kevent_test.go new file mode 100644 index 000000000..81663ffae --- /dev/null +++ b/pkg/kevent/kevent_test.go @@ -0,0 +1,19 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kevent diff --git a/pkg/kevent/kparam.go b/pkg/kevent/kparam.go new file mode 100644 index 000000000..85b73ef52 --- /dev/null +++ b/pkg/kevent/kparam.go @@ -0,0 +1,554 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kevent + +import ( + "fmt" + kerrors "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/fs" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + knet "github.com/rabbitstack/fibratus/pkg/net" + "github.com/rabbitstack/fibratus/pkg/syscall/security" + "github.com/rabbitstack/fibratus/pkg/util/ip" + "net" + "reflect" + "sort" + "strconv" + "strings" + "sync" + "syscall" + "time" +) + +var kparamPool = sync.Pool{ + New: func() interface{} { + return &Kparam{} + }, +} + +// ParamCaseStyle is the type definition for parameter name case style +type ParamCaseStyle uint8 + +const ( + // Snake is the default parameter's name case style. Multi-word parameters are delimited by underscore symbol (e.g. process_object) + SnakeCase ParamCaseStyle = 1 + // Dot style uses a dot to separate multi-word parameter names (e.g. process.object) + DotCase ParamCaseStyle = 2 + // Camel renders parameter name with pascal case naming style (e.g. ProcessObject) + PascalCase ParamCaseStyle = 3 + // CamelCase represents parameter names with camel case naming style (e.g. processObject) + CamelCase ParamCaseStyle = 4 +) + +// ParamNameCaseStyle designates the case style for kernel parameter names +var ParamNameCaseStyle = SnakeCase + +// ParamKVDelimiter specifies the character that delimits parameter's key from its value +var ParamKVDelimiter = "âžœ " + +// Kparam defines the layout of the kernel event parameter. +type Kparam struct { + // Type is the type of the parameter. For example, `sport` parameter has the `Port` type although its value + // is the uint16 numeric type. + Type kparams.Type `json:"-"` + // Value is the container for parameter values. To access the underlying value use the appropriate `Get` methods. + Value kparams.Value `json:"value"` + // Name represents the name of the parameter (e.g. pid, sport). + Name string `json:"name"` +} + +// Kparams is the type that represents the sequence of kernel event parameters +type Kparams map[string]*Kparam + +// NewKparam creates a new event parameter. Since the parameter type is already categorized, +// we can coerce the value to the appropriate representation (e.g. hex, IP address, user security identifier, etc.) +func NewKparam(name string, typ kparams.Type, value kparams.Value) *Kparam { + var v kparams.Value + switch typ { + case kparams.HexInt8, kparams.HexInt16, kparams.HexInt32, kparams.HexInt64: + v = kparams.NewHex(value) + + case kparams.IPv4: + v = ip.ToIPv4(value.(uint32)) + + case kparams.IPv6: + v = ip.ToIPv6(value.([]byte)) + + case kparams.Port: + v = syscall.Ntohs(value.(uint16)) + + case kparams.SID: + account, domain := security.LookupAccount(value.([]byte), false) + if account != "" || domain != "" { + v = joinSID(account, domain) + } + + case kparams.WbemSID: + account, domain := security.LookupAccount(value.([]byte), true) + if account != "" || domain != "" { + v = joinSID(account, domain) + } + + default: + v = value + } + + kparam := kparamPool.Get().(*Kparam) + *kparam = Kparam{Name: name, Type: typ, Value: v} + + return kparam +} + +func NewKparamFromKcap(name string, typ kparams.Type, value kparams.Value) *Kparam { + return &Kparam{Name: name, Type: typ, Value: value} +} + +// String returns the string representation of the parameter value. +func (k Kparam) String() string { + if k.Value == nil { + return "" + } + switch k.Type { + case kparams.UnicodeString, kparams.AnsiString, kparams.SID, kparams.WbemSID: + return k.Value.(string) + case kparams.HexInt32, kparams.HexInt64, kparams.HexInt16, kparams.HexInt8: + return string(k.Value.(kparams.Hex)) + case kparams.Int8: + return strconv.Itoa(int(k.Value.(int8))) + case kparams.Uint8: + return strconv.Itoa(int(k.Value.(uint8))) + case kparams.Int16: + return strconv.Itoa(int(k.Value.(int16))) + case kparams.Uint16, kparams.Port: + return strconv.Itoa(int(k.Value.(uint16))) + case kparams.Uint32, kparams.PID, kparams.TID: + return strconv.Itoa(int(k.Value.(uint32))) + case kparams.Int32: + return strconv.Itoa(int(k.Value.(int32))) + case kparams.Uint64: + return strconv.FormatUint(k.Value.(uint64), 10) + case kparams.Int64: + return strconv.Itoa(int(k.Value.(int64))) + case kparams.IPv4, kparams.IPv6: + return k.Value.(net.IP).String() + case kparams.Bool: + return strconv.FormatBool(k.Value.(bool)) + case kparams.Float: + return strconv.FormatFloat(float64(k.Value.(float32)), 'f', 6, 32) + case kparams.Double: + return strconv.FormatFloat(k.Value.(float64), 'f', 6, 64) + case kparams.Time: + return k.Value.(time.Time).String() + case kparams.Enum: + switch typ := k.Value.(type) { + case fs.FileShareMode: + return typ.String() + case knet.L4Proto: + return typ.String() + case fs.FileDisposition: + return typ.String() + default: + return fmt.Sprintf("%v", k.Value) + } + default: + return fmt.Sprintf("%v", k.Value) + } +} + +// Release returns the param to the pool. +func (k *Kparam) Release() { + kparamPool.Put(k) +} + +// Append adds a new parameter with specified name, type and value. +func (kpars Kparams) Append(name string, typ kparams.Type, value kparams.Value) Kparams { + kpars[name] = NewKparam(name, typ, value) + return kpars +} + +func (kpars Kparams) AppendFromKcap(name string, typ kparams.Type, value kparams.Value) Kparams { + kpars[name] = NewKparamFromKcap(name, typ, value) + return kpars +} + +// Contains determines whether the specified parameter name exists. +func (kpars Kparams) Contains(name string) bool { + _, err := kpars.findParam(name) + return err == nil +} + +// Remove deletes the specified parameter from the map. +func (kpars Kparams) Remove(name string) { + delete(kpars, name) +} + +// Len returns the number of parameters. +func (kpars Kparams) Len() int { return len(kpars) } + +// Set replaces the value that is indexed at existing parameter name. It will return an error +// if the supplied parameter is not present. +func (kpars Kparams) Set(name string, value kparams.Value, typ kparams.Type) error { + _, err := kpars.findParam(name) + if err != nil { + return fmt.Errorf("setting the value on a missing %q parameter is not allowed", name) + } + kpars[name] = &Kparam{Name: name, Value: value, Type: typ} + return nil +} + +// Get returns the raw value for given parameter name. It is the responsibility of the caller to probe type assertion +// on the value before yielding its underlying type. +func (kpars Kparams) Get(name string) (kparams.Value, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return "", err + } + return kpar.Value, nil +} + +func (kpars Kparams) GetString(name string) (string, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return "", err + } + if _, ok := kpar.Value.(string); !ok { + return "", fmt.Errorf("unable to type cast %q parameter to string value", name) + } + return kpar.Value.(string), nil +} + +func (kpars Kparams) GetPid() (uint32, error) { + return kpars.getPid(kparams.ProcessID) +} + +func (kpars Kparams) GetPpid() (uint32, error) { + return kpars.getPid(kparams.ProcessParentID) +} + +func (kpars Kparams) getPid(name string) (uint32, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return uint32(0), err + } + if kpar.Type != kparams.PID { + return uint32(0), fmt.Errorf("%q parameter is not a PID", name) + } + v, ok := kpar.Value.(uint32) + if !ok { + return uint32(0), fmt.Errorf("unable to type cast %q parameter to uint32 value from pid", name) + } + return v, nil +} + +func (kpars Kparams) GetTid() (uint32, error) { + kpar, err := kpars.findParam(kparams.ThreadID) + if err != nil { + return uint32(0), err + } + if kpar.Type != kparams.TID { + return uint32(0), fmt.Errorf("%q parameter is not a TID", kparams.ThreadID) + } + v, ok := kpar.Value.(uint32) + if !ok { + return uint32(0), fmt.Errorf("unable to type cast %q parameter to uint32 value from tid", kparams.ThreadID) + } + return v, nil +} + +func (kpars Kparams) GetUint8(name string) (uint8, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return uint8(0), err + } + v, ok := kpar.Value.(uint8) + if !ok { + return uint8(0), fmt.Errorf("unable to type cast %q parameter to uint8 value", name) + } + return v, nil +} + +func (kpars Kparams) GetInt8(name string) (int8, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return int8(0), err + } + v, ok := kpar.Value.(int8) + if !ok { + return int8(0), fmt.Errorf("unable to type cast %q parameter to int8 value", name) + } + return v, nil + +} + +func (kpars Kparams) GetUint16(name string) (uint16, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return uint16(0), err + } + v, ok := kpar.Value.(uint16) + if !ok { + return uint16(0), fmt.Errorf("unable to type cast %q parameter to uint16 value", name) + } + return v, nil +} + +func (kpars Kparams) GetInt16(name string) (int16, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return int16(0), err + } + v, ok := kpar.Value.(int16) + if !ok { + return int16(0), fmt.Errorf("unable to type cast %q parameter to int16 value", name) + } + return v, nil +} + +func (kpars Kparams) GetUint32(name string) (uint32, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return uint32(0), err + } + v, ok := kpar.Value.(uint32) + if !ok { + return uint32(0), fmt.Errorf("unable to type cast %q parameter to uint32 value", name) + } + return v, nil +} + +func (kpars Kparams) GetInt32(name string) (int32, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return int32(0), err + } + v, ok := kpar.Value.(int32) + if !ok { + return int32(0), fmt.Errorf("unable to type cast %q parameter to int32 value", name) + } + return v, nil +} + +func (kpars Kparams) GetUint64(name string) (uint64, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return uint64(0), err + } + v, ok := kpar.Value.(uint64) + if !ok { + return uint64(0), fmt.Errorf("unable to type cast %q parameter to uint64 value", name) + } + return v, nil +} + +func (kpars Kparams) GetInt64(name string) (int64, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return int64(0), err + } + v, ok := kpar.Value.(int64) + if !ok { + return int64(0), fmt.Errorf("unable to type cast %q parameter to int64 value", name) + } + return v, nil +} + +func (kpars Kparams) GetFloat(name string) (float32, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return float32(0), err + } + v, ok := kpar.Value.(float32) + if !ok { + return float32(0), fmt.Errorf("unable to type cast %q parameter to float32 value", name) + } + return v, nil +} + +func (kpars Kparams) GetDouble(name string) (float64, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return float64(0), err + } + v, ok := kpar.Value.(float64) + if !ok { + return float64(0), fmt.Errorf("unable to type cast %q parameter to float64 value", name) + } + return v, nil + +} + +func (kpars Kparams) GetHexAsUint32(name string) (uint32, error) { + hex, err := kpars.GetHex(name) + if err != nil { + return uint32(0), err + } + return hex.Uint32(), nil +} + +func (kpars Kparams) GetHexAsUint8(name string) (uint8, error) { + hex, err := kpars.GetHex(name) + if err != nil { + return uint8(0), err + } + return hex.Uint8(), nil +} + +func (kpars Kparams) GetHexAsUint64(name string) (uint64, error) { + hex, err := kpars.GetHex(name) + if err != nil { + return uint64(0), err + } + return hex.Uint64(), nil +} + +func (kpars Kparams) GetHex(name string) (kparams.Hex, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return "", err + } + v, ok := kpar.Value.(kparams.Hex) + if !ok { + return "", fmt.Errorf("unable to type cast %q parameter to Hex value", name) + } + return v, nil +} + +func (kpars Kparams) GetIPv4(name string) (net.IP, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return net.IP{}, err + } + if kpar.Type != kparams.IPv4 { + return net.IP{}, fmt.Errorf("%q parameter is not an IPv4 address", name) + } + v, ok := kpar.Value.(net.IP) + if !ok { + return net.IP{}, fmt.Errorf("unable to type cast %q parameter to net.IP value", name) + } + return v, nil +} + +func (kpars Kparams) GetIPv6(name string) (net.IP, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return net.IP{}, err + } + if kpar.Type != kparams.IPv6 { + return net.IP{}, fmt.Errorf("%q parameter is not an IPv6 address", name) + } + v, ok := kpar.Value.(net.IP) + if !ok { + return net.IP{}, fmt.Errorf("unable to type cast %q parameter to net.IP value", name) + } + return v, nil +} + +func (kpars Kparams) GetIP(name string) (net.IP, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return net.IP{}, err + } + if kpar.Type != kparams.IPv4 && kpar.Type != kparams.IPv6 { + return net.IP{}, fmt.Errorf("%q parameter is not an IP address", name) + } + v, ok := kpar.Value.(net.IP) + if !ok { + return net.IP{}, fmt.Errorf("unable to type cast %q parameter to net.IP value", name) + } + return v, nil +} + +func (kpars Kparams) GetTime(name string) (time.Time, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return time.Unix(0, 0), err + } + v, ok := kpar.Value.(time.Time) + if !ok { + return time.Unix(0, 0), fmt.Errorf("unable to type cast %q parameter to Time value", name) + } + return v, nil +} + +func (kpars Kparams) GetStringSlice(name string) ([]string, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return nil, err + } + v, ok := kpar.Value.([]string) + if !ok { + return nil, fmt.Errorf("unable to type cast %q parameter to string slice", name) + } + return v, nil +} + +func (kpars Kparams) GetSlice(name string) (kparams.Value, error) { + kpar, err := kpars.findParam(name) + if err != nil { + return nil, err + } + if reflect.TypeOf(kpar.Value).Kind() != reflect.Slice { + return nil, fmt.Errorf("%q parameter is not a slice", name) + } + return kpar.Value, nil +} + +func (kpars Kparams) String() string { + var sb strings.Builder + // sort parameters by name + pars := make([]*Kparam, 0, len(kpars)) + for _, kpar := range kpars { + pars = append(pars, kpar) + } + sort.Slice(pars, func(i, j int) bool { return pars[i].Name < pars[j].Name }) + for i, kpar := range pars { + switch ParamNameCaseStyle { + case SnakeCase: + sb.WriteString(kpar.Name + ParamKVDelimiter + kpar.String()) + case DotCase: + sb.WriteString(strings.Replace(kpar.Name, "_", ".", -1) + ParamKVDelimiter + kpar.String()) + case PascalCase: + sb.WriteString(strings.Replace(strings.Title(strings.Replace(kpar.Name, "_", " ", -1)), " ", "", -1) + ParamKVDelimiter + kpar.String()) + case CamelCase: + } + if i != len(pars)-1 { + sb.WriteString(", ") + } + } + return sb.String() +} + +// Find returns the kparam with specified name. If it is not found, nil value is returned. +func (kpars Kparams) Find(name string) *Kparam { + kpar, err := kpars.findParam(name) + if err != nil { + return nil + } + return kpar +} + +// findParam lookups a parameter in the map and returns an error if it doesn't exist. +func (kpars Kparams) findParam(name string) (*Kparam, error) { + if _, ok := kpars[name]; !ok { + return nil, &kerrors.ErrKparamNotFound{Name: name} + } + return kpars[name], nil +} + +func joinSID(account, domain string) string { return fmt.Sprintf("%s\\%s", domain, account) } diff --git a/pkg/kevent/kparam_test.go b/pkg/kevent/kparam_test.go new file mode 100644 index 000000000..aaff8dc85 --- /dev/null +++ b/pkg/kevent/kparam_test.go @@ -0,0 +1,62 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kevent + +import ( + "github.com/rabbitstack/fibratus/pkg/fs" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "testing" +) + +func TestKparams(t *testing.T) { + kpars := Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(18446738026482168384)}, + kparams.ThreadID: {Name: kparams.ThreadID, Type: kparams.Uint32, Value: uint32(1484)}, + kparams.FileCreateOptions: {Name: kparams.FileCreateOptions, Type: kparams.Uint32, Value: uint32(1223456)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll"}, + kparams.FileShareMask: {Name: kparams.FileShareMask, Type: kparams.Uint32, Value: uint32(5)}, + } + + assert.True(t, kpars.Contains(kparams.FileObject)) + assert.False(t, kpars.Contains(kparams.FileOffset)) + + filename, err := kpars.GetString(kparams.FileName) + require.NoError(t, err) + assert.Equal(t, "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", filename) + + filename, err = kpars.GetString(kparams.FileObject) + require.Error(t, err) + + assert.Equal(t, 5, kpars.Len()) + + kpars.Remove(kparams.ThreadID) + + assert.False(t, kpars.Contains(kparams.ThreadID)) + assert.Equal(t, 4, kpars.Len()) + + require.NoError(t, kpars.Set(kparams.FileShareMask, fs.FileShareMode(5), kparams.Enum)) + + filemode, err := kpars.Get(kparams.FileShareMask) + require.NoError(t, err) + mode := filemode.(fs.FileShareMode) + + assert.Equal(t, "r-d", mode.String()) +} diff --git a/pkg/kevent/kparams/canonicalize.go b/pkg/kevent/kparams/canonicalize.go new file mode 100644 index 000000000..d12e7dec2 --- /dev/null +++ b/pkg/kevent/kparams/canonicalize.go @@ -0,0 +1,191 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kparams + +const ( + uniqueProcessKey = "UniqueProcessKey" + processID = "ProcessId" + parentID = "ParentId" + sessionID = "SessionId" + exitStatus = "ExitStatus" + dirTableBase = "DirectoryTableBase" + userSID = "UserSID" + imageFileName = "ImageFileName" + commandLine = "CommandLine" + + tthreadID = "TThreadId" + issuingThreadId = "IssuingThreadId" + ttid = "TTID" + + pid = "PID" + + basePriority = "BasePriority" + ioPriority = "IoPriority" + pagePriority = "PagePriority" + stackBase = "StackBase" + stackLimit = "StackLimit" + userStackBase = "UserStackBase" + userStackLimit = "UserStackLimit" + win32StartAddr = "Win32StartAddr" + + fileObject = "FileObject" + fileName = "FileName" + openPath = "OpenPath" + fileCreateOptions = "CreateOptions" + fileShareAccess = "ShareAccess" + fileOffset = "Offset" + fileIoSize = "IoSize" + fileInfoClass = "InfoClass" + fileKey = "FileKey" + fileExtraInfo = "ExtraInfo" + fileIrpPtr = "IrpPtr" + + keyName = "KeyName" + keyHandle = "KeyHandle" + registryStatus = "Status" + ntStatus = "NtStatus" + + imageBase = "ImageBase" + imageSize = "ImageSize" + imageChecksum = "ImageCheckSum" + imageDefaultBase = "DefaultBase" + + netDaddr = "daddr" + netSaddr = "saddr" + netDport = "dport" + netSport = "sport" + netSize = "size" + + handleID = "Handle" + handleObject = "Object" + handleObjectName = "ObjectName" + handleObjectType = "ObjectType" +) + +// Ignored returns the collection of parameters that are ignored by kernel stream consumer. +func Ignored() map[string]bool { + return map[string]bool{ + "Reserved0": true, + "Reserved1": true, + "Reserved2": true, + "Reserved3": true, + "Reserved4": true, + "ThreadFlags": true, + "ApplicationId": true, + "PackageFullName": true, + "IoFlags": true, + } +} + +// Canonicalize takes an original kernel event property name and normalizes it +// to canonical parameter name. +func Canonicalize(name string) string { + switch name { + case tthreadID, issuingThreadId, ttid: + return ThreadID + case processID, pid: + return ProcessID + case uniqueProcessKey: + return ProcessObject + case parentID: + return ProcessParentID + case sessionID: + return SessionID + case imageFileName: + return ProcessName + case commandLine: + return Comm + case userSID: + return UserSID + case exitStatus: + return ExitStatus + case dirTableBase: + return DTB + case basePriority: + return BasePrio + case ioPriority: + return IOPrio + case pagePriority: + return PagePrio + case stackBase: + return KstackBase + case stackLimit: + return KstackLimit + case userStackBase: + return UstackBase + case userStackLimit: + return UstackLimit + case win32StartAddr: + return ThreadEntrypoint + case fileObject: + return FileObject + case fileName, openPath: + return FileName + case fileCreateOptions: + return FileCreateOptions + case fileShareAccess: + return FileShareMask + case fileOffset: + return FileOffset + case fileIoSize: + return FileIoSize + case fileInfoClass: + return FileInfoClass + case fileKey: + return FileKey + case fileExtraInfo: + return FileExtraInfo + case fileIrpPtr: + return FileIrpPtr + case keyName: + return RegKeyName + case keyHandle: + return RegKeyHandle + case imageBase: + return ImageBase + case imageDefaultBase: + return ImageDefaultBase + case imageSize: + return ImageSize + case imageChecksum: + return ImageCheckSum + case netDaddr: + return NetDIP + case netSaddr: + return NetSIP + case netDport: + return NetDport + case netSport: + return NetSport + case netSize: + return NetSize + case handleID: + return HandleID + case handleObject: + return HandleObject + case handleObjectName: + return HandleObjectName + case handleObjectType: + return HandleObjectTypeID + case registryStatus, ntStatus: + return NTStatus + default: + return "" + } +} diff --git a/pkg/kevent/kparams/canonicalize_test.go b/pkg/kevent/kparams/canonicalize_test.go new file mode 100644 index 000000000..06cd22b2c --- /dev/null +++ b/pkg/kevent/kparams/canonicalize_test.go @@ -0,0 +1,19 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kparams diff --git a/pkg/kevent/kparams/fields.go b/pkg/kevent/kparams/fields.go new file mode 100644 index 000000000..b3e5d8d7e --- /dev/null +++ b/pkg/kevent/kparams/fields.go @@ -0,0 +1,147 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kparams + +const ( + // Status is the parameter that identifies the NTSTATUS value. + NTStatus = "status" + + // ProcessID represents the process identifier. + ProcessID = "pid" + // ProcessObject field represents the address of the process object in the kernel. + ProcessObject = "kproc" + ThreadID = "tid" + ProcessParentID = "ppid" + SessionID = "session_id" + UserSID = "sid" + ProcessName = "name" + Exe = "exe" + Comm = "comm" + DTB = "directory_table_base" + ExitStatus = "exit_status" + StartTime = "start_time" + + BasePrio = "base_prio" + IOPrio = "io_prio" + PagePrio = "page_prio" + KstackBase = "kstack" + KstackLimit = "kstack_limit" + UstackBase = "ustack" + UstackLimit = "ustack_limit" + ThreadEntrypoint = "entrypoint" + + // FileObject determines the field name for the file object pointer. + FileObject = "file_object" + // FileName represents the field that designates the absolute path of the file. + FileName = "file_name" + // FileCreateOptions is the field that represents the values passed in the CreateDispositions parameter to the NtCreateFile function. + FileCreateOptions = "options" + // FileDisposition is the field that represents the values passed in the CreateOptions parameter to the NtCreateFile function. + FileOperation = "operation" + // FileCreated represents the name for the file creation field. + FileCreated = "created" + // FileAccessed represents the name for the file access field. + FileAccessed = "accessed" + // FileModified represents the name for the file modification field. + FileModified = "modified" + // FileShareMask represents the field name for the share access mask. + FileShareMask = "share_mask" + // FileType represents the field name that indicates the file type. + FileType = "type" + // FileAttributes is the field that represents file attribute values. + FileAttributes = "attributes" + // FileIoSize is the filed that represents the number of bytes in file read/write operations. + FileIoSize = "io_size" + // FileOffset represents the file for the file offset in read/write operations. + FileOffset = "offset" + // FileInfoClass represents the file information class. + FileInfoClass = "class" + // FileKey represents the directory key identifier in EnumDirectory events. + FileKey = "file_key" + // FileDirectory represents the filed for the directory name in EnumDirectory events. + FileDirectory = "dir" + // FileIrpPtr represents the I/O request packet id. + FileIrpPtr = "irp" + // FileExtraInfo is the parameter that represents extra information returned by the file system for the operation. For example for a read request, the actual number of bytes that were read. + FileExtraInfo = "extra_info" + + // RegKeyHandle identifies the parameter name for the registry key handle. + RegKeyHandle = "key_handle" + // RegKeyName represents the parameter name for the fully qualified key name. + RegKeyName = "key_name" + // RegValue identifies the parameter name that contains the value + RegValue = "value" + // RegValueType identifies the parameter that represents registry value type e.g (DWORD, BINARY) + RegValueType = "type" + + // ImageBase identifies the parameter name for the base address of the process in which the image is loaded. + ImageBase = "base_address" + // ImageSize represents the parameter name for the size of the image in bytes. + ImageSize = "image_size" + // ImageCheckSum is the parameter name for image checksum. + ImageCheckSum = "checksum" + // ImageDefaultBase is the parameter name that represents image's base address. + ImageDefaultBase = "default_address" + // ImageFilename is the parameter name that denotes file name and extension of the DLL/executable image. + ImageFilename = "file_name" + + // NetSize identifies the parameter name that represents the packet size. + NetSize = "size" + // NetDIP is the parameter name that denotes the destination IP address. + NetDIP = "dip" + // NetSIP is the parameter name that denotes the source IP address. + NetSIP = "sip" + // NetDport identifies the parameter name that represents destination port number. + NetDport = "dport" + // NetSport identifies the parameter name that represents source port number. + NetSport = "sport" + // NetMSS is the parameter name that represents the maximum TCP segment size. + NetMSS = "mss" + // NetRcvWin is the parameter name that represents TCP segment's receive window size. + NetRcvWin = "rcvwin" + // NetSAckopt is the parameter name that represents Selective Acknowledgment option in TCP header. + NetSAckopt = "sack_opt" + // NetTsopt is the parameter name that represents the time stamp option in TCP header. + NetTsopt = "timestamp_opt" + // NetWsopt is the parameter name that represents the window scale option in TCP header. + NetWsopt = "window_scale_opt" + // NetRcvWinScale is the parameter name that represents the TCP receive window scaling factor. + NetRcvWinScale = "recv_winscale" + // NetSendWinScale is the parameter name that represents the TCP send window scaling factor. + NetSendWinScale = "send_winscale" + // NetSeqNum is the parameter name that represents that represents the TCP sequence number. + NetSeqNum = "seqnum" + // NetConnID is the parameter name that represents a unique connection identifier. + NetConnID = "connid" + // NetL4Proto is the parameter name that identifies the Layer 4 protocol name. + NetL4Proto = "l4_proto" + NetDportName = "dport_name" + NetSportName = "sport_name" + + // HandleID identifies the parameter that specifies the handle identifier. + HandleID = "handle_id" + // HandleObject identifies the parameter that represents the kernel object to which handle is associated. + HandleObject = "handle_object" + // HandleObjectName identifies the parameter that represents the kernel object name. + HandleObjectName = "handle_name" + // HandleObjectType identifies the parameter that represents the kernel object type identifier. + HandleObjectTypeID = "type_id" + // HandleObjectTypeName identifies the parameter that represents the kernel object type name. + HandleObjectTypeName = "handle_type" +) diff --git a/pkg/kevent/kparams/types.go b/pkg/kevent/kparams/types.go new file mode 100644 index 000000000..4b9f3e167 --- /dev/null +++ b/pkg/kevent/kparams/types.go @@ -0,0 +1,167 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kparams + +import ( + "strconv" +) + +const ( + // NA defines absent parameter's value + NA = "na" +) + +// Value defines the container for parameter values +type Value interface{} + +// Type defines kernel event parameter type +type Type uint16 + +// Hex is the type alias for hexadecimal values +type Hex string + +// NewHex creates a new Hex type from the given integer value. +func NewHex(v Value) Hex { + switch n := v.(type) { + case uint8: + return Hex(strconv.FormatUint(uint64(n), 16)) + case uint16: + return Hex(strconv.FormatUint(uint64(n), 16)) + case uint32: + return Hex(strconv.FormatUint(uint64(n), 16)) + case uint64: + return Hex(strconv.FormatUint(uint64(n), 16)) + case int32: + return Hex(strconv.FormatInt(int64(n), 16)) + case int64: + return Hex(strconv.FormatInt(int64(n), 16)) + default: + return "" + } +} + +// Uint8 yields an uint8 value from its hex representation. +func (hex Hex) Uint8() uint8 { return uint8(hex.parseUint(8)) } + +// Uint16 yields an uint16 value from its hex representation. +func (hex Hex) Uint16() uint16 { return uint16(hex.parseUint(16)) } + +// Uint32 yields an uint32 value from its hex representation. +func (hex Hex) Uint32() uint32 { return uint32(hex.parseUint(32)) } + +// Uint64 yields an uint64 value from its hex representation. +func (hex Hex) Uint64() uint64 { return hex.parseUint(64) } + +func (hex Hex) parseUint(bitSize int) uint64 { + num, err := strconv.ParseUint(string(hex), 16, bitSize) + if err != nil { + return uint64(0) + } + return num +} + +// String returns a string representation of the hex value. +func (hex Hex) String() string { + return string(hex) +} + +const ( + Null Type = iota + UnicodeString + AnsiString + Int8 + Uint8 + Int16 + Uint16 + Int32 + Uint32 + Int64 + Uint64 + Float + Double + Bool + Binary + GUID + Pointer + SID + PID + TID + WbemSID + HexInt8 + HexInt16 + HexInt32 + HexInt64 + Port + IP + IPv4 + IPv6 + Time // timestamp + Slice // sequence of values + Enum // enumeration + Map + Object + Unknown +) + +func (t Type) String() string { + switch t { + case UnicodeString: + return "unicode" + case AnsiString: + return "ansi" + case Int8: + return "int8" + case Uint8: + return "uint8" + case HexInt8: + return "hex8" + case Int16: + return "int16" + case Uint16: + return "uint16" + case HexInt16: + return "hex16" + case Int32: + return "int32" + case Uint32: + return "uint32" + case Int64: + return "int64" + case Uint64: + return "uint64" + case HexInt32: + return "hex32" + case HexInt64: + return "hex64" + case SID, WbemSID: + return "sid" + case TID: + return "tid" + case PID: + return "pid" + case Port: + return "port" + case IPv6: + return "ipv6" + case IPv4: + return "ipv4" + default: + return "unknown" + } +} diff --git a/pkg/kevent/kparams/types_test.go b/pkg/kevent/kparams/types_test.go new file mode 100644 index 000000000..478991edb --- /dev/null +++ b/pkg/kevent/kparams/types_test.go @@ -0,0 +1,38 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kparams + +import ( + "github.com/stretchr/testify/assert" + + "testing" +) + +func TestNewHex(t *testing.T) { + hex := NewHex(uint32(7264)) + assert.Equal(t, Hex("1c60"), hex) + assert.Equal(t, uint32(7264), hex.Uint32()) + + hex = NewHex(uint32(4294967295)) + assert.Equal(t, Hex("ffffffff"), hex) + + hex = NewHex(uint64(18446744073709551615)) + assert.Equal(t, Hex("ffffffffffffffff"), hex) + assert.Equal(t, uint64(18446744073709551615), hex.Uint64()) +} diff --git a/pkg/kevent/ktypes/category.go b/pkg/kevent/ktypes/category.go new file mode 100644 index 000000000..02a11f9a5 --- /dev/null +++ b/pkg/kevent/ktypes/category.go @@ -0,0 +1,43 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ktypes + +// Category is the type alias for kernel event categories +type Category string + +const ( + // Registry is the category for registry related kernel events + Registry Category = "registry" + // File is the category for file system events + File Category = "file" + // Net is the category for network events + Net Category = "net" + // Process is the category for process events + Process Category = "process" + // Thread is the category for thread events + Thread Category = "thread" + // Image is the category for image events + Image Category = "image" + // Handle is the category for handle events + Handle Category = "handle" + // Other is the category for uncategorized events + Other Category = "other" + // Unknown is the category for events that couldn't match any of the previous categories + Unknown Category = "unknown" +) diff --git a/pkg/kevent/ktypes/ktypes.go b/pkg/kevent/ktypes/ktypes.go new file mode 100644 index 000000000..10141aef8 --- /dev/null +++ b/pkg/kevent/ktypes/ktypes.go @@ -0,0 +1,290 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ktypes + +import ( + "hash/fnv" + "syscall" +) + +// Ktype identifies a kernel event type. It comprises the kernel event GUID + one extra opcode byte to uniquely identify a kernel event +type Ktype [17]byte + +var ( + // CreateProcess identifies process creation kernel events + CreateProcess = Pack(syscall.GUID{Data1: 0x3d6fa8d0, Data2: 0xfe05, Data3: 0x11d0, Data4: [8]byte{0x9d, 0xda, 0x0, 0xc0, 0x4f, 0xd7, 0xba, 0x7c}}, 1) + // TerminateProcess identifies process termination kernel events + TerminateProcess = Pack(syscall.GUID{Data1: 0x3d6fa8d0, Data2: 0xfe05, Data3: 0x11d0, Data4: [8]byte{0x9d, 0xda, 0x0, 0xc0, 0x4f, 0xd7, 0xba, 0x7c}}, 2) + // EnumProcess represents the start data collection process event that enumerates processes that are currently running at the time the kernel session starts + EnumProcess = Pack(syscall.GUID{Data1: 0x3d6fa8d0, Data2: 0xfe05, Data3: 0x11d0, Data4: [8]byte{0x9d, 0xda, 0x0, 0xc0, 0x4f, 0xd7, 0xba, 0x7c}}, 3) + + // CreateThread identifies thread creation kernel events + CreateThread = Pack(syscall.GUID{Data1: 0x3d6fa8d1, Data2: 0xfe05, Data3: 0x11d0, Data4: [8]byte{0x9d, 0xda, 0x0, 0xc0, 0x4f, 0xd7, 0xba, 0x7c}}, 1) + // TerminateThread identifies thread termination kernel events + TerminateThread = Pack(syscall.GUID{Data1: 0x3d6fa8d1, Data2: 0xfe05, Data3: 0x11d0, Data4: [8]byte{0x9d, 0xda, 0x0, 0xc0, 0x4f, 0xd7, 0xba, 0x7c}}, 2) + // EnumThread represents the start data collection thread event that enumerates threads that are currently running at the time the kernel session starts + EnumThread = Pack(syscall.GUID{Data1: 0x3d6fa8d1, Data2: 0xfe05, Data3: 0x11d0, Data4: [8]byte{0x9d, 0xda, 0x0, 0xc0, 0x4f, 0xd7, 0xba, 0x7c}}, 3) + + // FileRundown events are generated by kernel rundown logger to enumerate all open files on the start of the kernel session + FileRundown = Pack(syscall.GUID{Data1: 0x90cbdc39, Data2: 0x4a3e, Data3: 0x11d1, Data4: [8]byte{0x84, 0xf4, 0x0, 0x0, 0xf8, 0x04, 0x64, 0xe3}}, 36) + // CreateFile represents events that create/open a file or I/O device + CreateFile = Pack(syscall.GUID{Data1: 0x90cbdc39, Data2: 0x4a3e, Data3: 0x11d1, Data4: [8]byte{0x84, 0xf4, 0x0, 0x0, 0xf8, 0x04, 0x64, 0xe3}}, 64) + // ReleaseFile represents events that occur when the last file handle is disposed + ReleaseFile = Pack(syscall.GUID{Data1: 0x90cbdc39, Data2: 0x4a3e, Data3: 0x11d1, Data4: [8]byte{0x84, 0xf4, 0x0, 0x0, 0xf8, 0x04, 0x64, 0xe3}}, 65) + // CloseFile represents events that dispose existing kernel file objects + CloseFile = Pack(syscall.GUID{Data1: 0x90cbdc39, Data2: 0x4a3e, Data3: 0x11d1, Data4: [8]byte{0x84, 0xf4, 0x0, 0x0, 0xf8, 0x04, 0x64, 0xe3}}, 66) + // ReadFile represents events that read data from the file or I/O device + ReadFile = Pack(syscall.GUID{Data1: 0x90cbdc39, Data2: 0x4a3e, Data3: 0x11d1, Data4: [8]byte{0x84, 0xf4, 0x0, 0x0, 0xf8, 0x04, 0x64, 0xe3}}, 67) + // WriteFile represents events that write data to the file or I/O device + WriteFile = Pack(syscall.GUID{Data1: 0x90cbdc39, Data2: 0x4a3e, Data3: 0x11d1, Data4: [8]byte{0x84, 0xf4, 0x0, 0x0, 0xf8, 0x04, 0x64, 0xe3}}, 68) + // SetFileInformation represents events that set file information + SetFileInformation = Pack(syscall.GUID{Data1: 0x90cbdc39, Data2: 0x4a3e, Data3: 0x11d1, Data4: [8]byte{0x84, 0xf4, 0x0, 0x0, 0xf8, 0x04, 0x64, 0xe3}}, 69) + // DeleteFile identifies file deletion events + DeleteFile = Pack(syscall.GUID{Data1: 0x90cbdc39, Data2: 0x4a3e, Data3: 0x11d1, Data4: [8]byte{0x84, 0xf4, 0x0, 0x0, 0xf8, 0x04, 0x64, 0xe3}}, 70) + // RenameFile identifies events that are responsible for renaming files + RenameFile = Pack(syscall.GUID{Data1: 0x90cbdc39, Data2: 0x4a3e, Data3: 0x11d1, Data4: [8]byte{0x84, 0xf4, 0x0, 0x0, 0xf8, 0x04, 0x64, 0xe3}}, 71) + // EnumDirectory identifies enumerate directory and directory notification events + EnumDirectory = Pack(syscall.GUID{Data1: 0x90cbdc39, Data2: 0x4a3e, Data3: 0x11d1, Data4: [8]byte{0x84, 0xf4, 0x0, 0x0, 0xf8, 0x04, 0x64, 0xe3}}, 72) + // FileOpEnd signals the finalization of the file operation + FileOpEnd = Pack(syscall.GUID{Data1: 0x90cbdc39, Data2: 0x4a3e, Data3: 0x11d1, Data4: [8]byte{0x84, 0xf4, 0x0, 0x0, 0xf8, 0x04, 0x64, 0xe3}}, 76) + + // RegCreateKey represents registry key creation kernel events + RegCreateKey = Pack(syscall.GUID{Data1: 0xae53722e, Data2: 0xc863, Data3: 0x11d2, Data4: [8]byte{0x86, 0x59, 0x0, 0xc0, 0x4f, 0xa3, 0x21, 0xa1}}, 10) + // RegOpenKey represents registry open key kernel events + RegOpenKey = Pack(syscall.GUID{Data1: 0xae53722e, Data2: 0xc863, Data3: 0x11d2, Data4: [8]byte{0x86, 0x59, 0x0, 0xc0, 0x4f, 0xa3, 0x21, 0xa1}}, 11) + // RegDeleteKey represents registry key deletion kernel events + RegDeleteKey = Pack(syscall.GUID{Data1: 0xae53722e, Data2: 0xc863, Data3: 0x11d2, Data4: [8]byte{0x86, 0x59, 0x0, 0xc0, 0x4f, 0xa3, 0x21, 0xa1}}, 12) + // RegQueryValue represents registry query key kernel events + RegQueryKey = Pack(syscall.GUID{Data1: 0xae53722e, Data2: 0xc863, Data3: 0x11d2, Data4: [8]byte{0x86, 0x59, 0x0, 0xc0, 0x4f, 0xa3, 0x21, 0xa1}}, 13) + // RegSetValue represents registry set value kernel events + RegSetValue = Pack(syscall.GUID{Data1: 0xae53722e, Data2: 0xc863, Data3: 0x11d2, Data4: [8]byte{0x86, 0x59, 0x0, 0xc0, 0x4f, 0xa3, 0x21, 0xa1}}, 14) + // RegDeleteValue are kernel events for registry value removals + RegDeleteValue = Pack(syscall.GUID{Data1: 0xae53722e, Data2: 0xc863, Data3: 0x11d2, Data4: [8]byte{0x86, 0x59, 0x0, 0xc0, 0x4f, 0xa3, 0x21, 0xa1}}, 15) + // RegQueryValue are kernel events for registry value queries + RegQueryValue = Pack(syscall.GUID{Data1: 0xae53722e, Data2: 0xc863, Data3: 0x11d2, Data4: [8]byte{0x86, 0x59, 0x0, 0xc0, 0x4f, 0xa3, 0x21, 0xa1}}, 16) + // RegCreateKCB represents kernel events for KCB (Key Control Block) creation requests + RegCreateKCB = Pack(syscall.GUID{Data1: 0xae53722e, Data2: 0xc863, Data3: 0x11d2, Data4: [8]byte{0x86, 0x59, 0x0, 0xc0, 0x4f, 0xa3, 0x21, 0xa1}}, 22) + // RegDeleteKCB represents kernel events for KCB(Key Control Block) closures + RegDeleteKCB = Pack(syscall.GUID{Data1: 0xae53722e, Data2: 0xc863, Data3: 0x11d2, Data4: [8]byte{0x86, 0x59, 0x0, 0xc0, 0x4f, 0xa3, 0x21, 0xa1}}, 23) + // RegKCBRundown enumerates the registry keys open at the start of the kernel session. + RegKCBRundown = Pack(syscall.GUID{Data1: 0xae53722e, Data2: 0xc863, Data3: 0x11d2, Data4: [8]byte{0x86, 0x59, 0x0, 0xc0, 0x4f, 0xa3, 0x21, 0xa1}}, 25) + // RegOpenKeyV1 represents registry open key kernel event. It looks like this event type defines identical kernel event type as RegOpenKey + RegOpenKeyV1 = Pack(syscall.GUID{Data1: 0xae53722e, Data2: 0xc863, Data3: 0x11d2, Data4: [8]byte{0x86, 0x59, 0x0, 0xc0, 0x4f, 0xa3, 0x21, 0xa1}}, 27) + + // UnloadImage represents unload image kernel events + UnloadImage = Pack(syscall.GUID{Data1: 0x2cb15d1d, Data2: 0x5fc1, Data3: 0x11d2, Data4: [8]byte{0xab, 0xe1, 0x0, 0xa0, 0xc9, 0x11, 0xf5, 0x18}}, 2) + // EnumImage represents kernel events that is triggered to enumerate all loaded images + EnumImage = Pack(syscall.GUID{Data1: 0x2cb15d1d, Data2: 0x5fc1, Data3: 0x11d2, Data4: [8]byte{0xab, 0xe1, 0x0, 0xa0, 0xc9, 0x11, 0xf5, 0x18}}, 3) + // LoadImage represents load image kernel events that are triggered when a DLL or executable file is loaded + LoadImage = Pack(syscall.GUID{Data1: 0x2cb15d1d, Data2: 0x5fc1, Data3: 0x11d2, Data4: [8]byte{0xab, 0xe1, 0x0, 0xa0, 0xc9, 0x11, 0xf5, 0x18}}, 10) + + // AcceptTCPv4 represents the TCPv4 kernel events for accepting connection requests from the socket queue. + AcceptTCPv4 = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 15) + // AcceptTCPv6 represents the TCPv6 kernel events for accepting connection requests from the socket queue. + AcceptTCPv6 = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 31) + // SendTCPv4 represents the TCPv4 kernel events for sending data to the connected socket. + SendTCPv4 = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 10) + // SendTCPv6 represents the TCPv6 kernel events for sending data to the connected socket. + SendTCPv6 = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 26) + // SendUDPv4 represents the UDPv4 kernel events for sending datagrams to connectionless sockets. + SendUDPv4 = Pack(syscall.GUID{Data1: 0xbf3a50c5, Data2: 0xa9c9, Data3: 0x4988, Data4: [8]byte{0xa0, 0x05, 0x2d, 0xc0, 0xb7, 0xc8, 0x0f, 0x80}}, 10) + // SendUDPv6 represents the UDPv6 kernel events for sending datagrams to connectionless sockets. + SendUDPv6 = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 26) + + RecvTCPv4 = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 11) + RecvTCPv6 = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 27) + RecvUDPv4 = Pack(syscall.GUID{Data1: 0xbf3a50c5, Data2: 0xa9c9, Data3: 0x4988, Data4: [8]byte{0xa0, 0x05, 0x2d, 0xc0, 0xb7, 0xc8, 0x0f, 0x80}}, 10) + RecvUDPv6 = Pack(syscall.GUID{Data1: 0xbf3a50c5, Data2: 0xa9c9, Data3: 0x4988, Data4: [8]byte{0xa0, 0x05, 0x2d, 0xc0, 0xb7, 0xc8, 0x0f, 0x80}}, 27) + + ConnectTCPv4 = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 12) + ConnectTCPv6 = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 28) + + DisconnectTCPv4 = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 13) + DisconnectTCPv6 = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 29) + Disconnect = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 42) + + ReconnectTCPv4 = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 16) + ReconnectTCPv6 = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 32) + + RetransmitTCPv4 = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 14) + RetransmitTCPv6 = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 30) + + // Accept represents the global kernel event type for both TCP v4/v6 connections. Note this is an artificial kernel event that is never published by the provider. + Accept = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 46) + // Send represents the global kernel event for all variants of sending data to sockets. Note this is an artificial kernel event that is never published by the provider. + Send = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xa9c9, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 72) + Recv = Pack(syscall.GUID{Data1: 0xbf3a50c5, Data2: 0xc8e0, Data3: 0x4988, Data4: [8]byte{0xa0, 0x05, 0x2d, 0xc0, 0xb7, 0xc8, 0x0f, 0x80}}, 75) + Connect = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 40) + Reconnect = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 47) + Retransmit = Pack(syscall.GUID{Data1: 0x9a280ac0, Data2: 0xc8e0, Data3: 0x11d1, Data4: [8]byte{0x84, 0xe2, 0x0, 0xc0, 0x4f, 0xb9, 0x98, 0xa2}}, 44) + + // CreateHandle represents handle creation kernel event + CreateHandle = Pack(syscall.GUID{Data1: 0x89497f50, Data2: 0xeffe, Data3: 0x4440, Data4: [8]byte{0x8c, 0xf2, 0xce, 0x6b, 0x1c, 0xdc, 0xac, 0xa7}}, 32) + // CloseHandle represents handle closure kernel event + CloseHandle = Pack(syscall.GUID{Data1: 0x89497f50, Data2: 0xeffe, Data3: 0x4440, Data4: [8]byte{0x8c, 0xf2, 0xce, 0x6b, 0x1c, 0xdc, 0xac, 0xa7}}, 33) + + // UnknownKtype designates unknown kernel event type + UnknownKtype = Pack(syscall.GUID{}, 0) +) + +// String returns the string representation of the kernel event type. If event is unknown a GUID representation that includes the GUID of the event's provider + the opcode type is presented. +func (k Ktype) String() string { + switch k { + case CreateProcess: + return "CreateProcess" + case TerminateProcess: + return "TerminateProcess" + case CreateThread: + return "CreateThread" + case TerminateThread: + return "TerminateThread" + case CreateFile: + return "CreateFile" + case CloseFile: + return "CloseFile" + case ReleaseFile: + return "ReleaseFile" + case ReadFile: + return "ReadFile" + case WriteFile: + return "WriteFile" + case SetFileInformation: + return "SetFileInformation" + case DeleteFile: + return "DeleteFile" + case RenameFile: + return "RenameFile" + case EnumDirectory: + return "EnumDirectory" + case FileOpEnd: + return "FileOpEnd" + case FileRundown: + return "FileRundown" + case CreateHandle: + return "CreateHandle" + case CloseHandle: + return "CloseHandle" + case RegKCBRundown: + return "RegKCBRundown" + case RegOpenKey, RegOpenKeyV1: + return "RegOpenKey" + case RegCreateKey: + return "RegCreateKey" + case RegDeleteKey: + return "RegDeleteKey" + case RegDeleteValue: + return "RegDeleteValue" + case RegQueryKey: + return "RegQueryKey" + case RegQueryValue: + return "RegQueryValue" + case RegCreateKCB: + return "RegCreateKCB" + case LoadImage: + return "LoadImage" + case UnloadImage: + return "UnloadImage" + case Accept: + return "Accept" + case Send: + return "Send" + case Recv: + return "Recv" + case Connect: + return "Connect" + case Reconnect: + return "Reconnect" + case Disconnect: + return "Disconnect" + case Retransmit: + return "Retransmit" + default: + return string(k[:]) + } +} + +// Hash calculates the hash number of the ktype. +func (k Ktype) Hash() uint32 { + h := fnv.New32() + _, err := h.Write([]byte(k.String())) + if err != nil { + return 0 + } + return h.Sum32() +} + +// Exists determines whether particular ktype exists. +func (k Ktype) Exists() bool { + switch k { + case EnumProcess, EnumThread, FileRundown, FileOpEnd, ReleaseFile, EnumImage, RegCreateKCB, RegKCBRundown: + return true + default: + // for composite kernel events we match against a single global ktype. This way + // we use a unique kernel type to group several kernel events. For example, `Send` + // designates all network Send regardless of transport protocol or IP version + if k == AcceptTCPv4 || k == AcceptTCPv6 { + return true + } + if k == ConnectTCPv4 || k == ConnectTCPv6 { + return true + } + if k == ReconnectTCPv4 || k == ReconnectTCPv6 { + return true + } + if k == RetransmitTCPv4 || k == RetransmitTCPv6 { + return true + } + if k == DisconnectTCPv4 || k == DisconnectTCPv6 { + return true + } + if k == SendTCPv4 || k == SendTCPv6 || k == SendUDPv4 || k == SendUDPv6 { + return true + } + if k == RecvTCPv4 || k == RecvTCPv6 || k == RecvUDPv4 || k == RecvUDPv6 { + return true + } + _, ok := kevents[k] + return ok + } +} + +// Dropped determines whether certain events responsible for building the internal state are kept or dropped before hitting +// the output channel. +func (k Ktype) Dropped(capture bool) bool { + switch k { + case EnumProcess, EnumThread, FileRundown, FileOpEnd, ReleaseFile, EnumImage, RegCreateKCB, RegKCBRundown: + if capture { + return false + } + return true + default: + return false + } +} + +// Pack transforms event provider GUID and the op code into `Ktype` type. The type provides a convenient way +// to compare different kernel event types. +func Pack(g syscall.GUID, opcode uint8) Ktype { + return Ktype([17]byte{ + byte(g.Data1 >> 24), byte(g.Data1 >> 16), byte(g.Data1 >> 8), byte(g.Data1), + byte(g.Data2 >> 8), byte(g.Data2), byte(g.Data3 >> 8), byte(g.Data3), + g.Data4[0], g.Data4[1], g.Data4[2], g.Data4[3], g.Data4[4], g.Data4[5], g.Data4[6], g.Data4[7], + byte(opcode), + }) +} diff --git a/pkg/kevent/ktypes/ktypes_test.go b/pkg/kevent/ktypes/ktypes_test.go new file mode 100644 index 000000000..6a92e7206 --- /dev/null +++ b/pkg/kevent/ktypes/ktypes_test.go @@ -0,0 +1,69 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ktypes + +import ( + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "syscall" + "testing" +) + +func TestPack(t *testing.T) { + assert.Equal(t, byte(0x3d), CreateProcess[0]) + assert.Equal(t, byte(0x6f), CreateProcess[1]) + assert.Equal(t, byte(0xa8), CreateProcess[2]) + assert.Equal(t, byte(0xd0), CreateProcess[3]) + + assert.Equal(t, byte(0xfe), CreateProcess[4]) + assert.Equal(t, byte(0x05), CreateProcess[5]) + + assert.Equal(t, byte(0x11), CreateProcess[6]) + assert.Equal(t, byte(0xd0), CreateProcess[7]) + + assert.Equal(t, byte(0x9d), CreateProcess[8]) + assert.Equal(t, byte(0xda), CreateProcess[9]) + assert.Equal(t, byte(0x0), CreateProcess[10]) + assert.Equal(t, byte(0xc0), CreateProcess[11]) + assert.Equal(t, byte(0x4f), CreateProcess[12]) + assert.Equal(t, byte(0xd7), CreateProcess[13]) + assert.Equal(t, byte(0xba), CreateProcess[14]) + assert.Equal(t, byte(0x7c), CreateProcess[15]) + + assert.Equal(t, byte(0x1), CreateProcess[16]) + + kt := Pack(syscall.GUID{Data1: 0x3d6fa8d0, Data2: 0xfe05, Data3: 0x11d0, Data4: [8]byte{0x9d, 0xda, 0x0, 0xc0, 0x4f, 0xd7, 0xba, 0x7c}}, 1) + assert.Equal(t, CreateProcess, kt) + + kt = Pack(syscall.GUID{Data1: 0x3d6fa8d0, Data2: 0xfe05, Data3: 0x11d0, Data4: [8]byte{0x9d, 0xda, 0x0, 0xc0, 0x4f, 0xd7, 0xba, 0x7c}}, 2) + assert.NotEqual(t, CreateProcess, kt) + assert.Equal(t, TerminateProcess, kt) + + switch kt { + case TerminateProcess: + default: + t.Fatal("expected TerminateProcess kernel event") + } +} + +func TestKtypeExists(t *testing.T) { + require.True(t, Accept.Exists()) + require.True(t, AcceptTCPv4.Exists()) + require.True(t, AcceptTCPv6.Exists()) +} diff --git a/pkg/kevent/ktypes/metainfo.go b/pkg/kevent/ktypes/metainfo.go new file mode 100644 index 000000000..f5a88d41e --- /dev/null +++ b/pkg/kevent/ktypes/metainfo.go @@ -0,0 +1,149 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ktypes + +import "sort" + +// KeventInfo describes the kernel event meta info such as human readable name, category +// and event's description. +type KeventInfo struct { + // Name is the human-readable representation of the kernel event (e.g. CreateProcess, DeleteFile). + Name string + // Category designates the category to which kernel event pertains. (e.g. process, net) + Category Category + // Description is the short explanation that describes the purpose of the kernel event. + Description string +} + +var kevents = map[Ktype]KeventInfo{ + CreateProcess: {"CreateProcess", Process, "Creates a new process and its primary thread"}, + TerminateProcess: {"TerminateProcess", Process, "Terminates the process and all of its threads"}, + CreateThread: {"CreateThread", Thread, "Creates a thread to execute within the virtual address space of the calling process"}, + TerminateThread: {"TerminateThread", Thread, "Terminates a thread within the process"}, + ReadFile: {"ReadFile", File, "Reads data from the file or I/O device"}, + WriteFile: {"WriteFile", File, "Writes data to the file or I/O device"}, + CreateFile: {"CreateFile", File, "Creates or opens a file or I/O device"}, + CloseFile: {"CloseFile", File, "Closes the file handle"}, + DeleteFile: {"DeleteFile", File, "Removes the file from the file system"}, + RenameFile: {"RenameFile", File, "Changes the file name"}, + SetFileInformation: {"SetFileInformation", File, "Sets the file meta information"}, + EnumDirectory: {"EnumDirectory", File, "Enumerates a directory or dispatches a directory change notification to registered listeners"}, + RegCreateKey: {"RegCreateKey", Registry, "Creates a registry key or opens it if the key already exists"}, + RegOpenKey: {"RegOpenKey", Registry, "Opens the registry key"}, + RegSetValue: {"RegSetValue", Registry, "Sets the data for the value of a registry key"}, + RegQueryValue: {"RegQueryValue", Registry, "Reads the data for the value of a registry key"}, + RegQueryKey: {"RegQueryKey", Registry, "Enumerates subkeys of the parent key"}, + RegDeleteKey: {"RegDeleteKey", Registry, "Removes the registry key"}, + RegDeleteValue: {"RegDeleteValue", Registry, "Removes the registry value"}, + Accept: {"Accept", Net, "Accepts the connection request from the socket queue"}, + Send: {"Send", Net, "Sends data over the wire"}, + Recv: {"Recv", Net, "Receives data from the socket"}, + Connect: {"Connect", Net, "Connects establishes a connection to the socket"}, + Disconnect: {"Disconnect", Net, "Terminates data reception on the socket"}, + Reconnect: {"Reconnect", Net, "Reconnects to the socket"}, + Retransmit: {"Retransmit", Net, "Retransmits unacknowledged TCP segments"}, + LoadImage: {"LoadImage", Image, "Loads the module into the address space of the calling process"}, + UnloadImage: {"UnloadImage", Image, "Unloads the module from the address space of the calling process"}, + CreateHandle: {"CreateHandle", Handle, "Creates a new handle"}, + CloseHandle: {"CloseHandle", Handle, "Closes the handle"}, +} + +var ktypes = map[string]Ktype{ + "CreateProcess": CreateProcess, + "TerminateProcess": TerminateProcess, + "CreateThread": CreateThread, + "TerminateThread": TerminateThread, + "LoadImage": LoadImage, + "UnloadImage": UnloadImage, + "CreateFile": CreateFile, + "CloseFile": CloseFile, + "ReadFile": ReadFile, + "WriteFile": WriteFile, + "SetFileInformation": SetFileInformation, + "DeleteFile": DeleteFile, + "RenameFile": RenameFile, + "EnumDirectory": EnumDirectory, + "RegCreateKey": RegCreateKey, + "RegOpenKey": RegOpenKey, + "RegSetValue": RegSetValue, + "RegQueryValue": RegQueryValue, + "RegQueryKey": RegQueryKey, + "RegDeleteKey": RegDeleteKey, + "RegDeleteValue": RegDeleteValue, + "Accept": Accept, + "Send": Send, + "Recv": Recv, + "Connect": Connect, + "Reconnect": Reconnect, + "Disconnect": Disconnect, + "Retransmit": Retransmit, + "CreateHandle": CreateHandle, + "CloseHandle": CloseHandle, +} + +// KtypeToKeventInfo maps the kernel event type to a structure that stores detailed information about the event. +func KtypeToKeventInfo(ktype Ktype) KeventInfo { + if ktype == RegOpenKeyV1 { + return kevents[RegOpenKey] + } + if ktype == AcceptTCPv4 || ktype == AcceptTCPv6 { + return kevents[Accept] + } + if ktype == ConnectTCPv4 || ktype == ConnectTCPv6 { + return kevents[Connect] + } + if ktype == ReconnectTCPv4 || ktype == ReconnectTCPv6 { + return kevents[Reconnect] + } + if ktype == RetransmitTCPv4 || ktype == RetransmitTCPv6 { + return kevents[Retransmit] + } + if ktype == DisconnectTCPv4 || ktype == DisconnectTCPv6 { + return kevents[Disconnect] + } + if ktype == SendTCPv4 || ktype == SendTCPv6 || ktype == SendUDPv4 || ktype == SendUDPv6 { + return kevents[Send] + } + if ktype == RecvTCPv4 || ktype == RecvTCPv6 || ktype == RecvUDPv4 || ktype == RecvUDPv6 { + return kevents[Recv] + } + + if kinfo, ok := kevents[ktype]; ok { + return kinfo + } + return KeventInfo{Name: "N/A", Category: Unknown} +} + +// KeventNameToKtype converts a human-readable kernel event name to its internal kernel type representation. +func KeventNameToKtype(name string) Ktype { + if ktype, ok := ktypes[name]; ok { + return ktype + } + return UnknownKtype +} + +// GetKtypesMeta returns kernel event types metadata. +func GetKtypesMeta() []KeventInfo { + ktypes := make([]KeventInfo, 0, len(kevents)) + for _, ktyp := range kevents { + ktypes = append(ktypes, ktyp) + } + sort.Slice(ktypes, func(i, j int) bool { return ktypes[i].Category < ktypes[j].Category }) + return ktypes +} diff --git a/pkg/kevent/ktypes/metainfo_test.go b/pkg/kevent/ktypes/metainfo_test.go new file mode 100644 index 000000000..7750174fa --- /dev/null +++ b/pkg/kevent/ktypes/metainfo_test.go @@ -0,0 +1,46 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ktypes + +import ( + "github.com/stretchr/testify/assert" + "testing" +) + +func TestKeventNameToKtype(t *testing.T) { + ktype := KeventNameToKtype("CreateProcess") + + assert.Equal(t, CreateProcess, ktype) + + ktype = KeventNameToKtype("CreateRemoteThread") + assert.Equal(t, UnknownKtype, ktype) +} + +func TestKtypeToKeventInfo(t *testing.T) { + kinfo := KtypeToKeventInfo(CreateProcess) + + assert.Equal(t, "CreateProcess", kinfo.Name) + assert.Equal(t, Process, kinfo.Category) + assert.Equal(t, "Creates a new process and its primary thread", kinfo.Description) + + kinfo = KtypeToKeventInfo(UnknownKtype) + assert.Equal(t, "N/A", kinfo.Name) + assert.Equal(t, Unknown, kinfo.Category) + assert.Empty(t, kinfo.Description) +} diff --git a/pkg/kevent/marshaller.go b/pkg/kevent/marshaller.go new file mode 100644 index 000000000..722f3e1ba --- /dev/null +++ b/pkg/kevent/marshaller.go @@ -0,0 +1,1213 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kevent + +import ( + "expvar" + "fmt" + "github.com/rabbitstack/fibratus/pkg/fs" + "github.com/rabbitstack/fibratus/pkg/kcap/section" + kcapver "github.com/rabbitstack/fibratus/pkg/kcap/version" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + knet "github.com/rabbitstack/fibratus/pkg/net" + ptypes "github.com/rabbitstack/fibratus/pkg/ps/types" + "github.com/rabbitstack/fibratus/pkg/util/bytes" + "github.com/rabbitstack/fibratus/pkg/util/ip" + "math" + "net" + "strconv" + "time" + "unicode/utf8" + "unsafe" +) + +var ( + // SerializeHandles indicates if handles are serialized as part of the process' state + SerializeHandles bool + // SerializeThreads indicates if threads are serialized as part of the process' state + SerializeThreads bool + // SerializeImages indicates if images are serialized as part of the process' state + SerializeImages bool + // SerializePE indicates if PE metadata are serialized as part of the process' state + SerializePE bool + // SerializeEnvs indicates if the environment variables are serialized as part of the process's state + SerializeEnvs bool +) + +// unmarshalTimestampErrors counts timestamp unmarshal errors +var unmarshalTimestampErrors = expvar.NewInt("kevent.timestamp.unmarshal.errors") + +// Marshal produces a byte stream of the kernel event suitable for writing to disk. +func (kevt *Kevent) MarshalRaw() []byte { + b := make([]byte, 0) + + // write seq, pid, tid fields + b = append(b, bytes.WriteUint64(kevt.Seq)...) + b = append(b, bytes.WriteUint32(kevt.PID)...) + b = append(b, bytes.WriteUint32(kevt.Tid)...) + + // write ktype and CPU + b = append(b, kevt.Type[:]...) + b = append(b, kevt.CPU) + + // for the string fields we have to write the length prior to + // the string buffer itself so we can decode the string correctly + // + // write event name + b = append(b, bytes.WriteUint16(uint16(len(kevt.Name)))...) + b = append(b, kevt.Name...) + // write category + b = append(b, bytes.WriteUint16(uint16(len(kevt.Category)))...) + b = append(b, kevt.Category...) + // write description + b = append(b, bytes.WriteUint16(uint16(len(kevt.Description)))...) + b = append(b, kevt.Description...) + // write host name + b = append(b, bytes.WriteUint16(uint16(len(kevt.Host)))...) + b = append(b, kevt.Host...) + + // write event's timestamp + timestamp := make([]byte, 0) + timestamp = kevt.Timestamp.AppendFormat(timestamp, time.RFC3339Nano) + b = append(b, bytes.WriteUint16(uint16(len(timestamp)))...) + b = append(b, timestamp...) + + // write the number of kernel parameters followed by each parameter + b = append(b, bytes.WriteUint16(uint16(len(kevt.Kparams)))...) + for _, kpar := range kevt.Kparams { + // append the type, parameter size and name + b = append(b, bytes.WriteUint16(uint16(kpar.Type))...) + b = append(b, bytes.WriteUint16(uint16(len(kpar.Name)))...) + b = append(b, kpar.Name...) + switch kpar.Type { + case kparams.AnsiString, kparams.UnicodeString, kparams.SID, kparams.WbemSID: + b = append(b, bytes.WriteUint16(uint16(len(kpar.Value.(string))))...) + b = append(b, kpar.Value.(string)...) + case kparams.Uint8: + b = append(b, kpar.Value.(uint8)) + case kparams.Int8: + b = append(b, byte(kpar.Value.(int8))) + case kparams.HexInt8: + b = append(b, kpar.Value.(kparams.Hex).Uint8()) + case kparams.HexInt16: + b = append(b, bytes.WriteUint16(kpar.Value.(kparams.Hex).Uint16())...) + case kparams.HexInt32: + b = append(b, bytes.WriteUint32(kpar.Value.(kparams.Hex).Uint32())...) + case kparams.HexInt64: + b = append(b, bytes.WriteUint64(kpar.Value.(kparams.Hex).Uint64())...) + case kparams.Uint16, kparams.Port: + b = append(b, bytes.WriteUint16(kpar.Value.(uint16))...) + case kparams.Int16: + b = append(b, bytes.WriteUint16(uint16(kpar.Value.(int16)))...) + case kparams.Uint32: + b = append(b, bytes.WriteUint32(kpar.Value.(uint32))...) + case kparams.Int32: + b = append(b, bytes.WriteUint32(uint32(kpar.Value.(int32)))...) + case kparams.Uint64: + b = append(b, bytes.WriteUint64(kpar.Value.(uint64))...) + case kparams.Int64: + b = append(b, bytes.WriteUint64(uint64(kpar.Value.(int64)))...) + case kparams.Double: + b = append(b, bytes.WriteUint32(math.Float32bits(kpar.Value.(float32)))...) + case kparams.Float: + b = append(b, bytes.WriteUint64(math.Float64bits(kpar.Value.(float64)))...) + case kparams.IPv4: + b = append(b, kpar.Value.(net.IP).To4()...) + case kparams.IPv6: + b = append(b, kpar.Value.(net.IP).To16()...) + case kparams.PID, kparams.TID: + b = append(b, bytes.WriteUint32(kpar.Value.(uint32))...) + case kparams.Bool: + v := kpar.Value.(bool) + if v { + b = append(b, 1) + } else { + b = append(b, 0) + } + case kparams.Time: + v := kpar.Value.(time.Time) + ts := make([]byte, 0) + ts = v.AppendFormat(ts, time.RFC3339Nano) + b = append(b, bytes.WriteUint16(uint16(len(ts)))...) + b = append(b, ts...) + case kparams.Enum: + switch e := kpar.Value.(type) { + case fs.FileDisposition: + b = append(b, uint8(e)) + case fs.FileShareMode: + b = append(b, uint8(e)) + case knet.L4Proto: + b = append(b, uint8(e)) + } + } + } + // write metadata key/value pairs + b = append(b, bytes.WriteUint16(uint16(len(kevt.Metadata)))...) + for key, value := range kevt.Metadata { + b = append(b, bytes.WriteUint16(uint16(len(key)))...) + b = append(b, key...) + b = append(b, bytes.WriteUint16(uint16(len(value)))...) + b = append(b, value...) + } + + // write process state + if kevt.PS != nil && (kevt.Type == ktypes.CreateProcess || kevt.Type == ktypes.EnumProcess) { + buf := kevt.PS.Marshal() + sec := section.New(section.Process, kcapver.ProcessSecV1, 0, uint32(len(buf))) + b = append(b, sec[:]...) + b = append(b, buf...) + } else { + sec := section.New(section.Process, kcapver.ProcessSecV1, 0, 0) + b = append(b, sec[:]...) + } + + return b +} + +// Unmarshal recovers the state of the kernel event from the byte stream. +func (kevt *Kevent) UnmarshalRaw(b []byte, ver kcapver.Version) error { + if len(b) < 34 { + return fmt.Errorf("expected at least 34 bytes but got %d bytes", len(b)) + } + + // read seq, pid, tid + kevt.Seq = bytes.ReadUint64(b[0:]) + kevt.PID = bytes.ReadUint32(b[8:]) + kevt.Tid = bytes.ReadUint32(b[12:]) + + // read ktype and CPU + var ktype ktypes.Ktype + copy(ktype[:], b[16:33]) + kevt.Type = ktype + kevt.CPU = uint8(b[33:34][0]) + + // read event name + l := bytes.ReadUint16(b[34:]) + buf := b[36:] + offset := l + kevt.Name = string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l]) + + // read category + l = bytes.ReadUint16(b[36+offset:]) + buf = b[38+offset:] + offset += l + kevt.Category = ktypes.Category(string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l])) + + // read description + l = bytes.ReadUint16(b[38+offset:]) + buf = b[40+offset:] + offset += l + kevt.Description = string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l]) + + // read host name + l = bytes.ReadUint16(b[40+offset:]) + buf = b[42+offset:] + offset += l + kevt.Host = string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l]) + + // read timestamp + l = bytes.ReadUint16(b[42+offset:]) + buf = b[44+offset:] + offset += l + if len(buf) > 0 { + var err error + kevt.Timestamp, err = time.Parse(time.RFC3339Nano, string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l])) + if err != nil { + unmarshalTimestampErrors.Add(1) + } + } + + // read parameters + nbKparams := bytes.ReadUint16(b[44+offset:]) + var poffset uint16 + + for i := 0; i < int(nbKparams); i++ { + // read kparam type + typ := bytes.ReadUint16(b[46+offset+poffset:]) + // read kparam name + kparamNameLength := bytes.ReadUint16(b[48+offset+poffset:]) + buf = b[50+offset+poffset:] + kparamName := string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:kparamNameLength:kparamNameLength]) + + var kval kparams.Value + switch kparams.Type(typ) { + case kparams.AnsiString, kparams.UnicodeString, kparams.SID, kparams.WbemSID: + // read string parameter + l := bytes.ReadUint16(b[50+offset+kparamNameLength+poffset:]) + buf = b[52+offset+kparamNameLength+poffset:] + if len(buf) > 0 { + kval = string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l]) + } + // increment parameter offset by string by type length + name length bytes + length of + // the string parameter + string parameter size + poffset += kparamNameLength + 6 + l + case kparams.Uint64: + kval = bytes.ReadUint64(b[50+offset+kparamNameLength+poffset:]) + // increment parameter offset by type length + name length sizes + size of uint64 + poffset += kparamNameLength + 4 + 8 + case kparams.Int64: + kval = int64(bytes.ReadUint64(b[50+offset+kparamNameLength+poffset:])) + // increment parameter offset by type length + name length sizes + size of int64 + poffset += kparamNameLength + 4 + 8 + case kparams.Double: + kval = float64(bytes.ReadUint64(b[50+offset+kparamNameLength+poffset:])) + poffset += kparamNameLength + 4 + 8 + case kparams.Float: + kval = float32(bytes.ReadUint32(b[50+offset+kparamNameLength+poffset:])) + poffset += kparamNameLength + 4 + 4 + case kparams.IPv4: + kval = ip.ToIPv4(bytes.ReadUint32(b[50+offset+kparamNameLength+poffset:])) + // // increment by IPv4 length + poffset += kparamNameLength + 4 + 4 + case kparams.IPv6: + kval = ip.ToIPv6(b[50+offset+kparamNameLength+poffset : 50+offset+kparamNameLength+poffset+16]) + // increment by IPv6 length + poffset += kparamNameLength + 4 + 16 + case kparams.PID, kparams.TID: + kval = bytes.ReadUint32(b[50+offset+kparamNameLength+poffset:]) + poffset += kparamNameLength + 4 + 4 + case kparams.Int32: + kval = int32(bytes.ReadUint32(b[50+offset+kparamNameLength+poffset:])) + poffset += kparamNameLength + 4 + 4 + case kparams.Uint32: + kval = bytes.ReadUint32(b[50+offset+kparamNameLength+poffset:]) + poffset += kparamNameLength + 4 + 4 + case kparams.Uint16, kparams.Port: + kval = bytes.ReadUint16(b[50+offset+kparamNameLength+poffset:]) + poffset += kparamNameLength + 4 + 2 + case kparams.Int16: + kval = int16(bytes.ReadUint16(b[50+offset+kparamNameLength+poffset:])) + poffset += kparamNameLength + 4 + 2 + case kparams.Uint8, kparams.Enum: + switch kparamName { + case kparams.FileOperation: + kval = fs.FileDisposition(uint8(b[50+offset+kparamNameLength+poffset : 50+offset+kparamNameLength+poffset+1][0])) + case kparams.FileShareMask: + kval = fs.FileShareMode(uint8(b[50+offset+kparamNameLength+poffset : 50+offset+kparamNameLength+poffset+1][0])) + case kparams.NetL4Proto: + kval = knet.L4Proto(uint8(b[50+offset+kparamNameLength+poffset : 50+offset+kparamNameLength+poffset+1][0])) + default: + kval = uint8(b[50+offset+kparamNameLength+poffset : 50+offset+kparamNameLength+poffset+1][0]) + } + poffset += kparamNameLength + 4 + 1 + case kparams.Int8: + kval = int8(b[50+offset+kparamNameLength+poffset : 50+offset+kparamNameLength+poffset+1][0]) + poffset += kparamNameLength + 4 + 1 + case kparams.HexInt8: + v := uint8(b[50+offset+kparamNameLength+poffset : 50+offset+kparamNameLength+poffset+1][0]) + kval = kparams.NewHex(v) + poffset += kparamNameLength + 4 + 1 + case kparams.HexInt16: + v := bytes.ReadUint16(b[50+offset+kparamNameLength+poffset:]) + kval = kparams.NewHex(v) + poffset += kparamNameLength + 4 + 2 + case kparams.HexInt32: + v := bytes.ReadUint32(b[50+offset+kparamNameLength+poffset:]) + kval = kparams.NewHex(v) + poffset += kparamNameLength + 4 + 4 + case kparams.HexInt64: + v := bytes.ReadUint64(b[50+offset+kparamNameLength+poffset:]) + kval = kparams.NewHex(v) + poffset += kparamNameLength + 4 + 8 + case kparams.Bool: + v := uint8(b[50+offset+kparamNameLength+poffset : 50+offset+kparamNameLength+poffset+1][0]) + if v == 1 { + kval = true + } else { + kval = false + } + poffset += kparamNameLength + 4 + 1 + case kparams.Time: + // read ts length + l := bytes.ReadUint16(b[50+offset+kparamNameLength+poffset:]) + buf = b[52+offset+kparamNameLength+poffset:] + if len(buf) > 0 { + var err error + kval, err = time.Parse(time.RFC3339Nano, string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l])) + if err != nil { + unmarshalTimestampErrors.Add(1) + } + } + poffset += kparamNameLength + 6 + l + } + if kval != nil { + kevt.Kparams.AppendFromKcap(kparamName, kparams.Type(typ), kval) + } + } + + offset += poffset + + // read metadata tags + nbTags := bytes.ReadUint16(b[46+offset:]) + var moffset uint16 + for i := 0; i < int(nbTags); i++ { + // read key + klen := bytes.ReadUint16(b[48+offset+moffset:]) + buf = b[50+offset+moffset:] + key := string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:klen:klen]) + // read value + vlen := bytes.ReadUint16(b[50+offset+klen+moffset:]) + buf = b[52+offset+klen+moffset:] + value := string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:vlen:vlen]) + // increment the offset by the length of the key + length value + size of uint16 * 2 + // that corresponds to bytes storing the lengths of keys/values + moffset += klen + vlen + 4 + if key != "" { + kevt.AddMeta(key, value) + } + } + + offset += moffset + + // read process state + sec := section.Read(b[48+offset:]) + if sec.Size() != 0 { + ps, err := ptypes.NewFromKcap(b[58+offset:]) + if err != nil { + return err + } + kevt.PS = ps + } + + return nil +} + +var js = newJSONStream() + +func writePsResources() bool { + return SerializeHandles || SerializeThreads || SerializeImages || SerializePE +} + +// MarshalJSON produces a JSON payload for this kevent. +func (kevt *Kevent) MarshalJSON() []byte { + if kevt == nil { + return []byte{} + } + + // start of JSON + js.writeObjectStart() + + js.writeObjectField("seq").writeUint64(kevt.Seq).writeMore() + js.writeObjectField("pid").writeUint32(kevt.PID).writeMore() + js.writeObjectField("tid").writeUint32(kevt.Tid).writeMore() + js.writeObjectField("cpu").writeUint8(kevt.CPU).writeMore() + + js.writeObjectField("name").writeString(kevt.Name).writeMore() + js.writeObjectField("category").writeString(string(kevt.Category)).writeMore() + js.writeObjectField("description").writeString(kevt.Description).writeMore() + js.writeObjectField("host").writeString(kevt.Host).writeMore() + + timestamp := make([]byte, 0) + timestamp = kevt.Timestamp.AppendFormat(timestamp, time.RFC3339Nano) + js.writeObjectField("timestamp").writeString(string(timestamp)).writeMore() + + // start kparams + js.writeObjectField("kparams") + js.writeObjectStart() + + pars := make([]*Kparam, 0, len(kevt.Kparams)) + for _, kpar := range kevt.Kparams { + pars = append(pars, kpar) + } + for i, kpar := range pars { + writeMore := js.shouldWriteMore(i, len(pars)) + js.writeObjectField(kpar.Name) + switch kpar.Type { + case kparams.AnsiString, kparams.UnicodeString, kparams.SID, kparams.WbemSID: + js.writeEscapeString(kpar.Value.(string)) + case kparams.Int64: + js.writeInt64(kpar.Value.(int64)) + case kparams.Uint64: + js.writeUint64(kpar.Value.(uint64)) + case kparams.Int32: + js.writeInt32(kpar.Value.(int32)) + case kparams.Uint32: + js.writeUint32(kpar.Value.(uint32)) + case kparams.Int16: + js.writeInt16(kpar.Value.(int16)) + case kparams.Uint16, kparams.Port: + js.writeUint16(kpar.Value.(uint16)) + case kparams.Int8: + js.writeInt8(kpar.Value.(int8)) + case kparams.Uint8: + js.writeUint8(kpar.Value.(uint8)) + case kparams.Float: + js.writeFloat32(kpar.Value.(float32)) + case kparams.Double: + js.writeFloat64(kpar.Value.(float64)) + case kparams.PID, kparams.TID: + js.writeUint32(kpar.Value.(uint32)) + case kparams.IPv4, kparams.IPv6: + js.writeString(kpar.Value.(net.IP).String()) + case kparams.HexInt8, kparams.HexInt16, kparams.HexInt32, kparams.HexInt64: + js.writeString(kpar.Value.(kparams.Hex).String()) + case kparams.Enum: + switch kpar.Name { + case kparams.FileOperation: + js.writeString(kpar.Value.(fs.FileDisposition).String()) + case kparams.FileShareMask: + js.writeString(kpar.Value.(fs.FileShareMode).String()) + case kparams.NetL4Proto: + js.writeString(kpar.Value.(knet.L4Proto).String()) + default: + val, ok := kpar.Value.(uint8) + if !ok { + continue + } + js.writeUint8(val) + } + case kparams.Bool: + js.writeBool(kpar.Value.(bool)) + case kparams.Time: + js.writeString(kpar.Value.(time.Time).String()) + } + if writeMore { + js.writeMore() + } + } + // end kparams + js.writeObjectEnd().writeMore() + + // start metadata + js.writeObjectField("meta") + js.writeObjectStart() + var i int + for k, v := range kevt.Metadata { + writeMore := js.shouldWriteMore(i, len(kevt.Metadata)) + js.writeObjectField(k).writeEscapeString(v) + if writeMore { + js.writeMore() + } + i++ + } + + // end metadata + js.writeObjectEnd() + ps := kevt.PS + if ps != nil { + js.writeMore() + } + + // start process state + if ps != nil { + js.writeObjectField("ps") + js.writeObjectStart() + + js.writeObjectField("pid").writeUint32(ps.PID).writeMore() + js.writeObjectField("ppid").writeUint32(ps.Ppid).writeMore() + js.writeObjectField("name").writeString(ps.Name).writeMore() + js.writeObjectField("comm").writeEscapeString(ps.Comm).writeMore() + js.writeObjectField("exe").writeEscapeString(ps.Exe).writeMore() + js.writeObjectField("cwd").writeEscapeString(ps.Cwd).writeMore() + js.writeObjectField("sid").writeEscapeString(ps.SID).writeMore() + + js.writeObjectField("args") + js.writeArrayStart() + for i, arg := range ps.Args { + writeMore := js.shouldWriteMore(i, len(ps.Args)) + js.writeEscapeString(arg) + if writeMore { + js.writeMore() + } + } + js.writeArrayEnd().writeMore() + + js.writeObjectField("sessionid").writeUint8(ps.SessionID) + + if SerializeEnvs { + js.writeMore() + js.writeObjectField("envs") + js.writeObjectStart() + var i int + for k, v := range ps.Envs { + writeMore := js.shouldWriteMore(i, len(ps.Envs)) + js.writeObjectField(k).writeEscapeString(v) + if writeMore { + js.writeMore() + } + i++ + } + js.writeObjectEnd() + } + + if writePsResources() { + js.writeMore() + } + + if SerializeThreads { + // start threads + js.writeObjectField("threads") + js.writeArrayStart() + var i int + ps.RLock() + for _, thread := range ps.Threads { + writeMore := js.shouldWriteMore(i, len(ps.Threads)) + js.writeObjectStart() + js.writeObjectField("tid").writeUint32(thread.Tid).writeMore() + js.writeObjectField("ioprio").writeUint8(thread.IOPrio).writeMore() + js.writeObjectField("baseprio").writeUint8(thread.BasePrio).writeMore() + js.writeObjectField("pageprio").writeUint8(thread.PagePrio).writeMore() + js.writeObjectField("entrypoint").writeString(thread.Entrypoint.String()).writeMore() + js.writeObjectField("ustack_base").writeString(thread.UstackBase.String()).writeMore() + js.writeObjectField("ustack_limit").writeString(thread.UstackLimit.String()).writeMore() + js.writeObjectField("kstack_base").writeString(thread.KstackBase.String()).writeMore() + js.writeObjectField("kstack_limit").writeString(thread.KstackLimit.String()) + js.writeObjectEnd() + if writeMore { + js.writeMore() + } + i++ + } + ps.RUnlock() + // end threads + js.writeArrayEnd() + if SerializeImages || SerializeHandles { + js.writeMore() + } + } + + if SerializeImages { + // start modules + js.writeObjectField("modules") + js.writeArrayStart() + + for i, m := range ps.Modules { + writeMore := js.shouldWriteMore(i, len(ps.Modules)) + js.writeObjectStart() + js.writeObjectField("name").writeEscapeString(m.Name).writeMore() + js.writeObjectField("size").writeUint32(m.Size) + js.writeObjectEnd() + if writeMore { + js.writeMore() + } + } + + // end modules + js.writeArrayEnd() + if SerializeHandles { + js.writeMore() + } + } + + if SerializeHandles { + // start handles + js.writeObjectField("handles") + js.writeArrayStart() + + for i, handle := range ps.Handles { + writeMore := js.shouldWriteMore(i, len(ps.Handles)) + js.writeObjectStart() + js.writeObjectField("name").writeEscapeString(handle.Name).writeMore() + js.writeObjectField("type").writeString(handle.Type).writeMore() + js.writeObjectField("id").writeUint64(uint64(handle.Num)).writeMore() + js.writeObjectField("object").writeUint64(uint64(handle.Object)) + js.writeObjectEnd() + + if writeMore { + js.writeMore() + } + } + // end handles + js.writeArrayEnd() + if SerializePE && ps.PE != nil { + js.writeMore() + } + } + + pe := ps.PE + if SerializePE && pe != nil { + // start PE + js.writeObjectField("pe") + js.writeObjectStart() + + js.writeObjectField("nsections").writeUint16(pe.NumberOfSections).writeMore() + js.writeObjectField("nsymbols").writeUint32(pe.NumberOfSymbols).writeMore() + js.writeObjectField("image_base").writeString(pe.ImageBase).writeMore() + js.writeObjectField("entrypoint").writeString(pe.EntryPoint).writeMore() + + timestamp := make([]byte, 0) + timestamp = kevt.Timestamp.AppendFormat(timestamp, time.RFC3339Nano) + js.writeObjectField("link_time").writeString(string(timestamp)).writeMore() + + // sections + if len(pe.Sections) > 0 { + js.writeObjectField("sections") + js.writeArrayStart() + + for i, sec := range pe.Sections { + writeMore := js.shouldWriteMore(i, len(pe.Sections)) + js.writeObjectStart() + js.writeObjectField("name").writeEscapeString(sec.Name).writeMore() + js.writeObjectField("size").writeUint32(sec.Size).writeMore() + js.writeObjectField("entropy").writeFloat64(sec.Entropy).writeMore() + js.writeObjectField("md5").writeString(sec.Md5) + + js.writeObjectEnd() + if writeMore { + js.writeMore() + } + } + + js.writeArrayEnd() + if len(pe.Symbols) > 0 { + js.writeMore() + } + } + + // imported symbols + if len(pe.Symbols) > 0 { + js.writeObjectField("symbols") + js.writeArrayStart() + + for i, sym := range pe.Symbols { + writeMore := js.shouldWriteMore(i, len(pe.Symbols)) + js.writeEscapeString(sym) + + if writeMore { + js.writeMore() + } + } + + js.writeArrayEnd() + if len(pe.Imports) > 0 { + js.writeMore() + } + } + + // imports + if len(pe.Imports) > 0 { + js.writeObjectField("imports") + js.writeArrayStart() + + for i, imp := range pe.Imports { + writeMore := js.shouldWriteMore(i, len(pe.Imports)) + js.writeEscapeString(imp) + + if writeMore { + js.writeMore() + } + } + + js.writeArrayEnd() + if len(pe.VersionResources) > 0 { + js.writeMore() + } + } + + // version resources + if len(pe.VersionResources) > 0 { + js.writeObjectField("resources") + js.writeObjectStart() + + var i int + for k, v := range pe.VersionResources { + writeMore := js.shouldWriteMore(i, len(pe.VersionResources)) + js.writeObjectField(k).writeEscapeString(v) + + if writeMore { + js.writeMore() + } + i++ + } + js.writeObjectEnd() + + } + + // end PE + js.writeObjectEnd() + + } + + // end process state + js.writeObjectEnd() + } + + // end of JSON + js.writeObjectEnd() + + return js.flush() +} + +type jsonStream struct { + buf []byte +} + +func newJSONStream() *jsonStream { + return &jsonStream{buf: make([]byte, 0)} +} + +func (js *jsonStream) flush() []byte { + buf := js.buf + js.buf = nil + return buf +} + +func (js *jsonStream) writeByte(c byte) { + js.buf = append(js.buf, c) +} + +func (js *jsonStream) writeNewline() { + js.buf = append(js.buf, '\n') +} + +func (js *jsonStream) writeTwoBytes(c1, c2 byte) { + js.buf = append(js.buf, c1, c2) +} + +func (js *jsonStream) writeBytes(b []byte) *jsonStream { + js.buf = append(js.buf, b...) + return js +} + +func (js *jsonStream) writeString(s string) *jsonStream { + js.writeByte('"') + js.buf = append(js.buf, s...) + js.writeByte('"') + return js +} + +func (js *jsonStream) writeRaw(s string) { + js.buf = append(js.buf, s...) +} + +func (js *jsonStream) writeEscapeString(s string) *jsonStream { + valLen := len(s) + js.buf = append(js.buf, '"') + // write string, the fast path, without utf8 and escape support + i := 0 + for ; i < valLen; i++ { + c := s[i] + if c > 31 && c != '"' && c != '\\' { + js.buf = append(js.buf, c) + } else { + break + } + } + if i == valLen { + js.buf = append(js.buf, '"') + return js + } + + // write remaining part of the string with escape support + writeStringSlowPath(js, i, s, valLen) + return js +} + +func (js *jsonStream) writeObjectStart() *jsonStream { + js.writeByte('{') + return js +} + +func (js *jsonStream) writeArrayStart() *jsonStream { + js.writeByte('[') + return js +} + +func (js *jsonStream) writeArrayEnd() *jsonStream { + js.writeByte(']') + return js +} + +func (js *jsonStream) writeObjectField(f string) *jsonStream { + js.writeString(f) + js.writeTwoBytes(':', ' ') + return js +} + +func (js *jsonStream) writeBool(b bool) *jsonStream { + if b { + js.writeString("true") + return js + } + js.writeString("false") + return js +} + +func (js *jsonStream) writeObjectEnd() *jsonStream { + js.writeByte('}') + return js +} + +func (js *jsonStream) writeMore() *jsonStream { + js.writeByte(',') + return js +} + +func (js *jsonStream) shouldWriteMore(i, l int) bool { + return !(i == l-1) +} + +// borrowed from jsointer: https://github.com/json-iterator/go/blob/2fbdfbb5951116fb8bede4fd8b919a19e4a6b647/stream_int.go and https://github.com/json-iterator/go/blob/2fbdfbb5951116fb8bede4fd8b919a19e4a6b647/stream_float.go + +var digits []uint32 + +// safeSet holds the value true if the ASCII character with the given array +// position can be represented inside a JSON string without any further +// escaping. +// +// All values are true except for the ASCII control characters (0-31), the +// double quote ("), and the backslash character ("\"). +var safeSet = [utf8.RuneSelf]bool{ + ' ': true, + '!': true, + '"': false, + '#': true, + '$': true, + '%': true, + '&': true, + '\'': true, + '(': true, + ')': true, + '*': true, + '+': true, + ',': true, + '-': true, + '.': true, + '/': true, + '0': true, + '1': true, + '2': true, + '3': true, + '4': true, + '5': true, + '6': true, + '7': true, + '8': true, + '9': true, + ':': true, + ';': true, + '<': true, + '=': true, + '>': true, + '?': true, + '@': true, + 'A': true, + 'B': true, + 'C': true, + 'D': true, + 'E': true, + 'F': true, + 'G': true, + 'H': true, + 'I': true, + 'J': true, + 'K': true, + 'L': true, + 'M': true, + 'N': true, + 'O': true, + 'P': true, + 'Q': true, + 'R': true, + 'S': true, + 'T': true, + 'U': true, + 'V': true, + 'W': true, + 'X': true, + 'Y': true, + 'Z': true, + '[': true, + '\\': false, + ']': true, + '^': true, + '_': true, + '`': true, + 'a': true, + 'b': true, + 'c': true, + 'd': true, + 'e': true, + 'f': true, + 'g': true, + 'h': true, + 'i': true, + 'j': true, + 'k': true, + 'l': true, + 'm': true, + 'n': true, + 'o': true, + 'p': true, + 'q': true, + 'r': true, + 's': true, + 't': true, + 'u': true, + 'v': true, + 'w': true, + 'x': true, + 'y': true, + 'z': true, + '{': true, + '|': true, + '}': true, + '~': true, + '\u007f': true, +} + +var hex = "0123456789abcdef" + +func init() { + digits = make([]uint32, 1000) + for i := uint32(0); i < 1000; i++ { + digits[i] = (((i / 100) + '0') << 16) + ((((i / 10) % 10) + '0') << 8) + i%10 + '0' + if i < 10 { + digits[i] += 2 << 24 + } else if i < 100 { + digits[i] += 1 << 24 + } + } +} + +func writeStringSlowPath(stream *jsonStream, i int, s string, valLen int) { + start := i + // for the remaining parts, we process them char by char + for i < valLen { + if b := s[i]; b < utf8.RuneSelf { + if safeSet[b] { + i++ + continue + } + if start < i { + stream.writeRaw(s[start:i]) + } + switch b { + case '\\', '"': + stream.writeTwoBytes('\\', b) + case '\n': + stream.writeTwoBytes('\\', 'n') + case '\r': + stream.writeTwoBytes('\\', 'r') + case '\t': + stream.writeTwoBytes('\\', 't') + default: + // This encodes bytes < 0x20 except for \t, \n and \r. + // If escapeHTML is set, it also escapes <, >, and & + // because they can lead to security holes when + // user-controlled strings are rendered into JSON + // and served to some browsers. + stream.writeRaw(`\u00`) + stream.writeTwoBytes(hex[b>>4], hex[b&0xF]) + } + i++ + start = i + continue + } + i++ + continue + } + if start < len(s) { + stream.writeRaw(s[start:]) + } + stream.writeByte('"') +} + +func writeFirstBuf(space []byte, v uint32) []byte { + start := v >> 24 + if start == 0 { + space = append(space, byte(v>>16), byte(v>>8)) + } else if start == 1 { + space = append(space, byte(v>>8)) + } + space = append(space, byte(v)) + return space +} + +func writeBuf(buf []byte, v uint32) []byte { + return append(buf, byte(v>>16), byte(v>>8), byte(v)) +} + +func (js *jsonStream) writeUint8(val uint8) *jsonStream { + js.buf = writeFirstBuf(js.buf, digits[val]) + return js +} + +func (js *jsonStream) writeInt8(nval int8) *jsonStream { + var val uint8 + if nval < 0 { + val = uint8(-nval) + js.buf = append(js.buf, '-') + } else { + val = uint8(nval) + } + js.buf = writeFirstBuf(js.buf, digits[val]) + return js +} + +func (js *jsonStream) writeUint16(val uint16) *jsonStream { + q1 := val / 1000 + if q1 == 0 { + js.buf = writeFirstBuf(js.buf, digits[val]) + return js + } + r1 := val - q1*1000 + js.buf = writeFirstBuf(js.buf, digits[q1]) + js.buf = writeBuf(js.buf, digits[r1]) + return js +} + +func (js *jsonStream) writeInt16(nval int16) *jsonStream { + var val uint16 + if nval < 0 { + val = uint16(-nval) + js.buf = append(js.buf, '-') + } else { + val = uint16(nval) + } + js.writeUint16(val) + return js +} + +func (js *jsonStream) writeUint32(val uint32) *jsonStream { + q1 := val / 1000 + if q1 == 0 { + js.buf = writeFirstBuf(js.buf, digits[val]) + return js + } + r1 := val - q1*1000 + q2 := q1 / 1000 + if q2 == 0 { + js.buf = writeFirstBuf(js.buf, digits[q1]) + js.buf = writeBuf(js.buf, digits[r1]) + return js + } + r2 := q1 - q2*1000 + q3 := q2 / 1000 + if q3 == 0 { + js.buf = writeFirstBuf(js.buf, digits[q2]) + } else { + r3 := q2 - q3*1000 + js.buf = append(js.buf, byte(q3+'0')) + js.buf = writeBuf(js.buf, digits[r3]) + } + js.buf = writeBuf(js.buf, digits[r2]) + js.buf = writeBuf(js.buf, digits[r1]) + return js +} + +func (js *jsonStream) writeInt32(nval int32) *jsonStream { + var val uint32 + if nval < 0 { + val = uint32(-nval) + js.buf = append(js.buf, '-') + } else { + val = uint32(nval) + } + js.writeUint32(val) + return js +} + +func (js *jsonStream) writeUint64(val uint64) *jsonStream { + q1 := val / 1000 + if q1 == 0 { + js.buf = writeFirstBuf(js.buf, digits[val]) + return js + } + r1 := val - q1*1000 + q2 := q1 / 1000 + if q2 == 0 { + js.buf = writeFirstBuf(js.buf, digits[q1]) + js.buf = writeBuf(js.buf, digits[r1]) + return js + } + r2 := q1 - q2*1000 + q3 := q2 / 1000 + if q3 == 0 { + js.buf = writeFirstBuf(js.buf, digits[q2]) + js.buf = writeBuf(js.buf, digits[r2]) + js.buf = writeBuf(js.buf, digits[r1]) + return js + } + r3 := q2 - q3*1000 + q4 := q3 / 1000 + if q4 == 0 { + js.buf = writeFirstBuf(js.buf, digits[q3]) + js.buf = writeBuf(js.buf, digits[r3]) + js.buf = writeBuf(js.buf, digits[r2]) + js.buf = writeBuf(js.buf, digits[r1]) + return js + } + r4 := q3 - q4*1000 + q5 := q4 / 1000 + if q5 == 0 { + js.buf = writeFirstBuf(js.buf, digits[q4]) + js.buf = writeBuf(js.buf, digits[r4]) + js.buf = writeBuf(js.buf, digits[r3]) + js.buf = writeBuf(js.buf, digits[r2]) + js.buf = writeBuf(js.buf, digits[r1]) + return js + } + r5 := q4 - q5*1000 + q6 := q5 / 1000 + if q6 == 0 { + js.buf = writeFirstBuf(js.buf, digits[q5]) + } else { + js.buf = writeFirstBuf(js.buf, digits[q6]) + r6 := q5 - q6*1000 + js.buf = writeBuf(js.buf, digits[r6]) + } + js.buf = writeBuf(js.buf, digits[r5]) + js.buf = writeBuf(js.buf, digits[r4]) + js.buf = writeBuf(js.buf, digits[r3]) + js.buf = writeBuf(js.buf, digits[r2]) + js.buf = writeBuf(js.buf, digits[r1]) + return js +} + +func (js *jsonStream) writeInt64(nval int64) *jsonStream { + var val uint64 + if nval < 0 { + val = uint64(-nval) + js.buf = append(js.buf, '-') + } else { + val = uint64(nval) + } + js.writeUint64(val) + return js +} + +// writeFloat32 write float32 to stream +func (js *jsonStream) writeFloat32(val float32) *jsonStream { + abs := math.Abs(float64(val)) + format := byte('f') + // Note: Must use float32 comparisons for underlying float32 value to get precise cutoffs right. + if abs != 0 { + if float32(abs) < 1e-6 || float32(abs) >= 1e21 { + format = 'e' + } + } + js.buf = strconv.AppendFloat(js.buf, float64(val), format, -1, 32) + return js +} + +// writeFloat64 write float64 to stream +func (js *jsonStream) writeFloat64(val float64) *jsonStream { + abs := math.Abs(val) + format := byte('f') + // Note: Must use float32 comparisons for underlying float32 value to get precise cutoffs right. + if abs != 0 { + if abs < 1e-6 || abs >= 1e21 { + format = 'e' + } + } + js.buf = strconv.AppendFloat(js.buf, float64(val), format, -1, 64) + return js +} diff --git a/pkg/kevent/marshaller_test.go b/pkg/kevent/marshaller_test.go new file mode 100644 index 000000000..4496a3a24 --- /dev/null +++ b/pkg/kevent/marshaller_test.go @@ -0,0 +1,581 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kevent + +import ( + "encoding/json" + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + pex "github.com/rabbitstack/fibratus/pkg/pe" + pstypes "github.com/rabbitstack/fibratus/pkg/ps/types" + shandle "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "io/ioutil" + "testing" + "time" +) + +func init() { + SerializeThreads = true + SerializeImages = true + SerializeHandles = true + SerializePE = true + SerializeEnvs = true +} + +func TestMarshaller(t *testing.T) { + now, err := time.Parse(time.RFC3339Nano, time.Now().Format(time.RFC3339Nano)) + require.NoError(t, err) + + kevt := &Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 859, + CPU: 1, + Seq: 2, + Name: "CreateFile", + Timestamp: now, + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)}, + kparams.KstackLimit: {Name: kparams.KstackLimit, Type: kparams.HexInt8, Value: kparams.Hex("ff")}, + kparams.StartTime: {Name: kparams.StartTime, Type: kparams.Time, Value: time.Now()}, + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(1204)}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "barzz"}, + } + + b := kevt.MarshalRaw() + require.NotEmpty(t, b) + + clone, err := NewFromKcap(b) + + assert.Equal(t, uint64(2), clone.Seq) + assert.Equal(t, uint32(859), clone.PID) + assert.Equal(t, uint32(2484), clone.Tid) + assert.Equal(t, ktypes.CreateFile, clone.Type) + assert.Equal(t, uint8(1), clone.CPU) + assert.Equal(t, "CreateFile", clone.Name) + assert.Equal(t, ktypes.File, clone.Category) + assert.Equal(t, "Creates or opens a new file, directory, I/O device, pipe, console", clone.Description) + assert.Equal(t, "archrabbit", clone.Host) + assert.Equal(t, now, clone.Timestamp) + + assert.Len(t, clone.Kparams, 9) + + filename, err := clone.Kparams.GetString(kparams.FileName) + require.NoError(t, err) + assert.Equal(t, "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll", filename) + fileobject, err := clone.Kparams.GetUint64(kparams.FileObject) + require.NoError(t, err) + assert.Equal(t, uint64(12456738026482168384), fileobject) + + assert.Len(t, clone.Metadata, 2) + + assert.Equal(t, "bar", clone.Metadata["foo"]) + assert.Equal(t, "barzz", clone.Metadata["fooz"]) +} + +func TestKeventMarshalJSON(t *testing.T) { + kevt := &Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 859, + CPU: 1, + Seq: 2, + Name: "CreateFile", + Timestamp: time.Now(), + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "baarz"}, + PS: &pstypes.PS{ + PID: 2436, + Ppid: 6304, + Name: "firefox.exe", + Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`, + Comm: `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, + Cwd: `C:\Program Files\Mozilla Firefox\`, + SID: "archrabbit\\SYSTEM", + Args: []string{"-contentproc", `--channel=6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, + SessionID: 4, + Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, + Threads: map[uint32]pstypes.Thread{ + 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + }, + Handles: []htypes.Handle{ + {Num: shandle.Handle(0xffffd105e9baaf70), + Name: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, + Type: "Key", + Object: 777488883434455544, + Pid: uint32(1023), + }, + { + Num: shandle.Handle(0xffffd105e9adaf70), + Name: `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, + Type: "ALPC Port", + Pid: uint32(1023), + MD: &htypes.AlpcPortInfo{ + Seqno: 1, + Context: 0x0, + Flags: 0x0, + }, + Object: 457488883434455544, + }, + { + Num: shandle.Handle(0xeaffd105e9adaf30), + Name: `C:\Users\bunny`, + Type: "File", + Pid: uint32(1023), + MD: &htypes.FileInfo{ + IsDirectory: true, + }, + Object: 357488883434455544, + }, + }, + PE: &pex.PE{ + NumberOfSections: 2, + NumberOfSymbols: 10, + EntryPoint: "0x20110", + ImageBase: "0x140000000", + LinkTime: time.Now(), + Sections: []pex.Sec{ + {Name: ".text", Size: 132608, Entropy: 6.368381, Md5: "db23dce3911a42e987041d98abd4f7cd"}, + {Name: ".rdata", Size: 35840, Entropy: 5.996976, Md5: "ffa5c960b421ca9887e54966588e97e8"}, + }, + Symbols: []string{"SelectObject", "GetTextFaceW", "EnumFontsW", "TextOutW", "GetProcessHeap"}, + Imports: []string{"GDI32.dll", "USER32.dll", "msvcrt.dll", "api-ms-win-core-libraryloader-l1-2-0.dl"}, + VersionResources: map[string]string{"CompanyName": "Microsoft Corporation", "FileDescription": "Notepad", "FileVersion": "10.0.18362.693"}, + }, + }, + } + s := kevt.MarshalJSON() + var newKevt Kevent + err := json.Unmarshal(s, &newKevt) + require.NoError(t, err) + + assert.Equal(t, uint32(2484), newKevt.Tid) + assert.Equal(t, uint32(859), newKevt.PID) + assert.Equal(t, "archrabbit\\SYSTEM", newKevt.PS.SID) + assert.Len(t, newKevt.PS.Envs, 2) + assert.Len(t, newKevt.PS.Handles, 3) + + assert.NotNil(t, newKevt.PS.PE) + assert.Equal(t, uint32(10), newKevt.PS.PE.NumberOfSymbols) + assert.Equal(t, uint16(2), newKevt.PS.PE.NumberOfSections) + assert.Len(t, newKevt.PS.PE.Sections, 2) + assert.Len(t, newKevt.PS.PE.Symbols, 5) + assert.Len(t, newKevt.PS.PE.Imports, 4) + assert.Len(t, newKevt.PS.PE.VersionResources, 3) +} + +func TestUnmarshalHugeHandles(t *testing.T) { + b, err := ioutil.ReadFile("C:\\handles.json") + require.NoError(t, err) + handles := make([]htypes.Handle, 0) + err = json.Unmarshal(b, &handles) + require.NoError(t, err) + + kevt := &Kevent{ + Type: ktypes.CreateProcess, + Tid: 2484, + PID: 859, + CPU: 1, + Seq: 2, + Name: "CreateProcess", + Timestamp: time.Now(), + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates a new process", + Kparams: Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "baarz"}, + PS: &pstypes.PS{ + PID: 2436, + Ppid: 6304, + Name: "firefox.exe", + Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`, + Comm: `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, + Cwd: `C:\Program Files\Mozilla Firefox\`, + SID: "archrabbit\\SYSTEM", + Args: []string{"-contentproc", `--channel=6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, + SessionID: 4, + Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, + Threads: map[uint32]pstypes.Thread{ + 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + }, + Handles: handles, + PE: &pex.PE{ + NumberOfSections: 7, + NumberOfSymbols: 10, + EntryPoint: "0x20110", + ImageBase: "0x140000000", + LinkTime: time.Now(), + Sections: []pex.Sec{ + {Name: ".text", Size: 132608, Entropy: 6.368381, Md5: "db23dce3911a42e987041d98abd4f7cd"}, + {Name: ".rdata", Size: 35840, Entropy: 5.996976, Md5: "ffa5c960b421ca9887e54966588e97e8"}, + }, + Symbols: []string{"SelectObject", "GetTextFaceW", "EnumFontsW", "TextOutW", "GetProcessHeap"}, + Imports: []string{"GDI32.dll", "USER32.dll", "msvcrt.dll", "api-ms-win-core-libraryloader-l1-2-0.dl"}, + VersionResources: map[string]string{"CompanyName": "Microsoft Corporation", "FileDescription": "Notepad", "FileVersion": "10.0.18362.693"}, + }, + }, + } + + s := kevt.MarshalRaw() + clone, err := NewFromKcap(s) + require.NoError(t, err) + require.NotNil(t, clone) +} + +func TestKeventMarshalJSONMultiple(t *testing.T) { + for i := 0; i < 10; i++ { + seq := uint64(i + 1) + kevt := &Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 859, + CPU: 1, + Seq: seq, + Name: "CreateFile", + Timestamp: time.Now(), + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "baarz"}, + PS: &pstypes.PS{ + PID: 2436, + Ppid: 6304, + Name: "firefox.exe", + Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`, + Comm: `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, + Cwd: `C:\Program Files\Mozilla Firefox\`, + SID: "archrabbit\\SYSTEM", + Args: []string{"-contentproc", `--channel=6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, + SessionID: 4, + Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, + Threads: map[uint32]pstypes.Thread{ + 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + }, + Handles: []htypes.Handle{ + {Num: shandle.Handle(0xffffd105e9baaf70), + Name: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, + Type: "Key", + Object: 777488883434455544, + Pid: uint32(1023), + }, + { + Num: shandle.Handle(0xffffd105e9adaf70), + Name: `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, + Type: "ALPC Port", + Pid: uint32(1023), + MD: &htypes.AlpcPortInfo{ + Seqno: 1, + Context: 0x0, + Flags: 0x0, + }, + Object: 457488883434455544, + }, + { + Num: shandle.Handle(0xeaffd105e9adaf30), + Name: `C:\Users\bunny`, + Type: "File", + Pid: uint32(1023), + MD: &htypes.FileInfo{ + IsDirectory: true, + }, + Object: 357488883434455544, + }, + }, + }, + } + s := kevt.MarshalJSON() + var newKevt Kevent + err := json.Unmarshal(s, &newKevt) + require.NoError(t, err) + + assert.Equal(t, uint32(2484), newKevt.Tid) + assert.Equal(t, uint32(859), newKevt.PID) + assert.Equal(t, seq, newKevt.Seq) + assert.Len(t, newKevt.PS.Handles, 3) + } +} + +func BenchmarkKeventMarshalJSON(b *testing.B) { + kevt := &Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 859, + CPU: 1, + Seq: 2, + Name: "CreateFile", + Timestamp: time.Now(), + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "baarz"}, + PS: &pstypes.PS{ + PID: 2436, + Ppid: 6304, + Name: "firefox.exe", + Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`, + Comm: `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, + Cwd: `C:\Program Files\Mozilla Firefox\`, + SID: "archrabbit\\SYSTEM", + Args: []string{"-contentproc", `--channel=6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, + SessionID: 4, + Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, + Handles: []htypes.Handle{ + {Num: shandle.Handle(0xffffd105e9baaf70), + Name: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, + Type: "Key", + Object: 777488883434455544, + Pid: uint32(1023), + }, + { + Num: shandle.Handle(0xffffd105e9adaf70), + Name: `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, + Type: "ALPC Port", + Pid: uint32(1023), + MD: &htypes.AlpcPortInfo{ + Seqno: 1, + Context: 0x0, + Flags: 0x0, + }, + Object: 457488883434455544, + }, + { + Num: shandle.Handle(0xeaffd105e9adaf30), + Name: `C:\Users\bunny`, + Type: "File", + Pid: uint32(1023), + MD: &htypes.FileInfo{ + IsDirectory: true, + }, + Object: 357488883434455544, + }, + }, + PE: &pex.PE{ + NumberOfSections: 2, + NumberOfSymbols: 10, + EntryPoint: "0x20110", + ImageBase: "0x140000000", + LinkTime: time.Now(), + Sections: []pex.Sec{ + {Name: ".text", Size: 132608, Entropy: 6.368381, Md5: "db23dce3911a42e987041d98abd4f7cd"}, + {Name: ".rdata", Size: 35840, Entropy: 5.996976, Md5: "ffa5c960b421ca9887e54966588e97e8"}, + }, + Symbols: []string{"SelectObject", "GetTextFaceW", "EnumFontsW", "TextOutW", "GetProcessHeap"}, + Imports: []string{"GDI32.dll", "USER32.dll", "msvcrt.dll", "api-ms-win-core-libraryloader-l1-2-0.dl"}, + VersionResources: map[string]string{"CompanyName": "Microsoft Corporation", "FileDescription": "Notepad", "FileVersion": "10.0.18362.693"}, + }, + }, + } + b.ReportAllocs() + for i := 0; i < b.N; i++ { + kevt.MarshalJSON() + } +} + +func BenchmarkKeventMarshalJSONStdlib(b *testing.B) { + kevt := &Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 859, + CPU: 1, + Seq: 2, + Name: "CreateFile", + Timestamp: time.Now(), + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "baarz"}, + PS: &pstypes.PS{ + PID: 2436, + Ppid: 6304, + Name: "firefox.exe", + Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`, + Comm: `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, + Cwd: `C:\Program Files\Mozilla Firefox\`, + SID: "archrabbit\\SYSTEM", + Args: []string{"-contentproc", `--channel=6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, + SessionID: 4, + Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, + Handles: []htypes.Handle{ + {Num: shandle.Handle(0xffffd105e9baaf70), + Name: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, + Type: "Key", + Object: 777488883434455544, + Pid: uint32(1023), + }, + { + Num: shandle.Handle(0xffffd105e9adaf70), + Name: `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, + Type: "ALPC Port", + Pid: uint32(1023), + MD: &htypes.AlpcPortInfo{ + Seqno: 1, + Context: 0x0, + Flags: 0x0, + }, + Object: 457488883434455544, + }, + { + Num: shandle.Handle(0xeaffd105e9adaf30), + Name: `C:\Users\bunny`, + Type: "File", + Pid: uint32(1023), + MD: &htypes.FileInfo{ + IsDirectory: true, + }, + Object: 357488883434455544, + }, + }, + PE: &pex.PE{ + NumberOfSections: 2, + NumberOfSymbols: 10, + EntryPoint: "0x20110", + ImageBase: "0x140000000", + LinkTime: time.Now(), + Sections: []pex.Sec{ + {Name: ".text", Size: 132608, Entropy: 6.368381, Md5: "db23dce3911a42e987041d98abd4f7cd"}, + {Name: ".rdata", Size: 35840, Entropy: 5.996976, Md5: "ffa5c960b421ca9887e54966588e97e8"}, + }, + Symbols: []string{"SelectObject", "GetTextFaceW", "EnumFontsW", "TextOutW", "GetProcessHeap"}, + Imports: []string{"GDI32.dll", "USER32.dll", "msvcrt.dll", "api-ms-win-core-libraryloader-l1-2-0.dl"}, + VersionResources: map[string]string{"CompanyName": "Microsoft Corporation", "FileDescription": "Notepad", "FileVersion": "10.0.18362.693"}, + }, + }, + } + b.ReportAllocs() + for i := 0; i < b.N; i++ { + json.Marshal(kevt) + } +} + +func BenchmarkMarshal(b *testing.B) { + kevt := &Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 859, + CPU: 1, + Seq: 2, + Name: "CreateFile", + Timestamp: time.Now(), + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "barz"}, + } + b.ReportAllocs() + for i := 0; i < b.N; i++ { + if buf := kevt.MarshalRaw(); len(buf) == 0 { + b.Fatal("empty buffer") + } + } +} + +func BenchmarkUnmarshal(b *testing.B) { + kevt := &Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 859, + CPU: 1, + Seq: 2, + Name: "CreateFile", + Timestamp: time.Now(), + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "barz"}, + } + buf := kevt.MarshalRaw() + b.ReportAllocs() + for i := 0; i < b.N; i++ { + ke, err := NewFromKcap(buf) + if err != nil { + b.Fatal(err) + } + if ke.Name == "" { + b.Fatal("invalid unmarshal byte slice") + } + } +} diff --git a/pkg/kevent/sequencer.go b/pkg/kevent/sequencer.go new file mode 100644 index 000000000..73422c55d --- /dev/null +++ b/pkg/kevent/sequencer.go @@ -0,0 +1,128 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kevent + +import ( + "errors" + "expvar" + "fmt" + "golang.org/x/sys/windows/registry" + "sync/atomic" + "syscall" + "time" +) + +const ( + // seqVName is the name of the registry value that stores the QWORD sequence. + seqVName = "KeventSeq" + invalidKey = registry.Key(syscall.InvalidHandle) +) + +var seqStoreErrors = expvar.NewInt("kevent.seq.store.errors") +var seqInitErrors = expvar.NewMap("kevent.seq.init.errors") +var errInvalidVolatileKey = errors.New("couldn't open HKCU/Volatile Environment key") + +const flags = uint32(registry.QUERY_VALUE | registry.SET_VALUE) + +// Sequencer is responsible for incrementing, getting and persisting the kevent sequence number in the Windows registry. +type Sequencer struct { + key registry.Key + quit chan struct{} + seq uint64 +} + +// NewSequencer creates a fresh kevent sequencer. If the `KeventSeq` value is present under the volatile key, the current +// sequence number is initialized to the last stored sequence. The sequencer schedules a ticker that periodically dumps +// the current sequence number into the registry value. +func NewSequencer() *Sequencer { + key, err := registry.OpenKey(registry.CURRENT_USER, "Volatile Environment", flags) + if err != nil { + seqInitErrors.Add(err.Error(), 1) + return &Sequencer{key: invalidKey, quit: make(chan struct{}, 1)} + } + s := &Sequencer{ + key: key, + quit: make(chan struct{}, 1), + seq: uint64(0), + } + s.seq, _, _ = key.GetIntegerValue(seqVName) + + go s.store() + + return s +} + +// Store saves the current sequence value in the registry. +func (s *Sequencer) Store() error { + if s.key == invalidKey { + // try to open the key again + var err error + s.key, err = registry.OpenKey(registry.CURRENT_USER, "Volatile Environment", flags) + if err != nil { + return errInvalidVolatileKey + } + } + nextSeq := s.Get() + prevSeq, _, err := s.key.GetIntegerValue(seqVName) + if err == nil && nextSeq < prevSeq { + return fmt.Errorf("current sequence number %d is lower than registry value %d", nextSeq, prevSeq) + } + return s.key.SetQWordValue(seqVName, nextSeq) +} + +// Increment increments the sequence number atomically. +func (s *Sequencer) Increment() { + atomic.AddUint64(&s.seq, 1) +} + +// Get returns the current sequence number. +func (s *Sequencer) Get() uint64 { + return atomic.LoadUint64(&s.seq) +} + +// Reset removes the sequence value from the registry and sets the sequence number to zero. +func (s *Sequencer) Reset() error { + atomic.StoreUint64(&s.seq, 0) + if s.key == invalidKey { + return errInvalidVolatileKey + } + return s.key.DeleteValue(seqVName) +} + +// Close shutdowns the event sequencer. +func (s *Sequencer) Close() error { + s.quit <- struct{}{} + return s.key.Close() +} + +// store periodically dumps the sequence number into registry value. +func (s *Sequencer) store() { + ticker := time.NewTicker(time.Second * 5) + for { + select { + case <-ticker.C: + if err := s.Store(); err != nil { + seqStoreErrors.Add(1) + } + case <-s.quit: + ticker.Stop() + return + } + } +} diff --git a/pkg/kevent/sequencer_test.go b/pkg/kevent/sequencer_test.go new file mode 100644 index 000000000..bb17ab64c --- /dev/null +++ b/pkg/kevent/sequencer_test.go @@ -0,0 +1,60 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kevent + +import ( + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "testing" +) + +func TestSequencer(t *testing.T) { + sequencer := NewSequencer() + defer sequencer.Close() + + for i := 0; i < 10; i++ { + sequencer.Increment() + } + assert.Equal(t, uint64(10), sequencer.Get()) + require.NoError(t, sequencer.Store()) + + sequencer = NewSequencer() + defer sequencer.Close() + assert.Equal(t, uint64(10), sequencer.Get()) + + require.NoError(t, sequencer.Reset()) + assert.Equal(t, uint64(0), sequencer.Get()) +} + +func TestSequencerMonotonic(t *testing.T) { + sequencer := NewSequencer() + defer sequencer.Close() + + for i := 0; i < 10; i++ { + sequencer.Increment() + } + require.NoError(t, sequencer.Store()) + + sequencer = NewSequencer() + defer sequencer.Close() + sequencer.seq = uint64(0) + + require.Error(t, sequencer.Store()) + require.NoError(t, sequencer.Reset()) +} diff --git a/pkg/kstream/README.md b/pkg/kstream/README.md new file mode 100644 index 000000000..8b73224ce --- /dev/null +++ b/pkg/kstream/README.md @@ -0,0 +1 @@ +### package `kstream` \ No newline at end of file diff --git a/pkg/kstream/_fixtures/snapshots/create-process.gob b/pkg/kstream/_fixtures/snapshots/create-process.gob new file mode 100644 index 000000000..bf4a1b39c Binary files /dev/null and b/pkg/kstream/_fixtures/snapshots/create-process.gob differ diff --git a/pkg/kstream/controller.go b/pkg/kstream/controller.go new file mode 100644 index 000000000..032dda6dd --- /dev/null +++ b/pkg/kstream/controller.go @@ -0,0 +1,347 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kstream + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/config" + kerrors "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/syscall/etw" + log "github.com/sirupsen/logrus" + "golang.org/x/sys/windows/registry" + "runtime" + "time" + "unsafe" +) + +const ( + ktraceSession = etw.KernelLoggerSession + krundownSession = etw.KernelLoggerRundownSession + // maxBufferSize specifies the maximum buffer size for event tracing session buffer + maxBufferSize = 1024 + // etwMaxLoggersPath is the registry subkey that contains ETW logger preferences + etwMaxLoggersPath = `SYSTEM\CurrentControlSet\Control\WMI` + // etwMaxLoggersValue is the registry value that dictates the maximum number of loggers. Default value is 64 on most systems + etwMaxLoggersValue = "EtwMaxLoggers" + maxStringLen = 1024 +) + +// for testing purposes +var ( + startTrace = etw.StartTrace + controlTrace = etw.ControlTrace + enableTrace = etw.EnableTrace +) + +// KtraceController is responsible for managing the life cycle of the kernel traces. +type KtraceController interface { + // StartKtrace starts a new kernel tracing session. + StartKtrace() error + // CloseKtrace stops currently running kernel trace session. + CloseKtrace() error + // StartKtraceRundown initiates the kernel logger rundown session that will enumerate open file objects + // we can use to match file names in file system kernel events. + StartKtraceRundown() error + // IsKRundownStarted indicates if kernel logger rundown session is started. + IsKRundownStarted() bool + // GetTraceHandle returns the handle of the kernel trace session. + GetTraceHandle() etw.TraceHandle +} + +// ktraceController implements KtraceController. +type ktraceController struct { + // kstreamConfig stores kernel stream specific settings + kstreamConfig config.KstreamConfig + // handle is the pointer to kernel trace handle + handle etw.TraceHandle + rundownHandle etw.TraceHandle + // props is the pointer to event trace properties descriptor + props *etw.EventTraceProperties + rundownProps *etw.EventTraceProperties + krundownStarted bool +} + +// NewKtraceController spins up a new instance of kernel trace controller. +func NewKtraceController(kstreamConfig config.KstreamConfig) KtraceController { + return &ktraceController{kstreamConfig: kstreamConfig} +} + +// StartKtrace starts a new kernel tracing session. User has the ability to disable +// a specific subset of collected kernel events, even though by default most events +// are forwarded from the provider. +func (k *ktraceController) StartKtrace() error { + // at least process events have to be enabled + // for the purpose of building the state machine + flags := etw.Process + if k.kstreamConfig.EnableThreadKevents { + flags |= etw.Thread + } + if k.kstreamConfig.EnableImageKevents { + flags |= etw.ImageLoad + } + if k.kstreamConfig.EnableNetKevents { + flags |= etw.NetTCPIP + } + if k.kstreamConfig.EnableRegistryKevents { + flags |= etw.Registry + } + if k.kstreamConfig.EnableFileIOKevents { + flags |= etw.DiskFileIO | etw.FileIO | etw.FileIOInit + } + + bufferSize := k.kstreamConfig.BufferSize + if bufferSize > maxBufferSize { + bufferSize = maxBufferSize + } + // validate min/max buffers. The minimal + // number of buffers is 2 per CPU logical core + minBuffers := k.kstreamConfig.MinBuffers + if minBuffers < uint32(runtime.NumCPU()*2) { + minBuffers = uint32(runtime.NumCPU() * 2) + } + maxBuffers := k.kstreamConfig.MaxBuffers + maxBuffersAllowed := minBuffers + 20 + if maxBuffers > maxBuffersAllowed { + maxBuffers = maxBuffersAllowed + } + if minBuffers > maxBuffers { + minBuffers = maxBuffers + } + + flushTimer := k.kstreamConfig.FlushTimer + if flushTimer < time.Second { + flushTimer = time.Second + } + + props := &etw.EventTraceProperties{ + Wnode: etw.WnodeHeader{ + BufferSize: uint32(unsafe.Sizeof(etw.EventTraceProperties{})) + 2*maxStringLen, + Flags: etw.WnodeTraceFlagGUID, + GUID: etw.KernelTraceControlGUID, + }, + LoggerNameOffset: uint32(unsafe.Sizeof(etw.EventTraceProperties{})), + LogFileNameOffset: 0, + EnableFlags: flags, + BufferSize: bufferSize, + LogFileMode: etw.ProcessTraceModeRealtime, + MinimumBuffers: minBuffers, + MaximumBuffers: maxBuffers, + FlushTimer: uint32(flushTimer.Seconds()), + } + log.Debugf("starting kernel trace with %q event flags", flags) + handle, err := startTrace( + ktraceSession, + props, + ) + + if err == nil { + if !handle.IsValid() { + return kerrors.ErrInvalidTrace + } + handleCopy := handle + // poorly documented ETW feature that allows for enabling an extended set of + // kernel event tracing flags. According to the MSDN documentation, aside from + // invoking `EventTraceProperties` function to enable object manager tracking + // the `EventTraceProperties` structure's `EnableFlags` member needs to be set to PERF_OB_HANDLE (0x80000040). + // This actually results in an erroneous trace start. The documentation neither specifies how the function + // should be called (group mask array with its 4th element set to 0x80000040). + sysTraceFlags := make([]etw.EventTraceFlags, 8) + // when we call the`TraceSetInformation` with event empty group mask reserved for the + // flags that are bitvectored into `EventTraceProperties` structure's `EnableFlags` field, + // it will trigger the arrival of rundown events including open file objects and + // registry keys that are very valuable for us to construct the initial snapshot of + // these system resources and let us build the event's context + if err := etw.SetTraceInformation(handle, etw.TraceSystemTraceEnableFlagsInfo, sysTraceFlags); err != nil { + // enable rundown kernel logger to at least enumerate open file objects + if err := k.StartKtraceRundown(); err != nil { + log.Warn(err) + } + } + sysTraceFlags[0] = flags + // enable object manager tracking + if k.kstreamConfig.EnableHandleKevents { + sysTraceFlags[4] = etw.Handle + } + // call again to enable all kernel events. Just to recap. The first call to `TraceSetInformation` with empty + // group masks activates rundown events, while this second call enables the rest of the kernel events specified in flags. + if err := etw.SetTraceInformation(handle, etw.TraceSystemTraceEnableFlagsInfo, sysTraceFlags); err != nil { + log.Warnf("unable to set trace information: %v", err) + } + + k.handle = handleCopy + k.props = props + + return nil + } + + switch err { + case kerrors.ErrTraceAlreadyRunning: + if err := controlTrace(etw.TraceHandle(0), ktraceSession, props, etw.Query); err == kerrors.ErrKsessionNotRunning { + return kerrors.ErrCannotUpdateTrace + } + if err := controlTrace(etw.TraceHandle(0), ktraceSession, props, etw.Stop); err != nil { + return kerrors.ErrStopTrace + } + + time.Sleep(time.Millisecond * 100) + props := &etw.EventTraceProperties{ + Wnode: etw.WnodeHeader{ + BufferSize: uint32(unsafe.Sizeof(etw.EventTraceProperties{})) + 2*maxStringLen, + Flags: etw.WnodeTraceFlagGUID, + GUID: etw.KernelTraceControlGUID, + }, + LoggerNameOffset: uint32(unsafe.Sizeof(etw.EventTraceProperties{})), + LogFileNameOffset: 0, + EnableFlags: flags, + BufferSize: bufferSize, + LogFileMode: etw.ProcessTraceModeRealtime, + MinimumBuffers: minBuffers, + MaximumBuffers: maxBuffers, + FlushTimer: uint32(flushTimer.Seconds()), + } + handle, err := startTrace( + ktraceSession, + props, + ) + if err != nil { + return kerrors.ErrRestartTrace + } + if !handle.IsValid() { + return kerrors.ErrInvalidTrace + } + handleCopy := handle + + sysTraceFlags := make([]etw.EventTraceFlags, 8) + if err := etw.SetTraceInformation(handle, etw.TraceSystemTraceEnableFlagsInfo, sysTraceFlags); err != nil { + if err := k.StartKtraceRundown(); err != nil { + log.Warn(err) + } + } + sysTraceFlags[0] = flags + // enable object manager tracking + if k.kstreamConfig.EnableHandleKevents { + sysTraceFlags[4] = etw.Handle + } + // call again to enable all kernel events. Just to recap. The first call to `TraceSetInformation` with empty + // group masks activates rundown events, while this second call enables the rest of the kernel events specified in flags. + if err := etw.SetTraceInformation(handle, etw.TraceSystemTraceEnableFlagsInfo, sysTraceFlags); err != nil { + log.Warnf("unable to set trace information: %v", err) + } + + k.handle = handleCopy + k.props = props + return nil + + case kerrors.ErrTraceNoSysResources: + // get the number of maximum allowed loggers from registry + key, err := registry.OpenKey(registry.LOCAL_MACHINE, etwMaxLoggersPath, registry.QUERY_VALUE) + if err != nil { + return err + } + defer key.Close() + v, _, err := key.GetIntegerValue(etwMaxLoggersValue) + if err != nil { + return err + } + return fmt.Errorf(`the limit for logging sessions on your system is %d. Please consider increasing this number `+ + `by editing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\EtwMaxLoggers key in registry. `+ + `Permissible values are 32 through 256 inclusive, and a reboot is required for any change to take effect`, v) + + default: + return err + } +} + +// StartKtraceRundown initiates the kernel logger rundown session that will enumerate open file objects +// we can use to match file names in file system kernel events. +func (k *ktraceController) StartKtraceRundown() error { + props := &etw.EventTraceProperties{ + Wnode: etw.WnodeHeader{ + BufferSize: uint32(unsafe.Sizeof(etw.EventTraceProperties{})) + 2*maxStringLen, + Flags: etw.WnodeTraceFlagGUID, + }, + LoggerNameOffset: uint32(unsafe.Sizeof(etw.EventTraceProperties{})), + LogFileNameOffset: 0, + BufferSize: maxBufferSize, + LogFileMode: etw.ProcessTraceModeRealtime, + } + k.rundownProps = props + handle, err := startTrace( + krundownSession, + props, + ) + if err == kerrors.ErrTraceAlreadyRunning { + if err := controlTrace(handle, krundownSession, props, etw.Stop); err != nil { + return kerrors.ErrStopTrace + } + props := &etw.EventTraceProperties{ + Wnode: etw.WnodeHeader{ + BufferSize: uint32(unsafe.Sizeof(etw.EventTraceProperties{})) + 2*maxStringLen, + Flags: etw.WnodeTraceFlagGUID, + }, + LoggerNameOffset: uint32(unsafe.Sizeof(etw.EventTraceProperties{})), + LogFileNameOffset: 0, + BufferSize: maxBufferSize, + LogFileMode: etw.ProcessTraceModeRealtime, + } + handle, err = startTrace( + krundownSession, + props, + ) + if err != nil { + return kerrors.ErrRestartTrace + } + } + if err := enableTrace(etw.KernelRundownGUID, handle, 0x10); err != nil { + return fmt.Errorf("couldn't activate kernel rundown logger: %v", err) + } + k.rundownHandle = handle + k.krundownStarted = true + + return nil +} + +// IsKRundownStarted indicates if kernel logger rundown session is started. +func (k *ktraceController) IsKRundownStarted() bool { + return k.krundownStarted +} + +// CloseKtrace stops currently running kernel trace session. +func (k *ktraceController) CloseKtrace() error { + // flush pending event buffers + if err := controlTrace(k.handle, ktraceSession, k.props, etw.Flush); err != nil { + log.Warnf("couldn't flush kernel trace session: %v", err) + } + time.Sleep(time.Millisecond * 100) + if err := controlTrace(k.handle, ktraceSession, k.props, etw.Stop); err != nil { + return fmt.Errorf("couldn't stop kernel trace session: %v", err) + } + if k.rundownHandle.IsValid() { + if err := controlTrace(k.rundownHandle, krundownSession, k.rundownProps, etw.Stop); err != nil { + log.Warn(err) + } + } + k.krundownStarted = false + return nil +} + +// GetTraceHandle returns the handle of the kernel trace session. +func (k *ktraceController) GetTraceHandle() etw.TraceHandle { + return k.handle +} diff --git a/pkg/kstream/controller_test.go b/pkg/kstream/controller_test.go new file mode 100644 index 000000000..28acd8870 --- /dev/null +++ b/pkg/kstream/controller_test.go @@ -0,0 +1,77 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kstream + +import ( + "github.com/rabbitstack/fibratus/pkg/config" + "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/syscall/etw" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "testing" + "time" +) + +func TestStartKtraceSuccess(t *testing.T) { + startTrace = func(name string, flags *etw.EventTraceProperties) (etw.TraceHandle, error) { + return etw.TraceHandle(1), nil + } + + ktracec := NewKtraceController(config.KstreamConfig{ + EnableThreadKevents: true, + EnableNetKevents: true, + BufferSize: 1024, + FlushTimer: time.Millisecond * 2300, + }) + + err := ktracec.StartKtrace() + + require.NoError(t, err) + assert.Equal(t, etw.TraceHandle(1), ktracec.(*ktraceController).handle) + assert.Equal(t, etw.EventTraceFlags(0x10003), ktracec.(*ktraceController).props.EnableFlags) + assert.Equal(t, "TCPIP, Process, Thread", ktracec.(*ktraceController).props.EnableFlags.String()) + +} + +func TestStartKtraceNoSysResources(t *testing.T) { + + startTrace = func(name string, props *etw.EventTraceProperties) (etw.TraceHandle, error) { + return etw.TraceHandle(0), errors.ErrTraceNoSysResources + } + + ktracec := NewKtraceController(config.KstreamConfig{EnableThreadKevents: true, BufferSize: 1024}) + + err := ktracec.StartKtrace() + + require.Error(t, err) +} + +func TestStartKtraceBufferTooSmall(t *testing.T) { + + startTrace = func(name string, props *etw.EventTraceProperties) (etw.TraceHandle, error) { + return etw.TraceHandle(0), nil + } + + ktracec := NewKtraceController(config.KstreamConfig{EnableThreadKevents: true, BufferSize: 124}) + + err := ktracec.StartKtrace() + + require.Error(t, err) + assert.EqualError(t, err, "buffer size of 124 KB is too small") +} diff --git a/pkg/kstream/doc.go b/pkg/kstream/doc.go new file mode 100644 index 000000000..56cb2d362 --- /dev/null +++ b/pkg/kstream/doc.go @@ -0,0 +1,21 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +// Package kstream contains facilities for controlling the kernel logger session and opening kernel event stream +// for the purpose of collecting and processing kernel events. +package kstream diff --git a/pkg/kstream/interceptors/chain.go b/pkg/kstream/interceptors/chain.go new file mode 100644 index 000000000..7c8d4c552 --- /dev/null +++ b/pkg/kstream/interceptors/chain.go @@ -0,0 +1,128 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package interceptors + +import ( + "expvar" + "fmt" + "github.com/rabbitstack/fibratus/pkg/config" + kerrors "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/fs" + "github.com/rabbitstack/fibratus/pkg/handle" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/ps" + "github.com/rabbitstack/fibratus/pkg/util/multierror" + "github.com/rabbitstack/fibratus/pkg/yara" + log "github.com/sirupsen/logrus" +) + +// interceptorFailures counts the number of failures caused by interceptors while processing kernel events +var interceptorFailures = expvar.NewInt("kevent.interceptor.failures") + +// Chain defines the method that all chan interceptors have to satisfy. +type Chain interface { + // Dispatch pushes a kernel event into interceptor chain. Interceptors are applied sequentially, so we have to make + // sure that any interceptor providing additional context to the next interceptor is defined first in the chain. If + // one interceptor fails, the next interceptor in chain is invoked. + Dispatch(kevt *kevent.Kevent) (*kevent.Kevent, error) +} + +type chain struct { + interceptors []KstreamInterceptor +} + +// NewChain constructs the interceptor chain. It arranges all the interceptors according to enabled kernel event categories. +func NewChain(psnap ps.Snapshotter, hsnap handle.Snapshotter, rundownFn func() error, config *config.Config) Chain { + var ( + chain = &chain{interceptors: make([]KstreamInterceptor, 0)} + devMapper = fs.NewDevMapper() + scanner yara.Scanner + ) + + if config.Yara.Enabled { + var err error + scanner, err = yara.NewScanner(psnap, config.Yara) + if err != nil { + log.Warnf("unable to start YARA scanner: %v", err) + } + } + + chain.addInterceptor(newPsInterceptor(psnap, scanner)) + + if config.Kstream.EnableFileIOKevents { + chain.addInterceptor(newFsInterceptor(devMapper, hsnap, config, rundownFn)) + } + if config.Kstream.EnableRegistryKevents { + chain.addInterceptor(newRegistryInterceptor(hsnap)) + } + if config.Kstream.EnableImageKevents { + chain.addInterceptor(newImageInterceptor(psnap, devMapper, scanner)) + } + if config.Kstream.EnableNetKevents { + chain.addInterceptor(newNetInterceptor()) + } + if config.Kstream.EnableHandleKevents { + chain.addInterceptor(newHandleInterceptor(hsnap, handle.NewObjectTypeStore(), devMapper)) + } + + return chain +} + +func (c *chain) addInterceptor(interceptor KstreamInterceptor) { + if interceptor == nil { + return + } + c.interceptors = append(c.interceptors, interceptor) +} + +// Dispatch pushes a kernel event into interceptor chain. Interceptors are applied sequentially, so we have to make +// sure that any interceptor providing additional context to the next interceptor is defined first in the chain. If +// one interceptor fails, the next interceptor in chain is invoked. +func (c chain) Dispatch(kevt *kevent.Kevent) (*kevent.Kevent, error) { + var errs = make([]error, 0) + var cukerr error + + for _, interceptor := range c.interceptors { + var err error + var next bool + kevt, next, err = interceptor.Intercept(kevt) + if err != nil { + if !kerrors.IsCancelUpstreamKevent(err) { + interceptorFailures.Add(1) + errs = append(errs, fmt.Errorf("%q interceptor failed with error: %v", interceptor.Name(), err)) + continue + } else { + cukerr = err + } + } + if !next { + break + } + } + + if len(errs) > 0 { + return kevt, multierror.Wrap(errs) + } + + if cukerr != nil { + return kevt, cukerr + } + + return kevt, nil +} diff --git a/pkg/kstream/interceptors/fs.go b/pkg/kstream/interceptors/fs.go new file mode 100644 index 000000000..778243fd5 --- /dev/null +++ b/pkg/kstream/interceptors/fs.go @@ -0,0 +1,450 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package interceptors + +import ( + "expvar" + "github.com/rabbitstack/fibratus/pkg/config" + kerrors "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/fs" + "github.com/rabbitstack/fibratus/pkg/handle" + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + log "github.com/sirupsen/logrus" + "sync" + "time" +) + +var ( + // totalRundownFiles counts the number of opened files + totalRundownFiles = expvar.NewInt("fs.total.rundown.files") + // fileObjectMisses computes file object cache misses + fileObjectMisses = expvar.NewInt("fs.file.objects.misses") + fileObjectHandleHits = expvar.NewInt("fs.file.object.handle.hits") + fileReleaseCount = expvar.NewInt("fs.file.releases") + rundownDeadlinePeriod = time.Minute + once sync.Once +) + +type fsInterceptor struct { + // files stores the file metadata indexed by file object + files map[uint64]*fileInfo + // devMapper translates DOS device names to regular drive letters + devMapper fs.DevMapper + rundownDeadline *time.Timer + hsnap handle.Snapshotter + config *config.Config + + pendingKevents map[uint64]*kevent.Kevent +} + +type fileInfo struct { + name string + typ fs.FileType +} + +// fileInfoClass contains the values that specify which structure to use to query or set information for a file object. +// For more information see https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ne-wdm-_file_information_class +var fileInfoClasses = map[uint32]string{ + 1: "Directory", + 2: "Full Directory", + 3: "Both Directory", + 4: "Basic", + 5: "Standard", + 6: "Internal", + 7: "EA", + 8: "Access", + 9: "Name", + 10: "Rename", + 11: "Link", + 12: "Names", + 13: "Disposition", + 14: "Position", + 15: "Full EA", + 16: "Mode", + 17: "Alignment", + 18: "All", + 19: "Allocation", + 20: "EOF", + 21: "Alternative Name", + 22: "Stream", + 23: "Pipe", + 24: "Pipe Local", + 25: "Pipe Remote", + 26: "Mailslot Query", + 27: "Mailslot Set", + 28: "Compression", + 29: "Object ID", + 30: "Completion", + 31: "Move Cluster", + 32: "Quota", + 33: "Reparse Point", + 34: "Network Open", + 35: "Attribute Tag", + 36: "Tracking", + 37: "ID Both Directory", + 38: "ID Full Directory", + 39: "Valid Data Length", + 40: "Short Name", + 41: "IO Completion Notification", + 42: "IO Status Block Range", + 43: "IO Priority Hint", + 44: "Sfio Reserve", + 45: "Sfio Volume", + 46: "Hard Link", + 47: "Process IDS Using File", + 48: "Normalized Name", + 49: "Network Physical Name", + 50: "ID Global Tx Directory", + 51: "Is Remote Device", + 52: "Unused", + 53: "Numa Node", + 54: "Standard Link", + 55: "Remote Protocol", + 56: "Rename Bypass Access Check", + 57: "Link Bypass Access Check", + 58: "Volume Name", + 59: "ID", + 60: "ID Extended Directory", + 61: "Replace Completion", + 62: "Hard Link Full ID", + 63: "ID Extended Both Directory", + 64: "Disposition Extended", + 65: "Rename Extended", + 66: "Rename Extended Bypass Access Check", + 67: "Desired Storage", + 68: "Stat", + 69: "Memory Partition", + 70: "Stat LX", + 71: "Case Sensitive", + 72: "Link Extended", + 73: "Link Extended Bypass Access Check", + 74: "Storage Reserve ID", + 75: "Case Sensitive Force Access Check", +} + +func infoClassFromID(klass uint32) string { + class, ok := fileInfoClasses[klass] + if !ok { + return "Unknown" + } + return class +} + +func newFsInterceptor(devMapper fs.DevMapper, hsnap handle.Snapshotter, config *config.Config, fn func() error) KstreamInterceptor { + interceptor := &fsInterceptor{ + files: make(map[uint64]*fileInfo, 0), + pendingKevents: make(map[uint64]*kevent.Kevent, 0), + devMapper: devMapper, + rundownDeadline: time.NewTimer(rundownDeadlinePeriod), + hsnap: hsnap, + config: config, + } + + // define a rundown deadline timer that will call into provided + // function if we didn't receive any rundown within the deadline + go func() { + <-interceptor.rundownDeadline.C + if fn != nil { + if err := fn(); err != nil { + log.Errorf("couldn't start kernel rundown session after deadline: %v", err) + } + } + }() + + return interceptor +} + +func (f *fsInterceptor) Intercept(kevt *kevent.Kevent) (*kevent.Kevent, bool, error) { + switch kevt.Type { + case ktypes.FileRundown, + ktypes.FileOpEnd, + ktypes.CreateFile, + ktypes.DeleteFile, + ktypes.CloseFile, + ktypes.WriteFile, + ktypes.ReadFile, + ktypes.RenameFile, + ktypes.ReleaseFile, + ktypes.SetFileInformation, + ktypes.EnumDirectory: + + fobj, err := kevt.Kparams.GetHexAsUint64(kparams.FileObject) + if err != nil && kevt.Type != ktypes.FileOpEnd { + return kevt, true, err + } + // when the file rundown event comes in we store the file info + // in the map in order to augment the rest of file events + // that lack the file name field + if kevt.Type == ktypes.FileRundown { + // cancel rundown deadline timer + once.Do(func() { + f.rundownDeadline.Stop() + }) + filename, err := kevt.Kparams.GetString(kparams.FileName) + if err != nil { + return kevt, true, err + } + totalRundownFiles.Add(1) + filename = f.devMapper.Convert(filename) + + f.files[fobj] = &fileInfo{name: filename, typ: fs.GetFileType(filename, 0)} + + return kevt, false, nil + } + // we'll update event's thread identifier with the one + // that's involved in the file system operation + kevt.Tid, err = kevt.Kparams.GetUint32(kparams.ThreadID) + if err != nil { + // tid is sometimes represented in hex format + kevt.Tid, err = kevt.Kparams.GetHexAsUint32(kparams.ThreadID) + } + + switch kevt.Type { + case ktypes.CreateFile: + // we defer the processing of the CreateFile event until we get + // the matching FileOpEnd event. This event contains the operation + // that was done on behalf of the file, e.g. create or open. + irp, err := kevt.Kparams.GetHexAsUint64(kparams.FileIrpPtr) + if err != nil { + return kevt, true, err + } + f.pendingKevents[irp] = kevt + return kevt, false, kerrors.ErrCancelUpstreamKevent + + case ktypes.FileOpEnd: + // get the CreateFile pending event by IRP identifier + irp, err := kevt.Kparams.GetHexAsUint64(kparams.FileIrpPtr) + if err != nil { + return kevt, true, err + } + fkevt, ok := f.pendingKevents[irp] + if !ok { + return kevt, true, kerrors.ErrCancelUpstreamKevent + } + extraInfo, err := kevt.Kparams.GetHexAsUint8(kparams.FileExtraInfo) + if err != nil { + return kevt, true, err + } + fkevt.Kparams.Append(kparams.FileExtraInfo, kparams.Uint8, extraInfo) + + delete(f.pendingKevents, irp) + + if err := f.processCreateFile(fkevt); err != nil { + return kevt, true, err + } + return fkevt, false, nil + + case ktypes.ReleaseFile: + fileReleaseCount.Add(1) + // delete both, the file object and the file key from files map + fileKey, err := kevt.Kparams.GetHexAsUint64(kparams.FileKey) + if err == nil { + delete(f.files, fileKey) + } + delete(f.files, fobj) + + case ktypes.DeleteFile, ktypes.RenameFile, + ktypes.CloseFile, ktypes.ReadFile, + ktypes.WriteFile, ktypes.SetFileInformation, ktypes.EnumDirectory: + + fileKey, err := kevt.Kparams.GetHexAsUint64(kparams.FileKey) + if err != nil { + return kevt, true, err + } + + // attempt to get the file by file key. If there is no such file referenced + // by the file key, then try to fetch it by file object. Even if file object + // references fails, we search in the file handles for such file + fileinfo, ok := f.files[fileKey] + if !ok { + fileinfo, ok = f.files[fobj] + if !ok { + // look in the system handles for file objects + var h htypes.Handle + h, ok = f.hsnap.FindByObject(fobj) + if ok && h.Type == handle.File { + fileObjectHandleHits.Add(1) + f.files[fobj] = &fileInfo{name: h.Name, typ: fs.GetFileType(h.Name, 0)} + } + } + } + + // ignore object misses that are produced by CloseFile + if !ok && kevt.Type != ktypes.CloseFile { + fileObjectMisses.Add(1) + } + + if kevt.Type == ktypes.DeleteFile { + delete(f.files, fobj) + } + + if kevt.Type == ktypes.SetFileInformation || kevt.Type == ktypes.EnumDirectory || kevt.Type == ktypes.RenameFile || kevt.Type == ktypes.DeleteFile { + // assign a human-readable information class from the class ID + infoClassID, err := kevt.Kparams.GetUint32(kparams.FileInfoClass) + if err == nil { + kevt.Kparams.Remove(kparams.FileInfoClass) + kevt.Kparams.Append(kparams.FileInfoClass, kparams.AnsiString, infoClassFromID(infoClassID)) + } + kevt.Kparams.Remove(kparams.FileExtraInfo) + } + + if kevt.Type == ktypes.EnumDirectory { + // the file key kparam contains the reference to the directory name + fileKey, err := kevt.Kparams.GetHexAsUint64(kparams.FileKey) + if err != nil { + kevt.Kparams.Remove(kparams.FileKey) + removeKparams(kevt) + return kevt, true, nil + } + kevt.Kparams.Remove(kparams.FileKey) + fileinfo, ok := f.files[fileKey] + if ok && fileinfo != nil { + kevt.Kparams.Append(kparams.FileDirectory, kparams.UnicodeString, fileinfo.name) + } + } + + removeKparams(kevt) + + if err := f.appendKparams(fileinfo, kevt); err != nil { + return kevt, true, err + } + } + default: + return kevt, true, nil + } + + return kevt, true, nil +} + +// removeKparams removes unwanted kparams, either because they are already present in kevent +// canonical attributes or are not very useful. +func removeKparams(kevt *kevent.Kevent) { + if kevt.Kparams.Contains(kparams.ProcessID) { + kevt.Kparams.Remove(kparams.ProcessID) + } + if kevt.Kparams.Contains(kparams.ThreadID) { + kevt.Kparams.Remove(kparams.ThreadID) + } + if kevt.Kparams.Contains(kparams.FileCreateOptions) { + kevt.Kparams.Remove(kparams.FileCreateOptions) + } + if kevt.Kparams.Contains(kparams.FileKey) { + kevt.Kparams.Remove(kparams.FileKey) + } +} + +func (fsInterceptor) Name() InterceptorType { return Fs } +func (f *fsInterceptor) getFileInfo(name string, opts uint32) *fileInfo { + return &fileInfo{name: name, typ: fs.GetFileType(name, opts)} +} + +func (f *fsInterceptor) processCreateFile(kevt *kevent.Kevent) error { + fobj, err := kevt.Kparams.GetHexAsUint64(kparams.FileObject) + if err != nil { + return err + } + + extraInfo, err := kevt.Kparams.GetUint8(kparams.FileExtraInfo) + if err != nil { + return err + } + + // delete raw event parameters + kevt.Kparams.Remove(kparams.FileExtraInfo) + // append human-readable file operation param + kevt.Kparams.Append(kparams.FileOperation, kparams.Enum, fs.FileDisposition(extraInfo)) + + filename, err := kevt.Kparams.GetString(kparams.FileName) + if err != nil { + return err + } + filename = f.devMapper.Convert(filename) + if err := kevt.Kparams.Set(kparams.FileName, filename, kparams.UnicodeString); err != nil { + return err + } + // figure out the file share mask that determines + // the type of share access that the caller thread + // would like to grant to other threads + mask, err := kevt.Kparams.GetUint32(kparams.FileShareMask) + if err != nil { + return err + } + if err := kevt.Kparams.Set(kparams.FileShareMask, fs.FileShareMode(mask), kparams.Enum); err != nil { + return err + } + // try to get extended file info. If the file object is already + // present in the map, we'll reuse the existing file information + fileinfo, ok := f.files[fobj] + if !ok { + opts, _ := kevt.Kparams.GetUint32(kparams.FileCreateOptions) + opts &= 0xFFFFFF + + fileinfo = f.getFileInfo(filename, opts) + // file type couldn't be resolved so we perform the lookup + // in system handles to determine whether file object is + // a directory + if fileinfo.typ == fs.Unknown { + fileinfo.typ = f.findDirHandle(fobj) + } + kevt.Kparams.Append(kparams.FileType, kparams.AnsiString, fileinfo.typ.String()) + + f.files[fobj] = fileinfo + } + + removeKparams(kevt) + + return f.appendKparams(fileinfo, kevt) +} + +func (f *fsInterceptor) findDirHandle(fobj uint64) fs.FileType { + fhandle, ok := f.hsnap.FindByObject(fobj) + if !ok || fhandle.Type != handle.File { + return fs.Unknown + } + if fhandle.MD == nil { + return fs.Unknown + } + md, ok := fhandle.MD.(*htypes.FileInfo) + if md.IsDirectory { + return fs.Directory + } + return fs.Unknown +} + +func (f *fsInterceptor) appendKparams(fileinfo *fileInfo, kevt *kevent.Kevent) error { + if kevt.Type == ktypes.EnumDirectory { + return nil + } + if fileinfo == nil { + if kevt.Type != ktypes.CreateFile { + kevt.Kparams.Append(kparams.FileName, kparams.UnicodeString, kparams.NA) + } + return nil + } + if fileinfo.typ != fs.Unknown { + kevt.Kparams.Append(kparams.FileType, kparams.AnsiString, fileinfo.typ.String()) + } + if kevt.Type != ktypes.CreateFile { + kevt.Kparams.Append(kparams.FileName, kparams.UnicodeString, fileinfo.name) + } + return nil +} diff --git a/pkg/kstream/interceptors/fs_test.go b/pkg/kstream/interceptors/fs_test.go new file mode 100644 index 000000000..2e2aa418e --- /dev/null +++ b/pkg/kstream/interceptors/fs_test.go @@ -0,0 +1,211 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package interceptors + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/config" + "github.com/rabbitstack/fibratus/pkg/fs" + "github.com/rabbitstack/fibratus/pkg/handle" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/mock" + "github.com/stretchr/testify/require" + "os" + "testing" + "time" +) + +type devMapperMock struct { + mock.Mock +} + +func (dm *devMapperMock) Convert(filename string) string { + args := dm.Called(filename) + return args.String(0) +} + +func init() { + rundownDeadlinePeriod = time.Millisecond * 200 +} + +func TestCreateFile(t *testing.T) { + devMapper := new(devMapperMock) + hsnapMock := new(handle.SnapshotterMock) + + sysRoot := os.Getenv("SystemRoot") + devMapper.On("Convert", "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll").Return(fmt.Sprintf("%s\\system32\\user32.dll", sysRoot)) + + fsi := newFsInterceptor(devMapper, hsnapMock, &config.Config{}, nil) + + _, _, err := fsi.Intercept(&kevent.Kevent{ + Type: ktypes.FileRundown, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + }, + }) + require.NoError(t, err) + + kevt1 := &kevent.Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(18446738026482168384)}, + kparams.ThreadID: {Name: kparams.ThreadID, Type: kparams.Uint32, Value: uint32(1484)}, + kparams.FileCreateOptions: {Name: kparams.FileCreateOptions, Type: kparams.Uint32, Value: uint32(1223456)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll"}, + kparams.FileShareMask: {Name: kparams.FileShareMask, Type: kparams.Uint32, Value: uint32(5)}, + }, + } + devMapper.On("Convert", "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll").Return(fmt.Sprintf("%s\\system32\\kernel32.dll", sysRoot)) + + _, _, err = fsi.Intercept(kevt1) + require.NoError(t, err) + dispo, err := kevt1.Kparams.Get(kparams.FileOperation) + require.NoError(t, err) + assert.Equal(t, fs.Supersede, dispo.(fs.FileDisposition)) + filename, err := kevt1.Kparams.GetString(kparams.FileName) + require.NoError(t, err) + assert.Equal(t, fmt.Sprintf("%s\\system32\\kernel32.dll", sysRoot), filename) + assert.True(t, kevt1.Kparams.Contains(kparams.FileCreated)) + mask, err := kevt1.Kparams.GetString(kparams.FileShareMask) + assert.Equal(t, "r-d", mask) + + files := fsi.(*fsInterceptor).files + + require.Len(t, files, 2) + + fileinfo := files[18446738026482168384] + require.NotNil(t, fileinfo) + + assert.True(t, kevt1.Kparams.Contains(kparams.FileCreated)) + assert.Equal(t, fmt.Sprintf("%s\\system32\\kernel32.dll", sysRoot), fileinfo.name) + assert.Equal(t, fs.Regular, fileinfo.typ) + + typ, err := kevt1.Kparams.GetString(kparams.FileType) + require.NoError(t, err) + assert.Equal(t, "file", typ) +} + +func TestRundownFile(t *testing.T) { + devMapper := new(devMapperMock) + hsnapMock := new(handle.SnapshotterMock) + + sysRoot := os.Getenv("SystemRoot") + devMapper.On("Convert", "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll").Return(fmt.Sprintf("%s\\system32\\user32.dll", sysRoot)) + + fsi := newFsInterceptor(devMapper, hsnapMock, &config.Config{}, nil) + + _, _, err := fsi.Intercept(&kevent.Kevent{ + Type: ktypes.FileRundown, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + }, + }) + require.NoError(t, err) + + files := fsi.(*fsInterceptor).files + + require.Len(t, files, 1) + + fileinfo := files[12456738026482168384] + require.NotNil(t, fileinfo) + + assert.Equal(t, fmt.Sprintf("%s\\system32\\user32.dll", sysRoot), fileinfo.name) + assert.Equal(t, fs.Regular, fileinfo.typ) +} + +func TestDeleteFile(t *testing.T) { + devMapper := new(devMapperMock) + hsnapMock := new(handle.SnapshotterMock) + + sysRoot := os.Getenv("SystemRoot") + devMapper.On("Convert", "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll").Return(fmt.Sprintf("%s\\system32\\user32.dll", sysRoot)) + + fsi := newFsInterceptor(devMapper, hsnapMock, &config.Config{}, nil) + + _, _, err := fsi.Intercept(&kevent.Kevent{ + Type: ktypes.FileRundown, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + }, + }) + require.NoError(t, err) + + kevt := &kevent.Kevent{ + Type: ktypes.DeleteFile, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.ThreadID: {Name: kparams.ThreadID, Type: kparams.Uint32, Value: uint32(1484)}, + }, + } + + files := fsi.(*fsInterceptor).files + require.Len(t, files, 1) + + _, _, err = fsi.Intercept(kevt) + require.NoError(t, err) + + require.Empty(t, files) + + filename, err := kevt.Kparams.GetString(kparams.FileName) + require.NoError(t, err) + + assert.Equal(t, fmt.Sprintf("%s\\system32\\user32.dll", sysRoot), filename) + typ, err := kevt.Kparams.GetString(kparams.FileType) + assert.Equal(t, "file", typ) + created, err := kevt.Kparams.GetTime(kparams.FileCreated) + require.NoError(t, err) + assert.NotEmpty(t, created) + attrs, err := kevt.Kparams.GetSlice(kparams.FileAttributes) + require.NoError(t, err) + require.Contains(t, attrs.([]fs.FileAttr), fs.FileArchive) +} + +func TestRundownFileDeadline(t *testing.T) { + devMapper := new(devMapperMock) + hsnapMock := new(handle.SnapshotterMock) + + sysRoot := os.Getenv("SystemRoot") + devMapper.On("Convert", "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll").Return(fmt.Sprintf("%s\\system32\\user32.dll", sysRoot)) + + ch := make(chan bool, 1) + fn := func() error { + ch <- true + return nil + } + + newFsInterceptor(devMapper, hsnapMock, &config.Config{}, fn) + + <-ch +} diff --git a/pkg/kstream/interceptors/handle.go b/pkg/kstream/interceptors/handle.go new file mode 100644 index 000000000..c8d9e4b5c --- /dev/null +++ b/pkg/kstream/interceptors/handle.go @@ -0,0 +1,162 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package interceptors + +import ( + "expvar" + kerrors "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/fs" + "github.com/rabbitstack/fibratus/pkg/handle" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + syshandle "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/rabbitstack/fibratus/pkg/syscall/registry" + "time" +) + +var ( + handleDeferEvictions = expvar.NewInt("handle.deferred.evictions") +) + +var joinElapsingPeriod = time.Second * 2 + +type handleInterceptor struct { + hsnap handle.Snapshotter + typeStore handle.ObjectTypeStore + devMapper fs.DevMapper + defers map[uint64]*kevent.Kevent + enqueue func(*kevent.Kevent) +} + +func newHandleInterceptor(hsnap handle.Snapshotter, typeStore handle.ObjectTypeStore, devMapper fs.DevMapper) KstreamInterceptor { + return &handleInterceptor{ + hsnap: hsnap, + typeStore: typeStore, + devMapper: devMapper, + defers: make(map[uint64]*kevent.Kevent), + } +} + +func (h *handleInterceptor) Intercept(kevt *kevent.Kevent) (*kevent.Kevent, bool, error) { + if kevt.Type == ktypes.CreateHandle || kevt.Type == ktypes.CloseHandle { + handleID, err := kevt.Kparams.GetHexAsUint32(kparams.HandleID) + if err == nil { + _ = kevt.Kparams.Set(kparams.HandleID, handleID, kparams.Uint32) + } + typeID, err := kevt.Kparams.GetUint16(kparams.HandleObjectTypeID) + if err != nil { + return kevt, true, err + } + object, err := kevt.Kparams.GetHexAsUint64(kparams.HandleObject) + if err != nil { + return kevt, true, err + } + // map object type identifier to its name. Query for object type if + // we didn't find in the object store + typeName := h.typeStore.FindByID(uint8(typeID)) + if typeName == "" { + rawHandle, err := kevt.Kparams.GetHexAsUint32(kparams.HandleID) + if err != nil { + return kevt, true, err + } + dup, err := handle.Duplicate(syshandle.Handle(rawHandle), kevt.PID, syshandle.AllAccess) + if err != nil { + return kevt, true, err + } + defer dup.Close() + typeName, err = handle.QueryType(dup) + if err != nil { + return kevt, true, err + } + h.typeStore.RegisterType(uint8(typeID), typeName) + } + + kevt.Kparams.Append(kparams.HandleObjectTypeName, kparams.AnsiString, typeName) + kevt.Kparams.Remove(kparams.HandleObjectTypeID) + // get the best possible object name according to its type + name, err := kevt.Kparams.GetString(kparams.HandleObjectName) + if err != nil { + return kevt, true, err + } + + switch typeName { + case handle.Key: + rootKey, keyName := handle.FormatKey(name) + if rootKey == registry.InvalidKey { + break + } + name = rootKey.String() + if keyName != "" { + name += "\\" + keyName + } + case handle.File: + name = h.devMapper.Convert(name) + } + + if kevt.Type == ktypes.CreateHandle { + // for some handle objects, the CreateHandle usually lacks the handle name + // but its counterpart CloseHandle kevent ships with the handle name. We'll + // defer emitting the CreateHandle kevent until we receive a CloseHandle targeting + // the same object + if name == "" && (typeName == handle.Key || typeName == handle.File || typeName == handle.Desktop) { + h.defers[object] = kevt + return kevt, false, kerrors.ErrCancelUpstreamKevent + } + return kevt, false, h.hsnap.Write(kevt) + } + if err := kevt.Kparams.Set(kparams.HandleObjectName, name, kparams.AnsiString); err != nil { + return kevt, true, err + } + + // at this point we hit CloseHandle kernel event and have waiting CreateHandle + // event reference. So we set handle object name to the name of its CloseHandle counterpart + if hkevt, ok := h.defers[object]; ok { + if err := hkevt.Kparams.Set(kparams.HandleObjectName, name, kparams.AnsiString); err != nil { + return kevt, true, err + } + kevt = hkevt + delete(h.defers, object) + err := h.hsnap.Write(hkevt) + if err != nil { + err = h.hsnap.Remove(kevt) + if err != nil { + return hkevt, false, err + } + } + return hkevt, false, h.hsnap.Remove(kevt) + } + // push pending CreateHandle kevents if they remained longer then expected. Possible + // cause could be that we lost the corresponding CloseHandle kernel event + for kobj, hkevt := range h.defers { + evict := kevt.Timestamp.Before(time.Now().Add(joinElapsingPeriod)) + if evict { + handleDeferEvictions.Add(1) + _ = kevt.Kparams.Set(kparams.HandleObjectName, kparams.NA, kparams.AnsiString) + kevt = hkevt + delete(h.defers, kobj) + } + } + return kevt, false, h.hsnap.Remove(kevt) + } + + return kevt, true, nil +} + +func (handleInterceptor) Name() InterceptorType { return Handle } diff --git a/pkg/kstream/interceptors/handle_test.go b/pkg/kstream/interceptors/handle_test.go new file mode 100644 index 000000000..15b8240af --- /dev/null +++ b/pkg/kstream/interceptors/handle_test.go @@ -0,0 +1,194 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package interceptors + +import ( + kerrors "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/handle" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/mock" + "github.com/stretchr/testify/require" + "testing" + "time" +) + +type objectTypeStoreMock struct { + mock.Mock +} + +func (s *objectTypeStoreMock) FindByID(id uint8) string { + args := s.Called(id) + return args.String(0) +} + +func (s *objectTypeStoreMock) TypeNames() []string { + args := s.Called() + return args.Get(0).([]string) +} + +func (s *objectTypeStoreMock) RegisterType(id uint8, typ string) {} + +func TestCloseHandle(t *testing.T) { + objectTypeStore := new(objectTypeStoreMock) + hsnapMock := new(handle.SnapshotterMock) + devMapper := new(devMapperMock) + + kevt := &kevent.Kevent{ + Type: ktypes.CloseHandle, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.HandleObjectTypeID: {Name: kparams.HandleObjectTypeID, Type: kparams.Uint16, Value: uint16(23)}, + kparams.HandleObject: {Name: kparams.HandleObject, Type: kparams.HexInt64, Value: kparams.Hex("ffffd105e9baaf70")}, + kparams.HandleObjectName: {Name: kparams.HandleObjectName, Type: kparams.UnicodeString, Value: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`}, + }, + } + + hsnapMock.On("Remove", kevt).Return(nil) + + hi := newHandleInterceptor(hsnapMock, objectTypeStore, devMapper) + + objectTypeStore.On("FindByID", uint8(23)).Return(handle.Key) + + assert.Len(t, hi.(*handleInterceptor).defers, 0) + + _, _, err := hi.Intercept(kevt) + require.NoError(t, err) + + keyName, err := kevt.Kparams.GetString(kparams.HandleObjectName) + require.NoError(t, err) + typ, err := kevt.Kparams.GetString(kparams.HandleObjectTypeName) + require.NoError(t, err) + assert.Equal(t, handle.Key, typ) + assert.Equal(t, `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, keyName) + +} + +func TestHandleCoalescing(t *testing.T) { + kevt := &kevent.Kevent{ + Type: ktypes.CreateHandle, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.HandleObjectTypeID: {Name: kparams.HandleObjectTypeID, Type: kparams.Uint16, Value: uint16(23)}, + kparams.HandleObject: {Name: kparams.HandleObject, Type: kparams.HexInt64, Value: kparams.Hex("ffffd105e9baaf70")}, + kparams.HandleObjectName: {Name: kparams.HandleObjectName, Type: kparams.UnicodeString, Value: ""}, + }, + } + kevtsc := make(chan *kevent.Kevent, 1) + devMapper := new(devMapperMock) + + hsnapMock := new(handle.SnapshotterMock) + objectTypeStore := new(objectTypeStoreMock) + + hsnapMock.On("Write", mock.Anything).Return(nil) + hsnapMock.On("Remove", mock.Anything).Return(nil) + + hi := newHandleInterceptor(hsnapMock, objectTypeStore, devMapper) + + objectTypeStore.On("FindByID", uint8(23)).Return(handle.Key) + + _, _, err := hi.Intercept(kevt) + require.Error(t, err) + require.True(t, kerrors.IsCancelUpstreamKevent(err)) + + assert.Len(t, hi.(*handleInterceptor).defers, 1) + + kevt1 := &kevent.Kevent{ + Type: ktypes.CloseHandle, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.HandleObjectTypeID: {Name: kparams.HandleObjectTypeID, Type: kparams.Uint16, Value: uint16(23)}, + kparams.HandleObject: {Name: kparams.HandleObject, Type: kparams.HexInt64, Value: kparams.Hex("ffffd105e9baaf70")}, + kparams.HandleObjectName: {Name: kparams.HandleObjectName, Type: kparams.UnicodeString, Value: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`}, + }, + } + + _, _, err = hi.Intercept(kevt1) + require.NoError(t, err) + + ckevt := <-kevtsc + keyName, err := ckevt.Kparams.GetString(kparams.HandleObjectName) + require.NoError(t, err) + assert.Equal(t, `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, keyName) + + assert.Len(t, hi.(*handleInterceptor).defers, 0) +} + +func init() { + joinElapsingPeriod = time.Millisecond * 500 +} + +func TestHandleCoalescingWaiting(t *testing.T) { + kevt := &kevent.Kevent{ + Type: ktypes.CreateHandle, + Tid: 2484, + PID: 859, + Timestamp: time.Now(), + Kparams: kevent.Kparams{ + kparams.HandleObjectTypeID: {Name: kparams.HandleObjectTypeID, Type: kparams.Uint16, Value: uint16(23)}, + kparams.HandleObject: {Name: kparams.HandleObject, Type: kparams.HexInt64, Value: kparams.Hex("ffffd105e9baaf70")}, + kparams.HandleObjectName: {Name: kparams.HandleObjectName, Type: kparams.UnicodeString, Value: ""}, + }, + } + kevtsc := make(chan *kevent.Kevent, 1) + devMapper := new(devMapperMock) + objectTypeStore := new(objectTypeStoreMock) + hsnapMock := new(handle.SnapshotterMock) + + hsnapMock.On("Write", mock.Anything).Return(nil) + hsnapMock.On("Remove", mock.Anything).Return(nil) + + hi := newHandleInterceptor(hsnapMock, objectTypeStore, devMapper) + + objectTypeStore.On("FindByID", uint8(23)).Return(handle.Key) + + _, _, err := hi.Intercept(kevt) + require.Error(t, err) + require.True(t, kerrors.IsCancelUpstreamKevent(err)) + + assert.Len(t, hi.(*handleInterceptor).defers, 1) + + kevt1 := &kevent.Kevent{ + Type: ktypes.CloseHandle, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.HandleObjectTypeID: {Name: kparams.HandleObjectTypeID, Type: kparams.Uint16, Value: uint16(23)}, + kparams.HandleObject: {Name: kparams.HandleObject, Type: kparams.HexInt64, Value: kparams.Hex("affdd155e9baaf70")}, + kparams.HandleObjectName: {Name: kparams.HandleObjectName, Type: kparams.UnicodeString, Value: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`}, + }, + } + + time.Sleep(time.Millisecond * 510) + + _, _, err = hi.Intercept(kevt1) + require.NoError(t, err) + + ckevt := <-kevtsc + keyName, err := ckevt.Kparams.GetString(kparams.HandleObjectName) + require.NoError(t, err) + assert.Equal(t, kparams.NA, keyName) + + assert.Len(t, hi.(*handleInterceptor).defers, 0) +} diff --git a/pkg/kstream/interceptors/image.go b/pkg/kstream/interceptors/image.go new file mode 100644 index 000000000..3a247360e --- /dev/null +++ b/pkg/kstream/interceptors/image.go @@ -0,0 +1,83 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package interceptors + +import ( + "expvar" + "github.com/rabbitstack/fibratus/pkg/fs" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/rabbitstack/fibratus/pkg/ps" + "github.com/rabbitstack/fibratus/pkg/yara" + log "github.com/sirupsen/logrus" +) + +// imageYaraScans stores the total count of yara image scans +var imageYaraScans = expvar.NewInt("yara.image.scans") + +type imageInterceptor struct { + devMapper fs.DevMapper + snap ps.Snapshotter + yara yara.Scanner +} + +func newImageInterceptor(snap ps.Snapshotter, devMapper fs.DevMapper, yara yara.Scanner) KstreamInterceptor { + return &imageInterceptor{snap: snap, devMapper: devMapper, yara: yara} +} + +func (imageInterceptor) Name() InterceptorType { return Image } + +func (i *imageInterceptor) Intercept(kevt *kevent.Kevent) (*kevent.Kevent, bool, error) { + if kevt.Type == ktypes.LoadImage || kevt.Type == ktypes.UnloadImage || kevt.Type == ktypes.EnumImage { + // normalize image parameters to convert the size of hex to decimal representation + // and replace the DOS image path to regular drive-based file path + pid, err := kevt.Kparams.GetUint32(kparams.ProcessID) + if err != nil { + return kevt, true, err + } + if err := kevt.Kparams.Set(kparams.ProcessID, pid, kparams.PID); err != nil { + return kevt, true, err + } + size, _ := kevt.Kparams.GetHexAsUint32(kparams.ImageSize) + if err := kevt.Kparams.Set(kparams.ImageSize, size, kparams.Uint32); err != nil { + return kevt, true, err + } + filename, _ := kevt.Kparams.GetString(kparams.ImageFilename) + if err := kevt.Kparams.Set(kparams.ImageFilename, i.devMapper.Convert(filename), kparams.UnicodeString); err != nil { + return kevt, true, err + } + if i.yara != nil && kevt.Type == ktypes.LoadImage { + // scan the the target filename + go func() { + imageYaraScans.Add(1) + err := i.yara.ScanFile(filename) + if err != nil { + log.Warnf("unable to run yara scanner on %s image: %v", filename, err) + } + }() + } + if kevt.Type != ktypes.UnloadImage { + return kevt, false, i.snap.Write(kevt) + } + return kevt, false, i.snap.Remove(kevt) + } + + return kevt, true, nil +} diff --git a/pkg/kstream/interceptors/image_test.go b/pkg/kstream/interceptors/image_test.go new file mode 100644 index 000000000..64596f338 --- /dev/null +++ b/pkg/kstream/interceptors/image_test.go @@ -0,0 +1,19 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package interceptors diff --git a/pkg/kstream/interceptors/interceptor.go b/pkg/kstream/interceptors/interceptor.go new file mode 100644 index 000000000..8564886e3 --- /dev/null +++ b/pkg/kstream/interceptors/interceptor.go @@ -0,0 +1,66 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package interceptors + +import "github.com/rabbitstack/fibratus/pkg/kevent" + +// InterceptorType is an alias for the interceptor type +type InterceptorType uint8 + +const ( + Ps InterceptorType = iota + Fs + Registry + Image + Net + Handle +) + +// KstreamInterceptor is the minimal interface that each kernel stream interceptor has to satisfy. Kernel stream interceptor +// has the ability to augment kernel event with additional parameters. It is also capable of building a state machine +// from the flow of kernel events going through it. The interceptor can also decide to drop the inbound kernel event by +// returning an error via its `Intercept` method. +type KstreamInterceptor interface { + // Intercept receives an existing kernel event possibly mutating its state. The event is filtered out if + // this method returns an error. If it returns true, the next interceptor in the chain is evaluated. + Intercept(kevt *kevent.Kevent) (*kevent.Kevent, bool, error) + + // Name returns a human-readable name of this interceptor. + Name() InterceptorType +} + +// String returns a human-friendly interceptor name. +func (typ InterceptorType) String() string { + switch typ { + case Ps: + return "process" + case Fs: + return "file" + case Registry: + return "registry" + case Image: + return "image" + case Net: + return "net" + case Handle: + return "handle" + default: + return "unknown" + } +} diff --git a/pkg/kstream/interceptors/net.go b/pkg/kstream/interceptors/net.go new file mode 100644 index 000000000..c426e3031 --- /dev/null +++ b/pkg/kstream/interceptors/net.go @@ -0,0 +1,116 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package interceptors + +import ( + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/rabbitstack/fibratus/pkg/net" + "github.com/rabbitstack/fibratus/pkg/util/ports" +) + +type netInterceptor struct{} + +// newNetInterceptor creates a new instance of the network kernel stream interceptor. +func newNetInterceptor() KstreamInterceptor { + return &netInterceptor{} +} + +func (netInterceptor) Name() InterceptorType { + return Net +} + +// Intercpet overrides the kernel event type according to the transport layer +// and/or IP protocol version. At this point we also append the port names for all +// network kernel events. +func (n *netInterceptor) Intercept(kevt *kevent.Kevent) (*kevent.Kevent, bool, error) { + switch kevt.Type { + case ktypes.AcceptTCPv4, ktypes.AcceptTCPv6: + appendPortKparam(kevt, true) + kevt.Type = ktypes.Accept + return kevt, false, nil + + case ktypes.ConnectTCPv4, ktypes.ConnectTCPv6: + appendPortKparam(kevt, true) + kevt.Type = ktypes.Connect + return kevt, false, nil + + case ktypes.ReconnectTCPv4, ktypes.ReconnectTCPv6: + appendPortKparam(kevt, true) + kevt.Type = ktypes.Reconnect + return kevt, false, nil + + case ktypes.RetransmitTCPv4, ktypes.RetransmitTCPv6: + appendPortKparam(kevt, true) + kevt.Type = ktypes.Retransmit + return kevt, false, nil + + case ktypes.DisconnectTCPv4, ktypes.DisconnectTCPv6: + appendPortKparam(kevt, true) + kevt.Type = ktypes.Disconnect + return kevt, false, nil + + case ktypes.SendTCPv4, ktypes.SendTCPv6, ktypes.SendUDPv4, ktypes.SendUDPv6: + // append Layer 4 protocol name to Send events + if kevt.Type == ktypes.SendTCPv4 || kevt.Type == ktypes.SendTCPv6 { + kevt.Kparams.Append(kparams.NetL4Proto, kparams.Enum, net.TCP) + } else { + kevt.Kparams.Append(kparams.NetL4Proto, kparams.Enum, net.UDP) + } + appendPortKparam(kevt, kevt.Type == ktypes.SendTCPv4 || kevt.Type == ktypes.SendTCPv6) + kevt.Type = ktypes.Send + return kevt, false, nil + + case ktypes.RecvTCPv4, ktypes.RecvTCPv6, ktypes.RecvUDPv4, ktypes.RecvUDPv6: + // append Layer 4 protocol name to Recv events + if kevt.Type == ktypes.RecvTCPv4 || kevt.Type == ktypes.RecvTCPv6 { + kevt.Kparams.Append(kparams.NetL4Proto, kparams.Enum, net.TCP) + } else { + kevt.Kparams.Append(kparams.NetL4Proto, kparams.Enum, net.UDP) + } + appendPortKparam(kevt, kevt.Type == ktypes.RecvTCPv4 || kevt.Type == ktypes.RecvTCPv6) + kevt.Type = ktypes.Recv + return kevt, false, nil + } + + return kevt, true, nil +} + +// appendPortKparam resolves the IANA (https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml) +// service name for the particular port and transport protocol. +func appendPortKparam(kevt *kevent.Kevent, isTCP bool) { + dport, _ := kevt.Kparams.GetUint16(kparams.NetDport) + sport, _ := kevt.Kparams.GetUint16(kparams.NetSport) + if isTCP { + if name, ok := ports.TCPPortNames[dport]; ok { + kevt.Kparams.Append(kparams.NetDportName, kparams.AnsiString, name) + } + if name, ok := ports.TCPPortNames[sport]; ok { + kevt.Kparams.Append(kparams.NetSportName, kparams.AnsiString, name) + } + return + } + if name, ok := ports.UDPPortNames[dport]; ok { + kevt.Kparams.Append(kparams.NetDportName, kparams.AnsiString, name) + } + if name, ok := ports.UDPPortNames[sport]; ok { + kevt.Kparams.Append(kparams.NetSportName, kparams.AnsiString, name) + } +} diff --git a/pkg/kstream/interceptors/net_test.go b/pkg/kstream/interceptors/net_test.go new file mode 100644 index 000000000..eb0ad3731 --- /dev/null +++ b/pkg/kstream/interceptors/net_test.go @@ -0,0 +1,68 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package interceptors + +import ( + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + knet "github.com/rabbitstack/fibratus/pkg/net" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "net" + "testing" +) + +func TestNetInterceptorSend(t *testing.T) { + kevt := &kevent.Kevent{ + Type: ktypes.SendTCPv4, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.NetDport: {Name: kparams.NetDport, Type: kparams.Uint16, Value: uint16(443)}, + kparams.NetSport: {Name: kparams.NetSport, Type: kparams.Uint16, Value: uint16(43123)}, + kparams.NetSIP: {Name: kparams.NetSIP, Type: kparams.IPv4, Value: net.ParseIP("127.0.0.1")}, + kparams.NetDIP: {Name: kparams.NetDIP, Type: kparams.IPv4, Value: net.ParseIP("216.58.201.174")}, + }, + } + ni := newNetInterceptor() + + _, _, err := ni.Intercept(kevt) + require.NoError(t, err) + + assert.Equal(t, ktypes.Send, kevt.Type) + + assert.Contains(t, kevt.Kparams, kparams.NetDportName) + dportName, err := kevt.Kparams.GetString(kparams.NetDportName) + require.NoError(t, err) + assert.Equal(t, "https", dportName) + + v, err := kevt.Kparams.Get(kparams.NetL4Proto) + require.NoError(t, err) + assert.IsType(t, knet.L4Proto(1), v) + assert.Equal(t, "tcp", v.(knet.L4Proto).String()) + + sip, err := kevt.Kparams.GetIPv4(kparams.NetSIP) + require.NoError(t, err) + assert.Equal(t, "127.0.0.1", sip.String()) + + dip, err := kevt.Kparams.GetIPv4(kparams.NetDIP) + require.NoError(t, err) + assert.Equal(t, "216.58.201.174", dip.String()) +} diff --git a/pkg/kstream/interceptors/ps.go b/pkg/kstream/interceptors/ps.go new file mode 100644 index 000000000..59d7ef405 --- /dev/null +++ b/pkg/kstream/interceptors/ps.go @@ -0,0 +1,171 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package interceptors + +import ( + "expvar" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/rabbitstack/fibratus/pkg/ps" + "github.com/rabbitstack/fibratus/pkg/syscall/process" + "github.com/rabbitstack/fibratus/pkg/yara" + log "github.com/sirupsen/logrus" + "os" + "path/filepath" + "regexp" + "strings" + "time" +) + +// systemRootRegexp is the regular expression for detecting path with unexpanded SystemRoot environment variable +var systemRootRegexp = regexp.MustCompile(`%SystemRoot%|\\SystemRoot`) + +// procYaraScans stores the total count of yara process scans +var procYaraScans = expvar.NewInt("yara.proc.scans") + +type psInterceptor struct { + snap ps.Snapshotter + yara yara.Scanner +} + +var sysProcs = []string{ + "dwm.exe", + "wininit.exe", + "winlogon.exe", + "fontdrvhost.exe", + "sihost.exe", + "taskhostw.exe", + "dashost.exe", + "ctfmon.exe", +} + +// newPsInterceptor creates a new kstream interceptor for process events. +func newPsInterceptor(snap ps.Snapshotter, yara yara.Scanner) KstreamInterceptor { + return psInterceptor{snap: snap, yara: yara} +} + +func (ps psInterceptor) Intercept(kevt *kevent.Kevent) (*kevent.Kevent, bool, error) { + typ := kevt.Type + switch typ { + case ktypes.CreateProcess, ktypes.TerminateProcess, ktypes.EnumProcess: + comm, err := kevt.Kparams.GetString(kparams.Comm) + if err != nil { + return kevt, true, err + } + // some system processes are reported without the path in command line + if !strings.Contains(comm, `\\:`) { + for _, proc := range sysProcs { + if proc == comm { + _ = kevt.Kparams.Set(kparams.Comm, filepath.Join(os.Getenv("SystemRoot"), comm), kparams.UnicodeString) + } + } + } + // to compose the full executable string we extract the path + // from the process's command line by expanding the `SystemRoot` + // env variable accordingly and also removing rubbish characters + i := strings.Index(comm, "exe") + if i > 0 { + exe := strings.Replace(comm[0:i+3], "\"", "", -1) + if strings.Contains(exe, "SystemRoot") { + exe = systemRootRegexp.ReplaceAllString(exe, os.Getenv("SystemRoot")) + } + kevt.Kparams.Append(kparams.Exe, kparams.UnicodeString, exe) + } + // convert hexadecimal PID values to integers + pid, err := kevt.Kparams.GetHexAsUint32(kparams.ProcessID) + if err != nil { + return kevt, true, err + } + if err := kevt.Kparams.Set(kparams.ProcessID, pid, kparams.PID); err != nil { + return kevt, true, err + } + ppid, err := kevt.Kparams.GetHexAsUint32(kparams.ProcessParentID) + if err != nil { + return kevt, true, err + } + if err := kevt.Kparams.Set(kparams.ProcessParentID, ppid, kparams.PID); err != nil { + return kevt, true, err + } + + if typ != ktypes.TerminateProcess { + if pid != 0 { + // get the process's start time and append it to the parameters + started, err := getStartTime(pid) + if err != nil { + log.Warnf("couldn't get process (%d) start time: %v", pid, err) + } else { + _ = kevt.Kparams.Append(kparams.StartTime, kparams.Time, started) + } + } + if ps.yara != nil && typ == ktypes.CreateProcess { + // run yara scanner on the target process + go func() { + procYaraScans.Add(1) + err := ps.yara.ScanProc(pid) + if err != nil { + log.Warnf("unable to run yara scanner on pid %d: %v", pid, err) + } + }() + } + return kevt, false, ps.snap.Write(kevt) + } + + return kevt, false, ps.snap.Remove(kevt) + + case ktypes.CreateThread, ktypes.TerminateThread, ktypes.EnumThread: + pid, err := kevt.Kparams.GetHexAsUint32(kparams.ProcessID) + if err != nil { + return kevt, true, err + } + if err := kevt.Kparams.Set(kparams.ProcessID, pid, kparams.PID); err != nil { + return kevt, true, err + } + tid, err := kevt.Kparams.GetHexAsUint32(kparams.ThreadID) + if err != nil { + return kevt, true, err + } + if err := kevt.Kparams.Set(kparams.ThreadID, tid, kparams.TID); err != nil { + return kevt, true, err + } + + if typ != ktypes.TerminateThread { + return kevt, false, ps.snap.Write(kevt) + } + + return kevt, false, ps.snap.Remove(kevt) + } + + return kevt, true, nil +} + +func (psInterceptor) Name() InterceptorType { return Ps } + +func getStartTime(pid uint32) (time.Time, error) { + handle, err := process.Open(process.QueryLimitedInformation, false, pid) + if err != nil { + return time.Now(), err + } + defer handle.Close() + started, err := process.GetStartTime(handle) + if err != nil { + return time.Now(), err + } + return started, nil +} diff --git a/pkg/kstream/interceptors/ps_test.go b/pkg/kstream/interceptors/ps_test.go new file mode 100644 index 000000000..b417ed396 --- /dev/null +++ b/pkg/kstream/interceptors/ps_test.go @@ -0,0 +1,92 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package interceptors + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/rabbitstack/fibratus/pkg/ps" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "os" + "testing" +) + +func TestPsInterceptorIntercept(t *testing.T) { + psnap := new(ps.SnapshotterMock) + psi := newPsInterceptor(psnap, nil) + + kpars := kevent.Kparams{ + kparams.Comm: {Name: kparams.Comm, Type: kparams.UnicodeString, Value: "C:\\Windows\\system32\\svchost.exe -k RPCSS"}, + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.HexInt32, Value: kparams.Hex("36c")}, + kparams.ProcessParentID: {Name: kparams.ProcessParentID, Type: kparams.HexInt32, Value: kparams.Hex("26c")}, + } + + kevt := &kevent.Kevent{ + Type: ktypes.CreateProcess, + Kparams: kpars, + } + _, _, err := psi.Intercept(kevt) + require.NoError(t, err) + + require.True(t, kevt.Kparams.Contains(kparams.Exe)) + exe, _ := kevt.Kparams.GetString(kparams.Exe) + assert.Equal(t, "C:\\Windows\\system32\\svchost.exe", exe) + pid, _ := kpars.GetPid() + assert.Equal(t, uint32(876), pid) + ppid, _ := kpars.GetPpid() + assert.Equal(t, uint32(620), ppid) + + kpars1 := kevent.Kparams{ + kparams.Comm: {Name: kparams.Comm, Type: kparams.UnicodeString, Value: "C:\\Windows\\System32\\smss.exe"}, + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.HexInt32, Value: kparams.Hex("36c")}, + kparams.ProcessParentID: {Name: kparams.ProcessParentID, Type: kparams.HexInt32, Value: kparams.Hex("26c")}, + } + + kevt1 := &kevent.Kevent{ + Type: ktypes.EnumProcess, + Kparams: kpars1, + } + err = os.Setenv("SystemRoot", "C:\\Windows") + if err != nil { + t.Fatal(err) + } + _, _, err = psi.Intercept(kevt1) + require.NoError(t, err) + exe, _ = kpars1.GetString(kparams.Exe) + assert.Equal(t, "C:\\Windows\\System32\\smss.exe", exe) + + tpid := fmt.Sprintf("%x", os.Getpid()) + kpars2 := kevent.Kparams{ + kparams.Comm: {Name: kparams.Comm, Type: kparams.UnicodeString, Value: "C:\\Windows\\System32\\smss.exe"}, + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.HexInt32, Value: kparams.Hex(tpid)}, + kparams.ProcessParentID: {Name: kparams.ProcessParentID, Type: kparams.HexInt32, Value: kparams.Hex("26c")}, + } + + kevt2 := &kevent.Kevent{ + Type: ktypes.CreateProcess, + Kparams: kpars2, + } + _, _, err = psi.Intercept(kevt2) + require.NoError(t, err) + + require.True(t, kevt2.Kparams.Contains(kparams.StartTime)) +} diff --git a/pkg/kstream/interceptors/registry.go b/pkg/kstream/interceptors/registry.go new file mode 100644 index 000000000..9a8d97fb1 --- /dev/null +++ b/pkg/kstream/interceptors/registry.go @@ -0,0 +1,276 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package interceptors + +import ( + "expvar" + "github.com/rabbitstack/fibratus/pkg/handle" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/rabbitstack/fibratus/pkg/syscall/registry" + "github.com/rabbitstack/fibratus/pkg/syscall/sys" + "golang.org/x/sys/windows" + reg "golang.org/x/sys/windows/registry" + "path/filepath" + "strings" + "sync/atomic" + "syscall" + "time" + "unicode/utf16" +) + +var ( + // kcbCount counts the total KCBs found during the duration of the kernel session + kcbCount = expvar.NewInt("registry.kcb.count") + kcbMissCount = expvar.NewInt("registry.kcb.misses") + unknownKeysCount = expvar.NewInt("registry.unknown.keys.count") + keyHandleHits = expvar.NewInt("registry.key.handle.hits") + + handleThrottleCount uint32 +) + +const ( + notFoundNTStatus = 3221225524 + maxHandleQueries = 200 +) + +type registryInterceptor struct { + // keys stores the mapping between the KCB (Key Control Block) and the key name. + keys map[uint64]string + hsnap handle.Snapshotter +} + +func newRegistryInterceptor(hsnap handle.Snapshotter) KstreamInterceptor { + // schedule a ticker that resets the throttle count every minute + tick := time.NewTicker(time.Minute) + go func() { + for { + <-tick.C + atomic.StoreUint32(&handleThrottleCount, 0) + } + }() + return ®istryInterceptor{keys: make(map[uint64]string), hsnap: hsnap} +} + +func (r *registryInterceptor) Intercept(kevt *kevent.Kevent) (*kevent.Kevent, bool, error) { + typ := kevt.Type + switch typ { + case ktypes.RegKCBRundown, ktypes.RegCreateKCB: + khandle, err := kevt.Kparams.GetHexAsUint64(kparams.RegKeyHandle) + if err != nil { + return kevt, true, err + } + if _, ok := r.keys[khandle]; !ok { + r.keys[khandle], _ = kevt.Kparams.GetString(kparams.RegKeyName) + } + kcbCount.Add(1) + return kevt, false, nil + + case ktypes.RegDeleteKCB: + khandle, err := kevt.Kparams.GetHexAsUint64(kparams.RegKeyHandle) + if err != nil { + return kevt, true, err + } + delete(r.keys, khandle) + kcbCount.Add(-1) + return kevt, false, nil + + case ktypes.RegCreateKey, + ktypes.RegDeleteKey, + ktypes.RegOpenKey, ktypes.RegOpenKeyV1, + ktypes.RegQueryKey, + ktypes.RegQueryValue, + ktypes.RegSetValue, + ktypes.RegDeleteValue: + khandle, err := kevt.Kparams.GetHexAsUint64(kparams.RegKeyHandle) + if err != nil { + return kevt, true, err + } + // we have to obey a straightforward algorithm to connect relative + // key names to their root keys. If key handle is equal to zero we + // have a full key name and don't have to go further resolving the + // missing part. Otherwise, we have to lookup existing KCBs to try + // find the matching base key name and concatenate to its relative + // path. If none of the aforementioned checks are successful, our + // last resort is to scan process' handles and check if any of the + // key handles contain the partial key name. In this case we assume + // the correct key is encountered. + var rootKey registry.Key + keyName, err := kevt.Kparams.GetString(kparams.RegKeyName) + if err != nil { + return kevt, true, err + } + if khandle != 0 { + if baseKey, ok := r.keys[khandle]; ok { + keyName = baseKey + "\\" + keyName + } else { + kcbMissCount.Add(1) + keyName = r.findMatchingKey(kevt.PID, keyName) + } + } + + if keyName != "" { + rootKey, keyName = handle.FormatKey(keyName) + k := rootKey.String() + if keyName != "" && rootKey != registry.InvalidKey { + k += "\\" + keyName + } + if rootKey == registry.InvalidKey { + unknownKeysCount.Add(1) + k = keyName + } + if err := kevt.Kparams.Set(kparams.RegKeyName, k, kparams.UnicodeString); err != nil { + return kevt, true, err + } + } + + // format registry operation status code + status, err := kevt.Kparams.GetUint32(kparams.NTStatus) + if err == nil { + _ = kevt.Kparams.Set(kparams.NTStatus, formatStatus(status), kparams.UnicodeString) + } + + // get the type/value of the registry key and append to parameters + if typ == ktypes.RegSetValue { + if rootKey != registry.InvalidKey { + subkey, value := filepath.Split(keyName) + key, err := reg.OpenKey(reg.Key(rootKey), subkey, reg.QUERY_VALUE) + if err != nil { + return kevt, true, nil + } + defer key.Close() + b := make([]byte, 0) + _, typ, err := key.GetValue(value, b) + if err != nil { + return kevt, true, nil + } + kevt.Kparams.Append(kparams.RegValueType, kparams.AnsiString, typToString(typ)) + switch typ { + case reg.SZ, reg.EXPAND_SZ: + v, _, err := key.GetStringValue(value) + if err != nil { + return kevt, true, nil + } + kevt.Kparams.Append(kparams.RegValue, kparams.UnicodeString, v) + + case reg.DWORD, reg.QWORD: + v, _, err := key.GetIntegerValue(value) + if err != nil { + return kevt, true, nil + } + kevt.Kparams.Append(kparams.RegValue, kparams.Uint64, v) + + case reg.MULTI_SZ: + v, _, err := key.GetStringsValue(value) + if err != nil { + return kevt, true, nil + } + kevt.Kparams.Append(kparams.RegValue, kparams.UnicodeString, strings.Join(v, "\n\r")) + + case reg.BINARY: + v, _, err := key.GetBinaryValue(value) + if err != nil { + return kevt, true, nil + } + kevt.Kparams.Append(kparams.RegValue, kparams.UnicodeString, string(v)) + } + return kevt, false, nil + } + } + } + + return kevt, true, nil +} + +func (registryInterceptor) Name() InterceptorType { return Registry } + +func typToString(typ uint32) string { + switch typ { + case reg.DWORD: + return "REG_DWORD" + case reg.QWORD: + return "REG_QWORD" + case reg.SZ: + return "REG_SZ" + case reg.EXPAND_SZ: + return "REG_EXPAND_SZ" + case reg.MULTI_SZ: + return "REG_MULTI_SZ" + case reg.BINARY: + return "REG_BINARY" + default: + return "UNKNOWN" + } +} + +var resolvedStatuses = map[uint32]string{} + +func formatStatus(status uint32) string { + if status == 0 { + return "success" + } + // this status code is return quite often so we can offload the FormatMessage call + if status == notFoundNTStatus { + return "key not found" + } + // pick resolved status + if s, ok := resolvedStatuses[status]; ok { + return s + } + var flags uint32 = syscall.FORMAT_MESSAGE_FROM_SYSTEM + b := make([]uint16, 300) + n, err := windows.FormatMessage(flags, 0, uint32(sys.CodeFromNtStatus(status)), 0, b, nil) + if err != nil { + return "unknown" + } + // trim terminating \r and \n + for ; n > 0 && (b[n-1] == '\n' || b[n-1] == '\r'); n-- { + } + + s := strings.ToLower(string(utf16.Decode(b[:n]))) + resolvedStatuses[status] = s + + return s +} + +func (r *registryInterceptor) findMatchingKey(pid uint32, relativeKeyName string) string { + // we want to prevent too frequent queries on the process' handles + // since that can cause significant performance overhead. When throttle + // count is greater than the max permitted value we'll just return the partial key + // and hold on querying the handles of target process + atomic.AddUint32(&handleThrottleCount, 1) + if handleThrottleCount > maxHandleQueries { + return relativeKeyName + } + handles, err := r.hsnap.FindHandles(pid) + if err != nil { + return relativeKeyName + } + for _, h := range handles { + if h.Type != handle.Key { + continue + } + if strings.HasSuffix(h.Name, relativeKeyName) { + keyHandleHits.Add(1) + return h.Name + } + } + return relativeKeyName +} diff --git a/pkg/kstream/interceptors/registry_test.go b/pkg/kstream/interceptors/registry_test.go new file mode 100644 index 000000000..46e8abeb3 --- /dev/null +++ b/pkg/kstream/interceptors/registry_test.go @@ -0,0 +1,72 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package interceptors + +import ( + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "testing" +) + +func TestRegistryInterceptor(t *testing.T) { + r := newRegistryInterceptor(nil) + + _, _, err := r.Intercept(&kevent.Kevent{ + Type: ktypes.RegKCBRundown, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.RegKeyName: {Name: kparams.RegKeyName, Type: kparams.UnicodeString, Value: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bthserv\Parameters`}, + kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.HexInt64, Value: kparams.NewHex(uint64(18446666033549154696))}, + }, + }) + require.NoError(t, err) + assert.Equal(t, int64(1), kcbCount.Value()) + + _, _, err = r.Intercept(&kevent.Kevent{ + Type: ktypes.RegCreateKCB, + Tid: 1484, + PID: 259, + Kparams: kevent.Kparams{ + kparams.RegKeyName: {Name: kparams.RegKeyName, Type: kparams.UnicodeString, Value: `\REGISTRY\MACHINE\SYSTEM\Setup`}, + kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.HexInt64, Value: kparams.NewHex(uint64(18446666033449935464))}, + }, + }) + require.NoError(t, err) + assert.Equal(t, int64(2), kcbCount.Value()) + + kevt := &kevent.Kevent{ + Type: ktypes.RegCreateKey, + Tid: 2484, + PID: 859, + Kparams: kevent.Kparams{ + kparams.RegKeyName: {Name: kparams.RegKeyName, Type: kparams.UnicodeString, Value: `Pid`}, + kparams.RegKeyHandle: {Name: kparams.RegKeyHandle, Type: kparams.HexInt64, Value: kparams.NewHex(uint64(18446666033449935464))}, + }, + } + _, _, err = r.Intercept(kevt) + require.NoError(t, err) + + keyName, err := kevt.Kparams.GetString(kparams.RegKeyName) + require.NoError(t, err) + assert.Equal(t, `HKEY_LOCAL_MACHINE\SYSTEM\Setup\Pid`, keyName) +} diff --git a/pkg/kstream/kstream_rundownc.go b/pkg/kstream/kstream_rundownc.go new file mode 100644 index 000000000..62f614c7a --- /dev/null +++ b/pkg/kstream/kstream_rundownc.go @@ -0,0 +1,176 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kstream + +import ( + "fmt" + kerrors "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/filter" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/rabbitstack/fibratus/pkg/syscall/etw" + "github.com/rabbitstack/fibratus/pkg/syscall/tdh" + "github.com/rabbitstack/fibratus/pkg/syscall/utf16" + "github.com/rabbitstack/fibratus/pkg/syscall/winerrno" + log "github.com/sirupsen/logrus" + "syscall" + "unsafe" +) + +// kstreamRundownConsumer publishes opened file objects as encountered at the beginning of the trace session. +type kstreamRundownConsumer struct { + handle etw.TraceHandle + errs chan error + krundowns chan *kevent.Kevent +} + +func newRundownConsumer() Consumer { + return &kstreamRundownConsumer{ + errs: make(chan error), + krundowns: make(chan *kevent.Kevent, 1000), + } +} + +func (k *kstreamRundownConsumer) OpenKstream() error { + ktrace := etw.EventTraceLogfile{ + LoggerName: utf16.StringToUTF16Ptr(etw.KernelLoggerRundownSession), + } + cb := syscall.NewCallback(k.processRundownCallback) + modes := uint32(etw.ProcessTraceModeRealtime | etw.ProcessTraceModeEventRecord) + *(*uint32)(unsafe.Pointer(&ktrace.LogFileMode[0])) = modes + *(*uintptr)(unsafe.Pointer(&ktrace.EventCallback[4])) = cb + + handle := openTrace(ktrace) + if uint64(handle) == winerrno.InvalidProcessTraceHandle { + return fmt.Errorf("unable to open kernel rundown logger trace: %v", syscall.GetLastError()) + } + k.handle = handle + go func() { + err := processTrace(handle) + if err != nil { + k.errs <- err + return + } + log.Info("successfully stopped kernel rundown session") + }() + return nil +} + +// SetFilter initializes the filter that's applied on the kernel events. +func (k *kstreamRundownConsumer) SetFilter(filter filter.Filter) {} + +// CloseKstream shutdowns the currently running kernel rundown consumer by closing the corresponding +// session. +func (k *kstreamRundownConsumer) CloseKstream() error { + return etw.CloseTrace(k.handle) +} + +// Errors returns a channel where errors are pushed. +func (k *kstreamRundownConsumer) Errors() chan error { + return k.errs +} + +// Events returns the buffered channel where enumerated system resources are pushed. +func (k *kstreamRundownConsumer) Events() chan *kevent.Kevent { + return k.krundowns +} + +func (k *kstreamRundownConsumer) processRundownCallback(evt *etw.EventRecord) uintptr { + if err := k.processRundown(evt); err != nil { + k.errs <- err + } + return callbackNext +} + +func (k *kstreamRundownConsumer) processRundown(evt *etw.EventRecord) error { + bufferSize := evtBufferSize + buffer := make([]byte, bufferSize) + + ktype := ktypes.Pack(evt.Header.ProviderID, evt.Header.EventDescriptor.Opcode) + + err := tdh.GetEventInformation(evt, buffer, bufferSize) + if err == kerrors.ErrInsufficentBuffer { + // not enough space to store the event, so we retry with bigger buffer + buffer = make([]byte, bufferSize) + if err = tdh.GetEventInformation(evt, buffer, bufferSize); err != nil { + return fmt.Errorf("failed to get rundown event after reallocating buffer size to %d KB: %v", bufferSize, err) + } + } + trace := (*tdh.TraceEventInfo)(unsafe.Pointer(&buffer[0])) + kpars := kevent.Kparams(produceParams(evt, trace)) + + krundown := &kevent.Kevent{ + Type: ktype, + Kparams: kpars, + } + + select { + case k.krundowns <- krundown: + default: + log.Warn("kernel rundown logger event queue is full") + } + + return nil +} + +// produceParams extracts event's parameters from the event descriptor. +func produceParams(evt *etw.EventRecord, trace *tdh.TraceEventInfo) map[string]*kevent.Kparam { + var ( + count = trace.PropertyCount + kpars = make(map[string]*kevent.Kparam, count) + // this yields a property array from unsized array + props = (*[1 << 30]tdh.EventPropertyInfo)(unsafe.Pointer(&trace.EventPropertyInfoArray[0]))[:count:count] + ) + + for _, property := range props { + // compute the pointer to each property name and get the size of the buffer + // that we'll allocate to accommodate the property value + propp := unsafe.Pointer(uintptr(unsafe.Pointer(trace)) + uintptr(property.NameOffset)) + kparName := syscall.UTF16ToString((*[1 << 20]uint16)(propp)[:]) + + descriptor := &tdh.PropertyDataDescriptor{ + PropertyName: propp, + ArrayIndex: 0xFFFFFFFF, + } + size, err := getPropertySize(evt, descriptor) + if err != nil || size == 0 { + continue + } + + buffer := make([]byte, size) + if err := getProperty(evt, descriptor, size, buffer); err != nil { + continue + } + + kparName = kparams.Canonicalize(kparName) + // discard unknown canonical names + if kparName == "" { + continue + } + nst := *(*tdh.NonStructType)(unsafe.Pointer(&property.Types[0])) + // obtain the parameter value from byte buffer + kpar, err := getParam(kparName, buffer, size, nst) + if err != nil { + continue + } + kpars[kparName] = kpar + } + return kpars +} diff --git a/pkg/kstream/kstreamc.go b/pkg/kstream/kstreamc.go new file mode 100644 index 000000000..aaec79769 --- /dev/null +++ b/pkg/kstream/kstreamc.go @@ -0,0 +1,611 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kstream + +import ( + "errors" + "expvar" + "fmt" + "github.com/rabbitstack/fibratus/pkg/config" + kerrors "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/filter" + "github.com/rabbitstack/fibratus/pkg/handle" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/rabbitstack/fibratus/pkg/kstream/interceptors" + "github.com/rabbitstack/fibratus/pkg/ps" + "github.com/rabbitstack/fibratus/pkg/syscall/etw" + "github.com/rabbitstack/fibratus/pkg/syscall/process" + "github.com/rabbitstack/fibratus/pkg/syscall/tdh" + "github.com/rabbitstack/fibratus/pkg/syscall/thread" + "github.com/rabbitstack/fibratus/pkg/syscall/utf16" + "github.com/rabbitstack/fibratus/pkg/syscall/winerrno" + "github.com/rabbitstack/fibratus/pkg/util/filetime" + log "github.com/sirupsen/logrus" + "os" + "strings" + "syscall" + "unsafe" +) + +const ( + // callbackNext is the return callback value which designates that callback execution should progress + callbackNext = uintptr(1) + // evtBufferSize determines the default buffer size in kilobytes for the`TraceEventInfo` structure + evtBufferSize = uint32(4096) +) + +var ( + // failedKevents counts the number of kevents that failed to process + failedKevents = expvar.NewMap("kstream.kevents.failures") + failedKeventsByMissingSchema = expvar.NewMap("kstream.kevents.missing.schema.errors") + // keventsEnqueued counts the number of events that are pushed to the queue + keventsEnqueued = expvar.NewInt("kstream.kevents.enqueued") + // failedKparams counts the number of kernel event parameters that failed to process + failedKparams = expvar.NewInt("kstream.kevent.param.failures") + blacklistedKevents = expvar.NewMap("kstream.blacklist.dropped.kevents") + blacklistedProcs = expvar.NewMap("kstream.blacklist.dropped.procs") + + upstreamCancellations = expvar.NewInt("kstream.upstream.cancellations") + + buffersRead = expvar.NewInt("kstream.kbuffers.read") +) + +var ( + openTrace = etw.OpenTrace + processTrace = etw.ProcessTrace + getPropertySize = tdh.GetPropertySize + getProperty = tdh.GetProperty + + currentPid = uint32(os.Getpid()) +) + +// Consumer is the interface for the kernel event stream consumer. +type Consumer interface { + // OpenKstream initializes the kernel event stream by setting the event record callback and instructing it + // to consume events from log buffers. This operation can fail if opening the kernel logger session results + // in an invalid trace handler. Errors returned by `ProcessTrace` are sent to the channel since this function + // blocks the current thread and we schedule its execution in a separate goroutine. + OpenKstream() error + // CloseKstream shutdowns the currently running kernel event stream consumer by closing the corresponding + // session. + CloseKstream() error + // Errors returns the channel where errors are pushed. + Errors() chan error + // Events returns the buffered channel for pulling collected kernel events. + Events() chan *kevent.Kevent + // SetFilter initializes the filter that's applied on the kernel events. + SetFilter(filter filter.Filter) +} + +type blacklist map[ktypes.Ktype]string + +func (b blacklist) has(ktype ktypes.Ktype) bool { return b[ktype] != "" } + +type kstreamConsumer struct { + handle etw.TraceHandle + errs chan error + kevts chan *kevent.Kevent + interceptorChain interceptors.Chain + ignoredKparams map[string]bool + config *config.Config + + keventsBlacklist blacklist + procsBlacklist []string + + kstreamRundownConsumer Consumer + + ktraceController KtraceController + + psnapshotter ps.Snapshotter + sequencer *kevent.Sequencer + + filter filter.Filter + capture bool +} + +// NewConsumer constructs a new kernel event stream consumer. +func NewConsumer(ktraceController KtraceController, psnap ps.Snapshotter, hsnap handle.Snapshotter, config *config.Config) Consumer { + kconsumer := &kstreamConsumer{ + errs: make(chan error, 1000), + ignoredKparams: kparams.Ignored(), + config: config, + psnapshotter: psnap, + kstreamRundownConsumer: newRundownConsumer(), + ktraceController: ktraceController, + procsBlacklist: make([]string, len(config.Kstream.BlacklistImages)), + keventsBlacklist: make(map[ktypes.Ktype]string), + capture: config.KcapFile != "", + sequencer: kevent.NewSequencer(), + kevts: make(chan *kevent.Kevent), + } + + kconsumer.interceptorChain = interceptors.NewChain(psnap, hsnap, kconsumer.startRundown, config) + + return kconsumer +} + +func (k *kstreamConsumer) startRundown() error { + if err := k.ktraceController.StartKtraceRundown(); err != nil { + return err + } + go k.openRundownConsumer() + return nil +} + +func (k *kstreamConsumer) init() { + if k.ktraceController.IsKRundownStarted() { + go k.openRundownConsumer() + } + + for _, name := range k.config.Kstream.BlacklistKevents { + if ktype := ktypes.KeventNameToKtype(name); ktype != ktypes.UnknownKtype { + k.keventsBlacklist[ktype] = name + } + } + + for i, name := range k.config.Kstream.BlacklistImages { + k.procsBlacklist[i] = strings.ToLower(name) + } +} + +// SetFilter initializes the filter that's applied on the kernel events. +func (k *kstreamConsumer) SetFilter(filter filter.Filter) { k.filter = filter } + +// OpenKstream initializes the kernel event stream by setting the event record callback and instructing it +// to consume events from log buffers. This operation can fail if opening the kernel logger session results +// in an invalid trace handler. Errors returned by `ProcessTrace` are sent to the channel since this function +// blocks the current thread and we schedule its execution in a separate goroutine. +func (k *kstreamConsumer) OpenKstream() error { + ktrace := etw.EventTraceLogfile{ + LoggerName: utf16.StringToUTF16Ptr(etw.KernelLoggerSession), + BufferCallback: syscall.NewCallback(k.bufferStatsCallback), + } + cb := syscall.NewCallback(k.processKeventCallback) + modes := uint32(etw.ProcessTraceModeRealtime | etw.ProcessTraceModeEventRecord) + // initialize real time trace mode and event callback functions + // via these nasty pointer accesses to unions inside the structure + *(*uint32)(unsafe.Pointer(&ktrace.LogFileMode[0])) = modes + *(*uintptr)(unsafe.Pointer(&ktrace.EventCallback[4])) = cb + + h := openTrace(ktrace) + if uint64(h) == winerrno.InvalidProcessTraceHandle { + return fmt.Errorf("unable to open kernel trace: %v", syscall.GetLastError()) + } + k.handle = h + k.init() + // since `ProcessTrace` blocks the current thread + // we invoke it in a separate goroutine but send + // any possible errors to the channel + go func() { + err := processTrace(h) + log.Info("stopping kernel trace processing") + if err == nil { + log.Info("kernel trace processing successfully stopped") + return + } + switch err { + case kerrors.ErrTraceCancelled: + if uint64(h) != winerrno.InvalidProcessTraceHandle { + if err := etw.CloseTrace(h); err != nil { + k.errs <- err + } + } + default: + k.errs <- err + } + }() + return nil +} + +func (k *kstreamConsumer) openRundownConsumer() { + if err := k.kstreamRundownConsumer.OpenKstream(); err != nil { + log.Error(err) + return + } + for { + select { + case kevt := <-k.kstreamRundownConsumer.Events(): + if _, err := k.interceptorChain.Dispatch(kevt); err != nil { + log.Errorf("unable to dispatch rundown event to interceptors: %v", err) + } + case err := <-k.kstreamRundownConsumer.Errors(): + log.Errorf("got kernel rundown error: %v", err) + } + } +} + +// CloseKstream shutdowns the currently running kernel event stream consumer by closing the corresponding +// session. +func (k *kstreamConsumer) CloseKstream() error { + if err := etw.CloseTrace(k.handle); err != nil { + return err + } + if err := k.sequencer.Store(); err != nil { + log.Warn(err) + } + if err := k.sequencer.Close(); err != nil { + log.Warn(err) + } + if k.ktraceController.IsKRundownStarted() { + if err := k.kstreamRundownConsumer.CloseKstream(); err != nil { + return err + } + } + return nil +} + +// Errors returns a channel where errors are pushed. +func (k *kstreamConsumer) Errors() chan error { + return k.errs +} + +// Events returns the buffered channel for pulling collected kernel events. +func (k *kstreamConsumer) Events() chan *kevent.Kevent { + return k.kevts +} + +// bufferStatsCallback is periodically triggered by ETW subsystem for the purpose of reporting +// buffer statistics, such as the number of buffers processed. +func (k *kstreamConsumer) bufferStatsCallback(logfile *etw.EventTraceLogfile) uintptr { + buffersRead.Add(int64(logfile.BuffersRead)) + return callbackNext +} + +// processKeventCallback is the event callback function signature that delegates event processing +// to `processKevent`. +func (k *kstreamConsumer) processKeventCallback(evt *etw.EventRecord) uintptr { + if err := k.processKevent(evt); err != nil { + failedKevents.Add(err.Error(), 1) + k.errs <- err + } + return callbackNext +} + +// processKevent is the backbone of the kernel stream consumer. It does the heavy lifting of parsing inbound ETW events, +// iterating through event properties and pushing kernel events to the channel. +func (k *kstreamConsumer) processKevent(evt *etw.EventRecord) error { + var ( + pid = evt.Header.ProcessID + tid = evt.Header.ThreadID + // get the CPU core on which the event was generated + cpu = *(*uint8)(unsafe.Pointer(&evt.BufferContext.ProcessorIndex[0])) + ktype = ktypes.Pack(evt.Header.ProviderID, evt.Header.EventDescriptor.Opcode) + ) + + // drop any blacklisted process or unknown kernel event as earliest as possible + if k.dropBlacklistProc(pid) || !ktype.Exists() { + return nil + } + // it as required to initialize the size of the + // event trace buffer that we'll have to reallocate + // in case there's no enough room to store the whole trace + bufferSize := evtBufferSize + buffer := make([]byte, bufferSize) + + err := tdh.GetEventInformation(evt, buffer, bufferSize) + if err == kerrors.ErrInsufficentBuffer { + // not enough space to store the event, so we retry with bigger buffer + buffer = make([]byte, bufferSize) + if err = tdh.GetEventInformation(evt, buffer, bufferSize); err != nil { + return fmt.Errorf("failed to get event metadata after reallocating buffer size to %d KB: %v", bufferSize, err) + } + } + + if err != nil { + if err == kerrors.ErrEventSchemaNotFound { + // increment error count for events that lack the schema + failedKeventsByMissingSchema.Add(ktype.String(), 1) + return fmt.Errorf("schema not found for event %q", ktype) + } + return fmt.Errorf("unable to retrieve kernel event metadata for :%q: %v", ktype, err) + } + + trace := (*tdh.TraceEventInfo)(unsafe.Pointer(&buffer[0])) + kpars := kevent.Kparams(k.produceParams(ktype, evt, trace)) + ts := filetime.ToEpoch(evt.Header.Timestamp) + category := ktypes.KtypeToKeventInfo(ktype).Category + + switch category { + case ktypes.Image: + // sometimes the pid present in event header is invalid + // but we can get the valid one from the event parameters + if pid == winerrno.InvalidPID { + pid, _ = kpars.GetUint32(kparams.ProcessID) + } + + case ktypes.File: + // on some Windows versions the value of + // the PID attribute is invalid for the + // file system kernel events + if pid == winerrno.InvalidPID { + // try to resolve a valid pid from thread ID + threadID, err := kpars.GetHexAsUint32(kparams.ThreadID) + if err != nil { + break + } + h, err := thread.Open(thread.QueryLimitedInformation, false, threadID) + if err != nil { + break + } + defer h.Close() + pid, err = process.GetPIDFromThread(h) + } + if pid != winerrno.InvalidPID { + kpars.Append(kparams.ProcessID, kparams.PID, pid) + } + + case ktypes.Process: + // process and thread start events may be logged in the context of the parent process or thread. + // As a result, the ProcessId and ThreadId members of EVENT_TRACE_HEADER may not correspond to the + // process and thread being created so we set the event pid to be the one of the parent process + pid, _ = kpars.GetHexAsUint32(kparams.ProcessParentID) + + case ktypes.Net: + pid, _ = kpars.GetUint32(kparams.ProcessID) + kpars.Remove(kparams.ProcessID) + } + + // try to drop blacklist processes after pid readjustment + if k.dropBlacklistProc(pid) { + return nil + } + + // build a new kernel event with all required fields. Kevent is the fundamental data structure + // for propagating events to outputs sinks. + kevt := kevent.New( + k.sequencer.Get(), + pid, + tid, + cpu, + ktype, + ts, + kpars, + ) + + // dispatch each event to the interceptor chain that will further augment the kernel + // event with useful fields, route events to corresponding snapshotters or initialize + // open files/registry control blocks at the beginning of the kernel trace session + kevt, err = k.interceptorChain.Dispatch(kevt) + if err != nil { + if kerrors.IsCancelUpstreamKevent(err) { + upstreamCancellations.Add(1) + return nil + } + log.Errorf("interceptor chain error(s) occurred: %v", err) + } + // associate process' state with the kernel event. We only override the process' + // state if it hasn't been set previously like in the situation where captures + // are being taken. The kernel events that construct the process' snapshot also + // have attached process state, so simply by replaying the flow of these events + // we are able to reconstruct system-wide process state. + if kevt.PS == nil { + kevt.PS = k.psnapshotter.Find(kevt.PID) + } + if k.isDropped(kevt) { + kevt.Release() + return nil + } + + k.kevts <- kevt + + keventsEnqueued.Add(1) + if !kevt.Type.Dropped(false) { + k.sequencer.Increment() + } + + return nil +} + +var offsets = map[uint32]string{} + +// produceParams traverses ETW event's properties, gets the underlying property buffer and produces a kernel event +// parameter for the particular event. +func (k *kstreamConsumer) produceParams(ktype ktypes.Ktype, evt *etw.EventRecord, trace *tdh.TraceEventInfo) map[string]*kevent.Kparam { + var ( + count = trace.PropertyCount + kpars = make(map[string]*kevent.Kparam, count) + // this yields a property array from the unsized array + props = (*[1 << 30]tdh.EventPropertyInfo)(unsafe.Pointer(&trace.EventPropertyInfoArray[0]))[:count:count] + ) + + for _, property := range props { + hashKey := ktype.Hash() + property.NameOffset + // lookup resolved kparam names if the hash key is not located in offsets cache + kparName, ok := offsets[hashKey] + // compute the pointer to each property name and get the size of the buffer + // that we'll allocate to accommodate the property value + propp := unsafe.Pointer(uintptr(unsafe.Pointer(trace)) + uintptr(property.NameOffset)) + if !ok { + kparName = utf16.UTF16PtrToString(propp) + offsets[hashKey] = kparName + } + + // skip ignored parameters + if _, ok := k.ignoredKparams[kparName]; ok { + continue + } + + descriptor := &tdh.PropertyDataDescriptor{ + PropertyName: propp, + ArrayIndex: 0xFFFFFFFF, + } + size, err := getPropertySize(evt, descriptor) + if err != nil || size == 0 { + continue + } + + buffer := make([]byte, size) + if err := getProperty(evt, descriptor, size, buffer); err != nil { + continue + } + + kparName = kparams.Canonicalize(kparName) + // discard unknown canonical names + if kparName == "" { + continue + } + + nst := *(*tdh.NonStructType)(unsafe.Pointer(&property.Types[0])) + // obtain parameter value from the byte buffer + kpar, err := getParam(kparName, buffer, size, nst) + if err != nil { + failedKparams.Add(1) + continue + } + kpars[kparName] = kpar + } + + return kpars +} + +// getParam extracts parameter value from the property buffer and builds the kparam structure. +func getParam(name string, buffer []byte, size uint32, nonStructType tdh.NonStructType) (*kevent.Kparam, error) { + if buffer == nil || len(buffer) == 0 { + return nil, errors.New("property buffer is empty") + } + + var ( + typ kparams.Type + value kparams.Value + ) + + switch nonStructType.InType { + case tdh.IntypeUnicodeString: + typ, value = kparams.UnicodeString, utf16.UTF16PtrToString(unsafe.Pointer(&buffer[0])) + case tdh.IntypeAnsiString: + typ, value = kparams.AnsiString, string((*[1<<30 - 1]byte)(unsafe.Pointer(&buffer[0]))[:size-1:size-1]) + + case tdh.IntypeInt8: + typ, value = kparams.Int8, *(*int8)(unsafe.Pointer(&buffer[0])) + case tdh.IntypeUint8: + typ, value = kparams.Uint8, *(*uint8)(unsafe.Pointer(&buffer[0])) + if nonStructType.OutType == tdh.OutypeHexInt8 { + typ = kparams.HexInt8 + } + case tdh.IntypeBoolean: + typ, value = kparams.Bool, *(*bool)(unsafe.Pointer(&buffer[0])) + + case tdh.IntypeInt16: + typ, value = kparams.Int16, *(*int16)(unsafe.Pointer(&buffer[0])) + case tdh.IntypeUint16: + typ, value = kparams.Uint16, *(*uint16)(unsafe.Pointer(&buffer[0])) + switch nonStructType.OutType { + case tdh.OutypeHexInt16: + typ = kparams.HexInt16 + case tdh.OutypePort: + typ = kparams.Port + } + + case tdh.IntypeInt32: + typ, value = kparams.Int32, *(*int32)(unsafe.Pointer(&buffer[0])) + case tdh.IntypeUint32: + typ, value = kparams.Uint32, *(*uint32)(unsafe.Pointer(&buffer[0])) + switch nonStructType.OutType { + case tdh.OutypeHexInt32: + typ = kparams.HexInt32 + case tdh.OutypeIPv4: + typ = kparams.IPv4 + } + + case tdh.IntypeInt64: + typ, value = kparams.Int64, *(*int64)(unsafe.Pointer(&buffer[0])) + case tdh.IntypeUint64: + typ, value = kparams.Uint64, *(*uint64)(unsafe.Pointer(&buffer[0])) + if nonStructType.OutType == tdh.OutypeHexInt64 { + typ = kparams.HexInt64 + } + + case tdh.IntypeFloat: + typ, value = kparams.Float, *(*float32)(unsafe.Pointer(&buffer[0])) + case tdh.IntypeDouble: + typ, value = kparams.Double, *(*float64)(unsafe.Pointer(&buffer[0])) + + case tdh.IntypeHexInt32: + typ, value = kparams.HexInt32, *(*int32)(unsafe.Pointer(&buffer[0])) + case tdh.IntypeHexInt64: + typ, value = kparams.HexInt64, *(*int64)(unsafe.Pointer(&buffer[0])) + case tdh.IntypePointer, tdh.IntypeSizet: + typ, value = kparams.HexInt64, *(*uint64)(unsafe.Pointer(&buffer[0])) + case tdh.IntypeSID: + typ, value = kparams.SID, buffer + case tdh.IntypeWbemSID: + typ, value = kparams.WbemSID, buffer + case tdh.IntypeBinary: + if nonStructType.OutType == tdh.OutypeIPv6 { + typ, value = kparams.IPv6, buffer + } else { + typ, value = kparams.Binary, buffer + } + default: + return nil, fmt.Errorf("unknown type for %q parameter", name) + } + + return kevent.NewKparam(name, typ, value), nil +} + +// isDropped discards the kernel event before it hits the output channel. +// Dropping a kernel event occurs if any of the following conditions +// are met: +// +// - kernel event is used solely for building internal state of either +// needs to be stored in the capture file for the purpose of restoring +// the state +// - process that produced the kernel event is fibratus itself +// - kernel event is present in the blacklist, and thus it is always dropped +// - finally, the event is dropped by the filter engine +func (k *kstreamConsumer) isDropped(kevt *kevent.Kevent) bool { + if kevt.Type.Dropped(k.capture) { + return true + } + if kevt.PID == currentPid { + return true + } + if k.keventsBlacklist.has(kevt.Type) { + blacklistedKevents.Add(kevt.Name, 1) + return true + } + if k.filter == nil { + return false + } + filtered := k.filter.Run(kevt) + if !filtered { + return true + } + return false +} + +// dropBlacklistProc drops the events from the blacklist if it is linked to particular process name. +func (k *kstreamConsumer) dropBlacklistProc(pid uint32) bool { + if len(k.procsBlacklist) == 0 { + return false + } + proc := k.psnapshotter.Find(pid) + if proc == nil { + return false + } + for _, blacklistProc := range k.procsBlacklist { + if strings.ToLower(proc.Name) == blacklistProc { + blacklistedProcs.Add(proc.Name, int64(1)) + return true + } + } + return false +} diff --git a/pkg/kstream/kstreamc_test.go b/pkg/kstream/kstreamc_test.go new file mode 100644 index 000000000..4021f83b3 --- /dev/null +++ b/pkg/kstream/kstreamc_test.go @@ -0,0 +1,242 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package kstream + +import ( + "encoding/gob" + "github.com/rabbitstack/fibratus/pkg/config" + kerrors "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/handle" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/rabbitstack/fibratus/pkg/ps" + "github.com/rabbitstack/fibratus/pkg/ps/types" + "github.com/rabbitstack/fibratus/pkg/syscall/etw" + "github.com/rabbitstack/fibratus/pkg/syscall/tdh" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/mock" + "github.com/stretchr/testify/require" + "net" + "os" + "testing" + "time" +) + +func TestOpenKstream(t *testing.T) { + psnap := new(ps.SnapshotterMock) + hsnap := new(handle.SnapshotterMock) + ktraceController := NewKtraceController(config.KstreamConfig{}) + kstreamc := NewConsumer(ktraceController, psnap, hsnap, &config.Config{}) + openTrace = func(ktrace etw.EventTraceLogfile) etw.TraceHandle { + return etw.TraceHandle(2) + } + processTrace = func(handle etw.TraceHandle) error { + return nil + } + err := kstreamc.OpenKstream() + require.NoError(t, err) +} + +func TestOpenKstreamInvalidHandle(t *testing.T) { + psnap := new(ps.SnapshotterMock) + hsnap := new(handle.SnapshotterMock) + ktraceController := NewKtraceController(config.KstreamConfig{}) + kstreamc := NewConsumer(ktraceController, psnap, hsnap, &config.Config{}) + openTrace = func(ktrace etw.EventTraceLogfile) etw.TraceHandle { + return etw.TraceHandle(0xffffffffffffffff) + } + err := kstreamc.OpenKstream() + require.Error(t, err) +} + +func TestOpenKstreamKsessionNotRunning(t *testing.T) { + psnap := new(ps.SnapshotterMock) + hsnap := new(handle.SnapshotterMock) + ktraceController := NewKtraceController(config.KstreamConfig{}) + kstreamc := NewConsumer(ktraceController, psnap, hsnap, &config.Config{}) + openTrace = func(ktrace etw.EventTraceLogfile) etw.TraceHandle { + return etw.TraceHandle(2) + } + processTrace = func(handle etw.TraceHandle) error { + return kerrors.ErrKsessionNotRunning + } + err := kstreamc.OpenKstream() + require.NoError(t, err) + err = <-kstreamc.Errors() + assert.EqualError(t, err, "kernel session from which you are trying to consume events in real time is not running") +} + +func TestProcessKevent(t *testing.T) { + psnap := new(ps.SnapshotterMock) + hsnap := new(handle.SnapshotterMock) + ktraceController := NewKtraceController(config.KstreamConfig{}) + kstreamc := NewConsumer(ktraceController, psnap, hsnap, &config.Config{}) + + psnap.On("Find", mock.Anything).Return(&types.PS{Name: "cmd.exe"}) + + openTrace = func(ktrace etw.EventTraceLogfile) etw.TraceHandle { + return etw.TraceHandle(2) + } + processTrace = func(handle etw.TraceHandle) error { + return nil + } + getPropertySize = func(evt *etw.EventRecord, descriptor *tdh.PropertyDataDescriptor) (uint32, error) { + return uint32(10), nil + } + getProperty = func(evt *etw.EventRecord, descriptor *tdh.PropertyDataDescriptor, size uint32, buffer []byte) error { + return nil + } + + psnap.On("Write", mock.Anything).Return(nil) + + f, err := os.Open("./_fixtures/snapshots/create-process.gob") + if err != nil { + t.Fatal(err) + } + + dec := gob.NewDecoder(f) + var evt etw.EventRecord + err = dec.Decode(&evt) + if err != nil { + t.Fatal(err) + } + err = kstreamc.(*kstreamConsumer).processKevent(&evt) + require.NoError(t, err) + + kevt := <-kstreamc.Events() + + assert.Equal(t, ktypes.Process, kevt.Category) + assert.Equal(t, uint32(9828), kevt.Tid) + assert.Equal(t, uint8(5), kevt.CPU) + assert.Equal(t, ktypes.CreateProcess, kevt.Type) + assert.Equal(t, "CreateProcess", kevt.Name) + assert.Equal(t, "Creates a new process and its primary thread", kevt.Description) + + ts, err := time.Parse("2006-01-02 15:04:05.0000000 -0700 CEST", "2019-04-05 16:10:36.5225778 +0200 CEST") + assert.Equal(t, ts, kevt.Timestamp) + assert.Len(t, kevt.Kparams, 9) + + assert.True(t, kevt.Kparams.Contains(kparams.DTB)) + assert.True(t, kevt.Kparams.Contains(kparams.ProcessName)) +} + +func TestGetParamEmptyBuffer(t *testing.T) { + _, err := getParam("sip", nil, 16, tdh.NonStructType{InType: tdh.IntypeBinary, OutType: tdh.OutypeIPv6}) + require.Error(t, err) + + _, err = getParam("sip", []byte{}, 16, tdh.NonStructType{InType: tdh.IntypeBinary, OutType: tdh.OutypeIPv6}) + require.Error(t, err) +} + +func TestGetParam(t *testing.T) { + kpar, err := getParam("comm", []byte{99, 0, 109, 0, 100, 0, 92, 0, 102, 0, 105, 0, 98, 0, 114, 0, 97, 0, 116, 0, 117, 0, 115, 0, 92, 0, 102, 0, 105, 0, 98, 0, 114, 0, 97, 0, 116, 0, 117, 0, 115, 0, 46, 0, 101, 0, 120, 0, 101, 0, 32, 0, 32, 0, 0, 0}, 16, tdh.NonStructType{InType: tdh.IntypeUnicodeString}) + require.NoError(t, err) + assert.Equal(t, kparams.UnicodeString, kpar.Type) + assert.Equal(t, "cmd\\fibratus\\fibratus.exe ", kpar.Value) + + kpar, err = getParam("exe", []byte{77, 105, 99, 114, 111, 115, 111, 102, 116, 46, 80, 104, 111, 116, 111, 115, 46, 101, 120, 101, 0}, 21, tdh.NonStructType{InType: tdh.IntypeAnsiString}) + assert.Equal(t, kparams.AnsiString, kpar.Type) + assert.Equal(t, "Microsoft.Photos.exe", kpar.Value) + + kpar, err = getParam("flag", []byte{127}, 1, tdh.NonStructType{InType: tdh.IntypeInt8}) + assert.Equal(t, kparams.Int8, kpar.Type) + assert.Equal(t, int8(127), kpar.Value) + + kpar, err = getParam("flag", []byte{255}, 1, tdh.NonStructType{InType: tdh.IntypeUint8}) + assert.Equal(t, kparams.Uint8, kpar.Type) + assert.Equal(t, uint8(255), kpar.Value) + + kpar, err = getParam("flag", []byte{255}, 1, tdh.NonStructType{InType: tdh.IntypeUint8, OutType: tdh.OutypeHexInt8}) + assert.Equal(t, kparams.HexInt8, kpar.Type) + assert.Equal(t, kparams.Hex("ff"), kpar.Value) + + kpar, err = getParam("enabled", []byte{1}, 1, tdh.NonStructType{InType: tdh.IntypeBoolean}) + assert.Equal(t, kparams.Bool, kpar.Type) + assert.Equal(t, true, kpar.Value) + + kpar, err = getParam("enabled", []byte{0}, 1, tdh.NonStructType{InType: tdh.IntypeBoolean}) + assert.Equal(t, kparams.Bool, kpar.Type) + assert.Equal(t, false, kpar.Value) + + kpar, err = getParam("addr", []byte{255, 169}, 2, tdh.NonStructType{InType: tdh.IntypeUint16, OutType: tdh.OutypeHexInt16}) + assert.Equal(t, kparams.HexInt16, kpar.Type) + assert.Equal(t, kparams.Hex("a9ff"), kpar.Value) + + kpar, err = getParam("sport", []byte{255, 169}, 2, tdh.NonStructType{InType: tdh.IntypeUint16, OutType: tdh.OutypePort}) + assert.Equal(t, kparams.Port, kpar.Type) + assert.Equal(t, uint16(65449), kpar.Value) + + kpar, err = getParam("pid", []byte{252, 26, 0, 0}, 4, tdh.NonStructType{InType: tdh.IntypeInt32}) + assert.Equal(t, kparams.Int32, kpar.Type) + assert.Equal(t, int32(6908), kpar.Value) + + kpar, err = getParam("kproc", []byte{108, 3, 0, 0}, 4, tdh.NonStructType{InType: tdh.IntypeUint32}) + assert.Equal(t, kparams.Uint32, kpar.Type) + assert.Equal(t, uint32(876), kpar.Value) + + kpar, err = getParam("kproc", []byte{108, 3, 0, 0}, 4, tdh.NonStructType{InType: tdh.IntypeUint32, OutType: tdh.OutypeHexInt32}) + assert.Equal(t, kparams.HexInt32, kpar.Type) + assert.Equal(t, kparams.Hex("36c"), kpar.Value) + + kpar, err = getParam("dip", []byte{192, 168, 1, 210}, 4, tdh.NonStructType{InType: tdh.IntypeUint32, OutType: tdh.OutypeIPv4}) + assert.Equal(t, kparams.IPv4, kpar.Type) + assert.Equal(t, net.ParseIP("192.168.1.210"), kpar.Value) + + kpar, err = getParam("syscall.addr", []byte{192, 168, 1, 210, 8, 1, 1, 1}, 8, tdh.NonStructType{InType: tdh.IntypeInt64}) + assert.Equal(t, kparams.Int64, kpar.Type) + assert.Equal(t, int64(72340206409328832), kpar.Value) + + kpar, err = getParam("syscall.addr", []byte{192, 168, 1, 210, 199, 100, 100, 100}, 8, tdh.NonStructType{InType: tdh.IntypeUint64}) + assert.Equal(t, kparams.Uint64, kpar.Type) + assert.Equal(t, uint64(7234017710848452800), kpar.Value) + + kpar, err = getParam("syscall.addr", []byte{192, 168, 1, 210, 199, 100, 100, 100}, 8, tdh.NonStructType{InType: tdh.IntypeUint64, OutType: tdh.OutypeHexInt64}) + assert.Equal(t, kparams.HexInt64, kpar.Type) + assert.Equal(t, kparams.Hex("646464c7d201a8c0"), kpar.Value) + + kpar, err = getParam("currency", []byte{0, 0, 0, 1}, 4, tdh.NonStructType{InType: tdh.IntypeFloat}) + assert.Equal(t, kparams.Float, kpar.Type) + assert.Equal(t, float32(2.3509887e-38), kpar.Value) + + kpar, err = getParam("currency", []byte{0, 0, 0, 0, 0, 0, 0, 1}, 8, tdh.NonStructType{InType: tdh.IntypeDouble}) + assert.Equal(t, kparams.Double, kpar.Type) + assert.Equal(t, float64(7.291122019556398e-304), kpar.Value) + + kpar, err = getParam("kproc", []byte{108, 3, 0, 0}, 4, tdh.NonStructType{InType: tdh.IntypeHexInt32}) + assert.Equal(t, kparams.HexInt32, kpar.Type) + assert.Equal(t, kparams.Hex("36c"), kpar.Value) + + kpar, err = getParam("syscall.addr", []byte{192, 168, 1, 210, 199, 100, 100, 100}, 8, tdh.NonStructType{InType: tdh.IntypeHexInt64}) + assert.Equal(t, kparams.HexInt64, kpar.Type) + assert.Equal(t, kparams.Hex("646464c7d201a8c0"), kpar.Value) + + kpar, err = getParam("sid", []byte{96, 12, 161, 104, 133, 219, 255, 255, 0, 0, 0, 0, 3, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0}, 8, tdh.NonStructType{InType: tdh.IntypeWbemSID}) + assert.Equal(t, kparams.WbemSID, kpar.Type) + assert.Equal(t, "NT AUTHORITY\\SYSTEM", kpar.Value) + + kpar, err = getParam("sip", []byte{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1}, 16, tdh.NonStructType{InType: tdh.IntypeBinary, OutType: tdh.OutypeIPv6}) + assert.Equal(t, kparams.IPv6, kpar.Type) + assert.Equal(t, net.ParseIP("::1"), kpar.Value) +} + +func TestGetParamUnknownType(t *testing.T) { + kpar, err := getParam("comm", []byte{99, 0, 109, 0, 100, 0, 92, 0, 102, 0, 105, 0, 98, 0, 114, 0, 97, 0, 116, 0, 117, 0, 115, 0, 92, 0, 102, 0, 105, 0, 98, 0, 114, 0, 97, 0, 116, 0, 117, 0, 115, 0, 46, 0, 101, 0, 120, 0, 101, 0, 32, 0, 32, 0, 0, 0}, 16, tdh.NonStructType{InType: tdh.IntypeFiletime}) + require.Error(t, err) + assert.Equal(t, kparams.Unknown, kpar.Type) +} diff --git a/pkg/net/types.go b/pkg/net/types.go new file mode 100644 index 000000000..6b97af19e --- /dev/null +++ b/pkg/net/types.go @@ -0,0 +1,41 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package net + +// L4Proto is the type alias for the Layer 4 protocol. +type L4Proto uint8 + +const ( + // TCP identifies TCP Layer 4 protocol. + TCP L4Proto = iota + 1 + // UDP identifies UDP Layer 4 protocol. + UDP +) + +// String returns the string representation of the Layer 4 protocol. +func (proto L4Proto) String() string { + switch proto { + case TCP: + return "tcp" + case UDP: + return "udp" + default: + return "unknown" + } +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/README.md b/pkg/outputs/amqp/_fixtures/garagemq/README.md new file mode 100644 index 000000000..9574f5d10 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/README.md @@ -0,0 +1 @@ +This is the minimal [GarageMQ](https://github.com/valinurovam/garagemq) server merely used for testing the AMQP output. \ No newline at end of file diff --git a/pkg/outputs/amqp/_fixtures/garagemq/amqp/constants_generated.go b/pkg/outputs/amqp/_fixtures/garagemq/amqp/constants_generated.go new file mode 100644 index 000000000..d39cd4e6a --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/amqp/constants_generated.go @@ -0,0 +1,356 @@ +// Package amqp for read, write, parse amqp frames +// Autogenerated code. Do not edit. +package amqp + +// FrameMethod identifier +const FrameMethod = 1 + +// FrameHeader identifier +const FrameHeader = 2 + +// FrameBody identifier +const FrameBody = 3 + +// FrameHeartbeat identifier +const FrameHeartbeat = 8 + +// FrameMinSize identifier +const FrameMinSize = 4096 + +// FrameEnd identifier +const FrameEnd = 206 + +// ReplySuccess identifier Indicates that the method completed successfully. This reply code is +// reserved for future use - the current protocol design does not use positive +// confirmation and reply codes are sent only in case of an error. +const ReplySuccess = 200 + +// ContentTooLarge identifier The client attempted to transfer content larger than the server could accept +// at the present time. The client may retry at a later time. +const ContentTooLarge = 311 + +// NoConsumers identifier When the exchange cannot deliver to a consumer when the immediate flag is +// set. As a result of pending data on the queue or the absence of any +// consumers of the queue. +const NoConsumers = 313 + +// ConnectionForced identifier An operator intervened to close the connection for some reason. The client +// may retry at some later date. +const ConnectionForced = 320 + +// InvalidPath identifier The client tried to work with an unknown virtual host. +const InvalidPath = 402 + +// AccessRefused identifier The client attempted to work with a server entity to which it has no +// access due to security settings. +const AccessRefused = 403 + +// NotFound identifier The client attempted to work with a server entity that does not exist. +const NotFound = 404 + +// ResourceLocked identifier The client attempted to work with a server entity to which it has no +// access because another client is working with it. +const ResourceLocked = 405 + +// PreconditionFailed identifier The client requested a method that was not allowed because some precondition +// failed. +const PreconditionFailed = 406 + +// FrameError identifier The sender sent a malformed frame that the recipient could not decode. +// This strongly implies a programming error in the sending peer. +const FrameError = 501 + +// SyntaxError identifier The sender sent a frame that contained illegal values for one or more +// fields. This strongly implies a programming error in the sending peer. +const SyntaxError = 502 + +// CommandInvalid identifier The client sent an invalid sequence of frames, attempting to perform an +// operation that was considered invalid by the server. This usually implies +// a programming error in the client. +const CommandInvalid = 503 + +// ChannelError identifier The client attempted to work with a channel that had not been correctly +// opened. This most likely indicates a fault in the client layer. +const ChannelError = 504 + +// UnexpectedFrame identifier The peer sent a frame that was not expected, usually in the context of +// a content header and body. This strongly indicates a fault in the peer's +// content processing. +const UnexpectedFrame = 505 + +// ResourceError identifier The server could not complete the method because it lacked sufficient +// resources. This may be due to the client creating too many of some type +// of entity. +const ResourceError = 506 + +// NotAllowed identifier The client tried to work with some entity in a manner that is prohibited +// by the server, due to security settings or by some other criteria. +const NotAllowed = 530 + +// NotImplemented identifier The client tried to use functionality that is not implemented in the +// server. +const NotImplemented = 540 + +// InternalError identifier The server could not complete the method because of an internal error. +// The server may require intervention by an operator in order to resume +// normal operations. +const InternalError = 541 + +// ClassConnection identifier +const ClassConnection = 10 + +// MethodConnectionStart identifier +const MethodConnectionStart = 10 + +// MethodConnectionStartOk identifier +const MethodConnectionStartOk = 11 + +// MethodConnectionSecure identifier +const MethodConnectionSecure = 20 + +// MethodConnectionSecureOk identifier +const MethodConnectionSecureOk = 21 + +// MethodConnectionTune identifier +const MethodConnectionTune = 30 + +// MethodConnectionTuneOk identifier +const MethodConnectionTuneOk = 31 + +// MethodConnectionOpen identifier +const MethodConnectionOpen = 40 + +// MethodConnectionOpenOk identifier +const MethodConnectionOpenOk = 41 + +// MethodConnectionClose identifier +const MethodConnectionClose = 50 + +// MethodConnectionCloseOk identifier +const MethodConnectionCloseOk = 51 + +// MethodConnectionBlocked identifier +const MethodConnectionBlocked = 60 + +// MethodConnectionUnblocked identifier +const MethodConnectionUnblocked = 61 + +// ClassChannel identifier +const ClassChannel = 20 + +// MethodChannelOpen identifier +const MethodChannelOpen = 10 + +// MethodChannelOpenOk identifier +const MethodChannelOpenOk = 11 + +// MethodChannelFlow identifier +const MethodChannelFlow = 20 + +// MethodChannelFlowOk identifier +const MethodChannelFlowOk = 21 + +// MethodChannelClose identifier +const MethodChannelClose = 40 + +// MethodChannelCloseOk identifier +const MethodChannelCloseOk = 41 + +// ClassExchange identifier +const ClassExchange = 40 + +// MethodExchangeDeclare identifier +const MethodExchangeDeclare = 10 + +// MethodExchangeDeclareOk identifier +const MethodExchangeDeclareOk = 11 + +// MethodExchangeDelete identifier +const MethodExchangeDelete = 20 + +// MethodExchangeDeleteOk identifier +const MethodExchangeDeleteOk = 21 + +// MethodExchangeBind identifier +const MethodExchangeBind = 30 + +// MethodExchangeBindOk identifier +const MethodExchangeBindOk = 31 + +// MethodExchangeUnbind identifier +const MethodExchangeUnbind = 40 + +// MethodExchangeUnbindOk identifier +const MethodExchangeUnbindOk = 51 + +// ClassQueue identifier +const ClassQueue = 50 + +// MethodQueueDeclare identifier +const MethodQueueDeclare = 10 + +// MethodQueueDeclareOk identifier +const MethodQueueDeclareOk = 11 + +// MethodQueueBind identifier +const MethodQueueBind = 20 + +// MethodQueueBindOk identifier +const MethodQueueBindOk = 21 + +// MethodQueueUnbind identifier +const MethodQueueUnbind = 50 + +// MethodQueueUnbindOk identifier +const MethodQueueUnbindOk = 51 + +// MethodQueuePurge identifier +const MethodQueuePurge = 30 + +// MethodQueuePurgeOk identifier +const MethodQueuePurgeOk = 31 + +// MethodQueueDelete identifier +const MethodQueueDelete = 40 + +// MethodQueueDeleteOk identifier +const MethodQueueDeleteOk = 41 + +// ClassBasic identifier +const ClassBasic = 60 + +// MethodBasicQos identifier +const MethodBasicQos = 10 + +// MethodBasicQosOk identifier +const MethodBasicQosOk = 11 + +// MethodBasicConsume identifier +const MethodBasicConsume = 20 + +// MethodBasicConsumeOk identifier +const MethodBasicConsumeOk = 21 + +// MethodBasicCancel identifier +const MethodBasicCancel = 30 + +// MethodBasicCancelOk identifier +const MethodBasicCancelOk = 31 + +// MethodBasicPublish identifier +const MethodBasicPublish = 40 + +// MethodBasicReturn identifier +const MethodBasicReturn = 50 + +// MethodBasicDeliver identifier +const MethodBasicDeliver = 60 + +// MethodBasicGet identifier +const MethodBasicGet = 70 + +// MethodBasicGetOk identifier +const MethodBasicGetOk = 71 + +// MethodBasicGetEmpty identifier +const MethodBasicGetEmpty = 72 + +// MethodBasicAck identifier +const MethodBasicAck = 80 + +// MethodBasicReject identifier +const MethodBasicReject = 90 + +// MethodBasicRecoverAsync identifier +const MethodBasicRecoverAsync = 100 + +// MethodBasicRecover identifier +const MethodBasicRecover = 110 + +// MethodBasicRecoverOk identifier +const MethodBasicRecoverOk = 111 + +// MethodBasicNack identifier +const MethodBasicNack = 120 + +// ClassTx identifier +const ClassTx = 90 + +// MethodTxSelect identifier +const MethodTxSelect = 10 + +// MethodTxSelectOk identifier +const MethodTxSelectOk = 11 + +// MethodTxCommit identifier +const MethodTxCommit = 20 + +// MethodTxCommitOk identifier +const MethodTxCommitOk = 21 + +// MethodTxRollback identifier +const MethodTxRollback = 30 + +// MethodTxRollbackOk identifier +const MethodTxRollbackOk = 31 + +// ClassConfirm identifier +const ClassConfirm = 85 + +// MethodConfirmSelect identifier +const MethodConfirmSelect = 10 + +// MethodConfirmSelectOk identifier +const MethodConfirmSelectOk = 11 + +// ConstantsNameMap map for mapping error codes into error messages +var ConstantsNameMap = map[uint16]string{ + + 1: "FRAME_METHOD", + + 2: "FRAME_HEADER", + + 3: "FRAME_BODY", + + 8: "FRAME_HEARTBEAT", + + 4096: "FRAME_MIN_SIZE", + + 206: "FRAME_END", + + 200: "REPLY_SUCCESS", + + 311: "CONTENT_TOO_LARGE", + + 313: "NO_CONSUMERS", + + 320: "CONNECTION_FORCED", + + 402: "INVALID_PATH", + + 403: "ACCESS_REFUSED", + + 404: "NOT_FOUND", + + 405: "RESOURCE_LOCKED", + + 406: "PRECONDITION_FAILED", + + 501: "FRAME_ERROR", + + 502: "SYNTAX_ERROR", + + 503: "COMMAND_INVALID", + + 504: "CHANNEL_ERROR", + + 505: "UNEXPECTED_FRAME", + + 506: "RESOURCE_ERROR", + + 530: "NOT_ALLOWED", + + 540: "NOT_IMPLEMENTED", + + 541: "INTERNAL_ERROR", +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/amqp/extended_constants.go b/pkg/outputs/amqp/_fixtures/garagemq/amqp/extended_constants.go new file mode 100644 index 000000000..89656a626 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/amqp/extended_constants.go @@ -0,0 +1,5 @@ +package amqp + +// NoRoute returns when a 'mandatory' message cannot be delivered to any queue. +// @see https://www.rabbitmq.com/amqp-0-9-1-errata.html#section_17 +const NoRoute = 312 diff --git a/pkg/outputs/amqp/_fixtures/garagemq/amqp/methods_generated.go b/pkg/outputs/amqp/_fixtures/garagemq/amqp/methods_generated.go new file mode 100644 index 000000000..ae563d707 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/amqp/methods_generated.go @@ -0,0 +1,4899 @@ +// Package amqp for read, write, parse amqp frames +// Autogenerated code. Do not edit. +package amqp + +import ( + "fmt" + "io" + "time" +) + +// Method represents base method interface +type Method interface { + Name() string + FrameType() byte + ClassIdentifier() uint16 + MethodIdentifier() uint16 + Read(reader io.Reader, protoVersion string) (err error) + Write(writer io.Writer, protoVersion string) (err error) + Sync() bool +} + +// Connection methods + +// ConnectionStart This method starts the connection negotiation process by telling the client the +// protocol version that the server proposes, along with a list of security mechanisms +// which the client can use for authentication. +type ConnectionStart struct { + VersionMajor byte + VersionMinor byte + ServerProperties *Table + Mechanisms []byte + Locales []byte +} + +// Name returns method name as string, usefully for logging +func (method *ConnectionStart) Name() string { + return "ConnectionStart" +} + +// FrameType returns method frame type +func (method *ConnectionStart) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ConnectionStart) ClassIdentifier() uint16 { + return 10 +} + +// MethodIdentifier returns method methodID +func (method *ConnectionStart) MethodIdentifier() uint16 { + return 10 +} + +// Sync is method should me sent synchronous +func (method *ConnectionStart) Sync() bool { + return true +} + +// Read method from io reader +func (method *ConnectionStart) Read(reader io.Reader, protoVersion string) (err error) { + + method.VersionMajor, err = ReadOctet(reader) + if err != nil { + return err + } + + method.VersionMinor, err = ReadOctet(reader) + if err != nil { + return err + } + + method.ServerProperties, err = ReadTable(reader, protoVersion) + if err != nil { + return err + } + + method.Mechanisms, err = ReadLongstr(reader) + if err != nil { + return err + } + + method.Locales, err = ReadLongstr(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *ConnectionStart) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteOctet(writer, method.VersionMajor); err != nil { + return err + } + + if err = WriteOctet(writer, method.VersionMinor); err != nil { + return err + } + + if err = WriteTable(writer, method.ServerProperties, protoVersion); err != nil { + return err + } + + if err = WriteLongstr(writer, method.Mechanisms); err != nil { + return err + } + + if err = WriteLongstr(writer, method.Locales); err != nil { + return err + } + + return +} + +// ConnectionStartOk This method selects a SASL security mechanism. +type ConnectionStartOk struct { + ClientProperties *Table + Mechanism string + Response []byte + Locale string +} + +// Name returns method name as string, usefully for logging +func (method *ConnectionStartOk) Name() string { + return "ConnectionStartOk" +} + +// FrameType returns method frame type +func (method *ConnectionStartOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ConnectionStartOk) ClassIdentifier() uint16 { + return 10 +} + +// MethodIdentifier returns method methodID +func (method *ConnectionStartOk) MethodIdentifier() uint16 { + return 11 +} + +// Sync is method should me sent synchronous +func (method *ConnectionStartOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *ConnectionStartOk) Read(reader io.Reader, protoVersion string) (err error) { + + method.ClientProperties, err = ReadTable(reader, protoVersion) + if err != nil { + return err + } + + method.Mechanism, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.Response, err = ReadLongstr(reader) + if err != nil { + return err + } + + method.Locale, err = ReadShortstr(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *ConnectionStartOk) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteTable(writer, method.ClientProperties, protoVersion); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Mechanism); err != nil { + return err + } + + if err = WriteLongstr(writer, method.Response); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Locale); err != nil { + return err + } + + return +} + +// ConnectionSecure The SASL protocol works by exchanging challenges and responses until both peers have +// received sufficient information to authenticate each other. This method challenges +// the client to provide more information. +type ConnectionSecure struct { + Challenge []byte +} + +// Name returns method name as string, usefully for logging +func (method *ConnectionSecure) Name() string { + return "ConnectionSecure" +} + +// FrameType returns method frame type +func (method *ConnectionSecure) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ConnectionSecure) ClassIdentifier() uint16 { + return 10 +} + +// MethodIdentifier returns method methodID +func (method *ConnectionSecure) MethodIdentifier() uint16 { + return 20 +} + +// Sync is method should me sent synchronous +func (method *ConnectionSecure) Sync() bool { + return true +} + +// Read method from io reader +func (method *ConnectionSecure) Read(reader io.Reader, protoVersion string) (err error) { + + method.Challenge, err = ReadLongstr(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *ConnectionSecure) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteLongstr(writer, method.Challenge); err != nil { + return err + } + + return +} + +// ConnectionSecureOk This method attempts to authenticate, passing a block of SASL data for the security +// mechanism at the server side. +type ConnectionSecureOk struct { + Response []byte +} + +// Name returns method name as string, usefully for logging +func (method *ConnectionSecureOk) Name() string { + return "ConnectionSecureOk" +} + +// FrameType returns method frame type +func (method *ConnectionSecureOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ConnectionSecureOk) ClassIdentifier() uint16 { + return 10 +} + +// MethodIdentifier returns method methodID +func (method *ConnectionSecureOk) MethodIdentifier() uint16 { + return 21 +} + +// Sync is method should me sent synchronous +func (method *ConnectionSecureOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *ConnectionSecureOk) Read(reader io.Reader, protoVersion string) (err error) { + + method.Response, err = ReadLongstr(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *ConnectionSecureOk) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteLongstr(writer, method.Response); err != nil { + return err + } + + return +} + +// ConnectionTune This method proposes a set of connection configuration values to the client. The +// client can accept and/or adjust these. +type ConnectionTune struct { + ChannelMax uint16 + FrameMax uint32 + Heartbeat uint16 +} + +// Name returns method name as string, usefully for logging +func (method *ConnectionTune) Name() string { + return "ConnectionTune" +} + +// FrameType returns method frame type +func (method *ConnectionTune) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ConnectionTune) ClassIdentifier() uint16 { + return 10 +} + +// MethodIdentifier returns method methodID +func (method *ConnectionTune) MethodIdentifier() uint16 { + return 30 +} + +// Sync is method should me sent synchronous +func (method *ConnectionTune) Sync() bool { + return true +} + +// Read method from io reader +func (method *ConnectionTune) Read(reader io.Reader, protoVersion string) (err error) { + + method.ChannelMax, err = ReadShort(reader) + if err != nil { + return err + } + + method.FrameMax, err = ReadLong(reader) + if err != nil { + return err + } + + method.Heartbeat, err = ReadShort(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *ConnectionTune) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShort(writer, method.ChannelMax); err != nil { + return err + } + + if err = WriteLong(writer, method.FrameMax); err != nil { + return err + } + + if err = WriteShort(writer, method.Heartbeat); err != nil { + return err + } + + return +} + +// ConnectionTuneOk This method sends the client's connection tuning parameters to the server. +// Certain fields are negotiated, others provide capability information. +type ConnectionTuneOk struct { + ChannelMax uint16 + FrameMax uint32 + Heartbeat uint16 +} + +// Name returns method name as string, usefully for logging +func (method *ConnectionTuneOk) Name() string { + return "ConnectionTuneOk" +} + +// FrameType returns method frame type +func (method *ConnectionTuneOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ConnectionTuneOk) ClassIdentifier() uint16 { + return 10 +} + +// MethodIdentifier returns method methodID +func (method *ConnectionTuneOk) MethodIdentifier() uint16 { + return 31 +} + +// Sync is method should me sent synchronous +func (method *ConnectionTuneOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *ConnectionTuneOk) Read(reader io.Reader, protoVersion string) (err error) { + + method.ChannelMax, err = ReadShort(reader) + if err != nil { + return err + } + + method.FrameMax, err = ReadLong(reader) + if err != nil { + return err + } + + method.Heartbeat, err = ReadShort(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *ConnectionTuneOk) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShort(writer, method.ChannelMax); err != nil { + return err + } + + if err = WriteLong(writer, method.FrameMax); err != nil { + return err + } + + if err = WriteShort(writer, method.Heartbeat); err != nil { + return err + } + + return +} + +// ConnectionOpen This method opens a connection to a virtual host, which is a collection of +// resources, and acts to separate multiple application domains within a server. +// The server may apply arbitrary limits per virtual host, such as the number +// of each type of entity that may be used, per connection and/or in total. +type ConnectionOpen struct { + VirtualHost string + Reserved1 string + Reserved2 bool +} + +// Name returns method name as string, usefully for logging +func (method *ConnectionOpen) Name() string { + return "ConnectionOpen" +} + +// FrameType returns method frame type +func (method *ConnectionOpen) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ConnectionOpen) ClassIdentifier() uint16 { + return 10 +} + +// MethodIdentifier returns method methodID +func (method *ConnectionOpen) MethodIdentifier() uint16 { + return 40 +} + +// Sync is method should me sent synchronous +func (method *ConnectionOpen) Sync() bool { + return true +} + +// Read method from io reader +func (method *ConnectionOpen) Read(reader io.Reader, protoVersion string) (err error) { + + method.VirtualHost, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.Reserved1, err = ReadShortstr(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.Reserved2 = bits&(1<<0) != 0 + + return +} + +// Write method from io reader +func (method *ConnectionOpen) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShortstr(writer, method.VirtualHost); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Reserved1); err != nil { + return err + } + + var bits byte + + if method.Reserved2 { + bits |= 1 << 0 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + return +} + +// ConnectionOpenOk This method signals to the client that the connection is ready for use. +type ConnectionOpenOk struct { + Reserved1 string +} + +// Name returns method name as string, usefully for logging +func (method *ConnectionOpenOk) Name() string { + return "ConnectionOpenOk" +} + +// FrameType returns method frame type +func (method *ConnectionOpenOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ConnectionOpenOk) ClassIdentifier() uint16 { + return 10 +} + +// MethodIdentifier returns method methodID +func (method *ConnectionOpenOk) MethodIdentifier() uint16 { + return 41 +} + +// Sync is method should me sent synchronous +func (method *ConnectionOpenOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *ConnectionOpenOk) Read(reader io.Reader, protoVersion string) (err error) { + + method.Reserved1, err = ReadShortstr(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *ConnectionOpenOk) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShortstr(writer, method.Reserved1); err != nil { + return err + } + + return +} + +// ConnectionClose This method indicates that the sender wants to close the connection. This may be +// due to internal conditions (e.g. a forced shut-down) or due to an error handling +// a specific method, i.e. an exception. When a close is due to an exception, the +// sender provides the class and method id of the method which caused the exception. +type ConnectionClose struct { + ReplyCode uint16 + ReplyText string + ClassID uint16 + MethodID uint16 +} + +// Name returns method name as string, usefully for logging +func (method *ConnectionClose) Name() string { + return "ConnectionClose" +} + +// FrameType returns method frame type +func (method *ConnectionClose) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ConnectionClose) ClassIdentifier() uint16 { + return 10 +} + +// MethodIdentifier returns method methodID +func (method *ConnectionClose) MethodIdentifier() uint16 { + return 50 +} + +// Sync is method should me sent synchronous +func (method *ConnectionClose) Sync() bool { + return true +} + +// Read method from io reader +func (method *ConnectionClose) Read(reader io.Reader, protoVersion string) (err error) { + + method.ReplyCode, err = ReadShort(reader) + if err != nil { + return err + } + + method.ReplyText, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.ClassID, err = ReadShort(reader) + if err != nil { + return err + } + + method.MethodID, err = ReadShort(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *ConnectionClose) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShort(writer, method.ReplyCode); err != nil { + return err + } + + if err = WriteShortstr(writer, method.ReplyText); err != nil { + return err + } + + if err = WriteShort(writer, method.ClassID); err != nil { + return err + } + + if err = WriteShort(writer, method.MethodID); err != nil { + return err + } + + return +} + +// ConnectionCloseOk This method confirms a Connection.Close method and tells the recipient that it is +// safe to release resources for the connection and close the socket. +type ConnectionCloseOk struct { +} + +// Name returns method name as string, usefully for logging +func (method *ConnectionCloseOk) Name() string { + return "ConnectionCloseOk" +} + +// FrameType returns method frame type +func (method *ConnectionCloseOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ConnectionCloseOk) ClassIdentifier() uint16 { + return 10 +} + +// MethodIdentifier returns method methodID +func (method *ConnectionCloseOk) MethodIdentifier() uint16 { + return 51 +} + +// Sync is method should me sent synchronous +func (method *ConnectionCloseOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *ConnectionCloseOk) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *ConnectionCloseOk) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +// ConnectionBlocked This method indicates that a connection has been blocked +// and does not accept new publishes. +type ConnectionBlocked struct { + Reason string +} + +// Name returns method name as string, usefully for logging +func (method *ConnectionBlocked) Name() string { + return "ConnectionBlocked" +} + +// FrameType returns method frame type +func (method *ConnectionBlocked) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ConnectionBlocked) ClassIdentifier() uint16 { + return 10 +} + +// MethodIdentifier returns method methodID +func (method *ConnectionBlocked) MethodIdentifier() uint16 { + return 60 +} + +// Sync is method should me sent synchronous +func (method *ConnectionBlocked) Sync() bool { + return false +} + +// Read method from io reader +func (method *ConnectionBlocked) Read(reader io.Reader, protoVersion string) (err error) { + + method.Reason, err = ReadShortstr(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *ConnectionBlocked) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShortstr(writer, method.Reason); err != nil { + return err + } + + return +} + +// ConnectionUnblocked This method indicates that a connection has been unblocked +// and now accepts publishes. +type ConnectionUnblocked struct { +} + +// Name returns method name as string, usefully for logging +func (method *ConnectionUnblocked) Name() string { + return "ConnectionUnblocked" +} + +// FrameType returns method frame type +func (method *ConnectionUnblocked) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ConnectionUnblocked) ClassIdentifier() uint16 { + return 10 +} + +// MethodIdentifier returns method methodID +func (method *ConnectionUnblocked) MethodIdentifier() uint16 { + return 61 +} + +// Sync is method should me sent synchronous +func (method *ConnectionUnblocked) Sync() bool { + return false +} + +// Read method from io reader +func (method *ConnectionUnblocked) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *ConnectionUnblocked) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +// Channel methods + +// ChannelOpen This method opens a channel to the server. +type ChannelOpen struct { + Reserved1 string +} + +// Name returns method name as string, usefully for logging +func (method *ChannelOpen) Name() string { + return "ChannelOpen" +} + +// FrameType returns method frame type +func (method *ChannelOpen) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ChannelOpen) ClassIdentifier() uint16 { + return 20 +} + +// MethodIdentifier returns method methodID +func (method *ChannelOpen) MethodIdentifier() uint16 { + return 10 +} + +// Sync is method should me sent synchronous +func (method *ChannelOpen) Sync() bool { + return true +} + +// Read method from io reader +func (method *ChannelOpen) Read(reader io.Reader, protoVersion string) (err error) { + + method.Reserved1, err = ReadShortstr(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *ChannelOpen) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShortstr(writer, method.Reserved1); err != nil { + return err + } + + return +} + +// ChannelOpenOk This method signals to the client that the channel is ready for use. +type ChannelOpenOk struct { + Reserved1 []byte +} + +// Name returns method name as string, usefully for logging +func (method *ChannelOpenOk) Name() string { + return "ChannelOpenOk" +} + +// FrameType returns method frame type +func (method *ChannelOpenOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ChannelOpenOk) ClassIdentifier() uint16 { + return 20 +} + +// MethodIdentifier returns method methodID +func (method *ChannelOpenOk) MethodIdentifier() uint16 { + return 11 +} + +// Sync is method should me sent synchronous +func (method *ChannelOpenOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *ChannelOpenOk) Read(reader io.Reader, protoVersion string) (err error) { + + method.Reserved1, err = ReadLongstr(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *ChannelOpenOk) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteLongstr(writer, method.Reserved1); err != nil { + return err + } + + return +} + +// ChannelFlow This method asks the peer to pause or restart the flow of content data sent by +// a consumer. This is a simple flow-control mechanism that a peer can use to avoid +// overflowing its queues or otherwise finding itself receiving more messages than +// it can process. Note that this method is not intended for window control. It does +// not affect contents returned by Basic.Get-Ok methods. +type ChannelFlow struct { + Active bool +} + +// Name returns method name as string, usefully for logging +func (method *ChannelFlow) Name() string { + return "ChannelFlow" +} + +// FrameType returns method frame type +func (method *ChannelFlow) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ChannelFlow) ClassIdentifier() uint16 { + return 20 +} + +// MethodIdentifier returns method methodID +func (method *ChannelFlow) MethodIdentifier() uint16 { + return 20 +} + +// Sync is method should me sent synchronous +func (method *ChannelFlow) Sync() bool { + return true +} + +// Read method from io reader +func (method *ChannelFlow) Read(reader io.Reader, protoVersion string) (err error) { + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.Active = bits&(1<<0) != 0 + + return +} + +// Write method from io reader +func (method *ChannelFlow) Write(writer io.Writer, protoVersion string) (err error) { + + var bits byte + + if method.Active { + bits |= 1 << 0 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + return +} + +// ChannelFlowOk Confirms to the peer that a flow command was received and processed. +type ChannelFlowOk struct { + Active bool +} + +// Name returns method name as string, usefully for logging +func (method *ChannelFlowOk) Name() string { + return "ChannelFlowOk" +} + +// FrameType returns method frame type +func (method *ChannelFlowOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ChannelFlowOk) ClassIdentifier() uint16 { + return 20 +} + +// MethodIdentifier returns method methodID +func (method *ChannelFlowOk) MethodIdentifier() uint16 { + return 21 +} + +// Sync is method should me sent synchronous +func (method *ChannelFlowOk) Sync() bool { + return false +} + +// Read method from io reader +func (method *ChannelFlowOk) Read(reader io.Reader, protoVersion string) (err error) { + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.Active = bits&(1<<0) != 0 + + return +} + +// Write method from io reader +func (method *ChannelFlowOk) Write(writer io.Writer, protoVersion string) (err error) { + + var bits byte + + if method.Active { + bits |= 1 << 0 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + return +} + +// ChannelClose This method indicates that the sender wants to close the channel. This may be due to +// internal conditions (e.g. a forced shut-down) or due to an error handling a specific +// method, i.e. an exception. When a close is due to an exception, the sender provides +// the class and method id of the method which caused the exception. +type ChannelClose struct { + ReplyCode uint16 + ReplyText string + ClassID uint16 + MethodID uint16 +} + +// Name returns method name as string, usefully for logging +func (method *ChannelClose) Name() string { + return "ChannelClose" +} + +// FrameType returns method frame type +func (method *ChannelClose) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ChannelClose) ClassIdentifier() uint16 { + return 20 +} + +// MethodIdentifier returns method methodID +func (method *ChannelClose) MethodIdentifier() uint16 { + return 40 +} + +// Sync is method should me sent synchronous +func (method *ChannelClose) Sync() bool { + return true +} + +// Read method from io reader +func (method *ChannelClose) Read(reader io.Reader, protoVersion string) (err error) { + + method.ReplyCode, err = ReadShort(reader) + if err != nil { + return err + } + + method.ReplyText, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.ClassID, err = ReadShort(reader) + if err != nil { + return err + } + + method.MethodID, err = ReadShort(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *ChannelClose) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShort(writer, method.ReplyCode); err != nil { + return err + } + + if err = WriteShortstr(writer, method.ReplyText); err != nil { + return err + } + + if err = WriteShort(writer, method.ClassID); err != nil { + return err + } + + if err = WriteShort(writer, method.MethodID); err != nil { + return err + } + + return +} + +// ChannelCloseOk This method confirms a Channel.Close method and tells the recipient that it is safe +// to release resources for the channel. +type ChannelCloseOk struct { +} + +// Name returns method name as string, usefully for logging +func (method *ChannelCloseOk) Name() string { + return "ChannelCloseOk" +} + +// FrameType returns method frame type +func (method *ChannelCloseOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ChannelCloseOk) ClassIdentifier() uint16 { + return 20 +} + +// MethodIdentifier returns method methodID +func (method *ChannelCloseOk) MethodIdentifier() uint16 { + return 41 +} + +// Sync is method should me sent synchronous +func (method *ChannelCloseOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *ChannelCloseOk) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *ChannelCloseOk) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +// Exchange methods + +// ExchangeDeclare This method creates an exchange if it does not already exist, and if the exchange +// exists, verifies that it is of the correct and expected class. +type ExchangeDeclare struct { + Reserved1 uint16 + Exchange string + Type string + Passive bool + Durable bool + AutoDelete bool + Internal bool + NoWait bool + Arguments *Table +} + +// Name returns method name as string, usefully for logging +func (method *ExchangeDeclare) Name() string { + return "ExchangeDeclare" +} + +// FrameType returns method frame type +func (method *ExchangeDeclare) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ExchangeDeclare) ClassIdentifier() uint16 { + return 40 +} + +// MethodIdentifier returns method methodID +func (method *ExchangeDeclare) MethodIdentifier() uint16 { + return 10 +} + +// Sync is method should me sent synchronous +func (method *ExchangeDeclare) Sync() bool { + return true +} + +// Read method from io reader +func (method *ExchangeDeclare) Read(reader io.Reader, protoVersion string) (err error) { + + method.Reserved1, err = ReadShort(reader) + if err != nil { + return err + } + + method.Exchange, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.Type, err = ReadShortstr(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.Passive = bits&(1<<0) != 0 + + method.Durable = bits&(1<<1) != 0 + + method.AutoDelete = bits&(1<<2) != 0 + + method.Internal = bits&(1<<3) != 0 + + method.NoWait = bits&(1<<4) != 0 + + method.Arguments, err = ReadTable(reader, protoVersion) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *ExchangeDeclare) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShort(writer, method.Reserved1); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Exchange); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Type); err != nil { + return err + } + + var bits byte + + if method.Passive { + bits |= 1 << 0 + } + + if method.Durable { + bits |= 1 << 1 + } + + if method.AutoDelete { + bits |= 1 << 2 + } + + if method.Internal { + bits |= 1 << 3 + } + + if method.NoWait { + bits |= 1 << 4 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + if err = WriteTable(writer, method.Arguments, protoVersion); err != nil { + return err + } + + return +} + +// ExchangeDeclareOk This method confirms a Declare method and confirms the name of the exchange, +// essential for automatically-named exchanges. +type ExchangeDeclareOk struct { +} + +// Name returns method name as string, usefully for logging +func (method *ExchangeDeclareOk) Name() string { + return "ExchangeDeclareOk" +} + +// FrameType returns method frame type +func (method *ExchangeDeclareOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ExchangeDeclareOk) ClassIdentifier() uint16 { + return 40 +} + +// MethodIdentifier returns method methodID +func (method *ExchangeDeclareOk) MethodIdentifier() uint16 { + return 11 +} + +// Sync is method should me sent synchronous +func (method *ExchangeDeclareOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *ExchangeDeclareOk) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *ExchangeDeclareOk) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +// ExchangeDelete This method deletes an exchange. When an exchange is deleted all queue bindings on +// the exchange are cancelled. +type ExchangeDelete struct { + Reserved1 uint16 + Exchange string + IfUnused bool + NoWait bool +} + +// Name returns method name as string, usefully for logging +func (method *ExchangeDelete) Name() string { + return "ExchangeDelete" +} + +// FrameType returns method frame type +func (method *ExchangeDelete) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ExchangeDelete) ClassIdentifier() uint16 { + return 40 +} + +// MethodIdentifier returns method methodID +func (method *ExchangeDelete) MethodIdentifier() uint16 { + return 20 +} + +// Sync is method should me sent synchronous +func (method *ExchangeDelete) Sync() bool { + return true +} + +// Read method from io reader +func (method *ExchangeDelete) Read(reader io.Reader, protoVersion string) (err error) { + + method.Reserved1, err = ReadShort(reader) + if err != nil { + return err + } + + method.Exchange, err = ReadShortstr(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.IfUnused = bits&(1<<0) != 0 + + method.NoWait = bits&(1<<1) != 0 + + return +} + +// Write method from io reader +func (method *ExchangeDelete) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShort(writer, method.Reserved1); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Exchange); err != nil { + return err + } + + var bits byte + + if method.IfUnused { + bits |= 1 << 0 + } + + if method.NoWait { + bits |= 1 << 1 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + return +} + +// ExchangeDeleteOk This method confirms the deletion of an exchange. +type ExchangeDeleteOk struct { +} + +// Name returns method name as string, usefully for logging +func (method *ExchangeDeleteOk) Name() string { + return "ExchangeDeleteOk" +} + +// FrameType returns method frame type +func (method *ExchangeDeleteOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ExchangeDeleteOk) ClassIdentifier() uint16 { + return 40 +} + +// MethodIdentifier returns method methodID +func (method *ExchangeDeleteOk) MethodIdentifier() uint16 { + return 21 +} + +// Sync is method should me sent synchronous +func (method *ExchangeDeleteOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *ExchangeDeleteOk) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *ExchangeDeleteOk) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +// ExchangeBind This method binds an exchange to an exchange. +type ExchangeBind struct { + Reserved1 uint16 + Destination string + Source string + RoutingKey string + NoWait bool + Arguments *Table +} + +// Name returns method name as string, usefully for logging +func (method *ExchangeBind) Name() string { + return "ExchangeBind" +} + +// FrameType returns method frame type +func (method *ExchangeBind) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ExchangeBind) ClassIdentifier() uint16 { + return 40 +} + +// MethodIdentifier returns method methodID +func (method *ExchangeBind) MethodIdentifier() uint16 { + return 30 +} + +// Sync is method should me sent synchronous +func (method *ExchangeBind) Sync() bool { + return true +} + +// Read method from io reader +func (method *ExchangeBind) Read(reader io.Reader, protoVersion string) (err error) { + + method.Reserved1, err = ReadShort(reader) + if err != nil { + return err + } + + method.Destination, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.Source, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.RoutingKey, err = ReadShortstr(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.NoWait = bits&(1<<0) != 0 + + method.Arguments, err = ReadTable(reader, protoVersion) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *ExchangeBind) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShort(writer, method.Reserved1); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Destination); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Source); err != nil { + return err + } + + if err = WriteShortstr(writer, method.RoutingKey); err != nil { + return err + } + + var bits byte + + if method.NoWait { + bits |= 1 << 0 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + if err = WriteTable(writer, method.Arguments, protoVersion); err != nil { + return err + } + + return +} + +// ExchangeBindOk This method confirms that the bind was successful. +type ExchangeBindOk struct { +} + +// Name returns method name as string, usefully for logging +func (method *ExchangeBindOk) Name() string { + return "ExchangeBindOk" +} + +// FrameType returns method frame type +func (method *ExchangeBindOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ExchangeBindOk) ClassIdentifier() uint16 { + return 40 +} + +// MethodIdentifier returns method methodID +func (method *ExchangeBindOk) MethodIdentifier() uint16 { + return 31 +} + +// Sync is method should me sent synchronous +func (method *ExchangeBindOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *ExchangeBindOk) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *ExchangeBindOk) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +// ExchangeUnbind This method unbinds an exchange from an exchange. +type ExchangeUnbind struct { + Reserved1 uint16 + Destination string + Source string + RoutingKey string + NoWait bool + Arguments *Table +} + +// Name returns method name as string, usefully for logging +func (method *ExchangeUnbind) Name() string { + return "ExchangeUnbind" +} + +// FrameType returns method frame type +func (method *ExchangeUnbind) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ExchangeUnbind) ClassIdentifier() uint16 { + return 40 +} + +// MethodIdentifier returns method methodID +func (method *ExchangeUnbind) MethodIdentifier() uint16 { + return 40 +} + +// Sync is method should me sent synchronous +func (method *ExchangeUnbind) Sync() bool { + return true +} + +// Read method from io reader +func (method *ExchangeUnbind) Read(reader io.Reader, protoVersion string) (err error) { + + method.Reserved1, err = ReadShort(reader) + if err != nil { + return err + } + + method.Destination, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.Source, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.RoutingKey, err = ReadShortstr(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.NoWait = bits&(1<<0) != 0 + + method.Arguments, err = ReadTable(reader, protoVersion) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *ExchangeUnbind) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShort(writer, method.Reserved1); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Destination); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Source); err != nil { + return err + } + + if err = WriteShortstr(writer, method.RoutingKey); err != nil { + return err + } + + var bits byte + + if method.NoWait { + bits |= 1 << 0 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + if err = WriteTable(writer, method.Arguments, protoVersion); err != nil { + return err + } + + return +} + +// ExchangeUnbindOk This method confirms that the unbind was successful. +type ExchangeUnbindOk struct { +} + +// Name returns method name as string, usefully for logging +func (method *ExchangeUnbindOk) Name() string { + return "ExchangeUnbindOk" +} + +// FrameType returns method frame type +func (method *ExchangeUnbindOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ExchangeUnbindOk) ClassIdentifier() uint16 { + return 40 +} + +// MethodIdentifier returns method methodID +func (method *ExchangeUnbindOk) MethodIdentifier() uint16 { + return 51 +} + +// Sync is method should me sent synchronous +func (method *ExchangeUnbindOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *ExchangeUnbindOk) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *ExchangeUnbindOk) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +// Queue methods + +// QueueDeclare This method creates or checks a queue. When creating a new queue the client can +// specify various properties that control the durability of the queue and its +// contents, and the level of sharing for the queue. +type QueueDeclare struct { + Reserved1 uint16 + Queue string + Passive bool + Durable bool + Exclusive bool + AutoDelete bool + NoWait bool + Arguments *Table +} + +// Name returns method name as string, usefully for logging +func (method *QueueDeclare) Name() string { + return "QueueDeclare" +} + +// FrameType returns method frame type +func (method *QueueDeclare) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *QueueDeclare) ClassIdentifier() uint16 { + return 50 +} + +// MethodIdentifier returns method methodID +func (method *QueueDeclare) MethodIdentifier() uint16 { + return 10 +} + +// Sync is method should me sent synchronous +func (method *QueueDeclare) Sync() bool { + return true +} + +// Read method from io reader +func (method *QueueDeclare) Read(reader io.Reader, protoVersion string) (err error) { + + method.Reserved1, err = ReadShort(reader) + if err != nil { + return err + } + + method.Queue, err = ReadShortstr(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.Passive = bits&(1<<0) != 0 + + method.Durable = bits&(1<<1) != 0 + + method.Exclusive = bits&(1<<2) != 0 + + method.AutoDelete = bits&(1<<3) != 0 + + method.NoWait = bits&(1<<4) != 0 + + method.Arguments, err = ReadTable(reader, protoVersion) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *QueueDeclare) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShort(writer, method.Reserved1); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Queue); err != nil { + return err + } + + var bits byte + + if method.Passive { + bits |= 1 << 0 + } + + if method.Durable { + bits |= 1 << 1 + } + + if method.Exclusive { + bits |= 1 << 2 + } + + if method.AutoDelete { + bits |= 1 << 3 + } + + if method.NoWait { + bits |= 1 << 4 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + if err = WriteTable(writer, method.Arguments, protoVersion); err != nil { + return err + } + + return +} + +// QueueDeclareOk This method confirms a Declare method and confirms the name of the queue, essential +// for automatically-named queues. +type QueueDeclareOk struct { + Queue string + MessageCount uint32 + ConsumerCount uint32 +} + +// Name returns method name as string, usefully for logging +func (method *QueueDeclareOk) Name() string { + return "QueueDeclareOk" +} + +// FrameType returns method frame type +func (method *QueueDeclareOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *QueueDeclareOk) ClassIdentifier() uint16 { + return 50 +} + +// MethodIdentifier returns method methodID +func (method *QueueDeclareOk) MethodIdentifier() uint16 { + return 11 +} + +// Sync is method should me sent synchronous +func (method *QueueDeclareOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *QueueDeclareOk) Read(reader io.Reader, protoVersion string) (err error) { + + method.Queue, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.MessageCount, err = ReadLong(reader) + if err != nil { + return err + } + + method.ConsumerCount, err = ReadLong(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *QueueDeclareOk) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShortstr(writer, method.Queue); err != nil { + return err + } + + if err = WriteLong(writer, method.MessageCount); err != nil { + return err + } + + if err = WriteLong(writer, method.ConsumerCount); err != nil { + return err + } + + return +} + +// QueueBind This method binds a queue to an exchange. Until a queue is bound it will not +// receive any messages. In a classic messaging model, store-and-forward queues +// are bound to a direct exchange and subscription queues are bound to a topic +// exchange. +type QueueBind struct { + Reserved1 uint16 + Queue string + Exchange string + RoutingKey string + NoWait bool + Arguments *Table +} + +// Name returns method name as string, usefully for logging +func (method *QueueBind) Name() string { + return "QueueBind" +} + +// FrameType returns method frame type +func (method *QueueBind) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *QueueBind) ClassIdentifier() uint16 { + return 50 +} + +// MethodIdentifier returns method methodID +func (method *QueueBind) MethodIdentifier() uint16 { + return 20 +} + +// Sync is method should me sent synchronous +func (method *QueueBind) Sync() bool { + return true +} + +// Read method from io reader +func (method *QueueBind) Read(reader io.Reader, protoVersion string) (err error) { + + method.Reserved1, err = ReadShort(reader) + if err != nil { + return err + } + + method.Queue, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.Exchange, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.RoutingKey, err = ReadShortstr(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.NoWait = bits&(1<<0) != 0 + + method.Arguments, err = ReadTable(reader, protoVersion) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *QueueBind) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShort(writer, method.Reserved1); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Queue); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Exchange); err != nil { + return err + } + + if err = WriteShortstr(writer, method.RoutingKey); err != nil { + return err + } + + var bits byte + + if method.NoWait { + bits |= 1 << 0 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + if err = WriteTable(writer, method.Arguments, protoVersion); err != nil { + return err + } + + return +} + +// QueueBindOk This method confirms that the bind was successful. +type QueueBindOk struct { +} + +// Name returns method name as string, usefully for logging +func (method *QueueBindOk) Name() string { + return "QueueBindOk" +} + +// FrameType returns method frame type +func (method *QueueBindOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *QueueBindOk) ClassIdentifier() uint16 { + return 50 +} + +// MethodIdentifier returns method methodID +func (method *QueueBindOk) MethodIdentifier() uint16 { + return 21 +} + +// Sync is method should me sent synchronous +func (method *QueueBindOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *QueueBindOk) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *QueueBindOk) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +// QueueUnbind This method unbinds a queue from an exchange. +type QueueUnbind struct { + Reserved1 uint16 + Queue string + Exchange string + RoutingKey string + Arguments *Table +} + +// Name returns method name as string, usefully for logging +func (method *QueueUnbind) Name() string { + return "QueueUnbind" +} + +// FrameType returns method frame type +func (method *QueueUnbind) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *QueueUnbind) ClassIdentifier() uint16 { + return 50 +} + +// MethodIdentifier returns method methodID +func (method *QueueUnbind) MethodIdentifier() uint16 { + return 50 +} + +// Sync is method should me sent synchronous +func (method *QueueUnbind) Sync() bool { + return true +} + +// Read method from io reader +func (method *QueueUnbind) Read(reader io.Reader, protoVersion string) (err error) { + + method.Reserved1, err = ReadShort(reader) + if err != nil { + return err + } + + method.Queue, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.Exchange, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.RoutingKey, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.Arguments, err = ReadTable(reader, protoVersion) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *QueueUnbind) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShort(writer, method.Reserved1); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Queue); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Exchange); err != nil { + return err + } + + if err = WriteShortstr(writer, method.RoutingKey); err != nil { + return err + } + + if err = WriteTable(writer, method.Arguments, protoVersion); err != nil { + return err + } + + return +} + +// QueueUnbindOk This method confirms that the unbind was successful. +type QueueUnbindOk struct { +} + +// Name returns method name as string, usefully for logging +func (method *QueueUnbindOk) Name() string { + return "QueueUnbindOk" +} + +// FrameType returns method frame type +func (method *QueueUnbindOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *QueueUnbindOk) ClassIdentifier() uint16 { + return 50 +} + +// MethodIdentifier returns method methodID +func (method *QueueUnbindOk) MethodIdentifier() uint16 { + return 51 +} + +// Sync is method should me sent synchronous +func (method *QueueUnbindOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *QueueUnbindOk) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *QueueUnbindOk) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +// QueuePurge This method removes all messages from a queue which are not awaiting +// acknowledgment. +type QueuePurge struct { + Reserved1 uint16 + Queue string + NoWait bool +} + +// Name returns method name as string, usefully for logging +func (method *QueuePurge) Name() string { + return "QueuePurge" +} + +// FrameType returns method frame type +func (method *QueuePurge) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *QueuePurge) ClassIdentifier() uint16 { + return 50 +} + +// MethodIdentifier returns method methodID +func (method *QueuePurge) MethodIdentifier() uint16 { + return 30 +} + +// Sync is method should me sent synchronous +func (method *QueuePurge) Sync() bool { + return true +} + +// Read method from io reader +func (method *QueuePurge) Read(reader io.Reader, protoVersion string) (err error) { + + method.Reserved1, err = ReadShort(reader) + if err != nil { + return err + } + + method.Queue, err = ReadShortstr(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.NoWait = bits&(1<<0) != 0 + + return +} + +// Write method from io reader +func (method *QueuePurge) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShort(writer, method.Reserved1); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Queue); err != nil { + return err + } + + var bits byte + + if method.NoWait { + bits |= 1 << 0 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + return +} + +// QueuePurgeOk This method confirms the purge of a queue. +type QueuePurgeOk struct { + MessageCount uint32 +} + +// Name returns method name as string, usefully for logging +func (method *QueuePurgeOk) Name() string { + return "QueuePurgeOk" +} + +// FrameType returns method frame type +func (method *QueuePurgeOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *QueuePurgeOk) ClassIdentifier() uint16 { + return 50 +} + +// MethodIdentifier returns method methodID +func (method *QueuePurgeOk) MethodIdentifier() uint16 { + return 31 +} + +// Sync is method should me sent synchronous +func (method *QueuePurgeOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *QueuePurgeOk) Read(reader io.Reader, protoVersion string) (err error) { + + method.MessageCount, err = ReadLong(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *QueuePurgeOk) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteLong(writer, method.MessageCount); err != nil { + return err + } + + return +} + +// QueueDelete This method deletes a queue. When a queue is deleted any pending messages are sent +// to a dead-letter queue if this is defined in the server configuration, and all +// consumers on the queue are cancelled. +type QueueDelete struct { + Reserved1 uint16 + Queue string + IfUnused bool + IfEmpty bool + NoWait bool +} + +// Name returns method name as string, usefully for logging +func (method *QueueDelete) Name() string { + return "QueueDelete" +} + +// FrameType returns method frame type +func (method *QueueDelete) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *QueueDelete) ClassIdentifier() uint16 { + return 50 +} + +// MethodIdentifier returns method methodID +func (method *QueueDelete) MethodIdentifier() uint16 { + return 40 +} + +// Sync is method should me sent synchronous +func (method *QueueDelete) Sync() bool { + return true +} + +// Read method from io reader +func (method *QueueDelete) Read(reader io.Reader, protoVersion string) (err error) { + + method.Reserved1, err = ReadShort(reader) + if err != nil { + return err + } + + method.Queue, err = ReadShortstr(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.IfUnused = bits&(1<<0) != 0 + + method.IfEmpty = bits&(1<<1) != 0 + + method.NoWait = bits&(1<<2) != 0 + + return +} + +// Write method from io reader +func (method *QueueDelete) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShort(writer, method.Reserved1); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Queue); err != nil { + return err + } + + var bits byte + + if method.IfUnused { + bits |= 1 << 0 + } + + if method.IfEmpty { + bits |= 1 << 1 + } + + if method.NoWait { + bits |= 1 << 2 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + return +} + +// QueueDeleteOk This method confirms the deletion of a queue. +type QueueDeleteOk struct { + MessageCount uint32 +} + +// Name returns method name as string, usefully for logging +func (method *QueueDeleteOk) Name() string { + return "QueueDeleteOk" +} + +// FrameType returns method frame type +func (method *QueueDeleteOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *QueueDeleteOk) ClassIdentifier() uint16 { + return 50 +} + +// MethodIdentifier returns method methodID +func (method *QueueDeleteOk) MethodIdentifier() uint16 { + return 41 +} + +// Sync is method should me sent synchronous +func (method *QueueDeleteOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *QueueDeleteOk) Read(reader io.Reader, protoVersion string) (err error) { + + method.MessageCount, err = ReadLong(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *QueueDeleteOk) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteLong(writer, method.MessageCount); err != nil { + return err + } + + return +} + +// Basic methods + +// BasicPropertyList represents properties for Basic method +type BasicPropertyList struct { + ContentType *string + ContentEncoding *string + Headers *Table + DeliveryMode *byte + Priority *byte + CorrelationID *string + ReplyTo *string + Expiration *string + MessageID *string + Timestamp *time.Time + Type *string + UserID *string + AppID *string + Reserved *string +} + +// BasicPropertyList reads properties from io reader +func (pList *BasicPropertyList) Read(reader io.Reader, propertyFlags uint16, protoVersion string) (err error) { + + if propertyFlags&(1<<15) != 0 { + value, err := ReadShortstr(reader) + if err != nil { + return err + } + pList.ContentType = &value + } + + if propertyFlags&(1<<14) != 0 { + value, err := ReadShortstr(reader) + if err != nil { + return err + } + pList.ContentEncoding = &value + } + + if propertyFlags&(1<<13) != 0 { + value, err := ReadTable(reader, protoVersion) + if err != nil { + return err + } + pList.Headers = value + } + + if propertyFlags&(1<<12) != 0 { + value, err := ReadOctet(reader) + if err != nil { + return err + } + pList.DeliveryMode = &value + } + + if propertyFlags&(1<<11) != 0 { + value, err := ReadOctet(reader) + if err != nil { + return err + } + pList.Priority = &value + } + + if propertyFlags&(1<<10) != 0 { + value, err := ReadShortstr(reader) + if err != nil { + return err + } + pList.CorrelationID = &value + } + + if propertyFlags&(1<<9) != 0 { + value, err := ReadShortstr(reader) + if err != nil { + return err + } + pList.ReplyTo = &value + } + + if propertyFlags&(1<<8) != 0 { + value, err := ReadShortstr(reader) + if err != nil { + return err + } + pList.Expiration = &value + } + + if propertyFlags&(1<<7) != 0 { + value, err := ReadShortstr(reader) + if err != nil { + return err + } + pList.MessageID = &value + } + + if propertyFlags&(1<<6) != 0 { + value, err := ReadTimestamp(reader) + if err != nil { + return err + } + pList.Timestamp = &value + } + + if propertyFlags&(1<<5) != 0 { + value, err := ReadShortstr(reader) + if err != nil { + return err + } + pList.Type = &value + } + + if propertyFlags&(1<<4) != 0 { + value, err := ReadShortstr(reader) + if err != nil { + return err + } + pList.UserID = &value + } + + if propertyFlags&(1<<3) != 0 { + value, err := ReadShortstr(reader) + if err != nil { + return err + } + pList.AppID = &value + } + + if propertyFlags&(1<<2) != 0 { + value, err := ReadShortstr(reader) + if err != nil { + return err + } + pList.Reserved = &value + } + + return +} + +// BasicPropertyList wiretes properties into io writer +func (pList *BasicPropertyList) Write(writer io.Writer, protoVersion string) (propertyFlags uint16, err error) { + + if pList.ContentType != nil { + propertyFlags |= 1 << 15 + if err = WriteShortstr(writer, *pList.ContentType); err != nil { + return + } + } + + if pList.ContentEncoding != nil { + propertyFlags |= 1 << 14 + if err = WriteShortstr(writer, *pList.ContentEncoding); err != nil { + return + } + } + + if pList.Headers != nil { + propertyFlags |= 1 << 13 + if err = WriteTable(writer, pList.Headers, protoVersion); err != nil { + return + } + } + + if pList.DeliveryMode != nil { + propertyFlags |= 1 << 12 + if err = WriteOctet(writer, *pList.DeliveryMode); err != nil { + return + } + } + + if pList.Priority != nil { + propertyFlags |= 1 << 11 + if err = WriteOctet(writer, *pList.Priority); err != nil { + return + } + } + + if pList.CorrelationID != nil { + propertyFlags |= 1 << 10 + if err = WriteShortstr(writer, *pList.CorrelationID); err != nil { + return + } + } + + if pList.ReplyTo != nil { + propertyFlags |= 1 << 9 + if err = WriteShortstr(writer, *pList.ReplyTo); err != nil { + return + } + } + + if pList.Expiration != nil { + propertyFlags |= 1 << 8 + if err = WriteShortstr(writer, *pList.Expiration); err != nil { + return + } + } + + if pList.MessageID != nil { + propertyFlags |= 1 << 7 + if err = WriteShortstr(writer, *pList.MessageID); err != nil { + return + } + } + + if pList.Timestamp != nil { + propertyFlags |= 1 << 6 + if err = WriteTimestamp(writer, *pList.Timestamp); err != nil { + return + } + } + + if pList.Type != nil { + propertyFlags |= 1 << 5 + if err = WriteShortstr(writer, *pList.Type); err != nil { + return + } + } + + if pList.UserID != nil { + propertyFlags |= 1 << 4 + if err = WriteShortstr(writer, *pList.UserID); err != nil { + return + } + } + + if pList.AppID != nil { + propertyFlags |= 1 << 3 + if err = WriteShortstr(writer, *pList.AppID); err != nil { + return + } + } + + if pList.Reserved != nil { + propertyFlags |= 1 << 2 + if err = WriteShortstr(writer, *pList.Reserved); err != nil { + return + } + } + + return +} + +// BasicQos This method requests a specific quality of service. The QoS can be specified for the +// current channel or for all channels on the connection. The particular properties and +// semantics of a qos method always depend on the content class semantics. Though the +// qos method could in principle apply to both peers, it is currently meaningful only +// for the server. +type BasicQos struct { + PrefetchSize uint32 + PrefetchCount uint16 + Global bool +} + +// Name returns method name as string, usefully for logging +func (method *BasicQos) Name() string { + return "BasicQos" +} + +// FrameType returns method frame type +func (method *BasicQos) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicQos) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicQos) MethodIdentifier() uint16 { + return 10 +} + +// Sync is method should me sent synchronous +func (method *BasicQos) Sync() bool { + return true +} + +// Read method from io reader +func (method *BasicQos) Read(reader io.Reader, protoVersion string) (err error) { + + method.PrefetchSize, err = ReadLong(reader) + if err != nil { + return err + } + + method.PrefetchCount, err = ReadShort(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.Global = bits&(1<<0) != 0 + + return +} + +// Write method from io reader +func (method *BasicQos) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteLong(writer, method.PrefetchSize); err != nil { + return err + } + + if err = WriteShort(writer, method.PrefetchCount); err != nil { + return err + } + + var bits byte + + if method.Global { + bits |= 1 << 0 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + return +} + +// BasicQosOk This method tells the client that the requested QoS levels could be handled by the +// server. The requested QoS applies to all active consumers until a new QoS is +// defined. +type BasicQosOk struct { +} + +// Name returns method name as string, usefully for logging +func (method *BasicQosOk) Name() string { + return "BasicQosOk" +} + +// FrameType returns method frame type +func (method *BasicQosOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicQosOk) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicQosOk) MethodIdentifier() uint16 { + return 11 +} + +// Sync is method should me sent synchronous +func (method *BasicQosOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *BasicQosOk) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *BasicQosOk) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +// BasicConsume This method asks the server to start a "consumer", which is a transient request for +// messages from a specific queue. Consumers last as long as the channel they were +// declared on, or until the client cancels them. +type BasicConsume struct { + Reserved1 uint16 + Queue string + ConsumerTag string + NoLocal bool + NoAck bool + Exclusive bool + NoWait bool + Arguments *Table +} + +// Name returns method name as string, usefully for logging +func (method *BasicConsume) Name() string { + return "BasicConsume" +} + +// FrameType returns method frame type +func (method *BasicConsume) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicConsume) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicConsume) MethodIdentifier() uint16 { + return 20 +} + +// Sync is method should me sent synchronous +func (method *BasicConsume) Sync() bool { + return true +} + +// Read method from io reader +func (method *BasicConsume) Read(reader io.Reader, protoVersion string) (err error) { + + method.Reserved1, err = ReadShort(reader) + if err != nil { + return err + } + + method.Queue, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.ConsumerTag, err = ReadShortstr(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.NoLocal = bits&(1<<0) != 0 + + method.NoAck = bits&(1<<1) != 0 + + method.Exclusive = bits&(1<<2) != 0 + + method.NoWait = bits&(1<<3) != 0 + + method.Arguments, err = ReadTable(reader, protoVersion) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *BasicConsume) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShort(writer, method.Reserved1); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Queue); err != nil { + return err + } + + if err = WriteShortstr(writer, method.ConsumerTag); err != nil { + return err + } + + var bits byte + + if method.NoLocal { + bits |= 1 << 0 + } + + if method.NoAck { + bits |= 1 << 1 + } + + if method.Exclusive { + bits |= 1 << 2 + } + + if method.NoWait { + bits |= 1 << 3 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + if err = WriteTable(writer, method.Arguments, protoVersion); err != nil { + return err + } + + return +} + +// BasicConsumeOk The server provides the client with a consumer tag, which is used by the client +// for methods called on the consumer at a later stage. +type BasicConsumeOk struct { + ConsumerTag string +} + +// Name returns method name as string, usefully for logging +func (method *BasicConsumeOk) Name() string { + return "BasicConsumeOk" +} + +// FrameType returns method frame type +func (method *BasicConsumeOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicConsumeOk) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicConsumeOk) MethodIdentifier() uint16 { + return 21 +} + +// Sync is method should me sent synchronous +func (method *BasicConsumeOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *BasicConsumeOk) Read(reader io.Reader, protoVersion string) (err error) { + + method.ConsumerTag, err = ReadShortstr(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *BasicConsumeOk) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShortstr(writer, method.ConsumerTag); err != nil { + return err + } + + return +} + +// BasicCancel This method cancels a consumer. This does not affect already delivered +// messages, but it does mean the server will not send any more messages for +// that consumer. The client may receive an arbitrary number of messages in +// between sending the cancel method and receiving the cancel-ok reply. +// +// It may also be sent from the server to the client in the event +// of the consumer being unexpectedly cancelled (i.e. cancelled +// for any reason other than the server receiving the +// corresponding basic.cancel from the client). This allows +// clients to be notified of the loss of consumers due to events +// such as queue deletion. Note that as it is not a MUST for +// clients to accept this method from the client, it is advisable +// for the broker to be able to identify those clients that are +// capable of accepting the method, through some means of +// capability negotiation. +type BasicCancel struct { + ConsumerTag string + NoWait bool +} + +// Name returns method name as string, usefully for logging +func (method *BasicCancel) Name() string { + return "BasicCancel" +} + +// FrameType returns method frame type +func (method *BasicCancel) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicCancel) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicCancel) MethodIdentifier() uint16 { + return 30 +} + +// Sync is method should me sent synchronous +func (method *BasicCancel) Sync() bool { + return true +} + +// Read method from io reader +func (method *BasicCancel) Read(reader io.Reader, protoVersion string) (err error) { + + method.ConsumerTag, err = ReadShortstr(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.NoWait = bits&(1<<0) != 0 + + return +} + +// Write method from io reader +func (method *BasicCancel) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShortstr(writer, method.ConsumerTag); err != nil { + return err + } + + var bits byte + + if method.NoWait { + bits |= 1 << 0 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + return +} + +// BasicCancelOk This method confirms that the cancellation was completed. +type BasicCancelOk struct { + ConsumerTag string +} + +// Name returns method name as string, usefully for logging +func (method *BasicCancelOk) Name() string { + return "BasicCancelOk" +} + +// FrameType returns method frame type +func (method *BasicCancelOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicCancelOk) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicCancelOk) MethodIdentifier() uint16 { + return 31 +} + +// Sync is method should me sent synchronous +func (method *BasicCancelOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *BasicCancelOk) Read(reader io.Reader, protoVersion string) (err error) { + + method.ConsumerTag, err = ReadShortstr(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *BasicCancelOk) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShortstr(writer, method.ConsumerTag); err != nil { + return err + } + + return +} + +// BasicPublish This method publishes a message to a specific exchange. The message will be routed +// to queues as defined by the exchange configuration and distributed to any active +// consumers when the transaction, if any, is committed. +type BasicPublish struct { + Reserved1 uint16 + Exchange string + RoutingKey string + Mandatory bool + Immediate bool +} + +// Name returns method name as string, usefully for logging +func (method *BasicPublish) Name() string { + return "BasicPublish" +} + +// FrameType returns method frame type +func (method *BasicPublish) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicPublish) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicPublish) MethodIdentifier() uint16 { + return 40 +} + +// Sync is method should me sent synchronous +func (method *BasicPublish) Sync() bool { + return false +} + +// Read method from io reader +func (method *BasicPublish) Read(reader io.Reader, protoVersion string) (err error) { + + method.Reserved1, err = ReadShort(reader) + if err != nil { + return err + } + + method.Exchange, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.RoutingKey, err = ReadShortstr(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.Mandatory = bits&(1<<0) != 0 + + method.Immediate = bits&(1<<1) != 0 + + return +} + +// Write method from io reader +func (method *BasicPublish) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShort(writer, method.Reserved1); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Exchange); err != nil { + return err + } + + if err = WriteShortstr(writer, method.RoutingKey); err != nil { + return err + } + + var bits byte + + if method.Mandatory { + bits |= 1 << 0 + } + + if method.Immediate { + bits |= 1 << 1 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + return +} + +// BasicReturn This method returns an undeliverable message that was published with the "immediate" +// flag set, or an unroutable message published with the "mandatory" flag set. The +// reply code and text provide information about the reason that the message was +// undeliverable. +type BasicReturn struct { + ReplyCode uint16 + ReplyText string + Exchange string + RoutingKey string +} + +// Name returns method name as string, usefully for logging +func (method *BasicReturn) Name() string { + return "BasicReturn" +} + +// FrameType returns method frame type +func (method *BasicReturn) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicReturn) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicReturn) MethodIdentifier() uint16 { + return 50 +} + +// Sync is method should me sent synchronous +func (method *BasicReturn) Sync() bool { + return false +} + +// Read method from io reader +func (method *BasicReturn) Read(reader io.Reader, protoVersion string) (err error) { + + method.ReplyCode, err = ReadShort(reader) + if err != nil { + return err + } + + method.ReplyText, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.Exchange, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.RoutingKey, err = ReadShortstr(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *BasicReturn) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShort(writer, method.ReplyCode); err != nil { + return err + } + + if err = WriteShortstr(writer, method.ReplyText); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Exchange); err != nil { + return err + } + + if err = WriteShortstr(writer, method.RoutingKey); err != nil { + return err + } + + return +} + +// BasicDeliver This method delivers a message to the client, via a consumer. In the asynchronous +// message delivery model, the client starts a consumer using the Consume method, then +// the server responds with Deliver methods as and when messages arrive for that +// consumer. +type BasicDeliver struct { + ConsumerTag string + DeliveryTag uint64 + Redelivered bool + Exchange string + RoutingKey string +} + +// Name returns method name as string, usefully for logging +func (method *BasicDeliver) Name() string { + return "BasicDeliver" +} + +// FrameType returns method frame type +func (method *BasicDeliver) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicDeliver) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicDeliver) MethodIdentifier() uint16 { + return 60 +} + +// Sync is method should me sent synchronous +func (method *BasicDeliver) Sync() bool { + return false +} + +// Read method from io reader +func (method *BasicDeliver) Read(reader io.Reader, protoVersion string) (err error) { + + method.ConsumerTag, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.DeliveryTag, err = ReadLonglong(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.Redelivered = bits&(1<<0) != 0 + + method.Exchange, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.RoutingKey, err = ReadShortstr(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *BasicDeliver) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShortstr(writer, method.ConsumerTag); err != nil { + return err + } + + if err = WriteLonglong(writer, method.DeliveryTag); err != nil { + return err + } + + var bits byte + + if method.Redelivered { + bits |= 1 << 0 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Exchange); err != nil { + return err + } + + if err = WriteShortstr(writer, method.RoutingKey); err != nil { + return err + } + + return +} + +// BasicGet This method provides a direct access to the messages in a queue using a synchronous +// dialogue that is designed for specific types of application where synchronous +// functionality is more important than performance. +type BasicGet struct { + Reserved1 uint16 + Queue string + NoAck bool +} + +// Name returns method name as string, usefully for logging +func (method *BasicGet) Name() string { + return "BasicGet" +} + +// FrameType returns method frame type +func (method *BasicGet) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicGet) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicGet) MethodIdentifier() uint16 { + return 70 +} + +// Sync is method should me sent synchronous +func (method *BasicGet) Sync() bool { + return true +} + +// Read method from io reader +func (method *BasicGet) Read(reader io.Reader, protoVersion string) (err error) { + + method.Reserved1, err = ReadShort(reader) + if err != nil { + return err + } + + method.Queue, err = ReadShortstr(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.NoAck = bits&(1<<0) != 0 + + return +} + +// Write method from io reader +func (method *BasicGet) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShort(writer, method.Reserved1); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Queue); err != nil { + return err + } + + var bits byte + + if method.NoAck { + bits |= 1 << 0 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + return +} + +// BasicGetOk This method delivers a message to the client following a get method. A message +// delivered by 'get-ok' must be acknowledged unless the no-ack option was set in the +// get method. +type BasicGetOk struct { + DeliveryTag uint64 + Redelivered bool + Exchange string + RoutingKey string + MessageCount uint32 +} + +// Name returns method name as string, usefully for logging +func (method *BasicGetOk) Name() string { + return "BasicGetOk" +} + +// FrameType returns method frame type +func (method *BasicGetOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicGetOk) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicGetOk) MethodIdentifier() uint16 { + return 71 +} + +// Sync is method should me sent synchronous +func (method *BasicGetOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *BasicGetOk) Read(reader io.Reader, protoVersion string) (err error) { + + method.DeliveryTag, err = ReadLonglong(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.Redelivered = bits&(1<<0) != 0 + + method.Exchange, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.RoutingKey, err = ReadShortstr(reader) + if err != nil { + return err + } + + method.MessageCount, err = ReadLong(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *BasicGetOk) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteLonglong(writer, method.DeliveryTag); err != nil { + return err + } + + var bits byte + + if method.Redelivered { + bits |= 1 << 0 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + if err = WriteShortstr(writer, method.Exchange); err != nil { + return err + } + + if err = WriteShortstr(writer, method.RoutingKey); err != nil { + return err + } + + if err = WriteLong(writer, method.MessageCount); err != nil { + return err + } + + return +} + +// BasicGetEmpty This method tells the client that the queue has no messages available for the +// client. +type BasicGetEmpty struct { + Reserved1 string +} + +// Name returns method name as string, usefully for logging +func (method *BasicGetEmpty) Name() string { + return "BasicGetEmpty" +} + +// FrameType returns method frame type +func (method *BasicGetEmpty) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicGetEmpty) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicGetEmpty) MethodIdentifier() uint16 { + return 72 +} + +// Sync is method should me sent synchronous +func (method *BasicGetEmpty) Sync() bool { + return true +} + +// Read method from io reader +func (method *BasicGetEmpty) Read(reader io.Reader, protoVersion string) (err error) { + + method.Reserved1, err = ReadShortstr(reader) + if err != nil { + return err + } + + return +} + +// Write method from io reader +func (method *BasicGetEmpty) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteShortstr(writer, method.Reserved1); err != nil { + return err + } + + return +} + +// BasicAck When sent by the client, this method acknowledges one or more +// messages delivered via the Deliver or Get-Ok methods. +// +// When sent by server, this method acknowledges one or more +// messages published with the Publish method on a channel in +// confirm mode. +// +// The acknowledgement can be for a single message or a set of +// messages up to and including a specific message. +type BasicAck struct { + DeliveryTag uint64 + Multiple bool +} + +// Name returns method name as string, usefully for logging +func (method *BasicAck) Name() string { + return "BasicAck" +} + +// FrameType returns method frame type +func (method *BasicAck) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicAck) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicAck) MethodIdentifier() uint16 { + return 80 +} + +// Sync is method should me sent synchronous +func (method *BasicAck) Sync() bool { + return false +} + +// Read method from io reader +func (method *BasicAck) Read(reader io.Reader, protoVersion string) (err error) { + + method.DeliveryTag, err = ReadLonglong(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.Multiple = bits&(1<<0) != 0 + + return +} + +// Write method from io reader +func (method *BasicAck) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteLonglong(writer, method.DeliveryTag); err != nil { + return err + } + + var bits byte + + if method.Multiple { + bits |= 1 << 0 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + return +} + +// BasicReject This method allows a client to reject a message. It can be used to interrupt and +// cancel large incoming messages, or return untreatable messages to their original +// queue. +type BasicReject struct { + DeliveryTag uint64 + Requeue bool +} + +// Name returns method name as string, usefully for logging +func (method *BasicReject) Name() string { + return "BasicReject" +} + +// FrameType returns method frame type +func (method *BasicReject) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicReject) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicReject) MethodIdentifier() uint16 { + return 90 +} + +// Sync is method should me sent synchronous +func (method *BasicReject) Sync() bool { + return false +} + +// Read method from io reader +func (method *BasicReject) Read(reader io.Reader, protoVersion string) (err error) { + + method.DeliveryTag, err = ReadLonglong(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.Requeue = bits&(1<<0) != 0 + + return +} + +// Write method from io reader +func (method *BasicReject) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteLonglong(writer, method.DeliveryTag); err != nil { + return err + } + + var bits byte + + if method.Requeue { + bits |= 1 << 0 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + return +} + +// BasicRecoverAsync This method asks the server to redeliver all unacknowledged messages on a +// specified channel. Zero or more messages may be redelivered. This method +// is deprecated in favour of the synchronous Recover/Recover-Ok. +type BasicRecoverAsync struct { + Requeue bool +} + +// Name returns method name as string, usefully for logging +func (method *BasicRecoverAsync) Name() string { + return "BasicRecoverAsync" +} + +// FrameType returns method frame type +func (method *BasicRecoverAsync) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicRecoverAsync) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicRecoverAsync) MethodIdentifier() uint16 { + return 100 +} + +// Sync is method should me sent synchronous +func (method *BasicRecoverAsync) Sync() bool { + return false +} + +// Read method from io reader +func (method *BasicRecoverAsync) Read(reader io.Reader, protoVersion string) (err error) { + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.Requeue = bits&(1<<0) != 0 + + return +} + +// Write method from io reader +func (method *BasicRecoverAsync) Write(writer io.Writer, protoVersion string) (err error) { + + var bits byte + + if method.Requeue { + bits |= 1 << 0 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + return +} + +// BasicRecover This method asks the server to redeliver all unacknowledged messages on a +// specified channel. Zero or more messages may be redelivered. This method +// replaces the asynchronous Recover. +type BasicRecover struct { + Requeue bool +} + +// Name returns method name as string, usefully for logging +func (method *BasicRecover) Name() string { + return "BasicRecover" +} + +// FrameType returns method frame type +func (method *BasicRecover) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicRecover) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicRecover) MethodIdentifier() uint16 { + return 110 +} + +// Sync is method should me sent synchronous +func (method *BasicRecover) Sync() bool { + return false +} + +// Read method from io reader +func (method *BasicRecover) Read(reader io.Reader, protoVersion string) (err error) { + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.Requeue = bits&(1<<0) != 0 + + return +} + +// Write method from io reader +func (method *BasicRecover) Write(writer io.Writer, protoVersion string) (err error) { + + var bits byte + + if method.Requeue { + bits |= 1 << 0 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + return +} + +// BasicRecoverOk This method acknowledges a Basic.Recover method. +type BasicRecoverOk struct { +} + +// Name returns method name as string, usefully for logging +func (method *BasicRecoverOk) Name() string { + return "BasicRecoverOk" +} + +// FrameType returns method frame type +func (method *BasicRecoverOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicRecoverOk) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicRecoverOk) MethodIdentifier() uint16 { + return 111 +} + +// Sync is method should me sent synchronous +func (method *BasicRecoverOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *BasicRecoverOk) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *BasicRecoverOk) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +// BasicNack This method allows a client to reject one or more incoming messages. It can be +// used to interrupt and cancel large incoming messages, or return untreatable +// messages to their original queue. +// +// This method is also used by the server to inform publishers on channels in +// confirm mode of unhandled messages. If a publisher receives this method, it +// probably needs to republish the offending messages. +type BasicNack struct { + DeliveryTag uint64 + Multiple bool + Requeue bool +} + +// Name returns method name as string, usefully for logging +func (method *BasicNack) Name() string { + return "BasicNack" +} + +// FrameType returns method frame type +func (method *BasicNack) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *BasicNack) ClassIdentifier() uint16 { + return 60 +} + +// MethodIdentifier returns method methodID +func (method *BasicNack) MethodIdentifier() uint16 { + return 120 +} + +// Sync is method should me sent synchronous +func (method *BasicNack) Sync() bool { + return false +} + +// Read method from io reader +func (method *BasicNack) Read(reader io.Reader, protoVersion string) (err error) { + + method.DeliveryTag, err = ReadLonglong(reader) + if err != nil { + return err + } + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.Multiple = bits&(1<<0) != 0 + + method.Requeue = bits&(1<<1) != 0 + + return +} + +// Write method from io reader +func (method *BasicNack) Write(writer io.Writer, protoVersion string) (err error) { + + if err = WriteLonglong(writer, method.DeliveryTag); err != nil { + return err + } + + var bits byte + + if method.Multiple { + bits |= 1 << 0 + } + + if method.Requeue { + bits |= 1 << 1 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + return +} + +// Tx methods + +// TxSelect This method sets the channel to use standard transactions. The client must use this +// method at least once on a channel before using the Commit or Rollback methods. +type TxSelect struct { +} + +// Name returns method name as string, usefully for logging +func (method *TxSelect) Name() string { + return "TxSelect" +} + +// FrameType returns method frame type +func (method *TxSelect) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *TxSelect) ClassIdentifier() uint16 { + return 90 +} + +// MethodIdentifier returns method methodID +func (method *TxSelect) MethodIdentifier() uint16 { + return 10 +} + +// Sync is method should me sent synchronous +func (method *TxSelect) Sync() bool { + return true +} + +// Read method from io reader +func (method *TxSelect) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *TxSelect) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +// TxSelectOk This method confirms to the client that the channel was successfully set to use +// standard transactions. +type TxSelectOk struct { +} + +// Name returns method name as string, usefully for logging +func (method *TxSelectOk) Name() string { + return "TxSelectOk" +} + +// FrameType returns method frame type +func (method *TxSelectOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *TxSelectOk) ClassIdentifier() uint16 { + return 90 +} + +// MethodIdentifier returns method methodID +func (method *TxSelectOk) MethodIdentifier() uint16 { + return 11 +} + +// Sync is method should me sent synchronous +func (method *TxSelectOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *TxSelectOk) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *TxSelectOk) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +// TxCommit This method commits all message publications and acknowledgments performed in +// the current transaction. A new transaction starts immediately after a commit. +type TxCommit struct { +} + +// Name returns method name as string, usefully for logging +func (method *TxCommit) Name() string { + return "TxCommit" +} + +// FrameType returns method frame type +func (method *TxCommit) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *TxCommit) ClassIdentifier() uint16 { + return 90 +} + +// MethodIdentifier returns method methodID +func (method *TxCommit) MethodIdentifier() uint16 { + return 20 +} + +// Sync is method should me sent synchronous +func (method *TxCommit) Sync() bool { + return true +} + +// Read method from io reader +func (method *TxCommit) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *TxCommit) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +// TxCommitOk This method confirms to the client that the commit succeeded. Note that if a commit +// fails, the server raises a channel exception. +type TxCommitOk struct { +} + +// Name returns method name as string, usefully for logging +func (method *TxCommitOk) Name() string { + return "TxCommitOk" +} + +// FrameType returns method frame type +func (method *TxCommitOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *TxCommitOk) ClassIdentifier() uint16 { + return 90 +} + +// MethodIdentifier returns method methodID +func (method *TxCommitOk) MethodIdentifier() uint16 { + return 21 +} + +// Sync is method should me sent synchronous +func (method *TxCommitOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *TxCommitOk) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *TxCommitOk) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +// TxRollback This method abandons all message publications and acknowledgments performed in +// the current transaction. A new transaction starts immediately after a rollback. +// Note that unacked messages will not be automatically redelivered by rollback; +// if that is required an explicit recover call should be issued. +type TxRollback struct { +} + +// Name returns method name as string, usefully for logging +func (method *TxRollback) Name() string { + return "TxRollback" +} + +// FrameType returns method frame type +func (method *TxRollback) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *TxRollback) ClassIdentifier() uint16 { + return 90 +} + +// MethodIdentifier returns method methodID +func (method *TxRollback) MethodIdentifier() uint16 { + return 30 +} + +// Sync is method should me sent synchronous +func (method *TxRollback) Sync() bool { + return true +} + +// Read method from io reader +func (method *TxRollback) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *TxRollback) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +// TxRollbackOk This method confirms to the client that the rollback succeeded. Note that if an +// rollback fails, the server raises a channel exception. +type TxRollbackOk struct { +} + +// Name returns method name as string, usefully for logging +func (method *TxRollbackOk) Name() string { + return "TxRollbackOk" +} + +// FrameType returns method frame type +func (method *TxRollbackOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *TxRollbackOk) ClassIdentifier() uint16 { + return 90 +} + +// MethodIdentifier returns method methodID +func (method *TxRollbackOk) MethodIdentifier() uint16 { + return 31 +} + +// Sync is method should me sent synchronous +func (method *TxRollbackOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *TxRollbackOk) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *TxRollbackOk) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +// Confirm methods + +// ConfirmSelect This method sets the channel to use publisher acknowledgements. +// The client can only use this method on a non-transactional +// channel. +type ConfirmSelect struct { + Nowait bool +} + +// Name returns method name as string, usefully for logging +func (method *ConfirmSelect) Name() string { + return "ConfirmSelect" +} + +// FrameType returns method frame type +func (method *ConfirmSelect) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ConfirmSelect) ClassIdentifier() uint16 { + return 85 +} + +// MethodIdentifier returns method methodID +func (method *ConfirmSelect) MethodIdentifier() uint16 { + return 10 +} + +// Sync is method should me sent synchronous +func (method *ConfirmSelect) Sync() bool { + return true +} + +// Read method from io reader +func (method *ConfirmSelect) Read(reader io.Reader, protoVersion string) (err error) { + + bits, err := ReadOctet(reader) + if err != nil { + return err + } + + method.Nowait = bits&(1<<0) != 0 + + return +} + +// Write method from io reader +func (method *ConfirmSelect) Write(writer io.Writer, protoVersion string) (err error) { + + var bits byte + + if method.Nowait { + bits |= 1 << 0 + } + + if err = WriteOctet(writer, bits); err != nil { + return err + } + + return +} + +// ConfirmSelectOk This method confirms to the client that the channel was successfully +// set to use publisher acknowledgements. +type ConfirmSelectOk struct { +} + +// Name returns method name as string, usefully for logging +func (method *ConfirmSelectOk) Name() string { + return "ConfirmSelectOk" +} + +// FrameType returns method frame type +func (method *ConfirmSelectOk) FrameType() byte { + return 1 +} + +// ClassIdentifier returns method classID +func (method *ConfirmSelectOk) ClassIdentifier() uint16 { + return 85 +} + +// MethodIdentifier returns method methodID +func (method *ConfirmSelectOk) MethodIdentifier() uint16 { + return 11 +} + +// Sync is method should me sent synchronous +func (method *ConfirmSelectOk) Sync() bool { + return true +} + +// Read method from io reader +func (method *ConfirmSelectOk) Read(reader io.Reader, protoVersion string) (err error) { + + return +} + +// Write method from io reader +func (method *ConfirmSelectOk) Write(writer io.Writer, protoVersion string) (err error) { + + return +} + +/* +ReadMethod reads method from frame's payload + +Method frames carry the high-level protocol commands (which we call "methods"). +One method frame carries one command. The method frame payload has this format: + + 0 2 4 + +----------+-----------+-------------- - - + | class-id | method-id | arguments... + +----------+-----------+-------------- - - + short short ... + +*/ +func ReadMethod(reader io.Reader, protoVersion string) (Method, error) { + classID, err := ReadShort(reader) + if err != nil { + return nil, err + } + + methodID, err := ReadShort(reader) + if err != nil { + return nil, err + } + switch classID { + + case 10: + switch methodID { + + case 10: + var method = &ConnectionStart{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 11: + var method = &ConnectionStartOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 20: + var method = &ConnectionSecure{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 21: + var method = &ConnectionSecureOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 30: + var method = &ConnectionTune{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 31: + var method = &ConnectionTuneOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 40: + var method = &ConnectionOpen{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 41: + var method = &ConnectionOpenOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 50: + var method = &ConnectionClose{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 51: + var method = &ConnectionCloseOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 60: + var method = &ConnectionBlocked{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 61: + var method = &ConnectionUnblocked{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + } + case 20: + switch methodID { + + case 10: + var method = &ChannelOpen{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 11: + var method = &ChannelOpenOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 20: + var method = &ChannelFlow{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 21: + var method = &ChannelFlowOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 40: + var method = &ChannelClose{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 41: + var method = &ChannelCloseOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + } + case 40: + switch methodID { + + case 10: + var method = &ExchangeDeclare{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 11: + var method = &ExchangeDeclareOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 20: + var method = &ExchangeDelete{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 21: + var method = &ExchangeDeleteOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 30: + var method = &ExchangeBind{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 31: + var method = &ExchangeBindOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 40: + var method = &ExchangeUnbind{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 51: + var method = &ExchangeUnbindOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + } + case 50: + switch methodID { + + case 10: + var method = &QueueDeclare{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 11: + var method = &QueueDeclareOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 20: + var method = &QueueBind{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 21: + var method = &QueueBindOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 50: + var method = &QueueUnbind{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 51: + var method = &QueueUnbindOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 30: + var method = &QueuePurge{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 31: + var method = &QueuePurgeOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 40: + var method = &QueueDelete{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 41: + var method = &QueueDeleteOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + } + case 60: + switch methodID { + + case 10: + var method = &BasicQos{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 11: + var method = &BasicQosOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 20: + var method = &BasicConsume{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 21: + var method = &BasicConsumeOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 30: + var method = &BasicCancel{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 31: + var method = &BasicCancelOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 40: + var method = &BasicPublish{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 50: + var method = &BasicReturn{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 60: + var method = &BasicDeliver{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 70: + var method = &BasicGet{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 71: + var method = &BasicGetOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 72: + var method = &BasicGetEmpty{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 80: + var method = &BasicAck{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 90: + var method = &BasicReject{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 100: + var method = &BasicRecoverAsync{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 110: + var method = &BasicRecover{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 111: + var method = &BasicRecoverOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 120: + var method = &BasicNack{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + } + case 90: + switch methodID { + + case 10: + var method = &TxSelect{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 11: + var method = &TxSelectOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 20: + var method = &TxCommit{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 21: + var method = &TxCommitOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 30: + var method = &TxRollback{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 31: + var method = &TxRollbackOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + } + case 85: + switch methodID { + + case 10: + var method = &ConfirmSelect{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + case 11: + var method = &ConfirmSelectOk{} + if err := method.Read(reader, protoVersion); err != nil { + return nil, err + } + return method, nil + } + } + + return nil, fmt.Errorf("unknown classID and methodID: [%d. %d]", classID, methodID) +} + +// WriteMethod writes method into frame's payload +func WriteMethod(writer io.Writer, method Method, protoVersion string) (err error) { + if err = WriteShort(writer, method.ClassIdentifier()); err != nil { + return err + } + if err = WriteShort(writer, method.MethodIdentifier()); err != nil { + return err + } + + if err = method.Write(writer, protoVersion); err != nil { + return err + } + + return +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/amqp/readers_writers.go b/pkg/outputs/amqp/_fixtures/garagemq/amqp/readers_writers.go new file mode 100644 index 000000000..22e8b2ddd --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/amqp/readers_writers.go @@ -0,0 +1,882 @@ +package amqp + +import ( + "bytes" + "encoding/binary" + "errors" + "fmt" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/pool" + "io" + "time" +) + +var emptyBufferPool = pool.NewBufferPool(0) + +// 14 bytes for class-id | weight | body size | property flags +var headerBufferPool = pool.NewBufferPool(14) + +// AmqpHeader standard AMQP header +var AmqpHeader = []byte{'A', 'M', 'Q', 'P', 0, 0, 9, 1} + +// supported protocol identifiers +const ( + Proto091 = "amqp-0-9-1" + ProtoRabbit = "amqp-rabbit" +) + +func writeSlice(wr io.Writer, data []byte) error { + _, err := wr.Write(data[:]) + return err +} + +/* +ReadFrame reads and parses raw data from conn reader and returns amqp frame + +@spec-note +All frames consist of a header (7 octets), a payload of arbitrary size, and a +'frame-end' octet that detects malformed frames: + + 0 1 3 7 size+7 size+8 + +------+---------+-------------+ +------------+ +-----------+ + | type | channel | size | | payload | | frame-end | + +------+---------+-------------+ +------------+ +-----------+ + octet short long size octets octet + +To read a frame, we: + 1. Read the header and check the frame type and channel. + 2. Depending on the frame size, we read the payload + 3. Read the frame-end octet. +*/ +func ReadFrame(r io.Reader) (frame *Frame, err error) { + // It does not matter that we call read methods 3 time + // Because net.TCPConn connection buffered by bufio.NewReader + frame = &Frame{} + if frame.Type, err = ReadOctet(r); err != nil { + return nil, err + } + if frame.ChannelID, err = ReadShort(r); err != nil { + return nil, err + } + var payloadSize uint32 + if payloadSize, err = ReadLong(r); err != nil { + return nil, err + } + + var payload = make([]byte, payloadSize+1) + if _, err := io.ReadFull(r, payload); err != nil { + return nil, err + } + frame.Payload = payload[0:payloadSize] + + // check frame end + if payload[payloadSize] != FrameEnd { + return nil, fmt.Errorf( + "the frame-end octet MUST always be the hexadecimal value 'xCE', %x given", + payload[payloadSize]) + } + + return frame, nil +} + +// WriteFrame pack amqp Frame as bytes and write to conn writer +func WriteFrame(wr io.Writer, frame *Frame) (err error) { + if err = WriteOctet(wr, frame.Type); err != nil { + return err + } + if err = WriteShort(wr, frame.ChannelID); err != nil { + return err + } + + // size + payload + if err = WriteLongstr(wr, frame.Payload); err != nil { + return err + } + // frame end + if err = WriteOctet(wr, FrameEnd); err != nil { + return err + } + + return nil +} + +// ReadOctet reads octet (byte) +func ReadOctet(r io.Reader) (data byte, err error) { + var b [1]byte + if _, err = io.ReadFull(r, b[:]); err != nil { + return + } + data = b[0] + return +} + +// WriteOctet writes octet (byte) +func WriteOctet(wr io.Writer, data byte) error { + var b [1]byte + b[0] = data + return writeSlice(wr, b[:]) +} + +// ReadShort reads 2 bytes +func ReadShort(r io.Reader) (data uint16, err error) { + err = binary.Read(r, binary.BigEndian, &data) + return +} + +// WriteShort writes 2 bytes +func WriteShort(wr io.Writer, data uint16) error { + var b [2]byte + binary.BigEndian.PutUint16(b[:], data) + return writeSlice(wr, b[:]) +} + +// ReadLong reads 4 bytes +func ReadLong(r io.Reader) (data uint32, err error) { + err = binary.Read(r, binary.BigEndian, &data) + return +} + +// WriteLong writes 4 bytes +func WriteLong(wr io.Writer, data uint32) error { + var b [4]byte + binary.BigEndian.PutUint32(b[:], data) + return writeSlice(wr, b[:]) +} + +// ReadLonglong reads 8 bytes +func ReadLonglong(r io.Reader) (data uint64, err error) { + err = binary.Read(r, binary.BigEndian, &data) + return +} + +// WriteLonglong writes 8 bytes +func WriteLonglong(wr io.Writer, data uint64) error { + var b [8]byte + binary.BigEndian.PutUint64(b[:], data) + return writeSlice(wr, b[:]) +} + +// ReadTimestamp reads timestamp +// amqp presents timestamp as 8byte int +func ReadTimestamp(r io.Reader) (data time.Time, err error) { + var seconds uint64 + if seconds, err = ReadLonglong(r); err != nil { + return + } + return time.Unix(int64(seconds), 0), nil +} + +// WriteTimestamp writes timestamp +func WriteTimestamp(wr io.Writer, data time.Time) error { + return WriteLonglong(wr, uint64(data.Unix())) +} + +// ReadShortstr reads string +func ReadShortstr(r io.Reader) (data string, err error) { + var length byte + + length, err = ReadOctet(r) + if err != nil { + return "", err + } + + strBytes := make([]byte, length) + + _, err = io.ReadFull(r, strBytes) + if err != nil { + return "", err + } + data = string(strBytes) + return +} + +// WriteShortstr writes string +func WriteShortstr(wr io.Writer, data string) error { + if err := WriteOctet(wr, byte(len(data))); err != nil { + return err + } + if _, err := wr.Write([]byte(data)); err != nil { + return err + } + + return nil +} + +// ReadLongstr reads long string +// Long string is just array of bytes +func ReadLongstr(r io.Reader) (data []byte, err error) { + var length uint32 + + length, err = ReadLong(r) + if err != nil { + return nil, err + } + + data = make([]byte, length) + + _, err = io.ReadFull(r, data) + if err != nil { + return nil, err + } + return +} + +// WriteLongstr writes long string +func WriteLongstr(wr io.Writer, data []byte) error { + err := WriteLong(wr, uint32(len(data))) + if err != nil { + return err + } + _, err = wr.Write(data) + if err != nil { + return err + } + return nil +} + +// ReadTable reads amqp table +// Standard amqp table and rabbitmq table are little different +// So we have second argument protoVersion to handle that issue +func ReadTable(r io.Reader, protoVersion string) (data *Table, err error) { + tmpData := Table{} + tableData, err := ReadLongstr(r) + if err != nil { + return nil, err + } + + tableReader := bytes.NewReader(tableData) + for tableReader.Len() > 0 { + var key string + var value interface{} + if key, err = ReadShortstr(tableReader); err != nil { + return nil, errors.New("Unable to read key from table: " + err.Error()) + } + + if value, err = readV(tableReader, protoVersion); err != nil { + return nil, errors.New("Unable to read value from table: " + err.Error()) + } + + tmpData[key] = value + } + + return &tmpData, nil +} + +func readV(r io.Reader, protoVersion string) (data interface{}, err error) { + switch protoVersion { + case Proto091: + return readValue091(r) + case ProtoRabbit: + return readValueRabbit(r) + } + + return nil, fmt.Errorf("unknown proto version [%s]", protoVersion) +} + +/* +Standard amqp-0-9-1 table fields + +'t' bool boolean +'b' int8 short-short-int +'B' uint8 short-short-uint +'U' int16 short-int +'u' uint16 short-uint +'I' int32 long-int +'i' uint32 long-uint +'L' int64 long-long-int +'l' uint64 long-long-uint +'f' float float +'d' double double +'D' Decimal decimal-value +'s' string short-string +'S' []byte long-string +'A' []interface{} field-array +'T' time.Time timestamp +'F' Table field-table +'V' nil no-field +*/ +func readValue091(r io.Reader) (data interface{}, err error) { + vType, err := ReadOctet(r) + if err != nil { + return nil, err + } + + switch vType { + case 't': + var rData byte + rData, err = ReadOctet(r) + if err != nil { + return nil, err + } + return rData != 0, nil + case 'b': + var rData int8 + if err = binary.Read(r, binary.BigEndian, &rData); err != nil { + return nil, err + } + return rData, nil + case 'B': + var rData uint8 + if err = binary.Read(r, binary.BigEndian, &rData); err != nil { + return nil, err + } + return rData, nil + case 'U': + var rData int16 + if err = binary.Read(r, binary.BigEndian, &rData); err != nil { + return nil, err + } + return rData, nil + case 'u': + var rData uint16 + if err = binary.Read(r, binary.BigEndian, &rData); err != nil { + return nil, err + } + return rData, nil + case 'I': + var rData int32 + if err = binary.Read(r, binary.BigEndian, &rData); err != nil { + return nil, err + } + return rData, nil + case 'i': + var rData uint32 + if err = binary.Read(r, binary.BigEndian, &rData); err != nil { + return nil, err + } + return rData, nil + case 'L': + var rData int64 + if err = binary.Read(r, binary.BigEndian, &rData); err != nil { + return nil, err + } + return rData, nil + case 'l': + var rData uint64 + if err = binary.Read(r, binary.BigEndian, &rData); err != nil { + return nil, err + } + return rData, nil + case 'f': + var rData float32 + if err = binary.Read(r, binary.BigEndian, &rData); err != nil { + return nil, err + } + return rData, nil + case 'd': + var rData float64 + if err = binary.Read(r, binary.BigEndian, &rData); err != nil { + return nil, err + } + return rData, nil + case 'D': + var rData = Decimal{0, 0} + + if err = binary.Read(r, binary.BigEndian, &rData.Scale); err != nil { + return nil, err + } + if err = binary.Read(r, binary.BigEndian, &rData.Value); err != nil { + return nil, err + } + return rData, nil + case 's': + var rData string + if rData, err = ReadShortstr(r); err == nil { + return nil, err + } + + return rData, nil + case 'S': + var rData []byte + if rData, err = ReadLongstr(r); err == nil { + return nil, err + } + + return rData, nil + case 'T': + var rData time.Time + if rData, err = ReadTimestamp(r); err == nil { + return nil, err + } + + return rData, nil + case 'A': + var rData []interface{} + if rData, err = readArray(r, Proto091); err == nil { + return nil, err + } + return rData, nil + case 'F': + var rData *Table + if rData, err = ReadTable(r, Proto091); err == nil { + return nil, err + } + return rData, nil + case 'V': + return nil, nil + } + + return nil, fmt.Errorf("unsupported type %c (%d) by %s protocol", vType, vType, Proto091) +} + +/* +Rabbitmq table fields + +'t' bool boolean +'b' int8 short-short-int +'s' int16 short-int +'I' int32 long-int +'l' int64 long-long-int +'f' float float +'d' double double +'D' Decimal decimal-value +'S' []byte long-string +'T' time.Time timestamp +'F' Table field-table +'V' nil no-field +'x' []interface{} field-array +*/ +func readValueRabbit(r io.Reader) (data interface{}, err error) { + vType, err := ReadOctet(r) + if err != nil { + return nil, err + } + + switch vType { + case 't': + var rData byte + rData, err = ReadOctet(r) + if err != nil { + return nil, err + } + return rData != 0, nil + case 'b': + var rData int8 + if err = binary.Read(r, binary.BigEndian, &rData); err != nil { + return nil, err + } + return rData, nil + case 's': + var rData int16 + if err = binary.Read(r, binary.BigEndian, &rData); err != nil { + return nil, err + } + return rData, nil + case 'I': + var rData int32 + if err = binary.Read(r, binary.BigEndian, &rData); err != nil { + return nil, err + } + return rData, nil + case 'l': + var rData int64 + if err = binary.Read(r, binary.BigEndian, &rData); err != nil { + return nil, err + } + return rData, nil + case 'f': + var rData float32 + if err = binary.Read(r, binary.BigEndian, &rData); err != nil { + return nil, err + } + return rData, nil + case 'd': + var rData float64 + if err = binary.Read(r, binary.BigEndian, &rData); err != nil { + return nil, err + } + return rData, nil + case 'D': + var rData = Decimal{0, 0} + + if err = binary.Read(r, binary.BigEndian, &rData.Scale); err != nil { + return nil, err + } + if err = binary.Read(r, binary.BigEndian, &rData.Value); err != nil { + return nil, err + } + return rData, nil + case 'S': + var rData []byte + if rData, err = ReadLongstr(r); err != nil { + return nil, err + } + + return string(rData), nil + case 'T': + var rData time.Time + if rData, err = ReadTimestamp(r); err != nil { + return nil, err + } + + return rData, nil + case 'x': + var rData []interface{} + if rData, err = readArray(r, ProtoRabbit); err != nil { + return nil, err + } + return rData, nil + case 'F': + var rData *Table + if rData, err = ReadTable(r, ProtoRabbit); err != nil { + return nil, err + } + return rData, nil + case 'V': + return nil, nil + } + + return nil, fmt.Errorf("unsupported type %c (%d) by %s protocol", vType, vType, ProtoRabbit) +} + +// WriteTable writes amqp table +// Standard amqp table and rabbitmq table are little different +// So we have second argument protoVersion to handle that issue +func WriteTable(writer io.Writer, table *Table, protoVersion string) (err error) { + var buf = emptyBufferPool.Get() + defer emptyBufferPool.Put(buf) + for key, v := range *table { + if err := WriteShortstr(buf, key); err != nil { + return err + } + if err := writeV(buf, v, protoVersion); err != nil { + return err + } + } + return WriteLongstr(writer, buf.Bytes()) +} + +func writeV(writer io.Writer, v interface{}, protoVersion string) (err error) { + switch protoVersion { + case Proto091: + return writeValue091(writer, v) + case ProtoRabbit: + return writeValueRabbit(writer, v) + } + + return fmt.Errorf("unknown proto version [%s]", protoVersion) +} + +/* +Standard amqp-0-9-1 table fields + +'t' bool boolean +'b' int8 short-short-int +'B' uint8 short-short-uint +'U' int16 short-int +'u' uint16 short-uint +'I' int32 long-int +'i' uint32 long-uint +'L' int64 long-long-int +'l' uint64 long-long-uint +'f' float float +'d' double double +'D' Decimal decimal-value +'s' string short-string +'S' []byte long-string +'A' []interface{} field-array +'T' time.Time timestamp +'F' Table field-table +'V' nil no-field +*/ +func writeValue091(writer io.Writer, v interface{}) (err error) { + switch value := v.(type) { + case bool: + if err = WriteOctet(writer, byte('t')); err == nil { + if value { + err = binary.Write(writer, binary.BigEndian, uint8(1)) + } else { + err = binary.Write(writer, binary.BigEndian, uint8(0)) + } + } + case int8: + if err = WriteOctet(writer, byte('b')); err == nil { + err = binary.Write(writer, binary.BigEndian, value) + } + case uint8: + if err = WriteOctet(writer, byte('B')); err == nil { + err = binary.Write(writer, binary.BigEndian, value) + } + case int16: + if err = WriteOctet(writer, byte('U')); err == nil { + err = binary.Write(writer, binary.BigEndian, value) + } + case uint16: + if err = binary.Write(writer, binary.BigEndian, byte('u')); err == nil { + err = binary.Write(writer, binary.BigEndian, value) + } + case int32: + if err = binary.Write(writer, binary.BigEndian, byte('I')); err == nil { + err = binary.Write(writer, binary.BigEndian, value) + } + case uint32: + if err = binary.Write(writer, binary.BigEndian, byte('i')); err == nil { + err = binary.Write(writer, binary.BigEndian, value) + } + case int64: + if err = binary.Write(writer, binary.BigEndian, byte('L')); err == nil { + err = binary.Write(writer, binary.BigEndian, value) + } + case uint64: + if err = binary.Write(writer, binary.BigEndian, byte('l')); err == nil { + err = binary.Write(writer, binary.BigEndian, value) + } + case float32: + if err = binary.Write(writer, binary.BigEndian, byte('f')); err == nil { + err = binary.Write(writer, binary.BigEndian, value) + } + case float64: + if err = binary.Write(writer, binary.BigEndian, byte('d')); err == nil { + err = binary.Write(writer, binary.BigEndian, value) + } + case Decimal: + if err = binary.Write(writer, binary.BigEndian, byte('D')); err == nil { + if err = binary.Write(writer, binary.BigEndian, byte(value.Scale)); err == nil { + err = binary.Write(writer, binary.BigEndian, uint32(value.Value)) + } + } + case string: + if err = WriteOctet(writer, byte('s')); err == nil { + err = WriteShortstr(writer, value) + } + case []byte: + if err = WriteOctet(writer, byte('S')); err == nil { + err = WriteLongstr(writer, value) + } + case time.Time: + if err = WriteOctet(writer, byte('T')); err == nil { + err = WriteTimestamp(writer, value) + } + case []interface{}: + if err = WriteOctet(writer, byte('A')); err == nil { + err = writeArray(writer, value, Proto091) + } + + case Table: + if err = WriteOctet(writer, byte('F')); err == nil { + err = WriteTable(writer, &value, Proto091) + } + case nil: + err = binary.Write(writer, binary.BigEndian, byte('V')) + default: + err = fmt.Errorf("unsupported type by %s protocol", Proto091) + } + + return +} + +/* +Rabbitmq table fields + +'t' bool boolean +'b' int8 short-short-int +'s' int16 short-int +'I' int32 long-int +'l' int64 long-long-int +'f' float float +'d' double double +'D' Decimal decimal-value +'S' []byte long-string +'T' time.Time timestamp +'F' Table field-table +'V' nil no-field +'x' []interface{} field-array +*/ +func writeValueRabbit(writer io.Writer, v interface{}) (err error) { + switch value := v.(type) { + case bool: + if err = WriteOctet(writer, byte('t')); err == nil { + if value { + err = binary.Write(writer, binary.BigEndian, uint8(1)) + } else { + err = binary.Write(writer, binary.BigEndian, uint8(0)) + } + } + case int8: + if err = WriteOctet(writer, byte('b')); err == nil { + err = binary.Write(writer, binary.BigEndian, value) + } + case uint8: + if err = WriteOctet(writer, byte('b')); err == nil { + err = binary.Write(writer, binary.BigEndian, int8(value)) + } + case int16: + if err = WriteOctet(writer, byte('s')); err == nil { + err = binary.Write(writer, binary.BigEndian, value) + } + case uint16: + if err = binary.Write(writer, binary.BigEndian, byte('s')); err == nil { + err = binary.Write(writer, binary.BigEndian, int16(value)) + } + case int32: + if err = binary.Write(writer, binary.BigEndian, byte('I')); err == nil { + err = binary.Write(writer, binary.BigEndian, value) + } + case uint32: + if err = binary.Write(writer, binary.BigEndian, byte('I')); err == nil { + err = binary.Write(writer, binary.BigEndian, int32(value)) + } + case int64: + if err = binary.Write(writer, binary.BigEndian, byte('l')); err == nil { + err = binary.Write(writer, binary.BigEndian, value) + } + case uint64: + if err = binary.Write(writer, binary.BigEndian, byte('l')); err == nil { + err = binary.Write(writer, binary.BigEndian, int64(value)) + } + case float32: + if err = binary.Write(writer, binary.BigEndian, byte('f')); err == nil { + err = binary.Write(writer, binary.BigEndian, value) + } + case float64: + if err = binary.Write(writer, binary.BigEndian, byte('d')); err == nil { + err = binary.Write(writer, binary.BigEndian, value) + } + case Decimal: + if err = binary.Write(writer, binary.BigEndian, byte('D')); err == nil { + if err = binary.Write(writer, binary.BigEndian, byte(value.Scale)); err == nil { + err = binary.Write(writer, binary.BigEndian, uint32(value.Value)) + } + } + case []byte: + if err = WriteOctet(writer, byte('S')); err == nil { + err = WriteLongstr(writer, value) + } + case string: + if err = WriteOctet(writer, byte('S')); err == nil { + err = WriteLongstr(writer, []byte(value)) + } + case time.Time: + if err = WriteOctet(writer, byte('T')); err == nil { + err = WriteTimestamp(writer, value) + } + case []interface{}: + if err = WriteOctet(writer, byte('x')); err == nil { + err = writeArray(writer, value, ProtoRabbit) + } + case Table: + if err = WriteOctet(writer, byte('F')); err == nil { + err = WriteTable(writer, &value, ProtoRabbit) + } + case nil: + err = binary.Write(writer, binary.BigEndian, byte('V')) + default: + err = fmt.Errorf("unsupported type by %s protocol", Proto091) + } + + return +} + +func writeArray(writer io.Writer, array []interface{}, protoVersion string) error { + var buf = emptyBufferPool.Get() + defer emptyBufferPool.Put(buf) + + for _, v := range array { + if err := writeV(buf, v, protoVersion); err != nil { + return err + } + } + return WriteLongstr(writer, buf.Bytes()) +} + +func readArray(r io.Reader, protoVersion string) (data []interface{}, err error) { + data = make([]interface{}, 0) + var arrayData []byte + if arrayData, err = ReadLongstr(r); err != nil { + return nil, err + } + + arrayBuffer := bytes.NewBuffer(arrayData) + for arrayBuffer.Len() > 0 { + var itemV interface{} + if itemV, err = readV(arrayBuffer, protoVersion); err != nil { + return nil, err + } + + data = append(data, itemV) + } + + return data, nil +} + +/* +ReadContentHeader reads amqp content header + +Certain methods (such as Basic.Publish, Basic.Deliver, etc.) are formally +defined as carrying content. When a peer sends such a method frame, it always +follows it with a content header and zero or more content body frames. + +A content header frame has this format: + + 0 2 4 12 14 + +----------+--------+-----------+----------------+------------- - - + | class-id | weight | body size | property flags | property list... + +----------+--------+-----------+----------------+------------- - - + short short long long short remainder... +*/ +func ReadContentHeader(r io.Reader, protoVersion string) (*ContentHeader, error) { + var err error + // 14 bytes for class-id | weight | body size | property flags + headerBuf := headerBufferPool.Get() + defer headerBufferPool.Put(headerBuf) + + var header [14]byte + if _, err = io.ReadFull(r, header[:]); err != nil { + return nil, err + } + if _, err = headerBuf.Write(header[:]); err != nil { + return nil, err + } + + contentHeader := &ContentHeader{} + + if contentHeader.ClassID, err = ReadShort(headerBuf); err != nil { + return nil, err + } + if contentHeader.Weight, err = ReadShort(headerBuf); err != nil { + return nil, err + } + if contentHeader.BodySize, err = ReadLonglong(headerBuf); err != nil { + return nil, err + } + if contentHeader.propertyFlags, err = ReadShort(headerBuf); err != nil { + return nil, err + } + + contentHeader.PropertyList = &BasicPropertyList{} + if err = contentHeader.PropertyList.Read(r, contentHeader.propertyFlags, protoVersion); err != nil { + return nil, err + } + + return contentHeader, nil +} + +// WriteContentHeader writes amqp content header +func WriteContentHeader(writer io.Writer, header *ContentHeader, protoVersion string) (err error) { + if err = WriteShort(writer, header.ClassID); err != nil { + return err + } + if err = WriteShort(writer, header.Weight); err != nil { + return err + } + if err = WriteLonglong(writer, header.BodySize); err != nil { + return err + } + + var propertyBuf = emptyBufferPool.Get() + defer emptyBufferPool.Put(propertyBuf) + + properyFlags, err := header.PropertyList.Write(propertyBuf, protoVersion) + if err != nil { + return err + } + + header.propertyFlags = properyFlags + if err = WriteShort(writer, header.propertyFlags); err != nil { + return err + } + if _, err = writer.Write(propertyBuf.Bytes()); err != nil { + return err + } + + return +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/amqp/types.go b/pkg/outputs/amqp/_fixtures/garagemq/amqp/types.go new file mode 100644 index 000000000..3dd451d82 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/amqp/types.go @@ -0,0 +1,198 @@ +package amqp + +import ( + "bytes" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/pool" + "sync/atomic" + "time" +) + +var emptyMessageBufferPool = pool.NewBufferPool(0) + +// Table - simple amqp-table implementation +type Table map[string]interface{} + +// Decimal represents amqp-decimal data +type Decimal struct { + Scale uint8 + Value int32 +} + +// Frame is raw frame +type Frame struct { + ChannelID uint16 + Type byte + CloseAfter bool + Sync bool + Payload []byte +} + +// ContentHeader represents amqp-message content-header +type ContentHeader struct { + BodySize uint64 + ClassID uint16 + Weight uint16 + propertyFlags uint16 + PropertyList *BasicPropertyList +} + +// ConfirmMeta store information for check confirms and send confirm-acks +type ConfirmMeta struct { + ChanID uint16 + ConnID uint64 + DeliveryTag uint64 + ExpectedConfirms int + ActualConfirms int +} + +// CanConfirm returns is message can be confirmed +func (meta *ConfirmMeta) CanConfirm() bool { + return meta.ActualConfirms == meta.ExpectedConfirms +} + +// Message represents amqp-message and meta-data +type Message struct { + ID uint64 + BodySize uint64 + DeliveryCount uint32 + Mandatory bool + Immediate bool + Exchange string + RoutingKey string + ConfirmMeta *ConfirmMeta + Header *ContentHeader + Body []*Frame +} + +// when server restart we can't start again count messages from 0 +var msgID = uint64(time.Now().UnixNano()) + +// NewMessage returns new message instance +func NewMessage(method *BasicPublish) *Message { + return &Message{ + Exchange: method.Exchange, + RoutingKey: method.RoutingKey, + Mandatory: method.Mandatory, + Immediate: method.Immediate, + BodySize: 0, + DeliveryCount: 0, + } +} + +// IsPersistent check if message should be persisted +func (m *Message) IsPersistent() bool { + deliveryMode := m.Header.PropertyList.DeliveryMode + return deliveryMode != nil && *deliveryMode == 2 +} + +// GenerateSeq returns next message ID +func (m *Message) GenerateSeq() { + if m.ID == 0 { + m.ID = atomic.AddUint64(&msgID, 1) + } +} + +// Append appends new body-frame into message and increase bodySize +func (m *Message) Append(body *Frame) { + m.Body = append(m.Body, body) + m.BodySize += uint64(len(body.Payload)) +} + +// Marshal converts message into bytes to store into db +func (m *Message) Marshal(protoVersion string) (data []byte, err error) { + buffer := emptyMessageBufferPool.Get() + defer emptyMessageBufferPool.Put(buffer) + + if err = WriteLonglong(buffer, m.ID); err != nil { + return nil, err + } + + if err = WriteContentHeader(buffer, m.Header, protoVersion); err != nil { + return nil, err + } + if err = WriteShortstr(buffer, m.Exchange); err != nil { + return nil, err + } + if err = WriteShortstr(buffer, m.RoutingKey); err != nil { + return nil, err + } + + for _, frame := range m.Body { + if err = WriteFrame(buffer, frame); err != nil { + return nil, err + } + } + + data = make([]byte, buffer.Len()) + copy(data, buffer.Bytes()) + return +} + +// Unmarshal restore message entity from bytes +func (m *Message) Unmarshal(buffer []byte, protoVersion string) (err error) { + reader := bytes.NewReader(buffer) + if m.ID, err = ReadLonglong(reader); err != nil { + return err + } + + if m.Header, err = ReadContentHeader(reader, protoVersion); err != nil { + return err + } + if m.Exchange, err = ReadShortstr(reader); err != nil { + return err + } + if m.RoutingKey, err = ReadShortstr(reader); err != nil { + return err + } + + for m.BodySize < m.Header.BodySize { + body, errFrame := ReadFrame(reader) + if errFrame != nil { + return errFrame + } + m.Append(body) + } + + return nil +} + +// Constants to detect connection or channel error thrown +const ( + ErrorOnConnection = iota + ErrorOnChannel +) + +// Error represents AMQP-error data +type Error struct { + ReplyCode uint16 + ReplyText string + ClassID uint16 + MethodID uint16 + ErrorType int +} + +// NewConnectionError returns new connection error. If caused - connection should be closed +func NewConnectionError(code uint16, text string, classID uint16, methodID uint16) *Error { + err := &Error{ + ReplyCode: code, + ReplyText: ConstantsNameMap[code] + " - " + text, + ClassID: classID, + MethodID: methodID, + ErrorType: ErrorOnConnection, + } + + return err +} + +// NewChannelError returns new channel error& If caused - channel should be closed +func NewChannelError(code uint16, text string, classID uint16, methodID uint16) *Error { + err := &Error{ + ReplyCode: code, + ReplyText: ConstantsNameMap[code] + " - " + text, + ClassID: classID, + MethodID: methodID, + ErrorType: ErrorOnChannel, + } + + return err +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/auth/auth.go b/pkg/outputs/amqp/_fixtures/garagemq/auth/auth.go new file mode 100644 index 000000000..97216eb93 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/auth/auth.go @@ -0,0 +1,51 @@ +package auth + +import ( + "bytes" + "crypto/md5" + "encoding/hex" + "errors" +) + +// SaslPlain method +const SaslPlain = "PLAIN" + +// SaslData represents standard SASL properties +type SaslData struct { + Identity string + Username string + Password string +} + +// ParsePlain check and parse SASL-raw data and return SaslData structure +func ParsePlain(response []byte) (SaslData, error) { + parts := bytes.Split(response, []byte{0}) + if len(parts) != 3 { + return SaslData{}, errors.New("Unable to parse PLAIN SALS response") + } + + saslData := SaslData{} + saslData.Identity = string(parts[0]) + saslData.Username = string(parts[1]) + saslData.Password = string(parts[2]) + + return saslData, nil +} + +// HashPassword hash raw password and return hash for check +func HashPassword(password string, isMd5 bool) (string, error) { + h := md5.New() + h.Write([]byte(password)) + return hex.EncodeToString(h.Sum(nil)), nil +} + +// CheckPasswordHash check given password and hash +func CheckPasswordHash(password, hash string, isMd5 bool) bool { + + h := md5.New() + // digest.Write never return any error, so skip error ckeck + h.Write([]byte(password)) + + return hash == hex.EncodeToString(h.Sum(nil)) + +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/binding/binding.go b/pkg/outputs/amqp/_fixtures/garagemq/binding/binding.go new file mode 100644 index 000000000..9236d326a --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/binding/binding.go @@ -0,0 +1,311 @@ +package binding + +import ( + "bytes" + "fmt" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/amqp" + "reflect" + "regexp" + "strings" +) + +// MatchType is the x-match attribute in a binding argument table +type MatchType int + +const ( + // MatchAll requires all registered arguments to match for routing + MatchAll MatchType = iota + // MatchAny requires any registered arguments to match for routing + MatchAny +) + +// Binding represents AMQP-binding +type Binding struct { + Queue string + Exchange string + RoutingKey string + Arguments *amqp.Table + regexp *regexp.Regexp + topic bool + MatchType MatchType +} + +// NewBinding returns new instance of Binding +func NewBinding(queue string, exchange string, routingKey string, arguments *amqp.Table, topic bool) (*Binding, error) { + binding := &Binding{ + Queue: queue, + Exchange: exchange, + RoutingKey: routingKey, + Arguments: arguments, + topic: topic, + } + + if topic { + var err error + if binding.regexp, err = buildRegexp(routingKey); err != nil { + return nil, fmt.Errorf("bad topic routing key %s -- %s", + routingKey, + err.Error()) + } + } + + if arguments == nil { + return binding, nil + } + + // @spec-note AMQP 0.9.1 + // + // Any field starting with 'x-' other than 'x-match' is + // reserved for future use and will be ignored. + // + // * 'all' implies that all the other pairs must match the headers + // property of a message for that message to be routed (i.e. and AND match) + // * 'any' implies that the message should be routed if any of the + // fields in the headers property match one of the fields in the + // arguments table (i.e. an OR match) + // + // We arbitrarily choose `all` as the default if none was provided + // at binding time. + xmatch, ok := (*arguments)["x-match"] + if ok { + if xmatch == "all" { + binding.MatchType = MatchAll + } else if xmatch == "any" { + binding.MatchType = MatchAny + } else { + return nil, fmt.Errorf("Invalid x-match field value %s, expected all or any", + xmatch) + } + } else { + binding.MatchType = MatchAll + } + + return binding, nil +} + +// @todo may be better will be trie or dfa than regexp +// @see http://www.rabbitmq.com/blog/2010/09/14/very-fast-and-scalable-topic-routing-part-1/ +// @see http://www.rabbitmq.com/blog/2011/03/28/very-fast-and-scalable-topic-routing-part-2/ +// +// buildRegexp generate regexp from topic-match string +func buildRegexp(routingKey string) (*regexp.Regexp, error) { + routingKey = strings.TrimSpace(routingKey) + routingParts := strings.Split(routingKey, ".") + + for idx, routingPart := range routingParts { + if routingPart == "*" { + routingParts[idx] = "*" + } else if routingPart == "#" { + routingParts[idx] = "#" + } else { + routingParts[idx] = regexp.QuoteMeta(routingPart) + } + } + + routingKey = strings.Join(routingParts, "\\.") + routingKey = strings.Replace(routingKey, "*", `([^\.]+)`, -1) + + for strings.HasPrefix(routingKey, "#\\.") { + routingKey = strings.TrimPrefix(routingKey, "#\\.") + if strings.HasPrefix(routingKey, "#\\.") { + continue + } + routingKey = `(.*\.?)+` + routingKey + } + + for strings.HasSuffix(routingKey, "\\.#") { + routingKey = strings.TrimSuffix(routingKey, "\\.#") + if strings.HasSuffix(routingKey, "\\.#") { + continue + } + routingKey = routingKey + `(.*\.?)+` + } + routingKey = strings.Replace(routingKey, "\\.#\\.", `(.*\.?)+`, -1) + routingKey = strings.Replace(routingKey, "#", `(.*\.?)+`, -1) + pattern := "^" + routingKey + "$" + + return regexp.Compile(pattern) +} + +// MatchDirect check is message can be routed from direct-exchange to queue +// with compare exchange and routing key +func (b *Binding) MatchDirect(exchange string, routingKey string) bool { + return b.Exchange == exchange && b.RoutingKey == routingKey +} + +// MatchFanout check is message can be routed from fanout-exchange to queue +// with compare only exchange +func (b *Binding) MatchFanout(exchange string) bool { + return b.Exchange == exchange +} + +// MatchTopic check is message can be routed from topic-exchange to queue +// with compare exchange and match topic-pattern with routing key +func (b *Binding) MatchTopic(exchange string, routingKey string) bool { + return b.Exchange == exchange && b.regexp.MatchString(routingKey) +} + +// MatchHeader checks whether the message can be routed on `b` for a +// header exchange type. +func (b *Binding) MatchHeader(exchange string, headers *amqp.Table) bool { + if b.Exchange != exchange { + return false + } + + // If no arguments were declared by the exchange, + // consider it is an always true route. + if b.Arguments == nil { + return true + } + + if headers == nil { + return false + } + + bindingArgTable := *b.Arguments + cliHeaders := *headers + + matchType := b.MatchType + + // Fallback solution for the x-match any case, and no other + // argument in the table + // + // If no match is found in the loop, and arguments other than + // x-match were specified, it should not return a positive + // value in the end. + hasNonXArgs := false + + for key, value := range bindingArgTable { + // Any field starting with 'x-' shall be ignored + if strings.HasPrefix(key, "x-") { + continue + } + + hasNonXArgs = true + + val, ok := cliHeaders[key] + + if !ok { + if matchType == MatchAll { + return false + } + continue + } + + // @spec-note AMQP 0.9.1 + // + // A message queue is bound to the exchange with a table of + // arguments containing the headers to be matched for that + // binding and optionally the values they should hold + if value == nil { + if matchType == MatchAny { + return true + } + continue + } + + if value == val { + if matchType == MatchAny { + return true + } + continue + } + + if matchType == MatchAll { + return false + } + } + + return matchType == MatchAll || + !hasNonXArgs && matchType == MatchAny +} + +// GetExchange returns binding's exchange +func (b *Binding) GetExchange() string { + return b.Exchange +} + +// GetRoutingKey returns binding's routing key +func (b *Binding) GetRoutingKey() string { + return b.RoutingKey +} + +// GetQueue returns binding's queue +func (b *Binding) GetQueue() string { + return b.Queue +} + +// Equal returns is given binding equal to current +// with compare exchange, routing key and queue +func (b *Binding) Equal(bind *Binding) bool { + return b.Exchange == bind.GetExchange() && + b.Queue == bind.GetQueue() && + b.RoutingKey == bind.GetRoutingKey() && + reflect.DeepEqual(b.Arguments, bind.Arguments) +} + +// GetName generate binding name by concatenating its params +func (b *Binding) GetName() string { + return strings.Join( + []string{b.Queue, b.Exchange, b.RoutingKey}, + "_", + ) +} + +// Marshal returns raw representation of binding to store into storage +func (b *Binding) Marshal(protoVersion string) (data []byte, err error) { + buf := bytes.NewBuffer(make([]byte, 0)) + if err = amqp.WriteShortstr(buf, b.Queue); err != nil { + return nil, err + } + if err = amqp.WriteShortstr(buf, b.Exchange); err != nil { + return nil, err + } + if err = amqp.WriteShortstr(buf, b.RoutingKey); err != nil { + return nil, err + } + // Since marshalling is used for storage only, we can + // simplify the Marshal/Unmarshal of arguments by + // writing them in Rabbit format, and reading them as such + if err = amqp.WriteTable(buf, b.Arguments, protoVersion); err != nil { + return nil, err + } + var topic byte + if b.topic { + topic = 1 + } + if err = amqp.WriteOctet(buf, topic); err != nil { + return nil, err + } + return buf.Bytes(), nil +} + +// Unmarshal returns binding from storage raw bytes data +func (b *Binding) Unmarshal(data []byte, protoVersion string) (err error) { + buf := bytes.NewReader(data) + if b.Queue, err = amqp.ReadShortstr(buf); err != nil { + return err + } + if b.Exchange, err = amqp.ReadShortstr(buf); err != nil { + return err + } + if b.RoutingKey, err = amqp.ReadShortstr(buf); err != nil { + return err + } + if b.Arguments, err = amqp.ReadTable(buf, protoVersion); err != nil { + return err + } + var topic byte + if topic, err = amqp.ReadOctet(buf); err != nil { + return err + } + b.topic = topic == 1 + + if b.topic { + if b.regexp, err = buildRegexp(b.RoutingKey); err != nil { + return err + } + } + + return +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/config/config.go b/pkg/outputs/amqp/_fixtures/garagemq/config/config.go new file mode 100644 index 000000000..3f232a216 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/config/config.go @@ -0,0 +1,89 @@ +package config + +import ( + "io/ioutil" + + "gopkg.in/yaml.v2" +) + +// Config represents server changeable se +type Config struct { + Proto string + Users []User + TCP TCPConfig + Queue Queue + Db Db + Vhost Vhost + Security Security + Connection Connection + Admin AdminConfig +} + +// User for auth check +type User struct { + Username string + Password string +} + +// TCPConfig represents properties for tune network connections +type TCPConfig struct { + IP string `yaml:"ip"` + Port string + Nodelay bool + ReadBufSize int `yaml:"readBufSize"` + WriteBufSize int `yaml:"writeBufSize"` +} + +// AdminConfig represents properties for admin server +type AdminConfig struct { + IP string `yaml:"ip"` + Port string +} + +// Queue settings +type Queue struct { + ShardSize int `yaml:"shardSize"` + MaxMessagesInRAM uint64 `yaml:"maxMessagesInRam"` +} + +// Db settings, such as path to load/save and engine +type Db struct { + DefaultPath string `yaml:"defaultPath"` + Engine string `yaml:"engine"` +} + +// Vhost settings +type Vhost struct { + DefaultPath string `yaml:"defaultPath"` +} + +// Security settings +type Security struct { + PasswordCheck string `yaml:"passwordCheck"` +} + +// Connection settings for AMQP-connection +type Connection struct { + ChannelsMax uint16 `yaml:"channelsMax"` + FrameMaxSize uint32 `yaml:"frameMaxSize"` +} + +// CreateFromFile creates config from file +func CreateFromFile(path string) (*Config, error) { + cfg := &Config{} + file, err := ioutil.ReadFile(path) + if err != nil { + return nil, err + } + err = yaml.Unmarshal(file, &cfg) + if err != nil { + return nil, err + } + + return cfg, nil +} + +// CreateDefault creates config from default values +func CreateDefault() (*Config, error) { + return Default(), nil +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/config/default.go b/pkg/outputs/amqp/_fixtures/garagemq/config/default.go new file mode 100644 index 000000000..6a85930da --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/config/default.go @@ -0,0 +1,47 @@ +package config + +const ( + dbBuntDB = "buntdb" + dbBadger = "badger" +) + +func Default() *Config { + return &Config{ + Proto: "amqp-rabbit", + Users: []User{ + { + Username: "guest", + Password: "084e0343a0486ff05530df6c705c8bb4", // guest md5 hash + }, + }, + TCP: TCPConfig{ + IP: "0.0.0.0", + Port: "5672", + Nodelay: false, + ReadBufSize: 128 << 10, // 128Kb + WriteBufSize: 128 << 10, // 128Kb + }, + Admin: AdminConfig{ + IP: "0.0.0.0", + Port: "15672", + }, + Queue: Queue{ + ShardSize: 8 << 10, // 8k + MaxMessagesInRAM: 10 * 8 << 10, // 10 buckets + }, + Db: Db{ + DefaultPath: "db", + Engine: dbBadger, + }, + Vhost: Vhost{ + DefaultPath: "/", + }, + Security: Security{ + PasswordCheck: "md5", + }, + Connection: Connection{ + ChannelsMax: 4096, + FrameMaxSize: 65536, + }, + } +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/consumer/consumer.go b/pkg/outputs/amqp/_fixtures/garagemq/consumer/consumer.go new file mode 100644 index 000000000..68a8a4b58 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/consumer/consumer.go @@ -0,0 +1,171 @@ +package consumer + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/amqp" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/interfaces" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/qos" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/queue" + "sync" + "sync/atomic" + "time" +) + +const ( + started = iota + stopped + paused +) + +var cid uint64 + +// Consumer implements AMQP consumer +type Consumer struct { + ID uint64 + Queue string + ConsumerTag string + noAck bool + channel interfaces.Channel + queue *queue.Queue + statusLock sync.RWMutex + status int + qos []*qos.AmqpQos + consume chan struct{} +} + +// NewConsumer returns new instance of Consumer +func NewConsumer(queueName string, consumerTag string, noAck bool, channel interfaces.Channel, queue *queue.Queue, qos []*qos.AmqpQos) *Consumer { + id := atomic.AddUint64(&cid, 1) + if consumerTag == "" { + consumerTag = generateTag(id) + } + return &Consumer{ + ID: id, + Queue: queueName, + ConsumerTag: consumerTag, + noAck: noAck, + channel: channel, + queue: queue, + qos: qos, + consume: make(chan struct{}, 1), + } +} + +func generateTag(id uint64) string { + return fmt.Sprintf("%d_%d", time.Now().Unix(), id) +} + +// Start starting consumer to fetch messages from queue +func (consumer *Consumer) Start() { + consumer.status = started + go consumer.startConsume() + consumer.Consume() +} + +// startConsume waiting a signal from consume channel and try to pop message from queue +// if not set noAck consumer pop message with qos rules and add message to unacked message queue +func (consumer *Consumer) startConsume() { + for range consumer.consume { + consumer.retrieveAndSendMessage() + } +} + +func (consumer *Consumer) retrieveAndSendMessage() { + var message *amqp.Message + consumer.statusLock.RLock() + defer consumer.statusLock.RUnlock() + if consumer.status == stopped { + return + } + + if consumer.noAck { + message = consumer.queue.Pop() + } else { + message = consumer.queue.PopQos(consumer.qos) + } + + if message == nil { + return + } + + dTag := consumer.channel.NextDeliveryTag() + if !consumer.noAck { + consumer.channel.AddUnackedMessage(dTag, consumer.ConsumerTag, consumer.queue.GetName(), message) + } + + consumer.channel.SendContent(&amqp.BasicDeliver{ + ConsumerTag: consumer.ConsumerTag, + DeliveryTag: dTag, + Redelivered: message.DeliveryCount > 1, + Exchange: message.Exchange, + RoutingKey: message.RoutingKey, + }, message) + + consumer.consumeMsg() + + return +} + +// Pause pause consumer, used by channel.flow change +func (consumer *Consumer) Pause() { + consumer.statusLock.Lock() + defer consumer.statusLock.Unlock() + consumer.status = paused +} + +// UnPause unpause consumer, used by channel.flow change +func (consumer *Consumer) UnPause() { + consumer.statusLock.Lock() + defer consumer.statusLock.Unlock() + consumer.status = started +} + +// Consume send signal into consumer channel, than consumer can try to pop message from queue +func (consumer *Consumer) Consume() bool { + consumer.statusLock.RLock() + defer consumer.statusLock.RUnlock() + + return consumer.consumeMsg() +} + +func (consumer *Consumer) consumeMsg() bool { + if consumer.status == stopped || consumer.status == paused { + return false + } + + select { + case consumer.consume <- struct{}{}: + return true + default: + return false + } +} + +// Stop stops consumer and remove it from queue consumers list +func (consumer *Consumer) Stop() { + consumer.statusLock.Lock() + if consumer.status == stopped { + consumer.statusLock.Unlock() + return + } + consumer.status = stopped + consumer.statusLock.Unlock() + consumer.queue.RemoveConsumer(consumer.ConsumerTag) + close(consumer.consume) +} + +// Cancel stops consumer and send basic.cancel method to the client +func (consumer *Consumer) Cancel() { + consumer.Stop() + consumer.channel.SendMethod(&amqp.BasicCancel{ConsumerTag: consumer.ConsumerTag, NoWait: true}) +} + +// Tag returns consumer tag +func (consumer *Consumer) Tag() string { + return consumer.ConsumerTag +} + +// Qos returns consumer qos rules +func (consumer *Consumer) Qos() []*qos.AmqpQos { + return consumer.qos +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/exchange/exchange.go b/pkg/outputs/amqp/_fixtures/garagemq/exchange/exchange.go new file mode 100644 index 000000000..ee412d478 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/exchange/exchange.go @@ -0,0 +1,270 @@ +package exchange + +import ( + "bytes" + "fmt" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/amqp" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/binding" + "sync" +) + +// available exchange types +const ( + ExTypeDirect = iota + 1 + ExTypeFanout + ExTypeTopic + ExTypeHeaders +) + +var exchangeTypeIDAliasMap = map[byte]string{ + ExTypeDirect: "direct", + ExTypeFanout: "fanout", + ExTypeTopic: "topic", + ExTypeHeaders: "headers", +} + +var exchangeTypeAliasIDMap = map[string]byte{ + "direct": ExTypeDirect, + "fanout": ExTypeFanout, + "topic": ExTypeTopic, + "headers": ExTypeHeaders, +} + +// MetricsState implements exchange's metrics state +type MetricsState struct { +} + +// Exchange implements AMQP-exchange +type Exchange struct { + Name string + exType byte + durable bool + autoDelete bool + internal bool + system bool + bindLock sync.Mutex + bindings []*binding.Binding +} + +// NewExchange returns new instance of Exchange +func NewExchange(name string, exType byte, durable bool, autoDelete bool, internal bool, system bool) *Exchange { + return &Exchange{ + Name: name, + exType: exType, + durable: durable, + autoDelete: autoDelete, + internal: internal, + system: system, + } +} + +// GetExchangeTypeAlias returns exchange type alias by id +func GetExchangeTypeAlias(id byte) (alias string, err error) { + if alias, ok := exchangeTypeIDAliasMap[id]; ok { + return alias, nil + } + return "", fmt.Errorf("undefined exchange type '%d'", id) +} + +// GetExchangeTypeID returns exchange type id by alias +func GetExchangeTypeID(alias string) (id byte, err error) { + if id, ok := exchangeTypeAliasIDMap[alias]; ok { + return id, nil + } + return 0, fmt.Errorf("undefined exchange alias '%s'", alias) +} + +// GetTypeAlias returns exchange type alias by id +func (ex *Exchange) GetTypeAlias() string { + alias, _ := GetExchangeTypeAlias(ex.exType) + + return alias +} + +// AppendBinding check and append binding +// method check if binding already exists and ignore it +func (ex *Exchange) AppendBinding(newBind *binding.Binding) { + ex.bindLock.Lock() + defer ex.bindLock.Unlock() + + // @spec-note + // A server MUST allow ignore duplicate bindings ­ that is, two or more bind methods for a specific queue, + // with identical arguments ­ without treating these as an error. + for _, bind := range ex.bindings { + if bind.Equal(newBind) { + return + } + } + ex.bindings = append(ex.bindings, newBind) +} + +// RemoveBinding remove binding +func (ex *Exchange) RemoveBinding(rmBind *binding.Binding) { + ex.bindLock.Lock() + defer ex.bindLock.Unlock() + for i, bind := range ex.bindings { + if bind.Equal(rmBind) { + ex.bindings = append(ex.bindings[:i], ex.bindings[i+1:]...) + return + } + } +} + +// RemoveQueueBindings remove bindings for queue and return removed bindings +func (ex *Exchange) RemoveQueueBindings(queueName string) []*binding.Binding { + var newBindings []*binding.Binding + var removedBindings []*binding.Binding + ex.bindLock.Lock() + defer ex.bindLock.Unlock() + for _, bind := range ex.bindings { + if bind.GetQueue() != queueName { + newBindings = append(newBindings, bind) + } else { + removedBindings = append(removedBindings, bind) + } + } + + ex.bindings = newBindings + return removedBindings +} + +// GetMatchedQueues returns queues matched for message routing key +func (ex *Exchange) GetMatchedQueues(message *amqp.Message) (matchedQueues map[string]bool) { + // @spec-note + // The server MUST implement these standard exchange types: fanout, direct. + // The server SHOULD implement these standard exchange types: topic, headers. + + // TODO implement "headers" exchange + matchedQueues = make(map[string]bool) + switch ex.exType { + case ExTypeDirect: + for _, bind := range ex.bindings { + if bind.MatchDirect(message.Exchange, message.RoutingKey) { + matchedQueues[bind.GetQueue()] = true + return + } + } + case ExTypeFanout: + for _, bind := range ex.bindings { + if bind.MatchFanout(message.Exchange) { + matchedQueues[bind.GetQueue()] = true + } + } + case ExTypeTopic: + for _, bind := range ex.bindings { + if bind.MatchTopic(message.Exchange, message.RoutingKey) { + matchedQueues[bind.GetQueue()] = true + } + } + case ExTypeHeaders: + if message.Header == nil { + return + } + props := message.Header.PropertyList + if props == nil { + return + } + header := props.Headers + for _, bind := range ex.bindings { + if bind.MatchHeader(message.Exchange, header) { + matchedQueues[bind.GetQueue()] = true + } + } + } + return +} + +// EqualWithErr returns is given exchange equal to current +func (ex *Exchange) EqualWithErr(exB *Exchange) error { + errTemplate := "inequivalent arg '%s' for exchange '%s': received '%s' but current is '%s'" + if ex.exType != exB.ExType() { + aliasA, err := GetExchangeTypeAlias(ex.exType) + if err != nil { + return err + } + aliasB, err := GetExchangeTypeAlias(exB.ExType()) + if err != nil { + return err + } + return fmt.Errorf( + errTemplate, + "type", + ex.Name, + aliasB, + aliasA, + ) + } + if ex.durable != exB.IsDurable() { + return fmt.Errorf(errTemplate, "durable", ex.Name, exB.IsDurable(), ex.durable) + } + if ex.autoDelete != exB.IsAutoDelete() { + return fmt.Errorf(errTemplate, "autoDelete", ex.Name, exB.IsAutoDelete(), ex.autoDelete) + } + if ex.internal != exB.IsInternal() { + return fmt.Errorf(errTemplate, "internal", ex.Name, exB.IsInternal(), ex.internal) + } + return nil +} + +// GetBindings returns exchange's bindings +func (ex *Exchange) GetBindings() []*binding.Binding { + ex.bindLock.Lock() + defer ex.bindLock.Unlock() + return ex.bindings +} + +// IsDurable returns is exchange durable +func (ex *Exchange) IsDurable() bool { + return ex.durable +} + +// IsSystem returns is exchange system +func (ex *Exchange) IsSystem() bool { + return ex.system +} + +// IsAutoDelete returns should be exchange deleted when all queues have finished using it +func (ex *Exchange) IsAutoDelete() bool { + return ex.autoDelete +} + +// IsInternal returns that the exchange may not be used directly by publishers, +// but only when bound to other exchanges +func (ex *Exchange) IsInternal() bool { + return ex.internal +} + +// Marshal returns raw representation of exchange to store into storage +func (ex *Exchange) Marshal(protoVersion string) (data []byte, err error) { + buf := bytes.NewBuffer(make([]byte, 0)) + if err = amqp.WriteShortstr(buf, ex.Name); err != nil { + return nil, err + } + if err = amqp.WriteOctet(buf, ex.exType); err != nil { + return nil, err + } + return buf.Bytes(), nil +} + +// Unmarshal returns exchange from storage raw bytes data +func (ex *Exchange) Unmarshal(data []byte) (err error) { + buf := bytes.NewReader(data) + if ex.Name, err = amqp.ReadShortstr(buf); err != nil { + return err + } + if ex.exType, err = amqp.ReadOctet(buf); err != nil { + return err + } + ex.durable = true + return +} + +// GetName returns exchange name +func (ex *Exchange) GetName() string { + return ex.Name +} + +// ExType returns exchange type +func (ex *Exchange) ExType() byte { + return ex.exType +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/interfaces/interfaces.go b/pkg/outputs/amqp/_fixtures/garagemq/interfaces/interfaces.go new file mode 100644 index 000000000..b950c93d9 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/interfaces/interfaces.go @@ -0,0 +1,57 @@ +package interfaces + +import ( + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/amqp" +) + +// Channel represents base channel public interface +type Channel interface { + SendContent(method amqp.Method, message *amqp.Message) + SendMethod(method amqp.Method) + NextDeliveryTag() uint64 + AddUnackedMessage(dTag uint64, cTag string, queue string, message *amqp.Message) +} + +// Consumer represents base consumer public interface +type Consumer interface { + Consume() bool + Tag() string + Cancel() +} + +// OpSet identifier for set data into storeage +const OpSet = 1 + +// OpDel identifier for delete data from storage +const OpDel = 2 + +// Operation represents structure to set/del from storage +type Operation struct { + Key string + Value []byte + Op byte +} + +// DbStorage represent base db storage interface +type DbStorage interface { + Set(key string, value []byte) (err error) + Del(key string) (err error) + Get(key string) (value []byte, err error) + Iterate(fn func(key []byte, value []byte)) + IterateByPrefix(prefix []byte, limit uint64, fn func(key []byte, value []byte)) uint64 + IterateByPrefixFrom(prefix []byte, from []byte, limit uint64, fn func(key []byte, value []byte)) uint64 + DeleteByPrefix(prefix []byte) + KeysByPrefixCount(prefix []byte) uint64 + ProcessBatch(batch []*Operation) (err error) + Close() error +} + +// MsgStorage represent interface for messages storage +type MsgStorage interface { + Del(message *amqp.Message, queue string) error + PurgeQueue(queue string) + Add(message *amqp.Message, queue string) error + Update(message *amqp.Message, queue string) error + IterateByQueueFromMsgID(queue string, msgID uint64, limit uint64, fn func(message *amqp.Message)) uint64 + GetQueueLength(queue string) uint64 +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/pool/pool.go b/pkg/outputs/amqp/_fixtures/garagemq/pool/pool.go new file mode 100644 index 000000000..b703cd8a2 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/pool/pool.go @@ -0,0 +1,51 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package pool + +import ( + "bytes" + "sync" +) + +// BufferPool represents a thread safe buffer pool +type BufferPool struct { + sync.Pool +} + +// NewBufferPool returns a new BufferPool +func NewBufferPool(bufferSize int) *BufferPool { + return &BufferPool{ + sync.Pool{ + New: func() interface{} { + return bytes.NewBuffer(make([]byte, 0, bufferSize)) + }, + }, + } +} + +// Get gets a Buffer from the pool +func (bp *BufferPool) Get() *bytes.Buffer { + return bp.Pool.Get().(*bytes.Buffer) +} + +// Put returns the given Buffer to the pool. +func (bp *BufferPool) Put(b *bytes.Buffer) { + b.Reset() + bp.Pool.Put(b) +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/qos/qos.go b/pkg/outputs/amqp/_fixtures/garagemq/qos/qos.go new file mode 100644 index 000000000..9b87b95c8 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/qos/qos.go @@ -0,0 +1,101 @@ +package qos + +import "sync" + +// AmqpQos represents qos system +type AmqpQos struct { + sync.Mutex + prefetchCount uint16 + currentCount uint16 + prefetchSize uint32 + currentSize uint32 +} + +// NewAmqpQos returns new instance of AmqpQos +func NewAmqpQos(prefetchCount uint16, prefetchSize uint32) *AmqpQos { + return &AmqpQos{ + prefetchCount: prefetchCount, + prefetchSize: prefetchSize, + currentCount: 0, + currentSize: 0, + } +} + +// PrefetchCount returns prefetchCount +func (qos *AmqpQos) PrefetchCount() uint16 { + return qos.prefetchCount +} + +// PrefetchSize returns prefetchSize +func (qos *AmqpQos) PrefetchSize() uint32 { + return qos.prefetchSize +} + +// Update set new prefetchCount and prefetchSize +func (qos *AmqpQos) Update(prefetchCount uint16, prefetchSize uint32) { + qos.prefetchCount = prefetchCount + qos.prefetchSize = prefetchSize +} + +// IsActive check is qos rules are active +// both prefetchSize and prefetchCount must be 0 +func (qos *AmqpQos) IsActive() bool { + return qos.prefetchCount != 0 || qos.prefetchSize != 0 +} + +// Inc increment current count and size +// Returns true if increment success +// Returns false if after increment size or count will be more than prefetchCount or prefetchSize +func (qos *AmqpQos) Inc(count uint16, size uint32) bool { + qos.Lock() + defer qos.Unlock() + + newCount := qos.currentCount + count + newSize := qos.currentSize + size + + if (qos.prefetchCount == 0 || newCount <= qos.prefetchCount) && (qos.prefetchSize == 0 || newSize <= qos.prefetchSize) { + qos.currentCount = newCount + qos.currentSize = newSize + return true + } + + return false +} + +// Dec decrement current count and size +func (qos *AmqpQos) Dec(count uint16, size uint32) { + qos.Lock() + defer qos.Unlock() + + if qos.currentCount < count { + qos.currentCount = 0 + } else { + qos.currentCount = qos.currentCount - count + } + + if qos.currentSize < size { + qos.currentSize = 0 + } else { + qos.currentSize = qos.currentSize - size + } +} + +// Release reset current count and size +func (qos *AmqpQos) Release() { + qos.Lock() + defer qos.Unlock() + qos.currentCount = 0 + qos.currentSize = 0 +} + +// Copy safe copy current qos instance to new one +func (qos *AmqpQos) Copy() *AmqpQos { + qos.Lock() + defer qos.Unlock() + return &AmqpQos{ + prefetchCount: qos.prefetchCount, + prefetchSize: qos.prefetchSize, + currentCount: qos.currentCount, + currentSize: qos.currentSize, + } +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/queue/queue.go b/pkg/outputs/amqp/_fixtures/garagemq/queue/queue.go new file mode 100644 index 000000000..cc8c81440 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/queue/queue.go @@ -0,0 +1,529 @@ +package queue + +import ( + "bytes" + "errors" + "fmt" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/amqp" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/config" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/interfaces" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/qos" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/safequeue" + "sync" + "sync/atomic" +) + +// Queue is an implementation of the AMQP-queue entity +type Queue struct { + safequeue.SafeQueue + name string + connID uint64 + exclusive bool + autoDelete bool + durable bool + cmrLock sync.RWMutex + consumers []interfaces.Consumer + consumeExcl bool + call chan struct{} + wasConsumed bool + shardSize int + actLock sync.RWMutex + active bool + // persistent storage + // transient storage + currentConsumer int + autoDeleteQueue chan string + queueLength int64 + + // lock for sync load swapped-messages from disk + loadSwapLock sync.Mutex + maxMessagesInRAM uint64 + lastStoredMsgID uint64 + lastMemMsgID uint64 + swappedToDisk bool + maybeLoadFromStorageCh chan struct{} + wg *sync.WaitGroup +} + +// NewQueue returns new instance of Queue +func NewQueue(name string, connID uint64, exclusive bool, autoDelete bool, durable bool, config config.Queue, msgStorageP interfaces.MsgStorage, msgStorageT interfaces.MsgStorage, autoDeleteQueue chan string) *Queue { + return &Queue{ + SafeQueue: *safequeue.NewSafeQueue(config.ShardSize), + name: name, + connID: connID, + exclusive: exclusive, + autoDelete: autoDelete, + durable: durable, + call: make(chan struct{}, 1), + maybeLoadFromStorageCh: make(chan struct{}, 1), + wasConsumed: false, + active: false, + shardSize: 1, + maxMessagesInRAM: 1500, + currentConsumer: 0, + autoDeleteQueue: autoDeleteQueue, + swappedToDisk: false, + wg: &sync.WaitGroup{}, + } + +} + +// Start starts base queue loop to send events to consumers +// Current consumer to handle message from queue selected by round robin +func (queue *Queue) Start() error { + queue.actLock.Lock() + defer queue.actLock.Unlock() + + if queue.active { + return nil + } + + queue.active = true + queue.wg.Add(1) + go func() { + defer queue.wg.Done() + for range queue.call { + func() { + queue.cmrLock.RLock() + defer queue.cmrLock.RUnlock() + cmrCount := len(queue.consumers) + for i := 0; i < cmrCount; i++ { + if !queue.active { + return + } + queue.currentConsumer = (queue.currentConsumer + 1) % cmrCount + cmr := queue.consumers[queue.currentConsumer] + if cmr.Consume() { + return + } + } + }() + } + }() + + queue.wg.Add(1) + go func() { + defer queue.wg.Done() + for range queue.maybeLoadFromStorageCh { + queue.mayBeLoadFromStorage() + } + }() + + return nil +} + +// Stop stops main queue loop +// After stop no one can send or receive messages from queue +func (queue *Queue) Stop() error { + queue.actLock.Lock() + defer queue.actLock.Unlock() + + queue.active = false + close(queue.maybeLoadFromStorageCh) + close(queue.call) + queue.wg.Wait() + return nil +} + +// GetName returns queue name +func (queue *Queue) GetName() string { + return queue.name +} + +// Push append message into queue tail and put it into message storage +// if queue is durable and message's persistent flag is true +func (queue *Queue) Push(message *amqp.Message) { + queue.actLock.Lock() + defer queue.actLock.Unlock() + + if !queue.active { + return + } + + atomic.AddInt64(&queue.queueLength, 1) + + message.GenerateSeq() + + persisted := false + if queue.durable && message.IsPersistent() { + persisted = true + } else { + if queue.SafeQueue.Length() > queue.maxMessagesInRAM || queue.swappedToDisk { + persisted = true + } + + if message.ConfirmMeta != nil { + message.ConfirmMeta.ActualConfirms++ + } + } + + if persisted && !queue.swappedToDisk && queue.SafeQueue.Length() > queue.maxMessagesInRAM { + queue.swappedToDisk = true + queue.lastStoredMsgID = message.ID + } + + if queue.SafeQueue.Length() <= queue.maxMessagesInRAM && !queue.swappedToDisk { + queue.SafeQueue.Push(message) + queue.lastMemMsgID = message.ID + } + + queue.callConsumers() +} + +// Pop returns message from queue head without QOS check +func (queue *Queue) Pop() *amqp.Message { + return queue.PopQos([]*qos.AmqpQos{}) +} + +// PopQos returns message from queue head with QOS check +func (queue *Queue) PopQos(qosList []*qos.AmqpQos) *amqp.Message { + queue.actLock.RLock() + if !queue.active { + queue.actLock.RUnlock() + return nil + } + queue.actLock.RUnlock() + + select { + case queue.maybeLoadFromStorageCh <- struct{}{}: + default: + } + + queue.SafeQueue.Lock() + var message *amqp.Message + if message = queue.SafeQueue.HeadItem(); message != nil { + allowed := true + for _, q := range qosList { + if !q.IsActive() { + continue + } + if !q.Inc(1, uint32(message.BodySize)) { + allowed = false + break + } + } + + if allowed { + queue.SafeQueue.DirtyPop() + atomic.AddInt64(&queue.queueLength, -1) + } else { + message = nil + } + } + queue.SafeQueue.Unlock() + + return message +} + +func (queue *Queue) mayBeLoadFromStorage() { + swappedToPersistent := true + swappedToTransient := true + + currentLength := queue.SafeQueue.Length() + needle := queue.maxMessagesInRAM - currentLength + + if currentLength >= queue.maxMessagesInRAM/2 || needle <= 0 || !queue.swappedToDisk { + return + } + + pMessages := make([]*amqp.Message, 0, needle) + tMessages := make([]*amqp.Message, 0, needle) + + lastMemMsgID := queue.lastMemMsgID + + var wg sync.WaitGroup + // 2 - search for transient and persistent + wg.Add(2) + + go func() { + wg.Done() + }() + + go func() { + wg.Done() + }() + + wg.Wait() + + sortedMessages := queue.mergeSortedMessageSlices(pMessages, tMessages) + sortedMessageslength := uint64(len(sortedMessages)) + + var pos uint64 + if sortedMessageslength <= needle { + pos = sortedMessageslength + } else { + pos = needle + } + + for _, message := range sortedMessages[0:pos] { + if message.ID == lastMemMsgID { + continue + } + queue.SafeQueue.Push(message) + queue.lastMemMsgID = message.ID + queue.lastStoredMsgID = message.ID + queue.callConsumers() + } + + queue.swappedToDisk = swappedToPersistent || swappedToTransient +} + +func (queue *Queue) mergeSortedMessageSlices(A, B []*amqp.Message) []*amqp.Message { + result := make([]*amqp.Message, len(A)+len(B)) + + idxA, idxB := 0, 0 + + for i := 0; i < len(result); i++ { + if idxA >= len(A) { + result[i] = B[idxB] + idxB++ + continue + } else if idxB >= len(B) { + result[i] = A[idxA] + idxA++ + continue + } + + if A[idxA].ID < B[idxB].ID { + result[i] = A[idxA] + idxA++ + } else { + result[i] = B[idxB] + idxB++ + } + } + + return result +} + +// AckMsg accept ack event for message +func (queue *Queue) AckMsg(message *amqp.Message) { + queue.actLock.RLock() + if !queue.active { + queue.actLock.RUnlock() + return + } + queue.actLock.RUnlock() + + if queue.durable && message.IsPersistent() { + // TODO handle error + } + +} + +// Requeue add message into queue head +func (queue *Queue) Requeue(message *amqp.Message) { + queue.actLock.RLock() + if !queue.active { + queue.actLock.RUnlock() + return + } + queue.actLock.RUnlock() + + message.DeliveryCount++ + queue.SafeQueue.PushHead(message) + if queue.durable && message.IsPersistent() { + // TODO handle error + } + + atomic.AddInt64(&queue.queueLength, 1) + + queue.callConsumers() +} + +// Purge clean queue and message storage for durable queues +func (queue *Queue) Purge() (length uint64) { + queue.SafeQueue.Lock() + defer queue.SafeQueue.Unlock() + length = uint64(atomic.LoadInt64(&queue.queueLength)) + queue.SafeQueue.DirtyPurge() + + if queue.durable { + } + + atomic.StoreInt64(&queue.queueLength, 0) + return +} + +// Delete cancel consumers and delete its messages from storage +func (queue *Queue) Delete(ifUnused bool, ifEmpty bool) (uint64, error) { + queue.actLock.Lock() + queue.cmrLock.Lock() + queue.SafeQueue.Lock() + defer queue.actLock.Unlock() + defer queue.cmrLock.Unlock() + defer queue.SafeQueue.Unlock() + + queue.active = false + + if ifUnused && len(queue.consumers) != 0 { + return 0, errors.New("queue has consumers") + } + + if ifEmpty && queue.SafeQueue.DirtyLength() != 0 { + return 0, errors.New("queue has messages") + } + + queue.cancelConsumers() + length := uint64(atomic.LoadInt64(&queue.queueLength)) + + if queue.durable { + } + + return length, nil +} + +// AddConsumer add consumer to consumer messages with exclusive check +func (queue *Queue) AddConsumer(consumer interfaces.Consumer, exclusive bool) error { + queue.cmrLock.Lock() + defer queue.cmrLock.Unlock() + + if !queue.active { + return fmt.Errorf("queue is not active") + } + queue.wasConsumed = true + + if len(queue.consumers) != 0 && (queue.consumeExcl || exclusive) { + return fmt.Errorf("queue is busy by %d consumers", len(queue.consumers)) + } + + if exclusive { + queue.consumeExcl = true + } + + queue.consumers = append(queue.consumers, consumer) + + queue.callConsumers() + return nil +} + +// RemoveConsumer remove consumer +// If it was last consumer and queue is auto-delete - queue will be removed +func (queue *Queue) RemoveConsumer(cTag string) { + queue.cmrLock.Lock() + defer queue.cmrLock.Unlock() + + for i, cmr := range queue.consumers { + if cmr.Tag() == cTag { + queue.consumers = append(queue.consumers[:i], queue.consumers[i+1:]...) + break + } + } + cmrCount := len(queue.consumers) + if cmrCount == 0 { + queue.currentConsumer = 0 + queue.consumeExcl = false + } else { + queue.currentConsumer = (queue.currentConsumer + 1) % cmrCount + } + + if cmrCount == 0 && queue.wasConsumed && queue.autoDelete { + queue.autoDeleteQueue <- queue.name + } +} + +// Send event to call next consumer, that it can receive next message +func (queue *Queue) callConsumers() { + if !queue.active { + return + } + select { + case queue.call <- struct{}{}: + default: + } +} + +func (queue *Queue) cancelConsumers() { + for _, cmr := range queue.consumers { + cmr.Cancel() + } +} + +// Length returns queue length +func (queue *Queue) Length() uint64 { + return uint64(atomic.LoadInt64(&queue.queueLength)) +} + +// ConsumersCount returns consumers count +func (queue *Queue) ConsumersCount() int { + queue.cmrLock.RLock() + defer queue.cmrLock.RUnlock() + return len(queue.consumers) +} + +// EqualWithErr returns is given queue equal to current +func (queue *Queue) EqualWithErr(qB *Queue) error { + errTemplate := "inequivalent arg '%s' for queue '%s': received '%t' but current is '%t'" + if queue.durable != qB.IsDurable() { + return fmt.Errorf(errTemplate, "durable", queue.name, qB.IsDurable(), queue.durable) + } + if queue.autoDelete != qB.autoDelete { + return fmt.Errorf(errTemplate, "autoDelete", queue.name, qB.autoDelete, queue.autoDelete) + } + if queue.exclusive != qB.IsExclusive() { + return fmt.Errorf(errTemplate, "exclusive", queue.name, qB.IsExclusive(), queue.exclusive) + } + return nil +} + +// Marshal returns raw representation of queue to store into storage +func (queue *Queue) Marshal(protoVersion string) (data []byte, err error) { + buf := bytes.NewBuffer(make([]byte, 0)) + if err = amqp.WriteShortstr(buf, queue.name); err != nil { + return nil, err + } + + var autoDelete byte + if queue.autoDelete { + autoDelete = 1 + } else { + autoDelete = 0 + } + + if err = amqp.WriteOctet(buf, autoDelete); err != nil { + return nil, err + } + return buf.Bytes(), nil +} + +// Unmarshal returns queue from storage raw bytes data +func (queue *Queue) Unmarshal(data []byte, protoVersion string) (err error) { + buf := bytes.NewReader(data) + if queue.name, err = amqp.ReadShortstr(buf); err != nil { + return err + } + + var autoDelete byte + + if autoDelete, err = amqp.ReadOctet(buf); err != nil { + return err + } + queue.autoDelete = autoDelete > 0 + queue.durable = true + return +} + +// IsDurable returns is queue durable +func (queue *Queue) IsDurable() bool { + return queue.durable +} + +// IsExclusive returns is queue exclusive +func (queue *Queue) IsExclusive() bool { + return queue.exclusive +} + +// IsAutoDelete returns is queue should be deleted automatically +func (queue *Queue) IsAutoDelete() bool { + return queue.autoDelete +} + +// ConnID returns ID of connection that create this queue +func (queue *Queue) ConnID() uint64 { + return queue.connID +} + +// IsActive returns is queue's main loop is active +func (queue *Queue) IsActive() bool { + return queue.active +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/safequeue/safequeue.go b/pkg/outputs/amqp/_fixtures/garagemq/safequeue/safequeue.go new file mode 100644 index 000000000..31184aa6d --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/safequeue/safequeue.go @@ -0,0 +1,148 @@ +package safequeue + +import ( + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/amqp" + "sync" +) + +// We change item's type from {}interface to *amqp.Message, cause we know that we use safequeue only in AMQP context +// TODO Move safe queue into amqp package + +// SafeQueue represents simple FIFO queue +// TODO Is that implementation faster? test simple slice queue +type SafeQueue struct { + sync.RWMutex + shards [][]*amqp.Message + shardSize int + tailIdx int + tail []*amqp.Message + tailPos int + headIdx int + head []*amqp.Message + headPos int + length uint64 +} + +// NewSafeQueue returns new instance of queue +func NewSafeQueue(shardSize int) *SafeQueue { + queue := &SafeQueue{ + shardSize: shardSize, + shards: [][]*amqp.Message{make([]*amqp.Message, shardSize)}, + } + + queue.tailIdx = 0 + queue.tail = queue.shards[queue.tailIdx] + queue.headIdx = 0 + queue.head = queue.shards[queue.headIdx] + return queue +} + +// Push adds message into queue tail +func (queue *SafeQueue) Push(item *amqp.Message) { + queue.Lock() + defer queue.Unlock() + + queue.tail[queue.tailPos] = item + queue.tailPos++ + queue.length++ + + if queue.tailPos == queue.shardSize { + queue.tailPos = 0 + queue.tailIdx = len(queue.shards) + + buffer := make([][]*amqp.Message, len(queue.shards)+1) + buffer[queue.tailIdx] = make([]*amqp.Message, queue.shardSize) + copy(buffer, queue.shards) + + queue.shards = buffer + queue.tail = queue.shards[queue.tailIdx] + } +} + +// PushHead adds message into queue head +func (queue *SafeQueue) PushHead(item *amqp.Message) { + queue.Lock() + defer queue.Unlock() + + if queue.headPos == 0 { + buffer := make([][]*amqp.Message, len(queue.shards)+1) + copy(buffer[1:], queue.shards) + buffer[queue.headIdx] = make([]*amqp.Message, queue.shardSize) + + queue.shards = buffer + queue.tailIdx++ + queue.headPos = queue.shardSize + queue.tail = queue.shards[queue.tailIdx] + queue.head = queue.shards[queue.headIdx] + } + queue.length++ + queue.headPos-- + queue.head[queue.headPos] = item +} + +// Pop retrieves message from head +func (queue *SafeQueue) Pop() (item *amqp.Message) { + queue.Lock() + item = queue.DirtyPop() + queue.Unlock() + return +} + +// DirtyPop retrieves message from head +// This method is not thread safe +func (queue *SafeQueue) DirtyPop() (item *amqp.Message) { + item, queue.head[queue.headPos] = queue.head[queue.headPos], nil + if item == nil { + return item + } + queue.headPos++ + queue.length-- + if queue.headPos == queue.shardSize { + buffer := make([][]*amqp.Message, len(queue.shards)-1) + copy(buffer, queue.shards[queue.headIdx+1:]) + + queue.shards = buffer + + queue.headPos = 0 + queue.tailIdx-- + queue.head = queue.shards[queue.headIdx] + } + return +} + +// Length returns queue length +func (queue *SafeQueue) Length() uint64 { + queue.RLock() + defer queue.RUnlock() + return queue.length +} + +// DirtyLength returns queue length +// This method is not thread safe +func (queue *SafeQueue) DirtyLength() uint64 { + return queue.length +} + +// HeadItem returns current head message +// This method is not thread safe +func (queue *SafeQueue) HeadItem() (res *amqp.Message) { + return queue.head[queue.headPos] +} + +// DirtyPurge clear queue +// This method is not thread safe +func (queue *SafeQueue) DirtyPurge() { + queue.shards = [][]*amqp.Message{make([]*amqp.Message, queue.shardSize)} + queue.tailIdx = 0 + queue.tail = queue.shards[queue.tailIdx] + queue.headIdx = 0 + queue.head = queue.shards[queue.headIdx] + queue.length = 0 +} + +// Purge clear queue +func (queue *SafeQueue) Purge() { + queue.Lock() + defer queue.Unlock() + queue.DirtyPurge() +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/server/basicMethods.go b/pkg/outputs/amqp/_fixtures/garagemq/server/basicMethods.go new file mode 100644 index 000000000..418f94d52 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/server/basicMethods.go @@ -0,0 +1,130 @@ +package server + +import ( + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/amqp" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/consumer" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/qos" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/queue" +) + +func (channel *Channel) basicRoute(method amqp.Method) *amqp.Error { + switch method := method.(type) { + case *amqp.BasicQos: + return channel.basicQos(method) + case *amqp.BasicPublish: + return channel.basicPublish(method) + case *amqp.BasicConsume: + return channel.basicConsume(method) + case *amqp.BasicAck: + return channel.basicAck(method) + case *amqp.BasicNack: + return channel.basicNack(method) + case *amqp.BasicReject: + return channel.basicReject(method) + case *amqp.BasicCancel: + return channel.basicCancel(method) + case *amqp.BasicGet: + return channel.basicGet(method) + } + + return amqp.NewConnectionError(amqp.NotImplemented, "unable to route basic method "+method.Name(), method.ClassIdentifier(), method.MethodIdentifier()) +} + +func (channel *Channel) basicQos(method *amqp.BasicQos) (err *amqp.Error) { + channel.updateQos(method.PrefetchCount, method.PrefetchSize, method.Global) + channel.SendMethod(&amqp.BasicQosOk{}) + + return nil +} + +func (channel *Channel) basicAck(method *amqp.BasicAck) (err *amqp.Error) { + return channel.handleAck(method) +} + +func (channel *Channel) basicNack(method *amqp.BasicNack) (err *amqp.Error) { + return channel.handleReject(method.DeliveryTag, method.Multiple, method.Requeue, method) +} + +func (channel *Channel) basicReject(method *amqp.BasicReject) (err *amqp.Error) { + return channel.handleReject(method.DeliveryTag, false, method.Requeue, method) +} + +func (channel *Channel) basicPublish(method *amqp.BasicPublish) (err *amqp.Error) { + if method.Immediate { + return amqp.NewChannelError(amqp.NotImplemented, "Immediate = true", method.ClassIdentifier(), method.MethodIdentifier()) + } + + if _, err = channel.getExchangeWithError(method.Exchange, method); err != nil { + return err + } + + channel.currentMessage = amqp.NewMessage(method) + if channel.confirmMode { + channel.currentMessage.ConfirmMeta = &amqp.ConfirmMeta{ + ChanID: channel.id, + ConnID: channel.conn.id, + DeliveryTag: channel.nextConfirmDeliveryTag(), + } + } + return nil +} + +func (channel *Channel) basicConsume(method *amqp.BasicConsume) (err *amqp.Error) { + var cmr *consumer.Consumer + if cmr, err = channel.addConsumer(method); err != nil { + return err + } + + if !method.NoWait { + channel.SendMethod(&amqp.BasicConsumeOk{ConsumerTag: cmr.Tag()}) + } + + cmr.Start() + + return nil +} + +func (channel *Channel) basicCancel(method *amqp.BasicCancel) (err *amqp.Error) { + if _, ok := channel.consumers[method.ConsumerTag]; !ok { + return amqp.NewChannelError(amqp.NotFound, "Consumer not found", method.ClassIdentifier(), method.MethodIdentifier()) + } + channel.removeConsumer(method.ConsumerTag) + channel.SendMethod(&amqp.BasicCancelOk{ConsumerTag: method.ConsumerTag}) + return nil +} + +func (channel *Channel) basicGet(method *amqp.BasicGet) (err *amqp.Error) { + var qu *queue.Queue + var message *amqp.Message + if qu, err = channel.getQueueWithError(method.Queue, method); err != nil { + return err + } + + if method.NoAck { + message = qu.Pop() + } else { + message = qu.PopQos([]*qos.AmqpQos{channel.qos, channel.conn.qos}) + } + + // how to handle if queue is not empty, but qos triggered and message is nil + if message == nil { + channel.SendMethod(&amqp.BasicGetEmpty{}) + return nil + } + + dTag := channel.NextDeliveryTag() + if !method.NoAck { + channel.AddUnackedMessage(dTag, "", qu.GetName(), message) + } else { + } + + channel.SendContent(&amqp.BasicGetOk{ + DeliveryTag: dTag, + Redelivered: false, + Exchange: message.Exchange, + RoutingKey: message.RoutingKey, + MessageCount: 1, + }, message) + + return nil +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/server/channel.go b/pkg/outputs/amqp/_fixtures/garagemq/server/channel.go new file mode 100644 index 000000000..f8ebf6fff --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/server/channel.go @@ -0,0 +1,638 @@ +package server + +import ( + "bytes" + "fmt" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/amqp" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/consumer" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/exchange" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/pool" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/qos" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/queue" + "sort" + "sync" + "sync/atomic" + "time" + + "github.com/sirupsen/logrus" + log "github.com/sirupsen/logrus" +) + +const ( + channelNew = iota + channelOpen + channelClosing + channelClosed + channelDelete +) + +// Channel is an implementation of the AMQP-channel entity +// Within a single socket connection, there can be multiple +// independent threads of control, called "channels" +type Channel struct { + active bool + confirmMode bool + id uint16 + conn *Connection + server *Server + incoming chan *amqp.Frame + outgoing chan *amqp.Frame + logger *log.Entry + status int + protoVersion string + currentMessage *amqp.Message + cmrLock sync.RWMutex + consumers map[string]*consumer.Consumer + qos *qos.AmqpQos + consumerQos *qos.AmqpQos + deliveryTag uint64 + confirmDeliveryTag uint64 + confirmLock sync.Mutex + confirmQueue []*amqp.ConfirmMeta + ackLock sync.Mutex + ackStore map[uint64]*UnackedMessage + + bufferPool *pool.BufferPool + + closeCh chan bool +} + +// UnackedMessage represents the unacknowledged message +type UnackedMessage struct { + cTag string + msg *amqp.Message + queue string +} + +// NewChannel returns new instance of Channel +func NewChannel(id uint16, conn *Connection) *Channel { + channel := &Channel{ + active: true, + id: id, + conn: conn, + server: conn.server, + // for incoming channel much capacity is good for performance + // but it is difficult to implement processing already queued frames on shutdown or connection close + incoming: make(chan *amqp.Frame, 128), + outgoing: conn.outgoing, + status: channelNew, + protoVersion: conn.server.protoVersion, + consumers: make(map[string]*consumer.Consumer), + qos: qos.NewAmqpQos(0, 0), + consumerQos: qos.NewAmqpQos(0, 0), + ackStore: make(map[uint64]*UnackedMessage), + confirmQueue: make([]*amqp.ConfirmMeta, 0), + closeCh: make(chan bool), + bufferPool: pool.NewBufferPool(0), + } + + channel.logger = log.WithFields(log.Fields{ + "connectionId": conn.id, + "channelId": id, + }) + + return channel +} + +func (channel *Channel) start() { + if channel.id == 0 { + go channel.connectionStart() + } + + go channel.handleIncoming() +} + +func (channel *Channel) handleIncoming() { + buffer := bytes.NewReader([]byte{}) + + // TODO + // @spec-note + // After sending channel.close, any received methods except Close and Close­OK MUST be discarded. + // The response to receiving a Close after sending Close must be to send Close­Ok. + for { + select { + case <-channel.closeCh: + channel.close() + return + case frame := <-channel.incoming: + if frame == nil { + // channel.incoming closed by connection + return + } + + switch frame.Type { + case amqp.FrameMethod: + buffer.Reset(frame.Payload) + method, err := amqp.ReadMethod(buffer, channel.protoVersion) + channel.logger.Debug("Incoming method <- " + method.Name()) + if err != nil { + channel.logger.WithError(err).Error("Error on handling frame") + channel.sendError(amqp.NewConnectionError(amqp.FrameError, err.Error(), 0, 0)) + } + + if err := channel.handleMethod(method); err != nil { + channel.sendError(err) + } + case amqp.FrameHeader: + if err := channel.handleContentHeader(frame); err != nil { + channel.sendError(err) + } + case amqp.FrameBody: + if err := channel.handleContentBody(frame); err != nil { + channel.sendError(err) + } + } + } + } +} + +func (channel *Channel) sendError(err *amqp.Error) { + channel.logger.Error(err) + switch err.ErrorType { + case amqp.ErrorOnChannel: + channel.status = channelClosing + channel.SendMethod(&amqp.ChannelClose{ + ReplyCode: err.ReplyCode, + ReplyText: err.ReplyText, + ClassID: err.ClassID, + MethodID: err.MethodID, + }) + case amqp.ErrorOnConnection: + ch := channel.conn.getChannel(0) + if ch != nil { + ch.SendMethod(&amqp.ConnectionClose{ + ReplyCode: err.ReplyCode, + ReplyText: err.ReplyText, + ClassID: err.ClassID, + MethodID: err.MethodID, + }) + } + } +} + +func (channel *Channel) handleMethod(method amqp.Method) *amqp.Error { + switch method.ClassIdentifier() { + case amqp.ClassConnection: + return channel.connectionRoute(method) + case amqp.ClassChannel: + return channel.channelRoute(method) + case amqp.ClassBasic: + return channel.basicRoute(method) + case amqp.ClassExchange: + return channel.exchangeRoute(method) + case amqp.ClassQueue: + return channel.queueRoute(method) + case amqp.ClassConfirm: + return channel.confirmRoute(method) + } + + return nil +} + +func (channel *Channel) handleContentHeader(headerFrame *amqp.Frame) *amqp.Error { + reader := bytes.NewReader(headerFrame.Payload) + var err error + if channel.currentMessage == nil { + return amqp.NewConnectionError(amqp.FrameError, "unexpected content header frame", 0, 0) + } + + if channel.currentMessage.Header != nil { + return amqp.NewConnectionError(amqp.FrameError, "unexpected content header frame - header already exists", 0, 0) + } + + if channel.currentMessage.Header, err = amqp.ReadContentHeader(reader, channel.protoVersion); err != nil { + return amqp.NewConnectionError(amqp.FrameError, "error on parsing content header frame", 0, 0) + } + + return nil +} + +func (channel *Channel) handleContentBody(bodyFrame *amqp.Frame) *amqp.Error { + if channel.currentMessage == nil { + return amqp.NewConnectionError(amqp.FrameError, "unexpected content body frame", 0, 0) + } + + if channel.currentMessage.Header == nil { + return amqp.NewConnectionError(amqp.FrameError, "unexpected content body frame - no header yet", 0, 0) + } + + channel.currentMessage.Append(bodyFrame) + + if channel.currentMessage.BodySize < channel.currentMessage.Header.BodySize { + return nil + } + + vhost := channel.conn.GetVirtualHost() + message := channel.currentMessage + ex := vhost.GetExchange(message.Exchange) + if ex == nil { + channel.SendContent( + &amqp.BasicReturn{ReplyCode: amqp.NoRoute, ReplyText: "No route", Exchange: message.Exchange, RoutingKey: message.RoutingKey}, + message, + ) + + channel.addConfirm(message.ConfirmMeta) + + return nil + } + matchedQueues := ex.GetMatchedQueues(message) + + if len(matchedQueues) == 0 { + if message.Mandatory { + channel.SendContent( + &amqp.BasicReturn{ReplyCode: amqp.NoRoute, ReplyText: "No route", Exchange: message.Exchange, RoutingKey: message.RoutingKey}, + message, + ) + } + + channel.addConfirm(message.ConfirmMeta) + + return nil + } + + if channel.confirmMode { + message.ConfirmMeta.ExpectedConfirms = len(matchedQueues) + } + + for queueName := range matchedQueues { + qu := channel.conn.GetVirtualHost().GetQueue(queueName) + if qu == nil { + if message.Mandatory { + channel.SendContent( + &amqp.BasicReturn{ReplyCode: amqp.NoRoute, ReplyText: "No route", Exchange: message.Exchange, RoutingKey: message.RoutingKey}, + message, + ) + } + + channel.addConfirm(message.ConfirmMeta) + + return nil + } + + qu.Push(message) + + if channel.confirmMode && message.ConfirmMeta.CanConfirm() && !message.IsPersistent() { + channel.addConfirm(message.ConfirmMeta) + } + } + return nil +} + +// SendMethod send method to client +// Method will be packed into frame and send to outgoing channel +func (channel *Channel) SendMethod(method amqp.Method) { + var rawMethod = channel.bufferPool.Get() + if err := amqp.WriteMethod(rawMethod, method, channel.server.protoVersion); err != nil { + logrus.WithError(err).Error("Error") + } + + closeAfter := method.ClassIdentifier() == amqp.ClassConnection && method.MethodIdentifier() == amqp.MethodConnectionCloseOk + + channel.logger.Debug("Outgoing -> " + method.Name()) + + payload := make([]byte, rawMethod.Len()) + copy(payload, rawMethod.Bytes()) + channel.bufferPool.Put(rawMethod) + + channel.sendOutgoing(&amqp.Frame{Type: byte(amqp.FrameMethod), ChannelID: channel.id, Payload: payload, CloseAfter: closeAfter, Sync: method.Sync()}) +} + +func (channel *Channel) sendOutgoing(frame *amqp.Frame) { + select { + case <-channel.conn.ctx.Done(): + if channel.id == 0 { + close(channel.outgoing) + } + case channel.outgoing <- frame: + } +} + +// SendContent send message to consumers or returns to publishers +func (channel *Channel) SendContent(method amqp.Method, message *amqp.Message) { + channel.SendMethod(method) + + var rawHeader = channel.bufferPool.Get() + amqp.WriteContentHeader(rawHeader, message.Header, channel.server.protoVersion) + + payload := make([]byte, rawHeader.Len()) + copy(payload, rawHeader.Bytes()) + channel.bufferPool.Put(rawHeader) + + channel.sendOutgoing(&amqp.Frame{Type: byte(amqp.FrameHeader), ChannelID: channel.id, Payload: payload, CloseAfter: false}) + + for _, payload := range message.Body { + payload.ChannelID = channel.id + channel.sendOutgoing(payload) + } + + switch method.(type) { + case *amqp.BasicDeliver: + } +} + +func (channel *Channel) addConfirm(meta *amqp.ConfirmMeta) { + if !channel.confirmMode { + return + } + channel.confirmLock.Lock() + defer channel.confirmLock.Unlock() + + if channel.status == channelClosed { + return + } + channel.confirmQueue = append(channel.confirmQueue, meta) +} + +func (channel *Channel) sendConfirms() { + tick := time.Tick(20 * time.Millisecond) + for range tick { + if channel.status == channelClosed { + return + } + channel.confirmLock.Lock() + currentConfirms := channel.confirmQueue + channel.confirmQueue = make([]*amqp.ConfirmMeta, 0) + channel.confirmLock.Unlock() + + for _, confirm := range currentConfirms { + channel.SendMethod(&amqp.BasicAck{ + DeliveryTag: confirm.DeliveryTag, + Multiple: false, + }) + } + } +} + +func (channel *Channel) addConsumer(method *amqp.BasicConsume) (cmr *consumer.Consumer, err *amqp.Error) { + channel.cmrLock.Lock() + defer channel.cmrLock.Unlock() + + var qu *queue.Queue + if qu, err = channel.getQueueWithError(method.Queue, method); err != nil { + return nil, err + } + + var consumerQos []*qos.AmqpQos + if channel.server.protoVersion == amqp.Proto091 { + consumerQos = []*qos.AmqpQos{channel.qos, channel.conn.qos} + } else { + cmrQos := channel.consumerQos.Copy() + consumerQos = []*qos.AmqpQos{channel.qos, cmrQos} + } + + cmr = consumer.NewConsumer(method.Queue, method.ConsumerTag, method.NoAck, channel, qu, consumerQos) + if _, ok := channel.consumers[cmr.Tag()]; ok { + return nil, amqp.NewChannelError(amqp.NotAllowed, fmt.Sprintf("Consumer with tag '%s' already exists", cmr.Tag()), method.ClassIdentifier(), method.MethodIdentifier()) + } + + if quErr := qu.AddConsumer(cmr, method.Exclusive); quErr != nil { + return nil, amqp.NewChannelError(amqp.AccessRefused, quErr.Error(), method.ClassIdentifier(), method.MethodIdentifier()) + } + channel.consumers[cmr.Tag()] = cmr + + return cmr, nil +} + +func (channel *Channel) removeConsumer(cTag string) { + channel.cmrLock.Lock() + defer channel.cmrLock.Unlock() + if cmr, ok := channel.consumers[cTag]; ok { + cmr.Stop() + delete(channel.consumers, cmr.Tag()) + } +} + +func (channel *Channel) close() { + channel.cmrLock.Lock() + for _, cmr := range channel.consumers { + cmr.Stop() + delete(channel.consumers, cmr.Tag()) + channel.logger.WithFields(log.Fields{ + "consumerTag": cmr.Tag(), + }).Info("Consumer stopped") + } + channel.cmrLock.Unlock() + if channel.id > 0 { + channel.handleReject(0, true, true, &amqp.BasicNack{}) + } + channel.status = channelClosed + channel.logger.Info("Channel closed") +} + +func (channel *Channel) delete() { + channel.closeCh <- true + channel.status = channelDelete +} + +func (channel *Channel) updateQos(prefetchCount uint16, prefetchSize uint32, global bool) { + if channel.server.protoVersion == amqp.Proto091 { + if global { + channel.conn.qos.Update(prefetchCount, prefetchSize) + } else { + channel.qos.Update(prefetchCount, prefetchSize) + } + } else { + if global { + channel.qos.Update(prefetchCount, prefetchSize) + } else { + channel.consumerQos.Update(prefetchCount, prefetchSize) + } + } +} + +func (channel *Channel) GetQos() *qos.AmqpQos { + return channel.qos +} + +// NextDeliveryTag returns next delivery tag for current channel +func (channel *Channel) NextDeliveryTag() uint64 { + return atomic.AddUint64(&channel.deliveryTag, 1) +} + +func (channel *Channel) nextConfirmDeliveryTag() uint64 { + return atomic.AddUint64(&channel.confirmDeliveryTag, 1) +} + +// AddUnackedMessage add message to unacked queue +func (channel *Channel) AddUnackedMessage(dTag uint64, cTag string, queue string, message *amqp.Message) { + channel.ackLock.Lock() + defer channel.ackLock.Unlock() + channel.ackStore[dTag] = &UnackedMessage{ + cTag: cTag, + msg: message, + queue: queue, + } +} + +func (channel *Channel) handleAck(method *amqp.BasicAck) *amqp.Error { + channel.ackLock.Lock() + defer channel.ackLock.Unlock() + var uMsg *UnackedMessage + var msgFound bool + + if method.Multiple { + for tag, uMsg := range channel.ackStore { + if method.DeliveryTag == 0 || tag <= method.DeliveryTag { + channel.ackMsg(uMsg, tag) + } + } + + return nil + } + + if uMsg, msgFound = channel.ackStore[method.DeliveryTag]; !msgFound { + return amqp.NewChannelError(amqp.PreconditionFailed, fmt.Sprintf("Delivery tag [%d] not found", method.DeliveryTag), method.ClassIdentifier(), method.MethodIdentifier()) + } + + channel.ackMsg(uMsg, method.DeliveryTag) + + return nil +} + +func (channel *Channel) ackMsg(unackedMessage *UnackedMessage, deliveryTag uint64) { + delete(channel.ackStore, deliveryTag) + q := channel.conn.GetVirtualHost().GetQueue(unackedMessage.queue) + if q != nil { + q.AckMsg(unackedMessage.msg) + } + + channel.decQosAndConsumerNext(unackedMessage) +} + +func (channel *Channel) handleReject(deliveryTag uint64, multiple bool, requeue bool, method amqp.Method) *amqp.Error { + channel.ackLock.Lock() + defer channel.ackLock.Unlock() + var uMsg *UnackedMessage + var msgFound bool + + if multiple { + deliveryTags := make([]uint64, 0) + for dTag := range channel.ackStore { + deliveryTags = append(deliveryTags, dTag) + } + sort.Slice( + deliveryTags, + func(i, j int) bool { + return deliveryTags[i] > deliveryTags[j] + }, + ) + for _, tag := range deliveryTags { + if deliveryTag == 0 || tag <= deliveryTag { + channel.rejectMsg(channel.ackStore[tag], tag, requeue) + } + } + + return nil + } + + if uMsg, msgFound = channel.ackStore[deliveryTag]; !msgFound { + return amqp.NewChannelError(amqp.PreconditionFailed, fmt.Sprintf("Delivery tag [%d] not found", deliveryTag), method.ClassIdentifier(), method.MethodIdentifier()) + } + + channel.rejectMsg(uMsg, deliveryTag, requeue) + + return nil +} + +func (channel *Channel) rejectMsg(unackedMessage *UnackedMessage, deliveryTag uint64, requeue bool) { + delete(channel.ackStore, deliveryTag) + qu := channel.conn.GetVirtualHost().GetQueue(unackedMessage.queue) + + if qu != nil { + if requeue { + qu.Requeue(unackedMessage.msg) + } else { + qu.AckMsg(unackedMessage.msg) + } + } else { + // TODO When a queue is deleted any pending messages are sent to a dead­letter + } + + channel.decQosAndConsumerNext(unackedMessage) +} + +func (channel *Channel) decQosAndConsumerNext(unackedMessage *UnackedMessage) { + channel.cmrLock.RLock() + if cmr, ok := channel.consumers[unackedMessage.cTag]; ok { + cmr.Consume() + + for _, amqpQos := range cmr.Qos() { + amqpQos.Dec(1, uint32(unackedMessage.msg.BodySize)) + } + } else { + channel.qos.Dec(1, uint32(unackedMessage.msg.BodySize)) + channel.conn.qos.Dec(1, uint32(unackedMessage.msg.BodySize)) + } + channel.cmrLock.RUnlock() +} + +func (channel *Channel) getExchangeWithError(exchangeName string, method amqp.Method) (ex *exchange.Exchange, err *amqp.Error) { + ex = channel.conn.GetVirtualHost().GetExchange(exchangeName) + if ex == nil { + return nil, amqp.NewChannelError( + amqp.NotFound, + fmt.Sprintf("exchange '%s' not found", exchangeName), + method.ClassIdentifier(), + method.MethodIdentifier(), + ) + } + return ex, nil +} + +func (channel *Channel) getQueueWithError(queueName string, method amqp.Method) (queue *queue.Queue, err *amqp.Error) { + qu := channel.conn.GetVirtualHost().GetQueue(queueName) + if qu == nil || !qu.IsActive() { + return nil, amqp.NewChannelError( + amqp.NotFound, + fmt.Sprintf("queue '%s' not found", queueName), + method.ClassIdentifier(), + method.MethodIdentifier(), + ) + } + return qu, nil +} + +func (channel *Channel) checkQueueLockWithError(qu *queue.Queue, method amqp.Method) *amqp.Error { + if qu == nil { + return nil + } + if qu.IsExclusive() && qu.ConnID() != channel.conn.id { + return amqp.NewChannelError( + amqp.ResourceLocked, + fmt.Sprintf("queue '%s' is locked to another connection", qu.GetName()), + method.ClassIdentifier(), + method.MethodIdentifier(), + ) + } + + return nil +} + +func (channel *Channel) isActive() bool { + return channel.active +} + +func (channel *Channel) changeFlow(active bool) { + if channel.active == active { + return + } + channel.active = active + + channel.cmrLock.RLock() + if channel.active { + for _, cmr := range channel.consumers { + cmr.UnPause() + cmr.Consume() + } + } else { + for _, cmr := range channel.consumers { + cmr.Pause() + } + } + channel.cmrLock.RUnlock() +} + +// GetConsumersCount returns consumers count on channel +func (channel *Channel) GetConsumersCount() int { + return len(channel.consumers) +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/server/channelMethods.go b/pkg/outputs/amqp/_fixtures/garagemq/server/channelMethods.go new file mode 100644 index 000000000..86df8c798 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/server/channelMethods.go @@ -0,0 +1,51 @@ +package server + +import ( + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/amqp" +) + +func (channel *Channel) channelRoute(method amqp.Method) *amqp.Error { + switch method := method.(type) { + case *amqp.ChannelOpen: + return channel.channelOpen(method) + case *amqp.ChannelClose: + return channel.channelClose(method) + case *amqp.ChannelCloseOk: + return channel.channelCloseOk(method) + case *amqp.ChannelFlow: + return channel.channelFlow(method) + } + + return amqp.NewConnectionError(amqp.NotImplemented, "unable to route channel method "+method.Name(), method.ClassIdentifier(), method.MethodIdentifier()) +} + +func (channel *Channel) channelOpen(method *amqp.ChannelOpen) (err *amqp.Error) { + // @spec-note + // The client MUST NOT use this method on an already­opened channel. + if channel.status == channelOpen { + return amqp.NewConnectionError(amqp.ChannelError, "channel already open", method.ClassIdentifier(), method.MethodIdentifier()) + } + + channel.SendMethod(&amqp.ChannelOpenOk{}) + channel.status = channelOpen + + return nil +} + +func (channel *Channel) channelClose(method *amqp.ChannelClose) (err *amqp.Error) { + channel.status = channelClosed + channel.SendMethod(&amqp.ChannelCloseOk{}) + channel.close() + return nil +} + +func (channel *Channel) channelCloseOk(method *amqp.ChannelCloseOk) (err *amqp.Error) { + channel.status = channelClosed + return nil +} + +func (channel *Channel) channelFlow(method *amqp.ChannelFlow) (err *amqp.Error) { + channel.changeFlow(method.Active) + channel.SendMethod(&amqp.ChannelFlowOk{Active: method.Active}) + return nil +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/server/confirmMethods.go b/pkg/outputs/amqp/_fixtures/garagemq/server/confirmMethods.go new file mode 100644 index 000000000..73af1a314 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/server/confirmMethods.go @@ -0,0 +1,23 @@ +package server + +import ( + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/amqp" +) + +func (channel *Channel) confirmRoute(method amqp.Method) *amqp.Error { + switch method := method.(type) { + case *amqp.ConfirmSelect: + return channel.confirmSelect(method) + } + + return amqp.NewConnectionError(amqp.NotImplemented, "unable to route channel method "+method.Name(), method.ClassIdentifier(), method.MethodIdentifier()) +} + +func (channel *Channel) confirmSelect(method *amqp.ConfirmSelect) (err *amqp.Error) { + channel.confirmMode = true + go channel.sendConfirms() + if !method.Nowait { + channel.SendMethod(&amqp.ConfirmSelectOk{}) + } + return nil +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/server/connection.go b/pkg/outputs/amqp/_fixtures/garagemq/server/connection.go new file mode 100644 index 000000000..4b92bf0d4 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/server/connection.go @@ -0,0 +1,409 @@ +package server + +import ( + "bufio" + "bytes" + "context" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/amqp" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/qos" + "net" + "sort" + "strings" + "sync" + "sync/atomic" + "time" + + log "github.com/sirupsen/logrus" +) + +// connection status list +const ( + ConnStart = iota + ConnStartOK + ConnSecure + ConnSecureOK + ConnTune + ConnTuneOK + ConnOpen + ConnOpenOK + ConnCloseOK + ConnClosed +) + +// From https://github.com/rabbitmq/rabbitmq-common/blob/master/src/rabbit_writer.erl +// When the amount of protocol method data buffered exceeds +// this threshold, a socket flush is performed. +// +// This magic number is the tcp-over-ethernet MSS (1460) minus the +// minimum size of a AMQP 0-9-1 basic.deliver method frame (24) plus basic +// content header (22). The idea is that we want to flush just before +// exceeding the MSS. +const flushThreshold = 1414 + +// Connection represents AMQP-connection +type Connection struct { + id uint64 + server *Server + netConn *net.TCPConn + logger *log.Entry + channelsLock sync.RWMutex + channels map[uint16]*Channel + outgoing chan *amqp.Frame + clientProperties *amqp.Table + maxChannels uint16 + maxFrameSize uint32 + statusLock sync.RWMutex + status int + qos *qos.AmqpQos + virtualHost *VirtualHost + vhostName string + closeCh chan bool + userName string + + wg *sync.WaitGroup + ctx context.Context + cancelCtx context.CancelFunc + + heartbeatInterval uint16 + heartbeatTimeout uint16 + heartbeatTimer *time.Ticker + + lastOutgoingTS chan time.Time +} + +// NewConnection returns new instance of amqp Connection +func NewConnection(server *Server, netConn *net.TCPConn) (connection *Connection) { + connection = &Connection{ + id: atomic.AddUint64(&server.connSeq, 1), + server: server, + netConn: netConn, + channels: make(map[uint16]*Channel), + outgoing: make(chan *amqp.Frame, 128), + maxChannels: server.config.Connection.ChannelsMax, + maxFrameSize: server.config.Connection.FrameMaxSize, + qos: qos.NewAmqpQos(0, 0), + closeCh: make(chan bool, 2), + wg: &sync.WaitGroup{}, + lastOutgoingTS: make(chan time.Time), + heartbeatInterval: 10, + } + + connection.logger = log.WithFields(log.Fields{ + "connectionId": connection.id, + }) + + return +} + +func (conn *Connection) close() { + conn.statusLock.Lock() + if conn.status == ConnClosed { + conn.statusLock.Unlock() + return + } + + if conn.heartbeatTimer != nil { + conn.heartbeatTimer.Stop() + } + + conn.status = ConnClosed + conn.statusLock.Unlock() + + // @todo should we chech for errors here? And what should we do if error occur + _ = conn.netConn.Close() + + if conn.cancelCtx != nil { + conn.cancelCtx() + } + + conn.wg.Wait() + + // channel0 should we be closed at the end + channelIds := make([]int, 0) + conn.channelsLock.Lock() + for chID := range conn.channels { + channelIds = append(channelIds, int(chID)) + } + sort.Sort(sort.Reverse(sort.IntSlice(channelIds))) + for _, chID := range channelIds { + channel := conn.channels[uint16(chID)] + channel.delete() + delete(conn.channels, uint16(chID)) + } + conn.channelsLock.Unlock() + conn.clearQueues() + + conn.logger.WithFields(log.Fields{ + "vhost": conn.vhostName, + "from": conn.netConn.RemoteAddr(), + }).Info("Connection closed") + conn.server.removeConnection(conn.id) + + conn.closeCh <- true +} + +func (conn *Connection) getChannel(id uint16) *Channel { + conn.channelsLock.Lock() + channel := conn.channels[id] + conn.channelsLock.Unlock() + return channel +} + +func (conn *Connection) safeClose(wg *sync.WaitGroup) { + defer wg.Done() + + ch := conn.getChannel(0) + if ch == nil { + return + } + ch.SendMethod(&amqp.ConnectionClose{ + ReplyCode: amqp.ConnectionForced, + ReplyText: "Server shutdown", + ClassID: 0, + MethodID: 0, + }) + + // let clients proper handle connection closing in 10 sec + timeOut := time.After(10 * time.Second) + + select { + case <-timeOut: + conn.close() + return + case <-conn.closeCh: + return + } +} + +func (conn *Connection) clearQueues() { + virtualHost := conn.GetVirtualHost() + if virtualHost == nil { + // it is possible when conn close before open, for example login failure + return + } + for _, queue := range virtualHost.GetQueues() { + if queue.IsExclusive() && queue.ConnID() == conn.id { + virtualHost.DeleteQueue(queue.GetName(), false, false) + } + } +} + +func (conn *Connection) handleConnection() { + buf := make([]byte, 8) + _, err := conn.netConn.Read(buf) + if err != nil { + conn.logger.WithError(err).WithFields(log.Fields{ + "read buffer": buf, + }).Error("Error on read protocol header") + conn.close() + return + } + + // @spec-note + // If the server cannot support the protocol specified in the protocol header, + // it MUST respond with a valid protocol header and then close the socket connection. + // The client MUST start a new connection by sending a protocol header + if !bytes.Equal(buf, amqp.AmqpHeader) { + conn.logger.WithFields(log.Fields{ + "given": buf, + "supported": amqp.AmqpHeader, + }).Warn("Unsupported protocol") + _, _ = conn.netConn.Write(amqp.AmqpHeader) + conn.close() + return + } + + conn.ctx, conn.cancelCtx = context.WithCancel(context.Background()) + + channel := NewChannel(0, conn) + conn.channelsLock.Lock() + conn.channels[channel.id] = channel + conn.channelsLock.Unlock() + + channel.start() + conn.wg.Add(1) + go conn.handleOutgoing() + conn.wg.Add(1) + go conn.handleIncoming() +} + +func (conn *Connection) handleOutgoing() { + defer func() { + close(conn.lastOutgoingTS) + conn.wg.Done() + conn.close() + }() + + var err error + buffer := bufio.NewWriterSize(conn.netConn, 128<<10) + for { + select { + case <-conn.ctx.Done(): + return + case frame := <-conn.outgoing: + if frame == nil { + return + } + + if err = amqp.WriteFrame(buffer, frame); err != nil && !conn.isClosedError(err) { + conn.logger.WithError(err).Warn("writing frame") + return + } + + if frame.CloseAfter { + if err = buffer.Flush(); err != nil && !conn.isClosedError(err) { + conn.logger.WithError(err).Warn("writing frame") + } + return + } + + if frame.Sync { + if err = buffer.Flush(); err != nil && !conn.isClosedError(err) { + conn.logger.WithError(err).Warn("writing frame") + return + } + } else { + if err = conn.mayBeFlushBuffer(buffer); err != nil && !conn.isClosedError(err) { + conn.logger.WithError(err).Warn("writing frame") + return + } + } + + select { + case conn.lastOutgoingTS <- time.Now(): + default: + } + } + } +} + +func (conn *Connection) mayBeFlushBuffer(buffer *bufio.Writer) (err error) { + if buffer.Buffered() >= flushThreshold { + if err = buffer.Flush(); err != nil { + return err + } + } + + if len(conn.outgoing) == 0 { + // outgoing channel is buffered and we can check is here more messages for store into buffer + // if nothing to store into buffer - we flush + if err = buffer.Flush(); err != nil { + return err + } + } + return +} + +func (conn *Connection) handleIncoming() { + defer func() { + conn.wg.Done() + conn.close() + }() + + buffer := bufio.NewReaderSize(conn.netConn, 128<<10) + + for { + // TODO + // @spec-note + // After sending connection.close , any received methods except Close and Close­OK MUST be discarded. + // The response to receiving a Close after sending Close must be to send Close­Ok. + frame, err := amqp.ReadFrame(buffer) + if err != nil { + if err.Error() != "EOF" && !conn.isClosedError(err) { + conn.logger.WithError(err).Warn("reading frame") + } + return + } + + if conn.status < ConnOpen && frame.ChannelID != 0 { + conn.logger.WithError(err).Error("Frame not allowed for unopened connection") + return + } + + conn.channelsLock.RLock() + channel, ok := conn.channels[frame.ChannelID] + conn.channelsLock.RUnlock() + + if !ok { + channel = NewChannel(frame.ChannelID, conn) + + conn.channelsLock.Lock() + conn.channels[frame.ChannelID] = channel + conn.channelsLock.Unlock() + + channel.start() + } + + if conn.heartbeatTimeout > 0 { + if err = conn.netConn.SetReadDeadline(time.Now().Add(time.Duration(conn.heartbeatTimeout) * time.Second)); err != nil { + conn.logger.WithError(err).Warn("reading frame") + return + } + } + + if frame.Type == amqp.FrameHeartbeat && frame.ChannelID != 0 { + return + } + + select { + case <-conn.ctx.Done(): + close(channel.incoming) + return + case channel.incoming <- frame: + } + } +} + +func (conn *Connection) heartBeater() { + interval := time.Duration(conn.heartbeatInterval) * time.Second + conn.heartbeatTimer = time.NewTicker(interval) + + var ( + ok bool + lastTs = time.Now() + ) + + heartbeatFrame := &amqp.Frame{Type: byte(amqp.FrameHeartbeat), ChannelID: 0, Payload: []byte{}, CloseAfter: false, Sync: true} + + go func() { + for { + select { + case lastTs, ok = <-conn.lastOutgoingTS: + if !ok { + return + } + } + } + }() + + for tickTime := range conn.heartbeatTimer.C { + if tickTime.Sub(lastTs) >= interval-time.Second { + conn.outgoing <- heartbeatFrame + } + } +} + +func (conn *Connection) isClosedError(err error) bool { + // See: https://github.com/golang/go/issues/4373 + return err != nil && strings.Contains(err.Error(), "use of closed network connection") +} + +func (conn *Connection) GetVirtualHost() *VirtualHost { + return conn.virtualHost +} + +func (conn *Connection) GetRemoteAddr() net.Addr { + return conn.netConn.RemoteAddr() +} + +func (conn *Connection) GetChannels() map[uint16]*Channel { + return conn.channels +} + +func (conn *Connection) GetID() uint64 { + return conn.id +} + +func (conn *Connection) GetUsername() string { + return conn.userName +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/server/connectionMethods.go b/pkg/outputs/amqp/_fixtures/garagemq/server/connectionMethods.go new file mode 100644 index 000000000..869bebfd3 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/server/connectionMethods.go @@ -0,0 +1,134 @@ +package server + +import ( + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/amqp" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/auth" + "os" + "runtime" +) + +func (channel *Channel) connectionRoute(method amqp.Method) *amqp.Error { + switch method := method.(type) { + case *amqp.ConnectionStartOk: + return channel.connectionStartOk(method) + case *amqp.ConnectionTuneOk: + return channel.connectionTuneOk(method) + case *amqp.ConnectionOpen: + return channel.connectionOpen(method) + case *amqp.ConnectionClose: + return channel.connectionClose(method) + case *amqp.ConnectionCloseOk: + return channel.connectionCloseOk(method) + } + + return amqp.NewConnectionError(amqp.NotImplemented, "unable to route connection method", method.ClassIdentifier(), method.MethodIdentifier()) +} + +func (channel *Channel) connectionStart() { + var capabilities = amqp.Table{} + capabilities["publisher_confirms"] = true + capabilities["exchange_exchange_bindings"] = false + capabilities["basic.nack"] = true + capabilities["consumer_cancel_notify"] = true + capabilities["connection.blocked"] = false + capabilities["consumer_priorities"] = false + capabilities["authentication_failure_close"] = true + capabilities["per_consumer_qos"] = true + + var serverProps = amqp.Table{} + serverProps["product"] = "garagemq" + serverProps["version"] = "0.1" + serverProps["copyright"] = "Alexander Valinurov, 2018" + serverProps["platform"] = runtime.GOARCH + serverProps["capabilities"] = capabilities + host, err := os.Hostname() + if err != nil { + serverProps["host"] = "UnknownHostError" + } else { + serverProps["host"] = host + } + + var method = amqp.ConnectionStart{VersionMajor: 0, VersionMinor: 9, ServerProperties: &serverProps, Mechanisms: []byte("PLAIN"), Locales: []byte("en_US")} + channel.SendMethod(&method) + + channel.conn.status = ConnStart +} + +func (channel *Channel) connectionStartOk(method *amqp.ConnectionStartOk) *amqp.Error { + channel.conn.status = ConnStartOK + + var saslData auth.SaslData + var err error + if saslData, err = auth.ParsePlain(method.Response); err != nil { + return amqp.NewConnectionError(amqp.NotAllowed, "login failure", method.ClassIdentifier(), method.MethodIdentifier()) + } + + if method.Mechanism != auth.SaslPlain { + channel.conn.close() + } + + if !channel.server.checkAuth(saslData) { + return amqp.NewConnectionError(amqp.NotAllowed, "login failure", method.ClassIdentifier(), method.MethodIdentifier()) + } + channel.conn.userName = saslData.Username + channel.conn.clientProperties = method.ClientProperties + + // @todo Send HeartBeat 0 cause not supported yet + channel.SendMethod(&amqp.ConnectionTune{ + ChannelMax: channel.conn.maxChannels, + FrameMax: channel.conn.maxFrameSize, + Heartbeat: channel.conn.heartbeatInterval, + }) + channel.conn.status = ConnTune + + return nil +} + +func (channel *Channel) connectionTuneOk(method *amqp.ConnectionTuneOk) *amqp.Error { + channel.conn.status = ConnTuneOK + + if method.ChannelMax > channel.conn.maxChannels || method.FrameMax > channel.conn.maxFrameSize { + channel.conn.close() + return nil + } + + channel.conn.maxChannels = method.ChannelMax + channel.conn.maxFrameSize = method.FrameMax + + if method.Heartbeat > 0 { + if method.Heartbeat < channel.conn.heartbeatInterval { + channel.conn.heartbeatInterval = method.Heartbeat + } + channel.conn.heartbeatTimeout = channel.conn.heartbeatInterval * 3 + go channel.conn.heartBeater() + } + + return nil +} + +func (channel *Channel) connectionOpen(method *amqp.ConnectionOpen) *amqp.Error { + channel.conn.status = ConnOpen + var vhostFound bool + if channel.conn.virtualHost, vhostFound = channel.server.vhosts[method.VirtualHost]; !vhostFound { + return amqp.NewConnectionError(amqp.InvalidPath, "virtualHost '"+method.VirtualHost+"' does not exist", method.ClassIdentifier(), method.MethodIdentifier()) + } + + channel.conn.vhostName = method.VirtualHost + + channel.SendMethod(&amqp.ConnectionOpenOk{}) + channel.conn.status = ConnOpenOK + + channel.logger.Info("AMQP connection open") + return nil +} + +func (channel *Channel) connectionClose(method *amqp.ConnectionClose) *amqp.Error { + channel.logger.Infof("Connection closed by client, reason - [%d] %s", method.ReplyCode, method.ReplyText) + channel.SendMethod(&amqp.ConnectionCloseOk{}) + return nil +} + +func (channel *Channel) connectionCloseOk(method *amqp.ConnectionCloseOk) *amqp.Error { + go channel.conn.close() + return nil +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/server/exchangeMethods.go b/pkg/outputs/amqp/_fixtures/garagemq/server/exchangeMethods.go new file mode 100644 index 000000000..89c145e41 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/server/exchangeMethods.go @@ -0,0 +1,97 @@ +package server + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/amqp" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/exchange" + "strings" +) + +func (channel *Channel) exchangeRoute(method amqp.Method) *amqp.Error { + switch method := method.(type) { + case *amqp.ExchangeDeclare: + return channel.exchangeDeclare(method) + case *amqp.ExchangeDelete: + return channel.exchangeDelete(method) + } + + return amqp.NewConnectionError(amqp.NotImplemented, "unable to route queue method "+method.Name(), method.ClassIdentifier(), method.MethodIdentifier()) +} + +func (channel *Channel) exchangeDeclare(method *amqp.ExchangeDeclare) *amqp.Error { + exTypeId, err := exchange.GetExchangeTypeID(method.Type) + if err != nil { + return amqp.NewChannelError(amqp.NotImplemented, err.Error(), method.ClassIdentifier(), method.MethodIdentifier()) + } + + if method.Exchange == "" { + return amqp.NewChannelError( + amqp.CommandInvalid, + "exchange name is required", + method.ClassIdentifier(), + method.MethodIdentifier(), + ) + } + + existingExchange := channel.conn.GetVirtualHost().GetExchange(method.Exchange) + if method.Passive { + if method.NoWait { + return nil + } + + if existingExchange == nil { + return amqp.NewChannelError( + amqp.NotFound, + fmt.Sprintf("exchange '%s' not found", method.Exchange), + method.ClassIdentifier(), + method.MethodIdentifier(), + ) + } + + channel.SendMethod(&amqp.ExchangeDeclareOk{}) + + return nil + } + + if strings.HasPrefix(method.Exchange, "amq.") { + return amqp.NewChannelError( + amqp.AccessRefused, + fmt.Sprintf("exchange name '%s' contains reserved prefix 'amq.*'", method.Exchange), + method.ClassIdentifier(), + method.MethodIdentifier(), + ) + } + + newExchange := exchange.NewExchange( + method.Exchange, + exTypeId, + method.Durable, + method.AutoDelete, + method.Internal, + false, + ) + + if existingExchange != nil { + if err := existingExchange.EqualWithErr(newExchange); err != nil { + return amqp.NewChannelError( + amqp.PreconditionFailed, + err.Error(), + method.ClassIdentifier(), + method.MethodIdentifier(), + ) + } + channel.SendMethod(&amqp.ExchangeDeclareOk{}) + return nil + } + + channel.conn.GetVirtualHost().AppendExchange(newExchange) + if !method.NoWait { + channel.SendMethod(&amqp.ExchangeDeclareOk{}) + } + + return nil +} + +func (channel *Channel) exchangeDelete(method *amqp.ExchangeDelete) *amqp.Error { + return nil +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/server/queueMethods.go b/pkg/outputs/amqp/_fixtures/garagemq/server/queueMethods.go new file mode 100644 index 000000000..682f77a7b --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/server/queueMethods.go @@ -0,0 +1,244 @@ +package server + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/amqp" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/binding" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/exchange" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/queue" +) + +func (channel *Channel) queueRoute(method amqp.Method) *amqp.Error { + switch method := method.(type) { + case *amqp.QueueDeclare: + return channel.queueDeclare(method) + case *amqp.QueueBind: + return channel.queueBind(method) + case *amqp.QueueUnbind: + return channel.queueUnbind(method) + case *amqp.QueuePurge: + return channel.queuePurge(method) + case *amqp.QueueDelete: + return channel.queueDelete(method) + } + + return amqp.NewConnectionError(amqp.NotImplemented, "unable to route queue method "+method.Name(), method.ClassIdentifier(), method.MethodIdentifier()) +} + +func (channel *Channel) queueDeclare(method *amqp.QueueDeclare) *amqp.Error { + var existingQueue *queue.Queue + var notFoundErr, exclusiveErr *amqp.Error + + if method.Queue == "" { + return amqp.NewChannelError( + amqp.CommandInvalid, + "queue name is required", + method.ClassIdentifier(), + method.MethodIdentifier(), + ) + } + + existingQueue, notFoundErr = channel.getQueueWithError(method.Queue, method) + exclusiveErr = channel.checkQueueLockWithError(existingQueue, method) + + if method.Passive { + if method.NoWait { + return nil + } + + if existingQueue == nil { + return notFoundErr + } + + if exclusiveErr != nil { + return exclusiveErr + } + + channel.SendMethod(&amqp.QueueDeclareOk{ + Queue: method.Queue, + MessageCount: uint32(existingQueue.Length()), + ConsumerCount: uint32(existingQueue.ConsumersCount()), + }) + + return nil + } + + newQueue := channel.conn.GetVirtualHost().NewQueue( + method.Queue, + channel.conn.id, + method.Exclusive, + method.AutoDelete, + method.Durable, + channel.server.config.Queue.ShardSize, + ) + + if existingQueue != nil { + if exclusiveErr != nil { + return exclusiveErr + } + + if err := existingQueue.EqualWithErr(newQueue); err != nil { + return amqp.NewChannelError( + amqp.PreconditionFailed, + err.Error(), + method.ClassIdentifier(), + method.MethodIdentifier(), + ) + } + + channel.SendMethod(&amqp.QueueDeclareOk{ + Queue: method.Queue, + MessageCount: uint32(existingQueue.Length()), + ConsumerCount: uint32(existingQueue.ConsumersCount()), + }) + return nil + } + + newQueue.Start() + err := channel.conn.GetVirtualHost().AppendQueue(newQueue) + if err != nil { + return amqp.NewChannelError( + amqp.PreconditionFailed, + err.Error(), + method.ClassIdentifier(), + method.MethodIdentifier(), + ) + } + channel.SendMethod(&amqp.QueueDeclareOk{ + Queue: method.Queue, + MessageCount: 0, + ConsumerCount: 0, + }) + + return nil +} + +func (channel *Channel) queueBind(method *amqp.QueueBind) *amqp.Error { + var ex *exchange.Exchange + var qu *queue.Queue + var err *amqp.Error + + if ex, err = channel.getExchangeWithError(method.Exchange, method); err != nil { + return err + } + + // @spec-note + // The server MUST NOT allow clients to access the default exchange except by specifying an empty exchange name in the Queue.Bind and content Publish methods. + if ex.GetName() == exDefaultName { + return amqp.NewChannelError( + amqp.AccessRefused, + fmt.Sprintf("operation not permitted on the default exchange"), + method.ClassIdentifier(), + method.MethodIdentifier(), + ) + } + + if qu, err = channel.getQueueWithError(method.Queue, method); err != nil { + return err + } + + if err = channel.checkQueueLockWithError(qu, method); err != nil { + return err + } + + bind, bindErr := binding.NewBinding(method.Queue, method.Exchange, + method.RoutingKey, method.Arguments, ex.ExType() == exchange.ExTypeTopic) + if bindErr != nil { + return amqp.NewChannelError( + amqp.PreconditionFailed, + bindErr.Error(), + method.ClassIdentifier(), + method.MethodIdentifier(), + ) + + } + + ex.AppendBinding(bind) + + // @spec-note + // Bindings of durable queues to durable exchanges are automatically durable and the server MUST restore such bindings after a server restart. + if ex.IsDurable() && qu.IsDurable() { + channel.conn.GetVirtualHost().PersistBinding(bind) + } + + if !method.NoWait { + channel.SendMethod(&amqp.QueueBindOk{}) + } + + return nil +} + +func (channel *Channel) queueUnbind(method *amqp.QueueUnbind) *amqp.Error { + var ex *exchange.Exchange + var qu *queue.Queue + var err *amqp.Error + + if ex, err = channel.getExchangeWithError(method.Exchange, method); err != nil { + return err + } + + if qu, err = channel.getQueueWithError(method.Queue, method); err != nil { + return err + } + + if err = channel.checkQueueLockWithError(qu, method); err != nil { + return err + } + + bind, bindErr := binding.NewBinding(method.Queue, method.Exchange, method.RoutingKey, method.Arguments, ex.ExType() == exchange.ExTypeTopic) + + if bindErr != nil { + return amqp.NewConnectionError( + amqp.PreconditionFailed, + bindErr.Error(), + method.ClassIdentifier(), + method.MethodIdentifier(), + ) + } + + ex.RemoveBinding(bind) + channel.conn.GetVirtualHost().RemoveBindings([]*binding.Binding{bind}) + channel.SendMethod(&amqp.QueueUnbindOk{}) + + return nil +} + +func (channel *Channel) queuePurge(method *amqp.QueuePurge) *amqp.Error { + var qu *queue.Queue + var err *amqp.Error + + if qu, err = channel.getQueueWithError(method.Queue, method); err != nil { + return err + } + + if err = channel.checkQueueLockWithError(qu, method); err != nil { + return err + } + + msgCnt := qu.Purge() + if !method.NoWait { + channel.SendMethod(&amqp.QueuePurgeOk{MessageCount: uint32(msgCnt)}) + } + return nil +} + +func (channel *Channel) queueDelete(method *amqp.QueueDelete) *amqp.Error { + var qu *queue.Queue + var err *amqp.Error + + if qu, err = channel.getQueueWithError(method.Queue, method); err != nil { + return err + } + + if err = channel.checkQueueLockWithError(qu, method); err != nil { + return err + } + + var length, errDel = channel.conn.GetVirtualHost().DeleteQueue(method.Queue, method.IfUnused, method.IfEmpty) + if errDel != nil { + return amqp.NewChannelError(amqp.PreconditionFailed, errDel.Error(), method.ClassIdentifier(), method.MethodIdentifier()) + } + + channel.SendMethod(&amqp.QueueDeleteOk{MessageCount: uint32(length)}) + return nil +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/server/server.go b/pkg/outputs/amqp/_fixtures/garagemq/server/server.go new file mode 100644 index 000000000..dea86b26e --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/server/server.go @@ -0,0 +1,255 @@ +package server + +import ( + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/amqp" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/auth" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/config" + "net" + "os" + "os/signal" + "sync" + "syscall" + + log "github.com/sirupsen/logrus" +) + +type ServerState int + +// server state statuses +const ( + Stopped ServerState = iota + Running + Stopping +) + +// Server implements AMQP server +type Server struct { + host string + port string + protoVersion string + listener *net.TCPListener + connSeq uint64 + connLock sync.Mutex + connections map[uint64]*Connection + config *config.Config + users map[string]string + vhostsLock sync.Mutex + vhosts map[string]*VirtualHost + status ServerState +} + +// NewServer returns new instance of AMQP Server +func NewServer(host string, port string, protoVersion string, config *config.Config) (server *Server) { + server = &Server{ + host: host, + port: port, + connections: make(map[uint64]*Connection), + protoVersion: protoVersion, + config: config, + users: make(map[string]string), + vhosts: make(map[string]*VirtualHost), + connSeq: 0, + } + + return +} + +// Start start main server loop +func (srv *Server) Start() { + log.WithFields(log.Fields{ + "pid": os.Getpid(), + }).Info("Server starting") + + go srv.hookSignals() + + srv.initUsers() + srv.initDefaultVirtualHosts() + + go srv.listen() + + srv.status = Running + select {} +} + +// Stop stop server and all vhosts +func (srv *Server) Stop() { + srv.vhostsLock.Lock() + defer srv.vhostsLock.Unlock() + srv.status = Stopping + + // stop accept new connections + srv.listener.Close() + + var wg sync.WaitGroup + srv.connLock.Lock() + for _, conn := range srv.connections { + wg.Add(1) + go conn.safeClose(&wg) + } + srv.connLock.Unlock() + wg.Wait() + log.Info("All connections safe closed") + + // stop exchanges and queues + for _, virtualHost := range srv.vhosts { + virtualHost.Stop() + } + + srv.status = Stopped +} + +func (srv *Server) getVhost(name string) *VirtualHost { + srv.vhostsLock.Lock() + defer srv.vhostsLock.Unlock() + + return srv.vhosts[name] +} + +func (srv *Server) listen() { + address := srv.host + ":" + srv.port + tcpAddr, err := net.ResolveTCPAddr("tcp4", address) + srv.listener, err = net.ListenTCP("tcp", tcpAddr) + if err != nil { + log.WithError(err).WithFields(log.Fields{ + "address": address, + }).Error("Error on listener start") + os.Exit(1) + } + + log.WithFields(log.Fields{ + "address": address, + }).Info("Server started") + + for { + conn, err := srv.listener.AcceptTCP() + if err != nil { + if srv.status != Running { + return + } + srv.stopWithError(err, "accepting connection") + } + log.WithFields(log.Fields{ + "from": conn.RemoteAddr().String(), + "to": conn.LocalAddr().String(), + }).Info("accepting connection") + + conn.SetReadBuffer(srv.config.TCP.ReadBufSize) + conn.SetWriteBuffer(srv.config.TCP.WriteBufSize) + conn.SetNoDelay(srv.config.TCP.Nodelay) + + srv.acceptConnection(conn) + } +} + +func (srv *Server) stopWithError(err error, msg string) { + log.WithError(err).Error(msg) + srv.Stop() + os.Exit(1) +} + +func (srv *Server) acceptConnection(conn *net.TCPConn) { + srv.connLock.Lock() + defer srv.connLock.Unlock() + + connection := NewConnection(srv, conn) + srv.connections[connection.id] = connection + go connection.handleConnection() +} + +func (srv *Server) removeConnection(connID uint64) { + srv.connLock.Lock() + defer srv.connLock.Unlock() + + delete(srv.connections, connID) +} + +func (srv *Server) checkAuth(saslData auth.SaslData) bool { + for userName, passwordHash := range srv.users { + if userName != saslData.Username { + continue + } + + return auth.CheckPasswordHash( + saslData.Password, + passwordHash, + srv.config.Security.PasswordCheck == "md5", + ) + } + return false +} + +func (srv *Server) initUsers() { + for _, user := range srv.config.Users { + srv.users[user.Username] = user.Password + } +} + +func (srv *Server) initDefaultVirtualHosts() { + log.WithFields(log.Fields{ + "vhost": srv.config.Vhost.DefaultPath, + }).Info("Initialize default vhost") + + log.Info("Initialize host message msgStorage") + + srv.vhostsLock.Lock() + defer srv.vhostsLock.Unlock() + srv.vhosts[srv.config.Vhost.DefaultPath] = NewVhost(srv.config.Vhost.DefaultPath, true, srv) +} + +func (srv *Server) onSignal(sig os.Signal) { + switch sig { + case syscall.SIGTERM, syscall.SIGINT: + srv.Stop() + os.Exit(0) + } +} + +// Special method for calling in tests without os.Exit(0) +func (srv *Server) testOnSignal(sig os.Signal) { + switch sig { + case syscall.SIGTERM, syscall.SIGINT: + srv.Stop() + } +} + +func (srv *Server) hookSignals() { + c := make(chan os.Signal, 1) + signal.Notify(c, syscall.SIGINT, syscall.SIGTERM) + go func() { + for sig := range c { + log.Infof("Received [%d:%s] signal from OS", sig, sig.String()) + srv.onSignal(sig) + } + }() +} + +func (srv *Server) getConfirmChannel(meta *amqp.ConfirmMeta) *Channel { + srv.connLock.Lock() + defer srv.connLock.Unlock() + conn := srv.connections[meta.ConnID] + if conn == nil { + return nil + } + + return conn.getChannel(meta.ChanID) +} + +func (srv *Server) GetVhost(name string) *VirtualHost { + return srv.getVhost(name) +} + +func (srv *Server) GetVhosts() map[string]*VirtualHost { + return srv.vhosts +} + +func (srv *Server) GetConnections() map[uint64]*Connection { + return srv.connections +} + +func (srv *Server) GetProtoVersion() string { + return srv.protoVersion +} + +func (srv *Server) GetStatus() ServerState { + return srv.status +} diff --git a/pkg/outputs/amqp/_fixtures/garagemq/server/vhost.go b/pkg/outputs/amqp/_fixtures/garagemq/server/vhost.go new file mode 100644 index 000000000..025c4eca7 --- /dev/null +++ b/pkg/outputs/amqp/_fixtures/garagemq/server/vhost.go @@ -0,0 +1,304 @@ +package server + +import ( + "errors" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/amqp" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/binding" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/config" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/exchange" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/queue" + "sync" + + log "github.com/sirupsen/logrus" +) + +const exDefaultName = "" + +// VirtualHost represents AMQP virtual host +// Each virtual host is "parent" for its queues and exchanges +type VirtualHost struct { + name string + system bool + exLock sync.RWMutex + exchanges map[string]*exchange.Exchange + quLock sync.RWMutex + queues map[string]*queue.Queue + srv *Server + srvConfig *config.Config + logger *log.Entry + autoDeleteQueue chan string +} + +// NewVhost returns instance of VirtualHost +// When instantiating virtual host we +// 1) init system exchanges +// 2) load durable exchanges, queues and bindings from server storage +// 3) load persisted messages from message store into all initiated queues +// 4) run confirm loop +// Only after that vhost is in state running msgStoragePersistent, msgStorageTransient +func NewVhost(name string, system bool, srv *Server) *VirtualHost { + vhost := &VirtualHost{ + name: name, + system: system, + exchanges: make(map[string]*exchange.Exchange), + queues: make(map[string]*queue.Queue), + srvConfig: srv.config, + srv: srv, + autoDeleteQueue: make(chan string, 1), + } + + vhost.logger = log.WithFields(log.Fields{ + "vhost": name, + }) + + vhost.initSystemExchanges() + vhost.loadExchanges() + vhost.loadQueues() + vhost.loadBindings() + + vhost.logger.Info("Load messages into queues") + + vhost.loadMessagesIntoQueues() + for _, q := range vhost.GetQueues() { + q.Start() + vhost.logger.WithFields(log.Fields{ + "name": q.GetName(), + "length": q.Length(), + }).Info("Messages loaded into queue") + } + + go vhost.handleConfirms() + go vhost.handleAutoDeleteQueue() + + return vhost +} + +func (vhost *VirtualHost) handleAutoDeleteQueue() { + for queueName := range vhost.autoDeleteQueue { + //time.Sleep(5 * time.Second) + vhost.DeleteQueue(queueName, false, false) + } +} + +func (vhost *VirtualHost) handleConfirms() { + +} + +func (vhost *VirtualHost) initSystemExchanges() { + // @spec-note + // The server MUST, in each virtual host, pre­declare an exchange instance for each standard exchange type that it + // implements, where the name of the exchange instance, if defined, is "amq." followed by the exchange type name. + + // The server MUST, in each virtual host, pre­declare at least two direct exchange instances: one named "amq.direct", + // the other with no public name that serves as a default exchange for Publish methods. + + // The server MUST pre­declare a direct exchange with no public name to act as the default exchange for content Publish methods and for default queue bindings. + + vhost.logger.Info("Initialize host default exchanges...") + for _, exType := range []byte{ + exchange.ExTypeDirect, + exchange.ExTypeFanout, + exchange.ExTypeTopic, + } { + exTypeAlias, _ := exchange.GetExchangeTypeAlias(exType) + exName := "amq." + exTypeAlias + vhost.AppendExchange(exchange.NewExchange(exName, exType, true, false, false, true)) + } + + // Special case for exchange.ExTypeHeaders + // + // AMQP specifies that the default exchange for headers shall be called + // amq.match, but RabbitMQ declares it as amq.header + // + // To be compatible, we change its name depending on protoVersion + protoVer := vhost.srv.protoVersion + + exTypeAlias, _ := exchange.GetExchangeTypeAlias(exchange.ExTypeHeaders) + exName := "amq." + exTypeAlias + + if protoVer == amqp.ProtoRabbit { + exName = "amq.header" + } + vhost.AppendExchange(exchange.NewExchange(exName, exchange.ExTypeHeaders, true, false, false, true)) + + systemExchange := exchange.NewExchange(exDefaultName, exchange.ExTypeDirect, true, false, false, true) + vhost.AppendExchange(systemExchange) +} + +// GetQueue returns queue by name or nil if not exists +func (vhost *VirtualHost) GetQueue(name string) *queue.Queue { + vhost.quLock.RLock() + defer vhost.quLock.RUnlock() + return vhost.getQueue(name) +} + +// GetQueues return all vhost's queues +func (vhost *VirtualHost) GetQueues() map[string]*queue.Queue { + vhost.quLock.RLock() + defer vhost.quLock.RUnlock() + return vhost.queues +} + +func (vhost *VirtualHost) getQueue(name string) *queue.Queue { + return vhost.queues[name] +} + +// GetExchange returns exchange by name or nil if not exists +func (vhost *VirtualHost) GetExchange(name string) *exchange.Exchange { + vhost.exLock.RLock() + defer vhost.exLock.RUnlock() + return vhost.getExchange(name) +} + +func (vhost *VirtualHost) getExchange(name string) *exchange.Exchange { + return vhost.exchanges[name] +} + +func (vhost *VirtualHost) GetExchanges() map[string]*exchange.Exchange { + return vhost.exchanges +} + +// GetDefaultExchange returns default exchange +func (vhost *VirtualHost) GetDefaultExchange() *exchange.Exchange { + return vhost.exchanges[exDefaultName] +} + +// AppendExchange append new exchange and persist if it is durable +func (vhost *VirtualHost) AppendExchange(ex *exchange.Exchange) { + vhost.exLock.Lock() + defer vhost.exLock.Unlock() + exTypeAlias, _ := exchange.GetExchangeTypeAlias(ex.ExType()) + vhost.logger.WithFields(log.Fields{ + "name": ex.GetName(), + "type": exTypeAlias, + }).Info("Append exchange") + vhost.exchanges[ex.GetName()] = ex + +} + +// NewQueue returns new instance of queue by params +// we can't use just queue.NewQueue, cause we need to set msgStorage to queue +func (vhost *VirtualHost) NewQueue(name string, connID uint64, exclusive bool, autoDelete bool, durable bool, shardSize int) *queue.Queue { + return queue.NewQueue( + name, + connID, + exclusive, + autoDelete, + durable, + vhost.srvConfig.Queue, + nil, + nil, + vhost.autoDeleteQueue, + ) +} + +// AppendQueue append new queue and persist if it is durable and +// bindings into default exchange +func (vhost *VirtualHost) AppendQueue(qu *queue.Queue) error { + vhost.quLock.Lock() + defer vhost.quLock.Unlock() + vhost.logger.WithFields(log.Fields{ + "queueName": qu.GetName(), + }).Info("Append queue") + + vhost.queues[qu.GetName()] = qu + + // @spec-note + // The server MUST create a default binding for a newly­declared queue to the default exchange, + // which is an exchange of type 'direct' and use the queue name as the routing key. + ex := vhost.GetDefaultExchange() + bind, bindErr := binding.NewBinding(qu.GetName(), exDefaultName, + qu.GetName(), &amqp.Table{}, false) + if bindErr != nil { + // Should not happen since the only error paths are on `topic` and + // `headers` + return bindErr + } + + ex.AppendBinding(bind) + + if qu.IsDurable() { + + } + + return nil +} + +// PersistBinding store binding into server storage +func (vhost *VirtualHost) PersistBinding(binding *binding.Binding) { +} + +// RemoveBindings remove given bindings from server storage +func (vhost *VirtualHost) RemoveBindings(bindings []*binding.Binding) { +} + +func (vhost *VirtualHost) loadQueues() { +} + +func (vhost *VirtualHost) loadMessagesIntoQueues() { + var wg sync.WaitGroup + for queueName, q := range vhost.queues { + wg.Add(1) + go func(queueName string, queue *queue.Queue) { + wg.Done() + }(queueName, q) + } + wg.Wait() +} + +func (vhost *VirtualHost) loadExchanges() { +} + +func (vhost *VirtualHost) loadBindings() { +} + +// DeleteQueue delete queue from virtual host and all bindings to that queue +// Also queue will be removed from server storage +func (vhost *VirtualHost) DeleteQueue(queueName string, ifUnused bool, ifEmpty bool) (uint64, error) { + vhost.quLock.Lock() + defer vhost.quLock.Unlock() + + qu := vhost.getQueue(queueName) + if qu == nil { + return 0, errors.New("not found") + } + + var length, err = qu.Delete(ifUnused, ifEmpty) + if err != nil { + return 0, err + } + + qu.Stop() + + for _, ex := range vhost.exchanges { + removedBindings := ex.RemoveQueueBindings(queueName) + vhost.RemoveBindings(removedBindings) + } + delete(vhost.queues, queueName) + + return length, nil +} + +// Stop properly stop virtual host +// TODO: properly stop confirm loop +func (vhost *VirtualHost) Stop() error { + vhost.quLock.Lock() + vhost.exLock.Lock() + defer vhost.quLock.Unlock() + defer vhost.exLock.Unlock() + vhost.logger.Info("Stop virtual host") + for _, qu := range vhost.queues { + qu.Stop() + vhost.logger.WithFields(log.Fields{ + "queueName": qu.GetName(), + }).Info("Queue stopped") + } + + vhost.logger.Info("Storage closed") + close(vhost.autoDeleteQueue) + return nil +} + +func (vhost *VirtualHost) GetName() string { + return vhost.name +} diff --git a/pkg/outputs/amqp/amqp.go b/pkg/outputs/amqp/amqp.go new file mode 100644 index 000000000..fe2f3b23f --- /dev/null +++ b/pkg/outputs/amqp/amqp.go @@ -0,0 +1,81 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package amqp + +import ( + "expvar" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/outputs" +) + +var ( + // amqpErrors counts AMQP delivery errors + amqpErrors = expvar.NewInt("output.amqp.publish.errors") + // amqpMessages counts the total number of published messages + amqpMessages = expvar.NewInt("output.amqp.publish.messages") +) + +type rabbitmq struct { + client *client +} + +func init() { + outputs.Register(outputs.AMQP, initAmqp) +} + +func initAmqp(config outputs.Config) (outputs.OutputGroup, error) { + cfg, ok := config.Output.(Config) + if !ok { + return outputs.Fail(outputs.ErrInvalidConfig(outputs.AMQP, config.Output)) + } + + q := &rabbitmq{client: newClient(cfg)} + + return outputs.Success(q), nil +} + +func (q *rabbitmq) Connect() error { + err := q.client.connect(true) + if err != nil { + return err + } + return q.client.declareExchange() +} + +func (q *rabbitmq) Close() error { + if q.client == nil { + return nil + } + return q.client.close() +} + +func (q *rabbitmq) Publish(batch *kevent.Batch) error { + body := batch.MarshalJSON() + defer batch.Release() + + err := q.client.publish(body) + if err != nil { + amqpErrors.Add(1) + return err + } + + amqpMessages.Add(1) + + return nil +} diff --git a/pkg/outputs/amqp/amqp_test.go b/pkg/outputs/amqp/amqp_test.go new file mode 100644 index 000000000..97a8f4f14 --- /dev/null +++ b/pkg/outputs/amqp/amqp_test.go @@ -0,0 +1,384 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package amqp + +import ( + "encoding/json" + "fmt" + "github.com/phayes/freeport" + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/config" + broker "github.com/rabbitstack/fibratus/pkg/outputs/amqp/_fixtures/garagemq/server" + pstypes "github.com/rabbitstack/fibratus/pkg/ps/types" + shandle "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/streadway/amqp" + "github.com/stretchr/testify/require" + "testing" + "time" +) + +func TestPublishAmqpOutput(t *testing.T) { + port, err := freeport.GetFreePort() + require.NoError(t, err) + amqpBroker := broker.NewServer("127.0.0.1", fmt.Sprintf("%d", port), "amqp-rabbit", config.Default()) + + done := make(chan struct{}) + + go func() { + amqpBroker.Start() + }() + defer amqpBroker.Stop() + + q := rabbitmq{client: newClient(Config{ + URL: amqpURL(port), + Exchange: "fibratus", + ExchangeType: "topic", + RoutingKey: "fibratus", + })} + require.NoError(t, q.Connect()) + defer q.Close() + + err = consumeKevents(t, amqpURL(port), done) + require.NoError(t, err) + + err = q.Publish(getBatch()) + require.NoError(t, err) + + <-done +} + +func TestHealthcheck(t *testing.T) { + port, err := freeport.GetFreePort() + require.NoError(t, err) + amqpBroker := broker.NewServer("127.0.0.1", fmt.Sprintf("%d", port), "amqp-rabbit", config.Default()) + + go func() { + amqpBroker.Start() + }() + + q := rabbitmq{client: newClient(Config{ + URL: amqpURL(port), + Exchange: "fibratus", + ExchangeType: "topic", + RoutingKey: "fibratus", + Timeout: time.Second, + })} + require.NoError(t, q.Connect()) + defer q.Close() + + time.Sleep(time.Millisecond * 400) + + amqpBroker.Stop() + + err = q.Publish(getBatch()) + require.Error(t, err) + + time.Sleep(time.Millisecond * 100) + + go func() { + amqpBroker.Start() + }() + + time.Sleep(time.Millisecond * 2000) + require.NoError(t, q.client.declareExchange()) + err = q.Publish(getBatch()) + require.NoError(t, err) + +} + +func consumeKevents(t *testing.T, amqpURI string, done chan struct{}) error { + conn, err := amqp.Dial(amqpURI) + if err != nil { + return err + } + + channel, err := conn.Channel() + if err != nil { + return err + } + queue, err := channel.QueueDeclare( + "fibratus", // name of the queue + true, // durable + false, // delete when unused + false, // exclusive + false, // noWait + nil, // arguments + ) + if err != nil { + return err + } + if err = channel.QueueBind( + queue.Name, // name of the queue + "fibratus", // bindingKey + "fibratus", // sourceExchange + false, // noWait + nil, // arguments + ); err != nil { + return err + } + + deliveries, err := channel.Consume( + queue.Name, // name + "kevents-consumer", // consumerTag, + false, // noAck + false, // exclusive + false, // noLocal + false, // noWait + nil, // arguments + ) + + go func() { + for d := range deliveries { + body := d.Body + if len(body) == 0 { + done <- struct{}{} + t.Fatal("got empty AMQP message") + } + var kevents []*kevent.Kevent + err := json.Unmarshal(body, &kevents) + if err != nil { + done <- struct{}{} + t.Fatal(err) + } + if len(kevents) != 3 { + done <- struct{}{} + t.Fatalf("expected 3 events in body but got %d", len(kevents)) + } + d.Ack(false) + done <- struct{}{} + } + }() + + return nil +} + +func amqpURL(port int) string { + return fmt.Sprintf("amqp://localhost:%d", port) +} + +func getBatch() *kevent.Batch { + kevt := &kevent.Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 859, + CPU: 1, + Seq: 2, + Name: "CreateFile", + Timestamp: time.Now(), + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: kevent.Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "baarz"}, + PS: &pstypes.PS{ + PID: 2436, + Ppid: 6304, + Name: "firefox.exe", + Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`, + Comm: `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, + Cwd: `C:\Program Files\Mozilla Firefox\`, + SID: "archrabbit\\SYSTEM", + Args: []string{"-contentproc", `--channel=6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, + SessionID: 4, + Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, + Threads: map[uint32]pstypes.Thread{ + 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + }, + Handles: []htypes.Handle{ + {Num: shandle.Handle(0xffffd105e9baaf70), + Name: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, + Type: "Key", + Object: 777488883434455544, + Pid: uint32(1023), + }, + { + Num: shandle.Handle(0xffffd105e9adaf70), + Name: `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, + Type: "ALPC Port", + Pid: uint32(1023), + MD: &htypes.AlpcPortInfo{ + Seqno: 1, + Context: 0x0, + Flags: 0x0, + }, + Object: 457488883434455544, + }, + { + Num: shandle.Handle(0xeaffd105e9adaf30), + Name: `C:\Users\bunny`, + Type: "File", + Pid: uint32(1023), + MD: &htypes.FileInfo{ + IsDirectory: true, + }, + Object: 357488883434455544, + }, + }, + }, + } + + kevt1 := &kevent.Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 459, + CPU: 1, + Seq: 2, + Name: "CreateFile", + Timestamp: time.Now(), + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: kevent.Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "baarz"}, + PS: &pstypes.PS{ + PID: 2436, + Ppid: 6304, + Name: "firefox.exe", + Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`, + Comm: `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, + Cwd: `C:\Program Files\Mozilla Firefox\`, + SID: "archrabbit\\SYSTEM", + Args: []string{"-contentproc", `--channel=6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, + SessionID: 4, + Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, + Threads: map[uint32]pstypes.Thread{ + 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + }, + Handles: []htypes.Handle{ + {Num: shandle.Handle(0xffffd105e9baaf70), + Name: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, + Type: "Key", + Object: 777488883434455544, + Pid: uint32(1023), + }, + { + Num: shandle.Handle(0xffffd105e9adaf70), + Name: `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, + Type: "ALPC Port", + Pid: uint32(1023), + MD: &htypes.AlpcPortInfo{ + Seqno: 1, + Context: 0x0, + Flags: 0x0, + }, + Object: 457488883434455544, + }, + { + Num: shandle.Handle(0xeaffd105e9adaf30), + Name: `C:\Users\bunny`, + Type: "File", + Pid: uint32(1023), + MD: &htypes.FileInfo{ + IsDirectory: true, + }, + Object: 357488883434455544, + }, + }, + }, + } + + kevt2 := &kevent.Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 829, + CPU: 1, + Seq: 2, + Name: "CreateFile", + Timestamp: time.Now(), + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: kevent.Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "baarz"}, + PS: &pstypes.PS{ + PID: 829, + Ppid: 6304, + Name: "firefox.exe", + Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`, + Comm: `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, + Cwd: `C:\Program Files\Mozilla Firefox\`, + SID: "archrabbit\\SYSTEM", + Args: []string{"-contentproc", `--channel=6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, + SessionID: 4, + Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, + Threads: map[uint32]pstypes.Thread{ + 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + }, + Handles: []htypes.Handle{ + {Num: shandle.Handle(0xffffd105e9baaf70), + Name: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, + Type: "Key", + Object: 777488883434455544, + Pid: uint32(1023), + }, + { + Num: shandle.Handle(0xffffd105e9adaf70), + Name: `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, + Type: "ALPC Port", + Pid: uint32(1023), + MD: &htypes.AlpcPortInfo{ + Seqno: 1, + Context: 0x0, + Flags: 0x0, + }, + Object: 457488883434455544, + }, + { + Num: shandle.Handle(0xeaffd105e9adaf30), + Name: `C:\Users\bunny`, + Type: "File", + Pid: uint32(1023), + MD: &htypes.FileInfo{ + IsDirectory: true, + }, + Object: 357488883434455544, + }, + }, + }, + } + + return kevent.NewBatch(kevt, kevt1, kevt2) +} diff --git a/pkg/outputs/amqp/client.go b/pkg/outputs/amqp/client.go new file mode 100644 index 000000000..cb55b170a --- /dev/null +++ b/pkg/outputs/amqp/client.go @@ -0,0 +1,193 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package amqp + +import ( + "expvar" + "fmt" + "github.com/rabbitstack/fibratus/pkg/util/tls" + log "github.com/sirupsen/logrus" + "github.com/streadway/amqp" + "net" + "time" +) + +var ( + connectionFailures = expvar.NewInt("output.amqp.connection.failures") + channelFailures = expvar.NewInt("output.amqp.channel.failures") +) + +// client encapsulates the AMQP connection/channel and deals with configuring, establishing the connection +// and publishing messages to the exchange. +type client struct { + conn *amqp.Connection + channel *amqp.Channel + config Config + quit chan struct{} +} + +// newClient creates a new AMQP client and setups the connection/channel. +func newClient(config Config) *client { + return &client{config: config, quit: make(chan struct{})} +} + +// connect opens a connection to the AMQP broker honoring the preferences that were passed in the config. +func (c *client) connect(healthcheck bool) error { + amqpConfig := amqp.Config{ + Vhost: c.config.Vhost, + Dial: func(network, addr string) (net.Conn, error) { + return net.DialTimeout(network, addr, c.config.Timeout) + }, + SASL: c.config.auth(), + } + tlsConfig, err := tls.MakeConfig(c.config.TLSCert, c.config.TLSKey, c.config.TLSCA, c.config.TLSInsecureSkipVerify) + if err != nil { + return fmt.Errorf("invalid TLS config: %v", err) + } + amqpConfig.TLSClientConfig = tlsConfig + + c.conn, err = amqp.DialConfig(c.config.URL, amqpConfig) + if err != nil { + return err + } + c.channel, err = c.conn.Channel() + if err != nil { + return fmt.Errorf("unable to open AMQP channel: %v", err) + } + + log.Infof("established connection to AMQP broker on %s", c.config.URL) + + if healthcheck { + go c.doHealthcheck() + } + + return nil +} + +// declareExchange creates the exchange in the broker where messages are published. +func (c *client) declareExchange() error { + var err error + if c.config.Passive { + err = c.channel.ExchangeDeclarePassive( + c.config.Exchange, + c.config.ExchangeType, + c.config.Durable, + false, + false, + false, + nil, + ) + } else { + err = c.channel.ExchangeDeclare( + c.config.Exchange, + c.config.ExchangeType, + c.config.Durable, + false, + false, + false, + nil, + ) + } + if err != nil { + return fmt.Errorf("unable to declare %s exchange: %v", c.config.Exchange, err) + } + return nil +} + +// publish sends the byte stream to the exchange. +func (c *client) publish(body []byte) error { + return c.channel.Publish(c.config.Exchange, c.config.RoutingKey, false, false, c.msg(body)) +} + +func (c *client) msg(body []byte) amqp.Publishing { + return amqp.Publishing{ + Body: body, + ContentType: "text/json", + Headers: c.config.amqpHeaders(), + DeliveryMode: c.config.deliveryMode(), + } +} + +// healthcheck monitors the state of the AMQP connection and its corresponding channel. Since AMQP channel is +// shutdown if an error occurs on it, we'll have to handle this situation properly and try to reopen the channel. +// Similarly if the connection is lost, the reconnect loop kicks in and tries to reconcile the connection state. +func (c *client) doHealthcheck() { + notify := c.conn.NotifyClose(make(chan *amqp.Error)) + cnotify := c.channel.NotifyClose(make(chan *amqp.Error)) + go func() { + for { + select { + case err := <-cnotify: + if err != nil { + channelFailures.Add(1) + log.Warnf("channel error: %v. Trying to reopen...", err) + if c.conn != nil && !c.conn.IsClosed() { + for { + var err error + c.channel, err = c.conn.Channel() + if err == nil { + log.Info("channel reopened") + cnotify = c.channel.NotifyClose(make(chan *amqp.Error)) + break + } + // sleep a bit before retrying + time.Sleep(time.Millisecond * 500) + } + } + } + case <-c.quit: + return + } + } + }() + + for { + select { + case err := <-notify: + if err != nil { + for { + connectionFailures.Add(1) + log.Warnf("connection error: %v. Trying to reconnect...", err) + e := c.connect(false) + if e == nil { + log.Info("connection recovered") + notify = c.conn.NotifyClose(make(chan *amqp.Error)) + break + } + } + } + case <-c.quit: + return + } + } +} + +// close tears down the underlying AMQP connection. +func (c *client) close() error { + if c.conn == nil { + return nil + } + c.quit <- struct{}{} + c.quit <- struct{}{} + err := c.conn.Close() + if err != nil && err != amqp.ErrClosed { + return err + } + return nil +} diff --git a/pkg/outputs/amqp/config.go b/pkg/outputs/amqp/config.go new file mode 100644 index 000000000..97ad336ac --- /dev/null +++ b/pkg/outputs/amqp/config.go @@ -0,0 +1,120 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package amqp + +import ( + "github.com/rabbitstack/fibratus/pkg/outputs" + "github.com/spf13/pflag" + "github.com/streadway/amqp" + "time" +) + +const ( + amqpURI = "output.amqp.url" + amqpTimeout = "output.amqp.timeout" + amqpVhost = "output.amqp.vhost" + amqpExchange = "output.amqp.exchange" + amqpRoutingKey = "output.amqp.routing-key" + amqpExchangeType = "output.amqp.exchange-type" + amqpEnabled = "output.amqp.enabled" + amqpPassive = "output.amqp.passive" + amqpDurable = "output.amqp.durable" + amqpDeliveryMode = "output.amqp.delivery-mode" + amqpUsername = "output.amqp.username" + amqpPassword = "output.amqp.password" +) + +// Config contains the tweaks that influence the behaviour of the AMQP output. +type Config struct { + outputs.TLSConfig + // Enabled indicates if the AMQP output is enabled + Enabled bool `mapstructure:"enabled"` + // URL represents the AMQP connection string. + URL string `mapstructure:"url"` + // Timeout specifies the AMQP connection timeout. + Timeout time.Duration `mapstructure:"timeout"` + // Exchange is the AMQP exchange for publishing events. + Exchange string `mapstructure:"exchange"` + // ExchangeType is the AMQP exchange type. + ExchangeType string `mapstructure:"exchange-type"` + // Passive indicates that the server checks whether the exchange already exists and raises an error if it doesn't exist. + Passive bool `mapstructure:"passive"` + // Durable indicates that the exchange is marked as durable. Durable exchanges can survive server restarts. + Durable bool `mapstructure:"durable"` + // DeliveryMode determines if a published message is persistent or transient. + DeliveryMode string `mapstructure:"delivery-mode"` + // RoutingKey represents the static routing key to link exchanges with queues. + RoutingKey string `mapstructure:"routing-key"` + // Username is the username for the plain authentication method. + Username string `mapstructure:"username"` + // Password is the password for the plain authentication method. + Password string `mapstructure:"password"` + // Vhost represents the virtual host name. + Vhost string `mapstructure:"vhost"` + // Headers contains a list of headers that are added to AMQP message + Headers map[string]string `mapstructure:"headers"` +} + +// AddFlags registers persistent flags. +func AddFlags(flags *pflag.FlagSet) { + flags.String(amqpURI, "amqp://localhost:5672", "Represents the AMQP broker address") + flags.Duration(amqpTimeout, time.Second*5, "Specifies the AMQP connection timeout") + flags.String(amqpVhost, "/", "The virtual host that provides logical grouping and separation of broker's resources") + flags.String(amqpExchange, "fibratus", "Specifies the target exchange name") + flags.String(amqpExchangeType, "topic", "Defines the AMQP exchange type") + flags.String(amqpRoutingKey, "fibratus", "Specifies the routing key") + flags.Bool(amqpDurable, false, "Indicates if the exchange is marked as durable. Durable exchanges can survive server restarts.") + flags.Bool(amqpPassive, false, "Indicates if the server checks whether the exchange already exists and raises an error if it doesn't exist.") + flags.Bool(amqpEnabled, false, "Indicates if the AMQP output is enabled") + flags.String(amqpDeliveryMode, "transient", "Determines if a published message is persistent or transient") + flags.String(amqpUsername, "", "The username for the plain authentication method") + flags.String(amqpPassword, "", "The password for the plain authentication method") + outputs.AddTLSFlags(flags, outputs.AMQP) +} + +func (c Config) amqpHeaders() amqp.Table { + headers := make(amqp.Table) + for k, v := range c.Headers { + headers[k] = v + } + return headers +} + +func (c Config) deliveryMode() uint8 { + switch c.DeliveryMode { + case "transient": + return amqp.Transient + case "persistent": + return amqp.Persistent + default: + return amqp.Transient + } +} + +func (c Config) auth() []amqp.Authentication { + if c.Username == "" && c.Password == "" { + return nil + } + return []amqp.Authentication{ + &amqp.PlainAuth{ + Username: c.Username, + Password: c.Password, + }, + } +} diff --git a/pkg/outputs/client.go b/pkg/outputs/client.go new file mode 100644 index 000000000..be98bdea8 --- /dev/null +++ b/pkg/outputs/client.go @@ -0,0 +1,30 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package outputs + +import ( + "github.com/rabbitstack/fibratus/pkg/kevent" +) + +// Client represents the minimal interface all output implementors have to satisfy. +type Client interface { + Close() error + Publish(*kevent.Batch) error + Connect() error +} diff --git a/pkg/outputs/config.go b/pkg/outputs/config.go new file mode 100644 index 000000000..41850daa6 --- /dev/null +++ b/pkg/outputs/config.go @@ -0,0 +1,52 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package outputs + +import ( + "fmt" + "github.com/spf13/pflag" +) + +// Config contains the output configuration. +type Config struct { + Type Type + Output interface{} +} + +// TLSConfig stores the client TLS parameters. +type TLSConfig struct { + // TLSCA represents the path of the certificate file that is associated with the Certification Authority (CA). + TLSCA string `mapstructure:"tls-ca"` + // TLSCert is the path to the certificate file. + TLSCert string `mapstructure:"tls-cert"` + // TLSKey represents the path to the public/private key file. + TLSKey string `mapstructure:"tls-key"` + // TLSInsecureSkipVerify skips the chain and host verification. + TLSInsecureSkipVerify bool `mapstructure:"tls-insecure-skip-verify"` +} + +// AddTLSFlags register the TLS flags for the specified output type. +func AddTLSFlags(flags *pflag.FlagSet, typ Type) { + flags.String(tlsForOutput("tls-ca", typ), "", "Represents the path of the certificate file that is associated with the Certification Authority (CA)") + flags.String(tlsForOutput("tls-cert", typ), "", "Path to certificate file") + flags.String(tlsForOutput("tls-key", typ), "", "Path to the public/private key file") + flags.Bool(tlsForOutput("tls-insecure-skip-verify", typ), false, "Indicates if the chain and host verification stage is skipped") +} + +func tlsForOutput(name string, typ Type) string { return fmt.Sprintf("output.%s.%s", typ, name) } diff --git a/pkg/outputs/console/config.go b/pkg/outputs/console/config.go new file mode 100644 index 000000000..583b894bd --- /dev/null +++ b/pkg/outputs/console/config.go @@ -0,0 +1,44 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package console + +import "github.com/spf13/pflag" + +const ( + frmt = "output.console.format" + tmpl = "output.console.template" + paramKVDelimiter = "output.console.kv-delimiter" + enabled = "output.console.enabled" +) + +// Config contains the tweaks that influence the behaviour of the console output. +type Config struct { + Format string `mapstructure:"format"` + Template string `mapstructure:"template"` + ParamKVDelimiter string `mapstructure:"kv-delimiter"` + Enabled bool `mapstructure:"enabled"` +} + +// AddFlags registers persistent flags. +func AddFlags(flags *pflag.FlagSet) { + flags.String(frmt, string(pretty), "Specifies the output format. Choose between pretty|json") + flags.String(paramKVDelimiter, "", "The delimiter symbol for the kparams key/value pairs") + flags.String(tmpl, "", "Event formatting template") + flags.Bool(enabled, true, "Indicates if the console output is enabled") +} diff --git a/pkg/outputs/console/console.go b/pkg/outputs/console/console.go new file mode 100644 index 000000000..371c5daa1 --- /dev/null +++ b/pkg/outputs/console/console.go @@ -0,0 +1,124 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package console + +import ( + "bufio" + "expvar" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/outputs" + "os" +) + +var ( + consoleErrors = expvar.NewInt("output.console.errors") +) + +type format string + +const ( + pretty format = "pretty" + json format = "json" + // template represents the default template used in pretty rendering mode + template = "{{ .Seq }} {{ .Timestamp }} - {{ .CPU }} {{ .Process }} ({{ .Pid }}) - {{ .Type }} ({{ .Kparams }})" +) + +type console struct { + writer *bufio.Writer + formatter *kevent.Formatter + format format +} + +func init() { + outputs.Register(outputs.Console, initConsole) +} + +func initConsole(config outputs.Config) (outputs.OutputGroup, error) { + stdout := os.Stdout + cfg, ok := config.Output.(Config) + if !ok { + return outputs.Fail(outputs.ErrInvalidConfig(outputs.Console, config.Output)) + } + tmpl := cfg.Template + if tmpl == "" { + tmpl = template + } + formatter, err := kevent.NewFormatter(tmpl) + if err != nil { + return outputs.Fail(err) + } + if cfg.ParamKVDelimiter != "" { + kevent.ParamKVDelimiter = cfg.ParamKVDelimiter + } + + c := &console{ + writer: bufio.NewWriterSize(stdout, 8*1024), + formatter: formatter, + format: format(cfg.Format), + } + return outputs.Success(c), nil +} + +func (c *console) Close() error { return c.writer.Flush() } +func (c *console) Connect() error { return nil } +func (c *console) Publish(batch *kevent.Batch) error { + defer batch.Release() + + for _, kevt := range batch.Events { + var buf []byte + switch c.format { + case json: + buf = kevt.MarshalJSON() + case pretty: + buf = c.formatter.Format(kevt) + default: + return nil + } + + if err := c.write(buf); err != nil { + consoleErrors.Add(1) + continue + } + if err := c.write(nl); err != nil { + consoleErrors.Add(1) + continue + } + } + + if err := c.writer.Flush(); err != nil { + consoleErrors.Add(1) + return err + } + + return nil +} + +var nl = []byte("\n") + +func (c *console) write(buf []byte) error { + written := 0 + for written < len(buf) { + n, err := c.writer.Write(buf[written:]) + if err != nil { + return err + } + written += n + } + return nil +} diff --git a/pkg/outputs/elasticsearch/config.go b/pkg/outputs/elasticsearch/config.go new file mode 100644 index 000000000..f1afae01b --- /dev/null +++ b/pkg/outputs/elasticsearch/config.go @@ -0,0 +1,101 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package elasticsearch + +import ( + "github.com/rabbitstack/fibratus/pkg/outputs" + "github.com/spf13/pflag" + "time" +) + +const ( + esEnabled = "output.elasticsearch.enabled" + esServers = "output.elasticsearch.servers" + esTimeout = "output.elasticsearch.timeout" + esFlushPeriod = "output.elasticsearch.flush-period" + esHealthcheck = "output.elasticsearch.healthcheck" + esBulkWorkers = "output.elasticsearch.bulk-workers" + esHealthcheckInterval = "output.elasticsearch.healthcheck-interval" + esHealthcheckTimeout = "output.elasticsearch.healthcheck-timeout" + esUsername = "output.elasticsearch.username" + esPassword = "output.elasticsearch.password" + esSniff = "output.elasticsearch.sniff" + esTraceLog = "output.elasticsearch.trace-log" + esIndexName = "output.elasticsearch.index-name" + esTemplateName = "output.elasticsearch.template-name" + esTemplateConfig = "output.elasticsearch.template-config" + esGzipCompression = "output.elasticsearch.gzip-compression" +) + +// Config contains the options for tweaking the output behaviour. +type Config struct { + outputs.TLSConfig + // Enabled determines whether ES output is enabled. + Enabled bool `mapstructure:"enabled"` + // Servers contains a comma separated list of Elasticsearch instances that comprise the cluster. + Servers []string `mapstructure:"servers"` + // Timeout specifies the connection timeout. + Timeout time.Duration `mapstructure:"timeout"` + // FlushPeriod specifies when to flush the bulk at the end of the given interval. + FlushPeriod time.Duration `mapstructure:"flush-period"` + // BulkWorkers represents the number of workers that commit docs to Elasticserach. + BulkWorkers int `mapstructure:"bulk-workers"` + // Healthcheck enables/disables nodes health checking. + Healthcheck bool `mapstructure:"healthcheck"` + // HealthCheckInterval specifies the interval for checking if the Elasticsearch nodes are available. + HealthCheckInterval time.Duration `mapstructure:"healthcheck-interval"` + // HealthCheckTimeout sets the timeout for periodic health checks. + HealthCheckTimeout time.Duration `mapstructure:"healthcheck-timeout"` + // Username is the user name for the basic HTTP authentication. + Username string `mapstructure:"username"` + // Password is the password for the basic HTTP authentication. + Password string `mapstructure:"password"` + // Sniff enables the discovery of all Elasticsearch nodes in the cluster. This avoids populating the list of available Elasticsearch nodes. + Sniff bool `mapstructure:"sniff"` + // TraceLog determines if the Elasticsearch trace log is enabled. Useful for troubleshooting. + TraceLog bool `mapstructure:"tracelog"` + // IndexName represents the target index for kernel events. It allows time specifiers to create indices per time frame. + IndexName string `mapstructure:"index-name"` + // TemplateName specifies the name of the index template. + TemplateName string `mapstructure:"template-name"` + // TemplateConfig contains the full JSON body of the index template. + TemplateConfig string `mapstructure:"template-config"` + // GzipCompression specifies if gzip compression is enabled. + GzipCompression bool `mapstructure:"gzip-compression"` +} + +// AddFlags registers persistent flags. +func AddFlags(flags *pflag.FlagSet) { + flags.Bool(esEnabled, false, "Determines whether ES output is enabled") + flags.StringSlice(esServers, []string{"http://127.0.0.1:9200"}, "Contains a comma separated list of Elasticsearch instances that comprise the cluster") + flags.Duration(esTimeout, time.Second*5, "Specifies the output connection timeout") + flags.Duration(esFlushPeriod, time.Second, "Specifies when to flush the bulk at the end of the given interval") + flags.Int(esBulkWorkers, 1, "Represents the number of workers that commit docs to Elasticsearch") + flags.Bool(esHealthcheck, true, "Enables/disables nodes health checking") + flags.Duration(esHealthcheckInterval, time.Second*10, "Specifies the interval for checking if the Elasticsearch nodes are available") + flags.Duration(esHealthcheckTimeout, time.Second*5, "Specifies the timeout for periodic health checks") + flags.String(esUsername, "", "Identifies the user name for the basic HTTP authentication") + flags.String(esPassword, "", "Specifies the password for the basic HTTP authentication") + flags.Bool(esSniff, false, "Enables the discovery of all Elasticsearch nodes in the cluster. This avoids populating the list of available Elasticsearch nodes") + flags.Bool(esTraceLog, false, "Determines if the Elasticsearch trace log is enabled. Useful for troubleshooting") + flags.String(esTemplateName, "fibratus", "Specifies the name of the index template") + flags.String(esIndexName, "fibratus", "Represents the target index for kernel events. It allows time specifiers to create indices per time frame") + flags.String(esTemplateConfig, "", "Contains the full JSON body of the index template") + flags.Bool(esGzipCompression, false, "Specifies if gzip compression is enabled") +} diff --git a/pkg/outputs/elasticsearch/elasticsearch.go b/pkg/outputs/elasticsearch/elasticsearch.go new file mode 100644 index 000000000..c9a9db1f2 --- /dev/null +++ b/pkg/outputs/elasticsearch/elasticsearch.go @@ -0,0 +1,201 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package elasticsearch + +import ( + "context" + "encoding/json" + "expvar" + "fmt" + "github.com/hashicorp/go-version" + "github.com/olivere/elastic/v7" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/outputs" + "github.com/rabbitstack/fibratus/pkg/util/tls" + log "github.com/sirupsen/logrus" + "net/http" +) + +// minElasticVersion is the minimal supported Elasticsearch version +var minElasticVersion, _ = version.NewVersion("5.5") + +var ( + // totalBulkedDocs contains the number of total bulked docs + totalBulkedDocs = expvar.NewInt("elasticsearch.total.bulked.docs") + // committedDocs counts the number of docs commited to Elasticsearch + committedDocs = expvar.NewInt("elasticsearch.committed.docs") + // failedDocs counts the number of docs that failed to commit to Elasticsearch + failedDocs = expvar.NewInt("elasticsearch.failed.docs") +) + +type elasticsearch struct { + client *elastic.Client + bulkProcessor *elastic.BulkProcessor + config Config + index index +} + +type logger struct{} + +func (l logger) Printf(format string, v ...interface{}) { + log.Infof(format, v...) +} + +func init() { + outputs.Register(outputs.Elasticsearch, initElastic) +} + +func initElastic(config outputs.Config) (outputs.OutputGroup, error) { + cfg, ok := config.Output.(Config) + if !ok { + return outputs.Fail(outputs.ErrInvalidConfig(outputs.Elasticsearch, config.Output)) + } + + es := &elasticsearch{config: cfg, index: index{config: cfg}} + + return outputs.Success(es), nil +} + +func (e *elasticsearch) Connect() error { + var opts []elastic.ClientOptionFunc + var client *elastic.Client + var err error + + // setup a new HTTP client with optional TLS transport + tlsConfig, err := tls.MakeConfig(e.config.TLSCert, e.config.TLSKey, e.config.TLSCA, e.config.TLSInsecureSkipVerify) + if err != nil { + return fmt.Errorf("invalid TLS config: %v", err) + } + httpClient := &http.Client{ + Timeout: e.config.Timeout, + Transport: &http.Transport{TLSClientConfig: tlsConfig}, + } + + opts = append( + opts, + elastic.SetSniff(e.config.Sniff), + elastic.SetHttpClient(httpClient), + elastic.SetURL(e.config.Servers...), + elastic.SetGzip(e.config.GzipCompression), + elastic.SetHealthcheck(e.config.Healthcheck), + elastic.SetHealthcheckTimeout(e.config.HealthCheckTimeout), + elastic.SetHealthcheckInterval(e.config.HealthCheckInterval), + ) + + if e.config.Username != "" && e.config.Password != "" { + opts = append( + opts, + elastic.SetBasicAuth(e.config.Username, e.config.Password), + ) + } + if e.config.TraceLog { + opts = append(opts, elastic.SetTraceLog(&logger{})) + } + + client, err = elastic.NewClient(opts...) + if err != nil { + return err + } + + ver, err := client.ElasticsearchVersion(e.config.Servers[0]) + if err != nil { + return fmt.Errorf("unable to fetch Elasticsearch version: %v", err) + } + + v, err := version.NewVersion(ver) + if err != nil { + return fmt.Errorf("unable to parse Elasticsearch version %s: %v", ver, err) + } + if v.LessThan(minElasticVersion) { + return fmt.Errorf("required at least Elasticsearch %s but found version %s", minElasticVersion.String(), ver) + } + + e.client = client + e.index.client = client + + bulkProcessor, err := client.BulkProcessor(). + After(func(executionId int64, requests []elastic.BulkableRequest, response *elastic.BulkResponse, err error) { + if err != nil { + log.Errorf("failed to execute bulk: %s", err) + return + } + + if response.Errors { + log.Errorf("failed to insert %d documents", len(response.Failed())) + for i, fail := range response.Failed() { + failedDocs.Add(1) + log.Errorf("failed to insert document %d: %v", i, fail.Error) + } + return + } + committedDocs.Add(int64(len(requests))) + }). + FlushInterval(e.config.FlushPeriod). + Workers(e.config.BulkWorkers). + Do(context.Background()) + if err != nil { + return fmt.Errorf("couldn't create Elasticsearch bulk processor: %v", err) + } + + err = e.index.putTemplate() + if err != nil { + return err + } + + err = bulkProcessor.Start(context.Background()) + if err != nil { + return err + } + + e.bulkProcessor = bulkProcessor + + log.Infof("established connection to Elasticsearch server(s): %v", e.config.Servers) + + return nil +} + +func (e *elasticsearch) Publish(batch *kevent.Batch) error { + for _, kevt := range batch.Events { + indexName := e.index.getName(kevt) + // create the bulk index request for each event in the batch. + // We already have a valid JSON body, so just pass the raw + // JSON message as request document + e.bulkProcessor.Add(newBulkIndexRequest(indexName, kevt)) + totalBulkedDocs.Add(1) + } + batch.Release() + + return nil +} + +func newBulkIndexRequest(indexName string, kevt *kevent.Kevent) *elastic.BulkIndexRequest { + kjson := kevt.MarshalJSON() + return elastic.NewBulkIndexRequest().Index(indexName).Doc(json.RawMessage(kjson)) +} + +func (e *elasticsearch) Close() error { + if e.bulkProcessor != nil { + // commit outstanding requests before shutdown + if err := e.bulkProcessor.Flush(); err != nil { + return err + } + return e.bulkProcessor.Close() + } + return nil +} diff --git a/pkg/outputs/elasticsearch/elasticsearch_test.go b/pkg/outputs/elasticsearch/elasticsearch_test.go new file mode 100644 index 000000000..fbe4fe10d --- /dev/null +++ b/pkg/outputs/elasticsearch/elasticsearch_test.go @@ -0,0 +1,355 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package elasticsearch + +import ( + "bytes" + "encoding/json" + "github.com/olivere/elastic/v7" + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + pstypes "github.com/rabbitstack/fibratus/pkg/ps/types" + shandle "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "io/ioutil" + "net/http" + "net/http/httptest" + "strings" + "testing" + "time" +) + +func TestElasticsearchConnect(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + ping := elastic.PingResult{ + Name: "es", + } + ping.Version.Number = "5.5.2" + resp, err := json.Marshal(&ping) + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + } + + w.Write([]byte(resp)) + })) + defer srv.Close() + + es := &elasticsearch{config: Config{Servers: []string{srv.URL}, Healthcheck: false}} + + require.NoError(t, es.Connect()) +} + +func TestElasticsearchConnectUnsupportedVersion(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + ping := elastic.PingResult{ + Name: "es", + } + ping.Version.Number = "2.4.6" + resp, err := json.Marshal(&ping) + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + } + + w.Write([]byte(resp)) + })) + defer srv.Close() + + es := &elasticsearch{config: Config{Servers: []string{srv.URL}, Healthcheck: false}} + + require.Error(t, es.Connect()) +} + +func TestElasticsearchPublish(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if strings.Contains(r.URL.Path, "_bulk") { + body, err := ioutil.ReadAll(r.Body) + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + defer r.Body.Close() + // check we have the correct index name + assert.True(t, bytes.Contains(body, []byte("fibratus-2018-03"))) + // check kevent name is present + assert.True(t, bytes.Contains(body, []byte("CreateFile"))) + + // create the bulk response + response := elastic.BulkResponse{ + Took: 1, + Errors: false, + Items: []map[string]*elastic.BulkResponseItem{}, + } + resp, err := json.Marshal(&response) + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + } + + w.Write(resp) + } else { + ping := elastic.PingResult{ + Name: "es", + } + ping.Version.Number = "5.5.2" + resp, err := json.Marshal(&ping) + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + } + + w.Write(resp) + } + })) + defer srv.Close() + + kevent.SerializeHandles = true + + cfg := Config{ + Servers: []string{srv.URL}, + Healthcheck: false, + FlushPeriod: time.Millisecond * 250, + IndexName: "fibratus-%Y-%d", + TemplateName: "fibratus", + } + + es := &elasticsearch{ + config: cfg, + index: index{config: cfg}, + } + + require.NoError(t, es.Connect()) + + require.NoError(t, es.Publish(getBatch())) + + time.Sleep(time.Millisecond * 450) + + assert.Equal(t, int64(3), committedDocs.Value()) + assert.Equal(t, int64(0), failedDocs.Value()) +} + +func getBatch() *kevent.Batch { + ts, _ := time.Parse(time.RFC3339, "2018-05-03T15:04:05.323Z") + + kevt := &kevent.Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 859, + CPU: 1, + Seq: 2, + Name: "CreateFile", + Timestamp: ts, + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: kevent.Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "baarz"}, + PS: &pstypes.PS{ + PID: 2436, + Ppid: 6304, + Name: "firefox.exe", + Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`, + Comm: `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, + Cwd: `C:\Program Files\Mozilla Firefox\`, + SID: "archrabbit\\SYSTEM", + Args: []string{"-contentproc", `--channel=6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, + SessionID: 4, + Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, + Threads: map[uint32]pstypes.Thread{ + 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + }, + Handles: []htypes.Handle{ + {Num: shandle.Handle(0xffffd105e9baaf70), + Name: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, + Type: "Key", + Object: 777488883434455544, + Pid: uint32(1023), + }, + { + Num: shandle.Handle(0xffffd105e9adaf70), + Name: `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, + Type: "ALPC Port", + Pid: uint32(1023), + MD: &htypes.AlpcPortInfo{ + Seqno: 1, + Context: 0x0, + Flags: 0x0, + }, + Object: 457488883434455544, + }, + { + Num: shandle.Handle(0xeaffd105e9adaf30), + Name: `C:\Users\bunny`, + Type: "File", + Pid: uint32(1023), + MD: &htypes.FileInfo{ + IsDirectory: true, + }, + Object: 357488883434455544, + }, + }, + }, + } + + kevt1 := &kevent.Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 459, + CPU: 1, + Seq: 2, + Name: "CreateFile", + Timestamp: ts, + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: kevent.Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "baarz"}, + PS: &pstypes.PS{ + PID: 2436, + Ppid: 6304, + Name: "firefox.exe", + Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`, + Comm: `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, + Cwd: `C:\Program Files\Mozilla Firefox\`, + SID: "archrabbit\\SYSTEM", + Args: []string{"-contentproc", `--channel=6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, + SessionID: 4, + Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, + Threads: map[uint32]pstypes.Thread{ + 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + }, + Handles: []htypes.Handle{ + {Num: shandle.Handle(0xffffd105e9baaf70), + Name: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, + Type: "Key", + Object: 777488883434455544, + Pid: uint32(1023), + }, + { + Num: shandle.Handle(0xffffd105e9adaf70), + Name: `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, + Type: "ALPC Port", + Pid: uint32(1023), + MD: &htypes.AlpcPortInfo{ + Seqno: 1, + Context: 0x0, + Flags: 0x0, + }, + Object: 457488883434455544, + }, + { + Num: shandle.Handle(0xeaffd105e9adaf30), + Name: `C:\Users\bunny`, + Type: "File", + Pid: uint32(1023), + MD: &htypes.FileInfo{ + IsDirectory: true, + }, + Object: 357488883434455544, + }, + }, + }, + } + + kevt2 := &kevent.Kevent{ + Type: ktypes.CreateFile, + Tid: 2484, + PID: 829, + CPU: 1, + Seq: 2, + Name: "CreateFile", + Timestamp: ts, + Category: ktypes.File, + Host: "archrabbit", + Description: "Creates or opens a new file, directory, I/O device, pipe, console", + Kparams: kevent.Kparams{ + kparams.FileObject: {Name: kparams.FileObject, Type: kparams.Uint64, Value: uint64(12456738026482168384)}, + kparams.FileName: {Name: kparams.FileName, Type: kparams.UnicodeString, Value: "\\Device\\HarddiskVolume2\\Windows\\system32\\user32.dll"}, + kparams.FileType: {Name: kparams.FileType, Type: kparams.AnsiString, Value: "file"}, + kparams.FileOperation: {Name: kparams.FileOperation, Type: kparams.AnsiString, Value: "open"}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Int8, Value: int8(2)}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(2)}, + }, + Metadata: map[string]string{"foo": "bar", "fooz": "baarz"}, + PS: &pstypes.PS{ + PID: 829, + Ppid: 6304, + Name: "firefox.exe", + Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`, + Comm: `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, + Cwd: `C:\Program Files\Mozilla Firefox\`, + SID: "archrabbit\\SYSTEM", + Args: []string{"-contentproc", `--channel=6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, + SessionID: 4, + Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, + Threads: map[uint32]pstypes.Thread{ + 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + }, + Handles: []htypes.Handle{ + {Num: shandle.Handle(0xffffd105e9baaf70), + Name: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, + Type: "Key", + Object: 777488883434455544, + Pid: uint32(1023), + }, + { + Num: shandle.Handle(0xffffd105e9adaf70), + Name: `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, + Type: "ALPC Port", + Pid: uint32(1023), + MD: &htypes.AlpcPortInfo{ + Seqno: 1, + Context: 0x0, + Flags: 0x0, + }, + Object: 457488883434455544, + }, + { + Num: shandle.Handle(0xeaffd105e9adaf30), + Name: `C:\Users\bunny`, + Type: "File", + Pid: uint32(1023), + MD: &htypes.FileInfo{ + IsDirectory: true, + }, + Object: 357488883434455544, + }, + }, + }, + } + + return kevent.NewBatch(kevt, kevt1, kevt2) +} diff --git a/pkg/outputs/elasticsearch/index.go b/pkg/outputs/elasticsearch/index.go new file mode 100644 index 000000000..698032c52 --- /dev/null +++ b/pkg/outputs/elasticsearch/index.go @@ -0,0 +1,95 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package elasticsearch + +import ( + "bytes" + "context" + "fmt" + "github.com/olivere/elastic/v7" + "github.com/rabbitstack/fibratus/pkg/kevent" + "html/template" + "strings" + "time" +) + +type index struct { + config Config + client *elastic.Client +} + +// putTemplate creates the index template. +func (i index) putTemplate() error { + if i.config.TemplateName == "" { + return nil + } + // get the index pattern for the template + indexPattern := i.config.IndexName + if strings.Contains(indexPattern, "%") { + indexPattern = indexPattern[0:strings.Index(indexPattern, "%")] + } + + var b bytes.Buffer + if i.config.TemplateConfig != "" { + b.WriteString(i.config.TemplateConfig) + } else { + // expand the Go template + tmpl := template.Must(template.New("template").Parse(indexTemplate)) + err := tmpl.Execute(&b, templateInfo{IndexPattern: indexPattern + "*"}) + if err != nil { + return err + } + } + + ctx := context.Background() + + exists, err := i.client.IndexTemplateExists(i.config.TemplateName).Do(ctx) + if err != nil { + return fmt.Errorf("unable to check the existence of the %q template: %v", i.config.TemplateName, err) + } + if exists { + return nil + } + // create index template + _, err = i.client.IndexPutTemplate(i.config.TemplateName).BodyJson(b.String()).Do(ctx) + if err != nil { + return fmt.Errorf("unable to create index for the %q template: %v", i.config.TemplateName, err) + } + + return nil +} + +// getName creates an index name by replacing specifiers to create time frame indices. If no time specifiers are +// used this method returns a fixed index name. +func (i index) getName(kevt *kevent.Kevent) string { + indexName := i.config.IndexName + if !strings.Contains(indexName, "%") { + return indexName + } + return i.replace(kevt.Timestamp) +} + +func (i index) replace(timestamp time.Time) string { + return strings.NewReplacer( + "%Y", timestamp.UTC().Format("2006"), + "%y", timestamp.UTC().Format("06"), + "%m", timestamp.UTC().Format("01"), + "%d", timestamp.UTC().Format("02"), + "%H", timestamp.UTC().Format("15")).Replace(i.config.IndexName) +} diff --git a/pkg/outputs/elasticsearch/index_test.go b/pkg/outputs/elasticsearch/index_test.go new file mode 100644 index 000000000..cb41f284b --- /dev/null +++ b/pkg/outputs/elasticsearch/index_test.go @@ -0,0 +1,50 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package elasticsearch + +import ( + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/stretchr/testify/assert" + "testing" + "time" +) + +func TestProduceIndexName(t *testing.T) { + i := index{config: Config{IndexName: "fibratus-%Y-%m"}} + + ts, _ := time.Parse(time.RFC3339, "2011-05-03T15:04:05.323Z") + + indexName := i.getName(&kevent.Kevent{Timestamp: ts}) + assert.Equal(t, "fibratus-2011-05", indexName) + + i = index{config: Config{IndexName: "fibratus-%y-%d"}} + + indexName = i.getName(&kevent.Kevent{Timestamp: ts}) + assert.Equal(t, "fibratus-11-03", indexName) + + i = index{config: Config{IndexName: "fibratus-%d-%H"}} + + indexName = i.getName(&kevent.Kevent{Timestamp: ts}) + assert.Equal(t, "fibratus-03-15", indexName) + + i = index{config: Config{IndexName: "fibratus-events"}} + + indexName = i.getName(&kevent.Kevent{Timestamp: ts}) + assert.Equal(t, "fibratus-events", indexName) +} diff --git a/pkg/outputs/elasticsearch/template.go b/pkg/outputs/elasticsearch/template.go new file mode 100644 index 000000000..0d7db9f61 --- /dev/null +++ b/pkg/outputs/elasticsearch/template.go @@ -0,0 +1,74 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package elasticsearch + +type templateInfo struct { + IndexPattern string +} + +const indexTemplate = ` +{ + "index_patterns": [ "{{ .IndexPattern }}" ], + "settings": { + "index": { + "refresh_interval": "5s", + "number_of_shards": 1, + "number_of_replicas": 1 + } + }, + "mappings": { + "properties": { + "seq": { "type": "long" }, + "pid": { "type": "long" }, + "tid": { "type": "long" }, + "cpu": { "type": "short" }, + + "name": { "type": "keyword" }, + "category": { "type": "keyword" }, + "description": { "type": "text" }, + "host": { "type": "keyword" }, + + "timestamp": { "type": "date" }, + + "kparams": { + "type": "nested", + "properties": { + "dip": { "type": "ip" }, + "sip": { "type": "ip" } + } + }, + + "ps": { + "type": "nested", + "properties": { + "pid": { "type": "long" }, + "ppid": { "type": "long" }, + "name": { "type": "keyword" }, + "comm": { "type": "text" }, + "exe": { "type": "text" }, + "cwd": { "type": "text" }, + "sid": { "type": "keyword" }, + "sessionid": { "type": "short" } + } + } + + } + } +} +` diff --git a/pkg/outputs/null/config.go b/pkg/outputs/null/config.go new file mode 100644 index 000000000..51f5c6236 --- /dev/null +++ b/pkg/outputs/null/config.go @@ -0,0 +1,22 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package null + +// Config contains preferences for the null output. +type Config struct{} diff --git a/pkg/outputs/null/null.go b/pkg/outputs/null/null.go new file mode 100644 index 000000000..cc7a83eb4 --- /dev/null +++ b/pkg/outputs/null/null.go @@ -0,0 +1,46 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package null + +import ( + "expvar" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/outputs" +) + +var blackholeEventsCount = expvar.NewInt("output.null.blackhole.events") + +// null output devours kernel events the same way a black hole swallows the light +type null struct{} + +func init() { + outputs.Register(outputs.Null, initNull) +} + +func initNull(config outputs.Config) (outputs.OutputGroup, error) { + return outputs.Success(&null{}), nil +} + +func (null) Close() error { return nil } +func (null) Connect() error { return nil } +func (null) Publish(batch *kevent.Batch) error { + blackholeEventsCount.Add(batch.Len()) + batch.Release() + return nil +} diff --git a/pkg/outputs/outputs.go b/pkg/outputs/outputs.go new file mode 100644 index 000000000..a0ac4d5b9 --- /dev/null +++ b/pkg/outputs/outputs.go @@ -0,0 +1,94 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package outputs + +import ( + "fmt" + "reflect" + "strings" +) + +var ( + outputs = map[Type]Factory{} + // ErrInvalidConfig signals an invalid configuration input + ErrInvalidConfig = func(name Type, c interface{}) error { + return fmt.Errorf("invalid config for %q output. Got type %v instead of %s.Config", name, reflect.TypeOf(c), strings.ToLower(name.String())) + } +) + +type Factory func(config Config) (OutputGroup, error) + +// Type is the alias for the output type. +type Type uint8 + +const ( + // Console represents the default terminal output. + Console Type = iota + AMQP + Elasticsearch + Null +) + +// String returns the string representation of the output type. +func (t Type) String() string { + switch t { + case Console: + return "console" + case AMQP: + return "amqp" + case Elasticsearch: + return "elasticsearch" + case Null: + return "null" + default: + return "unknown" + } +} + +type OutputGroup struct { + Clients []Client +} + +func Success(clients ...Client) OutputGroup { + return OutputGroup{Clients: clients} +} + +func Fail(err error) (OutputGroup, error) { + return OutputGroup{}, err +} + +func Register(typ Type, factory Factory) { + if _, ok := outputs[typ]; ok { + panic(fmt.Sprintf("output %q is already registered", typ)) + } + outputs[typ] = factory +} + +// FindFactory locates the output factory. +func FindFactory(typ Type) Factory { + return outputs[typ] +} + +func Load(typ Type, config Config) (OutputGroup, error) { + factory := FindFactory(typ) + if factory == nil { + return OutputGroup{}, fmt.Errorf("output %q not availaible in the factory", typ) + } + return factory(config) +} diff --git a/pkg/pe/config.go b/pkg/pe/config.go new file mode 100644 index 000000000..c29c016a3 --- /dev/null +++ b/pkg/pe/config.go @@ -0,0 +1,71 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package pe + +import ( + "github.com/spf13/pflag" + "github.com/spf13/viper" + "path/filepath" + "strings" +) + +const ( + enabled = "pe.enabled" + readResources = "pe.read-resources" + readSymbols = "pe.read-symbols" + readSections = "pe.read-sections" + excludedImages = "pe.excluded-images" +) + +// Config stores the preferences that dictate the behaviour of the PE reader. +type Config struct { + Enabled bool `json:"pe.enabled" yaml:"pe.enabled"` + ReadResources bool `json:"pe.read-resources" yaml:"pe.read-resources"` + ReadSymbols bool `json:"pe.read-symbols" yaml:"pe.read-symbols"` + ReadSections bool `json:"pe.read-sections" yaml:"pe.read-sections"` + ExcludedImages []string `json:"pe.excluded-images" yaml:"pe.excluded-images"` +} + +// InitFromViper initializes PE config from Viper. +func (c *Config) InitFromViper(v *viper.Viper) { + c.Enabled = v.GetBool(enabled) + c.ReadResources = v.GetBool(readResources) + c.ReadSymbols = v.GetBool(readSymbols) + c.ReadSections = v.GetBool(readSections) + c.ExcludedImages = v.GetStringSlice(excludedImages) +} + +// AddFlags registers persistent flags. +func AddFlags(flags *pflag.FlagSet) { + flags.Bool(enabled, false, "Specifies if PE metadata is fetched from the process' image file") + flags.Bool(readResources, false, "Determines if resources are read from the PE resource directory") + flags.Bool(readSymbols, false, "Indicates if symbols are read from the PE") + flags.Bool(readSections, false, "Indicates if full section inspection is allowed") + flags.StringSlice(excludedImages, []string{}, "Contains a list of comma-separated images names that are excluded from PE parsing") +} + +// ShouldSkipProcess determines whether the specified filename name is ignored by PE reader. +func (c Config) shouldSkipImage(filename string) bool { + for _, img := range c.ExcludedImages { + if strings.ToLower(img) == strings.ToLower(filepath.Base(filename)) { + return true + } + } + return false +} diff --git a/pkg/pe/doc.go b/pkg/pe/doc.go new file mode 100644 index 000000000..9bd81f93e --- /dev/null +++ b/pkg/pe/doc.go @@ -0,0 +1,21 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +// Package pe contains different facilities for dealing with Portable Executable specifics and digging out valuable insights +// from it. +package pe diff --git a/pkg/pe/entropy.go b/pkg/pe/entropy.go new file mode 100644 index 000000000..3c892aa7f --- /dev/null +++ b/pkg/pe/entropy.go @@ -0,0 +1,41 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package pe + +import "math" + +// entropy calculates the entropy of the PE section's data. This function relies +// on Shannon Entropy formula to calculate the entropy. High entropy scores mean +// that there is a high variety of frequency over data located in sections. +func entropy(data []byte) float64 { + entropy := 0.0 + frq := make(map[byte]int, len(data)) + + // get the frequency of each rune + for _, i := range data { + frq[i]++ + } + + for _, value := range frq { + k := float64(value) / float64(len(data)) + entropy -= k * math.Log2(k) + } + + return entropy +} diff --git a/pkg/pe/marshaller.go b/pkg/pe/marshaller.go new file mode 100644 index 000000000..01434f9bc --- /dev/null +++ b/pkg/pe/marshaller.go @@ -0,0 +1,223 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package pe + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/util/bytes" + "math" + "time" + "unsafe" +) + +// Marshal dumps the PE metadata to binary stream. +func (pe *PE) Marshal() []byte { + b := make([]byte, 0) + + // number of sections/symbols + b = append(b, bytes.WriteUint16(pe.NumberOfSections)...) + b = append(b, bytes.WriteUint32(pe.NumberOfSymbols)...) + + // image base + b = append(b, bytes.WriteUint16(uint16(len(pe.ImageBase)))...) + b = append(b, pe.ImageBase...) + + // entry point + b = append(b, bytes.WriteUint16(uint16(len(pe.EntryPoint)))...) + b = append(b, pe.EntryPoint...) + + // link time + linkTime := make([]byte, 0) + linkTime = pe.LinkTime.AppendFormat(linkTime, time.RFC3339Nano) + b = append(b, bytes.WriteUint16(uint16(len(linkTime)))...) + b = append(b, linkTime...) + + // sections + b = append(b, bytes.WriteUint16(uint16(len(pe.Sections)))...) + for _, sec := range pe.Sections { + // size + b = append(b, bytes.WriteUint32(sec.Size)...) + // entropy + b = append(b, bytes.WriteUint64(math.Float64bits(sec.Entropy))...) + // name + b = append(b, bytes.WriteUint16(uint16(len(sec.Name)))...) + b = append(b, sec.Name...) + // md5 + b = append(b, bytes.WriteUint16(uint16(len(sec.Md5)))...) + b = append(b, sec.Md5...) + } + + // symbols + b = append(b, bytes.WriteUint16(uint16(len(pe.Symbols)))...) + for _, sym := range pe.Symbols { + b = append(b, bytes.WriteUint16(uint16(len(sym)))...) + b = append(b, sym...) + } + + // imports + b = append(b, bytes.WriteUint16(uint16(len(pe.Imports)))...) + for _, imp := range pe.Imports { + b = append(b, bytes.WriteUint16(uint16(len(imp)))...) + b = append(b, imp...) + } + + // version resources + b = append(b, bytes.WriteUint16(uint16(len(pe.VersionResources)))...) + for k, v := range pe.VersionResources { + b = append(b, bytes.WriteUint16(uint16(len(k)))...) + b = append(b, k...) + b = append(b, bytes.WriteUint16(uint16(len(v)))...) + b = append(b, v...) + } + + return b +} + +// Unmarshal recovers the PE metadata from the byte stream. +func (pe *PE) Unmarshal(b []byte) error { + if len(b) < 6 { + return fmt.Errorf("expected at least 6 bytes but got %d bytes", len(b)) + } + + pe.NumberOfSections = bytes.ReadUint16(b[0:]) + pe.NumberOfSymbols = bytes.ReadUint32(b[2:]) + + // image base + l := bytes.ReadUint16(b[6:]) + buf := b[8:] + offset := uint32(l) + pe.ImageBase = string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l]) + + // entry point + l = bytes.ReadUint16(b[8+offset:]) + buf = b[10+offset:] + offset += uint32(l) + pe.EntryPoint = string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l]) + + // link time + l = bytes.ReadUint16(b[10+offset:]) + buf = b[12+offset:] + offset += uint32(l) + if len(buf) > 0 { + pe.LinkTime, _ = time.Parse(time.RFC3339Nano, string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l])) + } + + // read sections + nsections := bytes.ReadUint16(b[12+offset:]) + var soffset uint32 + + for nsec := 0; nsec < int(nsections); nsec++ { + // section size + size := bytes.ReadUint32(b[14+offset+soffset:]) + // entropy + entropy := bytes.ReadUint64(b[18+offset+soffset:]) + + // section name + l := bytes.ReadUint16(b[26+offset+soffset:]) + buf := b[28+offset+soffset:] + soffset += uint32(l) + name := string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l]) + + // section md5 hash + l = bytes.ReadUint16(b[28+offset+soffset:]) + buf = b[30+offset+soffset:] + soffset += uint32(l) + md5 := string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l]) + + pe.Sections = append(pe.Sections, + Sec{ + Name: name, + Size: size, + Entropy: math.Float64frombits(entropy), + Md5: md5, + }, + ) + + // increment the offset by summing the byte length of the size + entropy, and the section name length + md5 length encoded as uint16 values + soffset += 4 + 8 + 2 + 2 + } + + offset += soffset + + // read symbols + nsyms := bytes.ReadUint16(b[14+offset:]) + var syoffset uint32 + + for nsym := 0; nsym < int(nsyms); nsym++ { + l := bytes.ReadUint16(b[16+offset+syoffset:]) + buf := b[18+offset+syoffset:] + pe.Symbols = append(pe.Symbols, string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l])) + syoffset += uint32(l + 2) + } + offset += syoffset + + // read imports + nimports := bytes.ReadUint16(b[16+offset:]) + var ioffset uint32 + + for nimp := 0; nimp < int(nimports); nimp++ { + l := bytes.ReadUint16(b[18+offset+ioffset:]) + buf := b[20+offset+ioffset:] + pe.Imports = append(pe.Imports, string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l])) + ioffset += uint32(l + 2) + } + + offset += ioffset + + // read version resources + nresources := bytes.ReadUint16(b[18+offset:]) + var roffset uint32 + + for nres := 0; nres < int(nresources); nres++ { + // read key + klen := bytes.ReadUint16(b[20+offset+roffset:]) + buf := b[22+offset+roffset:] + key := string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:klen:klen]) + // read value + vlen := bytes.ReadUint16(b[22+offset+uint32(klen)+roffset:]) + buf = b[24+offset+uint32(klen)+roffset:] + if vlen == 0 { + roffset += uint32(klen) + 4 + continue + } + value := string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:vlen:vlen]) + // increment the offset by the length of the key + length value + size of uint16 * 2 + // that corresponds to byte patterns storing the lengths of the keys/values + roffset += uint32(klen) + uint32(vlen) + 4 + if key != "" { + pe.VersionResources[key] = value + } + } + + return nil +} + +// NewFromKcap restores the PE metadata from the byte stream. +func NewFromKcap(b []byte) (*PE, error) { + pe := &PE{ + Sections: make([]Sec, 0), + Symbols: make([]string, 0), + Imports: make([]string, 0), + VersionResources: make(map[string]string), + } + if err := pe.Unmarshal(b); err != nil { + return nil, err + } + return pe, nil +} diff --git a/pkg/pe/marshaller_test.go b/pkg/pe/marshaller_test.go new file mode 100644 index 000000000..c5e107c4d --- /dev/null +++ b/pkg/pe/marshaller_test.go @@ -0,0 +1,85 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package pe + +import ( + "github.com/stretchr/testify/assert" + + "github.com/stretchr/testify/require" + "testing" + "time" +) + +func TestMetadataMarshal(t *testing.T) { + + now := time.Now() + + pe := &PE{ + NumberOfSections: 7, + NumberOfSymbols: 10, + EntryPoint: "20110", + ImageBase: "140000000", + LinkTime: now, + Sections: []Sec{ + {Name: ".text", Size: 132608, Entropy: 6.368381, Md5: "db23dce3911a42e987041d98abd4f7cd"}, + {Name: ".rdata", Size: 35840, Entropy: 5.996976, Md5: "ffa5c960b421ca9887e54966588e97e8"}, + }, + Symbols: []string{"SelectObject", "GetTextFaceW", "EnumFontsW", "TextOutW", "GetProcessHeap"}, + Imports: []string{"GDI32.dll", "USER32.dll", "msvcrt.dll", "api-ms-win-core-libraryloader-l1-2-0.dl"}, + VersionResources: map[string]string{"CompanyName": "Microsoft Corporation", "FileDescription": "Notepad", "FileVersion": "10.0.18362.693"}, + } + + b := pe.Marshal() + + newPE := &PE{VersionResources: make(map[string]string)} + err := newPE.Unmarshal(b) + require.NoError(t, err) + + assert.Equal(t, uint16(7), newPE.NumberOfSections) + assert.Equal(t, uint32(10), newPE.NumberOfSymbols) + assert.Equal(t, "20110", newPE.EntryPoint) + assert.Equal(t, "140000000", newPE.ImageBase) + + assert.Equal(t, now.Day(), newPE.LinkTime.Day()) + assert.Equal(t, now.Minute(), newPE.LinkTime.Minute()) + + assert.Len(t, newPE.Sections, 2) + + textSection := newPE.Sections[0] + assert.Equal(t, ".text", textSection.Name) + assert.Equal(t, uint32(132608), textSection.Size) + assert.Equal(t, 6.368381, textSection.Entropy) + assert.Equal(t, "db23dce3911a42e987041d98abd4f7cd", textSection.Md5) + + assert.Len(t, newPE.Symbols, 5) + assert.Contains(t, newPE.Symbols, "SelectObject") + assert.Contains(t, newPE.Symbols, "TextOutW") + + assert.Len(t, newPE.Imports, 4) + assert.Contains(t, newPE.Imports, "GDI32.dll") + assert.Contains(t, newPE.Imports, "msvcrt.dll") + + assert.Len(t, newPE.VersionResources, 3) + assert.Contains(t, newPE.VersionResources, "CompanyName") + assert.Contains(t, newPE.VersionResources, "FileVersion") + + assert.Equal(t, "10.0.18362.693", newPE.VersionResources["FileVersion"]) + assert.Equal(t, "Microsoft Corporation", newPE.VersionResources["CompanyName"]) + assert.Equal(t, "Notepad", newPE.VersionResources["FileDescription"]) +} diff --git a/pkg/pe/reader.go b/pkg/pe/reader.go new file mode 100644 index 000000000..ff898d628 --- /dev/null +++ b/pkg/pe/reader.go @@ -0,0 +1,193 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package pe + +import ( + "bytes" + "debug/pe" + "expvar" + log "github.com/sirupsen/logrus" + "golang.org/x/text/encoding/unicode" + "io" + "os" + "strconv" + "strings" + "sync" + "time" +) + +var ( + peSkippedImages = expvar.NewInt("pe.skipped.images") + peReaderTimeouts = expvar.NewInt("pe.reader.timeouts") +) + +// Reader is the interface for PE (Portable Executable) format metadata parsing. The stdlib debug/pe package underpins +// the core functionality of the reader, but additionally, it provides numerous methods for reading resources, strings, +// IAT directories and other information that is not offered by the standard library package. +type Reader interface { + // Read is the main method that reads the PE metadata for the specified image file. + Read(filename string) (*PE, error) + // FindSectionByRVA gets the section containing the given address. + FindSectionByRVA(rva uint32) (*pe.Section, error) + // FindOffsetByRVA returns the file offset that maps to the given RVA. + FindOffsetByRVA(rva uint32) (int64, error) +} + +type reader struct { + f *os.File + sections []*pe.Section + oh interface{} + config Config +} + +// NewReader builds a new instance of the PE reader. +func NewReader(config Config) Reader { + return &reader{config: config} +} + +func (r *reader) Read(filename string) (*PE, error) { + if !r.config.Enabled { + return nil, nil + } + if r.config.shouldSkipImage(filename) { + peSkippedImages.Add(1) + return nil, nil + } + f, err := os.Open(filename) + if err != nil { + return nil, err + } + r.f = f + defer r.f.Close() + pefile, err := pe.NewFile(f) + if err != nil { + return nil, err + } + r.sections = pefile.Sections + r.oh = pefile.OptionalHeader + + // link time in PE header is represented as the number of seconds since January 1, 1970 + linkTime := time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC).Add(time.Second * time.Duration(pefile.TimeDateStamp)) + + pex := &PE{ + NumberOfSections: pefile.NumberOfSections, + NumberOfSymbols: pefile.NumberOfSymbols, + LinkTime: linkTime, + Sections: r.readSections(pefile), + Symbols: make([]string, 0), + Imports: make([]string, 0), + } + + var resDir pe.DataDirectory + switch hdr := r.oh.(type) { + case *pe.OptionalHeader32: + resDir = hdr.DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE] + pex.ImageBase = uintToHex(uint64(hdr.ImageBase)) + pex.EntryPoint = uintToHex(uint64(hdr.AddressOfEntryPoint)) + case *pe.OptionalHeader64: + resDir = hdr.DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_RESOURCE] + pex.ImageBase = uintToHex(hdr.ImageBase) + pex.EntryPoint = uintToHex(uint64(hdr.AddressOfEntryPoint)) + } + + var wg sync.WaitGroup + + if r.config.ReadResources { + wg.Add(1) + go func(wg *sync.WaitGroup) { + defer wg.Done() + pex.VersionResources, err = r.readResources(resDir.VirtualAddress) + if err != nil { + log.Warnf("fail to read %q PE resources: %v", filename, err) + } + }(&wg) + } + + if r.config.ReadSymbols { + wg.Add(1) + go func(wg *sync.WaitGroup) { + defer wg.Done() + symbols, err := pefile.ImportedSymbols() + if err != nil { + log.Warnf("fail to read %q symbols: %v", filename, err) + return + } + // each symbol is anchored to its source library so we + // can dig out the imports from the symbol name + for _, sym := range symbols { + fields := strings.SplitN(sym, ":", 2) + if len(fields) != 2 { + continue + } + symbol, lib := fields[0], fields[1] + pex.addImport(lib) + pex.addSymbol(symbol) + } + }(&wg) + } + + // ensure this method terminates in a timely manner + done := make(chan struct{}) + + go func() { + wg.Wait() + done <- struct{}{} + }() + + select { + case <-done: + return pex, nil + case <-time.After(time.Second): + log.Warn("wait timeout reached during PE metadata parsing") + peReaderTimeouts.Add(1) + return pex, nil + } +} + +// readUTF16String reads an UTF16 string at the specified RVA. +func (r *reader) readUTF16String(rva uint32) (string, error) { + data := make([]byte, 1024) + offset, err := r.FindOffsetByRVA(rva) + if err != nil { + return "", err + } + n, err := r.f.ReadAt(data, offset) + if err != nil { + if err == io.EOF { + return "", nil + } + return "", err + } + idx := bytes.Index(data[:n], []byte{0, 0}) + if idx < 0 { + idx = n - 1 + } + decoder := unicode.UTF16(unicode.LittleEndian, unicode.UseBOM).NewDecoder() + utf8, err := decoder.Bytes(data[0 : idx+1]) + if err != nil { + return "", err + } + return string(utf8), nil +} + +func dwordAlign(offset, base int64) int64 { + return ((offset + base + 3) & 0xfffffffc) - (base & 0xfffffffc) +} + +func uintToHex(v uint64) string { return strconv.FormatUint(v, 16) } diff --git a/pkg/pe/reader_test.go b/pkg/pe/reader_test.go new file mode 100644 index 000000000..ca8bcec3c --- /dev/null +++ b/pkg/pe/reader_test.go @@ -0,0 +1,55 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package pe + +import ( + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "os" + "path/filepath" + "testing" +) + +func TestReader(t *testing.T) { + c := Config{ + Enabled: true, + ReadResources: true, + ReadSymbols: true, + ReadSections: true, + } + r := NewReader(c) + notepad := filepath.Join(os.Getenv("windir"), "notepad.exe") + + pe, err := r.Read(notepad) + require.NoError(t, err) + require.NotNil(t, pe) + + require.True(t, pe.NumberOfSections > 0) + require.True(t, len(pe.Symbols) > 0) + require.True(t, len(pe.Imports) > 0) + require.True(t, len(pe.Sections) > 0) + + require.NotEmpty(t, pe.EntryPoint) + require.NotEmpty(t, pe.ImageBase) + assert.Contains(t, pe.Symbols, "free") + assert.Contains(t, pe.Imports, "GDI32.dll") + + assert.Contains(t, pe.VersionResources, "CompanyName") + assert.Equal(t, "Microsoft Corporation", pe.VersionResources["CompanyName"]) +} diff --git a/pkg/pe/resource/types.go b/pkg/pe/resource/types.go new file mode 100644 index 000000000..8ae0a7846 --- /dev/null +++ b/pkg/pe/resource/types.go @@ -0,0 +1,141 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package resource + +import ( + "encoding/binary" +) + +// ID is the type for identifying resource types +type ID uint32 + +const ( + Version ID = 16 // Version defines version resources +) + +// String yields a human-readable resource type name. +func (id ID) String() string { + switch id { + case Version: + return "RT_VERSION" + default: + return "" + } +} + +// Directory represents the layout of the resource directory. +type Directory struct { + Characteristics uint32 + Timestamp uint32 + Major uint16 + Minor uint16 + NumberNamedEntries uint16 + NumberIDEntries uint16 +} + +// Size returns the size in bytes of the resource directory. +func (d Directory) Size() int { return binary.Size(d) } + +// DirectoryEntry defines the entry in the directory table. +type DirectoryEntry struct { + Name uint32 + OffsetToData uint32 +} + +// Size returns the size in bytes of the resource entry. +func (e DirectoryEntry) Size() int { return binary.Size(e) } + +// ID returns the type of the resource. +func (e DirectoryEntry) ID() ID { + if !e.IsString() { + return ID(e.Name) + } + return ID(e.Name & 0x0000FFF) +} + +// IsString determines if this resource contains string data. +func (e DirectoryEntry) IsString() bool { return ((e.Name & 0x80000000) >> 31) > 0 } + +// IsDir indicates if this resource entry is a directory instead of resource final data. +func (e DirectoryEntry) IsDir() bool { return ((e.OffsetToData & 0x80000000) >> 31) > 0 } + +// DirOffset returns the offset into the resource directory. +func (e DirectoryEntry) DirOffset() uint32 { return e.OffsetToData & 0x7FFFFFFF } + +// DataEntry stores the offset to the resource data. +type DataEntry struct { + OffsetToData uint32 + DataSize uint32 + CodePage uint32 + Reserved uint32 +} + +// Size returns the size in bytes of the resource data. +func (e DataEntry) Size() int { return binary.Size(e) } + +type VersionInfo struct { + Length uint16 + ValueLength uint16 + Type uint16 +} + +func (v VersionInfo) Size() int { return binary.Size(v) } + +type FixedFileinfo struct { + Signature uint32 + StructVer uint32 + FileVersionMS uint32 + FileVersionLS uint32 + ProductVersionMS uint32 + ProductVersionLS uint32 + FileFlagMask uint32 + FileFlags uint32 + FileOS uint32 + FileType uint32 + FileSubtype uint32 + FileDateMS uint32 + FileDateLS uint32 +} + +func (f FixedFileinfo) Size() int { return binary.Size(f) } + +type StringFileInfo struct { + Length uint16 + ValueLength uint16 + Type uint16 +} + +func (s StringFileInfo) Size() int { return binary.Size(s) } +func (s StringFileInfo) Skip() bool { return (s.Type != 0 && s.Type != 1) && s.ValueLength != 0 } + +type StringTable struct { + Length uint16 + ValueLength uint16 + Type uint16 +} + +func (s StringTable) Size() int { return binary.Size(s) } + +type String struct { + Length uint16 + ValueLength uint16 + Type uint16 +} + +func (s String) Size() int { return binary.Size(s) } diff --git a/pkg/pe/resources.go b/pkg/pe/resources.go new file mode 100644 index 000000000..e0bcf53a3 --- /dev/null +++ b/pkg/pe/resources.go @@ -0,0 +1,398 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package pe + +import ( + "encoding/binary" + "errors" + "expvar" + "fmt" + "github.com/rabbitstack/fibratus/pkg/pe/resource" + "github.com/rabbitstack/fibratus/pkg/util/multierror" + "io" + "strings" +) + +const ( + seekStart = 0 + // maxAllowedResourceEntries determines the maximum number of directory entries we are allowed to process + maxAllowedResourceEntries = 4096 +) + +var ( + maxResourceEntriesExceeded = expvar.NewInt("pe.max.resource.entries.exceeded") + failedResourceEntryReads = expvar.NewInt("pe.failed.resource.entry.reads") + + errMalformedDir = errors.New("malformed directory") + errMaxAllowedDirEntries = func(nbEntries int) error { + return fmt.Errorf("the directory contains %d entries. Max allowed entries %d", nbEntries, maxAllowedResourceEntries) + } +) + +// rdir represents the resource directory with its entries +type rdir struct { + directory resource.Directory + entries []rdirEntry +} + +type rdirEntry struct { + id resource.ID + level uint16 + entry resource.DirectoryEntry + data resource.DataEntry + dir *rdir +} + +// readResources a plenty of logic in this code is inspired by pefile tool. The native stdlib package doesn't offer +// any kind of introspection on PE resources, so this function takes care of parsing the resource directory and extracting +// the version resources from it. +func (r *reader) readResources(rva uint32) (map[string]string, error) { + var vers map[string]string + dir, err := r.readResourcesDirectory(rva, 0, 0, nil) + if err != nil { + return nil, err + } + + for _, entry := range dir.entries { + if entry.dir == nil { + continue + } + if entry.level == 0 { + switch entry.id { + case resource.Version: + // read version information resources + vers, err = r.readVersionInfo(entry.dir) + if err != nil { + continue + } + } + } + } + + return vers, nil +} + +func (r *reader) readResourcesDirectory(rva uint32, baseRVA uint32, level uint16, dirs []uint32) (*rdir, error) { + if dirs == nil { + dirs = []uint32{rva} + } + if baseRVA == 0 { + baseRVA = rva + } + sr := io.NewSectionReader(r.f, 0, 1<<63-1) + offset, err := r.FindOffsetByRVA(rva) + if err != nil { + return nil, fmt.Errorf("couldn't read resources directory: %v", err) + } + // try to read the resource directory structure that is basically + // a header of the table preceding the actual resource entries + if _, err := sr.Seek(int64(offset), seekStart); err != nil { + return nil, err + } + var dir resource.Directory + if err := binary.Read(sr, binary.LittleEndian, &dir); err != nil { + return nil, err + } + + nbEntries := int(dir.NumberIDEntries + dir.NumberNamedEntries) + dirents := make([]rdirEntry, nbEntries) + + // we have to protect us against reading a huge number of entries + if nbEntries > maxAllowedResourceEntries { + maxResourceEntriesExceeded.Add(1) + return nil, errMaxAllowedDirEntries(nbEntries) + } + // advance the RVA to the position following the directory table + // header that points the the first entry in the table of entries + rva += uint32(dir.Size()) + +loop: + for i := 0; i < nbEntries; i++ { + res, err := r.readResourceEntry(sr, rva) + if err != nil { + failedResourceEntryReads.Add(1) + continue + } + // the entry is a directory so we have to parse it recursively + if res.IsDir() { + // The following comment is from pefile.py + // + // OC Patch: + // + // One trick malware can do is to recursively reference + // the next directory. This causes hilarity to ensue when + // trying to parse everything correctly. + // If the original RVA given to this function is equal to + // the next one to parse, we assume that it's a trick. + for _, dir := range dirs { + if baseRVA+res.DirOffset() == dir { + break loop + } + } + dirs = append(dirs, baseRVA+res.DirOffset()) + dir, err := r.readResourcesDirectory(baseRVA+res.DirOffset(), baseRVA, level+1, dirs) + if err != nil { + break + } + if dir == nil { + break + } + dirents[i] = rdirEntry{ + id: res.ID(), + entry: res, + dir: dir, + level: level, + } + } else { + // if we reached the actual directory data, let's read the structure that + // contains the offset and size of the resource's data + data, err := r.readResourceData(sr, baseRVA+res.DirOffset()) + if err != nil { + break + } + dirents[i] = rdirEntry{ + id: res.ID(), + entry: res, + data: data, + level: level, + } + } + // increment the RVA to the next directory entry + rva += uint32(res.Size()) + } + + return &rdir{directory: dir, entries: dirents}, nil +} + +func (r *reader) readResourceEntry(sr *io.SectionReader, rva uint32) (resource.DirectoryEntry, error) { + offset, err := r.FindOffsetByRVA(rva) + if err != nil { + return resource.DirectoryEntry{}, err + } + if _, err := sr.Seek(offset, seekStart); err != nil { + return resource.DirectoryEntry{}, err + } + var entry resource.DirectoryEntry + if err := binary.Read(sr, binary.LittleEndian, &entry); err != nil { + return resource.DirectoryEntry{}, fmt.Errorf("invalid directory entry at RVA 0x%x: %v", rva, err) + } + return entry, nil +} + +func (r *reader) readResourceData(sr *io.SectionReader, rva uint32) (resource.DataEntry, error) { + offset, err := r.FindOffsetByRVA(rva) + if err != nil { + return resource.DataEntry{}, err + } + if _, err := sr.Seek(offset, seekStart); err != nil { + return resource.DataEntry{}, err + } + var dataEntry resource.DataEntry + if err := binary.Read(sr, binary.LittleEndian, &dataEntry); err != nil { + return resource.DataEntry{}, fmt.Errorf("invalid resource data at RVA 0x%x: %v", rva, err) + } + return dataEntry, nil +} + +func (r *reader) readVersionInfo(vsDir *rdir) (map[string]string, error) { + if vsDir == nil || len(vsDir.entries) == 0 { + return nil, errMalformedDir + } + dir := vsDir.entries[0].dir + if dir == nil { + return nil, errMalformedDir + } + + errs := make([]error, 0) + vers := make(map[string]string) + vdents := dir.entries + sr := io.NewSectionReader(r.f, 0, 1<<63-1) + + for _, ve := range vdents { + offsetToData := ve.data.OffsetToData + startOffset, err := r.FindOffsetByRVA(offsetToData) + if err != nil { + return nil, err + } + // read the version info structure and the VS_VERSION_INFO string + versionInfo, versionString, err := r.parseVersionInfo(sr, startOffset, offsetToData) + if err != nil { + errs = append(errs, err) + continue + } + // if we've able to correctly parse the VS_VERSION_INFO string, the next step + // is to process the fixed version information by getting the offset of the struct + fixedFileinfoOffset := dwordAlign(int64(versionInfo.Size()+(2*len(versionString))+1), int64(offsetToData)) + fixedFileinfo, err := r.parseFixedFileinfoStruct(sr, fixedFileinfoOffset) + if err != nil { + errs = append(errs, err) + continue + } + // now the real work begins. To reach version keys/values, we first have to parse all + // of the StringFileInfo and VarFileInfo structures until we get to string table whose + // entries store the data we're after + stringFileinfoOffset := dwordAlign(int64(fixedFileinfoOffset+int64(fixedFileinfo.Size())), int64(offsetToData)) + for { + // process StringFileInfo/VarFileInfo structures. The file info string determines whether we + // should process StringFileInfo or VarFileInfo items + stringFileinfo, fileInfoString, err := r.parseStringFileinfo( + sr, + startOffset+stringFileinfoOffset, + uint32(int64(offsetToData)+stringFileinfoOffset)+uint32(versionInfo.Size()), + ) + if err != nil { + errs = append(errs, err) + break + } + + switch { + case strings.HasPrefix(fileInfoString, "StringFileInfo"): + if stringFileinfo.Skip() { + continue + } + stringTableOffset := dwordAlign(stringFileinfoOffset+int64(stringFileinfo.Size()+2*(len(fileInfoString)+1)), int64(offsetToData)) + // now we can start processing all the StringTable entries that contain the k/v pairs + for { + stringTable, langID, err := r.parseStringTable( + sr, + int64(startOffset+stringTableOffset), + offsetToData+uint32(stringTableOffset), + ) + if err != nil { + errs = append(errs, err) + break + } + // now we can process all the entries in the string table and populate the result map + entryOffset := dwordAlign(stringTableOffset+int64(stringTable.Size()+(2*len(langID)+1)), int64(offsetToData)) + for entryOffset < stringTableOffset+int64(stringTable.Length) { + if _, err := sr.Seek(int64(startOffset+entryOffset), 0); err != nil { + break + } + var str resource.String + if err := binary.Read(sr, binary.LittleEndian, &str); err != nil { + break + } + + key, err := r.readUTF16String(offsetToData + uint32(entryOffset) + uint32(str.Size())) + if err != nil { + break + } + valueOffset := dwordAlign(int64(2*(len(key)+1))+entryOffset+int64(str.Size()), int64(offsetToData)) + value, err := r.readUTF16String(uint32(offsetToData + uint32(valueOffset))) + if err != nil { + // couldn't read the value but still index the key + vers[key] = "" + break + } + vers[key] = value + if str.Length == 0 { + entryOffset = stringTableOffset + int64(stringTable.Length) + } else { + entryOffset = dwordAlign(int64(str.Length)+entryOffset, int64(offsetToData)) + } + } + + // these checks breaks on the entries that could lead to infinite loops + newStringtableOffset := dwordAlign(int64(stringTable.Length)+stringTableOffset, int64(offsetToData)) + if newStringtableOffset == stringTableOffset { + break + } + + stringTableOffset = newStringtableOffset + if stringTableOffset >= int64(stringFileinfo.Length) { + break + } + } + case strings.HasPrefix(fileInfoString, "VarFileInfo"): + break + default: + errs = append(errs, fmt.Errorf("unknown StringFileInfo string: %s", fileInfoString)) + break + } + // increment and align the string file info offset. Use the offset to check if we've + // consumed all the StringFileInfo and VarFileinfo items so we can break the loops + stringFileinfoOffset = dwordAlign(int64(stringFileinfo.Length)+stringFileinfoOffset, int64(offsetToData)) + if stringFileinfo.Length == 0 || stringFileinfoOffset >= int64(versionInfo.Length) { + break + } + } + } + + if len(vers) == 0 && len(errs) > 0 { + return nil, multierror.Wrap(errs) + } + + return vers, nil +} + +func (r *reader) parseVersionInfo(sr *io.SectionReader, startOffset int64, rva uint32) (resource.VersionInfo, string, error) { + if _, err := sr.Seek(startOffset, seekStart); err != nil { + return resource.VersionInfo{}, "", err + } + var versionInfo resource.VersionInfo + if err := binary.Read(sr, binary.LittleEndian, &versionInfo); err != nil { + return resource.VersionInfo{}, "", err + } + versionString, err := r.readUTF16String(rva + uint32(versionInfo.Size())) + if err != nil || versionString != "VS_VERSION_INFO" { + return resource.VersionInfo{}, "", fmt.Errorf("invalid VS_VERSION_INFO block: %s", versionString) + } + return versionInfo, versionString, nil +} + +func (r *reader) parseFixedFileinfoStruct(sr *io.SectionReader, offset int64) (resource.FixedFileinfo, error) { + if _, err := sr.Seek(offset, seekStart); err != nil { + return resource.FixedFileinfo{}, err + } + var fixedFileinfo resource.FixedFileinfo + if err := binary.Read(sr, binary.LittleEndian, &fixedFileinfo); err != nil { + return resource.FixedFileinfo{}, err + } + return fixedFileinfo, nil +} + +func (r *reader) parseStringFileinfo(sr *io.SectionReader, offset int64, rva uint32) (resource.StringFileInfo, string, error) { + var stringFileinfo resource.StringFileInfo + if _, err := sr.Seek(offset, seekStart); err != nil { + return resource.StringFileInfo{}, "", err + } + if err := binary.Read(sr, binary.LittleEndian, &stringFileinfo); err != nil { + return resource.StringFileInfo{}, "", fmt.Errorf("couldn't parse StringFileInfo/VarFileInfo structure: %v", err) + } + str, err := r.readUTF16String(rva) + if err != nil { + return resource.StringFileInfo{}, "", fmt.Errorf("couldn't read StringFileInfo unicode string at RVA 0x%x: %v", rva, err) + } + return stringFileinfo, str, nil +} + +func (r *reader) parseStringTable(sr *io.SectionReader, offset int64, rva uint32) (resource.StringTable, string, error) { + if _, err := sr.Seek(offset, seekStart); err != nil { + return resource.StringTable{}, "", err + } + var stringTable resource.StringTable + if err := binary.Read(sr, binary.LittleEndian, &stringTable); err != nil { + return resource.StringTable{}, "", fmt.Errorf("couldn't parse StringTable structure: %v", err) + } + langID, err := r.readUTF16String(rva + uint32(stringTable.Size())) + if err != nil { + return resource.StringTable{}, "", fmt.Errorf("couldn't read StringTable unicode string at RVA 0x%x: %v", rva+uint32(stringTable.Size()), err) + } + return stringTable, langID, nil +} diff --git a/pkg/pe/resources_test.go b/pkg/pe/resources_test.go new file mode 100644 index 000000000..0260aef76 --- /dev/null +++ b/pkg/pe/resources_test.go @@ -0,0 +1,19 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package pe diff --git a/pkg/pe/section.go b/pkg/pe/section.go new file mode 100644 index 000000000..13a770e43 --- /dev/null +++ b/pkg/pe/section.go @@ -0,0 +1,157 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package pe + +import ( + "context" + "crypto/md5" + "debug/pe" + "encoding/hex" + "fmt" + "os" + "sync" + "time" +) + +// Sec contains the section attributes. +type Sec struct { + Name string + Size uint32 + Entropy float64 + Md5 string +} + +// String returns the stirng representation of the section. +func (s Sec) String() string { + return fmt.Sprintf("Name: %s, Size: %d, Entropy: %f, Md5: %s", s.Name, s.Size, s.Entropy, s.Md5) +} + +func (r *reader) FindOffsetByRVA(rva uint32) (int64, error) { + sec, err := r.FindSectionByRVA(rva) + if err != nil { + return 0, err + } + offset := int64(rva - r.fixSectionAlignment(sec.VirtualAddress) + r.fixFileAlignment(sec.Offset)) + return offset, nil +} + +func (r *reader) FindSectionByRVA(rva uint32) (*pe.Section, error) { + for _, s := range r.sections { + if r.containsRVA(s, rva) { + return s, nil + } + } + return nil, fmt.Errorf("couldn't find section at RVA 0x%x", rva) +} + +func (r *reader) readSections(pefile *pe.File) []Sec { + secs := pefile.Sections + sections := make([]Sec, 0, len(secs)) + var wg sync.WaitGroup + + if r.config.ReadSections { + wg.Add(len(secs)) + } + for i := 0; i < len(secs); i++ { + s := secs[i] + if s == nil { + continue + } + + sec := Sec{ + Name: s.Name, + Size: s.Size, + } + + if r.config.ReadSections { + ctx, cancel := context.WithTimeout(context.Background(), time.Millisecond*250) + go func(wg *sync.WaitGroup, cancel context.CancelFunc) { + defer cancel() + data, err := s.Data() + if err != nil { + return + } + sum := md5.Sum(data) + sec.Md5 = hex.EncodeToString(sum[:]) + //sec.Entropy = entropy(data) + sections = append(sections, sec) + }(&wg, cancel) + + select { + case <-ctx.Done(): + wg.Done() + } + } else { + sections = append(sections, sec) + } + + } + + if r.config.ReadSections { + wg.Wait() + } + + return sections +} + +// containsRVA determines whether the section contains the address provided by checking the boundaries +// of the section address intervals. +func (r *reader) containsRVA(sec *pe.Section, rva uint32) bool { + va := r.fixSectionAlignment(sec.VirtualAddress) + if va <= rva && rva < va+sec.Size { + return true + } + return false +} + +// fixSecAlignment ensures the alignment of the section is greater or equal to the file alignment. +func (r *reader) fixSectionAlignment(rva uint32) uint32 { + var fa uint32 + var sa uint32 + switch hdr := r.oh.(type) { + case *pe.OptionalHeader32: + fa = hdr.FileAlignment + sa = hdr.SectionAlignment + case *pe.OptionalHeader64: + fa = hdr.FileAlignment + sa = hdr.SectionAlignment + } + if int(sa) < os.Getpagesize() { + sa = fa + } + if sa > 0 && (rva%fa) != 0 { + return sa * (rva / sa) + } + return rva +} + +// fixFileAlignment adjusts section file alignment. +func (r *reader) fixFileAlignment(rva uint32) uint32 { + var fa uint32 + switch hdr := r.oh.(type) { + case *pe.OptionalHeader32: + fa = hdr.FileAlignment + case *pe.OptionalHeader64: + fa = hdr.FileAlignment + } + if fa < 0x200 { + return rva + } + return (rva / 0x200) * 0x200 +} diff --git a/pkg/pe/section_test.go b/pkg/pe/section_test.go new file mode 100644 index 000000000..0260aef76 --- /dev/null +++ b/pkg/pe/section_test.go @@ -0,0 +1,19 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package pe diff --git a/pkg/pe/types.go b/pkg/pe/types.go new file mode 100644 index 000000000..c736b1761 --- /dev/null +++ b/pkg/pe/types.go @@ -0,0 +1,94 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package pe + +import ( + "fmt" + "time" +) + +// PE contains various headers that identifies the format and characteristics of the executable files. +type PE struct { + // NumberOfSections designates the total number of sections found withing the binary. + NumberOfSections uint16 `json:"nsections"` + // NumberOfSymbols represents the total number of symbols. + NumberOfSymbols uint32 `json:"nsymbols"` + // ImageBase designates the base address of the process' image. + ImageBase string `json:"image_base"` + // Entrypoint is the address of the entry point function. + EntryPoint string `json:"entry_point"` + // LinkTime represents the time that the image was created by the linker. + LinkTime time.Time `json:"link_time"` + // Sections contains all distinct sections and their metadata. + Sections []Sec `json:"sections"` + // Symbols contains the list of imported symbols. + Symbols []string `json:"symbols"` + // Imports contains the imported libraries. + Imports []string `json:"imports"` + // VersionResources holds the version resources + VersionResources map[string]string `json:"resources"` +} + +// String returns the string representation of the PE metadata. +func (pe PE) String() string { + return fmt.Sprintf(` + Number of sections: %d + Number of symbols: %d + Image base: %s + Entrypoint: %s + Link time: %v + Sections: %v + Symbols: %v + Imports: %v + Version resources: %v + `, + pe.NumberOfSections, + pe.NumberOfSymbols, + pe.ImageBase, + pe.EntryPoint, + pe.LinkTime, + pe.Sections, + pe.Symbols, + pe.Imports, + pe.VersionResources, + ) +} + +// Section returns the section with specified name. +func (pe *PE) Section(s string) *Sec { + for _, sec := range pe.Sections { + if sec.Name == s { + return &sec + } + } + return nil +} + +func (pe *PE) addImport(i string) { + for _, imp := range pe.Imports { + if imp == i { + return + } + } + pe.Imports = append(pe.Imports, i) +} + +func (pe *PE) addSymbol(s string) { + pe.Symbols = append(pe.Symbols, s) +} diff --git a/pkg/ps/doc.go b/pkg/ps/doc.go new file mode 100644 index 000000000..5b25018b9 --- /dev/null +++ b/pkg/ps/doc.go @@ -0,0 +1,20 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +// Package ps contains process's state snapshotter implementation. +package ps diff --git a/pkg/ps/peb.go b/pkg/ps/peb.go new file mode 100644 index 000000000..91803525f --- /dev/null +++ b/pkg/ps/peb.go @@ -0,0 +1,148 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ps + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/rabbitstack/fibratus/pkg/syscall/process" + "strings" + "syscall" + "unicode/utf16" + "unsafe" +) + +const ( + maxEnvSize = 4096 +) + +// PEB contains various process's metadata from the Process Environment Block (PEB). PEB is an opaque data structure +// that contains information that apply across a whole process, including global context, startup parameters, data structures +// for the program image loader, the program image base address, and synchronization objects used to provide mutual exclusion +// for process-wide data structures. Although it is not encouraged to access this structure due to its unstable nature, some +// process's information like command line or environments strings are only available through Process Environment Block fields. +type PEB struct { + peb *process.PEB + handle handle.Handle + procParams *process.RTLUserProcessParameters +} + +// ReadPEB queries the process's basic information class structures and copies the PEB into +// the current process's address space. Returns the reference to the PEB of the process that is being queried. +func ReadPEB(handle handle.Handle) (*PEB, error) { + buf := make([]byte, unsafe.Sizeof(process.BasicInformation{})) + _, err := process.QueryInfo(handle, process.BasicInformationClass, buf) + if err != nil { + return nil, fmt.Errorf("couldn't query process information: %v", err) + } + info := (*process.BasicInformation)(unsafe.Pointer(&buf[0])) + // read the PEB to get the process parameters. Because the PEB structure resides + // in the address space of another process we must read the memory block in order + // to access the structure's fields. + peb, err := process.ReadMemory(handle, unsafe.Pointer(info.PEB), unsafe.Sizeof(process.PEB{})) + if err != nil { + return nil, fmt.Errorf("coulnd't read PEB: %v", err) + } + return &PEB{peb: (*process.PEB)(unsafe.Pointer(&peb[0])), handle: handle}, nil +} + +func (p PEB) GetImage() string { + params, err := p.readProcessParams() + if err != nil { + return "" + } + image, err := process.ReadMemoryUnicode(p.handle, unsafe.Pointer(params.ImagePathName.Buffer), uintptr(params.ImagePathName.Length)) + if err != nil { + return "" + } + return syscall.UTF16ToString(image) +} + +func (p PEB) GetCommandLine() string { + params, err := p.readProcessParams() + if err != nil { + return "" + } + comm, err := process.ReadMemoryUnicode(p.handle, unsafe.Pointer(params.CommandLine.Buffer), uintptr(params.CommandLine.Length)) + if err != nil { + return "" + } + return syscall.UTF16ToString(comm) +} + +func (p PEB) GetCurrentWorkingDirectory() string { + params, err := p.readProcessParams() + if err != nil { + return "" + } + cwd, err := process.ReadMemoryUnicode(p.handle, unsafe.Pointer(params.CurrentDirectory.DosPath.Buffer), uintptr(params.CurrentDirectory.DosPath.Length)) + if err != nil { + return "" + } + return syscall.UTF16ToString(cwd) +} + +func (p PEB) GetEnvs() map[string]string { + params, err := p.readProcessParams() + if err != nil { + return nil + } + // we can read the whole memory region starting from the env address + // and speculate the size of the env block, but we just use a fixed + // buffer size + s, err := process.ReadMemoryUnicode(p.handle, unsafe.Pointer(params.Environment), uintptr(maxEnvSize)) + if err != nil { + return nil + } + envs := make(map[string]string) + start, end := 0, 0 + for i, r := range s { + // each env variable key/value pair terminates with the NUL character + if r == 0 { + end = i + } + if end > start { + // the next token starts with a NUL character + // which means we have consumed all env variables + if s[start] == 0 { + break + } + env := string(utf16.Decode(s[start:end])) + if kv := strings.Split(env, "="); len(kv) == 2 { + envs[kv[0]] = kv[1] + } + start = end + 1 + } + } + return envs +} + +// readProcessParams reads the `RtlUserProcessParameters` struct +// which contains the command line and the image name of the process +func (p *PEB) readProcessParams() (*process.RTLUserProcessParameters, error) { + if p.procParams != nil { + return p.procParams, nil + } + b, err := process.ReadMemory(p.handle, unsafe.Pointer(p.peb.ProcessParameters), unsafe.Sizeof(process.RTLUserProcessParameters{})) + if err != nil { + return nil, fmt.Errorf("couldn't read process's parameters from PEB: %v", err) + } + p.procParams = (*process.RTLUserProcessParameters)(unsafe.Pointer(&b[0])) + return p.procParams, nil +} diff --git a/pkg/ps/peb_test.go b/pkg/ps/peb_test.go new file mode 100644 index 000000000..155007d2c --- /dev/null +++ b/pkg/ps/peb_test.go @@ -0,0 +1,42 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ps + +import ( + "github.com/rabbitstack/fibratus/pkg/syscall/process" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "os" + "path/filepath" + "testing" +) + +func TestPEBGetCurrentWorkingDirectory(t *testing.T) { + flags := process.QueryInformation | process.VMRead + handle, err := process.Open(flags, false, uint32(os.Getpid())) + if err != nil { + t.Fatal(err) + } + peb, err := ReadPEB(handle) + require.NoError(t, err) + + cwd := peb.GetCurrentWorkingDirectory() + require.NotEmpty(t, cwd) + assert.Equal(t, "ps", filepath.Base(cwd)) +} diff --git a/pkg/ps/snapshotter.go b/pkg/ps/snapshotter.go new file mode 100644 index 000000000..e41c4db70 --- /dev/null +++ b/pkg/ps/snapshotter.go @@ -0,0 +1,525 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ps + +import ( + "expvar" + "github.com/rabbitstack/fibratus/pkg/config" + "github.com/rabbitstack/fibratus/pkg/handle" + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/rabbitstack/fibratus/pkg/pe" + pstypes "github.com/rabbitstack/fibratus/pkg/ps/types" + hndl "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/rabbitstack/fibratus/pkg/syscall/process" + t "github.com/rabbitstack/fibratus/pkg/syscall/thread" + "github.com/rabbitstack/fibratus/pkg/syscall/winerrno" + log "github.com/sirupsen/logrus" + "os" + "path/filepath" + "strconv" + "sync" + "time" +) + +var ( + // reapPeriod specifies the interval for triggering the house keeping of dead processes + reapPeriod = time.Minute * 2 + + processLookupFailureCount = expvar.NewMap("process.lookup.failure.count") + reapedProcesses = expvar.NewInt("process.reaped") + processCount = expvar.NewInt("process.count") + threadCount = expvar.NewInt("process.thread.count") + moduleCount = expvar.NewInt("process.module.count") + pebReadErrors = expvar.NewInt("process.peb.read.errors") +) + +// Snapshotter is the interface that exposes a set of methods all process snapshotters have to satisfy. It stores the state +// of all running processes in the system including its threads, dynamically referenced libraries, handles and other +// metadata. +type Snapshotter interface { + // Write appends a new process state to the snapshotter. It takes as an input the inbound kernel event to fetch + // the basic data, but also enriches the process' state with extra metadata such as process' env variables, PE + // metadata and so on. + Write(kevt *kevent.Kevent) error + // WriteFromKcap appends a new process state to the snapshotter from the captured kernel event. + WriteFromKcap(kevt *kevent.Kevent) error + // Remove deletes process's state from the snapshotter. + Remove(kevt *kevent.Kevent) error + // Find attempts to retrieve process' state for the specified process identifier. + Find(pid uint32) *pstypes.PS + // Size returns the total number of process state items. + Size() uint32 + // Close closes process snapshotter and disposes all allocated resources. + Close() error +} + +type snapshotter struct { + mu sync.RWMutex + procs map[uint32]*pstypes.PS + quit chan struct{} + config *config.Config + handleSnap handle.Snapshotter + peReader pe.Reader + capture bool +} + +// NewSnapshotter returns a new instance of the process snapshotter. +func NewSnapshotter(handleSnap handle.Snapshotter, config *config.Config) Snapshotter { + s := &snapshotter{ + procs: make(map[uint32]*pstypes.PS), + quit: make(chan struct{}), + config: config, + handleSnap: handleSnap, + peReader: pe.NewReader(config.PE), + } + + s.mu.Lock() + defer s.mu.Unlock() + + s.handleSnap.RegisterCreateCallback(s.onHandleCreated) + s.handleSnap.RegisterDestroyCallback(s.onHandleDestroyed) + + go s.reapDeadProcesses() + + return s +} + +// NewSnapshotterFromKcap restores the snapshotter state from the kcap file. +func NewSnapshotterFromKcap(handleSnap handle.Snapshotter, config *config.Config) Snapshotter { + s := &snapshotter{ + procs: make(map[uint32]*pstypes.PS), + quit: make(chan struct{}), + config: config, + handleSnap: handleSnap, + peReader: pe.NewReader(config.PE), + capture: true, + } + + s.mu.Lock() + defer s.mu.Unlock() + + s.handleSnap.RegisterCreateCallback(s.onHandleCreated) + s.handleSnap.RegisterDestroyCallback(s.onHandleDestroyed) + + return s +} + +func (s *snapshotter) WriteFromKcap(kevt *kevent.Kevent) error { + s.mu.Lock() + defer s.mu.Unlock() + switch kevt.Type { + case ktypes.CreateProcess, ktypes.EnumProcess: + ps := kevt.PS + if ps == nil { + return nil + } + if ps.PID == winerrno.InvalidPID { + return nil + } + s.procs[ps.PID] = ps + + case ktypes.CreateThread, ktypes.EnumThread: + pid, err := kevt.Kparams.GetPid() + if err != nil { + return err + } + threadCount.Add(1) + thread := pstypes.ThreadFromKevent(unwrapThreadParams(pid, kevt)) + if ps, ok := s.procs[pid]; ok { + ps.AddThread(thread) + } + + case ktypes.LoadImage, ktypes.EnumImage: + pid, err := kevt.Kparams.GetPid() + if err != nil { + return err + } + moduleCount.Add(1) + ps, ok := s.procs[pid] + if !ok { + return nil + } + ps.AddModule(pstypes.ImageFromKevent(unwrapImageParams(kevt))) + } + return nil +} + +func (s *snapshotter) Write(kevt *kevent.Kevent) error { + s.mu.Lock() + defer s.mu.Unlock() + + switch kevt.Type { + case ktypes.CreateProcess, ktypes.EnumProcess: + pid, err := kevt.Kparams.GetPid() + if err != nil { + return err + } + // discard writing the snapshot state if the pid is already present + if _, ok := s.procs[pid]; ok { + return nil + } + processCount.Add(1) + if pid == winerrno.InvalidPID { + pid = pidFromThreadID(kevt.Tid) + } + + ps := pstypes.FromKevent(unwrapParams(pid, kevt)) + // enumerate process handles + handles, err := s.handleSnap.FindHandles(pid) + if err != nil { + log.Warnf("couldn't enumerate handles for pid (%d): %v", pid, err) + } + ps.Handles = handles + + // inspect PE metadata and attach corresponding headers + s.readPE(ps) + + // try to enum process's env variables and the cwd + flags := process.QueryInformation | process.VMRead + h, err := process.Open(flags, false, pid) + if err != nil { + kevt.PS = ps + s.procs[pid] = ps + return nil + } + defer h.Close() + + peb, err := ReadPEB(h) + if err != nil { + pebReadErrors.Add(1) + s.procs[pid] = ps + return nil + } + + ps.Envs = peb.GetEnvs() + ps.Cwd = peb.GetCurrentWorkingDirectory() + kevt.PS = ps + s.procs[pid] = ps + + case ktypes.CreateThread, ktypes.EnumThread: + pid, err := kevt.Kparams.GetPid() + if err != nil { + return err + } + threadCount.Add(1) + if pid == winerrno.InvalidPID { + threadID, _ := kevt.Kparams.GetTid() + pid = pidFromThreadID(threadID) + } + // thread can be associated with the process + // as it already exists in the map + thread := pstypes.ThreadFromKevent(unwrapThreadParams(pid, kevt)) + if ps, ok := s.procs[pid]; ok { + ps.AddThread(thread) + return nil + } + + // search for missing process and attempt to get its info + ps := s.findProcess(pid, thread) + + // enumerate process handles + handles, err := s.handleSnap.FindHandles(pid) + if err != nil { + log.Warnf("couldn't enumerate handles for pid (%d): %v", pid, err) + } + ps.Handles = handles + + s.procs[pid] = ps + + case ktypes.LoadImage, ktypes.EnumImage: + pid, err := kevt.Kparams.GetPid() + if err != nil { + return err + } + moduleCount.Add(1) + ps, ok := s.procs[pid] + if !ok { + return nil + } + ps.AddModule(pstypes.ImageFromKevent(unwrapImageParams(kevt))) + } + return nil +} + +func (s *snapshotter) Close() error { + s.quit <- struct{}{} + return nil +} + +// reapDeadProcesses periodically scans the map of the snapshot's processes and removes +// any terminated processes from it. This guarantees that any leftovers are cleaned-up +// in case we miss process' terminate events. +func (s *snapshotter) reapDeadProcesses() { + tick := time.NewTicker(reapPeriod) + for { + select { + case <-tick.C: + s.mu.Lock() + ss := len(s.procs) + log.Debugf("scanning for dead processes on the snapshot of %d items", ss) + + for pid := range s.procs { + h, err := process.Open(process.QueryLimitedInformation, false, pid) + if err != nil { + continue + } + if !process.IsAlive(h) { + delete(s.procs, pid) + } + h.Close() + } + + if ss > len(s.procs) { + reaped := ss - len(s.procs) + reapedProcesses.Add(int64(reaped)) + log.Debugf("%d dead process(es) reaped", reaped) + } + s.mu.Unlock() + case <-s.quit: + tick.Stop() + } + } +} + +func pidFromThreadID(tid uint32) uint32 { + h, err := t.Open(t.QueryLimitedInformation, false, tid) + if err != nil { + return winerrno.InvalidPID + } + defer h.Close() + pid, err := process.GetPIDFromThread(h) + if err != nil { + return winerrno.InvalidPID + } + return pid +} + +func ntoskrnl() string { return filepath.Join(os.Getenv("SystemRoot"), "ntoskrnl.exe") } + +func fromPEB(pid, ppid uint32, peb *PEB, thread pstypes.Thread) *pstypes.PS { + return pstypes.NewPS( + pid, + ppid, + peb.GetImage(), + peb.GetCurrentWorkingDirectory(), + peb.GetCommandLine(), + thread, + peb.GetEnvs(), + ) +} + +func (s *snapshotter) findProcess(pid uint32, thread pstypes.Thread) *pstypes.PS { + // several system protected processes don't allow for getting their handles + // even if SeDebugPrivilege is present in the process' token, so we'll handle + // them manually + switch pid { + case 0: + return pstypes.NewPS(pid, pid, "idle", "", "idle", thread, nil) + case 4: + return pstypes.NewPS(pid, pid, "System", "", ntoskrnl(), thread, nil) + } + flags := process.QueryInformation | process.VMRead + h, err := process.Open(flags, false, pid) + if err != nil { + // the access to protected / system process can't be achieved through + // `VMRead` or `QueryInformation` flags. + // Try to acquire the process handle again but with restricted access rights, + // so we can get the process image file name + h, err = process.Open( + process.QueryLimitedInformation, + false, + pid, + ) + if err != nil { + return pstypes.NewPS(pid, pid, "", "", "", thread, nil) + } + } + defer h.Close() + + // read process's metadata from the PEB + peb, err := ReadPEB(h) + if err != nil { + pebReadErrors.Add(1) + // couldn't query process basic info or read the PEB, + // so at least try to obtain the full process's image name + image, err := process.QueryFullImageName(h) + if err != nil { + return pstypes.NewPS(pid, pid, "", "", "", thread, nil) + } + return pstypes.NewPS(pid, pid, image, "", image, thread, nil) + } + ppid := process.GetParentPID(h) + + return fromPEB(pid, ppid, peb, thread) +} + +func (s *snapshotter) readPE(ps *pstypes.PS) { + // skip imageless processes such as Idle, System or Registry + pid := ps.PID + if pid == 0 || pid == 4 || pid == 72 || pid == 128 { + return + } + pex, err := s.peReader.Read(ps.Exe) + if err != nil { + log.Warnf("fail to inspect PE metadata for process %s (%d): %v", ps.Name, ps.PID, err) + return + } + + if pex == nil { + return + } + + ps.PE = pex + s.procs[pid] = ps +} + +func (s *snapshotter) onHandleCreated(pid uint32, handle htypes.Handle) { + s.mu.RLock() + ps, ok := s.procs[pid] + s.mu.RUnlock() + if ok { + s.mu.Lock() + defer s.mu.Unlock() + ps.AddHandle(handle) + s.procs[pid] = ps + } +} + +func (s *snapshotter) onHandleDestroyed(pid uint32, num hndl.Handle) { + s.mu.RLock() + ps, ok := s.procs[pid] + s.mu.RUnlock() + if ok { + s.mu.Lock() + defer s.mu.Unlock() + ps.RemoveHandle(num) + s.procs[pid] = ps + } +} + +func (s *snapshotter) Remove(kevt *kevent.Kevent) error { + s.mu.Lock() + defer s.mu.Unlock() + pid, err := kevt.Kparams.GetPid() + if err != nil { + return err + } + if kevt.Type == ktypes.TerminateProcess { + if _, ok := s.procs[pid]; ok { + delete(s.procs, pid) + processCount.Add(-1) + return nil + } + } else if kevt.Type == ktypes.TerminateThread { + if ps, ok := s.procs[pid]; ok { + tid, err := kevt.Kparams.GetTid() + if err != nil { + return err + } + ps.RemoveThread(tid) + threadCount.Add(-1) + } + } else if kevt.Type == ktypes.UnloadImage { + pid, err := kevt.Kparams.GetPid() + if err != nil { + return err + } + if ps, ok := s.procs[pid]; ok { + name, _ := kevt.Kparams.GetString(kparams.ImageFilename) + ps.RemoveModule(name) + moduleCount.Add(-1) + } + } + return nil +} + +func (s *snapshotter) Find(pid uint32) *pstypes.PS { + s.mu.RLock() + ps, ok := s.procs[pid] + s.mu.RUnlock() + if ok { + return ps + } + if s.capture { + return nil + } + processLookupFailureCount.Add(strconv.Itoa(int(pid)), 1) + // allocate missing process's state and fill in metadata/handles + thread := pstypes.Thread{} + ps = s.findProcess(pid, thread) + + s.readPE(ps) + + // enumerate process handles + handles, err := s.handleSnap.FindHandles(pid) + if err != nil { + log.Warnf("couldn't enumerate handles for pid (%d): %v", pid, err) + } + + ps.Handles = handles + s.mu.Lock() + defer s.mu.Unlock() + s.procs[pid] = ps + + return ps +} + +func (s *snapshotter) Size() uint32 { + s.mu.RLock() + defer s.mu.RUnlock() + return uint32(len(s.procs)) +} + +func unwrapParams(pid uint32, kevt *kevent.Kevent) (uint32, uint32, string, string, string, string, uint8) { + ppid, _ := kevt.Kparams.GetPid() + name, _ := kevt.Kparams.GetString(kparams.ProcessName) + comm, _ := kevt.Kparams.GetString(kparams.Comm) + exe, _ := kevt.Kparams.GetString(kparams.Exe) + sid, _ := kevt.Kparams.GetString(kparams.UserSID) + sessionID, _ := kevt.Kparams.GetUint32(kparams.SessionID) + + return pid, ppid, name, comm, exe, sid, uint8(sessionID) +} + +func unwrapThreadParams(pid uint32, kevt *kevent.Kevent) (uint32, uint32, kparams.Hex, kparams.Hex, kparams.Hex, kparams.Hex, uint8, uint8, uint8, kparams.Hex) { + tid, _ := kevt.Kparams.GetTid() + ustackBase, _ := kevt.Kparams.GetHex(kparams.UstackBase) + ustackLimit, _ := kevt.Kparams.GetHex(kparams.UstackLimit) + kstackBase, _ := kevt.Kparams.GetHex(kparams.KstackBase) + kstackLimit, _ := kevt.Kparams.GetHex(kparams.KstackLimit) + ioPrio, _ := kevt.Kparams.GetUint8(kparams.IOPrio) + basePrio, _ := kevt.Kparams.GetUint8(kparams.BasePrio) + pagePrio, _ := kevt.Kparams.GetUint8(kparams.PagePrio) + entrypoint, _ := kevt.Kparams.GetHex(kparams.ThreadEntrypoint) + + return pid, tid, ustackBase, ustackLimit, kstackBase, kstackLimit, ioPrio, basePrio, pagePrio, entrypoint +} + +func unwrapImageParams(kevt *kevent.Kevent) (uint32, uint32, string, kparams.Hex, kparams.Hex) { + size, _ := kevt.Kparams.GetUint32(kparams.ImageSize) + checksum, _ := kevt.Kparams.GetUint32(kparams.ImageCheckSum) + name, _ := kevt.Kparams.GetString(kparams.ImageFilename) + baseAddress, _ := kevt.Kparams.GetHex(kparams.ImageBase) + defaultBaseAddress, _ := kevt.Kparams.GetHex(kparams.ImageDefaultBase) + + return size, checksum, name, baseAddress, defaultBaseAddress +} diff --git a/pkg/ps/snapshotter_mock.go b/pkg/ps/snapshotter_mock.go new file mode 100644 index 000000000..e11508a7c --- /dev/null +++ b/pkg/ps/snapshotter_mock.go @@ -0,0 +1,44 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ps + +import ( + "github.com/rabbitstack/fibratus/pkg/kevent" + pstypes "github.com/rabbitstack/fibratus/pkg/ps/types" + "github.com/stretchr/testify/mock" +) + +type SnapshotterMock struct { + mock.Mock +} + +func (s *SnapshotterMock) Write(kevt *kevent.Kevent) error { return nil } +func (s *SnapshotterMock) Remove(kevt *kevent.Kevent) error { return nil } +func (s *SnapshotterMock) Find(pid uint32) *pstypes.PS { + args := s.Called(pid) + return args.Get(0).(*pstypes.PS) +} +func (s *SnapshotterMock) Size() uint32 { args := s.Called(); return uint32(args.Int(0)) } +func (s *SnapshotterMock) Close() error { return nil } +func (s *SnapshotterMock) GetSnapshot() []*pstypes.PS { + args := s.Called() + return args.Get(0).([]*pstypes.PS) +} + +func (s *SnapshotterMock) WriteFromKcap(kevt *kevent.Kevent) error { return nil } diff --git a/pkg/ps/snapshotter_test.go b/pkg/ps/snapshotter_test.go new file mode 100644 index 000000000..575a587ce --- /dev/null +++ b/pkg/ps/snapshotter_test.go @@ -0,0 +1,379 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ps + +import ( + "github.com/rabbitstack/fibratus/pkg/config" + "github.com/rabbitstack/fibratus/pkg/handle" + "github.com/rabbitstack/fibratus/pkg/kevent" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/kevent/ktypes" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "os" + "path/filepath" + "syscall" + "testing" + "time" +) + +func TestSnapshotterWrite(t *testing.T) { + hsnap := new(handle.SnapshotterMock) + psnap := NewSnapshotter(hsnap, &config.Config{}) + + pid := uint32(os.Getpid()) + kevt := &kevent.Kevent{ + Type: ktypes.CreateProcess, + Kparams: kevent.Kparams{ + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: pid}, + kparams.ProcessParentID: {Name: kparams.ProcessParentID, Type: kparams.PID, Value: uint32(8390)}, + kparams.ProcessName: {Name: kparams.ProcessName, Type: kparams.UnicodeString, Value: "spotify.exe"}, + kparams.Comm: {Name: kparams.Comm, Type: kparams.UnicodeString, Value: `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--metrics-dir=C:\Users\admin\AppData\Local\Spotify\User Data" --url=https://crashdump.spotify.com:443/ --annotation=platform=win32 --annotation=product=spotify --annotation=version=1.1.4.197 --initial-client-data=0x5a4,0x5a0,0x5a8,0x59c,0x5ac,0x6edcbf60,0x6edcbf70,0x6edcbf7c`}, + kparams.Exe: {Name: kparams.Exe, Type: kparams.UnicodeString, Value: `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe`}, + kparams.UserSID: {Name: kparams.UserSID, Type: kparams.UnicodeString, Value: `admin\SYSTEM`}, + }, + } + + err := psnap.Write(kevt) + require.NoError(t, err) + + ps := psnap.Find(pid) + require.NotNil(t, ps) + + assert.Equal(t, pid, ps.PID) + assert.Equal(t, uint32(8390), ps.Ppid) + assert.Equal(t, "spotify.exe", ps.Name) + assert.Equal(t, `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--metrics-dir=C:\Users\admin\AppData\Local\Spotify\User Data" --url=https://crashdump.spotify.com:443/ --annotation=platform=win32 --annotation=product=spotify --annotation=version=1.1.4.197 --initial-client-data=0x5a4,0x5a0,0x5a8,0x59c,0x5ac,0x6edcbf60,0x6edcbf70,0x6edcbf7c`, ps.Comm) + assert.Equal(t, `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe`, ps.Exe) + assert.Equal(t, `admin\SYSTEM`, ps.SID) + assert.Len(t, ps.Args, 13) + assert.Equal(t, "--type=crashpad-handler", ps.Args[0]) + assert.Equal(t, "ps", filepath.Base(ps.Cwd)) + assert.True(t, len(ps.Envs) > 0) +} + +func TestSnapshotterWriteNoPIDInParams(t *testing.T) { + hsnap := new(handle.SnapshotterMock) + psnap := NewSnapshotter(hsnap, &config.Config{}) + + kevt := &kevent.Kevent{ + Type: ktypes.CreateProcess, + Kparams: kevent.Kparams{ + kparams.ProcessParentID: {Name: kparams.ProcessParentID, Type: kparams.PID, Value: uint32(8390)}, + kparams.ProcessName: {Name: kparams.ProcessName, Type: kparams.UnicodeString, Value: "spotify.exe"}, + kparams.Comm: {Name: kparams.Comm, Type: kparams.UnicodeString, Value: `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--metrics-dir=C:\Users\admin\AppData\Local\Spotify\User Data" --url=https://crashdump.spotify.com:443/ --annotation=platform=win32 --annotation=product=spotify --annotation=version=1.1.4.197 --initial-client-data=0x5a4,0x5a0,0x5a8,0x59c,0x5ac,0x6edcbf60,0x6edcbf70,0x6edcbf7c`}, + kparams.Exe: {Name: kparams.Exe, Type: kparams.UnicodeString, Value: `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe`}, + kparams.UserSID: {Name: kparams.UserSID, Type: kparams.UnicodeString, Value: `admin\SYSTEM`}, + }, + } + + require.Error(t, psnap.Write(kevt)) +} + +func TestSnapshotterWriteThread(t *testing.T) { + hsnap := new(handle.SnapshotterMock) + psnap := NewSnapshotter(hsnap, &config.Config{}) + + kevt := &kevent.Kevent{ + Type: ktypes.CreateProcess, + Kparams: kevent.Kparams{ + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(6599)}, + kparams.ProcessParentID: {Name: kparams.ProcessParentID, Type: kparams.PID, Value: uint32(8390)}, + kparams.ProcessName: {Name: kparams.ProcessName, Type: kparams.UnicodeString, Value: "spotify.exe"}, + kparams.Comm: {Name: kparams.Comm, Type: kparams.UnicodeString, Value: `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--metrics-dir=C:\Users\admin\AppData\Local\Spotify\User Data" --url=https://crashdump.spotify.com:443/ --annotation=platform=win32 --annotation=product=spotify --annotation=version=1.1.4.197 --initial-client-data=0x5a4,0x5a0,0x5a8,0x59c,0x5ac,0x6edcbf60,0x6edcbf70,0x6edcbf7c`}, + kparams.Exe: {Name: kparams.Exe, Type: kparams.UnicodeString, Value: `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe`}, + kparams.UserSID: {Name: kparams.UserSID, Type: kparams.UnicodeString, Value: `admin\SYSTEM`}, + }, + } + require.NoError(t, psnap.Write(kevt)) + + kevt1 := &kevent.Kevent{ + Type: ktypes.CreateThread, + Kparams: kevent.Kparams{ + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(6599)}, + kparams.ThreadID: {Name: kparams.ThreadID, Type: kparams.TID, Value: uint32(3453)}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Uint8, Value: uint8(13)}, + kparams.ThreadEntrypoint: {Name: kparams.ThreadEntrypoint, Type: kparams.HexInt64, Value: kparams.Hex("0x7ffe2557ff80")}, + kparams.IOPrio: {Name: kparams.IOPrio, Type: kparams.Uint8, Value: uint8(2)}, + kparams.KstackBase: {Name: kparams.KstackBase, Type: kparams.HexInt64, Value: kparams.Hex("0xffffc307810d6000")}, + kparams.KstackLimit: {Name: kparams.KstackLimit, Type: kparams.HexInt64, Value: kparams.Hex("0xffffc307810cf000")}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(5)}, + kparams.UstackBase: {Name: kparams.UstackBase, Type: kparams.HexInt64, Value: kparams.Hex("0x5260000")}, + kparams.UstackLimit: {Name: kparams.UstackLimit, Type: kparams.HexInt64, Value: kparams.Hex("0x525f000")}, + }, + } + + require.NoError(t, psnap.Write(kevt1)) + + ps := psnap.Find(uint32(6599)) + require.NotNil(t, ps) + + require.Len(t, ps.Threads, 1) + + thread := ps.Threads[3453] + + assert.Equal(t, uint32(3453), thread.Tid) + assert.Equal(t, uint32(6599), thread.Pid) + assert.Equal(t, uint8(13), thread.BasePrio) + assert.Equal(t, kparams.Hex("0x7ffe2557ff80"), thread.Entrypoint) + assert.Equal(t, uint8(2), thread.IOPrio) + assert.Equal(t, uint8(5), thread.PagePrio) + assert.Equal(t, kparams.Hex("0xffffc307810d6000"), thread.KstackBase) + assert.Equal(t, kparams.Hex("0xffffc307810cf000"), thread.KstackLimit) + assert.Equal(t, kparams.Hex("0x5260000"), thread.UstackBase) + assert.Equal(t, kparams.Hex("0x525f000"), thread.UstackLimit) +} + +func TestSnapshotterWriteThreadPIDInParams(t *testing.T) { + hsnap := new(handle.SnapshotterMock) + psnap := NewSnapshotter(hsnap, &config.Config{}) + + kevt := &kevent.Kevent{ + Type: ktypes.CreateThread, + Kparams: kevent.Kparams{ + kparams.ProcessParentID: {Name: kparams.ProcessParentID, Type: kparams.PID, Value: uint32(8390)}, + kparams.ThreadID: {Name: kparams.ThreadID, Type: kparams.TID, Value: uint32(3453)}, + }, + } + + require.Error(t, psnap.Write(kevt)) +} + +func TestSnapshotterWritePSThreadMissingProc(t *testing.T) { + hsnap := new(handle.SnapshotterMock) + psnap := NewSnapshotter(hsnap, &config.Config{}) + + pid := uint32(os.Getpid()) + kevt := &kevent.Kevent{ + Type: ktypes.CreateThread, + Kparams: kevent.Kparams{kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: pid}}, + } + + err := psnap.Write(kevt) + require.NoError(t, err) + + ps := psnap.Find(pid) + require.NotNil(t, ps) + assert.Equal(t, pid, ps.PID) + assert.Contains(t, ps.Name, "TestSnapshotterWritePSThreadMissingProc_in_github_com_rabbitstack_fibratus_pkg_ps.exe") + assert.True(t, len(ps.Envs) > 0) +} + +func TestSnapshotterWritePSThreadMissingProcIdle(t *testing.T) { + hsnap := new(handle.SnapshotterMock) + psnap := NewSnapshotter(hsnap, &config.Config{}) + + kevt := &kevent.Kevent{ + Type: ktypes.CreateThread, + Kparams: kevent.Kparams{kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(0)}}, + } + + err := psnap.Write(kevt) + require.NoError(t, err) +} + +func TestSnapshotterWritePSThreadMissingProtectedProc(t *testing.T) { + hsnap := new(handle.SnapshotterMock) + psnap := NewSnapshotter(hsnap, &config.Config{}) + + kevt := &kevent.Kevent{ + Type: ktypes.CreateThread, + Kparams: kevent.Kparams{kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(0)}}, + } + + err := psnap.Write(kevt) + require.NoError(t, err) +} + +func init() { + reapPeriod = time.Millisecond * 45 +} + +func TestReapDeadProcesses(t *testing.T) { + hsnap := new(handle.SnapshotterMock) + psnap := NewSnapshotter(hsnap, &config.Config{}) + defer psnap.Close() + + var si syscall.StartupInfo + var pi syscall.ProcessInformation + + argv := syscall.StringToUTF16Ptr(filepath.Join(os.Getenv("windir"), "notepad.exe")) + + err := syscall.CreateProcess( + nil, + argv, + nil, + nil, + true, + 0, + nil, + nil, + &si, + &pi) + + require.NoError(t, err) + + kevt := &kevent.Kevent{ + Type: ktypes.CreateProcess, + Kparams: kevent.Kparams{ + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: pi.ProcessId}, + kparams.ProcessParentID: {Name: kparams.ProcessParentID, Type: kparams.PID, Value: uint32(8390)}, + kparams.ProcessName: {Name: kparams.ProcessName, Type: kparams.UnicodeString, Value: "calc.exe"}, + kparams.Comm: {Name: kparams.Comm, Type: kparams.UnicodeString, Value: `c:\\windows\\system32\\calc.exe`}, + kparams.Exe: {Name: kparams.Exe, Type: kparams.UnicodeString, Value: `c:\\windows\\system32\\calc.exe`}, + kparams.UserSID: {Name: kparams.UserSID, Type: kparams.UnicodeString, Value: `admin\SYSTEM`}, + }, + } + + require.NoError(t, psnap.Write(kevt)) + + kevt1 := &kevent.Kevent{ + Type: ktypes.CreateProcess, + Kparams: kevent.Kparams{ + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(os.Getpid())}, + kparams.ProcessParentID: {Name: kparams.ProcessParentID, Type: kparams.PID, Value: uint32(8390)}, + kparams.ProcessName: {Name: kparams.ProcessName, Type: kparams.UnicodeString, Value: "spotify.exe"}, + kparams.Comm: {Name: kparams.Comm, Type: kparams.UnicodeString, Value: `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--metrics-dir=C:\Users\admin\AppData\Local\Spotify\User Data" --url=https://crashdump.spotify.com:443/ --annotation=platform=win32 --annotation=product=spotify --annotation=version=1.1.4.197 --initial-client-data=0x5a4,0x5a0,0x5a8,0x59c,0x5ac,0x6edcbf60,0x6edcbf70,0x6edcbf7c`}, + kparams.Exe: {Name: kparams.Exe, Type: kparams.UnicodeString, Value: `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe`}, + kparams.UserSID: {Name: kparams.UserSID, Type: kparams.UnicodeString, Value: `admin\SYSTEM`}, + }, + } + require.NoError(t, psnap.Write(kevt1)) + + require.True(t, psnap.Size() > 1) + require.NoError(t, syscall.TerminateProcess(pi.Process, uint32(257))) + time.Sleep(time.Millisecond * 100) + + require.True(t, psnap.Size() == 1) +} + +func TestRemove(t *testing.T) { + hsnap := new(handle.SnapshotterMock) + psnap := NewSnapshotter(hsnap, &config.Config{}) + + pid := uint32(os.Getpid()) + kevt := &kevent.Kevent{ + Type: ktypes.CreateProcess, + Kparams: kevent.Kparams{ + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: pid}, + kparams.ProcessParentID: {Name: kparams.ProcessParentID, Type: kparams.PID, Value: uint32(8390)}, + kparams.ProcessName: {Name: kparams.ProcessName, Type: kparams.UnicodeString, Value: "spotify.exe"}, + kparams.Comm: {Name: kparams.Comm, Type: kparams.UnicodeString, Value: `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--metrics-dir=C:\Users\admin\AppData\Local\Spotify\User Data" --url=https://crashdump.spotify.com:443/ --annotation=platform=win32 --annotation=product=spotify --annotation=version=1.1.4.197 --initial-client-data=0x5a4,0x5a0,0x5a8,0x59c,0x5ac,0x6edcbf60,0x6edcbf70,0x6edcbf7c`}, + kparams.Exe: {Name: kparams.Exe, Type: kparams.UnicodeString, Value: `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe`}, + kparams.UserSID: {Name: kparams.UserSID, Type: kparams.UnicodeString, Value: `admin\SYSTEM`}, + }, + } + + err := psnap.Write(kevt) + require.NoError(t, err) + + require.True(t, psnap.Size() > 0) + + err = psnap.Remove(&kevent.Kevent{ + Type: ktypes.TerminateProcess, + Kparams: kevent.Kparams{ + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: pid}, + }, + }) + require.NoError(t, err) + require.True(t, psnap.Size() == 0) +} + +func TestRemoveProcNotFound(t *testing.T) { + hsnap := new(handle.SnapshotterMock) + psnap := NewSnapshotter(hsnap, &config.Config{}) + + err := psnap.Remove(&kevent.Kevent{ + Type: ktypes.TerminateProcess, + Kparams: kevent.Kparams{ + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(4596)}, + }, + }) + require.Error(t, err) +} + +func TestRemoveNoPidInParams(t *testing.T) { + hsnap := new(handle.SnapshotterMock) + psnap := NewSnapshotter(hsnap, &config.Config{}) + + kevt := &kevent.Kevent{ + Type: ktypes.CreateProcess, + Kparams: kevent.Kparams{ + kparams.ProcessParentID: {Name: kparams.ProcessParentID, Type: kparams.PID, Value: uint32(8390)}, + kparams.ProcessName: {Name: kparams.ProcessName, Type: kparams.UnicodeString, Value: "spotify.exe"}, + kparams.Comm: {Name: kparams.Comm, Type: kparams.UnicodeString, Value: `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--metrics-dir=C:\Users\admin\AppData\Local\Spotify\User Data" --url=https://crashdump.spotify.com:443/ --annotation=platform=win32 --annotation=product=spotify --annotation=version=1.1.4.197 --initial-client-data=0x5a4,0x5a0,0x5a8,0x59c,0x5ac,0x6edcbf60,0x6edcbf70,0x6edcbf7c`}, + kparams.Exe: {Name: kparams.Exe, Type: kparams.UnicodeString, Value: `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe`}, + kparams.UserSID: {Name: kparams.UserSID, Type: kparams.UnicodeString, Value: `admin\SYSTEM`}, + }, + } + + err := psnap.Write(kevt) + require.Error(t, err) + require.True(t, psnap.Size() == 0) +} + +func TestRemoveThread(t *testing.T) { + hsnap := new(handle.SnapshotterMock) + psnap := NewSnapshotter(hsnap, &config.Config{}) + + kevt := &kevent.Kevent{ + Type: ktypes.CreateProcess, + Kparams: kevent.Kparams{ + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(6599)}, + kparams.ProcessParentID: {Name: kparams.ProcessParentID, Type: kparams.PID, Value: uint32(8390)}, + kparams.ProcessName: {Name: kparams.ProcessName, Type: kparams.UnicodeString, Value: "spotify.exe"}, + kparams.Comm: {Name: kparams.Comm, Type: kparams.UnicodeString, Value: `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--metrics-dir=C:\Users\admin\AppData\Local\Spotify\User Data" --url=https://crashdump.spotify.com:443/ --annotation=platform=win32 --annotation=product=spotify --annotation=version=1.1.4.197 --initial-client-data=0x5a4,0x5a0,0x5a8,0x59c,0x5ac,0x6edcbf60,0x6edcbf70,0x6edcbf7c`}, + kparams.Exe: {Name: kparams.Exe, Type: kparams.UnicodeString, Value: `C:\Users\admin\AppData\Roaming\Spotify\Spotify.exe`}, + kparams.UserSID: {Name: kparams.UserSID, Type: kparams.UnicodeString, Value: `admin\SYSTEM`}, + }, + } + require.NoError(t, psnap.Write(kevt)) + + kevt1 := &kevent.Kevent{ + Type: ktypes.CreateThread, + Kparams: kevent.Kparams{ + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(6599)}, + kparams.ThreadID: {Name: kparams.ThreadID, Type: kparams.TID, Value: uint32(3453)}, + kparams.BasePrio: {Name: kparams.BasePrio, Type: kparams.Uint8, Value: uint8(13)}, + kparams.ThreadEntrypoint: {Name: kparams.ThreadEntrypoint, Type: kparams.HexInt64, Value: kparams.Hex("0x7ffe2557ff80")}, + kparams.IOPrio: {Name: kparams.IOPrio, Type: kparams.Uint8, Value: uint8(2)}, + kparams.KstackBase: {Name: kparams.KstackBase, Type: kparams.HexInt64, Value: kparams.Hex("0xffffc307810d6000")}, + kparams.KstackLimit: {Name: kparams.KstackLimit, Type: kparams.HexInt64, Value: kparams.Hex("0xffffc307810cf000")}, + kparams.PagePrio: {Name: kparams.PagePrio, Type: kparams.Uint8, Value: uint8(5)}, + kparams.UstackBase: {Name: kparams.UstackBase, Type: kparams.HexInt64, Value: kparams.Hex("0x5260000")}, + kparams.UstackLimit: {Name: kparams.UstackLimit, Type: kparams.HexInt64, Value: kparams.Hex("0x525f000")}, + }, + } + + require.NoError(t, psnap.Write(kevt1)) + + ps := psnap.Find(uint32(6599)) + require.NotNil(t, ps) + require.Len(t, ps.Threads, 1) + + err := psnap.Remove(&kevent.Kevent{ + Type: ktypes.TerminateThread, + Kparams: kevent.Kparams{ + kparams.ProcessID: {Name: kparams.ProcessID, Type: kparams.PID, Value: uint32(6599)}, + kparams.ThreadID: {Name: kparams.ThreadID, Type: kparams.TID, Value: uint32(3453)}, + }, + }) + require.NoError(t, err) + require.Len(t, ps.Threads, 0) +} diff --git a/pkg/ps/types/marshaller.go b/pkg/ps/types/marshaller.go new file mode 100644 index 000000000..91c9b7652 --- /dev/null +++ b/pkg/ps/types/marshaller.go @@ -0,0 +1,334 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package types + +import ( + "fmt" + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + "github.com/rabbitstack/fibratus/pkg/kcap/section" + kcapver "github.com/rabbitstack/fibratus/pkg/kcap/version" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/pe" + "github.com/rabbitstack/fibratus/pkg/util/bytes" + "unsafe" +) + +// Marshal produces a byte stream of the process state for writing to the capture file. +func (ps *PS) Marshal() []byte { + b := make([]byte, 0) + + // write pid and ppid + b = append(b, bytes.WriteUint32(ps.PID)...) + b = append(b, bytes.WriteUint32(ps.Ppid)...) + + // write process name + b = append(b, bytes.WriteUint16(uint16(len(ps.Name)))...) + b = append(b, ps.Name...) + // write process command line + b = append(b, bytes.WriteUint16(uint16(len(ps.Comm)))...) + b = append(b, ps.Comm...) + // write full executable path + b = append(b, bytes.WriteUint16(uint16(len(ps.Exe)))...) + b = append(b, ps.Exe...) + // write current working directory + b = append(b, bytes.WriteUint16(uint16(len(ps.Cwd)))...) + b = append(b, ps.Cwd...) + // write SID + b = append(b, bytes.WriteUint16(uint16(len(ps.SID)))...) + b = append(b, ps.SID...) + + // write args + b = append(b, bytes.WriteUint16(uint16(len(ps.Args)))...) + for _, arg := range ps.Args { + b = append(b, bytes.WriteUint16(uint16(len(arg)))...) + b = append(b, arg...) + } + + // write session ID + b = append(b, ps.SessionID) + + // write env vars block + b = append(b, bytes.WriteUint16(uint16(len(ps.Envs)))...) + for k, v := range ps.Envs { + b = append(b, bytes.WriteUint16(uint16(len(k)))...) + b = append(b, k...) + b = append(b, bytes.WriteUint16(uint16(len(v)))...) + b = append(b, v...) + } + + // write handles + sec := section.New(section.Handle, kcapver.HandleSecV1, uint32(len(ps.Handles)), 0) + b = append(b, sec[:]...) + for _, handle := range ps.Handles { + buf := handle.Marshal() + b = append(b, bytes.WriteUint16(handle.Offset())...) + b = append(b, buf...) + } + + // write the PE metadata + if ps.PE != nil { + buf := ps.PE.Marshal() + sec := section.New(section.PE, kcapver.PESecV1, 0, uint32(len(buf))) + b = append(b, sec[:]...) + b = append(b, buf...) + } else { + sec := section.New(section.PE, kcapver.PESecV1, 0, 0) + b = append(b, sec[:]...) + } + + return b +} + +// Unmarshal recovers the process' state from the capture file. +func (ps *PS) Unmarshal(b []byte) error { + if len(b) < 8 { + return fmt.Errorf("expected at least 8 bytes but got %d bytes", len(b)) + } + var offset uint32 + + // read pid/ppid + ps.PID = bytes.ReadUint32(b[0:]) + ps.Ppid = bytes.ReadUint32(b[4:]) + + // read process image name + l := bytes.ReadUint16(b[8:]) + buf := b[10:] + offset = uint32(l) + ps.Name = string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l]) + + // read process cmdline + l = bytes.ReadUint16(b[10+offset:]) + buf = b[12+offset:] + offset += uint32(l) + ps.Comm = string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l]) + + // read full image path + l = bytes.ReadUint16(b[12+offset:]) + buf = b[14+offset:] + offset += uint32(l) + ps.Exe = string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l]) + + // read current working directory + l = bytes.ReadUint16(b[14+offset:]) + buf = b[16+offset:] + offset += uint32(l) + ps.Cwd = string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l]) + + // read the SID + l = bytes.ReadUint16(b[16+offset:]) + buf = b[18+offset:] + offset += uint32(l) + if len(buf) > 0 { + ps.SID = string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l]) + } + + // read args + nargs := bytes.ReadUint16(b[18+offset:]) + var aoffset uint16 + for i := 0; i < int(nargs); i++ { + l := bytes.ReadUint16(b[20+offset+uint32(aoffset):]) + buf = b[22+offset+uint32(aoffset):] + ps.Args = append(ps.Args, string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l])) + aoffset += 2 + l + } + + offset += uint32(aoffset) + // read session ID + ps.SessionID = b[20+offset] + + // read env vars + nvars := bytes.ReadUint16(b[21+offset:]) + var eoffset uint16 + for i := 0; i < int(nvars); i++ { + klen := bytes.ReadUint16(b[23+offset+uint32(eoffset):]) + buf = b[25+offset+uint32(eoffset):] + key := string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:klen:klen]) + vlen := bytes.ReadUint16(b[25+offset+uint32(eoffset)+uint32(klen):]) + buf = b[27+offset+uint32(eoffset)+uint32(klen):] + value := string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:vlen:vlen]) + ps.Envs[key] = value + eoffset += klen + vlen + 2 + 2 + } + + offset += uint32(eoffset) + + // read handles + sec := section.Read(b[23+offset:]) + offset += 10 // 10 is for the section size in bytes + var hoffset uint32 + if sec.Len() == 0 { + goto readpe + } + + for i := 0; i < int(sec.Len()); i++ { + // read handle length + l := uint32(bytes.ReadUint16(b[23+offset+hoffset:])) + + off := 25 + hoffset + offset + + handle, err := htypes.NewFromKcap(b[off : off+l]) + if err != nil { + return err + } + ps.Handles = append(ps.Handles, handle) + hoffset += l + 2 + } + +readpe: + offset += hoffset + // read PE metadata + sec = section.Read(b[23+offset:]) + if sec.Size() == 0 { + return nil + } + var err error + ps.PE, err = pe.NewFromKcap(b[33+offset:]) + if err != nil { + return err + } + + return nil +} + +// Marshal transforms the thread state to byte stream for persisting to capture files. +func (t *Thread) Marshal() []byte { + b := make([]byte, 0) + + // write thread/process ID + b = append(b, bytes.WriteUint32(t.Tid)...) + b = append(b, bytes.WriteUint32(t.Pid)...) + + // write priority fields + b = append(b, t.IOPrio) + b = append(b, t.BasePrio) + b = append(b, t.PagePrio) + + // write stack/kernel/entrypoint addresses + b = append(b, bytes.WriteUint16(uint16(len(t.UstackBase)))...) + b = append(b, t.UstackBase...) + b = append(b, bytes.WriteUint16(uint16(len(t.UstackLimit)))...) + b = append(b, t.UstackLimit...) + b = append(b, bytes.WriteUint16(uint16(len(t.KstackBase)))...) + b = append(b, t.KstackBase...) + b = append(b, bytes.WriteUint16(uint16(len(t.KstackLimit)))...) + b = append(b, t.KstackLimit...) + b = append(b, bytes.WriteUint16(uint16(len(t.Entrypoint)))...) + b = append(b, t.Entrypoint...) + + return b +} + +// Marshal produces a module byte stream state suitable for writing to capture files. +func (m *Module) Marshal() []byte { + b := make([]byte, 0) + + // write size and checksum + b = append(b, bytes.WriteUint32(m.Size)...) + b = append(b, bytes.WriteUint32(m.Checksum)...) + + // write image name + b = append(b, bytes.WriteUint16(uint16(len(m.Name)))...) + b = append(b, m.Name...) + + // write addresses + b = append(b, bytes.WriteUint16(uint16(len(m.BaseAddress)))...) + b = append(b, m.BaseAddress...) + b = append(b, bytes.WriteUint16(uint16(len(m.DefaultBaseAddress)))...) + b = append(b, m.DefaultBaseAddress...) + + return b +} + +func (t *Thread) Unmarshal(b []byte) (uint16, error) { + if len(b) < 11 { + return 0, fmt.Errorf("expected at least 11 bytes but got %d", len(b)) + } + + // read tid and pid + t.Tid = bytes.ReadUint32(b[0:]) + t.Pid = bytes.ReadUint32(b[4:]) + + // read priorities + t.IOPrio = b[8] + t.BasePrio = b[9] + t.PagePrio = b[10] + + // read user space stack base address + l := bytes.ReadUint16(b[11:]) + buf := b[13:] + offset := l + t.UstackBase = kparams.Hex(string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l])) + + // read user space stack limit + l = bytes.ReadUint16(b[13+offset:]) + buf = b[15+offset:] + offset += l + t.UstackLimit = kparams.Hex(string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l])) + + // read kernel space stack base address + l = bytes.ReadUint16(b[15+offset:]) + buf = b[17+offset:] + offset += l + t.KstackBase = kparams.Hex(string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l])) + + // read kernel space stack limit + l = bytes.ReadUint16(b[17+offset:]) + buf = b[19+offset:] + offset += l + t.KstackLimit = kparams.Hex(string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l])) + + // read entry point address + l = bytes.ReadUint16(b[19+offset:]) + buf = b[21+offset:] + offset += l + t.Entrypoint = kparams.Hex(string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l])) + + return offset + 21, nil +} + +// Unmarshal reconstructs module state from the byte stream. +func (m *Module) Unmarshal(b []byte) (uint16, error) { + if len(b) < 11 { + return 0, fmt.Errorf("expected at least 11 bytes but got %d", len(b)) + } + + // read size + m.Size = bytes.ReadUint32(b[0:]) + // read checksum + m.Checksum = bytes.ReadUint32(b[4:]) + + // read DLL full path + length := bytes.ReadUint16(b[8:]) + buf := b[10:] + offset := length + m.Name = string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:length:length]) + + // read addresses + length = bytes.ReadUint16(b[10+offset:]) + buf = b[12+offset:] + offset += length + m.BaseAddress = kparams.Hex(string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:length:length])) + + length = bytes.ReadUint16(b[12+offset:]) + buf = b[14+offset:] + offset += length + m.DefaultBaseAddress = kparams.Hex(string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:length:length])) + + return offset + 14, nil +} diff --git a/pkg/ps/types/marshaller_test.go b/pkg/ps/types/marshaller_test.go new file mode 100644 index 000000000..43141650a --- /dev/null +++ b/pkg/ps/types/marshaller_test.go @@ -0,0 +1,97 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package types + +import ( + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "testing" +) + +func TestPSMarshaler(t *testing.T) { + ps := &PS{ + PID: 2436, + Ppid: 6304, + Name: "firefox.exe", + Exe: `C:\Program Files\Mozilla Firefox\firefox.exe`, + Comm: `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, + Cwd: `C:\Program Files\Mozilla Firefox\`, + SID: "archrabbit\\SYSTEM", + Args: []string{"-contentproc", `--channel="6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, + SessionID: 4, + Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, + Handles: []htypes.Handle{ + {Num: handle.Handle(0xffffd105e9baaf70), + Name: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, + Type: "Key", + Object: 777488883434455544, + Pid: uint32(1023), + }, + { + Num: handle.Handle(0xffffd105e9adaf70), + Name: `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, + Type: "ALPC Port", + Pid: uint32(1023), + MD: &htypes.AlpcPortInfo{ + Seqno: 1, + Context: 0x0, + Flags: 0x0, + }, + Object: 457488883434455544, + }, + { + Num: handle.Handle(0xeaffd105e9adaf30), + Name: `C:\Users\bunny`, + Type: "File", + Pid: uint32(1023), + MD: &htypes.FileInfo{ + IsDirectory: true, + }, + Object: 357488883434455544, + }, + }, + } + + b := ps.Marshal() + clone, err := NewFromKcap(b) + require.NoError(t, err) + + assert.Equal(t, uint32(2436), clone.PID) + assert.Equal(t, uint32(6304), clone.Ppid) + assert.Equal(t, "firefox.exe", clone.Name) + assert.Equal(t, `C:\Program Files\Mozilla Firefox\firefox.exe`, clone.Exe) + assert.Equal(t, `C:\Program Files\Mozilla Firefox\firefox.exe -contentproc --channel="6304.3.1055809391\1014207667" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2580 -prefsLen 70 -prefMapSize 216993 -parentBuildID 20200107212822 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 6304 "\\.\pipe\gecko-crash-server-pipe.6304" 2596 tab`, clone.Comm) + assert.Equal(t, `C:\Program Files\Mozilla Firefox\`, clone.Cwd) + assert.Equal(t, "archrabbit\\SYSTEM", clone.SID) + assert.Equal(t, []string{"-contentproc", `--channel="6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, clone.Args) + assert.Equal(t, uint8(4), clone.SessionID) + assert.Equal(t, map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, clone.Envs) + + require.Len(t, clone.Handles, 3) + + alpc := clone.Handles[1] + assert.Equal(t, "ALPC Port", alpc.Type) + assert.Equal(t, `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, alpc.Name) + assert.IsType(t, &htypes.AlpcPortInfo{}, alpc.MD) + + md := alpc.MD.(*htypes.AlpcPortInfo) + assert.Equal(t, uint32(1), md.Seqno) +} diff --git a/pkg/ps/types/types.go b/pkg/ps/types/types.go new file mode 100644 index 000000000..30049fc05 --- /dev/null +++ b/pkg/ps/types/types.go @@ -0,0 +1,293 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package types + +import ( + "fmt" + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/pe" + hndl "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "path/filepath" + "strings" + "sync" +) + +// PS encapsulates process' state such as allocated resources and other metadata. +type PS struct { + mu sync.RWMutex + // PID is the identifier of this process. This value is valid from the time a process is created until it is terminated. + PID uint32 `json:"pid"` + // Ppipd represents the parent of this process. Process identifier numbers are reused, so they only identify a process + // for the lifetime of that process. It is possible that the process identified by `Ppid` is terminated, + // so `Ppid` may not refer to a running process. It is also possible that `Ppid` incorrectly refers + // to a process that reuses a process identifier. + Ppid uint32 `json:"ppid"` + // Name is the process' image name including file extension (e.g. cmd.exe) + Name string `json:"name"` + // Comm is the full process' command line (e.g. C:\Windows\system32\cmd.exe /cdir /-C /W) + Comm string `json:"comm"` + // Exe is the full name of the process' executable (e.g. C:\Windows\system32\cmd.exe) + Exe string `json:"exe"` + // Cwd designates the current working directory of the process. + Cwd string `json:"cwd"` + // SID is the security identifier under which this process is run. + SID string `json:"sid"` + // Args contains process' command line arguments (e.g. /cdir, /-C, /W) + Args []string `json:"args"` + // SessionID is the unique identifier for the current session. + SessionID uint8 `json:"session"` + // Envs contains process' environment variables indexed by env variable name. + Envs map[string]string `json:"envs"` + // Threads contains all the threads running in the address space of this process. + Threads map[uint32]Thread `json:"-"` + // Modules contains all the modules loaded by the process. + Modules []Module `json:"modules"` + // Handles represents the collection of handles allocated by the process. + Handles htypes.Handles `json:"handles"` + // PE stores the PE (Portable Executable) metadata. + PE *pe.PE `json:"pe"` +} + +// String returns a string representation of the process' state. +func (ps PS) String() string { + return fmt.Sprintf(` + Pid: %d + Ppid: %d + Name: %s + Comm: %s + Exe: %s + Cwd: %s + SID: %s + Args: %s + Session ID: %d + Envs: %s + `, + ps.PID, + ps.Ppid, + ps.Name, + ps.Comm, + ps.Exe, + ps.Cwd, + ps.SID, + ps.Args, + ps.SessionID, + ps.Envs, + ) +} + +// Thread stores several metadata about a thread that's executing in process's address space. +type Thread struct { + // Tid is the unique identifier of thread inside the process. + Tid uint32 + // Pid is the identifier of the process to which this thread pertains. + Pid uint32 + // IOPrio represents an I/O priority hint for scheduling I/O operations generated by the thread. + IOPrio uint8 + // BasePrio is the scheduler priority of the thread. + BasePrio uint8 + // PagePrio is a memory page priority hint for memory pages accessed by the thread. + PagePrio uint8 + // UstackBase is the base address of the thread's user space stack. + UstackBase kparams.Hex + // UstackLimit is the limit of the thread's user space stack. + UstackLimit kparams.Hex + // KStackBase is the base address of the thread's kernel space stack. + KstackBase kparams.Hex + // KstackLimit is the limit of the thread's kernel space stack. + KstackLimit kparams.Hex + // Entrypoint is the starting address of the function to be executed by the thread. + Entrypoint kparams.Hex +} + +// String returns the thread as a human-readable string. +func (t Thread) String() string { + return fmt.Sprintf("ID: %d IO prio: %d, Base prio: %d, Page prio: %d, Ustack base: %s, Ustack limit: %s, Kstack base: %s, Kstack limit: %s, Entrypoint: %s", t.Tid, t.IOPrio, t.BasePrio, t.PagePrio, t.UstackBase, t.UstackLimit, t.KstackBase, t.UstackLimit, t.Entrypoint) +} + +// Module represents the data for all dynamic libraries/executables that reside in the process' address space. +type Module struct { + // Size designates the size in bytes of the image file. + Size uint32 + // Checksum is the checksum of the image file. + Checksum uint32 + // Name represents the full path of this image. + Name string + // BaseAddress is the base address of process in which the image is loaded. + BaseAddress kparams.Hex + // DefaultBaseAddress is the default base address. + DefaultBaseAddress kparams.Hex +} + +// String returns the string representation of the module. +func (m Module) String() string { + return fmt.Sprintf("Name: %s, Size: %d, Checksum: %d, Base address: %s, Default base address: %s", m.Name, m.Size, m.Checksum, m.BaseAddress, m.DefaultBaseAddress) +} + +// FromKevent produces a new process state from kernel event. +func FromKevent(pid, ppid uint32, name, comm, exe, sid string, sessionID uint8) *PS { + return &PS{ + PID: pid, + Ppid: ppid, + Name: name, + Comm: comm, + Exe: exe, + Args: splitArgs(comm), + SID: sid, + SessionID: sessionID, + Threads: make(map[uint32]Thread), + Modules: make([]Module, 0), + Handles: make([]htypes.Handle, 0), + } +} + +// ThreadFromKevent builds a thread info from kernel event. +func ThreadFromKevent(pid, tid uint32, ustackBase, ustackLimit, kstackBase, kstackLimit kparams.Hex, ioPrio, basePrio, pagePrio uint8, entrypoint kparams.Hex) Thread { + return Thread{ + Pid: pid, + Tid: tid, + UstackBase: ustackBase, + UstackLimit: ustackLimit, + KstackBase: kstackBase, + KstackLimit: kstackLimit, + IOPrio: ioPrio, + BasePrio: basePrio, + PagePrio: pagePrio, + Entrypoint: entrypoint, + } +} + +// ImageFromKevent constructs a module info from the corresponding kernel event. +func ImageFromKevent(size, checksum uint32, name string, baseAddress, defaultBaseAddress kparams.Hex) Module { + return Module{ + Size: size, + Checksum: checksum, + Name: name, + BaseAddress: baseAddress, + DefaultBaseAddress: defaultBaseAddress, + } +} + +// NewPS produces a new process state from passed arguments. +func NewPS(pid, ppid uint32, exe, cwd, comm string, thread Thread, envs map[string]string) *PS { + return &PS{ + PID: pid, + Ppid: ppid, + Name: filepath.Base(exe), + Exe: exe, + Comm: comm, + Cwd: cwd, + Args: splitArgs(comm), + Threads: map[uint32]Thread{thread.Tid: thread}, + Modules: make([]Module, 0), + Handles: make([]htypes.Handle, 0), + Envs: envs, + } +} + +// NewFromKcap reconstructs the state of the process from kcap file. +func NewFromKcap(buf []byte) (*PS, error) { + ps := PS{ + Args: make([]string, 0), + Envs: make(map[string]string), + Handles: make([]htypes.Handle, 0), + Modules: make([]Module, 0), + Threads: make(map[uint32]Thread), + } + if err := ps.Unmarshal(buf); err != nil { + return nil, err + } + return &ps, nil +} + +func splitArgs(comm string) []string { + ext := strings.Index(comm, ".exe") + if ext == -1 { + return []string{} + } + ext += 5 + if ext > len(comm) { + return []string{} + } + return strings.Fields(comm[ext:]) +} + +// AddThread adds a thread to process's state descriptor. +func (ps *PS) AddThread(thread Thread) { + ps.mu.Lock() + defer ps.mu.Unlock() + ps.Threads[thread.Tid] = thread +} + +// RemoveThread eliminates a thread from the process's state. +func (ps *PS) RemoveThread(tid uint32) { + ps.mu.Lock() + defer ps.mu.Unlock() + delete(ps.Threads, tid) +} + +// RLock acquires a read mutex on the process state. +func (ps *PS) RLock() { + ps.mu.RLock() +} + +// RLock releases a read mutex on the process sate. +func (ps *PS) RUnlock() { + ps.mu.RUnlock() +} + +// AddHandle adds a new handle to this process state. +func (ps *PS) AddHandle(handle htypes.Handle) { + ps.Handles = append(ps.Handles, handle) +} + +// RemoveHandle removes a handle with specified identifier from the list of allocated handles. +func (ps *PS) RemoveHandle(num hndl.Handle) { + for i, h := range ps.Handles { + if h.Num == num { + ps.Handles = append(ps.Handles[:i], ps.Handles[i+1:]...) + break + } + } +} + +// AddModule adds a new module to this process state. +func (ps *PS) AddModule(mod Module) { + ps.Modules = append(ps.Modules, mod) +} + +// RemoveModule removes a module with specified full-path from this process state. +func (ps *PS) RemoveModule(name string) { + for i, mod := range ps.Modules { + if mod.Name == name { + ps.Modules = append(ps.Modules[:i], ps.Modules[i+1:]...) + break + } + } +} + +// FindModule finds the module by name. +func (ps *PS) FindModule(name string) *Module { + for _, mod := range ps.Modules { + if filepath.Base(mod.Name) == name { + return &mod + } + } + return nil +} diff --git a/pkg/syscall/doc.go b/pkg/syscall/doc.go new file mode 100644 index 000000000..7cb3585a2 --- /dev/null +++ b/pkg/syscall/doc.go @@ -0,0 +1,20 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +// Package syscall contains the definitions of functions, structures and constants for interacting with the Windows API. +package syscall diff --git a/pkg/syscall/etw/etw.go b/pkg/syscall/etw/etw.go new file mode 100644 index 000000000..4b9470e94 --- /dev/null +++ b/pkg/syscall/etw/etw.go @@ -0,0 +1,159 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package etw + +import ( + "os" + "syscall" + "unsafe" + + kerrors "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/syscall/utf16" + "github.com/rabbitstack/fibratus/pkg/syscall/winerrno" +) + +var ( + advapi32 = syscall.NewLazyDLL("advapi32.dll") + + startTrace = advapi32.NewProc("StartTraceW") + controlTrace = advapi32.NewProc("ControlTraceW") + closeTrace = advapi32.NewProc("CloseTrace") + openTrace = advapi32.NewProc("OpenTraceW") + processTrace = advapi32.NewProc("ProcessTrace") + traceSetInformation = advapi32.NewProc("TraceSetInformation") + enableTrace = advapi32.NewProc("EnableTraceEx") +) + +type TraceOperation uint32 + +const ( + Query TraceOperation = 0 + Stop TraceOperation = 1 + Update TraceOperation = 2 + Flush TraceOperation = 3 +) + +// TraceHandle is an alias for trace handle type +type TraceHandle uintptr + +// IsValid determines if the session handle is valid +func (handle TraceHandle) IsValid() bool { return handle != 0 } + +// StartTrace registers and starts an event tracing session for the specified provider. The trace assumes there will be a real-time +// event consumer responsible for collecting and processing events. If the function succeeds, it returns the handle to the tracing +// session. +func StartTrace(name string, props *EventTraceProperties) (TraceHandle, error) { + var handle TraceHandle + errno, _, err := startTrace.Call( + uintptr(unsafe.Pointer(&handle)), + uintptr(unsafe.Pointer(utf16.StringToUTF16Ptr(name))), + uintptr(unsafe.Pointer(props)), + ) + switch winerrno.Errno(errno) { + case winerrno.Success: + return handle, nil + case winerrno.AccessDenied: + return TraceHandle(0), kerrors.ErrTraceAccessDenied + case winerrno.DiskFull: + return TraceHandle(0), kerrors.ErrTraceDiskFull + case winerrno.AlreadyExists: + return TraceHandle(0), kerrors.ErrTraceAlreadyRunning + case winerrno.InvalidParameter: + return TraceHandle(0), kerrors.ErrTraceInvalidParameter + case winerrno.BadLength: + return TraceHandle(0), kerrors.ErrTraceBadLength + case winerrno.NoSysResources: + return TraceHandle(0), kerrors.ErrTraceNoSysResources + default: + return TraceHandle(0), os.NewSyscallError("StartTrace", err) + } +} + +// ControlTrace performs various operation on the specified event tracing session, such as updating, flushing or stopping +// the session. +func ControlTrace(handle TraceHandle, name string, props *EventTraceProperties, operation TraceOperation) error { + errno, _, err := controlTrace.Call( + uintptr(handle), + uintptr(unsafe.Pointer(utf16.StringToUTF16Ptr(name))), + uintptr(unsafe.Pointer(props)), + uintptr(operation), + ) + switch winerrno.Errno(errno) { + case winerrno.Success: + return nil + case winerrno.WMIInstanceNotFound: + return kerrors.ErrKsessionNotRunning + default: + return os.NewSyscallError("ControlTrace", err) + } +} + +// CloseTrace closes a trace. If you call this function before ProcessTrace returns, the CloseTrace function +// returns ErrorCtxClosePending. The ErrorCtxClosePending code indicates that the CloseTrace function call +// was successful; the ProcessTrace function will stop processing events after it processes all events in its buffers. +func CloseTrace(handle TraceHandle) error { + errno, _, err := closeTrace.Call(uintptr(handle)) + if winerrno.Errno(errno) != winerrno.Success && winerrno.Errno(errno) != winerrno.CtxClosePending { + return os.NewSyscallError("CloseTrace", err) + } + return nil +} + +// OpenTrace opens a real-time trace session or log file for consuming. +func OpenTrace(ktrace EventTraceLogfile) TraceHandle { + handle, _, _ := openTrace.Call(uintptr(unsafe.Pointer(&ktrace))) + return TraceHandle(handle) +} + +// ProcessTrace function delivers events from one or more event tracing sessions to the consumer. Function sorts the events +// chronologically and delivers all events generated between StartTime and EndTime. The ProcessTrace function blocks the +// thread until it delivers all events, the BufferCallback function returns false, or you call CloseTrace. +func ProcessTrace(handle TraceHandle) error { + errno, _, err := processTrace.Call(uintptr(unsafe.Pointer(&handle)), 1, 0, 0) + switch winerrno.Errno(errno) { + case winerrno.Success: + return nil + case winerrno.WMIInstanceNotFound: + return kerrors.ErrKsessionNotRunning + case winerrno.NoAccess: + return kerrors.ErrEventCallbackException + case winerrno.Cancelled: + return kerrors.ErrTraceCancelled + default: + return os.NewSyscallError("ProcessTrace", err) + } +} + +// SetTraceInformation enables or disables event tracing session settings for the specified information class. +func SetTraceInformation(handle TraceHandle, infoClass uint8, traceFlags []EventTraceFlags) error { + errno, _, err := traceSetInformation.Call(uintptr(handle), uintptr(infoClass), uintptr(unsafe.Pointer(&traceFlags[0])), unsafe.Sizeof(traceFlags)) + if winerrno.Errno(errno) == winerrno.Success { + return nil + } + return os.NewSyscallError("TraceSetInformation", err) +} + +// EnableTrace influences the behaviour of the specified event trace provider. +func EnableTrace(guid syscall.GUID, handle TraceHandle, keyword uint32) error { + errno, _, err := enableTrace.Call(uintptr(unsafe.Pointer(&guid)), 0, uintptr(handle), 1, 0, uintptr(keyword), 0, 0, 0) + if winerrno.Errno(errno) == winerrno.Success { + return nil + } + return os.NewSyscallError("EnableTraceEx", err) +} diff --git a/pkg/syscall/etw/types.go b/pkg/syscall/etw/types.go new file mode 100644 index 000000000..ad7bbcaed --- /dev/null +++ b/pkg/syscall/etw/types.go @@ -0,0 +1,465 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package etw + +import ( + "strings" + "syscall" +) + +// EventTraceFlags is the type alias for kernel trace events +type EventTraceFlags uint32 + +// KernelTraceControlGUID is the GUID for the kernel system logger +var KernelTraceControlGUID = syscall.GUID{Data1: 0x9e814aad, Data2: 0x3204, Data3: 0x11d2, Data4: [8]byte{0x9a, 0x82, 0x00, 0x60, 0x08, 0xa8, 0x69, 0x39}} + +// KernelRundownGUID is the GUID for the kernel rundown logger +var KernelRundownGUID = syscall.GUID{Data1: 0x3b9c9951, Data2: 0x3480, Data3: 0x4220, Data4: [8]byte{0x93, 0x77, 0x9c, 0x8e, 0x51, 0x84, 0xf5, 0xcd}} + +const ( + // TraceSystemTraceEnableFlagsInfo controls system logger event flags + TraceSystemTraceEnableFlagsInfo = uint8(4) +) + +const ( + // KernelLoggerSession represents the default session name for NT kernel logger + KernelLoggerSession = "NT Kernel Logger" + KernelLoggerRundownSession = "Kernel Rundown Logger" + // WnodeTraceFlagGUID indicates that the structure contains event tracing information + WnodeTraceFlagGUID = 0x00020000 + // ProcessTraceModeRealtime denotes that there will be a real-time consumers for events forwarded from the providers + ProcessTraceModeRealtime = 0x00000100 + // ProcessTraceModeEventRecord is the mode that enables the "event record" format for kernel events + ProcessTraceModeEventRecord = 0x10000000 +) + +const ( + ALPC EventTraceFlags = 0x00100000 + Cswitch EventTraceFlags = 0x00000010 + DbgPrint EventTraceFlags = 0x00040000 + DiskFileIO EventTraceFlags = 0x00000200 + DiskIO EventTraceFlags = 0x00000100 + DiskIOInit EventTraceFlags = 0x00000400 + Dispatcher EventTraceFlags = 0x00000800 + DPC EventTraceFlags = 0x00000020 + Driver EventTraceFlags = 0x00800000 + FileIO EventTraceFlags = 0x02000000 + FileIOInit EventTraceFlags = 0x04000000 + ImageLoad EventTraceFlags = 0x00000004 + Handle EventTraceFlags = 0x80000040 + IRQ EventTraceFlags = 0x00000040 + Job EventTraceFlags = 0x00080000 + NetTCPIP EventTraceFlags = 0x00010000 + Process EventTraceFlags = 0x00000001 + Registry EventTraceFlags = 0x00020000 + Syscall EventTraceFlags = 0x00000080 + Thread EventTraceFlags = 0x00000002 +) + +// String returns the string representation of enabled event trace flags. +func (f EventTraceFlags) String() string { + flags := make([]string, 0) + if f&ALPC == ALPC { + flags = append(flags, "ALPC") + } + if f&Cswitch == Cswitch { + flags = append(flags, "Cswitch") + } + if f&DiskFileIO == DiskFileIO { + flags = append(flags, "DiskFileIO") + } + if f&DiskIO == DiskIO { + flags = append(flags, "DiskIO") + } + if f&FileIO == FileIO { + flags = append(flags, "FileIO") + } + if f&ImageLoad == ImageLoad { + flags = append(flags, "DLL") + } + if f&Handle == Handle { + flags = append(flags, "Handle") + } + if f&NetTCPIP == NetTCPIP { + flags = append(flags, "TCPIP") + } + if f&Process == Process { + flags = append(flags, "Process") + } + if f&Registry == Registry { + flags = append(flags, "Registry") + } + if f&Thread == Thread { + flags = append(flags, "Thread") + } + return strings.Join(flags, ", ") +} + +// WnodeHeader is a member of `EventTraceProperties` structure. The majority of the fields in this structure are not relevant to us. +type WnodeHeader struct { + // BufferSize is the total size of memory allocated, in bytes, for the event tracing session properties. + BufferSize uint32 + // ProviderID is reserved for internal use. + ProviderID uint32 + // HostricalContext is an union field with the following C representation: + // union { + // ULONG64 HistoricalContext; + // struct { + // ULONG Version; + // ULONG Linkage; + // }; + // }; + // On output, HistoricalContext stores the handle to the event tracing session. Version and Linkage fields are reserved for internal use. + HistoricalContext [8]byte + // KernelHandle is an union with the following C representation: + // union { + // HANDLE KernelHandle; + // LARGE_INTEGER TimeStamp; + // }; + // `KernelHandle` is reserved for internal use. `TimeStamp` designates the instant at which the information of this + // structure was updated. + KernelHandle [8]byte + // GUID that defines the session. For NT Kernel Logger session we have to set this member to `SystemTraceControlGuid`. + GUID syscall.GUID + // ClientContext represents clock resolution to use when logging the time stamp for each event. The default is Query performance counter (QPC). + ClientContext uint32 + // Flags must contain `WnodeFlagTracedGUID` to indicate that the structure contains event tracing information. + Flags uint32 +} + +// EventTraceProperties contains information about an event tracing session. Each time a new session is created, or an existing session +// is about to be modified, this structure is used to describe session properties. +type EventTraceProperties struct { + // Wnode structure requires `BufferSize`, `Flags` and `GUID` members to be initialized. + Wnode WnodeHeader + // BufferSize represents the amount of memory allocated for each event tracing session buffer, in kilobytes. + // The maximum buffer size is 1 MB. ETW uses the size of physical memory to calculate this value. + // If an application expects a relatively low event rate, the buffer size should be set to the memory page size. + // To get the page memory size, you can invoke GetSystemInfo() function. + // If the event rate is expected to be relatively high, the application should specify a larger buffer size, + // and should increase the maximum number of buffers. + // + // The buffer size affects the rate at which buffers fill and must be flushed. Although a small buffer size requires + // less memory, it increases the rate at which buffers must be flushed. + BufferSize uint32 + // MinimumBuffers specifies the minimum number of buffers allocated for the event tracing session's buffer pool. + // The minimum number of buffers that you can specify is two buffers per processor. For example, on a single processor machine, + // the minimum number of buffers is two. + MinimumBuffers uint32 + // MaximumBuffers is the maximum number of buffers allocated for the event tracing session's buffer pool. Typically, this value is + // the minimum number of buffers plus twenty. ETW uses the buffer size and the size of physical memory to calculate this value. + MaximumBuffers uint32 + // MaximumFileSize is the maximum size of the file used to log events, in megabytes. + MaximumFileSize uint32 + // LogFileMode determines the logging modes for the event tracing session. You use this member to specify that you want events written to a + // log file, a real-time consumer, or both. In real-time logging mode, if no consumers are available, events will be written + // to disk, and when a consumers begins processing real-time events, the events in the playback file are consumed first. + LogFileMode uint32 + // FlushTimer specifies how often, in seconds, the trace buffers are forcibly flushed. The minimum flush time is 1 second. + // This forced flush is in addition to the automatic flush that occurs whenever a buffer is full and when the trace session + // stops. If zero, ETW flushes buffers as soon as they become full. If nonzero, ETW flushes all buffers that contain events + // based on the timer value. Typically, you want to flush buffers only when they become full. Forcing the buffers to flush + // (either by setting this member to a nonzero value or by calling `FlushTrace`) can increase the file size of the log file + // with unfilled buffer space. + // + // If the consumer is consuming events in real time, you may want to set this member to a nonzero value if the event rate is + // low to force events to be delivered before the buffer is full. + // For the case of a realtime logger, a value of zero (the default value) means that the flush time will be set to 1 second. + // A realtime logger is when LogFileMode is set to `EventTraceRealTimeMode`. + FlushTimer uint32 + // EnableFlags specifies which kernel events are delievered to the consumer when NT Kernel logger session is started. + // For example, registry events, process, disk IO and so on. + EnableFlags EventTraceFlags + // AgeLimit is not used. + AgeLimit int32 + // NumberOfBuffers indicates the number of buffers allocated for the event tracing session's buffer pool. + NumberOfBuffers uint32 + // FreeBuffers indicates the number of buffers that are allocated but unused in the event tracing session's buffer pool. + FreeBuffers uint32 + // EventsLost counts the number of events that were not recorded. + EventsLost uint32 + // BuffersWritten counts the number of buffers written. + BuffersWritten uint32 + // LogBuffersLost determines the number of buffers that could not be written to the log file. + LogBuffersLost uint32 + // RealTimeBuffersLost represents the number of buffers that could not be delivered in real-time to the consumer. + RealTimeBuffersLost uint32 + // LoggerThreadID is the thread identifier for the event tracing session. + LoggerThreadID uintptr + // LogFileNameOffset is the offset from the start of the structure's allocated memory to beginning of the null-terminated + // string that contains the log file name. + LogFileNameOffset uint32 + // LoggerNameOffset is the offset from the start of the structure's allocated memory to beginning of the null-terminated + // string that contains the session name. The session name is limited to 1024 characters. The session name is case-insensitive + // and must be unique. + LoggerNameOffset uint32 +} + +// EventTraceHeader contains standard event tracing information common to all events. +type EventTraceHeader struct { + // Size represents the total number of bytes of the event. It includes the size of the header structure, + // plus the size of any event-specific data appended to the header. + Size uint16 + // FieldTypeFlags is an union field represented as follow: + // union { + // USHORT FieldTypeFlags; + // struct { + // UCHAR HeaderType; + // UCHAR MarkerFlags; + // }; + // }; + // All memebers of this union are reserved for internal use. + FieldTypeFlags [2]byte + // Versions in an union field with the following declaration: + // union { + // ULONG Version; + // struct { + // UCHAR Type; + // UCHAR Level; + // USHORT Version; + // } Class; + // }; + // `Type` field indicates the general purpose type of this event (e.g. data collection end/start, checkpoint, etc.) + // `Level` designates the severity of the generated event and the `Version` tells the consumer which MOF class to use to + // decipher the event data. + Version [4]byte + // ThreadID identifes the thread that generated this event. + ThreadID uint32 + // ProcessID identifes the process that generated this event. + ProcessID uint32 + // Timestamp contains the time that the event occurred. + Timestamp uint64 + // GUID is an union: + // union { + // GUID Guid; + // ULONGLONG GuidPtr; + // }; + // `Guid` identifies a category of events. `GuidPtr` is the pointer to an event trace class GUID. + GUID [16]byte + // ProcessorTime is another union type: + // union { + // struct { + // ULONG ClientContext; + // ULONG Flags; + // }; + // struct { + // ULONG KernelTime; + // ULONG UserTime; + // }; + // ULONG64 ProcessorTime; + // }; + // `ClientContext` is reserved, while `Flags` must be set to `WnodeFlagTracedGuid`. The rest of the members + // specify elapsed execution time for kernel and user mode instructions respectively. + ProcessorTime [8]byte +} + +// EventTrace stores event information that is delivered to an event trace consumer. +type EventTrace struct { + // Header contains standard event tracing metadata. + Header EventTraceHeader + // InstanceID represents the instance identifier. + InstanceID uint32 + // ParentInstanceID represents instance identifer for a parent event. + ParentInstanceID uint32 + // ParentGUID is the class GUID of the parent event. + ParentGUID syscall.GUID + // MofData is the pointer to the beginning of the event-specific data for this event. + MofData uintptr + // MofLength represents the number of bytes to which `MofData` points. + MofLength uint32 + // Context is an union type: + // union { + // ULONG ClientContext; + // ETW_BUFFER_CONTEXT BufferContext; + // }; + // `ClientContext` field is reserved. `BufferContext` Provides information about the event such as the session identifier + // and processor number of the CPU on which the provider process ran. + Context [2]byte +} + +// TraceLogfileHeader contains information about an event tracing session and its events. +type TraceLogfileHeader struct { + // BufferSize is the size of the event tracing session's buffers in bytes. + BufferSize uint32 + // Version is the union type that represents version number of the operating system. + Version [4]byte + // ProviderVersion is the build number of the operating system. + ProviderVersion uint32 + // NumberOfProcessors indicates the number of processors on the system. + NumberOfProcessors uint32 + // EndTime is the time at which the event tracing session stopped. This value is 0 for real time event consumers. + EndTime uint64 + // TimerResolution is the resolution of the hardware timer, in units of 100 nanoseconds. + TimerResolution uint32 + // MaximumFileSize is the size of the log file, in megabytes. + MaximumFileSize uint32 + // LogfileMode represents the current logging mode for the event tracing session. + LogfileMode uint32 + // BuffersWritten is the total number of buffers written by the event tracing session. + BuffersWritten uint32 + // GUID is a an union type with the two first field reserved for internal usage. Other fields indicate + // the number of events lost and the CPU speed in Mhz. + GUID [16]byte + // LoggerName is a reserved field. + LoggerName *uint16 + // LogfileName is a reserved field. + LogfileName *uint16 + // TimeZone contains time-zone information for `BootTime`, `EndTime` and `StartTime` fields. + TimeZone syscall.Timezoneinformation + // BootTime is the time at which the system was started, in 100-nanosecond intervals since midnight, January 1, 1601. + BootTime uint64 + // PerfFreq is the frequency of the high-resolution performance counter, if one exists. + PerfFreq uint64 + // StartTime is the time at which the event tracing session started, in 100-nanosecond intervals since midnight, January 1, 1601. + StartTime uint64 + // ReservedFlags specifies the clock type. + ReservedFlags uint32 + // BuffersLost is the total number of buffers lost during the event tracing session. + BuffersLost uint32 +} + +// EventTraceLogfile specifies how the consumer wants to read events (from a log file or in real-time) and the callbacks +// that will receive the events.When ETW flushes a buffer, this structure contains information about the event tracing +// session and the buffer that ETW flushed. +type EventTraceLogfile struct { + // LogFileName is the name of the log file used by the event tracing session. + LogFileName *uint16 + // LoggerName is the name of the event tracing session. Only applicable when consuming events in real time. + LoggerName *uint16 + // CurrentTime on output, the current time, in 100-nanosecond intervals since midnight, January 1, 1601. + CurrentTime int64 + // BuffersRead represents the number of buffers processed. + BuffersRead uint32 + // LogFileMode is union type the dictates the processing mode for events. + LogFileMode [4]byte + // CurrentEvents contains the last event processed. + CurrentEvent EventTrace + // LogfileHeader represents global information about the tracing session. + LogfileHeader TraceLogfileHeader + // BufferCallback is a pointer to the function that receives buffer-related statistics for each buffer ETW flushes. + // ETW calls this callback after it delivers all the events in the buffer. + BufferCallback uintptr + // BufferSize contains the size of each buffer, in bytes. + BufferSize uint32 + // Filled contains the number of bytes in the buffer that contain valid information. + Filled uint32 + // EventsLost is an unused field. + EventsLost uint32 + // EventCallback is the union field that contains pointers to callback functions that ETW calls for each buffer. + EventCallback [8]byte + // IsKernelTrace specifies whether the event tracing session is the NT kernel logger. + IsKernelTrace uint32 + // Context is data that a consumer can specify when calling `OpenTrace` function. + Context uintptr +} + +// EventDescriptor contains metadata that defines the event. +type EventDescriptor struct { + // ID represents event identifier. + ID uint16 + // Version indicates a revision to the event definition. + Version uint8 + // Channel is the audience for the event (e.g. administrator or developer). + Channel uint8 + // Level is the severity or level of detail included in the event. + Level uint8 + // Opcode is step in a sequence of operations being performed within the `Task` field. For MOF-defined events, + // the `Opcode` member contains the event type value. + Opcode uint8 + // Task represents a larger unit of work within an application or component. + Task uint16 + // Keyword A bitmask that specifies a logical group of related events. Each bit corresponds to one group. An event may belong to one or more groups. + // The keyword can contain one or more provider-defined keywords, standard keywords, or both. + Keyword uint64 +} + +// EventHeader defines information about the event. +type EventHeader struct { + // Size represents the size of the event, in bytes. + Size uint16 + // HeaderType is reserved. + HeaderType uint16 + // Flags provides information about the event such as the type of session it was logged to and if + // the event contains extended data. + Flags uint16 + // EventProperty indicates the source to use for parsing the event data. + EventProperty uint16 + // ThreadID identifies the thread that generated the event. + ThreadID uint32 + // ProcessID identifies the process that generated the event. + ProcessID uint32 + // Timestamps contains the time that the event occurred. + Timestamp uint64 + // ProviderID is the GUID that uniquely identifies the provider that logged the event. + ProviderID syscall.GUID + // EventDescriptor defines the information about the event such as the event identifier and severity level. + EventDescriptor EventDescriptor + // ProcessorTime is the union type that defines elapsed execution time for kernel-mode and user-mode instructions + // in CPU units. + ProcessorTime [8]byte + // ActivityID is the identifier that relates two events. + ActivityID syscall.GUID +} + +// ETWBufferContexts provides context information about the event. +type ETWBufferContext struct { + // ProcessorIndex is an union type that contains among other fields the number of the CPU on which + // the provider process was running. + ProcessorIndex [2]byte + // LoggerID identifies of the session that logged the event. + LoggerID uint16 +} + +// Linkage is the inner struct for EventHeaderExtendedDataItem. +type Linkage struct { + Linkage uint16 + Resreved2 uint16 +} + +// EventHeaderExtendedDataItem defines the extended data that ETW collects as part of the event data. +type EventHeaderExtendedDataItem struct { + // Reserverd1 is a reserved field. + Reserved1 uint16 + // ExtType defines the type of extended data. + ExtType uint16 + Linkage + // DataSize is the size in bytes, of the extended data + DataSize uint16 + // DataPtr is the pointer to extended data. + DataPtr uint64 +} + +// EventRecord defines the layout of an event that ETW delivers. +type EventRecord struct { + // Header represents information about the event such as the time stamp for when it was written. + Header EventHeader + // BufferContext defines information such as the session that logged the event. + BufferContext ETWBufferContext + // ExtendedDataCount is the number of extended data structures in the `ExtendedData` field. + ExtendedDataCount uint16 + // UserDataLength represents the size, in bytes, of the data in the `UserData` field. + UserDataLength uint16 + // ExtendedData designates extended data items that ETW collects. The extended data includes some items, such as the security + // identifier (SID) of the user that logged the event. + ExtendedData *EventHeaderExtendedDataItem + // UserData represents event specific data that's parsed via TDH API. + UserData uintptr + // UserContext is a pointer to custom user data passed in `EventTraceLogfile` structure. + UserContext uintptr +} diff --git a/pkg/syscall/file/file.go b/pkg/syscall/file/file.go new file mode 100644 index 000000000..6de55705b --- /dev/null +++ b/pkg/syscall/file/file.go @@ -0,0 +1,124 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package file + +import ( + "github.com/rabbitstack/fibratus/pkg/syscall/utf16" + "github.com/rabbitstack/fibratus/pkg/syscall/winerrno" + "os" + "syscall" + "unsafe" +) + +var ( + kernel32 = syscall.NewLazyDLL("kernel32") + shlwapi = syscall.NewLazyDLL("shlwapi") + nt = syscall.NewLazyDLL("ntdll") + + getLogicalDrives = kernel32.NewProc("GetLogicalDrives") + queryDosDevice = kernel32.NewProc("QueryDosDeviceW") + pathIsDirectory = shlwapi.NewProc("PathIsDirectoryW") + + ntQueryVolumeInformationFile = nt.NewProc("NtQueryVolumeInformationFile") + + drives = []string{ + "A", + "B", + "C", + "D", + "E", + "F", + "G", + "H", + "I", + "J", + "K", + "L", + "M", + "N", + "O", + "P", + "Q", + "R", + "S", + "T", + "U", + "V", + "W", + "X", + "Y", + "Z"} +) + +const ( + fsDeviceInformation = 4 +) + +// GetLogicalDrives returns available device drives in the system. +func GetLogicalDrives() []string { + r, _, _ := getLogicalDrives.Call() + bitmask := uint32(r) + devs := make([]string, 0) + for _, drive := range drives { + if bitmask&1 == 1 { + devs = append(devs, drive+":") + } + bitmask >>= 1 + } + return devs +} + +// QueryVolumeInfo obtains device information for the specified file handle. +func QueryVolumeInfo(fd uintptr) (*DevInfo, error) { + var ( + iosb ioStatusBlock + di DevInfo + ) + _, _, err := ntQueryVolumeInformationFile.Call( + fd, + uintptr(unsafe.Pointer(&iosb)), + uintptr(unsafe.Pointer(&di)), + uintptr(unsafe.Sizeof(di)), + uintptr(fsDeviceInformation), + ) + if err != nil && err != syscall.Errno(0) { + return nil, os.NewSyscallError("NtQueryVolumeInformationFile", err) + } + return &di, nil +} + +// QueryDosDevice translates the DOS device name to hard disk drive letter. +func QueryDosDevice(drive string) (string, error) { + dev := make([]uint16, syscall.MAX_PATH) + errno, _, err := queryDosDevice.Call( + uintptr(unsafe.Pointer(utf16.StringToUTF16Ptr(drive))), + uintptr(unsafe.Pointer(&dev[0])), + uintptr(syscall.MAX_PATH), + ) + if winerrno.Errno(errno) == winerrno.Success { + return "", os.NewSyscallError("QueryDosDevice", err) + } + return syscall.UTF16ToString(dev), nil +} + +// IsPathDirectory indicates if path is a valid directory. +func IsPathDirectory(path string) bool { + isDir, _, _ := pathIsDirectory.Call(uintptr(unsafe.Pointer(utf16.StringToUTF16Ptr(path)))) + return isDir > 0 +} diff --git a/pkg/syscall/file/types.go b/pkg/syscall/file/types.go new file mode 100644 index 000000000..bcb0f52fb --- /dev/null +++ b/pkg/syscall/file/types.go @@ -0,0 +1,54 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package file + +import "syscall" + +// AttributeData contains meta information about a file. +type AttributeData struct { + // FileAttributes represents the file attributes. + FileAttributes uint32 + // CreationTime specifies when a file or directory is created. If the underlying file system does not support creation time, this member is zero. + CreationTime syscall.Filetime + // LastAccessTime for a file, the structure specifies the last time that a file is read from or written to. + // For a directory, the structure specifies when the directory is created. For both files and directories, + // the specified date is correct, but the time of day is always set to midnight. If the underlying file + // system does not support the last access time, this member is zero (0). + LastAccessTime syscall.Filetime + // LastWriteTime for a file, the structure specifies the last time that a file is written to. For a directory, + // the structure specifies when the directory is created. If the underlying file system does not support the last write time, + // this member is zero (0). + LastWriteTime syscall.Filetime + // FileSizeHigh high-order part of the file size. + FileSizeHigh uint32 + // FileSizeLow low-order part of the file size. + FileSizeLow uint32 +} + +// DevInfo provides file system device information about the type of device object associated with a file object. +type DevInfo struct { + // Type designates the type of underlying device. + Type uint32 + // Characteristics represents device characteristics. + Characteristcs uint32 +} + +type ioStatusBlock struct { + status, information uintptr +} diff --git a/pkg/syscall/handle/handle.go b/pkg/syscall/handle/handle.go new file mode 100644 index 000000000..cba0c5ef8 --- /dev/null +++ b/pkg/syscall/handle/handle.go @@ -0,0 +1,83 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package handle + +import ( + "github.com/rabbitstack/fibratus/pkg/syscall/winerrno" + "os" + "syscall" + "unsafe" +) + +var ( + kernel32 = syscall.NewLazyDLL("kernel32.dll") + + closeHandle = kernel32.NewProc("CloseHandle") + duplicateHandle = kernel32.NewProc("DuplicateHandle") +) + +// Handle represents the handle type. +type Handle uintptr + +// DuplicateAccess is the enum for handle duplicate access flags. +type DuplicateAccess uint32 + +const ( + // ThreadQueryAccess determines that handle duplication requires the ability to query thread info. + ThreadQueryAccess DuplicateAccess = 0x0040 + // ProcessQueryAccess determines that handle duplication requires the ability to query process info. + ProcessQueryAccess DuplicateAccess = 0x1000 + // ReadControlAccess specifies the ability to query the security descriptor. + ReadControlAccess DuplicateAccess = 0x00020000 + // SemaQueryAccess is the duplicate access type required for synchronization objects such as mutants. + SemaQueryAccess DuplicateAccess = 0x0001 + // AllAccess doesn't specify the access mask. + AllAccess DuplicateAccess = 0 +) + +// IsValid determines if handle instance if valid. +func (handle Handle) IsValid() bool { + return handle != ^Handle(0) +} + +// Close disposes the underlying handle object. +func (handle Handle) Close() { + if handle == 0 { + return + } + _, _, _ = closeHandle.Call(uintptr(handle)) +} + +// Duplicate duplicates an object handle in the caller address's space. +func (handle Handle) Duplicate(src, dest Handle, access DuplicateAccess) (Handle, error) { + var destHandle Handle + errno, _, err := duplicateHandle.Call( + uintptr(src), + uintptr(handle), + uintptr(dest), + uintptr(unsafe.Pointer(&destHandle)), + uintptr(access), + 0, + 0, + ) + if winerrno.Errno(errno) != winerrno.Success { + return destHandle, nil + } + return Handle(0), os.NewSyscallError("DuplicateHandle", err) +} diff --git a/pkg/syscall/object/alpc.go b/pkg/syscall/object/alpc.go new file mode 100644 index 000000000..136346ec0 --- /dev/null +++ b/pkg/syscall/object/alpc.go @@ -0,0 +1,50 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package object + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "unsafe" +) + +// AlpcInformationClass defines the type for the ALPC information class values. +type AlpcInformationClass uint8 + +const ( + // AlpcBasicPortInfo obtains basic ALPC port information + AlpcBasicPortInfo AlpcInformationClass = iota +) + +var ntAlpcQueryInformation = nt.NewProc("NtAlpcQueryInformation") + +// GetAlpcInformation gets specified information for the ALPC handle. +func GetAlpcInformation(handle handle.Handle, klass AlpcInformationClass, buf []byte) error { + status, _, _ := ntAlpcQueryInformation.Call( + uintptr(handle), + uintptr(klass), + uintptr(unsafe.Pointer(&buf[0])), + uintptr(len(buf)), + 0, + ) + if status != 0 { + return fmt.Errorf("NtAlpcQueryInformation failed with status code 0x%X", status) + } + return nil +} diff --git a/pkg/syscall/object/event.go b/pkg/syscall/object/event.go new file mode 100644 index 000000000..87fafa8e4 --- /dev/null +++ b/pkg/syscall/object/event.go @@ -0,0 +1,73 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package object + +import ( + "os" + "syscall" +) + +var ( + kernel32 = syscall.NewLazyDLL("kernel32") + createEvent = kernel32.NewProc("CreateEventA") + setEvent = kernel32.NewProc("SetEvent") + resetEvent = kernel32.NewProc("ResetEvent") +) + +type Event uintptr + +func NewEvent(manualReset, isSignaled bool) (Event, error) { + var reset uint8 + var signaled uint8 + if manualReset { + reset = 1 + } + if isSignaled { + signaled = 1 + } + handle, _, err := createEvent.Call(0, uintptr(reset), uintptr(signaled), 0) + if handle == 0 { + return Event(0), os.NewSyscallError("CreateEventA", err) + } + return Event(handle), nil +} + +func NewNamedEvent() { + +} + +func (e Event) Set() error { + errno, _, err := setEvent.Call(uintptr(e)) + if errno == 0 { + return os.NewSyscallError("SetEvent", err) + } + return nil +} + +func (e Event) Reset() error { + errno, _, err := resetEvent.Call(uintptr(e)) + if errno == 0 { + return os.NewSyscallError("ResetEvent", err) + } + return nil +} + +func (e Event) Close() error { + return syscall.Close(syscall.Handle(e)) +} diff --git a/pkg/syscall/object/mutant.go b/pkg/syscall/object/mutant.go new file mode 100644 index 000000000..2410d4bdf --- /dev/null +++ b/pkg/syscall/object/mutant.go @@ -0,0 +1,48 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package object + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "unsafe" +) + +var ntQueryMutant = nt.NewProc("NtQueryMutant") + +type MutantInformationClass uint8 + +const ( + MutantBasicInfo MutantInformationClass = iota +) + +// QueryMutant gets mutant detalied information according to the information class. +func QueryMutant(handle handle.Handle, klass MutantInformationClass, buf []byte) error { + status, _, _ := ntQueryMutant.Call( + uintptr(handle), + uintptr(klass), + uintptr(unsafe.Pointer(&buf[0])), + uintptr(len(buf)), + 0, + ) + if status != 0 { + return fmt.Errorf("NtQueryMutant failed with status code 0x%X", status) + } + return nil +} diff --git a/pkg/syscall/object/object.go b/pkg/syscall/object/object.go new file mode 100644 index 000000000..e3d14e105 --- /dev/null +++ b/pkg/syscall/object/object.go @@ -0,0 +1,63 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package object + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/rabbitstack/fibratus/pkg/syscall/winerrno" + "syscall" + "unsafe" +) + +var ( + nt = syscall.NewLazyDLL("ntdll") + + ntQueryObject = nt.NewProc("NtQueryObject") +) + +type InformationClass uint8 + +const ( + NameInformationClass InformationClass = 1 + TypeInformationClass InformationClass = 2 + TypesInformationClass InformationClass = 3 + SystemHandleInformationClass = 16 + SystemExtendedHandleInformation = 64 +) + +// Query retrieves specified information for the handle reference. +func Query(handle handle.Handle, klass InformationClass, buf []byte) (uint32, error) { + size := uint32(len(buf)) + status, _, _ := ntQueryObject.Call( + uintptr(handle), + uintptr(klass), + uintptr(unsafe.Pointer(&buf[0])), + uintptr(size), + uintptr(unsafe.Pointer(&size)), + ) + if status != 0 { + if status == winerrno.StatusInfoLengthMismatch || status == winerrno.StatusBufferTooSmall { + return size, errors.ErrNeedsReallocateBuffer + } + return size, fmt.Errorf("NtQueryObject failed with status code 0x%X", status) + } + return size, nil +} diff --git a/pkg/syscall/object/types.go b/pkg/syscall/object/types.go new file mode 100644 index 000000000..4dbdd2290 --- /dev/null +++ b/pkg/syscall/object/types.go @@ -0,0 +1,100 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package object + +import ( + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/rabbitstack/fibratus/pkg/syscall/utf16" +) + +type genericMapping struct { + GenericRead uint32 + GenericWrite uint32 + GenericExecute uint32 + GenericAll uint32 +} + +// TypeInformation contains object type data. +type TypeInformation struct { + TypeName utf16.UnicodeString + TotalNumberOfObjects uint32 + TotalNumberOfHandles uint32 + TotalPagedPoolUsage uint32 + TotalNonPagedPoolUsage uint32 + TotalNamePoolUsage uint32 + TotalHandleTableUsage uint32 + HighWaterNumberOfObjects uint32 + HighWaterNumberOfHandles uint32 + HighWaterPagedPoolUsage uint32 + HighWaterNonPagedPoolUsage uint32 + HighWaterNamePoolUsage uint32 + HighWaterHandleTableUsage uint32 + InvalidAttributes uint32 + GenericMapping genericMapping + ValidAccessMask uint32 + SecurityRequired bool + MaintainHandleCount bool + TypeIndex uint8 + ReservedByte int8 + PoolType uint32 + DefaultPagedPoolCharge uint32 + DefaultNonPagedPoolCharge uint32 +} + +// TypesInformation stores the number of resolved object type names. +type TypesInformation struct { + NumberOfTypes uint32 +} + +type NameInformation struct { + ObjectName utf16.UnicodeString +} + +type ProcessHandleTableEntryInfo struct { + Handle handle.Handle + HandleCount uintptr + PointerCount uintptr + GrantedAccess uint32 + ObjectTypeIndex uint32 + HandleAttributes uint32 + reserved uint32 +} + +type ProcessHandleSnapshotInformation struct { + NumberOfHandles uintptr + reserved uintptr + Handles [1]ProcessHandleTableEntryInfo +} + +type SystemHandleTableEntryInfoEx struct { + Object uint64 + ProcessID uintptr + Handle handle.Handle + GrantedAccess uint32 + CreatorBackTraceIndex uint8 + ObjectTypeIndex uint8 + HandleAttributes uint32 + reserved uint32 +} + +type SystemHandleInformationEx struct { + NumberOfHandles uintptr + reserved uintptr + Handles [1]SystemHandleTableEntryInfoEx +} diff --git a/pkg/syscall/process/process.go b/pkg/syscall/process/process.go new file mode 100644 index 000000000..b299e91ec --- /dev/null +++ b/pkg/syscall/process/process.go @@ -0,0 +1,174 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package process + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/rabbitstack/fibratus/pkg/syscall/winerrno" + "os" + "syscall" + "time" + "unsafe" +) + +var ( + kernel32 = syscall.NewLazyDLL("kernel32.dll") + native = syscall.NewLazyDLL("ntdll.dll") + + openProcess = kernel32.NewProc("OpenProcess") + queryFullProcessImageName = kernel32.NewProc("QueryFullProcessImageNameW") + readProcessMemory = kernel32.NewProc("ReadProcessMemory") + ntQueryInformationProcess = native.NewProc("NtQueryInformationProcess") + getProcessTimes = kernel32.NewProc("GetProcessTimes") + getProcessIdOfThread = kernel32.NewProc("GetProcessIdOfThread") + getExitCodeProcess = kernel32.NewProc("GetExitCodeProcess") +) + +// DesiredAccess defines the type alias for process's access modifiers +type DesiredAccess uint32 + +const ( + procStatusStillActive = 259 + // QueryInformation is required to retrieve certain information about a process, such as its token, exit code, and priority class + QueryInformation DesiredAccess = 0x0400 + // QueryLimitedInformation is required to get certain information about process, such as process's image name + QueryLimitedInformation DesiredAccess = 0x1000 + // VMRead is required to read memory in a process + VMRead DesiredAccess = 0x0010 + // DupHandle lets duplicate handles of the target process + DupHandle DesiredAccess = 0x0040 +) + +// InfoClassFlags defines the type for process's info class +type InfoClassFlags uint8 + +const ( + // BasicInformationClass returns basic process's information + BasicInformationClass InfoClassFlags = 0 + HandleInformationClass InfoClassFlags = 51 +) + +// Open acquires an handle from the running process. +func Open(access DesiredAccess, inheritHandle bool, processID uint32) (handle.Handle, error) { + var inherit uint8 + if inheritHandle { + inherit = 1 + } else { + inherit = 0 + } + h, _, err := openProcess.Call(uintptr(access), uintptr(inherit), uintptr(processID)) + if h == 0 { + return handle.Handle(0), os.NewSyscallError("OpenProcess", err) + } + return handle.Handle(h), nil +} + +// QueryFullImageName retrieves the full name of the executable image for the specified process. +func QueryFullImageName(handle handle.Handle) (string, error) { + var size uint32 = syscall.MAX_PATH + name := make([]uint16, size) + + errno, _, err := queryFullProcessImageName.Call(uintptr(handle), uintptr(0), uintptr(unsafe.Pointer(&name[0])), uintptr(unsafe.Pointer(&size))) + if winerrno.Errno(errno) != winerrno.Success { + return syscall.UTF16ToString(name), nil + } + return "", os.NewSyscallError("QueryFullProcessImageName", err) +} + +// QueryInfo retrieves a variety of process's information depending on the info class passed to this function. +func QueryInfo(handle handle.Handle, infoClass InfoClassFlags, buf []byte) (uint32, error) { + var size uint32 + if ntQueryInformationProcess != nil { + errno, _, _ := ntQueryInformationProcess.Call(uintptr(handle), uintptr(infoClass), uintptr(unsafe.Pointer(&buf[0])), uintptr(len(buf)), uintptr(unsafe.Pointer(&size))) + if winerrno.Errno(errno) != winerrno.Success { + if errno == winerrno.StatusInfoLengthMismatch || errno == winerrno.StatusBufferTooSmall { + return size, errors.ErrNeedsReallocateBuffer + } + return size, fmt.Errorf("NtQueryInformationProcess failed with status code 0x%X", errno) + } + return size, nil + } + return size, nil +} + +// ReadMemory reads data from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails. +func ReadMemory(handle handle.Handle, addr unsafe.Pointer, size uintptr) ([]byte, error) { + buf := make([]byte, size) + errno, _, err := readProcessMemory.Call(uintptr(handle), uintptr(addr), uintptr(unsafe.Pointer(&buf[0])), size, uintptr(0)) + if winerrno.Errno(errno) != winerrno.Success { + return buf, nil + } + return nil, os.NewSyscallError("ReadProcessMemory", err) +} + +func ReadMemoryUnicode(handle handle.Handle, addr unsafe.Pointer, size uintptr) ([]uint16, error) { + buf := make([]uint16, size) + errno, _, err := readProcessMemory.Call(uintptr(handle), uintptr(addr), uintptr(unsafe.Pointer(&buf[0])), size, uintptr(0)) + if winerrno.Errno(errno) != winerrno.Success { + return buf, nil + } + return nil, os.NewSyscallError("ReadProcessMemory", err) +} + +// GetParentPID returns the identifier of the parent process from the process's basic information structure. +func GetParentPID(handle handle.Handle) uint32 { + buf := make([]byte, unsafe.Sizeof(BasicInformation{})) + _, err := QueryInfo(handle, BasicInformationClass, buf) + if err != nil { + return uint32(0) + } + info := (*BasicInformation)(unsafe.Pointer(&buf[0])) + return uint32(info.InheritedFromUniqueProcessID) +} + +// GetStartTime returns process's timing statistics. +func GetStartTime(handle handle.Handle) (time.Time, error) { + var ( + ct syscall.Filetime + xt syscall.Filetime + kt syscall.Filetime + ut syscall.Filetime + ) + errno, _, err := getProcessTimes.Call(uintptr(handle), uintptr(unsafe.Pointer(&ct)), uintptr(unsafe.Pointer(&xt)), uintptr(unsafe.Pointer(&kt)), uintptr(unsafe.Pointer(&ut))) + if winerrno.Errno(errno) != winerrno.Success { + return time.Unix(0, ct.Nanoseconds()), nil + } + return time.Now(), os.NewSyscallError("GetProcessTime", err) +} + +// GetPIDFromThread returns the pid to which the specified thread belongs. +func GetPIDFromThread(handle handle.Handle) (uint32, error) { + pid, _, err := getProcessIdOfThread.Call(uintptr(handle)) + if pid == 0 { + return uint32(0), os.NewSyscallError("GetProcessIdOfThread", err) + } + return uint32(pid), nil +} + +// IsAlive checks if the process identified by the specified handle is still in running state. +func IsAlive(handle handle.Handle) bool { + var exitCode uint32 + errno, _, _ := getExitCodeProcess.Call(uintptr(handle), uintptr(unsafe.Pointer(&exitCode))) + if winerrno.Errno(errno) == winerrno.Success { + return false + } + return exitCode == procStatusStillActive +} diff --git a/pkg/syscall/process/types.go b/pkg/syscall/process/types.go new file mode 100644 index 000000000..ece61db26 --- /dev/null +++ b/pkg/syscall/process/types.go @@ -0,0 +1,76 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package process + +import "github.com/rabbitstack/fibratus/pkg/syscall/utf16" + +type PEB struct { + Reserved1 [2]byte + BeingDebugged byte + Reserved2 [21]byte + LDR *LDRData + ProcessParameters *RTLUserProcessParameters + Reserved3 [520]byte + PostProcessInitRoutine uintptr + Reserved4 [136]byte + SessionID uint32 +} + +type BasicInformation struct { + Reserved1 uintptr + PEB *PEB + Reserved2 [2]uintptr + UniqueProcessID uintptr + InheritedFromUniqueProcessID uintptr +} + +type String struct { + Length uint8 + MaximumLength uint8 +} + +type RTLUserProcessParameters struct { + Reserved1 [16]byte + consoleHandle uintptr + consoleFlags uint32 + stdin uintptr + stdout uintptr + stderr uintptr + CurrentDirectory CurDir + dllPath utf16.UnicodeString + ImagePathName utf16.UnicodeString + CommandLine utf16.UnicodeString + Environment uintptr +} + +type CurDir struct { + DosPath utf16.UnicodeString + Handle uintptr +} + +type LDRData struct { + Reserved1 [8]byte + Reserved2 [3]uintptr + ModuleList ListEntry +} + +type ListEntry struct { + Flink *ListEntry + Blink *ListEntry +} diff --git a/pkg/syscall/registry/key.go b/pkg/syscall/registry/key.go new file mode 100644 index 000000000..8ebc3d387 --- /dev/null +++ b/pkg/syscall/registry/key.go @@ -0,0 +1,52 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package registry + +// Key is the type alias for the registry root keys +type Key uint32 + +const ( + InvalidKey Key = 0 +) + +const ( + ClassesRoot Key = 0x80000000 + iota + CurrentUser + LocalMachine + Users + Hive +) + +// String returns a human-readable root key name. +func (k Key) String() string { + switch k { + case ClassesRoot: + return "HKEY_CLASSES_ROOT" + case CurrentUser: + return "HKEY_CURRENT_USER" + case LocalMachine: + return "HKEY_LOCAL_MACHINE" + case Users: + return "HKEY_USERS" + case Hive: + return "" + default: + return "Unknown" + } +} diff --git a/pkg/syscall/security/privileges.go b/pkg/syscall/security/privileges.go new file mode 100644 index 000000000..4e50092ea --- /dev/null +++ b/pkg/syscall/security/privileges.go @@ -0,0 +1,158 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package security + +import ( + "bytes" + "encoding/binary" + "github.com/pkg/errors" + "sync" + "syscall" + "unsafe" +) + +var ( + procLookupPrivilegeValueW = advapi32.NewProc("LookupPrivilegeValueW") + procAdjustTokenPrivileges = advapi32.NewProc("AdjustTokenPrivileges") +) + +// Cache of privilege names to LUIDs. +var ( + privNames = make(map[string]int64) + privNameMutex sync.Mutex +) + +const ( + // SeDebugPrivilege is the name of the privilege used to debug programs. + SeDebugPrivilege = "SeDebugPrivilege" +) + +// Errors returned by AdjustTokenPrivileges. +const ( + ERROR_NOT_ALL_ASSIGNED syscall.Errno = 1300 +) + +// Attribute bits for privileges. +const ( + _SE_PRIVILEGE_ENABLED_BY_DEFAULT uint32 = 0x00000001 + _SE_PRIVILEGE_ENABLED uint32 = 0x00000002 + _SE_PRIVILEGE_REMOVED uint32 = 0x00000004 + _SE_PRIVILEGE_USED_FOR_ACCESS uint32 = 0x80000000 +) + +func _LookupPrivilegeValue(systemName string, name string, luid *int64) (err error) { + var _p0 *uint16 + _p0, err = syscall.UTF16PtrFromString(systemName) + if err != nil { + return + } + var _p1 *uint16 + _p1, err = syscall.UTF16PtrFromString(name) + if err != nil { + return + } + return __LookupPrivilegeValue(_p0, _p1, luid) +} + +func __LookupPrivilegeValue(systemName *uint16, name *uint16, luid *int64) (err error) { + r1, _, e1 := syscall.Syscall(procLookupPrivilegeValueW.Addr(), 3, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(luid))) + if r1 == 0 { + if e1 != 0 { + err = error(e1) + } else { + err = syscall.EINVAL + } + } + return +} + +func _AdjustTokenPrivileges(token syscall.Token, releaseAll bool, input *byte, outputSize uint32, output *byte, requiredSize *uint32) (success bool, err error) { + var _p0 uint32 + if releaseAll { + _p0 = 1 + } else { + _p0 = 0 + } + r0, _, e1 := syscall.Syscall6(procAdjustTokenPrivileges.Addr(), 6, uintptr(token), uintptr(_p0), uintptr(unsafe.Pointer(input)), uintptr(outputSize), uintptr(unsafe.Pointer(output)), uintptr(unsafe.Pointer(requiredSize))) + success = r0 != 0 + if true { + if e1 != 0 { + err = error(e1) + } else { + err = syscall.EINVAL + } + } + return +} + +// mapPrivileges maps privilege names to LUID values. +func mapPrivileges(names []string) ([]int64, error) { + var privileges []int64 + privNameMutex.Lock() + defer privNameMutex.Unlock() + for _, name := range names { + p, ok := privNames[name] + if !ok { + err := _LookupPrivilegeValue("", name, &p) + if err != nil { + return nil, errors.Wrapf(err, "LookupPrivilegeValue failed on '%v'", name) + } + privNames[name] = p + } + privileges = append(privileges, p) + } + return privileges, nil +} + +// EnableTokenPrivileges enables the specified privileges in the given +// Token. The token must have TOKEN_ADJUST_PRIVILEGES access. If the token +// does not already contain the privilege it cannot be enabled. +func EnableTokenPrivileges(token syscall.Token, privileges ...string) error { + privValues, err := mapPrivileges(privileges) + if err != nil { + return err + } + + var b bytes.Buffer + binary.Write(&b, binary.LittleEndian, uint32(len(privValues))) + for _, p := range privValues { + binary.Write(&b, binary.LittleEndian, p) + binary.Write(&b, binary.LittleEndian, uint32(_SE_PRIVILEGE_ENABLED)) + } + + success, err := _AdjustTokenPrivileges(token, false, &b.Bytes()[0], uint32(b.Len()), nil, nil) + if !success { + return err + } + if err == ERROR_NOT_ALL_ASSIGNED { + return errors.Wrap(err, "error not all privileges were assigned") + } + + return nil +} + +// SetDebugPrivilege sets the debug privilege in the current running process. +func SetDebugPrivilege() { + h, err := syscall.GetCurrentProcess() + if err == nil { + var token syscall.Token + _ = syscall.OpenProcessToken(syscall.Handle(h), syscall.TOKEN_ADJUST_PRIVILEGES|syscall.TOKEN_QUERY, &token) + _ = EnableTokenPrivileges(token, SeDebugPrivilege) + } +} diff --git a/pkg/syscall/security/sid.go b/pkg/syscall/security/sid.go new file mode 100644 index 000000000..d423abf46 --- /dev/null +++ b/pkg/syscall/security/sid.go @@ -0,0 +1,131 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package security + +import ( + "errors" + "github.com/rabbitstack/fibratus/pkg/syscall/winerrno" + "os" + "syscall" + "unsafe" +) + +var ( + advapi32 = syscall.NewLazyDLL("advapi32.dll") + netapi32 = syscall.NewLazyDLL("netapi32.dll") + + lookupAccountSid = advapi32.NewProc("LookupAccountSidW") + netUserEnum = netapi32.NewProc("NetUserEnum") + netBufferFree = netapi32.NewProc("NetApiBufferFree") +) + +const ( + userMaxPreferredLength = 0xFFFFFFFF +) + +// LookupAccount returns the account and domain name from a security identifier. +func LookupAccount(buffer []byte, wbemSID bool) (string, string) { + n := uint32(50) + dn := uint32(50) + sid := uintptr(unsafe.Pointer(&buffer[0])) + + if wbemSID { + // a WBEM SID is actually a TOKEN_USER structure followed + // by the SID, so we have to double the pointer size + sid += uintptr(8 * 2) + } + var accType uint32 + for { + b := make([]uint16, n) + db := make([]uint16, dn) + errno, _, _ := lookupAccountSid.Call( + 0, + sid, + uintptr(unsafe.Pointer(&b[0])), + uintptr(unsafe.Pointer(&n)), + uintptr(unsafe.Pointer(&db[0])), + uintptr(unsafe.Pointer(&dn)), + uintptr(unsafe.Pointer(&accType)), + 0, + 0) + + if winerrno.Errno(errno) != winerrno.Success { + return syscall.UTF16ToString(b), syscall.UTF16ToString(db) + } + if winerrno.Errno(errno) != winerrno.InsufficientBuffer { + return "", "" + } + if n <= uint32(len(b)) { + return "", "" + } + } +} + +type userInfo struct { + name *uint16 +} + +// LookupAllSids returns SIDs for each user account in the system. +func LookupAllSids() ([]string, error) { + var ( + buf uintptr + handle uintptr + read uint32 + total uint32 + ) + + errno, _, err := netUserEnum.Call( + uintptr(0), + uintptr(uint32(0)), + uintptr(0), + uintptr(unsafe.Pointer(&buf)), + uintptr(uint32(userMaxPreferredLength)), + uintptr(unsafe.Pointer(&read)), + uintptr(unsafe.Pointer(&total)), + uintptr(unsafe.Pointer(&handle)), + ) + if winerrno.Errno(errno) != winerrno.Success { + return nil, os.NewSyscallError("NetUserEnum", err) + } + + if buf == uintptr(0) { + return nil, os.NewSyscallError("NetUserEnum", errors.New("null buffer pointer")) + } + sids := make([]string, 0) + entry := buf + for i := uint32(0); i < read; i++ { + info := (*userInfo)(unsafe.Pointer(entry)) + if info == nil { + continue + } + username := syscall.UTF16ToString((*[4096]uint16)(unsafe.Pointer(info.name))[:]) + sid, _, _, err := syscall.LookupSID("", username) + if err != nil { + continue + } + s, err := sid.String() + if err != nil { + continue + } + sids = append(sids, s) + entry = uintptr(unsafe.Pointer(entry + unsafe.Sizeof(userInfo{}))) + } + netBufferFree.Call(buf) + return sids, nil +} diff --git a/pkg/syscall/sys/sys.go b/pkg/syscall/sys/sys.go new file mode 100644 index 000000000..f289bf9a7 --- /dev/null +++ b/pkg/syscall/sys/sys.go @@ -0,0 +1,57 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package sys + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/syscall/object" + "github.com/rabbitstack/fibratus/pkg/syscall/winerrno" + "syscall" + "unsafe" +) + +var ( + native = syscall.NewLazyDLL("ntdll") + + ntQuerySystemInformation = native.NewProc("NtQuerySystemInformation") + rtlNtStatusToDosError = native.NewProc("RtlNtStatusToDosError") +) + +// QuerySystemInformation retrieves system low-level information. +func QuerySystemInformation(class object.InformationClass, buf []byte) (uint32, error) { + size := uint32(0) + status, _, _ := ntQuerySystemInformation.Call(uintptr(class), + uintptr(unsafe.Pointer(&buf[0])), + uintptr(len(buf)), + uintptr(unsafe.Pointer(&size))) + if status != 0 { + if status == winerrno.StatusInfoLengthMismatch || status == winerrno.StatusBufferTooSmall { + return size, errors.ErrNeedsReallocateBuffer + } + return size, fmt.Errorf("NtQuerySystemInformation failed with status code 0x%X", status) + } + return size, nil +} + +// CodeFromNtStatus converts the specified NTSTATUS code to its equivalent system error code. +func CodeFromNtStatus(status uint32) uint32 { + code, _, _ := rtlNtStatusToDosError.Call(uintptr(status)) + return uint32(code) +} diff --git a/pkg/syscall/tdh/tdh.go b/pkg/syscall/tdh/tdh.go new file mode 100644 index 000000000..9e9a36ef6 --- /dev/null +++ b/pkg/syscall/tdh/tdh.go @@ -0,0 +1,90 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package tdh + +import ( + kerrors "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/syscall/etw" + "github.com/rabbitstack/fibratus/pkg/syscall/winerrno" + "os" + "syscall" + "unsafe" +) + +var ( + tdh = syscall.NewLazyDLL("tdh.dll") + + tdhGetEventInformation = tdh.NewProc("TdhGetEventInformation") + tdhGetPropertySize = tdh.NewProc("TdhGetPropertySize") + tdhGetProperty = tdh.NewProc("TdhGetProperty") +) + +// GetEventInformation retrieves metadata about an event. It receives a buffer that to allocate +// `TraceEventInfo` structure. +func GetEventInformation(evt *etw.EventRecord, buffer []byte, size uint32) error { + errno, _, err := tdhGetEventInformation.Call( + uintptr(unsafe.Pointer(evt)), + 0, + 0, + uintptr(unsafe.Pointer(&buffer[0])), + uintptr(unsafe.Pointer(&size)), + ) + switch winerrno.Errno(errno) { + case winerrno.Success: + return nil + case winerrno.InsufficientBuffer: + return kerrors.ErrInsufficentBuffer + case winerrno.NotFound: + return kerrors.ErrEventSchemaNotFound + default: + return os.NewSyscallError("TdhGetEventInformation", err) + } +} + +func GetPropertySize(evt *etw.EventRecord, descriptor *PropertyDataDescriptor) (uint32, error) { + var size uint32 + errno, _, err := tdhGetPropertySize.Call( + uintptr(unsafe.Pointer(evt)), + 0, + 0, + 1, + uintptr(unsafe.Pointer(descriptor)), + uintptr(unsafe.Pointer(&size)), + ) + if winerrno.Errno(errno) != winerrno.Success { + return uint32(0), os.NewSyscallError("TdhGetPropertySize", err) + } + return size, nil +} + +func GetProperty(evt *etw.EventRecord, descriptor *PropertyDataDescriptor, size uint32, buffer []byte) error { + errno, _, err := tdhGetProperty.Call( + uintptr(unsafe.Pointer(evt)), + 0, + 0, + 1, + uintptr(unsafe.Pointer(descriptor)), + uintptr(size), + uintptr(unsafe.Pointer(&buffer[0])), + ) + if winerrno.Errno(errno) != winerrno.Success { + return os.NewSyscallError("TdhGetProperty", err) + } + return nil +} diff --git a/pkg/syscall/tdh/types.go b/pkg/syscall/tdh/types.go new file mode 100644 index 000000000..8314af476 --- /dev/null +++ b/pkg/syscall/tdh/types.go @@ -0,0 +1,139 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package tdh + +import ( + "github.com/rabbitstack/fibratus/pkg/syscall/etw" + sc "syscall" + "unsafe" +) + +const ( + IntypeNull = iota + IntypeUnicodeString + IntypeAnsiString + IntypeInt8 + IntypeUint8 + IntypeInt16 + IntypeUint16 + IntypeInt32 + IntypeUint32 + IntypeInt64 + IntypeUint64 + IntypeFloat + IntypeDouble + IntypeBoolean + IntypeBinary + IntypeGUID + IntypePointer + IntypeFiletime + IntypeSystime + IntypeSID + IntypeHexInt32 + IntypeHexInt64 + IntypeCountedString = 300 + IntypeCountedAnsiString = 301 + IntypeReversedCountedString = 302 + IntypeReversedCountedAnsiString = 303 + IntypeNoNullTerminatedString = 304 + IntypeNoNulTerminatedAnsiString = 305 + IntypeUnicodeChar = 306 + IntypeAnsiChar = 307 + IntypeSizet = 308 + IntypeHexdump = 309 + IntypeWbemSID = 310 +) + +const ( + OutypeNull = iota + OutypeString + OutypeDatetime + OutypeByte + OutypeUnsignedByte + OutypeShort + OutypeUnsignedShort + OutypeInt + OutypeUnsignedInt + OutypeLong + OutypeUnsignedLong + OutypeFloat + OutypeDouble + OutypeBoolean + OutypeGUID + OutypeHexBinary + OutypeHexInt8 + OutypeHexInt16 + OutypeHexInt32 + OutypeHexInt64 + OutypePID + OutypeTID + OutypePort + OutypeIPv4 + OutypeIPv6 + OutypeSocketAddress + OutypeCIMDatetime + OutypeETWTime + OutypeXML + OUTYTPEErrorCode + OutypeReducedString = 300 +) + +type NonStructType struct { + InType uint16 + OutType uint16 + MapNameOffset uint32 +} + +type EventPropertyInfo struct { + Flags int32 + NameOffset uint32 + Types [8]byte + Count [2]byte + Length [2]byte + Reserved [4]byte +} + +type TraceEventInfo struct { + ProviderGUID sc.GUID + EventGUID sc.GUID + EventDescriptor etw.EventDescriptor + DecodingSource int32 + ProviderNameOffset uint32 + LevelNameOffset uint32 + ChannelNameOffset uint32 + KeywordsNameOffset uint32 + TaskNameOffset uint32 + OpcodeNameOffset uint32 + EventMessageOffset uint32 + ProviderMessageOffset uint32 + BinaryXMLOffset uint32 + BinaryXMLSize uint32 + EventNameOffset [4]byte + EventAttributeOffset [4]byte + PropertyCount uint32 + TopLevelPropertyCount uint32 + Flags [4]byte + EventPropertyInfoArray [1]EventPropertyInfo +} + +type PropertyDataDescriptor struct { + PropertyName unsafe.Pointer + ArrayIndex uint32 + Reserved uint32 +} diff --git a/pkg/syscall/thread/thread.go b/pkg/syscall/thread/thread.go new file mode 100644 index 000000000..a96743d7b --- /dev/null +++ b/pkg/syscall/thread/thread.go @@ -0,0 +1,79 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package thread + +import ( + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/rabbitstack/fibratus/pkg/syscall/utf16" + "os" + "syscall" + "unsafe" +) + +var ( + kernel32 = syscall.NewLazyDLL("kernel32.dll") + + openThread = kernel32.NewProc("OpenThread") + createThread = kernel32.NewProc("CreateThread") + terminateThread = kernel32.NewProc("TerminateThread") +) + +// DesiredAccess defines the type alias for thread's access modifiers +type DesiredAccess uint32 + +const ( + // QueryLimitedInformation is required to get certain information from the thread objects (e.g. PID to which pertains some thread) + QueryLimitedInformation DesiredAccess = 0x0800 +) + +type threadNameInfo struct { + ThreadName utf16.UnicodeString +} + +// Open opens an existing thread object. +func Open(access DesiredAccess, inheritHandle bool, threadID uint32) (handle.Handle, error) { + var inherit uint8 + if inheritHandle { + inherit = 1 + } else { + inherit = 0 + } + h, _, err := openThread.Call(uintptr(access), uintptr(inherit), uintptr(threadID)) + if h == 0 { + return handle.Handle(0), os.NewSyscallError("OpenThread", err) + } + return handle.Handle(h), nil +} + +func Create(ctx unsafe.Pointer, cb uintptr) (handle.Handle, uint32, error) { + var threadID uint32 + h, _, err := createThread.Call(0, 0, cb, uintptr(ctx), 0, uintptr(unsafe.Pointer(&threadID))) + if h == 0 { + return handle.Handle(0), threadID, os.NewSyscallError("CreateThread", err) + } + return handle.Handle(h), threadID, nil +} + +func Terminate(handle handle.Handle, exitCode uint32) error { + errno, _, err := terminateThread.Call(uintptr(handle), uintptr(exitCode)) + if errno == 0 { + return os.NewSyscallError("TerminateThread", err) + } + return nil +} diff --git a/pkg/syscall/utf16/string.go b/pkg/syscall/utf16/string.go new file mode 100644 index 000000000..1e90d8c44 --- /dev/null +++ b/pkg/syscall/utf16/string.go @@ -0,0 +1,73 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package utf16 + +import ( + "reflect" + "syscall" + "unicode/utf16" + "unsafe" +) + +// UnicodeString stores the size and the memory buffer of the unicode string. +type UnicodeString struct { + Length uint16 + MaxLength uint16 + Buffer *uint16 +} + +// String returns the native string from the Unicode stream. +func (u UnicodeString) String() string { + if u.Length == 0 { + return "" + } + var s []uint16 + hdr := (*reflect.SliceHeader)(unsafe.Pointer(&s)) + hdr.Data = uintptr(unsafe.Pointer(u.Buffer)) + hdr.Len = int(u.Length / 2) + hdr.Cap = int(u.MaxLength / 2) + return string(utf16.Decode(s)) +} + +// StringToUTF16Ptr returns the pointer to UTF-8 encoded string. It will silently return +// an invalid pointer if `s` argument contains a NUL byte at any location. +func StringToUTF16Ptr(s string) *uint16 { + var p *uint16 + p, _ = syscall.UTF16PtrFromString(s) + return p +} + +// UTF16PtrToString is like UTF16ToString, but takes *uint16 +// as a parameter instead of []uint16. +func UTF16PtrToString(p unsafe.Pointer) string { + if p == nil { + return "" + } + var s []uint16 + hdr := (*reflect.SliceHeader)(unsafe.Pointer(&s)) + hdr.Data = uintptr(p) + hdr.Cap = 1 + hdr.Len = 1 + for s[len(s)-1] != 0 { + hdr.Cap++ + hdr.Len++ + } + // Remove trailing NUL and decode into a Go string.. + return string(utf16.Decode(s[:len(s)-1])) +} diff --git a/pkg/syscall/ver/ver.go b/pkg/syscall/ver/ver.go new file mode 100644 index 000000000..293c19d33 --- /dev/null +++ b/pkg/syscall/ver/ver.go @@ -0,0 +1,24 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ver + +// IsWin8OrGreater indicates if the current OS version matches, or is greater than, the Windows 8 version. +func IsWin8OrGreater() bool { + return true +} diff --git a/pkg/syscall/winerrno/errors.go b/pkg/syscall/winerrno/errors.go new file mode 100644 index 000000000..8f5f60b39 --- /dev/null +++ b/pkg/syscall/winerrno/errors.go @@ -0,0 +1,53 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package winerrno + +// Errno is the type alias for error codes returned by API functions +type Errno uintptr + +const ( + // InvalidProcessTraceHandle designates an invalid trace handle reference + InvalidProcessTraceHandle uint64 = 0xffffffffffffffff + // InvalidPID indicates invalid process identifier value + InvalidPID uint32 = 0xffffffff + StatusInfoLengthMismatch = 0xC0000004 + StatusBufferTooSmall = 0xC0000023 + // StatusBufferOverflow indicates that the data was too small to fit in the buffer + StatusBufferOverflow = 0x80000005 + // Success determines successful return code + Success Errno = 0x0 + InvalidParameter Errno = 0x57 + AlreadyExists Errno = 0xb7 + DiskFull Errno = 0x70 + AccessDenied Errno = 0x5 + NoSysResources Errno = 0x5aa + BadLength Errno = 0x18 + WMIInstanceNotFound Errno = 0x1069 + Cancelled Errno = 0x4c7 + NoAccess Errno = 0x3e6 + InsufficientBuffer Errno = 0x7a + NotFound Errno = 0x490 + // CtxClosePending indicates that function will stop after it has processed all real-time events in + // its buffers (it will not receive any new events) + CtxClosePending Errno = 0x1B5F +) + +func (e Errno) IsNotFound() bool { + return e == NotFound +} diff --git a/pkg/util/bytes/bytes.go b/pkg/util/bytes/bytes.go new file mode 100644 index 000000000..5674bd949 --- /dev/null +++ b/pkg/util/bytes/bytes.go @@ -0,0 +1,80 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package bytes + +import ( + "encoding/binary" + "unsafe" +) + +// NativeEndian represents the endianness of the current machine +var NativeEndian binary.ByteOrder + +func init() { + InitNativeEndian(nil) +} + +// InitNativeEndian figures out the endianness of the current machine (https://stackoverflow.com/questions/51332658/any-better-way-to-check-endianness-in-go) +func InitNativeEndian(b []byte) { + buf := [8]byte{} + if b != nil && len(b) == 8 { + copy(buf[:], b[:8]) + } else { + *(*uint64)(unsafe.Pointer(&buf[0])) = uint64(0x6669627261747573) + } + + switch buf { + case [8]byte{0x73, 0x75, 0x74, 0x61, 0x72, 0x62, 0x69, 0x66}: + NativeEndian = binary.LittleEndian + case [8]byte{0x66, 0x69, 0x62, 0x72, 0x61, 0x74, 0x75, 0x73}: + NativeEndian = binary.BigEndian + default: + panic("could not determine native endianness") + } +} + +func ReadUint16(b []byte) uint16 { + return NativeEndian.Uint16(b) +} + +func ReadUint32(b []byte) uint32 { + return NativeEndian.Uint32(b) +} + +func ReadUint64(b []byte) uint64 { + return NativeEndian.Uint64(b) +} + +func WriteUint16(v uint16) (b []byte) { + b = make([]byte, 2) + NativeEndian.PutUint16(b, v) + return +} + +func WriteUint32(v uint32) (b []byte) { + b = make([]byte, 4) + NativeEndian.PutUint32(b, v) + return +} + +func WriteUint64(v uint64) (b []byte) { + b = make([]byte, 8) + NativeEndian.PutUint64(b, v) + return +} diff --git a/pkg/util/fasttemplate/doc.go b/pkg/util/fasttemplate/doc.go new file mode 100644 index 000000000..e9ffd8131 --- /dev/null +++ b/pkg/util/fasttemplate/doc.go @@ -0,0 +1,25 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +// Package fasttemplate implements simple and fast template library. Credits goes to: https://github.com/valyala/fasttemplate +// +// Fasttemplate is faster than text/template, strings.Replace +// and strings.Replacer. +// +// Fasttemplate ideally fits for fast and simple placeholders' substitutions. +package fasttemplate diff --git a/pkg/util/fasttemplate/template.go b/pkg/util/fasttemplate/template.go new file mode 100644 index 000000000..f02024db5 --- /dev/null +++ b/pkg/util/fasttemplate/template.go @@ -0,0 +1,210 @@ +/* + * The MIT License (MIT) + * + * Copyright (c) 2015 Aliaksandr Valialkin + * Modifications Copyright (c) 2019-2020 by Nedim Sabic + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + */ + +package fasttemplate + +import ( + "bytes" + "errors" + "fmt" + "github.com/valyala/bytebufferpool" + "io" +) + +// Template implements simple template engine, which can be used for fast +// tags' (aka placeholders) substitution. +type Template struct { + template string + startTag string + endTag string + + texts [][]byte + tags []string + byteBufferPool bytebufferpool.Pool +} + +// NewTemplate parses the given template using the given startTag and endTag +// as tag start and tag end. +// +// The returned template can be executed by concurrently running goroutines +// using Execute* methods. +func NewTemplate(template, startTag, endTag string) (*Template, error) { + var t Template + err := t.Reset(template, startTag, endTag) + if err != nil { + return nil, err + } + return &t, nil +} + +// TagFunc can be used as a substitution value in the map passed to Execute*. +// Execute* functions pass tag (placeholder) name in 'tag' argument. +// +// TagFunc must be safe to call from concurrently running goroutines. +// +// TagFunc must write contents to w and return the number of bytes written. +type TagFunc func(w io.Writer, tag string) (int, error) + +// Reset resets the template t to new one defined by +// template, startTag and endTag. +// +// Reset allows Template object re-use. +// +// Reset may be called only if no other goroutines call t methods at the moment. +func (t *Template) Reset(template, startTag, endTag string) error { + // Keep these vars in t, so GC won't collect them and won't break + // vars derived via unsafe* + t.template = template + t.startTag = startTag + t.endTag = endTag + t.texts = t.texts[:0] + t.tags = t.tags[:0] + + if len(startTag) == 0 { + return errors.New("start tag cannot be empty") + } + if len(endTag) == 0 { + return errors.New("end tag cannot be empty") + } + + s := stringToBytes(template) + a := stringToBytes(startTag) + b := stringToBytes(endTag) + + tagsCount := bytes.Count(s, a) + if tagsCount == 0 { + return nil + } + + if tagsCount+1 > cap(t.texts) { + t.texts = make([][]byte, 0, tagsCount+1) + } + if tagsCount > cap(t.tags) { + t.tags = make([]string, 0, tagsCount) + } + + for { + n := bytes.Index(s, a) + if n < 0 { + t.texts = append(t.texts, s) + break + } + t.texts = append(t.texts, s[:n]) + + s = s[n+len(a):] + n = bytes.Index(s, b) + if n < 0 { + return fmt.Errorf("cannot find end tag=%q in the template=%q starting from %q", endTag, template, s) + } + + t.tags = append(t.tags, bytesToString(s[:n])) + s = s[n+len(b):] + } + + return nil +} + +// ExecuteFunc calls f on each template tag (placeholder) occurrence. +// +// Returns the number of bytes written to w. +// +// This function is optimized for frozen templates. +// Use ExecuteFunc for constantly changing templates. +func (t *Template) ExecuteFunc(w io.Writer, f TagFunc) (int64, error) { + var nn int64 + + n := len(t.texts) - 1 + if n == -1 { + ni, err := w.Write(stringToBytes(t.template)) + return int64(ni), err + } + + for i := 0; i < n; i++ { + ni, err := w.Write(t.texts[i]) + nn += int64(ni) + if err != nil { + return nn, err + } + + ni, err = f(w, t.tags[i]) + nn += int64(ni) + if err != nil { + return nn, err + } + } + ni, err := w.Write(t.texts[n]) + nn += int64(ni) + return nn, err +} + +// Execute substitutes template tags (placeholders) with the corresponding +// values from the map m and writes the result to the given writer w. +// +// Substitution map m may contain values with the following types: +// * []byte - the fastest value type +// * string - convenient value type +// * TagFunc - flexible value type +// +// Returns the number of bytes written to w. +func (t *Template) Execute(w io.Writer, m map[string]interface{}) (int64, error) { + return t.ExecuteFunc(w, func(w io.Writer, tag string) (int, error) { return stdTagFunc(w, tag, m) }) +} + +// ExecuteFuncString calls f on each template tag (placeholder) occurrence +// and substitutes it with the data written to TagFunc's w. +// +// Returns the resulting string. +// +// This function is optimized for frozen templates. +// Use ExecuteFuncString for constantly changing templates. +func (t *Template) ExecuteFuncString(f TagFunc) []byte { + bb := t.byteBufferPool.Get() + if _, err := t.ExecuteFunc(bb, f); err != nil { + return []byte{} + } + s := bb.Bytes() + bb.Reset() + t.byteBufferPool.Put(bb) + return s +} + +// ExecuteString substitutes template tags (placeholders) with the corresponding +// values from the map m and returns the result. +// +// Substitution map m may contain values with the following types: +// * []byte - the fastest value type +// * string - convenient value type +// * TagFunc - flexible value type +// +// This function is optimized for frozen templates. +// Use ExecuteString for constantly changing templates. +func (t *Template) ExecuteString(m map[string]interface{}) []byte { + return t.ExecuteFuncString(func(w io.Writer, tag string) (int, error) { return stdTagFunc(w, tag, m) }) +} + +func stdTagFunc(w io.Writer, tag string, m map[string]interface{}) (int, error) { + v := m[tag] + if v == nil { + return 0, nil + } + switch value := v.(type) { + case []byte: + return w.Write(value) + case string: + return w.Write([]byte(value)) + case TagFunc: + return value(w, tag) + default: + return 0, fmt.Errorf("tag=%q contains unexpected value type=%#v. Expected []byte, string or TagFunc", tag, v) + } +} diff --git a/pkg/util/fasttemplate/unsafe.go b/pkg/util/fasttemplate/unsafe.go new file mode 100644 index 000000000..6552e08ca --- /dev/null +++ b/pkg/util/fasttemplate/unsafe.go @@ -0,0 +1,33 @@ +/* + * The MIT License (MIT) + * + * Copyright (c) 2015 Aliaksandr Valialkin + * Modifications Copyright (c) 2019-2020 by Nedim Sabic + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + */ + +package fasttemplate + +import ( + "reflect" + "unsafe" +) + +func bytesToString(b []byte) string { + return *(*string)(unsafe.Pointer(&b)) +} + +func stringToBytes(s string) []byte { + sh := (*reflect.StringHeader)(unsafe.Pointer(&s)) + bh := reflect.SliceHeader{ + Data: sh.Data, + Len: sh.Len, + Cap: sh.Len, + } + return *(*[]byte)(unsafe.Pointer(&bh)) +} diff --git a/pkg/util/filetime/filetime.go b/pkg/util/filetime/filetime.go new file mode 100644 index 000000000..19636186e --- /dev/null +++ b/pkg/util/filetime/filetime.go @@ -0,0 +1,30 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package filetime + +import ( + "syscall" + "time" +) + +// ToEpoch converts file timestamp to Unix time. +func ToEpoch(ts uint64) time.Time { + ft := &syscall.Filetime{HighDateTime: uint32(ts >> 32), LowDateTime: uint32(ts)} + return time.Unix(0, ft.Nanoseconds()) +} diff --git a/pkg/util/hostname/hostname.go b/pkg/util/hostname/hostname.go new file mode 100644 index 000000000..f788b85e6 --- /dev/null +++ b/pkg/util/hostname/hostname.go @@ -0,0 +1,109 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package hostname + +import "C" +import ( + "expvar" + "net" + "os" + "syscall" + "unsafe" +) + +// hostname is the current host name or FQDN +var hostname string + +// hostnameErrors exposes host/fqdn resolution errors +var hostnameErrors = expvar.NewMap("hostname.errors") + +const computerNamePhysicalDnsFullyQualified = 7 + +var ( + kernel32 = syscall.NewLazyDLL("kernel32.dll") + getComputerName = kernel32.NewProc("GetComputerNameExW") +) + +// Get returns the host name or the FQDN of the machine. +func Get() string { + if hostname != "" { + return hostname + } + var err error + hostname, err = os.Hostname() + if err != nil { + hostnameErrors.Add(err.Error(), 1) + } + + // get the Fully Qualified Domain Name (FQDN) of this machine + maxComputerLength := 1024 + buf := make([]uint16, maxComputerLength) + errno, _, err := getComputerName.Call( + uintptr(computerNamePhysicalDnsFullyQualified), + uintptr(unsafe.Pointer(&buf[0])), + uintptr(unsafe.Pointer(&maxComputerLength))) + if errno == 0 { + // we couldn't get the hostname neither the FQDN + // so we try to fetch the local IP and use as hostname + if hostname == "" { + ip := localIP() + if ip != "" { + hostname = ip + } else { + hostname = "unknown" + } + } + hostnameErrors.Add(err.Error(), 1) + return hostname + } + + fqdn := syscall.UTF16ToString(buf) + if fqdn != "" { + hostname = fqdn + } + + return hostname +} + +// localIP returns the first non-loopback interface IP address. +func localIP() string { + ifaces, err := net.Interfaces() + if err != nil { + return "" + } + for _, i := range ifaces { + addrs, err := i.Addrs() + if err != nil { + continue + } + for _, addr := range addrs { + var ip net.IP + switch v := addr.(type) { + case *net.IPNet: + ip = v.IP + case *net.IPAddr: + ip = v.IP + } + if !ip.IsLoopback() { + return ip.String() + } + } + } + return "" +} diff --git a/pkg/util/ip/ip.go b/pkg/util/ip/ip.go new file mode 100644 index 000000000..613ca994d --- /dev/null +++ b/pkg/util/ip/ip.go @@ -0,0 +1,46 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ip + +import ( + "net" + "syscall" + "unsafe" +) + +var ( + nt = syscall.NewLazyDLL("ntdll.dll") + + // rtlIpv6AddressToString is the procedure for `RtlIpv6AddressToStringW` API call. + rtlIpv6AddressToString = nt.NewProc("RtlIpv6AddressToStringW") +) + +// ToIPv4 accepts an integer IP address in network byte order and returns an IP-typed address. +func ToIPv4(ip uint32) net.IP { + return net.IPv4(byte(ip), byte(ip>>8), byte(ip>>16), byte(ip>>24)) +} + +// ToIPv6 converts the buffer with IPv6 address in network byte order to an IP-typed address. +func ToIPv6(buffer []byte) net.IP { + ipv6 := make([]uint16, 46) + if rtlIpv6AddressToString != nil { + _, _, _ = rtlIpv6AddressToString.Call(uintptr(unsafe.Pointer(&buffer[0])), uintptr(unsafe.Pointer(&ipv6[0]))) + } + return net.ParseIP(syscall.UTF16ToString(ipv6)) +} diff --git a/pkg/util/ip/ip_test.go b/pkg/util/ip/ip_test.go new file mode 100644 index 000000000..2bcb18835 --- /dev/null +++ b/pkg/util/ip/ip_test.go @@ -0,0 +1,34 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package ip + +import ( + "github.com/stretchr/testify/assert" + "testing" +) + +func TestToIPv4(t *testing.T) { + ip := ToIPv4(16777343) + assert.Equal(t, "127.0.0.1", ip.String()) +} + +func TestToIPv6(t *testing.T) { + ip := ToIPv6([]byte{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1}) + assert.Equal(t, "::1", ip.String()) +} diff --git a/pkg/util/log/_fixtures/.gitkeep b/pkg/util/log/_fixtures/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/pkg/util/log/_fixtures/fibratus.log b/pkg/util/log/_fixtures/fibratus.log new file mode 100644 index 000000000..1f45c1934 --- /dev/null +++ b/pkg/util/log/_fixtures/fibratus.log @@ -0,0 +1 @@ +time="2020-11-07T21:58:53+01:00" level=info msg="fibratus initialized" source="log/logger_test.go:28" diff --git a/pkg/util/log/config.go b/pkg/util/log/config.go new file mode 100644 index 000000000..64755cf49 --- /dev/null +++ b/pkg/util/log/config.go @@ -0,0 +1,76 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package log + +import ( + "github.com/spf13/pflag" + "github.com/spf13/viper" +) + +const ( + logLevel = "logging.level" + logMaxAge = "logging.max-age" + logMaxBackups = "logging.max-backups" + logMaxSize = "logging.max-size" + logFormatter = "logging.formatter" + logPath = "logging.path" + logStdout = "logging.log-stdout" +) + +// Config contains a set of setting that control the behaviour of the logging system. +type Config struct { + // Level specifies the minimum allowed log level. + Level string `json:"logging.level" yaml:"logging.level"` + // MaxAge is the maximum number of days to retain old log files based on the + // timestamp encoded in their filename. + MaxAge int `json:"logging.max-age" yaml:"logging.max-age"` + // MaxBackups is the maximum number of old log files to retain. + MaxBackups int `json:"logging.max-backups" yaml:"logging.max-backups"` + // MaxSize is the maximum size in megabytes of the log file before it gets rotated. + MaxSize int `json:"logging.max-size" yaml:"logging.max-size"` + // Formatter represents the log formatter (json | text ). + Formatter string `json:"logging.formatter" yaml:"logging.formatter"` + // Path represents the alternative paths for storing the logs. + Path string `json:"logging.path" yaml:"logging.path"` + // LogStdout indicates whether log lines are written to standard output in addition to writing them + // to log files. + LogStdout bool `json:"logging.log-stdout" yaml:"logging.log-stdout"` +} + +// InitFromViper initializes logging configuration from Viper. +func (c *Config) InitFromViper(v *viper.Viper) { + c.Level = v.GetString(logLevel) + c.MaxAge = v.GetInt(logMaxAge) + c.MaxBackups = v.GetInt(logMaxBackups) + c.MaxSize = v.GetInt(logMaxSize) + c.Formatter = v.GetString(logFormatter) + c.Path = v.GetString(logPath) + c.LogStdout = v.GetBool(logStdout) +} + +// AddFlags registers persistent logging flags. +func (c *Config) AddFlags(flags *pflag.FlagSet) { + flags.String(logLevel, "info", "Specifies the minimum allowed log level") + flags.Int(logMaxAge, 0, "Sets he maximum number of days to retain old log files based on the timestamp encoded in their filename. By default no old log files will be removed") + flags.Int(logMaxBackups, 15, "Specifies the maximum number of old log files to retain") + flags.Int(logMaxSize, 100, "Specifies the maximum size in megabytes of the log file before it gets rotated") + flags.String(logFormatter, "json", "Represents the log formatter (json|text )") + flags.String(logPath, "", "Specifies the alternative paths for storing the logs") + flags.Bool(logStdout, false, "Indicates whether log lines are written to standard output in addition to writing them to log files") +} diff --git a/pkg/util/log/logger.go b/pkg/util/log/logger.go new file mode 100644 index 000000000..ef2b170aa --- /dev/null +++ b/pkg/util/log/logger.go @@ -0,0 +1,112 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package log + +import ( + "errors" + "expvar" + "fmt" + "github.com/rabbitstack/fibratus/pkg/util/log/rotate" + fs "github.com/rifflock/lfshook" + "github.com/sirupsen/logrus" + "io/ioutil" + "os" + "path/filepath" +) + +var ( + // errEmptyLogsPath contains logger setup errors + loggerErrors = expvar.NewMap("logger.errors") +) + +// InitFromConfig initializes a Logrus instance from config options. +func InitFromConfig(c Config) error { + exe, err := os.Executable() + var path string + if err != nil { + path = filepath.Join(os.Getenv("PROGRAMFILES"), "fibratus", "logs") + } else { + path = filepath.Join(filepath.Dir(exe), "..", "logs") + } + if c.Path != "" { + path = c.Path + } + if path == "" { + return errors.New("got an empty logs directory path. Please make sure Fibratus is installed properly") + } + _, err = os.Stat(path) + if err != nil { + // let's create the logs directory since it doesn't exist, even though + // this should rarely happen because Fibratus installer already creates + // the logs directory + if err := os.MkdirAll(path, os.ModePerm); err != nil { + return fmt.Errorf("unable to create the %s logs directory: %v", path, err) + } + } + + file := filepath.Join(path, "fibratus.log") + + // setup log formatter + var formatter logrus.Formatter + switch c.Formatter { + case "json": + formatter = &logrus.JSONFormatter{} + case "text": + formatter = &logrus.TextFormatter{} + default: + formatter = &logrus.JSONFormatter{} + } + logrus.SetFormatter(formatter) + + level, err := logrus.ParseLevel(c.Level) + if err != nil { + return err + } + logrus.SetLevel(level) + + // disable writing to stdout + if !c.LogStdout { + logrus.SetOutput(ioutil.Discard) + } + + // initialize log rotate hook + rhook, err := rotate.NewHook(rotate.Config{ + MaxAge: c.MaxAge, + MaxBackups: c.MaxBackups, + MaxSize: c.MaxSize, + Level: level, + Formatter: formatter, + Filename: file, + }) + + if err != nil { + loggerErrors.Add(err.Error(), 1) + // failed to initialize log rotate, so we fallback on simple log hook + var pathMap fs.PathMap = make(map[logrus.Level]string, 0) + for _, lvl := range logrus.AllLevels { + pathMap[lvl] = file + } + logrus.AddHook(fs.NewHook(pathMap, formatter)) + logrus.Warnf("unable to initialize rotate file hook: %v", err) + return nil + } + logrus.AddHook(rhook) + + return nil +} diff --git a/pkg/util/log/logger_test.go b/pkg/util/log/logger_test.go new file mode 100644 index 000000000..a87a97e19 --- /dev/null +++ b/pkg/util/log/logger_test.go @@ -0,0 +1,38 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package log + +import ( + "github.com/sirupsen/logrus" + "github.com/stretchr/testify/require" + "os" + "testing" +) + +func TestInitFromConfig(t *testing.T) { + require.Error(t, InitFromConfig(Config{})) + require.NoError(t, InitFromConfig(Config{Path: "_fixtures", Level: "info", Formatter: "text"})) + + os.Remove("_fixtures\\fibratus.log") + + logrus.Info("fibratus initialized") + + _, err := os.Stat("_fixtures\\fibratus.log") + require.NoError(t, err) +} diff --git a/pkg/util/log/rotate/rotate.go b/pkg/util/log/rotate/rotate.go new file mode 100644 index 000000000..19590a0a0 --- /dev/null +++ b/pkg/util/log/rotate/rotate.go @@ -0,0 +1,137 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package rotate + +import ( + "fmt" + "github.com/sirupsen/logrus" + "gopkg.in/natefinch/lumberjack.v2" + "io" + "runtime" + "strings" +) + +// Config is the configuration for the rotate file hook. +type Config struct { + Filename string + MaxSize int + MaxBackups int + MaxAge int + Level logrus.Level + Formatter logrus.Formatter +} + +// RotateFile represents the rotate file hook. +type RotateFile struct { + config Config + w io.Writer + depth int + skip int + formatter func(file, function string, line int) string + skipPrefixes []string +} + +// NewHook builds a new rotate file hook. +func NewHook(config Config) (logrus.Hook, error) { + hook := RotateFile{ + config: config, + depth: 20, + skip: 5, + skipPrefixes: []string{"logrus/", "logrus@"}, + formatter: func(file, function string, line int) string { + return fmt.Sprintf("%s:%d", file, line) + }, + } + hook.w = &lumberjack.Logger{ + Filename: config.Filename, + MaxSize: config.MaxSize, + MaxBackups: config.MaxBackups, + MaxAge: config.MaxAge, + } + return &hook, nil +} + +// Levels determines log levels that for which the logs are written. +func (hook *RotateFile) Levels() []logrus.Level { + return logrus.AllLevels[:hook.config.Level+1] +} + +// Fire is called by logrus when it is about to write the log entry. +func (hook *RotateFile) Fire(entry *logrus.Entry) (err error) { + modified := entry.WithField("source", hook.formatter(hook.findCaller())) + modified.Level = entry.Level + modified.Message = entry.Message + b, err := hook.config.Formatter.Format(modified) + if err != nil { + return err + } + _, err = hook.w.Write(b) + return err +} + +func (hook *RotateFile) findCaller() (string, string, int) { + var ( + pc uintptr + file string + function string + line int + ) + for i := 0; i < hook.depth; i++ { + pc, file, line = getCaller(hook.skip + i) + if !hook.skipFile(file) { + break + } + } + if pc != 0 { + frames := runtime.CallersFrames([]uintptr{pc}) + frame, _ := frames.Next() + function = frame.Function + } + + return file, function, line +} + +func (hook *RotateFile) skipFile(file string) bool { + for i := range hook.skipPrefixes { + if strings.HasPrefix(file, hook.skipPrefixes[i]) { + return true + } + } + return false +} + +func getCaller(skip int) (uintptr, string, int) { + pc, file, line, ok := runtime.Caller(skip) + if !ok { + return 0, "", 0 + } + + n := 0 + for i := len(file) - 1; i > 0; i-- { + if file[i] == '/' { + n++ + if n >= 2 { + file = file[i+1:] + break + } + } + } + + return pc, file, line +} diff --git a/pkg/util/multierror/multierror.go b/pkg/util/multierror/multierror.go new file mode 100644 index 000000000..04d0d6464 --- /dev/null +++ b/pkg/util/multierror/multierror.go @@ -0,0 +1,55 @@ +// Copyright (c) 2017 Uber Technologies, Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package multierror + +import ( + "fmt" + "strings" +) + +// Wrap takes a slice of errors and returns a single error that encapsulates +// those underlying errors. If the slice is nil or empty it returns nil. +// If the slice only contains a single element, that error is returned directly. +// When more than one error is wrapped, the Error() string is a concatenation +// of the Error() values of all underlying errors. +func Wrap(errs []error) error { + return multiError(errs).flatten() +} + +// multiError bundles several errors together into a single error. +type multiError []error + +// flatten returns either: nil, the only error, or the multiError instance itself +// if there are 0, 1, or more errors in the slice respectively. +func (errors multiError) flatten() error { + switch len(errors) { + case 0: + return nil + case 1: + return errors[0] + default: + return errors + } +} + +// Error returns a string like "[e1, e2, ...]" where each eN is the Error() of +// each error in the slice. +func (errors multiError) Error() string { + parts := make([]string, len(errors)) + for i, err := range errors { + parts[i] = err.Error() + } + return fmt.Sprintf("[%s]", strings.Join(parts, ", ")) +} diff --git a/pkg/util/ports/iana_ports.go b/pkg/util/ports/iana_ports.go new file mode 100644 index 000000000..ab657f33e --- /dev/null +++ b/pkg/util/ports/iana_ports.go @@ -0,0 +1,11352 @@ +// Copyright 2012 Google, Inc. All rights reserved. +// Borrowed from gopacket. https://github.com/google/gopacket/blob/master/layers/iana_ports.go + +package ports + +// Created by gen.go, don't edit manually +// Generated at 2017-10-23 09:57:28.214859163 -0600 MDT m=+1.011679290 +// Fetched from "http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml" + +// TCPPortNames contains the port names for all TCP ports. +var TCPPortNames = tcpPortNames + +// UDPPortNames contains the port names for all UDP ports. +var UDPPortNames = udpPortNames + +// SCTPPortNames contains the port names for all SCTP ports. +var SCTPPortNames = sctpPortNames + +var tcpPortNames = map[uint16]string{ + 1: "tcpmux", + 2: "compressnet", + 3: "compressnet", + 5: "rje", + 7: "echo", + 9: "discard", + 11: "systat", + 13: "daytime", + 17: "qotd", + 18: "msp", + 19: "chargen", + 20: "ftp-data", + 21: "ftp", + 22: "ssh", + 23: "telnet", + 25: "smtp", + 27: "nsw-fe", + 29: "msg-icp", + 31: "msg-auth", + 33: "dsp", + 37: "time", + 38: "rap", + 39: "rlp", + 41: "graphics", + 42: "name", + 43: "nicname", + 44: "mpm-flags", + 45: "mpm", + 46: "mpm-snd", + 48: "auditd", + 49: "tacacs", + 50: "re-mail-ck", + 52: "xns-time", + 53: "domain", + 54: "xns-ch", + 55: "isi-gl", + 56: "xns-auth", + 58: "xns-mail", + 62: "acas", + 63: "whoispp", + 64: "covia", + 65: "tacacs-ds", + 66: "sql-net", + 67: "bootps", + 68: "bootpc", + 69: "tftp", + 70: "gopher", + 71: "netrjs-1", + 72: "netrjs-2", + 73: "netrjs-3", + 74: "netrjs-4", + 76: "deos", + 78: "vettcp", + 79: "finger", + 80: "http", + 82: "xfer", + 83: "mit-ml-dev", + 84: "ctf", + 85: "mit-ml-dev", + 86: "mfcobol", + 88: "kerberos", + 89: "su-mit-tg", + 90: "dnsix", + 91: "mit-dov", + 92: "npp", + 93: "dcp", + 94: "objcall", + 95: "supdup", + 96: "dixie", + 97: "swift-rvf", + 98: "tacnews", + 99: "metagram", + 101: "hostname", + 102: "iso-tsap", + 103: "gppitnp", + 104: "acr-nema", + 105: "cso", + 106: "3com-tsmux", + 107: "rtelnet", + 108: "snagas", + 109: "pop2", + 110: "pop3", + 111: "sunrpc", + 112: "mcidas", + 113: "ident", + 115: "sftp", + 116: "ansanotify", + 117: "uucp-path", + 118: "sqlserv", + 119: "nntp", + 120: "cfdptkt", + 121: "erpc", + 122: "smakynet", + 123: "ntp", + 124: "ansatrader", + 125: "locus-map", + 126: "nxedit", + 127: "locus-con", + 128: "gss-xlicen", + 129: "pwdgen", + 130: "cisco-fna", + 131: "cisco-tna", + 132: "cisco-sys", + 133: "statsrv", + 134: "ingres-net", + 135: "epmap", + 136: "profile", + 137: "netbios-ns", + 138: "netbios-dgm", + 139: "netbios-ssn", + 140: "emfis-data", + 141: "emfis-cntl", + 142: "bl-idm", + 143: "imap", + 144: "uma", + 145: "uaac", + 146: "iso-tp0", + 147: "iso-ip", + 148: "jargon", + 149: "aed-512", + 150: "sql-net", + 151: "hems", + 152: "bftp", + 153: "sgmp", + 154: "netsc-prod", + 155: "netsc-dev", + 156: "sqlsrv", + 157: "knet-cmp", + 158: "pcmail-srv", + 159: "nss-routing", + 160: "sgmp-traps", + 161: "snmp", + 162: "snmptrap", + 163: "cmip-man", + 164: "cmip-agent", + 165: "xns-courier", + 166: "s-net", + 167: "namp", + 168: "rsvd", + 169: "send", + 170: "print-srv", + 171: "multiplex", + 172: "cl-1", + 173: "xyplex-mux", + 174: "mailq", + 175: "vmnet", + 176: "genrad-mux", + 177: "xdmcp", + 178: "nextstep", + 179: "bgp", + 180: "ris", + 181: "unify", + 182: "audit", + 183: "ocbinder", + 184: "ocserver", + 185: "remote-kis", + 186: "kis", + 187: "aci", + 188: "mumps", + 189: "qft", + 190: "gacp", + 191: "prospero", + 192: "osu-nms", + 193: "srmp", + 194: "irc", + 195: "dn6-nlm-aud", + 196: "dn6-smm-red", + 197: "dls", + 198: "dls-mon", + 199: "smux", + 200: "src", + 201: "at-rtmp", + 202: "at-nbp", + 203: "at-3", + 204: "at-echo", + 205: "at-5", + 206: "at-zis", + 207: "at-7", + 208: "at-8", + 209: "qmtp", + 210: "z39-50", + 211: "914c-g", + 212: "anet", + 213: "ipx", + 214: "vmpwscs", + 215: "softpc", + 216: "CAIlic", + 217: "dbase", + 218: "mpp", + 219: "uarps", + 220: "imap3", + 221: "fln-spx", + 222: "rsh-spx", + 223: "cdc", + 224: "masqdialer", + 242: "direct", + 243: "sur-meas", + 244: "inbusiness", + 245: "link", + 246: "dsp3270", + 247: "subntbcst-tftp", + 248: "bhfhs", + 256: "rap", + 257: "set", + 259: "esro-gen", + 260: "openport", + 261: "nsiiops", + 262: "arcisdms", + 263: "hdap", + 264: "bgmp", + 265: "x-bone-ctl", + 266: "sst", + 267: "td-service", + 268: "td-replica", + 269: "manet", + 271: "pt-tls", + 280: "http-mgmt", + 281: "personal-link", + 282: "cableport-ax", + 283: "rescap", + 284: "corerjd", + 286: "fxp", + 287: "k-block", + 308: "novastorbakcup", + 309: "entrusttime", + 310: "bhmds", + 311: "asip-webadmin", + 312: "vslmp", + 313: "magenta-logic", + 314: "opalis-robot", + 315: "dpsi", + 316: "decauth", + 317: "zannet", + 318: "pkix-timestamp", + 319: "ptp-event", + 320: "ptp-general", + 321: "pip", + 322: "rtsps", + 323: "rpki-rtr", + 324: "rpki-rtr-tls", + 333: "texar", + 344: "pdap", + 345: "pawserv", + 346: "zserv", + 347: "fatserv", + 348: "csi-sgwp", + 349: "mftp", + 350: "matip-type-a", + 351: "matip-type-b", + 352: "dtag-ste-sb", + 353: "ndsauth", + 354: "bh611", + 355: "datex-asn", + 356: "cloanto-net-1", + 357: "bhevent", + 358: "shrinkwrap", + 359: "nsrmp", + 360: "scoi2odialog", + 361: "semantix", + 362: "srssend", + 363: "rsvp-tunnel", + 364: "aurora-cmgr", + 365: "dtk", + 366: "odmr", + 367: "mortgageware", + 368: "qbikgdp", + 369: "rpc2portmap", + 370: "codaauth2", + 371: "clearcase", + 372: "ulistproc", + 373: "legent-1", + 374: "legent-2", + 375: "hassle", + 376: "nip", + 377: "tnETOS", + 378: "dsETOS", + 379: "is99c", + 380: "is99s", + 381: "hp-collector", + 382: "hp-managed-node", + 383: "hp-alarm-mgr", + 384: "arns", + 385: "ibm-app", + 386: "asa", + 387: "aurp", + 388: "unidata-ldm", + 389: "ldap", + 390: "uis", + 391: "synotics-relay", + 392: "synotics-broker", + 393: "meta5", + 394: "embl-ndt", + 395: "netcp", + 396: "netware-ip", + 397: "mptn", + 398: "kryptolan", + 399: "iso-tsap-c2", + 400: "osb-sd", + 401: "ups", + 402: "genie", + 403: "decap", + 404: "nced", + 405: "ncld", + 406: "imsp", + 407: "timbuktu", + 408: "prm-sm", + 409: "prm-nm", + 410: "decladebug", + 411: "rmt", + 412: "synoptics-trap", + 413: "smsp", + 414: "infoseek", + 415: "bnet", + 416: "silverplatter", + 417: "onmux", + 418: "hyper-g", + 419: "ariel1", + 420: "smpte", + 421: "ariel2", + 422: "ariel3", + 423: "opc-job-start", + 424: "opc-job-track", + 425: "icad-el", + 426: "smartsdp", + 427: "svrloc", + 428: "ocs-cmu", + 429: "ocs-amu", + 430: "utmpsd", + 431: "utmpcd", + 432: "iasd", + 433: "nnsp", + 434: "mobileip-agent", + 435: "mobilip-mn", + 436: "dna-cml", + 437: "comscm", + 438: "dsfgw", + 439: "dasp", + 440: "sgcp", + 441: "decvms-sysmgt", + 442: "cvc-hostd", + 443: "https", + 444: "snpp", + 445: "microsoft-ds", + 446: "ddm-rdb", + 447: "ddm-dfm", + 448: "ddm-ssl", + 449: "as-servermap", + 450: "tserver", + 451: "sfs-smp-net", + 452: "sfs-config", + 453: "creativeserver", + 454: "contentserver", + 455: "creativepartnr", + 456: "macon-tcp", + 457: "scohelp", + 458: "appleqtc", + 459: "ampr-rcmd", + 460: "skronk", + 461: "datasurfsrv", + 462: "datasurfsrvsec", + 463: "alpes", + 464: "kpasswd", + 465: "urd", + 466: "digital-vrc", + 467: "mylex-mapd", + 468: "photuris", + 469: "rcp", + 470: "scx-proxy", + 471: "mondex", + 472: "ljk-login", + 473: "hybrid-pop", + 474: "tn-tl-w1", + 475: "tcpnethaspsrv", + 476: "tn-tl-fd1", + 477: "ss7ns", + 478: "spsc", + 479: "iafserver", + 480: "iafdbase", + 481: "ph", + 482: "bgs-nsi", + 483: "ulpnet", + 484: "integra-sme", + 485: "powerburst", + 486: "avian", + 487: "saft", + 488: "gss-http", + 489: "nest-protocol", + 490: "micom-pfs", + 491: "go-login", + 492: "ticf-1", + 493: "ticf-2", + 494: "pov-ray", + 495: "intecourier", + 496: "pim-rp-disc", + 497: "retrospect", + 498: "siam", + 499: "iso-ill", + 500: "isakmp", + 501: "stmf", + 502: "mbap", + 503: "intrinsa", + 504: "citadel", + 505: "mailbox-lm", + 506: "ohimsrv", + 507: "crs", + 508: "xvttp", + 509: "snare", + 510: "fcp", + 511: "passgo", + 512: "exec", + 513: "login", + 514: "shell", + 515: "printer", + 516: "videotex", + 517: "talk", + 518: "ntalk", + 519: "utime", + 520: "efs", + 521: "ripng", + 522: "ulp", + 523: "ibm-db2", + 524: "ncp", + 525: "timed", + 526: "tempo", + 527: "stx", + 528: "custix", + 529: "irc-serv", + 530: "courier", + 531: "conference", + 532: "netnews", + 533: "netwall", + 534: "windream", + 535: "iiop", + 536: "opalis-rdv", + 537: "nmsp", + 538: "gdomap", + 539: "apertus-ldp", + 540: "uucp", + 541: "uucp-rlogin", + 542: "commerce", + 543: "klogin", + 544: "kshell", + 545: "appleqtcsrvr", + 546: "dhcpv6-client", + 547: "dhcpv6-server", + 548: "afpovertcp", + 549: "idfp", + 550: "new-rwho", + 551: "cybercash", + 552: "devshr-nts", + 553: "pirp", + 554: "rtsp", + 555: "dsf", + 556: "remotefs", + 557: "openvms-sysipc", + 558: "sdnskmp", + 559: "teedtap", + 560: "rmonitor", + 561: "monitor", + 562: "chshell", + 563: "nntps", + 564: "9pfs", + 565: "whoami", + 566: "streettalk", + 567: "banyan-rpc", + 568: "ms-shuttle", + 569: "ms-rome", + 570: "meter", + 571: "meter", + 572: "sonar", + 573: "banyan-vip", + 574: "ftp-agent", + 575: "vemmi", + 576: "ipcd", + 577: "vnas", + 578: "ipdd", + 579: "decbsrv", + 580: "sntp-heartbeat", + 581: "bdp", + 582: "scc-security", + 583: "philips-vc", + 584: "keyserver", + 586: "password-chg", + 587: "submission", + 588: "cal", + 589: "eyelink", + 590: "tns-cml", + 591: "http-alt", + 592: "eudora-set", + 593: "http-rpc-epmap", + 594: "tpip", + 595: "cab-protocol", + 596: "smsd", + 597: "ptcnameservice", + 598: "sco-websrvrmg3", + 599: "acp", + 600: "ipcserver", + 601: "syslog-conn", + 602: "xmlrpc-beep", + 603: "idxp", + 604: "tunnel", + 605: "soap-beep", + 606: "urm", + 607: "nqs", + 608: "sift-uft", + 609: "npmp-trap", + 610: "npmp-local", + 611: "npmp-gui", + 612: "hmmp-ind", + 613: "hmmp-op", + 614: "sshell", + 615: "sco-inetmgr", + 616: "sco-sysmgr", + 617: "sco-dtmgr", + 618: "dei-icda", + 619: "compaq-evm", + 620: "sco-websrvrmgr", + 621: "escp-ip", + 622: "collaborator", + 623: "oob-ws-http", + 624: "cryptoadmin", + 625: "dec-dlm", + 626: "asia", + 627: "passgo-tivoli", + 628: "qmqp", + 629: "3com-amp3", + 630: "rda", + 631: "ipp", + 632: "bmpp", + 633: "servstat", + 634: "ginad", + 635: "rlzdbase", + 636: "ldaps", + 637: "lanserver", + 638: "mcns-sec", + 639: "msdp", + 640: "entrust-sps", + 641: "repcmd", + 642: "esro-emsdp", + 643: "sanity", + 644: "dwr", + 645: "pssc", + 646: "ldp", + 647: "dhcp-failover", + 648: "rrp", + 649: "cadview-3d", + 650: "obex", + 651: "ieee-mms", + 652: "hello-port", + 653: "repscmd", + 654: "aodv", + 655: "tinc", + 656: "spmp", + 657: "rmc", + 658: "tenfold", + 660: "mac-srvr-admin", + 661: "hap", + 662: "pftp", + 663: "purenoise", + 664: "oob-ws-https", + 665: "sun-dr", + 666: "mdqs", + 667: "disclose", + 668: "mecomm", + 669: "meregister", + 670: "vacdsm-sws", + 671: "vacdsm-app", + 672: "vpps-qua", + 673: "cimplex", + 674: "acap", + 675: "dctp", + 676: "vpps-via", + 677: "vpp", + 678: "ggf-ncp", + 679: "mrm", + 680: "entrust-aaas", + 681: "entrust-aams", + 682: "xfr", + 683: "corba-iiop", + 684: "corba-iiop-ssl", + 685: "mdc-portmapper", + 686: "hcp-wismar", + 687: "asipregistry", + 688: "realm-rusd", + 689: "nmap", + 690: "vatp", + 691: "msexch-routing", + 692: "hyperwave-isp", + 693: "connendp", + 694: "ha-cluster", + 695: "ieee-mms-ssl", + 696: "rushd", + 697: "uuidgen", + 698: "olsr", + 699: "accessnetwork", + 700: "epp", + 701: "lmp", + 702: "iris-beep", + 704: "elcsd", + 705: "agentx", + 706: "silc", + 707: "borland-dsj", + 709: "entrust-kmsh", + 710: "entrust-ash", + 711: "cisco-tdp", + 712: "tbrpf", + 713: "iris-xpc", + 714: "iris-xpcs", + 715: "iris-lwz", + 729: "netviewdm1", + 730: "netviewdm2", + 731: "netviewdm3", + 741: "netgw", + 742: "netrcs", + 744: "flexlm", + 747: "fujitsu-dev", + 748: "ris-cm", + 749: "kerberos-adm", + 750: "rfile", + 751: "pump", + 752: "qrh", + 753: "rrh", + 754: "tell", + 758: "nlogin", + 759: "con", + 760: "ns", + 761: "rxe", + 762: "quotad", + 763: "cycleserv", + 764: "omserv", + 765: "webster", + 767: "phonebook", + 769: "vid", + 770: "cadlock", + 771: "rtip", + 772: "cycleserv2", + 773: "submit", + 774: "rpasswd", + 775: "entomb", + 776: "wpages", + 777: "multiling-http", + 780: "wpgs", + 800: "mdbs-daemon", + 801: "device", + 802: "mbap-s", + 810: "fcp-udp", + 828: "itm-mcell-s", + 829: "pkix-3-ca-ra", + 830: "netconf-ssh", + 831: "netconf-beep", + 832: "netconfsoaphttp", + 833: "netconfsoapbeep", + 847: "dhcp-failover2", + 848: "gdoi", + 853: "domain-s", + 854: "dlep", + 860: "iscsi", + 861: "owamp-control", + 862: "twamp-control", + 873: "rsync", + 886: "iclcnet-locate", + 887: "iclcnet-svinfo", + 888: "accessbuilder", + 900: "omginitialrefs", + 901: "smpnameres", + 902: "ideafarm-door", + 903: "ideafarm-panic", + 910: "kink", + 911: "xact-backup", + 912: "apex-mesh", + 913: "apex-edge", + 953: "rndc", + 989: "ftps-data", + 990: "ftps", + 991: "nas", + 992: "telnets", + 993: "imaps", + 995: "pop3s", + 996: "vsinet", + 997: "maitrd", + 998: "busboy", + 999: "garcon", + 1000: "cadlock2", + 1001: "webpush", + 1010: "surf", + 1021: "exp1", + 1022: "exp2", + 1025: "blackjack", + 1026: "cap", + 1029: "solid-mux", + 1033: "netinfo-local", + 1034: "activesync", + 1035: "mxxrlogin", + 1036: "nsstp", + 1037: "ams", + 1038: "mtqp", + 1039: "sbl", + 1040: "netarx", + 1041: "danf-ak2", + 1042: "afrog", + 1043: "boinc-client", + 1044: "dcutility", + 1045: "fpitp", + 1046: "wfremotertm", + 1047: "neod1", + 1048: "neod2", + 1049: "td-postman", + 1050: "cma", + 1051: "optima-vnet", + 1052: "ddt", + 1053: "remote-as", + 1054: "brvread", + 1055: "ansyslmd", + 1056: "vfo", + 1057: "startron", + 1058: "nim", + 1059: "nimreg", + 1060: "polestar", + 1061: "kiosk", + 1062: "veracity", + 1063: "kyoceranetdev", + 1064: "jstel", + 1065: "syscomlan", + 1066: "fpo-fns", + 1067: "instl-boots", + 1068: "instl-bootc", + 1069: "cognex-insight", + 1070: "gmrupdateserv", + 1071: "bsquare-voip", + 1072: "cardax", + 1073: "bridgecontrol", + 1074: "warmspotMgmt", + 1075: "rdrmshc", + 1076: "dab-sti-c", + 1077: "imgames", + 1078: "avocent-proxy", + 1079: "asprovatalk", + 1080: "socks", + 1081: "pvuniwien", + 1082: "amt-esd-prot", + 1083: "ansoft-lm-1", + 1084: "ansoft-lm-2", + 1085: "webobjects", + 1086: "cplscrambler-lg", + 1087: "cplscrambler-in", + 1088: "cplscrambler-al", + 1089: "ff-annunc", + 1090: "ff-fms", + 1091: "ff-sm", + 1092: "obrpd", + 1093: "proofd", + 1094: "rootd", + 1095: "nicelink", + 1096: "cnrprotocol", + 1097: "sunclustermgr", + 1098: "rmiactivation", + 1099: "rmiregistry", + 1100: "mctp", + 1101: "pt2-discover", + 1102: "adobeserver-1", + 1103: "adobeserver-2", + 1104: "xrl", + 1105: "ftranhc", + 1106: "isoipsigport-1", + 1107: "isoipsigport-2", + 1108: "ratio-adp", + 1110: "webadmstart", + 1111: "lmsocialserver", + 1112: "icp", + 1113: "ltp-deepspace", + 1114: "mini-sql", + 1115: "ardus-trns", + 1116: "ardus-cntl", + 1117: "ardus-mtrns", + 1118: "sacred", + 1119: "bnetgame", + 1120: "bnetfile", + 1121: "rmpp", + 1122: "availant-mgr", + 1123: "murray", + 1124: "hpvmmcontrol", + 1125: "hpvmmagent", + 1126: "hpvmmdata", + 1127: "kwdb-commn", + 1128: "saphostctrl", + 1129: "saphostctrls", + 1130: "casp", + 1131: "caspssl", + 1132: "kvm-via-ip", + 1133: "dfn", + 1134: "aplx", + 1135: "omnivision", + 1136: "hhb-gateway", + 1137: "trim", + 1138: "encrypted-admin", + 1139: "evm", + 1140: "autonoc", + 1141: "mxomss", + 1142: "edtools", + 1143: "imyx", + 1144: "fuscript", + 1145: "x9-icue", + 1146: "audit-transfer", + 1147: "capioverlan", + 1148: "elfiq-repl", + 1149: "bvtsonar", + 1150: "blaze", + 1151: "unizensus", + 1152: "winpoplanmess", + 1153: "c1222-acse", + 1154: "resacommunity", + 1155: "nfa", + 1156: "iascontrol-oms", + 1157: "iascontrol", + 1158: "dbcontrol-oms", + 1159: "oracle-oms", + 1160: "olsv", + 1161: "health-polling", + 1162: "health-trap", + 1163: "sddp", + 1164: "qsm-proxy", + 1165: "qsm-gui", + 1166: "qsm-remote", + 1167: "cisco-ipsla", + 1168: "vchat", + 1169: "tripwire", + 1170: "atc-lm", + 1171: "atc-appserver", + 1172: "dnap", + 1173: "d-cinema-rrp", + 1174: "fnet-remote-ui", + 1175: "dossier", + 1176: "indigo-server", + 1177: "dkmessenger", + 1178: "sgi-storman", + 1179: "b2n", + 1180: "mc-client", + 1181: "3comnetman", + 1182: "accelenet", + 1183: "llsurfup-http", + 1184: "llsurfup-https", + 1185: "catchpole", + 1186: "mysql-cluster", + 1187: "alias", + 1188: "hp-webadmin", + 1189: "unet", + 1190: "commlinx-avl", + 1191: "gpfs", + 1192: "caids-sensor", + 1193: "fiveacross", + 1194: "openvpn", + 1195: "rsf-1", + 1196: "netmagic", + 1197: "carrius-rshell", + 1198: "cajo-discovery", + 1199: "dmidi", + 1200: "scol", + 1201: "nucleus-sand", + 1202: "caiccipc", + 1203: "ssslic-mgr", + 1204: "ssslog-mgr", + 1205: "accord-mgc", + 1206: "anthony-data", + 1207: "metasage", + 1208: "seagull-ais", + 1209: "ipcd3", + 1210: "eoss", + 1211: "groove-dpp", + 1212: "lupa", + 1213: "mpc-lifenet", + 1214: "kazaa", + 1215: "scanstat-1", + 1216: "etebac5", + 1217: "hpss-ndapi", + 1218: "aeroflight-ads", + 1219: "aeroflight-ret", + 1220: "qt-serveradmin", + 1221: "sweetware-apps", + 1222: "nerv", + 1223: "tgp", + 1224: "vpnz", + 1225: "slinkysearch", + 1226: "stgxfws", + 1227: "dns2go", + 1228: "florence", + 1229: "zented", + 1230: "periscope", + 1231: "menandmice-lpm", + 1232: "first-defense", + 1233: "univ-appserver", + 1234: "search-agent", + 1235: "mosaicsyssvc1", + 1236: "bvcontrol", + 1237: "tsdos390", + 1238: "hacl-qs", + 1239: "nmsd", + 1240: "instantia", + 1241: "nessus", + 1242: "nmasoverip", + 1243: "serialgateway", + 1244: "isbconference1", + 1245: "isbconference2", + 1246: "payrouter", + 1247: "visionpyramid", + 1248: "hermes", + 1249: "mesavistaco", + 1250: "swldy-sias", + 1251: "servergraph", + 1252: "bspne-pcc", + 1253: "q55-pcc", + 1254: "de-noc", + 1255: "de-cache-query", + 1256: "de-server", + 1257: "shockwave2", + 1258: "opennl", + 1259: "opennl-voice", + 1260: "ibm-ssd", + 1261: "mpshrsv", + 1262: "qnts-orb", + 1263: "dka", + 1264: "prat", + 1265: "dssiapi", + 1266: "dellpwrappks", + 1267: "epc", + 1268: "propel-msgsys", + 1269: "watilapp", + 1270: "opsmgr", + 1271: "excw", + 1272: "cspmlockmgr", + 1273: "emc-gateway", + 1274: "t1distproc", + 1275: "ivcollector", + 1277: "miva-mqs", + 1278: "dellwebadmin-1", + 1279: "dellwebadmin-2", + 1280: "pictrography", + 1281: "healthd", + 1282: "emperion", + 1283: "productinfo", + 1284: "iee-qfx", + 1285: "neoiface", + 1286: "netuitive", + 1287: "routematch", + 1288: "navbuddy", + 1289: "jwalkserver", + 1290: "winjaserver", + 1291: "seagulllms", + 1292: "dsdn", + 1293: "pkt-krb-ipsec", + 1294: "cmmdriver", + 1295: "ehtp", + 1296: "dproxy", + 1297: "sdproxy", + 1298: "lpcp", + 1299: "hp-sci", + 1300: "h323hostcallsc", + 1301: "ci3-software-1", + 1302: "ci3-software-2", + 1303: "sftsrv", + 1304: "boomerang", + 1305: "pe-mike", + 1306: "re-conn-proto", + 1307: "pacmand", + 1308: "odsi", + 1309: "jtag-server", + 1310: "husky", + 1311: "rxmon", + 1312: "sti-envision", + 1313: "bmc-patroldb", + 1314: "pdps", + 1315: "els", + 1316: "exbit-escp", + 1317: "vrts-ipcserver", + 1318: "krb5gatekeeper", + 1319: "amx-icsp", + 1320: "amx-axbnet", + 1321: "pip", + 1322: "novation", + 1323: "brcd", + 1324: "delta-mcp", + 1325: "dx-instrument", + 1326: "wimsic", + 1327: "ultrex", + 1328: "ewall", + 1329: "netdb-export", + 1330: "streetperfect", + 1331: "intersan", + 1332: "pcia-rxp-b", + 1333: "passwrd-policy", + 1334: "writesrv", + 1335: "digital-notary", + 1336: "ischat", + 1337: "menandmice-dns", + 1338: "wmc-log-svc", + 1339: "kjtsiteserver", + 1340: "naap", + 1341: "qubes", + 1342: "esbroker", + 1343: "re101", + 1344: "icap", + 1345: "vpjp", + 1346: "alta-ana-lm", + 1347: "bbn-mmc", + 1348: "bbn-mmx", + 1349: "sbook", + 1350: "editbench", + 1351: "equationbuilder", + 1352: "lotusnote", + 1353: "relief", + 1354: "XSIP-network", + 1355: "intuitive-edge", + 1356: "cuillamartin", + 1357: "pegboard", + 1358: "connlcli", + 1359: "ftsrv", + 1360: "mimer", + 1361: "linx", + 1362: "timeflies", + 1363: "ndm-requester", + 1364: "ndm-server", + 1365: "adapt-sna", + 1366: "netware-csp", + 1367: "dcs", + 1368: "screencast", + 1369: "gv-us", + 1370: "us-gv", + 1371: "fc-cli", + 1372: "fc-ser", + 1373: "chromagrafx", + 1374: "molly", + 1375: "bytex", + 1376: "ibm-pps", + 1377: "cichlid", + 1378: "elan", + 1379: "dbreporter", + 1380: "telesis-licman", + 1381: "apple-licman", + 1382: "udt-os", + 1383: "gwha", + 1384: "os-licman", + 1385: "atex-elmd", + 1386: "checksum", + 1387: "cadsi-lm", + 1388: "objective-dbc", + 1389: "iclpv-dm", + 1390: "iclpv-sc", + 1391: "iclpv-sas", + 1392: "iclpv-pm", + 1393: "iclpv-nls", + 1394: "iclpv-nlc", + 1395: "iclpv-wsm", + 1396: "dvl-activemail", + 1397: "audio-activmail", + 1398: "video-activmail", + 1399: "cadkey-licman", + 1400: "cadkey-tablet", + 1401: "goldleaf-licman", + 1402: "prm-sm-np", + 1403: "prm-nm-np", + 1404: "igi-lm", + 1405: "ibm-res", + 1406: "netlabs-lm", + 1407: "tibet-server", + 1408: "sophia-lm", + 1409: "here-lm", + 1410: "hiq", + 1411: "af", + 1412: "innosys", + 1413: "innosys-acl", + 1414: "ibm-mqseries", + 1415: "dbstar", + 1416: "novell-lu6-2", + 1417: "timbuktu-srv1", + 1418: "timbuktu-srv2", + 1419: "timbuktu-srv3", + 1420: "timbuktu-srv4", + 1421: "gandalf-lm", + 1422: "autodesk-lm", + 1423: "essbase", + 1424: "hybrid", + 1425: "zion-lm", + 1426: "sais", + 1427: "mloadd", + 1428: "informatik-lm", + 1429: "nms", + 1430: "tpdu", + 1431: "rgtp", + 1432: "blueberry-lm", + 1433: "ms-sql-s", + 1434: "ms-sql-m", + 1435: "ibm-cics", + 1436: "saism", + 1437: "tabula", + 1438: "eicon-server", + 1439: "eicon-x25", + 1440: "eicon-slp", + 1441: "cadis-1", + 1442: "cadis-2", + 1443: "ies-lm", + 1444: "marcam-lm", + 1445: "proxima-lm", + 1446: "ora-lm", + 1447: "apri-lm", + 1448: "oc-lm", + 1449: "peport", + 1450: "dwf", + 1451: "infoman", + 1452: "gtegsc-lm", + 1453: "genie-lm", + 1454: "interhdl-elmd", + 1455: "esl-lm", + 1456: "dca", + 1457: "valisys-lm", + 1458: "nrcabq-lm", + 1459: "proshare1", + 1460: "proshare2", + 1461: "ibm-wrless-lan", + 1462: "world-lm", + 1463: "nucleus", + 1464: "msl-lmd", + 1465: "pipes", + 1466: "oceansoft-lm", + 1467: "csdmbase", + 1468: "csdm", + 1469: "aal-lm", + 1470: "uaiact", + 1471: "csdmbase", + 1472: "csdm", + 1473: "openmath", + 1474: "telefinder", + 1475: "taligent-lm", + 1476: "clvm-cfg", + 1477: "ms-sna-server", + 1478: "ms-sna-base", + 1479: "dberegister", + 1480: "pacerforum", + 1481: "airs", + 1482: "miteksys-lm", + 1483: "afs", + 1484: "confluent", + 1485: "lansource", + 1486: "nms-topo-serv", + 1487: "localinfosrvr", + 1488: "docstor", + 1489: "dmdocbroker", + 1490: "insitu-conf", + 1492: "stone-design-1", + 1493: "netmap-lm", + 1494: "ica", + 1495: "cvc", + 1496: "liberty-lm", + 1497: "rfx-lm", + 1498: "sybase-sqlany", + 1499: "fhc", + 1500: "vlsi-lm", + 1501: "saiscm", + 1502: "shivadiscovery", + 1503: "imtc-mcs", + 1504: "evb-elm", + 1505: "funkproxy", + 1506: "utcd", + 1507: "symplex", + 1508: "diagmond", + 1509: "robcad-lm", + 1510: "mvx-lm", + 1511: "3l-l1", + 1512: "wins", + 1513: "fujitsu-dtc", + 1514: "fujitsu-dtcns", + 1515: "ifor-protocol", + 1516: "vpad", + 1517: "vpac", + 1518: "vpvd", + 1519: "vpvc", + 1520: "atm-zip-office", + 1521: "ncube-lm", + 1522: "ricardo-lm", + 1523: "cichild-lm", + 1524: "ingreslock", + 1525: "orasrv", + 1526: "pdap-np", + 1527: "tlisrv", + 1529: "coauthor", + 1530: "rap-service", + 1531: "rap-listen", + 1532: "miroconnect", + 1533: "virtual-places", + 1534: "micromuse-lm", + 1535: "ampr-info", + 1536: "ampr-inter", + 1537: "sdsc-lm", + 1538: "3ds-lm", + 1539: "intellistor-lm", + 1540: "rds", + 1541: "rds2", + 1542: "gridgen-elmd", + 1543: "simba-cs", + 1544: "aspeclmd", + 1545: "vistium-share", + 1546: "abbaccuray", + 1547: "laplink", + 1548: "axon-lm", + 1549: "shivahose", + 1550: "3m-image-lm", + 1551: "hecmtl-db", + 1552: "pciarray", + 1553: "sna-cs", + 1554: "caci-lm", + 1555: "livelan", + 1556: "veritas-pbx", + 1557: "arbortext-lm", + 1558: "xingmpeg", + 1559: "web2host", + 1560: "asci-val", + 1561: "facilityview", + 1562: "pconnectmgr", + 1563: "cadabra-lm", + 1564: "pay-per-view", + 1565: "winddlb", + 1566: "corelvideo", + 1567: "jlicelmd", + 1568: "tsspmap", + 1569: "ets", + 1570: "orbixd", + 1571: "rdb-dbs-disp", + 1572: "chip-lm", + 1573: "itscomm-ns", + 1574: "mvel-lm", + 1575: "oraclenames", + 1576: "moldflow-lm", + 1577: "hypercube-lm", + 1578: "jacobus-lm", + 1579: "ioc-sea-lm", + 1580: "tn-tl-r1", + 1581: "mil-2045-47001", + 1582: "msims", + 1583: "simbaexpress", + 1584: "tn-tl-fd2", + 1585: "intv", + 1586: "ibm-abtact", + 1587: "pra-elmd", + 1588: "triquest-lm", + 1589: "vqp", + 1590: "gemini-lm", + 1591: "ncpm-pm", + 1592: "commonspace", + 1593: "mainsoft-lm", + 1594: "sixtrak", + 1595: "radio", + 1596: "radio-sm", + 1597: "orbplus-iiop", + 1598: "picknfs", + 1599: "simbaservices", + 1600: "issd", + 1601: "aas", + 1602: "inspect", + 1603: "picodbc", + 1604: "icabrowser", + 1605: "slp", + 1606: "slm-api", + 1607: "stt", + 1608: "smart-lm", + 1609: "isysg-lm", + 1610: "taurus-wh", + 1611: "ill", + 1612: "netbill-trans", + 1613: "netbill-keyrep", + 1614: "netbill-cred", + 1615: "netbill-auth", + 1616: "netbill-prod", + 1617: "nimrod-agent", + 1618: "skytelnet", + 1619: "xs-openstorage", + 1620: "faxportwinport", + 1621: "softdataphone", + 1622: "ontime", + 1623: "jaleosnd", + 1624: "udp-sr-port", + 1625: "svs-omagent", + 1626: "shockwave", + 1627: "t128-gateway", + 1628: "lontalk-norm", + 1629: "lontalk-urgnt", + 1630: "oraclenet8cman", + 1631: "visitview", + 1632: "pammratc", + 1633: "pammrpc", + 1634: "loaprobe", + 1635: "edb-server1", + 1636: "isdc", + 1637: "islc", + 1638: "ismc", + 1639: "cert-initiator", + 1640: "cert-responder", + 1641: "invision", + 1642: "isis-am", + 1643: "isis-ambc", + 1644: "saiseh", + 1645: "sightline", + 1646: "sa-msg-port", + 1647: "rsap", + 1648: "concurrent-lm", + 1649: "kermit", + 1650: "nkd", + 1651: "shiva-confsrvr", + 1652: "xnmp", + 1653: "alphatech-lm", + 1654: "stargatealerts", + 1655: "dec-mbadmin", + 1656: "dec-mbadmin-h", + 1657: "fujitsu-mmpdc", + 1658: "sixnetudr", + 1659: "sg-lm", + 1660: "skip-mc-gikreq", + 1661: "netview-aix-1", + 1662: "netview-aix-2", + 1663: "netview-aix-3", + 1664: "netview-aix-4", + 1665: "netview-aix-5", + 1666: "netview-aix-6", + 1667: "netview-aix-7", + 1668: "netview-aix-8", + 1669: "netview-aix-9", + 1670: "netview-aix-10", + 1671: "netview-aix-11", + 1672: "netview-aix-12", + 1673: "proshare-mc-1", + 1674: "proshare-mc-2", + 1675: "pdp", + 1676: "netcomm1", + 1677: "groupwise", + 1678: "prolink", + 1679: "darcorp-lm", + 1680: "microcom-sbp", + 1681: "sd-elmd", + 1682: "lanyon-lantern", + 1683: "ncpm-hip", + 1684: "snaresecure", + 1685: "n2nremote", + 1686: "cvmon", + 1687: "nsjtp-ctrl", + 1688: "nsjtp-data", + 1689: "firefox", + 1690: "ng-umds", + 1691: "empire-empuma", + 1692: "sstsys-lm", + 1693: "rrirtr", + 1694: "rrimwm", + 1695: "rrilwm", + 1696: "rrifmm", + 1697: "rrisat", + 1698: "rsvp-encap-1", + 1699: "rsvp-encap-2", + 1700: "mps-raft", + 1701: "l2f", + 1702: "deskshare", + 1703: "hb-engine", + 1704: "bcs-broker", + 1705: "slingshot", + 1706: "jetform", + 1707: "vdmplay", + 1708: "gat-lmd", + 1709: "centra", + 1710: "impera", + 1711: "pptconference", + 1712: "registrar", + 1713: "conferencetalk", + 1714: "sesi-lm", + 1715: "houdini-lm", + 1716: "xmsg", + 1717: "fj-hdnet", + 1718: "h323gatedisc", + 1719: "h323gatestat", + 1720: "h323hostcall", + 1721: "caicci", + 1722: "hks-lm", + 1723: "pptp", + 1724: "csbphonemaster", + 1725: "iden-ralp", + 1726: "iberiagames", + 1727: "winddx", + 1728: "telindus", + 1729: "citynl", + 1730: "roketz", + 1731: "msiccp", + 1732: "proxim", + 1733: "siipat", + 1734: "cambertx-lm", + 1735: "privatechat", + 1736: "street-stream", + 1737: "ultimad", + 1738: "gamegen1", + 1739: "webaccess", + 1740: "encore", + 1741: "cisco-net-mgmt", + 1742: "3Com-nsd", + 1743: "cinegrfx-lm", + 1744: "ncpm-ft", + 1745: "remote-winsock", + 1746: "ftrapid-1", + 1747: "ftrapid-2", + 1748: "oracle-em1", + 1749: "aspen-services", + 1750: "sslp", + 1751: "swiftnet", + 1752: "lofr-lm", + 1753: "predatar-comms", + 1754: "oracle-em2", + 1755: "ms-streaming", + 1756: "capfast-lmd", + 1757: "cnhrp", + 1758: "tftp-mcast", + 1759: "spss-lm", + 1760: "www-ldap-gw", + 1761: "cft-0", + 1762: "cft-1", + 1763: "cft-2", + 1764: "cft-3", + 1765: "cft-4", + 1766: "cft-5", + 1767: "cft-6", + 1768: "cft-7", + 1769: "bmc-net-adm", + 1770: "bmc-net-svc", + 1771: "vaultbase", + 1772: "essweb-gw", + 1773: "kmscontrol", + 1774: "global-dtserv", + 1775: "vdab", + 1776: "femis", + 1777: "powerguardian", + 1778: "prodigy-intrnet", + 1779: "pharmasoft", + 1780: "dpkeyserv", + 1781: "answersoft-lm", + 1782: "hp-hcip", + 1784: "finle-lm", + 1785: "windlm", + 1786: "funk-logger", + 1787: "funk-license", + 1788: "psmond", + 1789: "hello", + 1790: "nmsp", + 1791: "ea1", + 1792: "ibm-dt-2", + 1793: "rsc-robot", + 1794: "cera-bcm", + 1795: "dpi-proxy", + 1796: "vocaltec-admin", + 1797: "uma", + 1798: "etp", + 1799: "netrisk", + 1800: "ansys-lm", + 1801: "msmq", + 1802: "concomp1", + 1803: "hp-hcip-gwy", + 1804: "enl", + 1805: "enl-name", + 1806: "musiconline", + 1807: "fhsp", + 1808: "oracle-vp2", + 1809: "oracle-vp1", + 1810: "jerand-lm", + 1811: "scientia-sdb", + 1812: "radius", + 1813: "radius-acct", + 1814: "tdp-suite", + 1815: "mmpft", + 1816: "harp", + 1817: "rkb-oscs", + 1818: "etftp", + 1819: "plato-lm", + 1820: "mcagent", + 1821: "donnyworld", + 1822: "es-elmd", + 1823: "unisys-lm", + 1824: "metrics-pas", + 1825: "direcpc-video", + 1826: "ardt", + 1827: "asi", + 1828: "itm-mcell-u", + 1829: "optika-emedia", + 1830: "net8-cman", + 1831: "myrtle", + 1832: "tht-treasure", + 1833: "udpradio", + 1834: "ardusuni", + 1835: "ardusmul", + 1836: "ste-smsc", + 1837: "csoft1", + 1838: "talnet", + 1839: "netopia-vo1", + 1840: "netopia-vo2", + 1841: "netopia-vo3", + 1842: "netopia-vo4", + 1843: "netopia-vo5", + 1844: "direcpc-dll", + 1845: "altalink", + 1846: "tunstall-pnc", + 1847: "slp-notify", + 1848: "fjdocdist", + 1849: "alpha-sms", + 1850: "gsi", + 1851: "ctcd", + 1852: "virtual-time", + 1853: "vids-avtp", + 1854: "buddy-draw", + 1855: "fiorano-rtrsvc", + 1856: "fiorano-msgsvc", + 1857: "datacaptor", + 1858: "privateark", + 1859: "gammafetchsvr", + 1860: "sunscalar-svc", + 1861: "lecroy-vicp", + 1862: "mysql-cm-agent", + 1863: "msnp", + 1864: "paradym-31port", + 1865: "entp", + 1866: "swrmi", + 1867: "udrive", + 1868: "viziblebrowser", + 1869: "transact", + 1870: "sunscalar-dns", + 1871: "canocentral0", + 1872: "canocentral1", + 1873: "fjmpjps", + 1874: "fjswapsnp", + 1875: "westell-stats", + 1876: "ewcappsrv", + 1877: "hp-webqosdb", + 1878: "drmsmc", + 1879: "nettgain-nms", + 1880: "vsat-control", + 1881: "ibm-mqseries2", + 1882: "ecsqdmn", + 1883: "mqtt", + 1884: "idmaps", + 1885: "vrtstrapserver", + 1886: "leoip", + 1887: "filex-lport", + 1888: "ncconfig", + 1889: "unify-adapter", + 1890: "wilkenlistener", + 1891: "childkey-notif", + 1892: "childkey-ctrl", + 1893: "elad", + 1894: "o2server-port", + 1896: "b-novative-ls", + 1897: "metaagent", + 1898: "cymtec-port", + 1899: "mc2studios", + 1900: "ssdp", + 1901: "fjicl-tep-a", + 1902: "fjicl-tep-b", + 1903: "linkname", + 1904: "fjicl-tep-c", + 1905: "sugp", + 1906: "tpmd", + 1907: "intrastar", + 1908: "dawn", + 1909: "global-wlink", + 1910: "ultrabac", + 1911: "mtp", + 1912: "rhp-iibp", + 1913: "armadp", + 1914: "elm-momentum", + 1915: "facelink", + 1916: "persona", + 1917: "noagent", + 1918: "can-nds", + 1919: "can-dch", + 1920: "can-ferret", + 1921: "noadmin", + 1922: "tapestry", + 1923: "spice", + 1924: "xiip", + 1925: "discovery-port", + 1926: "egs", + 1927: "videte-cipc", + 1928: "emsd-port", + 1929: "bandwiz-system", + 1930: "driveappserver", + 1931: "amdsched", + 1932: "ctt-broker", + 1933: "xmapi", + 1934: "xaapi", + 1935: "macromedia-fcs", + 1936: "jetcmeserver", + 1937: "jwserver", + 1938: "jwclient", + 1939: "jvserver", + 1940: "jvclient", + 1941: "dic-aida", + 1942: "res", + 1943: "beeyond-media", + 1944: "close-combat", + 1945: "dialogic-elmd", + 1946: "tekpls", + 1947: "sentinelsrm", + 1948: "eye2eye", + 1949: "ismaeasdaqlive", + 1950: "ismaeasdaqtest", + 1951: "bcs-lmserver", + 1952: "mpnjsc", + 1953: "rapidbase", + 1954: "abr-api", + 1955: "abr-secure", + 1956: "vrtl-vmf-ds", + 1957: "unix-status", + 1958: "dxadmind", + 1959: "simp-all", + 1960: "nasmanager", + 1961: "bts-appserver", + 1962: "biap-mp", + 1963: "webmachine", + 1964: "solid-e-engine", + 1965: "tivoli-npm", + 1966: "slush", + 1967: "sns-quote", + 1968: "lipsinc", + 1969: "lipsinc1", + 1970: "netop-rc", + 1971: "netop-school", + 1972: "intersys-cache", + 1973: "dlsrap", + 1974: "drp", + 1975: "tcoflashagent", + 1976: "tcoregagent", + 1977: "tcoaddressbook", + 1978: "unisql", + 1979: "unisql-java", + 1980: "pearldoc-xact", + 1981: "p2pq", + 1982: "estamp", + 1983: "lhtp", + 1984: "bb", + 1985: "hsrp", + 1986: "licensedaemon", + 1987: "tr-rsrb-p1", + 1988: "tr-rsrb-p2", + 1989: "tr-rsrb-p3", + 1990: "stun-p1", + 1991: "stun-p2", + 1992: "stun-p3", + 1993: "snmp-tcp-port", + 1994: "stun-port", + 1995: "perf-port", + 1996: "tr-rsrb-port", + 1997: "gdp-port", + 1998: "x25-svc-port", + 1999: "tcp-id-port", + 2000: "cisco-sccp", + 2001: "dc", + 2002: "globe", + 2003: "brutus", + 2004: "mailbox", + 2005: "berknet", + 2006: "invokator", + 2007: "dectalk", + 2008: "conf", + 2009: "news", + 2010: "search", + 2011: "raid-cc", + 2012: "ttyinfo", + 2013: "raid-am", + 2014: "troff", + 2015: "cypress", + 2016: "bootserver", + 2017: "cypress-stat", + 2018: "terminaldb", + 2019: "whosockami", + 2020: "xinupageserver", + 2021: "servexec", + 2022: "down", + 2023: "xinuexpansion3", + 2024: "xinuexpansion4", + 2025: "ellpack", + 2026: "scrabble", + 2027: "shadowserver", + 2028: "submitserver", + 2029: "hsrpv6", + 2030: "device2", + 2031: "mobrien-chat", + 2032: "blackboard", + 2033: "glogger", + 2034: "scoremgr", + 2035: "imsldoc", + 2036: "e-dpnet", + 2037: "applus", + 2038: "objectmanager", + 2039: "prizma", + 2040: "lam", + 2041: "interbase", + 2042: "isis", + 2043: "isis-bcast", + 2044: "rimsl", + 2045: "cdfunc", + 2046: "sdfunc", + 2047: "dls", + 2048: "dls-monitor", + 2049: "shilp", + 2050: "av-emb-config", + 2051: "epnsdp", + 2052: "clearvisn", + 2053: "lot105-ds-upd", + 2054: "weblogin", + 2055: "iop", + 2056: "omnisky", + 2057: "rich-cp", + 2058: "newwavesearch", + 2059: "bmc-messaging", + 2060: "teleniumdaemon", + 2061: "netmount", + 2062: "icg-swp", + 2063: "icg-bridge", + 2064: "icg-iprelay", + 2065: "dlsrpn", + 2066: "aura", + 2067: "dlswpn", + 2068: "avauthsrvprtcl", + 2069: "event-port", + 2070: "ah-esp-encap", + 2071: "acp-port", + 2072: "msync", + 2073: "gxs-data-port", + 2074: "vrtl-vmf-sa", + 2075: "newlixengine", + 2076: "newlixconfig", + 2077: "tsrmagt", + 2078: "tpcsrvr", + 2079: "idware-router", + 2080: "autodesk-nlm", + 2081: "kme-trap-port", + 2082: "infowave", + 2083: "radsec", + 2084: "sunclustergeo", + 2085: "ada-cip", + 2086: "gnunet", + 2087: "eli", + 2088: "ip-blf", + 2089: "sep", + 2090: "lrp", + 2091: "prp", + 2092: "descent3", + 2093: "nbx-cc", + 2094: "nbx-au", + 2095: "nbx-ser", + 2096: "nbx-dir", + 2097: "jetformpreview", + 2098: "dialog-port", + 2099: "h2250-annex-g", + 2100: "amiganetfs", + 2101: "rtcm-sc104", + 2102: "zephyr-srv", + 2103: "zephyr-clt", + 2104: "zephyr-hm", + 2105: "minipay", + 2106: "mzap", + 2107: "bintec-admin", + 2108: "comcam", + 2109: "ergolight", + 2110: "umsp", + 2111: "dsatp", + 2112: "idonix-metanet", + 2113: "hsl-storm", + 2114: "newheights", + 2115: "kdm", + 2116: "ccowcmr", + 2117: "mentaclient", + 2118: "mentaserver", + 2119: "gsigatekeeper", + 2120: "qencp", + 2121: "scientia-ssdb", + 2122: "caupc-remote", + 2123: "gtp-control", + 2124: "elatelink", + 2125: "lockstep", + 2126: "pktcable-cops", + 2127: "index-pc-wb", + 2128: "net-steward", + 2129: "cs-live", + 2130: "xds", + 2131: "avantageb2b", + 2132: "solera-epmap", + 2133: "zymed-zpp", + 2134: "avenue", + 2135: "gris", + 2136: "appworxsrv", + 2137: "connect", + 2138: "unbind-cluster", + 2139: "ias-auth", + 2140: "ias-reg", + 2141: "ias-admind", + 2142: "tdmoip", + 2143: "lv-jc", + 2144: "lv-ffx", + 2145: "lv-pici", + 2146: "lv-not", + 2147: "lv-auth", + 2148: "veritas-ucl", + 2149: "acptsys", + 2150: "dynamic3d", + 2151: "docent", + 2152: "gtp-user", + 2153: "ctlptc", + 2154: "stdptc", + 2155: "brdptc", + 2156: "trp", + 2157: "xnds", + 2158: "touchnetplus", + 2159: "gdbremote", + 2160: "apc-2160", + 2161: "apc-2161", + 2162: "navisphere", + 2163: "navisphere-sec", + 2164: "ddns-v3", + 2165: "x-bone-api", + 2166: "iwserver", + 2167: "raw-serial", + 2168: "easy-soft-mux", + 2169: "brain", + 2170: "eyetv", + 2171: "msfw-storage", + 2172: "msfw-s-storage", + 2173: "msfw-replica", + 2174: "msfw-array", + 2175: "airsync", + 2176: "rapi", + 2177: "qwave", + 2178: "bitspeer", + 2179: "vmrdp", + 2180: "mc-gt-srv", + 2181: "eforward", + 2182: "cgn-stat", + 2183: "cgn-config", + 2184: "nvd", + 2185: "onbase-dds", + 2186: "gtaua", + 2187: "ssmc", + 2188: "radware-rpm", + 2189: "radware-rpm-s", + 2190: "tivoconnect", + 2191: "tvbus", + 2192: "asdis", + 2193: "drwcs", + 2197: "mnp-exchange", + 2198: "onehome-remote", + 2199: "onehome-help", + 2200: "ici", + 2201: "ats", + 2202: "imtc-map", + 2203: "b2-runtime", + 2204: "b2-license", + 2205: "jps", + 2206: "hpocbus", + 2207: "hpssd", + 2208: "hpiod", + 2209: "rimf-ps", + 2210: "noaaport", + 2211: "emwin", + 2212: "leecoposserver", + 2213: "kali", + 2214: "rpi", + 2215: "ipcore", + 2216: "vtu-comms", + 2217: "gotodevice", + 2218: "bounzza", + 2219: "netiq-ncap", + 2220: "netiq", + 2221: "ethernet-ip-s", + 2222: "EtherNet-IP-1", + 2223: "rockwell-csp2", + 2224: "efi-mg", + 2225: "rcip-itu", + 2226: "di-drm", + 2227: "di-msg", + 2228: "ehome-ms", + 2229: "datalens", + 2230: "queueadm", + 2231: "wimaxasncp", + 2232: "ivs-video", + 2233: "infocrypt", + 2234: "directplay", + 2235: "sercomm-wlink", + 2236: "nani", + 2237: "optech-port1-lm", + 2238: "aviva-sna", + 2239: "imagequery", + 2240: "recipe", + 2241: "ivsd", + 2242: "foliocorp", + 2243: "magicom", + 2244: "nmsserver", + 2245: "hao", + 2246: "pc-mta-addrmap", + 2247: "antidotemgrsvr", + 2248: "ums", + 2249: "rfmp", + 2250: "remote-collab", + 2251: "dif-port", + 2252: "njenet-ssl", + 2253: "dtv-chan-req", + 2254: "seispoc", + 2255: "vrtp", + 2256: "pcc-mfp", + 2257: "simple-tx-rx", + 2258: "rcts", + 2260: "apc-2260", + 2261: "comotionmaster", + 2262: "comotionback", + 2263: "ecwcfg", + 2264: "apx500api-1", + 2265: "apx500api-2", + 2266: "mfserver", + 2267: "ontobroker", + 2268: "amt", + 2269: "mikey", + 2270: "starschool", + 2271: "mmcals", + 2272: "mmcal", + 2273: "mysql-im", + 2274: "pcttunnell", + 2275: "ibridge-data", + 2276: "ibridge-mgmt", + 2277: "bluectrlproxy", + 2278: "s3db", + 2279: "xmquery", + 2280: "lnvpoller", + 2281: "lnvconsole", + 2282: "lnvalarm", + 2283: "lnvstatus", + 2284: "lnvmaps", + 2285: "lnvmailmon", + 2286: "nas-metering", + 2287: "dna", + 2288: "netml", + 2289: "dict-lookup", + 2290: "sonus-logging", + 2291: "eapsp", + 2292: "mib-streaming", + 2293: "npdbgmngr", + 2294: "konshus-lm", + 2295: "advant-lm", + 2296: "theta-lm", + 2297: "d2k-datamover1", + 2298: "d2k-datamover2", + 2299: "pc-telecommute", + 2300: "cvmmon", + 2301: "cpq-wbem", + 2302: "binderysupport", + 2303: "proxy-gateway", + 2304: "attachmate-uts", + 2305: "mt-scaleserver", + 2306: "tappi-boxnet", + 2307: "pehelp", + 2308: "sdhelp", + 2309: "sdserver", + 2310: "sdclient", + 2311: "messageservice", + 2312: "wanscaler", + 2313: "iapp", + 2314: "cr-websystems", + 2315: "precise-sft", + 2316: "sent-lm", + 2317: "attachmate-g32", + 2318: "cadencecontrol", + 2319: "infolibria", + 2320: "siebel-ns", + 2321: "rdlap", + 2322: "ofsd", + 2323: "3d-nfsd", + 2324: "cosmocall", + 2325: "ansysli", + 2326: "idcp", + 2327: "xingcsm", + 2328: "netrix-sftm", + 2329: "nvd", + 2330: "tscchat", + 2331: "agentview", + 2332: "rcc-host", + 2333: "snapp", + 2334: "ace-client", + 2335: "ace-proxy", + 2336: "appleugcontrol", + 2337: "ideesrv", + 2338: "norton-lambert", + 2339: "3com-webview", + 2340: "wrs-registry", + 2341: "xiostatus", + 2342: "manage-exec", + 2343: "nati-logos", + 2344: "fcmsys", + 2345: "dbm", + 2346: "redstorm-join", + 2347: "redstorm-find", + 2348: "redstorm-info", + 2349: "redstorm-diag", + 2350: "psbserver", + 2351: "psrserver", + 2352: "pslserver", + 2353: "pspserver", + 2354: "psprserver", + 2355: "psdbserver", + 2356: "gxtelmd", + 2357: "unihub-server", + 2358: "futrix", + 2359: "flukeserver", + 2360: "nexstorindltd", + 2361: "tl1", + 2362: "digiman", + 2363: "mediacntrlnfsd", + 2364: "oi-2000", + 2365: "dbref", + 2366: "qip-login", + 2367: "service-ctrl", + 2368: "opentable", + 2370: "l3-hbmon", + 2371: "hp-rda", + 2372: "lanmessenger", + 2373: "remographlm", + 2374: "hydra", + 2375: "docker", + 2376: "docker-s", + 2377: "swarm", + 2379: "etcd-client", + 2380: "etcd-server", + 2381: "compaq-https", + 2382: "ms-olap3", + 2383: "ms-olap4", + 2384: "sd-request", + 2385: "sd-data", + 2386: "virtualtape", + 2387: "vsamredirector", + 2388: "mynahautostart", + 2389: "ovsessionmgr", + 2390: "rsmtp", + 2391: "3com-net-mgmt", + 2392: "tacticalauth", + 2393: "ms-olap1", + 2394: "ms-olap2", + 2395: "lan900-remote", + 2396: "wusage", + 2397: "ncl", + 2398: "orbiter", + 2399: "fmpro-fdal", + 2400: "opequus-server", + 2401: "cvspserver", + 2402: "taskmaster2000", + 2403: "taskmaster2000", + 2404: "iec-104", + 2405: "trc-netpoll", + 2406: "jediserver", + 2407: "orion", + 2408: "railgun-webaccl", + 2409: "sns-protocol", + 2410: "vrts-registry", + 2411: "netwave-ap-mgmt", + 2412: "cdn", + 2413: "orion-rmi-reg", + 2414: "beeyond", + 2415: "codima-rtp", + 2416: "rmtserver", + 2417: "composit-server", + 2418: "cas", + 2419: "attachmate-s2s", + 2420: "dslremote-mgmt", + 2421: "g-talk", + 2422: "crmsbits", + 2423: "rnrp", + 2424: "kofax-svr", + 2425: "fjitsuappmgr", + 2426: "vcmp", + 2427: "mgcp-gateway", + 2428: "ott", + 2429: "ft-role", + 2430: "venus", + 2431: "venus-se", + 2432: "codasrv", + 2433: "codasrv-se", + 2434: "pxc-epmap", + 2435: "optilogic", + 2436: "topx", + 2437: "unicontrol", + 2438: "msp", + 2439: "sybasedbsynch", + 2440: "spearway", + 2441: "pvsw-inet", + 2442: "netangel", + 2443: "powerclientcsf", + 2444: "btpp2sectrans", + 2445: "dtn1", + 2446: "bues-service", + 2447: "ovwdb", + 2448: "hpppssvr", + 2449: "ratl", + 2450: "netadmin", + 2451: "netchat", + 2452: "snifferclient", + 2453: "madge-ltd", + 2454: "indx-dds", + 2455: "wago-io-system", + 2456: "altav-remmgt", + 2457: "rapido-ip", + 2458: "griffin", + 2459: "community", + 2460: "ms-theater", + 2461: "qadmifoper", + 2462: "qadmifevent", + 2463: "lsi-raid-mgmt", + 2464: "direcpc-si", + 2465: "lbm", + 2466: "lbf", + 2467: "high-criteria", + 2468: "qip-msgd", + 2469: "mti-tcs-comm", + 2470: "taskman-port", + 2471: "seaodbc", + 2472: "c3", + 2473: "aker-cdp", + 2474: "vitalanalysis", + 2475: "ace-server", + 2476: "ace-svr-prop", + 2477: "ssm-cvs", + 2478: "ssm-cssps", + 2479: "ssm-els", + 2480: "powerexchange", + 2481: "giop", + 2482: "giop-ssl", + 2483: "ttc", + 2484: "ttc-ssl", + 2485: "netobjects1", + 2486: "netobjects2", + 2487: "pns", + 2488: "moy-corp", + 2489: "tsilb", + 2490: "qip-qdhcp", + 2491: "conclave-cpp", + 2492: "groove", + 2493: "talarian-mqs", + 2494: "bmc-ar", + 2495: "fast-rem-serv", + 2496: "dirgis", + 2497: "quaddb", + 2498: "odn-castraq", + 2499: "unicontrol", + 2500: "rtsserv", + 2501: "rtsclient", + 2502: "kentrox-prot", + 2503: "nms-dpnss", + 2504: "wlbs", + 2505: "ppcontrol", + 2506: "jbroker", + 2507: "spock", + 2508: "jdatastore", + 2509: "fjmpss", + 2510: "fjappmgrbulk", + 2511: "metastorm", + 2512: "citrixima", + 2513: "citrixadmin", + 2514: "facsys-ntp", + 2515: "facsys-router", + 2516: "maincontrol", + 2517: "call-sig-trans", + 2518: "willy", + 2519: "globmsgsvc", + 2520: "pvsw", + 2521: "adaptecmgr", + 2522: "windb", + 2523: "qke-llc-v3", + 2524: "optiwave-lm", + 2525: "ms-v-worlds", + 2526: "ema-sent-lm", + 2527: "iqserver", + 2528: "ncr-ccl", + 2529: "utsftp", + 2530: "vrcommerce", + 2531: "ito-e-gui", + 2532: "ovtopmd", + 2533: "snifferserver", + 2534: "combox-web-acc", + 2535: "madcap", + 2536: "btpp2audctr1", + 2537: "upgrade", + 2538: "vnwk-prapi", + 2539: "vsiadmin", + 2540: "lonworks", + 2541: "lonworks2", + 2542: "udrawgraph", + 2543: "reftek", + 2544: "novell-zen", + 2545: "sis-emt", + 2546: "vytalvaultbrtp", + 2547: "vytalvaultvsmp", + 2548: "vytalvaultpipe", + 2549: "ipass", + 2550: "ads", + 2551: "isg-uda-server", + 2552: "call-logging", + 2553: "efidiningport", + 2554: "vcnet-link-v10", + 2555: "compaq-wcp", + 2556: "nicetec-nmsvc", + 2557: "nicetec-mgmt", + 2558: "pclemultimedia", + 2559: "lstp", + 2560: "labrat", + 2561: "mosaixcc", + 2562: "delibo", + 2563: "cti-redwood", + 2564: "hp-3000-telnet", + 2565: "coord-svr", + 2566: "pcs-pcw", + 2567: "clp", + 2568: "spamtrap", + 2569: "sonuscallsig", + 2570: "hs-port", + 2571: "cecsvc", + 2572: "ibp", + 2573: "trustestablish", + 2574: "blockade-bpsp", + 2575: "hl7", + 2576: "tclprodebugger", + 2577: "scipticslsrvr", + 2578: "rvs-isdn-dcp", + 2579: "mpfoncl", + 2580: "tributary", + 2581: "argis-te", + 2582: "argis-ds", + 2583: "mon", + 2584: "cyaserv", + 2585: "netx-server", + 2586: "netx-agent", + 2587: "masc", + 2588: "privilege", + 2589: "quartus-tcl", + 2590: "idotdist", + 2591: "maytagshuffle", + 2592: "netrek", + 2593: "mns-mail", + 2594: "dts", + 2595: "worldfusion1", + 2596: "worldfusion2", + 2597: "homesteadglory", + 2598: "citriximaclient", + 2599: "snapd", + 2600: "hpstgmgr", + 2601: "discp-client", + 2602: "discp-server", + 2603: "servicemeter", + 2604: "nsc-ccs", + 2605: "nsc-posa", + 2606: "netmon", + 2607: "connection", + 2608: "wag-service", + 2609: "system-monitor", + 2610: "versa-tek", + 2611: "lionhead", + 2612: "qpasa-agent", + 2613: "smntubootstrap", + 2614: "neveroffline", + 2615: "firepower", + 2616: "appswitch-emp", + 2617: "cmadmin", + 2618: "priority-e-com", + 2619: "bruce", + 2620: "lpsrecommender", + 2621: "miles-apart", + 2622: "metricadbc", + 2623: "lmdp", + 2624: "aria", + 2625: "blwnkl-port", + 2626: "gbjd816", + 2627: "moshebeeri", + 2628: "dict", + 2629: "sitaraserver", + 2630: "sitaramgmt", + 2631: "sitaradir", + 2632: "irdg-post", + 2633: "interintelli", + 2634: "pk-electronics", + 2635: "backburner", + 2636: "solve", + 2637: "imdocsvc", + 2638: "sybaseanywhere", + 2639: "aminet", + 2640: "ami-control", + 2641: "hdl-srv", + 2642: "tragic", + 2643: "gte-samp", + 2644: "travsoft-ipx-t", + 2645: "novell-ipx-cmd", + 2646: "and-lm", + 2647: "syncserver", + 2648: "upsnotifyprot", + 2649: "vpsipport", + 2650: "eristwoguns", + 2651: "ebinsite", + 2652: "interpathpanel", + 2653: "sonus", + 2654: "corel-vncadmin", + 2655: "unglue", + 2656: "kana", + 2657: "sns-dispatcher", + 2658: "sns-admin", + 2659: "sns-query", + 2660: "gcmonitor", + 2661: "olhost", + 2662: "bintec-capi", + 2663: "bintec-tapi", + 2664: "patrol-mq-gm", + 2665: "patrol-mq-nm", + 2666: "extensis", + 2667: "alarm-clock-s", + 2668: "alarm-clock-c", + 2669: "toad", + 2670: "tve-announce", + 2671: "newlixreg", + 2672: "nhserver", + 2673: "firstcall42", + 2674: "ewnn", + 2675: "ttc-etap", + 2676: "simslink", + 2677: "gadgetgate1way", + 2678: "gadgetgate2way", + 2679: "syncserverssl", + 2680: "pxc-sapxom", + 2681: "mpnjsomb", + 2683: "ncdloadbalance", + 2684: "mpnjsosv", + 2685: "mpnjsocl", + 2686: "mpnjsomg", + 2687: "pq-lic-mgmt", + 2688: "md-cg-http", + 2689: "fastlynx", + 2690: "hp-nnm-data", + 2691: "itinternet", + 2692: "admins-lms", + 2694: "pwrsevent", + 2695: "vspread", + 2696: "unifyadmin", + 2697: "oce-snmp-trap", + 2698: "mck-ivpip", + 2699: "csoft-plusclnt", + 2700: "tqdata", + 2701: "sms-rcinfo", + 2702: "sms-xfer", + 2703: "sms-chat", + 2704: "sms-remctrl", + 2705: "sds-admin", + 2706: "ncdmirroring", + 2707: "emcsymapiport", + 2708: "banyan-net", + 2709: "supermon", + 2710: "sso-service", + 2711: "sso-control", + 2712: "aocp", + 2713: "raventbs", + 2714: "raventdm", + 2715: "hpstgmgr2", + 2716: "inova-ip-disco", + 2717: "pn-requester", + 2718: "pn-requester2", + 2719: "scan-change", + 2720: "wkars", + 2721: "smart-diagnose", + 2722: "proactivesrvr", + 2723: "watchdog-nt", + 2724: "qotps", + 2725: "msolap-ptp2", + 2726: "tams", + 2727: "mgcp-callagent", + 2728: "sqdr", + 2729: "tcim-control", + 2730: "nec-raidplus", + 2731: "fyre-messanger", + 2732: "g5m", + 2733: "signet-ctf", + 2734: "ccs-software", + 2735: "netiq-mc", + 2736: "radwiz-nms-srv", + 2737: "srp-feedback", + 2738: "ndl-tcp-ois-gw", + 2739: "tn-timing", + 2740: "alarm", + 2741: "tsb", + 2742: "tsb2", + 2743: "murx", + 2744: "honyaku", + 2745: "urbisnet", + 2746: "cpudpencap", + 2747: "fjippol-swrly", + 2748: "fjippol-polsvr", + 2749: "fjippol-cnsl", + 2750: "fjippol-port1", + 2751: "fjippol-port2", + 2752: "rsisysaccess", + 2753: "de-spot", + 2754: "apollo-cc", + 2755: "expresspay", + 2756: "simplement-tie", + 2757: "cnrp", + 2758: "apollo-status", + 2759: "apollo-gms", + 2760: "sabams", + 2761: "dicom-iscl", + 2762: "dicom-tls", + 2763: "desktop-dna", + 2764: "data-insurance", + 2765: "qip-audup", + 2766: "compaq-scp", + 2767: "uadtc", + 2768: "uacs", + 2769: "exce", + 2770: "veronica", + 2771: "vergencecm", + 2772: "auris", + 2773: "rbakcup1", + 2774: "rbakcup2", + 2775: "smpp", + 2776: "ridgeway1", + 2777: "ridgeway2", + 2778: "gwen-sonya", + 2779: "lbc-sync", + 2780: "lbc-control", + 2781: "whosells", + 2782: "everydayrc", + 2783: "aises", + 2784: "www-dev", + 2785: "aic-np", + 2786: "aic-oncrpc", + 2787: "piccolo", + 2788: "fryeserv", + 2789: "media-agent", + 2790: "plgproxy", + 2791: "mtport-regist", + 2792: "f5-globalsite", + 2793: "initlsmsad", + 2795: "livestats", + 2796: "ac-tech", + 2797: "esp-encap", + 2798: "tmesis-upshot", + 2799: "icon-discover", + 2800: "acc-raid", + 2801: "igcp", + 2802: "veritas-tcp1", + 2803: "btprjctrl", + 2804: "dvr-esm", + 2805: "wta-wsp-s", + 2806: "cspuni", + 2807: "cspmulti", + 2808: "j-lan-p", + 2809: "corbaloc", + 2810: "netsteward", + 2811: "gsiftp", + 2812: "atmtcp", + 2813: "llm-pass", + 2814: "llm-csv", + 2815: "lbc-measure", + 2816: "lbc-watchdog", + 2817: "nmsigport", + 2818: "rmlnk", + 2819: "fc-faultnotify", + 2820: "univision", + 2821: "vrts-at-port", + 2822: "ka0wuc", + 2823: "cqg-netlan", + 2824: "cqg-netlan-1", + 2826: "slc-systemlog", + 2827: "slc-ctrlrloops", + 2828: "itm-lm", + 2829: "silkp1", + 2830: "silkp2", + 2831: "silkp3", + 2832: "silkp4", + 2833: "glishd", + 2834: "evtp", + 2835: "evtp-data", + 2836: "catalyst", + 2837: "repliweb", + 2838: "starbot", + 2839: "nmsigport", + 2840: "l3-exprt", + 2841: "l3-ranger", + 2842: "l3-hawk", + 2843: "pdnet", + 2844: "bpcp-poll", + 2845: "bpcp-trap", + 2846: "aimpp-hello", + 2847: "aimpp-port-req", + 2848: "amt-blc-port", + 2849: "fxp", + 2850: "metaconsole", + 2851: "webemshttp", + 2852: "bears-01", + 2853: "ispipes", + 2854: "infomover", + 2855: "msrp", + 2856: "cesdinv", + 2857: "simctlp", + 2858: "ecnp", + 2859: "activememory", + 2860: "dialpad-voice1", + 2861: "dialpad-voice2", + 2862: "ttg-protocol", + 2863: "sonardata", + 2864: "astromed-main", + 2865: "pit-vpn", + 2866: "iwlistener", + 2867: "esps-portal", + 2868: "npep-messaging", + 2869: "icslap", + 2870: "daishi", + 2871: "msi-selectplay", + 2872: "radix", + 2874: "dxmessagebase1", + 2875: "dxmessagebase2", + 2876: "sps-tunnel", + 2877: "bluelance", + 2878: "aap", + 2879: "ucentric-ds", + 2880: "synapse", + 2881: "ndsp", + 2882: "ndtp", + 2883: "ndnp", + 2884: "flashmsg", + 2885: "topflow", + 2886: "responselogic", + 2887: "aironetddp", + 2888: "spcsdlobby", + 2889: "rsom", + 2890: "cspclmulti", + 2891: "cinegrfx-elmd", + 2892: "snifferdata", + 2893: "vseconnector", + 2894: "abacus-remote", + 2895: "natuslink", + 2896: "ecovisiong6-1", + 2897: "citrix-rtmp", + 2898: "appliance-cfg", + 2899: "powergemplus", + 2900: "quicksuite", + 2901: "allstorcns", + 2902: "netaspi", + 2903: "suitcase", + 2904: "m2ua", + 2905: "m3ua", + 2906: "caller9", + 2907: "webmethods-b2b", + 2908: "mao", + 2909: "funk-dialout", + 2910: "tdaccess", + 2911: "blockade", + 2912: "epicon", + 2913: "boosterware", + 2914: "gamelobby", + 2915: "tksocket", + 2916: "elvin-server", + 2917: "elvin-client", + 2918: "kastenchasepad", + 2919: "roboer", + 2920: "roboeda", + 2921: "cesdcdman", + 2922: "cesdcdtrn", + 2923: "wta-wsp-wtp-s", + 2924: "precise-vip", + 2926: "mobile-file-dl", + 2927: "unimobilectrl", + 2928: "redstone-cpss", + 2929: "amx-webadmin", + 2930: "amx-weblinx", + 2931: "circle-x", + 2932: "incp", + 2933: "4-tieropmgw", + 2934: "4-tieropmcli", + 2935: "qtp", + 2936: "otpatch", + 2937: "pnaconsult-lm", + 2938: "sm-pas-1", + 2939: "sm-pas-2", + 2940: "sm-pas-3", + 2941: "sm-pas-4", + 2942: "sm-pas-5", + 2943: "ttnrepository", + 2944: "megaco-h248", + 2945: "h248-binary", + 2946: "fjsvmpor", + 2947: "gpsd", + 2948: "wap-push", + 2949: "wap-pushsecure", + 2950: "esip", + 2951: "ottp", + 2952: "mpfwsas", + 2953: "ovalarmsrv", + 2954: "ovalarmsrv-cmd", + 2955: "csnotify", + 2956: "ovrimosdbman", + 2957: "jmact5", + 2958: "jmact6", + 2959: "rmopagt", + 2960: "dfoxserver", + 2961: "boldsoft-lm", + 2962: "iph-policy-cli", + 2963: "iph-policy-adm", + 2964: "bullant-srap", + 2965: "bullant-rap", + 2966: "idp-infotrieve", + 2967: "ssc-agent", + 2968: "enpp", + 2969: "essp", + 2970: "index-net", + 2971: "netclip", + 2972: "pmsm-webrctl", + 2973: "svnetworks", + 2974: "signal", + 2975: "fjmpcm", + 2976: "cns-srv-port", + 2977: "ttc-etap-ns", + 2978: "ttc-etap-ds", + 2979: "h263-video", + 2980: "wimd", + 2981: "mylxamport", + 2982: "iwb-whiteboard", + 2983: "netplan", + 2984: "hpidsadmin", + 2985: "hpidsagent", + 2986: "stonefalls", + 2987: "identify", + 2988: "hippad", + 2989: "zarkov", + 2990: "boscap", + 2991: "wkstn-mon", + 2992: "avenyo", + 2993: "veritas-vis1", + 2994: "veritas-vis2", + 2995: "idrs", + 2996: "vsixml", + 2997: "rebol", + 2998: "realsecure", + 2999: "remoteware-un", + 3000: "hbci", + 3001: "origo-native", + 3002: "exlm-agent", + 3003: "cgms", + 3004: "csoftragent", + 3005: "geniuslm", + 3006: "ii-admin", + 3007: "lotusmtap", + 3008: "midnight-tech", + 3009: "pxc-ntfy", + 3010: "gw", + 3011: "trusted-web", + 3012: "twsdss", + 3013: "gilatskysurfer", + 3014: "broker-service", + 3015: "nati-dstp", + 3016: "notify-srvr", + 3017: "event-listener", + 3018: "srvc-registry", + 3019: "resource-mgr", + 3020: "cifs", + 3021: "agriserver", + 3022: "csregagent", + 3023: "magicnotes", + 3024: "nds-sso", + 3025: "arepa-raft", + 3026: "agri-gateway", + 3027: "LiebDevMgmt-C", + 3028: "LiebDevMgmt-DM", + 3029: "LiebDevMgmt-A", + 3030: "arepa-cas", + 3031: "eppc", + 3032: "redwood-chat", + 3033: "pdb", + 3034: "osmosis-aeea", + 3035: "fjsv-gssagt", + 3036: "hagel-dump", + 3037: "hp-san-mgmt", + 3038: "santak-ups", + 3039: "cogitate", + 3040: "tomato-springs", + 3041: "di-traceware", + 3042: "journee", + 3043: "brp", + 3044: "epp", + 3045: "responsenet", + 3046: "di-ase", + 3047: "hlserver", + 3048: "pctrader", + 3049: "nsws", + 3050: "gds-db", + 3051: "galaxy-server", + 3052: "apc-3052", + 3053: "dsom-server", + 3054: "amt-cnf-prot", + 3055: "policyserver", + 3056: "cdl-server", + 3057: "goahead-fldup", + 3058: "videobeans", + 3059: "qsoft", + 3060: "interserver", + 3061: "cautcpd", + 3062: "ncacn-ip-tcp", + 3063: "ncadg-ip-udp", + 3064: "rprt", + 3065: "slinterbase", + 3066: "netattachsdmp", + 3067: "fjhpjp", + 3068: "ls3bcast", + 3069: "ls3", + 3070: "mgxswitch", + 3071: "xplat-replicate", + 3072: "csd-monitor", + 3073: "vcrp", + 3074: "xbox", + 3075: "orbix-locator", + 3076: "orbix-config", + 3077: "orbix-loc-ssl", + 3078: "orbix-cfg-ssl", + 3079: "lv-frontpanel", + 3080: "stm-pproc", + 3081: "tl1-lv", + 3082: "tl1-raw", + 3083: "tl1-telnet", + 3084: "itm-mccs", + 3085: "pcihreq", + 3086: "jdl-dbkitchen", + 3087: "asoki-sma", + 3088: "xdtp", + 3089: "ptk-alink", + 3090: "stss", + 3091: "1ci-smcs", + 3093: "rapidmq-center", + 3094: "rapidmq-reg", + 3095: "panasas", + 3096: "ndl-aps", + 3098: "umm-port", + 3099: "chmd", + 3100: "opcon-xps", + 3101: "hp-pxpib", + 3102: "slslavemon", + 3103: "autocuesmi", + 3104: "autocuelog", + 3105: "cardbox", + 3106: "cardbox-http", + 3107: "business", + 3108: "geolocate", + 3109: "personnel", + 3110: "sim-control", + 3111: "wsynch", + 3112: "ksysguard", + 3113: "cs-auth-svr", + 3114: "ccmad", + 3115: "mctet-master", + 3116: "mctet-gateway", + 3117: "mctet-jserv", + 3118: "pkagent", + 3119: "d2000kernel", + 3120: "d2000webserver", + 3121: "pcmk-remote", + 3122: "vtr-emulator", + 3123: "edix", + 3124: "beacon-port", + 3125: "a13-an", + 3127: "ctx-bridge", + 3128: "ndl-aas", + 3129: "netport-id", + 3130: "icpv2", + 3131: "netbookmark", + 3132: "ms-rule-engine", + 3133: "prism-deploy", + 3134: "ecp", + 3135: "peerbook-port", + 3136: "grubd", + 3137: "rtnt-1", + 3138: "rtnt-2", + 3139: "incognitorv", + 3140: "ariliamulti", + 3141: "vmodem", + 3142: "rdc-wh-eos", + 3143: "seaview", + 3144: "tarantella", + 3145: "csi-lfap", + 3146: "bears-02", + 3147: "rfio", + 3148: "nm-game-admin", + 3149: "nm-game-server", + 3150: "nm-asses-admin", + 3151: "nm-assessor", + 3152: "feitianrockey", + 3153: "s8-client-port", + 3154: "ccmrmi", + 3155: "jpegmpeg", + 3156: "indura", + 3157: "e3consultants", + 3158: "stvp", + 3159: "navegaweb-port", + 3160: "tip-app-server", + 3161: "doc1lm", + 3162: "sflm", + 3163: "res-sap", + 3164: "imprs", + 3165: "newgenpay", + 3166: "sossecollector", + 3167: "nowcontact", + 3168: "poweronnud", + 3169: "serverview-as", + 3170: "serverview-asn", + 3171: "serverview-gf", + 3172: "serverview-rm", + 3173: "serverview-icc", + 3174: "armi-server", + 3175: "t1-e1-over-ip", + 3176: "ars-master", + 3177: "phonex-port", + 3178: "radclientport", + 3179: "h2gf-w-2m", + 3180: "mc-brk-srv", + 3181: "bmcpatrolagent", + 3182: "bmcpatrolrnvu", + 3183: "cops-tls", + 3184: "apogeex-port", + 3185: "smpppd", + 3186: "iiw-port", + 3187: "odi-port", + 3188: "brcm-comm-port", + 3189: "pcle-infex", + 3190: "csvr-proxy", + 3191: "csvr-sslproxy", + 3192: "firemonrcc", + 3193: "spandataport", + 3194: "magbind", + 3195: "ncu-1", + 3196: "ncu-2", + 3197: "embrace-dp-s", + 3198: "embrace-dp-c", + 3199: "dmod-workspace", + 3200: "tick-port", + 3201: "cpq-tasksmart", + 3202: "intraintra", + 3203: "netwatcher-mon", + 3204: "netwatcher-db", + 3205: "isns", + 3206: "ironmail", + 3207: "vx-auth-port", + 3208: "pfu-prcallback", + 3209: "netwkpathengine", + 3210: "flamenco-proxy", + 3211: "avsecuremgmt", + 3212: "surveyinst", + 3213: "neon24x7", + 3214: "jmq-daemon-1", + 3215: "jmq-daemon-2", + 3216: "ferrari-foam", + 3217: "unite", + 3218: "smartpackets", + 3219: "wms-messenger", + 3220: "xnm-ssl", + 3221: "xnm-clear-text", + 3222: "glbp", + 3223: "digivote", + 3224: "aes-discovery", + 3225: "fcip-port", + 3226: "isi-irp", + 3227: "dwnmshttp", + 3228: "dwmsgserver", + 3229: "global-cd-port", + 3230: "sftdst-port", + 3231: "vidigo", + 3232: "mdtp", + 3233: "whisker", + 3234: "alchemy", + 3235: "mdap-port", + 3236: "apparenet-ts", + 3237: "apparenet-tps", + 3238: "apparenet-as", + 3239: "apparenet-ui", + 3240: "triomotion", + 3241: "sysorb", + 3242: "sdp-id-port", + 3243: "timelot", + 3244: "onesaf", + 3245: "vieo-fe", + 3246: "dvt-system", + 3247: "dvt-data", + 3248: "procos-lm", + 3249: "ssp", + 3250: "hicp", + 3251: "sysscanner", + 3252: "dhe", + 3253: "pda-data", + 3254: "pda-sys", + 3255: "semaphore", + 3256: "cpqrpm-agent", + 3257: "cpqrpm-server", + 3258: "ivecon-port", + 3259: "epncdp2", + 3260: "iscsi-target", + 3261: "winshadow", + 3262: "necp", + 3263: "ecolor-imager", + 3264: "ccmail", + 3265: "altav-tunnel", + 3266: "ns-cfg-server", + 3267: "ibm-dial-out", + 3268: "msft-gc", + 3269: "msft-gc-ssl", + 3270: "verismart", + 3271: "csoft-prev", + 3272: "user-manager", + 3273: "sxmp", + 3274: "ordinox-server", + 3275: "samd", + 3276: "maxim-asics", + 3277: "awg-proxy", + 3278: "lkcmserver", + 3279: "admind", + 3280: "vs-server", + 3281: "sysopt", + 3282: "datusorb", + 3283: "Apple Remote Desktop (Net Assistant)", + 3284: "4talk", + 3285: "plato", + 3286: "e-net", + 3287: "directvdata", + 3288: "cops", + 3289: "enpc", + 3290: "caps-lm", + 3291: "sah-lm", + 3292: "cart-o-rama", + 3293: "fg-fps", + 3294: "fg-gip", + 3295: "dyniplookup", + 3296: "rib-slm", + 3297: "cytel-lm", + 3298: "deskview", + 3299: "pdrncs", + 3300: "ceph", + 3302: "mcs-fastmail", + 3303: "opsession-clnt", + 3304: "opsession-srvr", + 3305: "odette-ftp", + 3306: "mysql", + 3307: "opsession-prxy", + 3308: "tns-server", + 3309: "tns-adv", + 3310: "dyna-access", + 3311: "mcns-tel-ret", + 3312: "appman-server", + 3313: "uorb", + 3314: "uohost", + 3315: "cdid", + 3316: "aicc-cmi", + 3317: "vsaiport", + 3318: "ssrip", + 3319: "sdt-lmd", + 3320: "officelink2000", + 3321: "vnsstr", + 3326: "sftu", + 3327: "bbars", + 3328: "egptlm", + 3329: "hp-device-disc", + 3330: "mcs-calypsoicf", + 3331: "mcs-messaging", + 3332: "mcs-mailsvr", + 3333: "dec-notes", + 3334: "directv-web", + 3335: "directv-soft", + 3336: "directv-tick", + 3337: "directv-catlg", + 3338: "anet-b", + 3339: "anet-l", + 3340: "anet-m", + 3341: "anet-h", + 3342: "webtie", + 3343: "ms-cluster-net", + 3344: "bnt-manager", + 3345: "influence", + 3346: "trnsprntproxy", + 3347: "phoenix-rpc", + 3348: "pangolin-laser", + 3349: "chevinservices", + 3350: "findviatv", + 3351: "btrieve", + 3352: "ssql", + 3353: "fatpipe", + 3354: "suitjd", + 3355: "ordinox-dbase", + 3356: "upnotifyps", + 3357: "adtech-test", + 3358: "mpsysrmsvr", + 3359: "wg-netforce", + 3360: "kv-server", + 3361: "kv-agent", + 3362: "dj-ilm", + 3363: "nati-vi-server", + 3364: "creativeserver", + 3365: "contentserver", + 3366: "creativepartnr", + 3372: "tip2", + 3373: "lavenir-lm", + 3374: "cluster-disc", + 3375: "vsnm-agent", + 3376: "cdbroker", + 3377: "cogsys-lm", + 3378: "wsicopy", + 3379: "socorfs", + 3380: "sns-channels", + 3381: "geneous", + 3382: "fujitsu-neat", + 3383: "esp-lm", + 3384: "hp-clic", + 3385: "qnxnetman", + 3386: "gprs-data", + 3387: "backroomnet", + 3388: "cbserver", + 3389: "ms-wbt-server", + 3390: "dsc", + 3391: "savant", + 3392: "efi-lm", + 3393: "d2k-tapestry1", + 3394: "d2k-tapestry2", + 3395: "dyna-lm", + 3396: "printer-agent", + 3397: "cloanto-lm", + 3398: "mercantile", + 3399: "csms", + 3400: "csms2", + 3401: "filecast", + 3402: "fxaengine-net", + 3405: "nokia-ann-ch1", + 3406: "nokia-ann-ch2", + 3407: "ldap-admin", + 3408: "BESApi", + 3409: "networklens", + 3410: "networklenss", + 3411: "biolink-auth", + 3412: "xmlblaster", + 3413: "svnet", + 3414: "wip-port", + 3415: "bcinameservice", + 3416: "commandport", + 3417: "csvr", + 3418: "rnmap", + 3419: "softaudit", + 3420: "ifcp-port", + 3421: "bmap", + 3422: "rusb-sys-port", + 3423: "xtrm", + 3424: "xtrms", + 3425: "agps-port", + 3426: "arkivio", + 3427: "websphere-snmp", + 3428: "twcss", + 3429: "gcsp", + 3430: "ssdispatch", + 3431: "ndl-als", + 3432: "osdcp", + 3433: "opnet-smp", + 3434: "opencm", + 3435: "pacom", + 3436: "gc-config", + 3437: "autocueds", + 3438: "spiral-admin", + 3439: "hri-port", + 3440: "ans-console", + 3441: "connect-client", + 3442: "connect-server", + 3443: "ov-nnm-websrv", + 3444: "denali-server", + 3445: "monp", + 3446: "3comfaxrpc", + 3447: "directnet", + 3448: "dnc-port", + 3449: "hotu-chat", + 3450: "castorproxy", + 3451: "asam", + 3452: "sabp-signal", + 3453: "pscupd", + 3454: "mira", + 3455: "prsvp", + 3456: "vat", + 3457: "vat-control", + 3458: "d3winosfi", + 3459: "integral", + 3460: "edm-manager", + 3461: "edm-stager", + 3462: "edm-std-notify", + 3463: "edm-adm-notify", + 3464: "edm-mgr-sync", + 3465: "edm-mgr-cntrl", + 3466: "workflow", + 3467: "rcst", + 3468: "ttcmremotectrl", + 3469: "pluribus", + 3470: "jt400", + 3471: "jt400-ssl", + 3472: "jaugsremotec-1", + 3473: "jaugsremotec-2", + 3474: "ttntspauto", + 3475: "genisar-port", + 3476: "nppmp", + 3477: "ecomm", + 3478: "stun", + 3479: "twrpc", + 3480: "plethora", + 3481: "cleanerliverc", + 3482: "vulture", + 3483: "slim-devices", + 3484: "gbs-stp", + 3485: "celatalk", + 3486: "ifsf-hb-port", + 3487: "ltctcp", + 3488: "fs-rh-srv", + 3489: "dtp-dia", + 3490: "colubris", + 3491: "swr-port", + 3492: "tvdumtray-port", + 3493: "nut", + 3494: "ibm3494", + 3495: "seclayer-tcp", + 3496: "seclayer-tls", + 3497: "ipether232port", + 3498: "dashpas-port", + 3499: "sccip-media", + 3500: "rtmp-port", + 3501: "isoft-p2p", + 3502: "avinstalldisc", + 3503: "lsp-ping", + 3504: "ironstorm", + 3505: "ccmcomm", + 3506: "apc-3506", + 3507: "nesh-broker", + 3508: "interactionweb", + 3509: "vt-ssl", + 3510: "xss-port", + 3511: "webmail-2", + 3512: "aztec", + 3513: "arcpd", + 3514: "must-p2p", + 3515: "must-backplane", + 3516: "smartcard-port", + 3517: "802-11-iapp", + 3518: "artifact-msg", + 3519: "nvmsgd", + 3520: "galileolog", + 3521: "mc3ss", + 3522: "nssocketport", + 3523: "odeumservlink", + 3524: "ecmport", + 3525: "eisport", + 3526: "starquiz-port", + 3527: "beserver-msg-q", + 3528: "jboss-iiop", + 3529: "jboss-iiop-ssl", + 3530: "gf", + 3531: "joltid", + 3532: "raven-rmp", + 3533: "raven-rdp", + 3534: "urld-port", + 3535: "ms-la", + 3536: "snac", + 3537: "ni-visa-remote", + 3538: "ibm-diradm", + 3539: "ibm-diradm-ssl", + 3540: "pnrp-port", + 3541: "voispeed-port", + 3542: "hacl-monitor", + 3543: "qftest-lookup", + 3544: "teredo", + 3545: "camac", + 3547: "symantec-sim", + 3548: "interworld", + 3549: "tellumat-nms", + 3550: "ssmpp", + 3551: "apcupsd", + 3552: "taserver", + 3553: "rbr-discovery", + 3554: "questnotify", + 3555: "razor", + 3556: "sky-transport", + 3557: "personalos-001", + 3558: "mcp-port", + 3559: "cctv-port", + 3560: "iniserve-port", + 3561: "bmc-onekey", + 3562: "sdbproxy", + 3563: "watcomdebug", + 3564: "esimport", + 3565: "m2pa", + 3566: "quest-data-hub", + 3567: "dof-eps", + 3568: "dof-tunnel-sec", + 3569: "mbg-ctrl", + 3570: "mccwebsvr-port", + 3571: "megardsvr-port", + 3572: "megaregsvrport", + 3573: "tag-ups-1", + 3574: "dmaf-server", + 3575: "ccm-port", + 3576: "cmc-port", + 3577: "config-port", + 3578: "data-port", + 3579: "ttat3lb", + 3580: "nati-svrloc", + 3581: "kfxaclicensing", + 3582: "press", + 3583: "canex-watch", + 3584: "u-dbap", + 3585: "emprise-lls", + 3586: "emprise-lsc", + 3587: "p2pgroup", + 3588: "sentinel", + 3589: "isomair", + 3590: "wv-csp-sms", + 3591: "gtrack-server", + 3592: "gtrack-ne", + 3593: "bpmd", + 3594: "mediaspace", + 3595: "shareapp", + 3596: "iw-mmogame", + 3597: "a14", + 3598: "a15", + 3599: "quasar-server", + 3600: "trap-daemon", + 3601: "visinet-gui", + 3602: "infiniswitchcl", + 3603: "int-rcv-cntrl", + 3604: "bmc-jmx-port", + 3605: "comcam-io", + 3606: "splitlock", + 3607: "precise-i3", + 3608: "trendchip-dcp", + 3609: "cpdi-pidas-cm", + 3610: "echonet", + 3611: "six-degrees", + 3612: "hp-dataprotect", + 3613: "alaris-disc", + 3614: "sigma-port", + 3615: "start-network", + 3616: "cd3o-protocol", + 3617: "sharp-server", + 3618: "aairnet-1", + 3619: "aairnet-2", + 3620: "ep-pcp", + 3621: "ep-nsp", + 3622: "ff-lr-port", + 3623: "haipe-discover", + 3624: "dist-upgrade", + 3625: "volley", + 3626: "bvcdaemon-port", + 3627: "jamserverport", + 3628: "ept-machine", + 3629: "escvpnet", + 3630: "cs-remote-db", + 3631: "cs-services", + 3632: "distcc", + 3633: "wacp", + 3634: "hlibmgr", + 3635: "sdo", + 3636: "servistaitsm", + 3637: "scservp", + 3638: "ehp-backup", + 3639: "xap-ha", + 3640: "netplay-port1", + 3641: "netplay-port2", + 3642: "juxml-port", + 3643: "audiojuggler", + 3644: "ssowatch", + 3645: "cyc", + 3646: "xss-srv-port", + 3647: "splitlock-gw", + 3648: "fjcp", + 3649: "nmmp", + 3650: "prismiq-plugin", + 3651: "xrpc-registry", + 3652: "vxcrnbuport", + 3653: "tsp", + 3654: "vaprtm", + 3655: "abatemgr", + 3656: "abatjss", + 3657: "immedianet-bcn", + 3658: "ps-ams", + 3659: "apple-sasl", + 3660: "can-nds-ssl", + 3661: "can-ferret-ssl", + 3662: "pserver", + 3663: "dtp", + 3664: "ups-engine", + 3665: "ent-engine", + 3666: "eserver-pap", + 3667: "infoexch", + 3668: "dell-rm-port", + 3669: "casanswmgmt", + 3670: "smile", + 3671: "efcp", + 3672: "lispworks-orb", + 3673: "mediavault-gui", + 3674: "wininstall-ipc", + 3675: "calltrax", + 3676: "va-pacbase", + 3677: "roverlog", + 3678: "ipr-dglt", + 3679: "Escale (Newton Dock)", + 3680: "npds-tracker", + 3681: "bts-x73", + 3682: "cas-mapi", + 3683: "bmc-ea", + 3684: "faxstfx-port", + 3685: "dsx-agent", + 3686: "tnmpv2", + 3687: "simple-push", + 3688: "simple-push-s", + 3689: "daap", + 3690: "svn", + 3691: "magaya-network", + 3692: "intelsync", + 3693: "easl", + 3695: "bmc-data-coll", + 3696: "telnetcpcd", + 3697: "nw-license", + 3698: "sagectlpanel", + 3699: "kpn-icw", + 3700: "lrs-paging", + 3701: "netcelera", + 3702: "ws-discovery", + 3703: "adobeserver-3", + 3704: "adobeserver-4", + 3705: "adobeserver-5", + 3706: "rt-event", + 3707: "rt-event-s", + 3708: "sun-as-iiops", + 3709: "ca-idms", + 3710: "portgate-auth", + 3711: "edb-server2", + 3712: "sentinel-ent", + 3713: "tftps", + 3714: "delos-dms", + 3715: "anoto-rendezv", + 3716: "wv-csp-sms-cir", + 3717: "wv-csp-udp-cir", + 3718: "opus-services", + 3719: "itelserverport", + 3720: "ufastro-instr", + 3721: "xsync", + 3722: "xserveraid", + 3723: "sychrond", + 3724: "blizwow", + 3725: "na-er-tip", + 3726: "array-manager", + 3727: "e-mdu", + 3728: "e-woa", + 3729: "fksp-audit", + 3730: "client-ctrl", + 3731: "smap", + 3732: "m-wnn", + 3733: "multip-msg", + 3734: "synel-data", + 3735: "pwdis", + 3736: "rs-rmi", + 3737: "xpanel", + 3738: "versatalk", + 3739: "launchbird-lm", + 3740: "heartbeat", + 3741: "wysdma", + 3742: "cst-port", + 3743: "ipcs-command", + 3744: "sasg", + 3745: "gw-call-port", + 3746: "linktest", + 3747: "linktest-s", + 3748: "webdata", + 3749: "cimtrak", + 3750: "cbos-ip-port", + 3751: "gprs-cube", + 3752: "vipremoteagent", + 3753: "nattyserver", + 3754: "timestenbroker", + 3755: "sas-remote-hlp", + 3756: "canon-capt", + 3757: "grf-port", + 3758: "apw-registry", + 3759: "exapt-lmgr", + 3760: "adtempusclient", + 3761: "gsakmp", + 3762: "gbs-smp", + 3763: "xo-wave", + 3764: "mni-prot-rout", + 3765: "rtraceroute", + 3766: "sitewatch-s", + 3767: "listmgr-port", + 3768: "rblcheckd", + 3769: "haipe-otnk", + 3770: "cindycollab", + 3771: "paging-port", + 3772: "ctp", + 3773: "ctdhercules", + 3774: "zicom", + 3775: "ispmmgr", + 3776: "dvcprov-port", + 3777: "jibe-eb", + 3778: "c-h-it-port", + 3779: "cognima", + 3780: "nnp", + 3781: "abcvoice-port", + 3782: "iso-tp0s", + 3783: "bim-pem", + 3784: "bfd-control", + 3785: "bfd-echo", + 3786: "upstriggervsw", + 3787: "fintrx", + 3788: "isrp-port", + 3789: "remotedeploy", + 3790: "quickbooksrds", + 3791: "tvnetworkvideo", + 3792: "sitewatch", + 3793: "dcsoftware", + 3794: "jaus", + 3795: "myblast", + 3796: "spw-dialer", + 3797: "idps", + 3798: "minilock", + 3799: "radius-dynauth", + 3800: "pwgpsi", + 3801: "ibm-mgr", + 3802: "vhd", + 3803: "soniqsync", + 3804: "iqnet-port", + 3805: "tcpdataserver", + 3806: "wsmlb", + 3807: "spugna", + 3808: "sun-as-iiops-ca", + 3809: "apocd", + 3810: "wlanauth", + 3811: "amp", + 3812: "neto-wol-server", + 3813: "rap-ip", + 3814: "neto-dcs", + 3815: "lansurveyorxml", + 3816: "sunlps-http", + 3817: "tapeware", + 3818: "crinis-hb", + 3819: "epl-slp", + 3820: "scp", + 3821: "pmcp", + 3822: "acp-discovery", + 3823: "acp-conduit", + 3824: "acp-policy", + 3825: "ffserver", + 3826: "warmux", + 3827: "netmpi", + 3828: "neteh", + 3829: "neteh-ext", + 3830: "cernsysmgmtagt", + 3831: "dvapps", + 3832: "xxnetserver", + 3833: "aipn-auth", + 3834: "spectardata", + 3835: "spectardb", + 3836: "markem-dcp", + 3837: "mkm-discovery", + 3838: "sos", + 3839: "amx-rms", + 3840: "flirtmitmir", + 3841: "shiprush-db-svr", + 3842: "nhci", + 3843: "quest-agent", + 3844: "rnm", + 3845: "v-one-spp", + 3846: "an-pcp", + 3847: "msfw-control", + 3848: "item", + 3849: "spw-dnspreload", + 3850: "qtms-bootstrap", + 3851: "spectraport", + 3852: "sse-app-config", + 3853: "sscan", + 3854: "stryker-com", + 3855: "opentrac", + 3856: "informer", + 3857: "trap-port", + 3858: "trap-port-mom", + 3859: "nav-port", + 3860: "sasp", + 3861: "winshadow-hd", + 3862: "giga-pocket", + 3863: "asap-tcp", + 3864: "asap-tcp-tls", + 3865: "xpl", + 3866: "dzdaemon", + 3867: "dzoglserver", + 3868: "diameter", + 3869: "ovsam-mgmt", + 3870: "ovsam-d-agent", + 3871: "avocent-adsap", + 3872: "oem-agent", + 3873: "fagordnc", + 3874: "sixxsconfig", + 3875: "pnbscada", + 3876: "dl-agent", + 3877: "xmpcr-interface", + 3878: "fotogcad", + 3879: "appss-lm", + 3880: "igrs", + 3881: "idac", + 3882: "msdts1", + 3883: "vrpn", + 3884: "softrack-meter", + 3885: "topflow-ssl", + 3886: "nei-management", + 3887: "ciphire-data", + 3888: "ciphire-serv", + 3889: "dandv-tester", + 3890: "ndsconnect", + 3891: "rtc-pm-port", + 3892: "pcc-image-port", + 3893: "cgi-starapi", + 3894: "syam-agent", + 3895: "syam-smc", + 3896: "sdo-tls", + 3897: "sdo-ssh", + 3898: "senip", + 3899: "itv-control", + 3900: "udt-os", + 3901: "nimsh", + 3902: "nimaux", + 3903: "charsetmgr", + 3904: "omnilink-port", + 3905: "mupdate", + 3906: "topovista-data", + 3907: "imoguia-port", + 3908: "hppronetman", + 3909: "surfcontrolcpa", + 3910: "prnrequest", + 3911: "prnstatus", + 3912: "gbmt-stars", + 3913: "listcrt-port", + 3914: "listcrt-port-2", + 3915: "agcat", + 3916: "wysdmc", + 3917: "aftmux", + 3918: "pktcablemmcops", + 3919: "hyperip", + 3920: "exasoftport1", + 3921: "herodotus-net", + 3922: "sor-update", + 3923: "symb-sb-port", + 3924: "mpl-gprs-port", + 3925: "zmp", + 3926: "winport", + 3927: "natdataservice", + 3928: "netboot-pxe", + 3929: "smauth-port", + 3930: "syam-webserver", + 3931: "msr-plugin-port", + 3932: "dyn-site", + 3933: "plbserve-port", + 3934: "sunfm-port", + 3935: "sdp-portmapper", + 3936: "mailprox", + 3937: "dvbservdsc", + 3938: "dbcontrol-agent", + 3939: "aamp", + 3940: "xecp-node", + 3941: "homeportal-web", + 3942: "srdp", + 3943: "tig", + 3944: "sops", + 3945: "emcads", + 3946: "backupedge", + 3947: "ccp", + 3948: "apdap", + 3949: "drip", + 3950: "namemunge", + 3951: "pwgippfax", + 3952: "i3-sessionmgr", + 3953: "xmlink-connect", + 3954: "adrep", + 3955: "p2pcommunity", + 3956: "gvcp", + 3957: "mqe-broker", + 3958: "mqe-agent", + 3959: "treehopper", + 3960: "bess", + 3961: "proaxess", + 3962: "sbi-agent", + 3963: "thrp", + 3964: "sasggprs", + 3965: "ati-ip-to-ncpe", + 3966: "bflckmgr", + 3967: "ppsms", + 3968: "ianywhere-dbns", + 3969: "landmarks", + 3970: "lanrevagent", + 3971: "lanrevserver", + 3972: "iconp", + 3973: "progistics", + 3974: "citysearch", + 3975: "airshot", + 3976: "opswagent", + 3977: "opswmanager", + 3978: "secure-cfg-svr", + 3979: "smwan", + 3980: "acms", + 3981: "starfish", + 3982: "eis", + 3983: "eisp", + 3984: "mapper-nodemgr", + 3985: "mapper-mapethd", + 3986: "mapper-ws-ethd", + 3987: "centerline", + 3988: "dcs-config", + 3989: "bv-queryengine", + 3990: "bv-is", + 3991: "bv-smcsrv", + 3992: "bv-ds", + 3993: "bv-agent", + 3995: "iss-mgmt-ssl", + 3996: "abcsoftware", + 3997: "agentsease-db", + 3998: "dnx", + 3999: "nvcnet", + 4000: "terabase", + 4001: "newoak", + 4002: "pxc-spvr-ft", + 4003: "pxc-splr-ft", + 4004: "pxc-roid", + 4005: "pxc-pin", + 4006: "pxc-spvr", + 4007: "pxc-splr", + 4008: "netcheque", + 4009: "chimera-hwm", + 4010: "samsung-unidex", + 4011: "altserviceboot", + 4012: "pda-gate", + 4013: "acl-manager", + 4014: "taiclock", + 4015: "talarian-mcast1", + 4016: "talarian-mcast2", + 4017: "talarian-mcast3", + 4018: "talarian-mcast4", + 4019: "talarian-mcast5", + 4020: "trap", + 4021: "nexus-portal", + 4022: "dnox", + 4023: "esnm-zoning", + 4024: "tnp1-port", + 4025: "partimage", + 4026: "as-debug", + 4027: "bxp", + 4028: "dtserver-port", + 4029: "ip-qsig", + 4030: "jdmn-port", + 4031: "suucp", + 4032: "vrts-auth-port", + 4033: "sanavigator", + 4034: "ubxd", + 4035: "wap-push-http", + 4036: "wap-push-https", + 4037: "ravehd", + 4038: "fazzt-ptp", + 4039: "fazzt-admin", + 4040: "yo-main", + 4041: "houston", + 4042: "ldxp", + 4043: "nirp", + 4044: "ltp", + 4045: "npp", + 4046: "acp-proto", + 4047: "ctp-state", + 4049: "wafs", + 4050: "cisco-wafs", + 4051: "cppdp", + 4052: "interact", + 4053: "ccu-comm-1", + 4054: "ccu-comm-2", + 4055: "ccu-comm-3", + 4056: "lms", + 4057: "wfm", + 4058: "kingfisher", + 4059: "dlms-cosem", + 4060: "dsmeter-iatc", + 4061: "ice-location", + 4062: "ice-slocation", + 4063: "ice-router", + 4064: "ice-srouter", + 4065: "avanti-cdp", + 4066: "pmas", + 4067: "idp", + 4068: "ipfltbcst", + 4069: "minger", + 4070: "tripe", + 4071: "aibkup", + 4072: "zieto-sock", + 4073: "iRAPP", + 4074: "cequint-cityid", + 4075: "perimlan", + 4076: "seraph", + 4078: "cssp", + 4079: "santools", + 4080: "lorica-in", + 4081: "lorica-in-sec", + 4082: "lorica-out", + 4083: "lorica-out-sec", + 4085: "ezmessagesrv", + 4087: "applusservice", + 4088: "npsp", + 4089: "opencore", + 4090: "omasgport", + 4091: "ewinstaller", + 4092: "ewdgs", + 4093: "pvxpluscs", + 4094: "sysrqd", + 4095: "xtgui", + 4096: "bre", + 4097: "patrolview", + 4098: "drmsfsd", + 4099: "dpcp", + 4100: "igo-incognito", + 4101: "brlp-0", + 4102: "brlp-1", + 4103: "brlp-2", + 4104: "brlp-3", + 4105: "shofar", + 4106: "synchronite", + 4107: "j-ac", + 4108: "accel", + 4109: "izm", + 4110: "g2tag", + 4111: "xgrid", + 4112: "apple-vpns-rp", + 4113: "aipn-reg", + 4114: "jomamqmonitor", + 4115: "cds", + 4116: "smartcard-tls", + 4117: "hillrserv", + 4118: "netscript", + 4119: "assuria-slm", + 4120: "minirem", + 4121: "e-builder", + 4122: "fprams", + 4123: "z-wave", + 4124: "tigv2", + 4125: "opsview-envoy", + 4126: "ddrepl", + 4127: "unikeypro", + 4128: "nufw", + 4129: "nuauth", + 4130: "fronet", + 4131: "stars", + 4132: "nuts-dem", + 4133: "nuts-bootp", + 4134: "nifty-hmi", + 4135: "cl-db-attach", + 4136: "cl-db-request", + 4137: "cl-db-remote", + 4138: "nettest", + 4139: "thrtx", + 4140: "cedros-fds", + 4141: "oirtgsvc", + 4142: "oidocsvc", + 4143: "oidsr", + 4145: "vvr-control", + 4146: "tgcconnect", + 4147: "vrxpservman", + 4148: "hhb-handheld", + 4149: "agslb", + 4150: "PowerAlert-nsa", + 4151: "menandmice-noh", + 4152: "idig-mux", + 4153: "mbl-battd", + 4154: "atlinks", + 4155: "bzr", + 4156: "stat-results", + 4157: "stat-scanner", + 4158: "stat-cc", + 4159: "nss", + 4160: "jini-discovery", + 4161: "omscontact", + 4162: "omstopology", + 4163: "silverpeakpeer", + 4164: "silverpeakcomm", + 4165: "altcp", + 4166: "joost", + 4167: "ddgn", + 4168: "pslicser", + 4169: "iadt", + 4170: "d-cinema-csp", + 4171: "ml-svnet", + 4172: "pcoip", + 4174: "smcluster", + 4175: "bccp", + 4176: "tl-ipcproxy", + 4177: "wello", + 4178: "storman", + 4179: "MaxumSP", + 4180: "httpx", + 4181: "macbak", + 4182: "pcptcpservice", + 4183: "cyborgnet", + 4184: "universe-suite", + 4185: "wcpp", + 4186: "boxbackupstore", + 4187: "csc-proxy", + 4188: "vatata", + 4189: "pcep", + 4190: "sieve", + 4192: "azeti", + 4193: "pvxplusio", + 4197: "hctl", + 4199: "eims-admin", + 4300: "corelccam", + 4301: "d-data", + 4302: "d-data-control", + 4303: "srcp", + 4304: "owserver", + 4305: "batman", + 4306: "pinghgl", + 4307: "trueconf", + 4308: "compx-lockview", + 4309: "dserver", + 4310: "mirrtex", + 4311: "p6ssmc", + 4312: "pscl-mgt", + 4313: "perrla", + 4314: "choiceview-agt", + 4316: "choiceview-clt", + 4320: "fdt-rcatp", + 4321: "rwhois", + 4322: "trim-event", + 4323: "trim-ice", + 4325: "geognosisman", + 4326: "geognosis", + 4327: "jaxer-web", + 4328: "jaxer-manager", + 4329: "publiqare-sync", + 4330: "dey-sapi", + 4331: "ktickets-rest", + 4333: "ahsp", + 4334: "netconf-ch-ssh", + 4335: "netconf-ch-tls", + 4336: "restconf-ch-tls", + 4340: "gaia", + 4341: "lisp-data", + 4342: "lisp-cons", + 4343: "unicall", + 4344: "vinainstall", + 4345: "m4-network-as", + 4346: "elanlm", + 4347: "lansurveyor", + 4348: "itose", + 4349: "fsportmap", + 4350: "net-device", + 4351: "plcy-net-svcs", + 4352: "pjlink", + 4353: "f5-iquery", + 4354: "qsnet-trans", + 4355: "qsnet-workst", + 4356: "qsnet-assist", + 4357: "qsnet-cond", + 4358: "qsnet-nucl", + 4359: "omabcastltkm", + 4360: "matrix-vnet", + 4368: "wxbrief", + 4369: "epmd", + 4370: "elpro-tunnel", + 4371: "l2c-control", + 4372: "l2c-data", + 4373: "remctl", + 4374: "psi-ptt", + 4375: "tolteces", + 4376: "bip", + 4377: "cp-spxsvr", + 4378: "cp-spxdpy", + 4379: "ctdb", + 4389: "xandros-cms", + 4390: "wiegand", + 4391: "apwi-imserver", + 4392: "apwi-rxserver", + 4393: "apwi-rxspooler", + 4395: "omnivisionesx", + 4396: "fly", + 4400: "ds-srv", + 4401: "ds-srvr", + 4402: "ds-clnt", + 4403: "ds-user", + 4404: "ds-admin", + 4405: "ds-mail", + 4406: "ds-slp", + 4407: "nacagent", + 4408: "slscc", + 4409: "netcabinet-com", + 4410: "itwo-server", + 4411: "found", + 4413: "avi-nms", + 4414: "updog", + 4415: "brcd-vr-req", + 4416: "pjj-player", + 4417: "workflowdir", + 4419: "cbp", + 4420: "nvm-express", + 4421: "scaleft", + 4422: "tsepisp", + 4423: "thingkit", + 4425: "netrockey6", + 4426: "beacon-port-2", + 4427: "drizzle", + 4428: "omviserver", + 4429: "omviagent", + 4430: "rsqlserver", + 4431: "wspipe", + 4432: "l-acoustics", + 4433: "vop", + 4442: "saris", + 4443: "pharos", + 4444: "krb524", + 4445: "upnotifyp", + 4446: "n1-fwp", + 4447: "n1-rmgmt", + 4448: "asc-slmd", + 4449: "privatewire", + 4450: "camp", + 4451: "ctisystemmsg", + 4452: "ctiprogramload", + 4453: "nssalertmgr", + 4454: "nssagentmgr", + 4455: "prchat-user", + 4456: "prchat-server", + 4457: "prRegister", + 4458: "mcp", + 4484: "hpssmgmt", + 4485: "assyst-dr", + 4486: "icms", + 4487: "prex-tcp", + 4488: "awacs-ice", + 4500: "ipsec-nat-t", + 4535: "ehs", + 4536: "ehs-ssl", + 4537: "wssauthsvc", + 4538: "swx-gate", + 4545: "worldscores", + 4546: "sf-lm", + 4547: "lanner-lm", + 4548: "synchromesh", + 4549: "aegate", + 4550: "gds-adppiw-db", + 4551: "ieee-mih", + 4552: "menandmice-mon", + 4553: "icshostsvc", + 4554: "msfrs", + 4555: "rsip", + 4556: "dtn-bundle", + 4559: "hylafax", + 4563: "amahi-anywhere", + 4566: "kwtc", + 4567: "tram", + 4568: "bmc-reporting", + 4569: "iax", + 4570: "deploymentmap", + 4573: "cardifftec-back", + 4590: "rid", + 4591: "l3t-at-an", + 4593: "ipt-anri-anri", + 4594: "ias-session", + 4595: "ias-paging", + 4596: "ias-neighbor", + 4597: "a21-an-1xbs", + 4598: "a16-an-an", + 4599: "a17-an-an", + 4600: "piranha1", + 4601: "piranha2", + 4602: "mtsserver", + 4603: "menandmice-upg", + 4604: "irp", + 4605: "sixchat", + 4658: "playsta2-app", + 4659: "playsta2-lob", + 4660: "smaclmgr", + 4661: "kar2ouche", + 4662: "oms", + 4663: "noteit", + 4664: "ems", + 4665: "contclientms", + 4666: "eportcomm", + 4667: "mmacomm", + 4668: "mmaeds", + 4669: "eportcommdata", + 4670: "light", + 4671: "acter", + 4672: "rfa", + 4673: "cxws", + 4674: "appiq-mgmt", + 4675: "dhct-status", + 4676: "dhct-alerts", + 4677: "bcs", + 4678: "traversal", + 4679: "mgesupervision", + 4680: "mgemanagement", + 4681: "parliant", + 4682: "finisar", + 4683: "spike", + 4684: "rfid-rp1", + 4685: "autopac", + 4686: "msp-os", + 4687: "nst", + 4688: "mobile-p2p", + 4689: "altovacentral", + 4690: "prelude", + 4691: "mtn", + 4692: "conspiracy", + 4700: "netxms-agent", + 4701: "netxms-mgmt", + 4702: "netxms-sync", + 4703: "npqes-test", + 4704: "assuria-ins", + 4711: "trinity-dist", + 4725: "truckstar", + 4727: "fcis", + 4728: "capmux", + 4730: "gearman", + 4731: "remcap", + 4733: "resorcs", + 4737: "ipdr-sp", + 4738: "solera-lpn", + 4739: "ipfix", + 4740: "ipfixs", + 4741: "lumimgrd", + 4742: "sicct", + 4743: "openhpid", + 4744: "ifsp", + 4745: "fmp", + 4749: "profilemac", + 4750: "ssad", + 4751: "spocp", + 4752: "snap", + 4753: "simon", + 4756: "RDCenter", + 4774: "converge", + 4784: "bfd-multi-ctl", + 4786: "smart-install", + 4787: "sia-ctrl-plane", + 4788: "xmcp", + 4800: "iims", + 4801: "iwec", + 4802: "ilss", + 4803: "notateit", + 4827: "htcp", + 4837: "varadero-0", + 4838: "varadero-1", + 4839: "varadero-2", + 4840: "opcua-tcp", + 4841: "quosa", + 4842: "gw-asv", + 4843: "opcua-tls", + 4844: "gw-log", + 4845: "wcr-remlib", + 4846: "contamac-icm", + 4847: "wfc", + 4848: "appserv-http", + 4849: "appserv-https", + 4850: "sun-as-nodeagt", + 4851: "derby-repli", + 4867: "unify-debug", + 4868: "phrelay", + 4869: "phrelaydbg", + 4870: "cc-tracking", + 4871: "wired", + 4876: "tritium-can", + 4877: "lmcs", + 4879: "wsdl-event", + 4880: "hislip", + 4883: "wmlserver", + 4884: "hivestor", + 4885: "abbs", + 4894: "lyskom", + 4899: "radmin-port", + 4900: "hfcs", + 4901: "flr-agent", + 4902: "magiccontrol", + 4912: "lutap", + 4913: "lutcp", + 4914: "bones", + 4915: "frcs", + 4940: "eq-office-4940", + 4941: "eq-office-4941", + 4942: "eq-office-4942", + 4949: "munin", + 4950: "sybasesrvmon", + 4951: "pwgwims", + 4952: "sagxtsds", + 4953: "dbsyncarbiter", + 4969: "ccss-qmm", + 4970: "ccss-qsm", + 4971: "burp", + 4984: "webyast", + 4985: "gerhcs", + 4986: "mrip", + 4987: "smar-se-port1", + 4988: "smar-se-port2", + 4989: "parallel", + 4990: "busycal", + 4991: "vrt", + 4999: "hfcs-manager", + 5000: "commplex-main", + 5001: "commplex-link", + 5002: "rfe", + 5003: "fmpro-internal", + 5004: "avt-profile-1", + 5005: "avt-profile-2", + 5006: "wsm-server", + 5007: "wsm-server-ssl", + 5008: "synapsis-edge", + 5009: "winfs", + 5010: "telelpathstart", + 5011: "telelpathattack", + 5012: "nsp", + 5013: "fmpro-v6", + 5015: "fmwp", + 5020: "zenginkyo-1", + 5021: "zenginkyo-2", + 5022: "mice", + 5023: "htuilsrv", + 5024: "scpi-telnet", + 5025: "scpi-raw", + 5026: "strexec-d", + 5027: "strexec-s", + 5028: "qvr", + 5029: "infobright", + 5030: "surfpass", + 5032: "signacert-agent", + 5033: "jtnetd-server", + 5034: "jtnetd-status", + 5042: "asnaacceler8db", + 5043: "swxadmin", + 5044: "lxi-evntsvc", + 5045: "osp", + 5048: "texai", + 5049: "ivocalize", + 5050: "mmcc", + 5051: "ita-agent", + 5052: "ita-manager", + 5053: "rlm", + 5054: "rlm-admin", + 5055: "unot", + 5056: "intecom-ps1", + 5057: "intecom-ps2", + 5059: "sds", + 5060: "sip", + 5061: "sips", + 5062: "na-localise", + 5063: "csrpc", + 5064: "ca-1", + 5065: "ca-2", + 5066: "stanag-5066", + 5067: "authentx", + 5068: "bitforestsrv", + 5069: "i-net-2000-npr", + 5070: "vtsas", + 5071: "powerschool", + 5072: "ayiya", + 5073: "tag-pm", + 5074: "alesquery", + 5075: "pvaccess", + 5080: "onscreen", + 5081: "sdl-ets", + 5082: "qcp", + 5083: "qfp", + 5084: "llrp", + 5085: "encrypted-llrp", + 5086: "aprigo-cs", + 5087: "biotic", + 5093: "sentinel-lm", + 5094: "hart-ip", + 5099: "sentlm-srv2srv", + 5100: "socalia", + 5101: "talarian-tcp", + 5102: "oms-nonsecure", + 5103: "actifio-c2c", + 5106: "actifioudsagent", + 5107: "actifioreplic", + 5111: "taep-as-svc", + 5112: "pm-cmdsvr", + 5114: "ev-services", + 5115: "autobuild", + 5117: "gradecam", + 5120: "barracuda-bbs", + 5133: "nbt-pc", + 5134: "ppactivation", + 5135: "erp-scale", + 5137: "ctsd", + 5145: "rmonitor-secure", + 5146: "social-alarm", + 5150: "atmp", + 5151: "esri-sde", + 5152: "sde-discovery", + 5153: "toruxserver", + 5154: "bzflag", + 5155: "asctrl-agent", + 5156: "rugameonline", + 5157: "mediat", + 5161: "snmpssh", + 5162: "snmpssh-trap", + 5163: "sbackup", + 5164: "vpa", + 5165: "ife-icorp", + 5166: "winpcs", + 5167: "scte104", + 5168: "scte30", + 5172: "pcoip-mgmt", + 5190: "aol", + 5191: "aol-1", + 5192: "aol-2", + 5193: "aol-3", + 5194: "cpscomm", + 5195: "ampl-lic", + 5196: "ampl-tableproxy", + 5197: "tunstall-lwp", + 5200: "targus-getdata", + 5201: "targus-getdata1", + 5202: "targus-getdata2", + 5203: "targus-getdata3", + 5209: "nomad", + 5215: "noteza", + 5221: "3exmp", + 5222: "xmpp-client", + 5223: "hpvirtgrp", + 5224: "hpvirtctrl", + 5225: "hp-server", + 5226: "hp-status", + 5227: "perfd", + 5228: "hpvroom", + 5229: "jaxflow", + 5230: "jaxflow-data", + 5231: "crusecontrol", + 5232: "csedaemon", + 5233: "enfs", + 5234: "eenet", + 5235: "galaxy-network", + 5236: "padl2sim", + 5237: "mnet-discovery", + 5245: "downtools", + 5248: "caacws", + 5249: "caaclang2", + 5250: "soagateway", + 5251: "caevms", + 5252: "movaz-ssc", + 5253: "kpdp", + 5254: "logcabin", + 5264: "3com-njack-1", + 5265: "3com-njack-2", + 5269: "xmpp-server", + 5270: "cartographerxmp", + 5271: "cuelink", + 5272: "pk", + 5280: "xmpp-bosh", + 5281: "undo-lm", + 5282: "transmit-port", + 5298: "presence", + 5299: "nlg-data", + 5300: "hacl-hb", + 5301: "hacl-gs", + 5302: "hacl-cfg", + 5303: "hacl-probe", + 5304: "hacl-local", + 5305: "hacl-test", + 5306: "sun-mc-grp", + 5307: "sco-aip", + 5308: "cfengine", + 5309: "jprinter", + 5310: "outlaws", + 5312: "permabit-cs", + 5313: "rrdp", + 5314: "opalis-rbt-ipc", + 5315: "hacl-poll", + 5316: "hpbladems", + 5317: "hpdevms", + 5318: "pkix-cmc", + 5320: "bsfserver-zn", + 5321: "bsfsvr-zn-ssl", + 5343: "kfserver", + 5344: "xkotodrcp", + 5349: "stuns", + 5352: "dns-llq", + 5353: "mdns", + 5354: "mdnsresponder", + 5355: "llmnr", + 5356: "ms-smlbiz", + 5357: "wsdapi", + 5358: "wsdapi-s", + 5359: "ms-alerter", + 5360: "ms-sideshow", + 5361: "ms-s-sideshow", + 5362: "serverwsd2", + 5363: "net-projection", + 5397: "stresstester", + 5398: "elektron-admin", + 5399: "securitychase", + 5400: "excerpt", + 5401: "excerpts", + 5402: "mftp", + 5403: "hpoms-ci-lstn", + 5404: "hpoms-dps-lstn", + 5405: "netsupport", + 5406: "systemics-sox", + 5407: "foresyte-clear", + 5408: "foresyte-sec", + 5409: "salient-dtasrv", + 5410: "salient-usrmgr", + 5411: "actnet", + 5412: "continuus", + 5413: "wwiotalk", + 5414: "statusd", + 5415: "ns-server", + 5416: "sns-gateway", + 5417: "sns-agent", + 5418: "mcntp", + 5419: "dj-ice", + 5420: "cylink-c", + 5421: "netsupport2", + 5422: "salient-mux", + 5423: "virtualuser", + 5424: "beyond-remote", + 5425: "br-channel", + 5426: "devbasic", + 5427: "sco-peer-tta", + 5428: "telaconsole", + 5429: "base", + 5430: "radec-corp", + 5431: "park-agent", + 5432: "postgresql", + 5433: "pyrrho", + 5434: "sgi-arrayd", + 5435: "sceanics", + 5443: "spss", + 5445: "smbdirect", + 5450: "tiepie", + 5453: "surebox", + 5454: "apc-5454", + 5455: "apc-5455", + 5456: "apc-5456", + 5461: "silkmeter", + 5462: "ttl-publisher", + 5463: "ttlpriceproxy", + 5464: "quailnet", + 5465: "netops-broker", + 5470: "apsolab-col", + 5471: "apsolab-cols", + 5472: "apsolab-tag", + 5473: "apsolab-tags", + 5475: "apsolab-data", + 5500: "fcp-addr-srvr1", + 5501: "fcp-addr-srvr2", + 5502: "fcp-srvr-inst1", + 5503: "fcp-srvr-inst2", + 5504: "fcp-cics-gw1", + 5505: "checkoutdb", + 5506: "amc", + 5507: "psl-management", + 5550: "cbus", + 5553: "sgi-eventmond", + 5554: "sgi-esphttp", + 5555: "personal-agent", + 5556: "freeciv", + 5557: "farenet", + 5565: "hpe-dp-bura", + 5566: "westec-connect", + 5567: "dof-dps-mc-sec", + 5568: "sdt", + 5569: "rdmnet-ctrl", + 5573: "sdmmp", + 5574: "lsi-bobcat", + 5575: "ora-oap", + 5579: "fdtracks", + 5580: "tmosms0", + 5581: "tmosms1", + 5582: "fac-restore", + 5583: "tmo-icon-sync", + 5584: "bis-web", + 5585: "bis-sync", + 5586: "att-mt-sms", + 5597: "ininmessaging", + 5598: "mctfeed", + 5599: "esinstall", + 5600: "esmmanager", + 5601: "esmagent", + 5602: "a1-msc", + 5603: "a1-bs", + 5604: "a3-sdunode", + 5605: "a4-sdunode", + 5618: "efr", + 5627: "ninaf", + 5628: "htrust", + 5629: "symantec-sfdb", + 5630: "precise-comm", + 5631: "pcanywheredata", + 5632: "pcanywherestat", + 5633: "beorl", + 5634: "xprtld", + 5635: "sfmsso", + 5636: "sfm-db-server", + 5637: "cssc", + 5638: "flcrs", + 5639: "ics", + 5646: "vfmobile", + 5666: "nrpe", + 5670: "filemq", + 5671: "amqps", + 5672: "amqp", + 5673: "jms", + 5674: "hyperscsi-port", + 5675: "v5ua", + 5676: "raadmin", + 5677: "questdb2-lnchr", + 5678: "rrac", + 5679: "dccm", + 5680: "auriga-router", + 5681: "ncxcp", + 5688: "ggz", + 5689: "qmvideo", + 5693: "rbsystem", + 5696: "kmip", + 5700: "supportassist", + 5705: "storageos", + 5713: "proshareaudio", + 5714: "prosharevideo", + 5715: "prosharedata", + 5716: "prosharerequest", + 5717: "prosharenotify", + 5718: "dpm", + 5719: "dpm-agent", + 5720: "ms-licensing", + 5721: "dtpt", + 5722: "msdfsr", + 5723: "omhs", + 5724: "omsdk", + 5725: "ms-ilm", + 5726: "ms-ilm-sts", + 5727: "asgenf", + 5728: "io-dist-data", + 5729: "openmail", + 5730: "unieng", + 5741: "ida-discover1", + 5742: "ida-discover2", + 5743: "watchdoc-pod", + 5744: "watchdoc", + 5745: "fcopy-server", + 5746: "fcopys-server", + 5747: "tunatic", + 5748: "tunalyzer", + 5750: "rscd", + 5755: "openmailg", + 5757: "x500ms", + 5766: "openmailns", + 5767: "s-openmail", + 5768: "openmailpxy", + 5769: "spramsca", + 5770: "spramsd", + 5771: "netagent", + 5777: "dali-port", + 5780: "vts-rpc", + 5781: "3par-evts", + 5782: "3par-mgmt", + 5783: "3par-mgmt-ssl", + 5785: "3par-rcopy", + 5793: "xtreamx", + 5813: "icmpd", + 5814: "spt-automation", + 5841: "shiprush-d-ch", + 5842: "reversion", + 5859: "wherehoo", + 5863: "ppsuitemsg", + 5868: "diameters", + 5883: "jute", + 5900: "rfb", + 5910: "cm", + 5911: "cpdlc", + 5912: "fis", + 5913: "ads-c", + 5963: "indy", + 5968: "mppolicy-v5", + 5969: "mppolicy-mgr", + 5984: "couchdb", + 5985: "wsman", + 5986: "wsmans", + 5987: "wbem-rmi", + 5988: "wbem-http", + 5989: "wbem-https", + 5990: "wbem-exp-https", + 5991: "nuxsl", + 5992: "consul-insight", + 5993: "cim-rs", + 5999: "cvsup", + 6064: "ndl-ahp-svc", + 6065: "winpharaoh", + 6066: "ewctsp", + 6068: "gsmp-ancp", + 6069: "trip", + 6070: "messageasap", + 6071: "ssdtp", + 6072: "diagnose-proc", + 6073: "directplay8", + 6074: "max", + 6075: "dpm-acm", + 6076: "msft-dpm-cert", + 6077: "iconstructsrv", + 6084: "reload-config", + 6085: "konspire2b", + 6086: "pdtp", + 6087: "ldss", + 6088: "doglms", + 6099: "raxa-mgmt", + 6100: "synchronet-db", + 6101: "synchronet-rtc", + 6102: "synchronet-upd", + 6103: "rets", + 6104: "dbdb", + 6105: "primaserver", + 6106: "mpsserver", + 6107: "etc-control", + 6108: "sercomm-scadmin", + 6109: "globecast-id", + 6110: "softcm", + 6111: "spc", + 6112: "dtspcd", + 6113: "dayliteserver", + 6114: "wrspice", + 6115: "xic", + 6116: "xtlserv", + 6117: "daylitetouch", + 6121: "spdy", + 6122: "bex-webadmin", + 6123: "backup-express", + 6124: "pnbs", + 6130: "damewaremobgtwy", + 6133: "nbt-wol", + 6140: "pulsonixnls", + 6141: "meta-corp", + 6142: "aspentec-lm", + 6143: "watershed-lm", + 6144: "statsci1-lm", + 6145: "statsci2-lm", + 6146: "lonewolf-lm", + 6147: "montage-lm", + 6148: "ricardo-lm", + 6149: "tal-pod", + 6159: "efb-aci", + 6160: "ecmp", + 6161: "patrol-ism", + 6162: "patrol-coll", + 6163: "pscribe", + 6200: "lm-x", + 6209: "qmtps", + 6222: "radmind", + 6241: "jeol-nsdtp-1", + 6242: "jeol-nsdtp-2", + 6243: "jeol-nsdtp-3", + 6244: "jeol-nsdtp-4", + 6251: "tl1-raw-ssl", + 6252: "tl1-ssh", + 6253: "crip", + 6267: "gld", + 6268: "grid", + 6269: "grid-alt", + 6300: "bmc-grx", + 6301: "bmc-ctd-ldap", + 6306: "ufmp", + 6315: "scup", + 6316: "abb-escp", + 6317: "nav-data-cmd", + 6320: "repsvc", + 6321: "emp-server1", + 6322: "emp-server2", + 6324: "hrd-ncs", + 6325: "dt-mgmtsvc", + 6326: "dt-vra", + 6343: "sflow", + 6344: "streletz", + 6346: "gnutella-svc", + 6347: "gnutella-rtr", + 6350: "adap", + 6355: "pmcs", + 6360: "metaedit-mu", + 6370: "metaedit-se", + 6379: "redis", + 6382: "metatude-mds", + 6389: "clariion-evr01", + 6390: "metaedit-ws", + 6417: "faxcomservice", + 6418: "syserverremote", + 6419: "svdrp", + 6420: "nim-vdrshell", + 6421: "nim-wan", + 6432: "pgbouncer", + 6442: "tarp", + 6443: "sun-sr-https", + 6444: "sge-qmaster", + 6445: "sge-execd", + 6446: "mysql-proxy", + 6455: "skip-cert-recv", + 6456: "skip-cert-send", + 6464: "ieee11073-20701", + 6471: "lvision-lm", + 6480: "sun-sr-http", + 6481: "servicetags", + 6482: "ldoms-mgmt", + 6483: "SunVTS-RMI", + 6484: "sun-sr-jms", + 6485: "sun-sr-iiop", + 6486: "sun-sr-iiops", + 6487: "sun-sr-iiop-aut", + 6488: "sun-sr-jmx", + 6489: "sun-sr-admin", + 6500: "boks", + 6501: "boks-servc", + 6502: "boks-servm", + 6503: "boks-clntd", + 6505: "badm-priv", + 6506: "badm-pub", + 6507: "bdir-priv", + 6508: "bdir-pub", + 6509: "mgcs-mfp-port", + 6510: "mcer-port", + 6513: "netconf-tls", + 6514: "syslog-tls", + 6515: "elipse-rec", + 6543: "lds-distrib", + 6544: "lds-dump", + 6547: "apc-6547", + 6548: "apc-6548", + 6549: "apc-6549", + 6550: "fg-sysupdate", + 6551: "sum", + 6558: "xdsxdm", + 6566: "sane-port", + 6568: "canit-store", + 6579: "affiliate", + 6580: "parsec-master", + 6581: "parsec-peer", + 6582: "parsec-game", + 6583: "joaJewelSuite", + 6600: "mshvlm", + 6601: "mstmg-sstp", + 6602: "wsscomfrmwk", + 6619: "odette-ftps", + 6620: "kftp-data", + 6621: "kftp", + 6622: "mcftp", + 6623: "ktelnet", + 6624: "datascaler-db", + 6625: "datascaler-ctl", + 6626: "wago-service", + 6627: "nexgen", + 6628: "afesc-mc", + 6629: "nexgen-aux", + 6632: "mxodbc-connect", + 6640: "ovsdb", + 6653: "openflow", + 6655: "pcs-sf-ui-man", + 6656: "emgmsg", + 6670: "vocaltec-gold", + 6671: "p4p-portal", + 6672: "vision-server", + 6673: "vision-elmd", + 6678: "vfbp", + 6679: "osaut", + 6687: "clever-ctrace", + 6688: "clever-tcpip", + 6689: "tsa", + 6690: "cleverdetect", + 6697: "ircs-u", + 6701: "kti-icad-srvr", + 6702: "e-design-net", + 6703: "e-design-web", + 6714: "ibprotocol", + 6715: "fibotrader-com", + 6716: "princity-agent", + 6767: "bmc-perf-agent", + 6768: "bmc-perf-mgrd", + 6769: "adi-gxp-srvprt", + 6770: "plysrv-http", + 6771: "plysrv-https", + 6777: "ntz-tracker", + 6778: "ntz-p2p-storage", + 6785: "dgpf-exchg", + 6786: "smc-jmx", + 6787: "smc-admin", + 6788: "smc-http", + 6789: "radg", + 6790: "hnmp", + 6791: "hnm", + 6801: "acnet", + 6817: "pentbox-sim", + 6831: "ambit-lm", + 6841: "netmo-default", + 6842: "netmo-http", + 6850: "iccrushmore", + 6868: "acctopus-cc", + 6888: "muse", + 6900: "rtimeviewer", + 6901: "jetstream", + 6935: "ethoscan", + 6936: "xsmsvc", + 6946: "bioserver", + 6951: "otlp", + 6961: "jmact3", + 6962: "jmevt2", + 6963: "swismgr1", + 6964: "swismgr2", + 6965: "swistrap", + 6966: "swispol", + 6969: "acmsoda", + 6970: "conductor", + 6997: "MobilitySrv", + 6998: "iatp-highpri", + 6999: "iatp-normalpri", + 7000: "afs3-fileserver", + 7001: "afs3-callback", + 7002: "afs3-prserver", + 7003: "afs3-vlserver", + 7004: "afs3-kaserver", + 7005: "afs3-volser", + 7006: "afs3-errors", + 7007: "afs3-bos", + 7008: "afs3-update", + 7009: "afs3-rmtsys", + 7010: "ups-onlinet", + 7011: "talon-disc", + 7012: "talon-engine", + 7013: "microtalon-dis", + 7014: "microtalon-com", + 7015: "talon-webserver", + 7016: "spg", + 7017: "grasp", + 7018: "fisa-svc", + 7019: "doceri-ctl", + 7020: "dpserve", + 7021: "dpserveadmin", + 7022: "ctdp", + 7023: "ct2nmcs", + 7024: "vmsvc", + 7025: "vmsvc-2", + 7030: "op-probe", + 7031: "iposplanet", + 7070: "arcp", + 7071: "iwg1", + 7073: "martalk", + 7080: "empowerid", + 7099: "lazy-ptop", + 7100: "font-service", + 7101: "elcn", + 7117: "rothaga", + 7121: "virprot-lm", + 7128: "scenidm", + 7129: "scenccs", + 7161: "cabsm-comm", + 7162: "caistoragemgr", + 7163: "cacsambroker", + 7164: "fsr", + 7165: "doc-server", + 7166: "aruba-server", + 7167: "casrmagent", + 7168: "cnckadserver", + 7169: "ccag-pib", + 7170: "nsrp", + 7171: "drm-production", + 7172: "metalbend", + 7173: "zsecure", + 7174: "clutild", + 7200: "fodms", + 7201: "dlip", + 7202: "pon-ictp", + 7215: "PS-Server", + 7216: "PS-Capture-Pro", + 7227: "ramp", + 7228: "citrixupp", + 7229: "citrixuppg", + 7236: "display", + 7237: "pads", + 7244: "frc-hicp", + 7262: "cnap", + 7272: "watchme-7272", + 7273: "oma-rlp", + 7274: "oma-rlp-s", + 7275: "oma-ulp", + 7276: "oma-ilp", + 7277: "oma-ilp-s", + 7278: "oma-dcdocbs", + 7279: "ctxlic", + 7280: "itactionserver1", + 7281: "itactionserver2", + 7282: "mzca-action", + 7283: "genstat", + 7365: "lcm-server", + 7391: "mindfilesys", + 7392: "mrssrendezvous", + 7393: "nfoldman", + 7394: "fse", + 7395: "winqedit", + 7397: "hexarc", + 7400: "rtps-discovery", + 7401: "rtps-dd-ut", + 7402: "rtps-dd-mt", + 7410: "ionixnetmon", + 7411: "daqstream", + 7421: "mtportmon", + 7426: "pmdmgr", + 7427: "oveadmgr", + 7428: "ovladmgr", + 7429: "opi-sock", + 7430: "xmpv7", + 7431: "pmd", + 7437: "faximum", + 7443: "oracleas-https", + 7471: "sttunnel", + 7473: "rise", + 7474: "neo4j", + 7478: "openit", + 7491: "telops-lmd", + 7500: "silhouette", + 7501: "ovbus", + 7508: "adcp", + 7509: "acplt", + 7510: "ovhpas", + 7511: "pafec-lm", + 7542: "saratoga", + 7543: "atul", + 7544: "nta-ds", + 7545: "nta-us", + 7546: "cfs", + 7547: "cwmp", + 7548: "tidp", + 7549: "nls-tl", + 7551: "controlone-con", + 7560: "sncp", + 7563: "cfw", + 7566: "vsi-omega", + 7569: "dell-eql-asm", + 7570: "aries-kfinder", + 7574: "coherence", + 7588: "sun-lm", + 7606: "mipi-debug", + 7624: "indi", + 7626: "simco", + 7627: "soap-http", + 7628: "zen-pawn", + 7629: "xdas", + 7630: "hawk", + 7631: "tesla-sys-msg", + 7633: "pmdfmgt", + 7648: "cuseeme", + 7672: "imqstomp", + 7673: "imqstomps", + 7674: "imqtunnels", + 7675: "imqtunnel", + 7676: "imqbrokerd", + 7677: "sun-user-https", + 7680: "pando-pub", + 7683: "dmt", + 7687: "bolt", + 7689: "collaber", + 7697: "klio", + 7700: "em7-secom", + 7707: "sync-em7", + 7708: "scinet", + 7720: "medimageportal", + 7724: "nsdeepfreezectl", + 7725: "nitrogen", + 7726: "freezexservice", + 7727: "trident-data", + 7728: "osvr", + 7734: "smip", + 7738: "aiagent", + 7741: "scriptview", + 7742: "msss", + 7743: "sstp-1", + 7744: "raqmon-pdu", + 7747: "prgp", + 7775: "inetfs", + 7777: "cbt", + 7778: "interwise", + 7779: "vstat", + 7781: "accu-lmgr", + 7786: "minivend", + 7787: "popup-reminders", + 7789: "office-tools", + 7794: "q3ade", + 7797: "pnet-conn", + 7798: "pnet-enc", + 7799: "altbsdp", + 7800: "asr", + 7801: "ssp-client", + 7810: "rbt-wanopt", + 7845: "apc-7845", + 7846: "apc-7846", + 7847: "csoauth", + 7869: "mobileanalyzer", + 7870: "rbt-smc", + 7871: "mdm", + 7878: "owms", + 7880: "pss", + 7887: "ubroker", + 7900: "mevent", + 7901: "tnos-sp", + 7902: "tnos-dp", + 7903: "tnos-dps", + 7913: "qo-secure", + 7932: "t2-drm", + 7933: "t2-brm", + 7962: "generalsync", + 7967: "supercell", + 7979: "micromuse-ncps", + 7980: "quest-vista", + 7981: "sossd-collect", + 7982: "sossd-agent", + 7997: "pushns", + 7999: "irdmi2", + 8000: "irdmi", + 8001: "vcom-tunnel", + 8002: "teradataordbms", + 8003: "mcreport", + 8005: "mxi", + 8006: "wpl-analytics", + 8007: "warppipe", + 8008: "http-alt", + 8019: "qbdb", + 8020: "intu-ec-svcdisc", + 8021: "intu-ec-client", + 8022: "oa-system", + 8025: "ca-audit-da", + 8026: "ca-audit-ds", + 8032: "pro-ed", + 8033: "mindprint", + 8034: "vantronix-mgmt", + 8040: "ampify", + 8041: "enguity-xccetp", + 8042: "fs-agent", + 8043: "fs-server", + 8044: "fs-mgmt", + 8051: "rocrail", + 8052: "senomix01", + 8053: "senomix02", + 8054: "senomix03", + 8055: "senomix04", + 8056: "senomix05", + 8057: "senomix06", + 8058: "senomix07", + 8059: "senomix08", + 8066: "toad-bi-appsrvr", + 8067: "infi-async", + 8070: "ucs-isc", + 8074: "gadugadu", + 8077: "mles", + 8080: "http-alt", + 8081: "sunproxyadmin", + 8082: "us-cli", + 8083: "us-srv", + 8086: "d-s-n", + 8087: "simplifymedia", + 8088: "radan-http", + 8090: "opsmessaging", + 8091: "jamlink", + 8097: "sac", + 8100: "xprint-server", + 8101: "ldoms-migr", + 8102: "kz-migr", + 8115: "mtl8000-matrix", + 8116: "cp-cluster", + 8117: "purityrpc", + 8118: "privoxy", + 8121: "apollo-data", + 8122: "apollo-admin", + 8128: "paycash-online", + 8129: "paycash-wbp", + 8130: "indigo-vrmi", + 8131: "indigo-vbcp", + 8132: "dbabble", + 8140: "puppet", + 8148: "isdd", + 8153: "quantastor", + 8160: "patrol", + 8161: "patrol-snmp", + 8162: "lpar2rrd", + 8181: "intermapper", + 8182: "vmware-fdm", + 8183: "proremote", + 8184: "itach", + 8190: "gcp-rphy", + 8191: "limnerpressure", + 8192: "spytechphone", + 8194: "blp1", + 8195: "blp2", + 8199: "vvr-data", + 8200: "trivnet1", + 8201: "trivnet2", + 8204: "lm-perfworks", + 8205: "lm-instmgr", + 8206: "lm-dta", + 8207: "lm-sserver", + 8208: "lm-webwatcher", + 8230: "rexecj", + 8243: "synapse-nhttps", + 8270: "robot-remote", + 8276: "pando-sec", + 8280: "synapse-nhttp", + 8282: "libelle", + 8292: "blp3", + 8293: "hiperscan-id", + 8294: "blp4", + 8300: "tmi", + 8301: "amberon", + 8313: "hub-open-net", + 8320: "tnp-discover", + 8321: "tnp", + 8322: "garmin-marine", + 8351: "server-find", + 8376: "cruise-enum", + 8377: "cruise-swroute", + 8378: "cruise-config", + 8379: "cruise-diags", + 8380: "cruise-update", + 8383: "m2mservices", + 8400: "cvd", + 8401: "sabarsd", + 8402: "abarsd", + 8403: "admind", + 8404: "svcloud", + 8405: "svbackup", + 8415: "dlpx-sp", + 8416: "espeech", + 8417: "espeech-rtp", + 8423: "aritts", + 8442: "cybro-a-bus", + 8443: "pcsync-https", + 8444: "pcsync-http", + 8445: "copy", + 8450: "npmp", + 8457: "nexentamv", + 8470: "cisco-avp", + 8471: "pim-port", + 8472: "otv", + 8473: "vp2p", + 8474: "noteshare", + 8500: "fmtp", + 8501: "cmtp-mgt", + 8502: "ftnmtp", + 8554: "rtsp-alt", + 8555: "d-fence", + 8567: "dof-tunnel", + 8600: "asterix", + 8610: "canon-mfnp", + 8611: "canon-bjnp1", + 8612: "canon-bjnp2", + 8613: "canon-bjnp3", + 8614: "canon-bjnp4", + 8615: "imink", + 8665: "monetra", + 8666: "monetra-admin", + 8675: "msi-cps-rm", + 8686: "sun-as-jmxrmi", + 8688: "openremote-ctrl", + 8699: "vnyx", + 8711: "nvc", + 8733: "ibus", + 8750: "dey-keyneg", + 8763: "mc-appserver", + 8764: "openqueue", + 8765: "ultraseek-http", + 8766: "amcs", + 8770: "dpap", + 8778: "uec", + 8786: "msgclnt", + 8787: "msgsrvr", + 8793: "acd-pm", + 8800: "sunwebadmin", + 8804: "truecm", + 8873: "dxspider", + 8880: "cddbp-alt", + 8881: "galaxy4d", + 8883: "secure-mqtt", + 8888: "ddi-tcp-1", + 8889: "ddi-tcp-2", + 8890: "ddi-tcp-3", + 8891: "ddi-tcp-4", + 8892: "ddi-tcp-5", + 8893: "ddi-tcp-6", + 8894: "ddi-tcp-7", + 8899: "ospf-lite", + 8900: "jmb-cds1", + 8901: "jmb-cds2", + 8910: "manyone-http", + 8911: "manyone-xml", + 8912: "wcbackup", + 8913: "dragonfly", + 8937: "twds", + 8953: "ub-dns-control", + 8954: "cumulus-admin", + 8980: "nod-provider", + 8989: "sunwebadmins", + 8990: "http-wmap", + 8991: "https-wmap", + 8997: "oracle-ms-ens", + 8998: "canto-roboflow", + 8999: "bctp", + 9000: "cslistener", + 9001: "etlservicemgr", + 9002: "dynamid", + 9005: "golem", + 9008: "ogs-server", + 9009: "pichat", + 9010: "sdr", + 9020: "tambora", + 9021: "panagolin-ident", + 9022: "paragent", + 9023: "swa-1", + 9024: "swa-2", + 9025: "swa-3", + 9026: "swa-4", + 9050: "versiera", + 9051: "fio-cmgmt", + 9060: "CardWeb-IO", + 9080: "glrpc", + 9083: "emc-pp-mgmtsvc", + 9084: "aurora", + 9085: "ibm-rsyscon", + 9086: "net2display", + 9087: "classic", + 9088: "sqlexec", + 9089: "sqlexec-ssl", + 9090: "websm", + 9091: "xmltec-xmlmail", + 9092: "XmlIpcRegSvc", + 9093: "copycat", + 9100: "hp-pdl-datastr", + 9101: "bacula-dir", + 9102: "bacula-fd", + 9103: "bacula-sd", + 9104: "peerwire", + 9105: "xadmin", + 9106: "astergate", + 9107: "astergatefax", + 9119: "mxit", + 9122: "grcmp", + 9123: "grcp", + 9131: "dddp", + 9160: "apani1", + 9161: "apani2", + 9162: "apani3", + 9163: "apani4", + 9164: "apani5", + 9191: "sun-as-jpda", + 9200: "wap-wsp", + 9201: "wap-wsp-wtp", + 9202: "wap-wsp-s", + 9203: "wap-wsp-wtp-s", + 9204: "wap-vcard", + 9205: "wap-vcal", + 9206: "wap-vcard-s", + 9207: "wap-vcal-s", + 9208: "rjcdb-vcards", + 9209: "almobile-system", + 9210: "oma-mlp", + 9211: "oma-mlp-s", + 9212: "serverviewdbms", + 9213: "serverstart", + 9214: "ipdcesgbs", + 9215: "insis", + 9216: "acme", + 9217: "fsc-port", + 9222: "teamcoherence", + 9255: "mon", + 9278: "pegasus", + 9279: "pegasus-ctl", + 9280: "pgps", + 9281: "swtp-port1", + 9282: "swtp-port2", + 9283: "callwaveiam", + 9284: "visd", + 9285: "n2h2server", + 9287: "cumulus", + 9292: "armtechdaemon", + 9293: "storview", + 9294: "armcenterhttp", + 9295: "armcenterhttps", + 9300: "vrace", + 9306: "sphinxql", + 9312: "sphinxapi", + 9318: "secure-ts", + 9321: "guibase", + 9343: "mpidcmgr", + 9344: "mphlpdmc", + 9345: "rancher", + 9346: "ctechlicensing", + 9374: "fjdmimgr", + 9380: "boxp", + 9387: "d2dconfig", + 9388: "d2ddatatrans", + 9389: "adws", + 9390: "otp", + 9396: "fjinvmgr", + 9397: "mpidcagt", + 9400: "sec-t4net-srv", + 9401: "sec-t4net-clt", + 9402: "sec-pc2fax-srv", + 9418: "git", + 9443: "tungsten-https", + 9444: "wso2esb-console", + 9445: "mindarray-ca", + 9450: "sntlkeyssrvr", + 9500: "ismserver", + 9535: "mngsuite", + 9536: "laes-bf", + 9555: "trispen-sra", + 9592: "ldgateway", + 9593: "cba8", + 9594: "msgsys", + 9595: "pds", + 9596: "mercury-disc", + 9597: "pd-admin", + 9598: "vscp", + 9599: "robix", + 9600: "micromuse-ncpw", + 9612: "streamcomm-ds", + 9614: "iadt-tls", + 9616: "erunbook-agent", + 9617: "erunbook-server", + 9618: "condor", + 9628: "odbcpathway", + 9629: "uniport", + 9630: "peoctlr", + 9631: "peocoll", + 9640: "pqsflows", + 9666: "zoomcp", + 9667: "xmms2", + 9668: "tec5-sdctp", + 9694: "client-wakeup", + 9695: "ccnx", + 9700: "board-roar", + 9747: "l5nas-parchan", + 9750: "board-voip", + 9753: "rasadv", + 9762: "tungsten-http", + 9800: "davsrc", + 9801: "sstp-2", + 9802: "davsrcs", + 9875: "sapv1", + 9876: "sd", + 9888: "cyborg-systems", + 9889: "gt-proxy", + 9898: "monkeycom", + 9900: "iua", + 9909: "domaintime", + 9911: "sype-transport", + 9925: "xybrid-cloud", + 9950: "apc-9950", + 9951: "apc-9951", + 9952: "apc-9952", + 9953: "acis", + 9954: "hinp", + 9955: "alljoyn-stm", + 9966: "odnsp", + 9978: "xybrid-rt", + 9979: "visweather", + 9981: "pumpkindb", + 9987: "dsm-scm-target", + 9988: "nsesrvr", + 9990: "osm-appsrvr", + 9991: "osm-oev", + 9992: "palace-1", + 9993: "palace-2", + 9994: "palace-3", + 9995: "palace-4", + 9996: "palace-5", + 9997: "palace-6", + 9998: "distinct32", + 9999: "distinct", + 10000: "ndmp", + 10001: "scp-config", + 10002: "documentum", + 10003: "documentum-s", + 10004: "emcrmirccd", + 10005: "emcrmird", + 10006: "netapp-sync", + 10007: "mvs-capacity", + 10008: "octopus", + 10009: "swdtp-sv", + 10010: "rxapi", + 10020: "abb-hw", + 10050: "zabbix-agent", + 10051: "zabbix-trapper", + 10055: "qptlmd", + 10080: "amanda", + 10081: "famdc", + 10100: "itap-ddtp", + 10101: "ezmeeting-2", + 10102: "ezproxy-2", + 10103: "ezrelay", + 10104: "swdtp", + 10107: "bctp-server", + 10110: "nmea-0183", + 10113: "netiq-endpoint", + 10114: "netiq-qcheck", + 10115: "netiq-endpt", + 10116: "netiq-voipa", + 10117: "iqrm", + 10125: "cimple", + 10128: "bmc-perf-sd", + 10129: "bmc-gms", + 10160: "qb-db-server", + 10161: "snmptls", + 10162: "snmptls-trap", + 10200: "trisoap", + 10201: "rsms", + 10252: "apollo-relay", + 10260: "axis-wimp-port", + 10261: "tile-ml", + 10288: "blocks", + 10321: "cosir", + 10540: "MOS-lower", + 10541: "MOS-upper", + 10542: "MOS-aux", + 10543: "MOS-soap", + 10544: "MOS-soap-opt", + 10548: "serverdocs", + 10631: "printopia", + 10800: "gap", + 10805: "lpdg", + 10809: "nbd", + 10860: "helix", + 10880: "bveapi", + 10933: "octopustentacle", + 10990: "rmiaux", + 11000: "irisa", + 11001: "metasys", + 11095: "weave", + 11103: "origo-sync", + 11104: "netapp-icmgmt", + 11105: "netapp-icdata", + 11106: "sgi-lk", + 11109: "sgi-dmfmgr", + 11110: "sgi-soap", + 11111: "vce", + 11112: "dicom", + 11161: "suncacao-snmp", + 11162: "suncacao-jmxmp", + 11163: "suncacao-rmi", + 11164: "suncacao-csa", + 11165: "suncacao-websvc", + 11172: "oemcacao-jmxmp", + 11173: "t5-straton", + 11174: "oemcacao-rmi", + 11175: "oemcacao-websvc", + 11201: "smsqp", + 11202: "dcsl-backup", + 11208: "wifree", + 11211: "memcache", + 11319: "imip", + 11320: "imip-channels", + 11321: "arena-server", + 11367: "atm-uhas", + 11371: "hkp", + 11489: "asgcypresstcps", + 11600: "tempest-port", + 11623: "emc-xsw-dconfig", + 11720: "h323callsigalt", + 11723: "emc-xsw-dcache", + 11751: "intrepid-ssl", + 11796: "lanschool", + 11876: "xoraya", + 11967: "sysinfo-sp", + 12000: "entextxid", + 12001: "entextnetwk", + 12002: "entexthigh", + 12003: "entextmed", + 12004: "entextlow", + 12005: "dbisamserver1", + 12006: "dbisamserver2", + 12007: "accuracer", + 12008: "accuracer-dbms", + 12010: "edbsrvr", + 12012: "vipera", + 12013: "vipera-ssl", + 12109: "rets-ssl", + 12121: "nupaper-ss", + 12168: "cawas", + 12172: "hivep", + 12300: "linogridengine", + 12302: "rads", + 12321: "warehouse-sss", + 12322: "warehouse", + 12345: "italk", + 12753: "tsaf", + 12865: "netperf", + 13160: "i-zipqd", + 13216: "bcslogc", + 13217: "rs-pias", + 13218: "emc-vcas-tcp", + 13223: "powwow-client", + 13224: "powwow-server", + 13400: "doip-data", + 13720: "bprd", + 13721: "bpdbm", + 13722: "bpjava-msvc", + 13724: "vnetd", + 13782: "bpcd", + 13783: "vopied", + 13785: "nbdb", + 13786: "nomdb", + 13818: "dsmcc-config", + 13819: "dsmcc-session", + 13820: "dsmcc-passthru", + 13821: "dsmcc-download", + 13822: "dsmcc-ccp", + 13823: "bmdss", + 13894: "ucontrol", + 13929: "dta-systems", + 13930: "medevolve", + 14000: "scotty-ft", + 14001: "sua", + 14033: "sage-best-com1", + 14034: "sage-best-com2", + 14141: "vcs-app", + 14142: "icpp", + 14143: "icpps", + 14145: "gcm-app", + 14149: "vrts-tdd", + 14150: "vcscmd", + 14154: "vad", + 14250: "cps", + 14414: "ca-web-update", + 14500: "xpra", + 14936: "hde-lcesrvr-1", + 14937: "hde-lcesrvr-2", + 15000: "hydap", + 15002: "onep-tls", + 15345: "xpilot", + 15363: "3link", + 15555: "cisco-snat", + 15660: "bex-xr", + 15740: "ptp", + 15999: "programmar", + 16000: "fmsas", + 16001: "fmsascon", + 16002: "gsms", + 16020: "jwpc", + 16021: "jwpc-bin", + 16161: "sun-sea-port", + 16162: "solaris-audit", + 16309: "etb4j", + 16310: "pduncs", + 16311: "pdefmns", + 16360: "netserialext1", + 16361: "netserialext2", + 16367: "netserialext3", + 16368: "netserialext4", + 16384: "connected", + 16385: "rdgs", + 16619: "xoms", + 16665: "axon-tunnel", + 16789: "cadsisvr", + 16900: "newbay-snc-mc", + 16950: "sgcip", + 16991: "intel-rci-mp", + 16992: "amt-soap-http", + 16993: "amt-soap-https", + 16994: "amt-redir-tcp", + 16995: "amt-redir-tls", + 17007: "isode-dua", + 17184: "vestasdlp", + 17185: "soundsvirtual", + 17219: "chipper", + 17220: "avtp", + 17221: "avdecc", + 17223: "isa100-gci", + 17225: "trdp-md", + 17234: "integrius-stp", + 17235: "ssh-mgmt", + 17500: "db-lsp", + 17555: "ailith", + 17729: "ea", + 17754: "zep", + 17755: "zigbee-ip", + 17756: "zigbee-ips", + 17777: "sw-orion", + 18000: "biimenu", + 18104: "radpdf", + 18136: "racf", + 18181: "opsec-cvp", + 18182: "opsec-ufp", + 18183: "opsec-sam", + 18184: "opsec-lea", + 18185: "opsec-omi", + 18186: "ohsc", + 18187: "opsec-ela", + 18241: "checkpoint-rtm", + 18242: "iclid", + 18243: "clusterxl", + 18262: "gv-pf", + 18463: "ac-cluster", + 18634: "rds-ib", + 18635: "rds-ip", + 18668: "vdmmesh", + 18769: "ique", + 18881: "infotos", + 18888: "apc-necmp", + 19000: "igrid", + 19007: "scintilla", + 19020: "j-link", + 19191: "opsec-uaa", + 19194: "ua-secureagent", + 19220: "cora", + 19283: "keysrvr", + 19315: "keyshadow", + 19398: "mtrgtrans", + 19410: "hp-sco", + 19411: "hp-sca", + 19412: "hp-sessmon", + 19539: "fxuptp", + 19540: "sxuptp", + 19541: "jcp", + 19998: "iec-104-sec", + 19999: "dnp-sec", + 20000: "dnp", + 20001: "microsan", + 20002: "commtact-http", + 20003: "commtact-https", + 20005: "openwebnet", + 20013: "ss-idi", + 20014: "opendeploy", + 20034: "nburn-id", + 20046: "tmophl7mts", + 20048: "mountd", + 20049: "nfsrdma", + 20057: "avesterra", + 20167: "tolfab", + 20202: "ipdtp-port", + 20222: "ipulse-ics", + 20480: "emwavemsg", + 20670: "track", + 20999: "athand-mmp", + 21000: "irtrans", + 21010: "notezilla-lan", + 21221: "aigairserver", + 21553: "rdm-tfs", + 21554: "dfserver", + 21590: "vofr-gateway", + 21800: "tvpm", + 21845: "webphone", + 21846: "netspeak-is", + 21847: "netspeak-cs", + 21848: "netspeak-acd", + 21849: "netspeak-cps", + 22000: "snapenetio", + 22001: "optocontrol", + 22002: "optohost002", + 22003: "optohost003", + 22004: "optohost004", + 22005: "optohost004", + 22125: "dcap", + 22128: "gsidcap", + 22222: "easyengine", + 22273: "wnn6", + 22305: "cis", + 22335: "shrewd-control", + 22343: "cis-secure", + 22347: "wibukey", + 22350: "codemeter", + 22351: "codemeter-cmwan", + 22537: "caldsoft-backup", + 22555: "vocaltec-wconf", + 22763: "talikaserver", + 22800: "aws-brf", + 22951: "brf-gw", + 23000: "inovaport1", + 23001: "inovaport2", + 23002: "inovaport3", + 23003: "inovaport4", + 23004: "inovaport5", + 23005: "inovaport6", + 23053: "gntp", + 23294: "5afe-dir", + 23333: "elxmgmt", + 23400: "novar-dbase", + 23401: "novar-alarm", + 23402: "novar-global", + 23456: "aequus", + 23457: "aequus-alt", + 23546: "areaguard-neo", + 24000: "med-ltp", + 24001: "med-fsp-rx", + 24002: "med-fsp-tx", + 24003: "med-supp", + 24004: "med-ovw", + 24005: "med-ci", + 24006: "med-net-svc", + 24242: "filesphere", + 24249: "vista-4gl", + 24321: "ild", + 24386: "intel-rci", + 24465: "tonidods", + 24554: "binkp", + 24577: "bilobit", + 24666: "sdtvwcam", + 24676: "canditv", + 24677: "flashfiler", + 24678: "proactivate", + 24680: "tcc-http", + 24754: "cslg", + 24922: "find", + 25000: "icl-twobase1", + 25001: "icl-twobase2", + 25002: "icl-twobase3", + 25003: "icl-twobase4", + 25004: "icl-twobase5", + 25005: "icl-twobase6", + 25006: "icl-twobase7", + 25007: "icl-twobase8", + 25008: "icl-twobase9", + 25009: "icl-twobase10", + 25576: "sauterdongle", + 25604: "idtp", + 25793: "vocaltec-hos", + 25900: "tasp-net", + 25901: "niobserver", + 25902: "nilinkanalyst", + 25903: "niprobe", + 26000: "quake", + 26133: "scscp", + 26208: "wnn6-ds", + 26257: "cockroach", + 26260: "ezproxy", + 26261: "ezmeeting", + 26262: "k3software-svr", + 26263: "k3software-cli", + 26486: "exoline-tcp", + 26487: "exoconfig", + 26489: "exonet", + 27345: "imagepump", + 27442: "jesmsjc", + 27504: "kopek-httphead", + 27782: "ars-vista", + 27876: "astrolink", + 27999: "tw-auth-key", + 28000: "nxlmd", + 28001: "pqsp", + 28200: "voxelstorm", + 28240: "siemensgsm", + 28589: "bosswave", + 29167: "otmp", + 29999: "bingbang", + 30000: "ndmps", + 30001: "pago-services1", + 30002: "pago-services2", + 30003: "amicon-fpsu-ra", + 30100: "rwp", + 30260: "kingdomsonline", + 30400: "gs-realtime", + 30999: "ovobs", + 31016: "ka-sddp", + 31020: "autotrac-acp", + 31400: "pace-licensed", + 31416: "xqosd", + 31457: "tetrinet", + 31620: "lm-mon", + 31685: "dsx-monitor", + 31765: "gamesmith-port", + 31948: "iceedcp-tx", + 31949: "iceedcp-rx", + 32034: "iracinghelper", + 32249: "t1distproc60", + 32400: "plex", + 32483: "apm-link", + 32635: "sec-ntb-clnt", + 32636: "DMExpress", + 32767: "filenet-powsrm", + 32768: "filenet-tms", + 32769: "filenet-rpc", + 32770: "filenet-nch", + 32771: "filenet-rmi", + 32772: "filenet-pa", + 32773: "filenet-cm", + 32774: "filenet-re", + 32775: "filenet-pch", + 32776: "filenet-peior", + 32777: "filenet-obrok", + 32801: "mlsn", + 32811: "retp", + 32896: "idmgratm", + 33060: "mysqlx", + 33123: "aurora-balaena", + 33331: "diamondport", + 33333: "dgi-serv", + 33334: "speedtrace", + 33434: "traceroute", + 33656: "snip-slave", + 34249: "turbonote-2", + 34378: "p-net-local", + 34379: "p-net-remote", + 34567: "dhanalakshmi", + 34962: "profinet-rt", + 34963: "profinet-rtm", + 34964: "profinet-cm", + 34980: "ethercat", + 35000: "heathview", + 35001: "rt-viewer", + 35002: "rt-sound", + 35003: "rt-devicemapper", + 35004: "rt-classmanager", + 35005: "rt-labtracker", + 35006: "rt-helper", + 35100: "axio-disc", + 35354: "kitim", + 35355: "altova-lm", + 35356: "guttersnex", + 35357: "openstack-id", + 36001: "allpeers", + 36524: "febooti-aw", + 36602: "observium-agent", + 36700: "mapx", + 36865: "kastenxpipe", + 37475: "neckar", + 37483: "gdrive-sync", + 37601: "eftp", + 37654: "unisys-eportal", + 38000: "ivs-database", + 38001: "ivs-insertion", + 38002: "cresco-control", + 38201: "galaxy7-data", + 38202: "fairview", + 38203: "agpolicy", + 38800: "sruth", + 38865: "secrmmsafecopya", + 39681: "turbonote-1", + 40000: "safetynetp", + 40404: "sptx", + 40841: "cscp", + 40842: "csccredir", + 40843: "csccfirewall", + 41111: "fs-qos", + 41121: "tentacle", + 41230: "z-wave-s", + 41794: "crestron-cip", + 41795: "crestron-ctp", + 41796: "crestron-cips", + 41797: "crestron-ctps", + 42508: "candp", + 42509: "candrp", + 42510: "caerpc", + 43000: "recvr-rc", + 43188: "reachout", + 43189: "ndm-agent-port", + 43190: "ip-provision", + 43191: "noit-transport", + 43210: "shaperai", + 43439: "eq3-update", + 43440: "ew-mgmt", + 43441: "ciscocsdb", + 44123: "z-wave-tunnel", + 44321: "pmcd", + 44322: "pmcdproxy", + 44323: "pmwebapi", + 44444: "cognex-dataman", + 44553: "rbr-debug", + 44818: "EtherNet-IP-2", + 44900: "m3da", + 45000: "asmp", + 45001: "asmps", + 45002: "rs-status", + 45045: "synctest", + 45054: "invision-ag", + 45514: "cloudcheck", + 45678: "eba", + 45824: "dai-shell", + 45825: "qdb2service", + 45966: "ssr-servermgr", + 46336: "inedo", + 46998: "spremotetablet", + 46999: "mediabox", + 47000: "mbus", + 47001: "winrm", + 47557: "dbbrowse", + 47624: "directplaysrvr", + 47806: "ap", + 47808: "bacnet", + 48000: "nimcontroller", + 48001: "nimspooler", + 48002: "nimhub", + 48003: "nimgtw", + 48004: "nimbusdb", + 48005: "nimbusdbctrl", + 48049: "3gpp-cbsp", + 48050: "weandsf", + 48128: "isnetserv", + 48129: "blp5", + 48556: "com-bardac-dw", + 48619: "iqobject", + 48653: "robotraconteur", + 49000: "matahari", + 49001: "nusrp", +} +var udpPortNames = map[uint16]string{ + 1: "tcpmux", + 2: "compressnet", + 3: "compressnet", + 5: "rje", + 7: "echo", + 9: "discard", + 11: "systat", + 13: "daytime", + 17: "qotd", + 18: "msp", + 19: "chargen", + 20: "ftp-data", + 21: "ftp", + 22: "ssh", + 23: "telnet", + 25: "smtp", + 27: "nsw-fe", + 29: "msg-icp", + 31: "msg-auth", + 33: "dsp", + 37: "time", + 38: "rap", + 39: "rlp", + 41: "graphics", + 42: "name", + 43: "nicname", + 44: "mpm-flags", + 45: "mpm", + 46: "mpm-snd", + 48: "auditd", + 49: "tacacs", + 50: "re-mail-ck", + 52: "xns-time", + 53: "domain", + 54: "xns-ch", + 55: "isi-gl", + 56: "xns-auth", + 58: "xns-mail", + 62: "acas", + 63: "whoispp", + 64: "covia", + 65: "tacacs-ds", + 66: "sql-net", + 67: "bootps", + 68: "bootpc", + 69: "tftp", + 70: "gopher", + 71: "netrjs-1", + 72: "netrjs-2", + 73: "netrjs-3", + 74: "netrjs-4", + 76: "deos", + 78: "vettcp", + 79: "finger", + 80: "http", + 82: "xfer", + 83: "mit-ml-dev", + 84: "ctf", + 85: "mit-ml-dev", + 86: "mfcobol", + 88: "kerberos", + 89: "su-mit-tg", + 90: "dnsix", + 91: "mit-dov", + 92: "npp", + 93: "dcp", + 94: "objcall", + 95: "supdup", + 96: "dixie", + 97: "swift-rvf", + 98: "tacnews", + 99: "metagram", + 101: "hostname", + 102: "iso-tsap", + 103: "gppitnp", + 104: "acr-nema", + 105: "cso", + 106: "3com-tsmux", + 107: "rtelnet", + 108: "snagas", + 109: "pop2", + 110: "pop3", + 111: "sunrpc", + 112: "mcidas", + 113: "auth", + 115: "sftp", + 116: "ansanotify", + 117: "uucp-path", + 118: "sqlserv", + 119: "nntp", + 120: "cfdptkt", + 121: "erpc", + 122: "smakynet", + 123: "ntp", + 124: "ansatrader", + 125: "locus-map", + 126: "nxedit", + 127: "locus-con", + 128: "gss-xlicen", + 129: "pwdgen", + 130: "cisco-fna", + 131: "cisco-tna", + 132: "cisco-sys", + 133: "statsrv", + 134: "ingres-net", + 135: "epmap", + 136: "profile", + 137: "netbios-ns", + 138: "netbios-dgm", + 139: "netbios-ssn", + 140: "emfis-data", + 141: "emfis-cntl", + 142: "bl-idm", + 143: "imap", + 144: "uma", + 145: "uaac", + 146: "iso-tp0", + 147: "iso-ip", + 148: "jargon", + 149: "aed-512", + 150: "sql-net", + 151: "hems", + 152: "bftp", + 153: "sgmp", + 154: "netsc-prod", + 155: "netsc-dev", + 156: "sqlsrv", + 157: "knet-cmp", + 158: "pcmail-srv", + 159: "nss-routing", + 160: "sgmp-traps", + 161: "snmp", + 162: "snmptrap", + 163: "cmip-man", + 164: "cmip-agent", + 165: "xns-courier", + 166: "s-net", + 167: "namp", + 168: "rsvd", + 169: "send", + 170: "print-srv", + 171: "multiplex", + 172: "cl-1", + 173: "xyplex-mux", + 174: "mailq", + 175: "vmnet", + 176: "genrad-mux", + 177: "xdmcp", + 178: "nextstep", + 179: "bgp", + 180: "ris", + 181: "unify", + 182: "audit", + 183: "ocbinder", + 184: "ocserver", + 185: "remote-kis", + 186: "kis", + 187: "aci", + 188: "mumps", + 189: "qft", + 190: "gacp", + 191: "prospero", + 192: "osu-nms", + 193: "srmp", + 194: "irc", + 195: "dn6-nlm-aud", + 196: "dn6-smm-red", + 197: "dls", + 198: "dls-mon", + 199: "smux", + 200: "src", + 201: "at-rtmp", + 202: "at-nbp", + 203: "at-3", + 204: "at-echo", + 205: "at-5", + 206: "at-zis", + 207: "at-7", + 208: "at-8", + 209: "qmtp", + 210: "z39-50", + 211: "914c-g", + 212: "anet", + 213: "ipx", + 214: "vmpwscs", + 215: "softpc", + 216: "CAIlic", + 217: "dbase", + 218: "mpp", + 219: "uarps", + 220: "imap3", + 221: "fln-spx", + 222: "rsh-spx", + 223: "cdc", + 224: "masqdialer", + 242: "direct", + 243: "sur-meas", + 244: "inbusiness", + 245: "link", + 246: "dsp3270", + 247: "subntbcst-tftp", + 248: "bhfhs", + 256: "rap", + 257: "set", + 259: "esro-gen", + 260: "openport", + 261: "nsiiops", + 262: "arcisdms", + 263: "hdap", + 264: "bgmp", + 265: "x-bone-ctl", + 266: "sst", + 267: "td-service", + 268: "td-replica", + 269: "manet", + 270: "gist", + 280: "http-mgmt", + 281: "personal-link", + 282: "cableport-ax", + 283: "rescap", + 284: "corerjd", + 286: "fxp", + 287: "k-block", + 308: "novastorbakcup", + 309: "entrusttime", + 310: "bhmds", + 311: "asip-webadmin", + 312: "vslmp", + 313: "magenta-logic", + 314: "opalis-robot", + 315: "dpsi", + 316: "decauth", + 317: "zannet", + 318: "pkix-timestamp", + 319: "ptp-event", + 320: "ptp-general", + 321: "pip", + 322: "rtsps", + 333: "texar", + 344: "pdap", + 345: "pawserv", + 346: "zserv", + 347: "fatserv", + 348: "csi-sgwp", + 349: "mftp", + 350: "matip-type-a", + 351: "matip-type-b", + 352: "dtag-ste-sb", + 353: "ndsauth", + 354: "bh611", + 355: "datex-asn", + 356: "cloanto-net-1", + 357: "bhevent", + 358: "shrinkwrap", + 359: "nsrmp", + 360: "scoi2odialog", + 361: "semantix", + 362: "srssend", + 363: "rsvp-tunnel", + 364: "aurora-cmgr", + 365: "dtk", + 366: "odmr", + 367: "mortgageware", + 368: "qbikgdp", + 369: "rpc2portmap", + 370: "codaauth2", + 371: "clearcase", + 372: "ulistproc", + 373: "legent-1", + 374: "legent-2", + 375: "hassle", + 376: "nip", + 377: "tnETOS", + 378: "dsETOS", + 379: "is99c", + 380: "is99s", + 381: "hp-collector", + 382: "hp-managed-node", + 383: "hp-alarm-mgr", + 384: "arns", + 385: "ibm-app", + 386: "asa", + 387: "aurp", + 388: "unidata-ldm", + 389: "ldap", + 390: "uis", + 391: "synotics-relay", + 392: "synotics-broker", + 393: "meta5", + 394: "embl-ndt", + 395: "netcp", + 396: "netware-ip", + 397: "mptn", + 398: "kryptolan", + 399: "iso-tsap-c2", + 400: "osb-sd", + 401: "ups", + 402: "genie", + 403: "decap", + 404: "nced", + 405: "ncld", + 406: "imsp", + 407: "timbuktu", + 408: "prm-sm", + 409: "prm-nm", + 410: "decladebug", + 411: "rmt", + 412: "synoptics-trap", + 413: "smsp", + 414: "infoseek", + 415: "bnet", + 416: "silverplatter", + 417: "onmux", + 418: "hyper-g", + 419: "ariel1", + 420: "smpte", + 421: "ariel2", + 422: "ariel3", + 423: "opc-job-start", + 424: "opc-job-track", + 425: "icad-el", + 426: "smartsdp", + 427: "svrloc", + 428: "ocs-cmu", + 429: "ocs-amu", + 430: "utmpsd", + 431: "utmpcd", + 432: "iasd", + 433: "nnsp", + 434: "mobileip-agent", + 435: "mobilip-mn", + 436: "dna-cml", + 437: "comscm", + 438: "dsfgw", + 439: "dasp", + 440: "sgcp", + 441: "decvms-sysmgt", + 442: "cvc-hostd", + 443: "https", + 444: "snpp", + 445: "microsoft-ds", + 446: "ddm-rdb", + 447: "ddm-dfm", + 448: "ddm-ssl", + 449: "as-servermap", + 450: "tserver", + 451: "sfs-smp-net", + 452: "sfs-config", + 453: "creativeserver", + 454: "contentserver", + 455: "creativepartnr", + 456: "macon-udp", + 457: "scohelp", + 458: "appleqtc", + 459: "ampr-rcmd", + 460: "skronk", + 461: "datasurfsrv", + 462: "datasurfsrvsec", + 463: "alpes", + 464: "kpasswd", + 465: "igmpv3lite", + 466: "digital-vrc", + 467: "mylex-mapd", + 468: "photuris", + 469: "rcp", + 470: "scx-proxy", + 471: "mondex", + 472: "ljk-login", + 473: "hybrid-pop", + 474: "tn-tl-w2", + 475: "tcpnethaspsrv", + 476: "tn-tl-fd1", + 477: "ss7ns", + 478: "spsc", + 479: "iafserver", + 480: "iafdbase", + 481: "ph", + 482: "bgs-nsi", + 483: "ulpnet", + 484: "integra-sme", + 485: "powerburst", + 486: "avian", + 487: "saft", + 488: "gss-http", + 489: "nest-protocol", + 490: "micom-pfs", + 491: "go-login", + 492: "ticf-1", + 493: "ticf-2", + 494: "pov-ray", + 495: "intecourier", + 496: "pim-rp-disc", + 497: "retrospect", + 498: "siam", + 499: "iso-ill", + 500: "isakmp", + 501: "stmf", + 502: "mbap", + 503: "intrinsa", + 504: "citadel", + 505: "mailbox-lm", + 506: "ohimsrv", + 507: "crs", + 508: "xvttp", + 509: "snare", + 510: "fcp", + 511: "passgo", + 512: "comsat", + 513: "who", + 514: "syslog", + 515: "printer", + 516: "videotex", + 517: "talk", + 518: "ntalk", + 519: "utime", + 520: "router", + 521: "ripng", + 522: "ulp", + 523: "ibm-db2", + 524: "ncp", + 525: "timed", + 526: "tempo", + 527: "stx", + 528: "custix", + 529: "irc-serv", + 530: "courier", + 531: "conference", + 532: "netnews", + 533: "netwall", + 534: "windream", + 535: "iiop", + 536: "opalis-rdv", + 537: "nmsp", + 538: "gdomap", + 539: "apertus-ldp", + 540: "uucp", + 541: "uucp-rlogin", + 542: "commerce", + 543: "klogin", + 544: "kshell", + 545: "appleqtcsrvr", + 546: "dhcpv6-client", + 547: "dhcpv6-server", + 548: "afpovertcp", + 549: "idfp", + 550: "new-rwho", + 551: "cybercash", + 552: "devshr-nts", + 553: "pirp", + 554: "rtsp", + 555: "dsf", + 556: "remotefs", + 557: "openvms-sysipc", + 558: "sdnskmp", + 559: "teedtap", + 560: "rmonitor", + 561: "monitor", + 562: "chshell", + 563: "nntps", + 564: "9pfs", + 565: "whoami", + 566: "streettalk", + 567: "banyan-rpc", + 568: "ms-shuttle", + 569: "ms-rome", + 570: "meter", + 571: "meter", + 572: "sonar", + 573: "banyan-vip", + 574: "ftp-agent", + 575: "vemmi", + 576: "ipcd", + 577: "vnas", + 578: "ipdd", + 579: "decbsrv", + 580: "sntp-heartbeat", + 581: "bdp", + 582: "scc-security", + 583: "philips-vc", + 584: "keyserver", + 586: "password-chg", + 587: "submission", + 588: "cal", + 589: "eyelink", + 590: "tns-cml", + 591: "http-alt", + 592: "eudora-set", + 593: "http-rpc-epmap", + 594: "tpip", + 595: "cab-protocol", + 596: "smsd", + 597: "ptcnameservice", + 598: "sco-websrvrmg3", + 599: "acp", + 600: "ipcserver", + 601: "syslog-conn", + 602: "xmlrpc-beep", + 603: "idxp", + 604: "tunnel", + 605: "soap-beep", + 606: "urm", + 607: "nqs", + 608: "sift-uft", + 609: "npmp-trap", + 610: "npmp-local", + 611: "npmp-gui", + 612: "hmmp-ind", + 613: "hmmp-op", + 614: "sshell", + 615: "sco-inetmgr", + 616: "sco-sysmgr", + 617: "sco-dtmgr", + 618: "dei-icda", + 619: "compaq-evm", + 620: "sco-websrvrmgr", + 621: "escp-ip", + 622: "collaborator", + 623: "asf-rmcp", + 624: "cryptoadmin", + 625: "dec-dlm", + 626: "asia", + 627: "passgo-tivoli", + 628: "qmqp", + 629: "3com-amp3", + 630: "rda", + 631: "ipp", + 632: "bmpp", + 633: "servstat", + 634: "ginad", + 635: "rlzdbase", + 636: "ldaps", + 637: "lanserver", + 638: "mcns-sec", + 639: "msdp", + 640: "entrust-sps", + 641: "repcmd", + 642: "esro-emsdp", + 643: "sanity", + 644: "dwr", + 645: "pssc", + 646: "ldp", + 647: "dhcp-failover", + 648: "rrp", + 649: "cadview-3d", + 650: "obex", + 651: "ieee-mms", + 652: "hello-port", + 653: "repscmd", + 654: "aodv", + 655: "tinc", + 656: "spmp", + 657: "rmc", + 658: "tenfold", + 660: "mac-srvr-admin", + 661: "hap", + 662: "pftp", + 663: "purenoise", + 664: "asf-secure-rmcp", + 665: "sun-dr", + 666: "mdqs", + 667: "disclose", + 668: "mecomm", + 669: "meregister", + 670: "vacdsm-sws", + 671: "vacdsm-app", + 672: "vpps-qua", + 673: "cimplex", + 674: "acap", + 675: "dctp", + 676: "vpps-via", + 677: "vpp", + 678: "ggf-ncp", + 679: "mrm", + 680: "entrust-aaas", + 681: "entrust-aams", + 682: "xfr", + 683: "corba-iiop", + 684: "corba-iiop-ssl", + 685: "mdc-portmapper", + 686: "hcp-wismar", + 687: "asipregistry", + 688: "realm-rusd", + 689: "nmap", + 690: "vatp", + 691: "msexch-routing", + 692: "hyperwave-isp", + 693: "connendp", + 694: "ha-cluster", + 695: "ieee-mms-ssl", + 696: "rushd", + 697: "uuidgen", + 698: "olsr", + 699: "accessnetwork", + 700: "epp", + 701: "lmp", + 702: "iris-beep", + 704: "elcsd", + 705: "agentx", + 706: "silc", + 707: "borland-dsj", + 709: "entrust-kmsh", + 710: "entrust-ash", + 711: "cisco-tdp", + 712: "tbrpf", + 713: "iris-xpc", + 714: "iris-xpcs", + 715: "iris-lwz", + 716: "pana", + 729: "netviewdm1", + 730: "netviewdm2", + 731: "netviewdm3", + 741: "netgw", + 742: "netrcs", + 744: "flexlm", + 747: "fujitsu-dev", + 748: "ris-cm", + 749: "kerberos-adm", + 750: "loadav", + 751: "pump", + 752: "qrh", + 753: "rrh", + 754: "tell", + 758: "nlogin", + 759: "con", + 760: "ns", + 761: "rxe", + 762: "quotad", + 763: "cycleserv", + 764: "omserv", + 765: "webster", + 767: "phonebook", + 769: "vid", + 770: "cadlock", + 771: "rtip", + 772: "cycleserv2", + 773: "notify", + 774: "acmaint-dbd", + 775: "acmaint-transd", + 776: "wpages", + 777: "multiling-http", + 780: "wpgs", + 800: "mdbs-daemon", + 801: "device", + 802: "mbap-s", + 810: "fcp-udp", + 828: "itm-mcell-s", + 829: "pkix-3-ca-ra", + 830: "netconf-ssh", + 831: "netconf-beep", + 832: "netconfsoaphttp", + 833: "netconfsoapbeep", + 847: "dhcp-failover2", + 848: "gdoi", + 853: "domain-s", + 854: "dlep", + 860: "iscsi", + 861: "owamp-control", + 862: "twamp-control", + 873: "rsync", + 886: "iclcnet-locate", + 887: "iclcnet-svinfo", + 888: "accessbuilder", + 900: "omginitialrefs", + 901: "smpnameres", + 902: "ideafarm-door", + 903: "ideafarm-panic", + 910: "kink", + 911: "xact-backup", + 912: "apex-mesh", + 913: "apex-edge", + 989: "ftps-data", + 990: "ftps", + 991: "nas", + 992: "telnets", + 993: "imaps", + 995: "pop3s", + 996: "vsinet", + 997: "maitrd", + 998: "puparp", + 999: "applix", + 1000: "cadlock2", + 1010: "surf", + 1021: "exp1", + 1022: "exp2", + 1025: "blackjack", + 1026: "cap", + 1027: "6a44", + 1029: "solid-mux", + 1033: "netinfo-local", + 1034: "activesync", + 1035: "mxxrlogin", + 1036: "nsstp", + 1037: "ams", + 1038: "mtqp", + 1039: "sbl", + 1040: "netarx", + 1041: "danf-ak2", + 1042: "afrog", + 1043: "boinc-client", + 1044: "dcutility", + 1045: "fpitp", + 1046: "wfremotertm", + 1047: "neod1", + 1048: "neod2", + 1049: "td-postman", + 1050: "cma", + 1051: "optima-vnet", + 1052: "ddt", + 1053: "remote-as", + 1054: "brvread", + 1055: "ansyslmd", + 1056: "vfo", + 1057: "startron", + 1058: "nim", + 1059: "nimreg", + 1060: "polestar", + 1061: "kiosk", + 1062: "veracity", + 1063: "kyoceranetdev", + 1064: "jstel", + 1065: "syscomlan", + 1066: "fpo-fns", + 1067: "instl-boots", + 1068: "instl-bootc", + 1069: "cognex-insight", + 1070: "gmrupdateserv", + 1071: "bsquare-voip", + 1072: "cardax", + 1073: "bridgecontrol", + 1074: "warmspotMgmt", + 1075: "rdrmshc", + 1076: "dab-sti-c", + 1077: "imgames", + 1078: "avocent-proxy", + 1079: "asprovatalk", + 1080: "socks", + 1081: "pvuniwien", + 1082: "amt-esd-prot", + 1083: "ansoft-lm-1", + 1084: "ansoft-lm-2", + 1085: "webobjects", + 1086: "cplscrambler-lg", + 1087: "cplscrambler-in", + 1088: "cplscrambler-al", + 1089: "ff-annunc", + 1090: "ff-fms", + 1091: "ff-sm", + 1092: "obrpd", + 1093: "proofd", + 1094: "rootd", + 1095: "nicelink", + 1096: "cnrprotocol", + 1097: "sunclustermgr", + 1098: "rmiactivation", + 1099: "rmiregistry", + 1100: "mctp", + 1101: "pt2-discover", + 1102: "adobeserver-1", + 1103: "adobeserver-2", + 1104: "xrl", + 1105: "ftranhc", + 1106: "isoipsigport-1", + 1107: "isoipsigport-2", + 1108: "ratio-adp", + 1110: "nfsd-keepalive", + 1111: "lmsocialserver", + 1112: "icp", + 1113: "ltp-deepspace", + 1114: "mini-sql", + 1115: "ardus-trns", + 1116: "ardus-cntl", + 1117: "ardus-mtrns", + 1118: "sacred", + 1119: "bnetgame", + 1120: "bnetfile", + 1121: "rmpp", + 1122: "availant-mgr", + 1123: "murray", + 1124: "hpvmmcontrol", + 1125: "hpvmmagent", + 1126: "hpvmmdata", + 1127: "kwdb-commn", + 1128: "saphostctrl", + 1129: "saphostctrls", + 1130: "casp", + 1131: "caspssl", + 1132: "kvm-via-ip", + 1133: "dfn", + 1134: "aplx", + 1135: "omnivision", + 1136: "hhb-gateway", + 1137: "trim", + 1138: "encrypted-admin", + 1139: "evm", + 1140: "autonoc", + 1141: "mxomss", + 1142: "edtools", + 1143: "imyx", + 1144: "fuscript", + 1145: "x9-icue", + 1146: "audit-transfer", + 1147: "capioverlan", + 1148: "elfiq-repl", + 1149: "bvtsonar", + 1150: "blaze", + 1151: "unizensus", + 1152: "winpoplanmess", + 1153: "c1222-acse", + 1154: "resacommunity", + 1155: "nfa", + 1156: "iascontrol-oms", + 1157: "iascontrol", + 1158: "dbcontrol-oms", + 1159: "oracle-oms", + 1160: "olsv", + 1161: "health-polling", + 1162: "health-trap", + 1163: "sddp", + 1164: "qsm-proxy", + 1165: "qsm-gui", + 1166: "qsm-remote", + 1167: "cisco-ipsla", + 1168: "vchat", + 1169: "tripwire", + 1170: "atc-lm", + 1171: "atc-appserver", + 1172: "dnap", + 1173: "d-cinema-rrp", + 1174: "fnet-remote-ui", + 1175: "dossier", + 1176: "indigo-server", + 1177: "dkmessenger", + 1178: "sgi-storman", + 1179: "b2n", + 1180: "mc-client", + 1181: "3comnetman", + 1182: "accelenet-data", + 1183: "llsurfup-http", + 1184: "llsurfup-https", + 1185: "catchpole", + 1186: "mysql-cluster", + 1187: "alias", + 1188: "hp-webadmin", + 1189: "unet", + 1190: "commlinx-avl", + 1191: "gpfs", + 1192: "caids-sensor", + 1193: "fiveacross", + 1194: "openvpn", + 1195: "rsf-1", + 1196: "netmagic", + 1197: "carrius-rshell", + 1198: "cajo-discovery", + 1199: "dmidi", + 1200: "scol", + 1201: "nucleus-sand", + 1202: "caiccipc", + 1203: "ssslic-mgr", + 1204: "ssslog-mgr", + 1205: "accord-mgc", + 1206: "anthony-data", + 1207: "metasage", + 1208: "seagull-ais", + 1209: "ipcd3", + 1210: "eoss", + 1211: "groove-dpp", + 1212: "lupa", + 1213: "mpc-lifenet", + 1214: "kazaa", + 1215: "scanstat-1", + 1216: "etebac5", + 1217: "hpss-ndapi", + 1218: "aeroflight-ads", + 1219: "aeroflight-ret", + 1220: "qt-serveradmin", + 1221: "sweetware-apps", + 1222: "nerv", + 1223: "tgp", + 1224: "vpnz", + 1225: "slinkysearch", + 1226: "stgxfws", + 1227: "dns2go", + 1228: "florence", + 1229: "zented", + 1230: "periscope", + 1231: "menandmice-lpm", + 1232: "first-defense", + 1233: "univ-appserver", + 1234: "search-agent", + 1235: "mosaicsyssvc1", + 1236: "bvcontrol", + 1237: "tsdos390", + 1238: "hacl-qs", + 1239: "nmsd", + 1240: "instantia", + 1241: "nessus", + 1242: "nmasoverip", + 1243: "serialgateway", + 1244: "isbconference1", + 1245: "isbconference2", + 1246: "payrouter", + 1247: "visionpyramid", + 1248: "hermes", + 1249: "mesavistaco", + 1250: "swldy-sias", + 1251: "servergraph", + 1252: "bspne-pcc", + 1253: "q55-pcc", + 1254: "de-noc", + 1255: "de-cache-query", + 1256: "de-server", + 1257: "shockwave2", + 1258: "opennl", + 1259: "opennl-voice", + 1260: "ibm-ssd", + 1261: "mpshrsv", + 1262: "qnts-orb", + 1263: "dka", + 1264: "prat", + 1265: "dssiapi", + 1266: "dellpwrappks", + 1267: "epc", + 1268: "propel-msgsys", + 1269: "watilapp", + 1270: "opsmgr", + 1271: "excw", + 1272: "cspmlockmgr", + 1273: "emc-gateway", + 1274: "t1distproc", + 1275: "ivcollector", + 1277: "miva-mqs", + 1278: "dellwebadmin-1", + 1279: "dellwebadmin-2", + 1280: "pictrography", + 1281: "healthd", + 1282: "emperion", + 1283: "productinfo", + 1284: "iee-qfx", + 1285: "neoiface", + 1286: "netuitive", + 1287: "routematch", + 1288: "navbuddy", + 1289: "jwalkserver", + 1290: "winjaserver", + 1291: "seagulllms", + 1292: "dsdn", + 1293: "pkt-krb-ipsec", + 1294: "cmmdriver", + 1295: "ehtp", + 1296: "dproxy", + 1297: "sdproxy", + 1298: "lpcp", + 1299: "hp-sci", + 1300: "h323hostcallsc", + 1301: "ci3-software-1", + 1302: "ci3-software-2", + 1303: "sftsrv", + 1304: "boomerang", + 1305: "pe-mike", + 1306: "re-conn-proto", + 1307: "pacmand", + 1308: "odsi", + 1309: "jtag-server", + 1310: "husky", + 1311: "rxmon", + 1312: "sti-envision", + 1313: "bmc-patroldb", + 1314: "pdps", + 1315: "els", + 1316: "exbit-escp", + 1317: "vrts-ipcserver", + 1318: "krb5gatekeeper", + 1319: "amx-icsp", + 1320: "amx-axbnet", + 1321: "pip", + 1322: "novation", + 1323: "brcd", + 1324: "delta-mcp", + 1325: "dx-instrument", + 1326: "wimsic", + 1327: "ultrex", + 1328: "ewall", + 1329: "netdb-export", + 1330: "streetperfect", + 1331: "intersan", + 1332: "pcia-rxp-b", + 1333: "passwrd-policy", + 1334: "writesrv", + 1335: "digital-notary", + 1336: "ischat", + 1337: "menandmice-dns", + 1338: "wmc-log-svc", + 1339: "kjtsiteserver", + 1340: "naap", + 1341: "qubes", + 1342: "esbroker", + 1343: "re101", + 1344: "icap", + 1345: "vpjp", + 1346: "alta-ana-lm", + 1347: "bbn-mmc", + 1348: "bbn-mmx", + 1349: "sbook", + 1350: "editbench", + 1351: "equationbuilder", + 1352: "lotusnote", + 1353: "relief", + 1354: "XSIP-network", + 1355: "intuitive-edge", + 1356: "cuillamartin", + 1357: "pegboard", + 1358: "connlcli", + 1359: "ftsrv", + 1360: "mimer", + 1361: "linx", + 1362: "timeflies", + 1363: "ndm-requester", + 1364: "ndm-server", + 1365: "adapt-sna", + 1366: "netware-csp", + 1367: "dcs", + 1368: "screencast", + 1369: "gv-us", + 1370: "us-gv", + 1371: "fc-cli", + 1372: "fc-ser", + 1373: "chromagrafx", + 1374: "molly", + 1375: "bytex", + 1376: "ibm-pps", + 1377: "cichlid", + 1378: "elan", + 1379: "dbreporter", + 1380: "telesis-licman", + 1381: "apple-licman", + 1382: "udt-os", + 1383: "gwha", + 1384: "os-licman", + 1385: "atex-elmd", + 1386: "checksum", + 1387: "cadsi-lm", + 1388: "objective-dbc", + 1389: "iclpv-dm", + 1390: "iclpv-sc", + 1391: "iclpv-sas", + 1392: "iclpv-pm", + 1393: "iclpv-nls", + 1394: "iclpv-nlc", + 1395: "iclpv-wsm", + 1396: "dvl-activemail", + 1397: "audio-activmail", + 1398: "video-activmail", + 1399: "cadkey-licman", + 1400: "cadkey-tablet", + 1401: "goldleaf-licman", + 1402: "prm-sm-np", + 1403: "prm-nm-np", + 1404: "igi-lm", + 1405: "ibm-res", + 1406: "netlabs-lm", + 1408: "sophia-lm", + 1409: "here-lm", + 1410: "hiq", + 1411: "af", + 1412: "innosys", + 1413: "innosys-acl", + 1414: "ibm-mqseries", + 1415: "dbstar", + 1416: "novell-lu6-2", + 1417: "timbuktu-srv1", + 1418: "timbuktu-srv2", + 1419: "timbuktu-srv3", + 1420: "timbuktu-srv4", + 1421: "gandalf-lm", + 1422: "autodesk-lm", + 1423: "essbase", + 1424: "hybrid", + 1425: "zion-lm", + 1426: "sais", + 1427: "mloadd", + 1428: "informatik-lm", + 1429: "nms", + 1430: "tpdu", + 1431: "rgtp", + 1432: "blueberry-lm", + 1433: "ms-sql-s", + 1434: "ms-sql-m", + 1435: "ibm-cics", + 1436: "saism", + 1437: "tabula", + 1438: "eicon-server", + 1439: "eicon-x25", + 1440: "eicon-slp", + 1441: "cadis-1", + 1442: "cadis-2", + 1443: "ies-lm", + 1444: "marcam-lm", + 1445: "proxima-lm", + 1446: "ora-lm", + 1447: "apri-lm", + 1448: "oc-lm", + 1449: "peport", + 1450: "dwf", + 1451: "infoman", + 1452: "gtegsc-lm", + 1453: "genie-lm", + 1454: "interhdl-elmd", + 1455: "esl-lm", + 1456: "dca", + 1457: "valisys-lm", + 1458: "nrcabq-lm", + 1459: "proshare1", + 1460: "proshare2", + 1461: "ibm-wrless-lan", + 1462: "world-lm", + 1463: "nucleus", + 1464: "msl-lmd", + 1465: "pipes", + 1466: "oceansoft-lm", + 1467: "csdmbase", + 1468: "csdm", + 1469: "aal-lm", + 1470: "uaiact", + 1471: "csdmbase", + 1472: "csdm", + 1473: "openmath", + 1474: "telefinder", + 1475: "taligent-lm", + 1476: "clvm-cfg", + 1477: "ms-sna-server", + 1478: "ms-sna-base", + 1479: "dberegister", + 1480: "pacerforum", + 1481: "airs", + 1482: "miteksys-lm", + 1483: "afs", + 1484: "confluent", + 1485: "lansource", + 1486: "nms-topo-serv", + 1487: "localinfosrvr", + 1488: "docstor", + 1489: "dmdocbroker", + 1490: "insitu-conf", + 1492: "stone-design-1", + 1493: "netmap-lm", + 1494: "ica", + 1495: "cvc", + 1496: "liberty-lm", + 1497: "rfx-lm", + 1498: "sybase-sqlany", + 1499: "fhc", + 1500: "vlsi-lm", + 1501: "saiscm", + 1502: "shivadiscovery", + 1503: "imtc-mcs", + 1504: "evb-elm", + 1505: "funkproxy", + 1506: "utcd", + 1507: "symplex", + 1508: "diagmond", + 1509: "robcad-lm", + 1510: "mvx-lm", + 1511: "3l-l1", + 1512: "wins", + 1513: "fujitsu-dtc", + 1514: "fujitsu-dtcns", + 1515: "ifor-protocol", + 1516: "vpad", + 1517: "vpac", + 1518: "vpvd", + 1519: "vpvc", + 1520: "atm-zip-office", + 1521: "ncube-lm", + 1522: "ricardo-lm", + 1523: "cichild-lm", + 1524: "ingreslock", + 1525: "orasrv", + 1526: "pdap-np", + 1527: "tlisrv", + 1528: "ngr-t", + 1529: "coauthor", + 1530: "rap-service", + 1531: "rap-listen", + 1532: "miroconnect", + 1533: "virtual-places", + 1534: "micromuse-lm", + 1535: "ampr-info", + 1536: "ampr-inter", + 1537: "sdsc-lm", + 1538: "3ds-lm", + 1539: "intellistor-lm", + 1540: "rds", + 1541: "rds2", + 1542: "gridgen-elmd", + 1543: "simba-cs", + 1544: "aspeclmd", + 1545: "vistium-share", + 1546: "abbaccuray", + 1547: "laplink", + 1548: "axon-lm", + 1549: "shivasound", + 1550: "3m-image-lm", + 1551: "hecmtl-db", + 1552: "pciarray", + 1553: "sna-cs", + 1554: "caci-lm", + 1555: "livelan", + 1556: "veritas-pbx", + 1557: "arbortext-lm", + 1558: "xingmpeg", + 1559: "web2host", + 1560: "asci-val", + 1561: "facilityview", + 1562: "pconnectmgr", + 1563: "cadabra-lm", + 1564: "pay-per-view", + 1565: "winddlb", + 1566: "corelvideo", + 1567: "jlicelmd", + 1568: "tsspmap", + 1569: "ets", + 1570: "orbixd", + 1571: "rdb-dbs-disp", + 1572: "chip-lm", + 1573: "itscomm-ns", + 1574: "mvel-lm", + 1575: "oraclenames", + 1576: "moldflow-lm", + 1577: "hypercube-lm", + 1578: "jacobus-lm", + 1579: "ioc-sea-lm", + 1580: "tn-tl-r2", + 1581: "mil-2045-47001", + 1582: "msims", + 1583: "simbaexpress", + 1584: "tn-tl-fd2", + 1585: "intv", + 1586: "ibm-abtact", + 1587: "pra-elmd", + 1588: "triquest-lm", + 1589: "vqp", + 1590: "gemini-lm", + 1591: "ncpm-pm", + 1592: "commonspace", + 1593: "mainsoft-lm", + 1594: "sixtrak", + 1595: "radio", + 1596: "radio-bc", + 1597: "orbplus-iiop", + 1598: "picknfs", + 1599: "simbaservices", + 1600: "issd", + 1601: "aas", + 1602: "inspect", + 1603: "picodbc", + 1604: "icabrowser", + 1605: "slp", + 1606: "slm-api", + 1607: "stt", + 1608: "smart-lm", + 1609: "isysg-lm", + 1610: "taurus-wh", + 1611: "ill", + 1612: "netbill-trans", + 1613: "netbill-keyrep", + 1614: "netbill-cred", + 1615: "netbill-auth", + 1616: "netbill-prod", + 1617: "nimrod-agent", + 1618: "skytelnet", + 1619: "xs-openstorage", + 1620: "faxportwinport", + 1621: "softdataphone", + 1622: "ontime", + 1623: "jaleosnd", + 1624: "udp-sr-port", + 1625: "svs-omagent", + 1626: "shockwave", + 1627: "t128-gateway", + 1628: "lontalk-norm", + 1629: "lontalk-urgnt", + 1630: "oraclenet8cman", + 1631: "visitview", + 1632: "pammratc", + 1633: "pammrpc", + 1634: "loaprobe", + 1635: "edb-server1", + 1636: "isdc", + 1637: "islc", + 1638: "ismc", + 1639: "cert-initiator", + 1640: "cert-responder", + 1641: "invision", + 1642: "isis-am", + 1643: "isis-ambc", + 1644: "saiseh", + 1645: "sightline", + 1646: "sa-msg-port", + 1647: "rsap", + 1648: "concurrent-lm", + 1649: "kermit", + 1650: "nkd", + 1651: "shiva-confsrvr", + 1652: "xnmp", + 1653: "alphatech-lm", + 1654: "stargatealerts", + 1655: "dec-mbadmin", + 1656: "dec-mbadmin-h", + 1657: "fujitsu-mmpdc", + 1658: "sixnetudr", + 1659: "sg-lm", + 1660: "skip-mc-gikreq", + 1661: "netview-aix-1", + 1662: "netview-aix-2", + 1663: "netview-aix-3", + 1664: "netview-aix-4", + 1665: "netview-aix-5", + 1666: "netview-aix-6", + 1667: "netview-aix-7", + 1668: "netview-aix-8", + 1669: "netview-aix-9", + 1670: "netview-aix-10", + 1671: "netview-aix-11", + 1672: "netview-aix-12", + 1673: "proshare-mc-1", + 1674: "proshare-mc-2", + 1675: "pdp", + 1676: "netcomm2", + 1677: "groupwise", + 1678: "prolink", + 1679: "darcorp-lm", + 1680: "microcom-sbp", + 1681: "sd-elmd", + 1682: "lanyon-lantern", + 1683: "ncpm-hip", + 1684: "snaresecure", + 1685: "n2nremote", + 1686: "cvmon", + 1687: "nsjtp-ctrl", + 1688: "nsjtp-data", + 1689: "firefox", + 1690: "ng-umds", + 1691: "empire-empuma", + 1692: "sstsys-lm", + 1693: "rrirtr", + 1694: "rrimwm", + 1695: "rrilwm", + 1696: "rrifmm", + 1697: "rrisat", + 1698: "rsvp-encap-1", + 1699: "rsvp-encap-2", + 1700: "mps-raft", + 1701: "l2f", + 1702: "deskshare", + 1703: "hb-engine", + 1704: "bcs-broker", + 1705: "slingshot", + 1706: "jetform", + 1707: "vdmplay", + 1708: "gat-lmd", + 1709: "centra", + 1710: "impera", + 1711: "pptconference", + 1712: "registrar", + 1713: "conferencetalk", + 1714: "sesi-lm", + 1715: "houdini-lm", + 1716: "xmsg", + 1717: "fj-hdnet", + 1718: "h323gatedisc", + 1719: "h323gatestat", + 1720: "h323hostcall", + 1721: "caicci", + 1722: "hks-lm", + 1723: "pptp", + 1724: "csbphonemaster", + 1725: "iden-ralp", + 1726: "iberiagames", + 1727: "winddx", + 1728: "telindus", + 1729: "citynl", + 1730: "roketz", + 1731: "msiccp", + 1732: "proxim", + 1733: "siipat", + 1734: "cambertx-lm", + 1735: "privatechat", + 1736: "street-stream", + 1737: "ultimad", + 1738: "gamegen1", + 1739: "webaccess", + 1740: "encore", + 1741: "cisco-net-mgmt", + 1742: "3Com-nsd", + 1743: "cinegrfx-lm", + 1744: "ncpm-ft", + 1745: "remote-winsock", + 1746: "ftrapid-1", + 1747: "ftrapid-2", + 1748: "oracle-em1", + 1749: "aspen-services", + 1750: "sslp", + 1751: "swiftnet", + 1752: "lofr-lm", + 1754: "oracle-em2", + 1755: "ms-streaming", + 1756: "capfast-lmd", + 1757: "cnhrp", + 1758: "tftp-mcast", + 1759: "spss-lm", + 1760: "www-ldap-gw", + 1761: "cft-0", + 1762: "cft-1", + 1763: "cft-2", + 1764: "cft-3", + 1765: "cft-4", + 1766: "cft-5", + 1767: "cft-6", + 1768: "cft-7", + 1769: "bmc-net-adm", + 1770: "bmc-net-svc", + 1771: "vaultbase", + 1772: "essweb-gw", + 1773: "kmscontrol", + 1774: "global-dtserv", + 1776: "femis", + 1777: "powerguardian", + 1778: "prodigy-intrnet", + 1779: "pharmasoft", + 1780: "dpkeyserv", + 1781: "answersoft-lm", + 1782: "hp-hcip", + 1784: "finle-lm", + 1785: "windlm", + 1786: "funk-logger", + 1787: "funk-license", + 1788: "psmond", + 1789: "hello", + 1790: "nmsp", + 1791: "ea1", + 1792: "ibm-dt-2", + 1793: "rsc-robot", + 1794: "cera-bcm", + 1795: "dpi-proxy", + 1796: "vocaltec-admin", + 1797: "uma", + 1798: "etp", + 1799: "netrisk", + 1800: "ansys-lm", + 1801: "msmq", + 1802: "concomp1", + 1803: "hp-hcip-gwy", + 1804: "enl", + 1805: "enl-name", + 1806: "musiconline", + 1807: "fhsp", + 1808: "oracle-vp2", + 1809: "oracle-vp1", + 1810: "jerand-lm", + 1811: "scientia-sdb", + 1812: "radius", + 1813: "radius-acct", + 1814: "tdp-suite", + 1815: "mmpft", + 1816: "harp", + 1817: "rkb-oscs", + 1818: "etftp", + 1819: "plato-lm", + 1820: "mcagent", + 1821: "donnyworld", + 1822: "es-elmd", + 1823: "unisys-lm", + 1824: "metrics-pas", + 1825: "direcpc-video", + 1826: "ardt", + 1827: "asi", + 1828: "itm-mcell-u", + 1829: "optika-emedia", + 1830: "net8-cman", + 1831: "myrtle", + 1832: "tht-treasure", + 1833: "udpradio", + 1834: "ardusuni", + 1835: "ardusmul", + 1836: "ste-smsc", + 1837: "csoft1", + 1838: "talnet", + 1839: "netopia-vo1", + 1840: "netopia-vo2", + 1841: "netopia-vo3", + 1842: "netopia-vo4", + 1843: "netopia-vo5", + 1844: "direcpc-dll", + 1845: "altalink", + 1846: "tunstall-pnc", + 1847: "slp-notify", + 1848: "fjdocdist", + 1849: "alpha-sms", + 1850: "gsi", + 1851: "ctcd", + 1852: "virtual-time", + 1853: "vids-avtp", + 1854: "buddy-draw", + 1855: "fiorano-rtrsvc", + 1856: "fiorano-msgsvc", + 1857: "datacaptor", + 1858: "privateark", + 1859: "gammafetchsvr", + 1860: "sunscalar-svc", + 1861: "lecroy-vicp", + 1862: "mysql-cm-agent", + 1863: "msnp", + 1864: "paradym-31port", + 1865: "entp", + 1866: "swrmi", + 1867: "udrive", + 1868: "viziblebrowser", + 1869: "transact", + 1870: "sunscalar-dns", + 1871: "canocentral0", + 1872: "canocentral1", + 1873: "fjmpjps", + 1874: "fjswapsnp", + 1875: "westell-stats", + 1876: "ewcappsrv", + 1877: "hp-webqosdb", + 1878: "drmsmc", + 1879: "nettgain-nms", + 1880: "vsat-control", + 1881: "ibm-mqseries2", + 1882: "ecsqdmn", + 1883: "mqtt", + 1884: "idmaps", + 1885: "vrtstrapserver", + 1886: "leoip", + 1887: "filex-lport", + 1888: "ncconfig", + 1889: "unify-adapter", + 1890: "wilkenlistener", + 1891: "childkey-notif", + 1892: "childkey-ctrl", + 1893: "elad", + 1894: "o2server-port", + 1896: "b-novative-ls", + 1897: "metaagent", + 1898: "cymtec-port", + 1899: "mc2studios", + 1900: "ssdp", + 1901: "fjicl-tep-a", + 1902: "fjicl-tep-b", + 1903: "linkname", + 1904: "fjicl-tep-c", + 1905: "sugp", + 1906: "tpmd", + 1907: "intrastar", + 1908: "dawn", + 1909: "global-wlink", + 1910: "ultrabac", + 1911: "mtp", + 1912: "rhp-iibp", + 1913: "armadp", + 1914: "elm-momentum", + 1915: "facelink", + 1916: "persona", + 1917: "noagent", + 1918: "can-nds", + 1919: "can-dch", + 1920: "can-ferret", + 1921: "noadmin", + 1922: "tapestry", + 1923: "spice", + 1924: "xiip", + 1925: "discovery-port", + 1926: "egs", + 1927: "videte-cipc", + 1928: "emsd-port", + 1929: "bandwiz-system", + 1930: "driveappserver", + 1931: "amdsched", + 1932: "ctt-broker", + 1933: "xmapi", + 1934: "xaapi", + 1935: "macromedia-fcs", + 1936: "jetcmeserver", + 1937: "jwserver", + 1938: "jwclient", + 1939: "jvserver", + 1940: "jvclient", + 1941: "dic-aida", + 1942: "res", + 1943: "beeyond-media", + 1944: "close-combat", + 1945: "dialogic-elmd", + 1946: "tekpls", + 1947: "sentinelsrm", + 1948: "eye2eye", + 1949: "ismaeasdaqlive", + 1950: "ismaeasdaqtest", + 1951: "bcs-lmserver", + 1952: "mpnjsc", + 1953: "rapidbase", + 1954: "abr-api", + 1955: "abr-secure", + 1956: "vrtl-vmf-ds", + 1957: "unix-status", + 1958: "dxadmind", + 1959: "simp-all", + 1960: "nasmanager", + 1961: "bts-appserver", + 1962: "biap-mp", + 1963: "webmachine", + 1964: "solid-e-engine", + 1965: "tivoli-npm", + 1966: "slush", + 1967: "sns-quote", + 1968: "lipsinc", + 1969: "lipsinc1", + 1970: "netop-rc", + 1971: "netop-school", + 1972: "intersys-cache", + 1973: "dlsrap", + 1974: "drp", + 1975: "tcoflashagent", + 1976: "tcoregagent", + 1977: "tcoaddressbook", + 1978: "unisql", + 1979: "unisql-java", + 1980: "pearldoc-xact", + 1981: "p2pq", + 1982: "estamp", + 1983: "lhtp", + 1984: "bb", + 1985: "hsrp", + 1986: "licensedaemon", + 1987: "tr-rsrb-p1", + 1988: "tr-rsrb-p2", + 1989: "tr-rsrb-p3", + 1990: "stun-p1", + 1991: "stun-p2", + 1992: "stun-p3", + 1993: "snmp-tcp-port", + 1994: "stun-port", + 1995: "perf-port", + 1996: "tr-rsrb-port", + 1997: "gdp-port", + 1998: "x25-svc-port", + 1999: "tcp-id-port", + 2000: "cisco-sccp", + 2001: "wizard", + 2002: "globe", + 2003: "brutus", + 2004: "emce", + 2005: "oracle", + 2006: "raid-cd", + 2007: "raid-am", + 2008: "terminaldb", + 2009: "whosockami", + 2010: "pipe-server", + 2011: "servserv", + 2012: "raid-ac", + 2013: "raid-cd", + 2014: "raid-sf", + 2015: "raid-cs", + 2016: "bootserver", + 2017: "bootclient", + 2018: "rellpack", + 2019: "about", + 2020: "xinupageserver", + 2021: "xinuexpansion1", + 2022: "xinuexpansion2", + 2023: "xinuexpansion3", + 2024: "xinuexpansion4", + 2025: "xribs", + 2026: "scrabble", + 2027: "shadowserver", + 2028: "submitserver", + 2029: "hsrpv6", + 2030: "device2", + 2031: "mobrien-chat", + 2032: "blackboard", + 2033: "glogger", + 2034: "scoremgr", + 2035: "imsldoc", + 2036: "e-dpnet", + 2037: "applus", + 2038: "objectmanager", + 2039: "prizma", + 2040: "lam", + 2041: "interbase", + 2042: "isis", + 2043: "isis-bcast", + 2044: "rimsl", + 2045: "cdfunc", + 2046: "sdfunc", + 2047: "dls", + 2048: "dls-monitor", + 2049: "shilp", + 2050: "av-emb-config", + 2051: "epnsdp", + 2052: "clearvisn", + 2053: "lot105-ds-upd", + 2054: "weblogin", + 2055: "iop", + 2056: "omnisky", + 2057: "rich-cp", + 2058: "newwavesearch", + 2059: "bmc-messaging", + 2060: "teleniumdaemon", + 2061: "netmount", + 2062: "icg-swp", + 2063: "icg-bridge", + 2064: "icg-iprelay", + 2065: "dlsrpn", + 2066: "aura", + 2067: "dlswpn", + 2068: "avauthsrvprtcl", + 2069: "event-port", + 2070: "ah-esp-encap", + 2071: "acp-port", + 2072: "msync", + 2073: "gxs-data-port", + 2074: "vrtl-vmf-sa", + 2075: "newlixengine", + 2076: "newlixconfig", + 2077: "tsrmagt", + 2078: "tpcsrvr", + 2079: "idware-router", + 2080: "autodesk-nlm", + 2081: "kme-trap-port", + 2082: "infowave", + 2083: "radsec", + 2084: "sunclustergeo", + 2085: "ada-cip", + 2086: "gnunet", + 2087: "eli", + 2088: "ip-blf", + 2089: "sep", + 2090: "lrp", + 2091: "prp", + 2092: "descent3", + 2093: "nbx-cc", + 2094: "nbx-au", + 2095: "nbx-ser", + 2096: "nbx-dir", + 2097: "jetformpreview", + 2098: "dialog-port", + 2099: "h2250-annex-g", + 2100: "amiganetfs", + 2101: "rtcm-sc104", + 2102: "zephyr-srv", + 2103: "zephyr-clt", + 2104: "zephyr-hm", + 2105: "minipay", + 2106: "mzap", + 2107: "bintec-admin", + 2108: "comcam", + 2109: "ergolight", + 2110: "umsp", + 2111: "dsatp", + 2112: "idonix-metanet", + 2113: "hsl-storm", + 2114: "newheights", + 2115: "kdm", + 2116: "ccowcmr", + 2117: "mentaclient", + 2118: "mentaserver", + 2119: "gsigatekeeper", + 2120: "qencp", + 2121: "scientia-ssdb", + 2122: "caupc-remote", + 2123: "gtp-control", + 2124: "elatelink", + 2125: "lockstep", + 2126: "pktcable-cops", + 2127: "index-pc-wb", + 2128: "net-steward", + 2129: "cs-live", + 2130: "xds", + 2131: "avantageb2b", + 2132: "solera-epmap", + 2133: "zymed-zpp", + 2134: "avenue", + 2135: "gris", + 2136: "appworxsrv", + 2137: "connect", + 2138: "unbind-cluster", + 2139: "ias-auth", + 2140: "ias-reg", + 2141: "ias-admind", + 2142: "tdmoip", + 2143: "lv-jc", + 2144: "lv-ffx", + 2145: "lv-pici", + 2146: "lv-not", + 2147: "lv-auth", + 2148: "veritas-ucl", + 2149: "acptsys", + 2150: "dynamic3d", + 2151: "docent", + 2152: "gtp-user", + 2153: "ctlptc", + 2154: "stdptc", + 2155: "brdptc", + 2156: "trp", + 2157: "xnds", + 2158: "touchnetplus", + 2159: "gdbremote", + 2160: "apc-2160", + 2161: "apc-2161", + 2162: "navisphere", + 2163: "navisphere-sec", + 2164: "ddns-v3", + 2165: "x-bone-api", + 2166: "iwserver", + 2167: "raw-serial", + 2168: "easy-soft-mux", + 2169: "brain", + 2170: "eyetv", + 2171: "msfw-storage", + 2172: "msfw-s-storage", + 2173: "msfw-replica", + 2174: "msfw-array", + 2175: "airsync", + 2176: "rapi", + 2177: "qwave", + 2178: "bitspeer", + 2179: "vmrdp", + 2180: "mc-gt-srv", + 2181: "eforward", + 2182: "cgn-stat", + 2183: "cgn-config", + 2184: "nvd", + 2185: "onbase-dds", + 2186: "gtaua", + 2187: "ssmd", + 2190: "tivoconnect", + 2191: "tvbus", + 2192: "asdis", + 2193: "drwcs", + 2197: "mnp-exchange", + 2198: "onehome-remote", + 2199: "onehome-help", + 2200: "ici", + 2201: "ats", + 2202: "imtc-map", + 2203: "b2-runtime", + 2204: "b2-license", + 2205: "jps", + 2206: "hpocbus", + 2207: "hpssd", + 2208: "hpiod", + 2209: "rimf-ps", + 2210: "noaaport", + 2211: "emwin", + 2212: "leecoposserver", + 2213: "kali", + 2214: "rpi", + 2215: "ipcore", + 2216: "vtu-comms", + 2217: "gotodevice", + 2218: "bounzza", + 2219: "netiq-ncap", + 2220: "netiq", + 2221: "ethernet-ip-s", + 2222: "EtherNet-IP-1", + 2223: "rockwell-csp2", + 2224: "efi-mg", + 2226: "di-drm", + 2227: "di-msg", + 2228: "ehome-ms", + 2229: "datalens", + 2230: "queueadm", + 2231: "wimaxasncp", + 2232: "ivs-video", + 2233: "infocrypt", + 2234: "directplay", + 2235: "sercomm-wlink", + 2236: "nani", + 2237: "optech-port1-lm", + 2238: "aviva-sna", + 2239: "imagequery", + 2240: "recipe", + 2241: "ivsd", + 2242: "foliocorp", + 2243: "magicom", + 2244: "nmsserver", + 2245: "hao", + 2246: "pc-mta-addrmap", + 2247: "antidotemgrsvr", + 2248: "ums", + 2249: "rfmp", + 2250: "remote-collab", + 2251: "dif-port", + 2252: "njenet-ssl", + 2253: "dtv-chan-req", + 2254: "seispoc", + 2255: "vrtp", + 2256: "pcc-mfp", + 2257: "simple-tx-rx", + 2258: "rcts", + 2260: "apc-2260", + 2261: "comotionmaster", + 2262: "comotionback", + 2263: "ecwcfg", + 2264: "apx500api-1", + 2265: "apx500api-2", + 2266: "mfserver", + 2267: "ontobroker", + 2268: "amt", + 2269: "mikey", + 2270: "starschool", + 2271: "mmcals", + 2272: "mmcal", + 2273: "mysql-im", + 2274: "pcttunnell", + 2275: "ibridge-data", + 2276: "ibridge-mgmt", + 2277: "bluectrlproxy", + 2278: "s3db", + 2279: "xmquery", + 2280: "lnvpoller", + 2281: "lnvconsole", + 2282: "lnvalarm", + 2283: "lnvstatus", + 2284: "lnvmaps", + 2285: "lnvmailmon", + 2286: "nas-metering", + 2287: "dna", + 2288: "netml", + 2289: "dict-lookup", + 2290: "sonus-logging", + 2291: "eapsp", + 2292: "mib-streaming", + 2293: "npdbgmngr", + 2294: "konshus-lm", + 2295: "advant-lm", + 2296: "theta-lm", + 2297: "d2k-datamover1", + 2298: "d2k-datamover2", + 2299: "pc-telecommute", + 2300: "cvmmon", + 2301: "cpq-wbem", + 2302: "binderysupport", + 2303: "proxy-gateway", + 2304: "attachmate-uts", + 2305: "mt-scaleserver", + 2306: "tappi-boxnet", + 2307: "pehelp", + 2308: "sdhelp", + 2309: "sdserver", + 2310: "sdclient", + 2311: "messageservice", + 2312: "wanscaler", + 2313: "iapp", + 2314: "cr-websystems", + 2315: "precise-sft", + 2316: "sent-lm", + 2317: "attachmate-g32", + 2318: "cadencecontrol", + 2319: "infolibria", + 2320: "siebel-ns", + 2321: "rdlap", + 2322: "ofsd", + 2323: "3d-nfsd", + 2324: "cosmocall", + 2325: "ansysli", + 2326: "idcp", + 2327: "xingcsm", + 2328: "netrix-sftm", + 2329: "nvd", + 2330: "tscchat", + 2331: "agentview", + 2332: "rcc-host", + 2333: "snapp", + 2334: "ace-client", + 2335: "ace-proxy", + 2336: "appleugcontrol", + 2337: "ideesrv", + 2338: "norton-lambert", + 2339: "3com-webview", + 2340: "wrs-registry", + 2341: "xiostatus", + 2342: "manage-exec", + 2343: "nati-logos", + 2344: "fcmsys", + 2345: "dbm", + 2346: "redstorm-join", + 2347: "redstorm-find", + 2348: "redstorm-info", + 2349: "redstorm-diag", + 2350: "psbserver", + 2351: "psrserver", + 2352: "pslserver", + 2353: "pspserver", + 2354: "psprserver", + 2355: "psdbserver", + 2356: "gxtelmd", + 2357: "unihub-server", + 2358: "futrix", + 2359: "flukeserver", + 2360: "nexstorindltd", + 2361: "tl1", + 2362: "digiman", + 2363: "mediacntrlnfsd", + 2364: "oi-2000", + 2365: "dbref", + 2366: "qip-login", + 2367: "service-ctrl", + 2368: "opentable", + 2370: "l3-hbmon", + 2372: "lanmessenger", + 2381: "compaq-https", + 2382: "ms-olap3", + 2383: "ms-olap4", + 2384: "sd-capacity", + 2385: "sd-data", + 2386: "virtualtape", + 2387: "vsamredirector", + 2388: "mynahautostart", + 2389: "ovsessionmgr", + 2390: "rsmtp", + 2391: "3com-net-mgmt", + 2392: "tacticalauth", + 2393: "ms-olap1", + 2394: "ms-olap2", + 2395: "lan900-remote", + 2396: "wusage", + 2397: "ncl", + 2398: "orbiter", + 2399: "fmpro-fdal", + 2400: "opequus-server", + 2401: "cvspserver", + 2402: "taskmaster2000", + 2403: "taskmaster2000", + 2404: "iec-104", + 2405: "trc-netpoll", + 2406: "jediserver", + 2407: "orion", + 2409: "sns-protocol", + 2410: "vrts-registry", + 2411: "netwave-ap-mgmt", + 2412: "cdn", + 2413: "orion-rmi-reg", + 2414: "beeyond", + 2415: "codima-rtp", + 2416: "rmtserver", + 2417: "composit-server", + 2418: "cas", + 2419: "attachmate-s2s", + 2420: "dslremote-mgmt", + 2421: "g-talk", + 2422: "crmsbits", + 2423: "rnrp", + 2424: "kofax-svr", + 2425: "fjitsuappmgr", + 2426: "vcmp", + 2427: "mgcp-gateway", + 2428: "ott", + 2429: "ft-role", + 2430: "venus", + 2431: "venus-se", + 2432: "codasrv", + 2433: "codasrv-se", + 2434: "pxc-epmap", + 2435: "optilogic", + 2436: "topx", + 2437: "unicontrol", + 2438: "msp", + 2439: "sybasedbsynch", + 2440: "spearway", + 2441: "pvsw-inet", + 2442: "netangel", + 2443: "powerclientcsf", + 2444: "btpp2sectrans", + 2445: "dtn1", + 2446: "bues-service", + 2447: "ovwdb", + 2448: "hpppssvr", + 2449: "ratl", + 2450: "netadmin", + 2451: "netchat", + 2452: "snifferclient", + 2453: "madge-ltd", + 2454: "indx-dds", + 2455: "wago-io-system", + 2456: "altav-remmgt", + 2457: "rapido-ip", + 2458: "griffin", + 2459: "community", + 2460: "ms-theater", + 2461: "qadmifoper", + 2462: "qadmifevent", + 2463: "lsi-raid-mgmt", + 2464: "direcpc-si", + 2465: "lbm", + 2466: "lbf", + 2467: "high-criteria", + 2468: "qip-msgd", + 2469: "mti-tcs-comm", + 2470: "taskman-port", + 2471: "seaodbc", + 2472: "c3", + 2473: "aker-cdp", + 2474: "vitalanalysis", + 2475: "ace-server", + 2476: "ace-svr-prop", + 2477: "ssm-cvs", + 2478: "ssm-cssps", + 2479: "ssm-els", + 2480: "powerexchange", + 2481: "giop", + 2482: "giop-ssl", + 2483: "ttc", + 2484: "ttc-ssl", + 2485: "netobjects1", + 2486: "netobjects2", + 2487: "pns", + 2488: "moy-corp", + 2489: "tsilb", + 2490: "qip-qdhcp", + 2491: "conclave-cpp", + 2492: "groove", + 2493: "talarian-mqs", + 2494: "bmc-ar", + 2495: "fast-rem-serv", + 2496: "dirgis", + 2497: "quaddb", + 2498: "odn-castraq", + 2499: "unicontrol", + 2500: "rtsserv", + 2501: "rtsclient", + 2502: "kentrox-prot", + 2503: "nms-dpnss", + 2504: "wlbs", + 2505: "ppcontrol", + 2506: "jbroker", + 2507: "spock", + 2508: "jdatastore", + 2509: "fjmpss", + 2510: "fjappmgrbulk", + 2511: "metastorm", + 2512: "citrixima", + 2513: "citrixadmin", + 2514: "facsys-ntp", + 2515: "facsys-router", + 2516: "maincontrol", + 2517: "call-sig-trans", + 2518: "willy", + 2519: "globmsgsvc", + 2520: "pvsw", + 2521: "adaptecmgr", + 2522: "windb", + 2523: "qke-llc-v3", + 2524: "optiwave-lm", + 2525: "ms-v-worlds", + 2526: "ema-sent-lm", + 2527: "iqserver", + 2528: "ncr-ccl", + 2529: "utsftp", + 2530: "vrcommerce", + 2531: "ito-e-gui", + 2532: "ovtopmd", + 2533: "snifferserver", + 2534: "combox-web-acc", + 2535: "madcap", + 2536: "btpp2audctr1", + 2537: "upgrade", + 2538: "vnwk-prapi", + 2539: "vsiadmin", + 2540: "lonworks", + 2541: "lonworks2", + 2542: "udrawgraph", + 2543: "reftek", + 2544: "novell-zen", + 2545: "sis-emt", + 2546: "vytalvaultbrtp", + 2547: "vytalvaultvsmp", + 2548: "vytalvaultpipe", + 2549: "ipass", + 2550: "ads", + 2551: "isg-uda-server", + 2552: "call-logging", + 2553: "efidiningport", + 2554: "vcnet-link-v10", + 2555: "compaq-wcp", + 2556: "nicetec-nmsvc", + 2557: "nicetec-mgmt", + 2558: "pclemultimedia", + 2559: "lstp", + 2560: "labrat", + 2561: "mosaixcc", + 2562: "delibo", + 2563: "cti-redwood", + 2564: "hp-3000-telnet", + 2565: "coord-svr", + 2566: "pcs-pcw", + 2567: "clp", + 2568: "spamtrap", + 2569: "sonuscallsig", + 2570: "hs-port", + 2571: "cecsvc", + 2572: "ibp", + 2573: "trustestablish", + 2574: "blockade-bpsp", + 2575: "hl7", + 2576: "tclprodebugger", + 2577: "scipticslsrvr", + 2578: "rvs-isdn-dcp", + 2579: "mpfoncl", + 2580: "tributary", + 2581: "argis-te", + 2582: "argis-ds", + 2583: "mon", + 2584: "cyaserv", + 2585: "netx-server", + 2586: "netx-agent", + 2587: "masc", + 2588: "privilege", + 2589: "quartus-tcl", + 2590: "idotdist", + 2591: "maytagshuffle", + 2592: "netrek", + 2593: "mns-mail", + 2594: "dts", + 2595: "worldfusion1", + 2596: "worldfusion2", + 2597: "homesteadglory", + 2598: "citriximaclient", + 2599: "snapd", + 2600: "hpstgmgr", + 2601: "discp-client", + 2602: "discp-server", + 2603: "servicemeter", + 2604: "nsc-ccs", + 2605: "nsc-posa", + 2606: "netmon", + 2607: "connection", + 2608: "wag-service", + 2609: "system-monitor", + 2610: "versa-tek", + 2611: "lionhead", + 2612: "qpasa-agent", + 2613: "smntubootstrap", + 2614: "neveroffline", + 2615: "firepower", + 2616: "appswitch-emp", + 2617: "cmadmin", + 2618: "priority-e-com", + 2619: "bruce", + 2620: "lpsrecommender", + 2621: "miles-apart", + 2622: "metricadbc", + 2623: "lmdp", + 2624: "aria", + 2625: "blwnkl-port", + 2626: "gbjd816", + 2627: "moshebeeri", + 2628: "dict", + 2629: "sitaraserver", + 2630: "sitaramgmt", + 2631: "sitaradir", + 2632: "irdg-post", + 2633: "interintelli", + 2634: "pk-electronics", + 2635: "backburner", + 2636: "solve", + 2637: "imdocsvc", + 2638: "sybaseanywhere", + 2639: "aminet", + 2640: "ami-control", + 2641: "hdl-srv", + 2642: "tragic", + 2643: "gte-samp", + 2644: "travsoft-ipx-t", + 2645: "novell-ipx-cmd", + 2646: "and-lm", + 2647: "syncserver", + 2648: "upsnotifyprot", + 2649: "vpsipport", + 2650: "eristwoguns", + 2651: "ebinsite", + 2652: "interpathpanel", + 2653: "sonus", + 2654: "corel-vncadmin", + 2655: "unglue", + 2656: "kana", + 2657: "sns-dispatcher", + 2658: "sns-admin", + 2659: "sns-query", + 2660: "gcmonitor", + 2661: "olhost", + 2662: "bintec-capi", + 2663: "bintec-tapi", + 2664: "patrol-mq-gm", + 2665: "patrol-mq-nm", + 2666: "extensis", + 2667: "alarm-clock-s", + 2668: "alarm-clock-c", + 2669: "toad", + 2670: "tve-announce", + 2671: "newlixreg", + 2672: "nhserver", + 2673: "firstcall42", + 2674: "ewnn", + 2675: "ttc-etap", + 2676: "simslink", + 2677: "gadgetgate1way", + 2678: "gadgetgate2way", + 2679: "syncserverssl", + 2680: "pxc-sapxom", + 2681: "mpnjsomb", + 2683: "ncdloadbalance", + 2684: "mpnjsosv", + 2685: "mpnjsocl", + 2686: "mpnjsomg", + 2687: "pq-lic-mgmt", + 2688: "md-cg-http", + 2689: "fastlynx", + 2690: "hp-nnm-data", + 2691: "itinternet", + 2692: "admins-lms", + 2694: "pwrsevent", + 2695: "vspread", + 2696: "unifyadmin", + 2697: "oce-snmp-trap", + 2698: "mck-ivpip", + 2699: "csoft-plusclnt", + 2700: "tqdata", + 2701: "sms-rcinfo", + 2702: "sms-xfer", + 2703: "sms-chat", + 2704: "sms-remctrl", + 2705: "sds-admin", + 2706: "ncdmirroring", + 2707: "emcsymapiport", + 2708: "banyan-net", + 2709: "supermon", + 2710: "sso-service", + 2711: "sso-control", + 2712: "aocp", + 2713: "raventbs", + 2714: "raventdm", + 2715: "hpstgmgr2", + 2716: "inova-ip-disco", + 2717: "pn-requester", + 2718: "pn-requester2", + 2719: "scan-change", + 2720: "wkars", + 2721: "smart-diagnose", + 2722: "proactivesrvr", + 2723: "watchdog-nt", + 2724: "qotps", + 2725: "msolap-ptp2", + 2726: "tams", + 2727: "mgcp-callagent", + 2728: "sqdr", + 2729: "tcim-control", + 2730: "nec-raidplus", + 2731: "fyre-messanger", + 2732: "g5m", + 2733: "signet-ctf", + 2734: "ccs-software", + 2735: "netiq-mc", + 2736: "radwiz-nms-srv", + 2737: "srp-feedback", + 2738: "ndl-tcp-ois-gw", + 2739: "tn-timing", + 2740: "alarm", + 2741: "tsb", + 2742: "tsb2", + 2743: "murx", + 2744: "honyaku", + 2745: "urbisnet", + 2746: "cpudpencap", + 2747: "fjippol-swrly", + 2748: "fjippol-polsvr", + 2749: "fjippol-cnsl", + 2750: "fjippol-port1", + 2751: "fjippol-port2", + 2752: "rsisysaccess", + 2753: "de-spot", + 2754: "apollo-cc", + 2755: "expresspay", + 2756: "simplement-tie", + 2757: "cnrp", + 2758: "apollo-status", + 2759: "apollo-gms", + 2760: "sabams", + 2761: "dicom-iscl", + 2762: "dicom-tls", + 2763: "desktop-dna", + 2764: "data-insurance", + 2765: "qip-audup", + 2766: "compaq-scp", + 2767: "uadtc", + 2768: "uacs", + 2769: "exce", + 2770: "veronica", + 2771: "vergencecm", + 2772: "auris", + 2773: "rbakcup1", + 2774: "rbakcup2", + 2775: "smpp", + 2776: "ridgeway1", + 2777: "ridgeway2", + 2778: "gwen-sonya", + 2779: "lbc-sync", + 2780: "lbc-control", + 2781: "whosells", + 2782: "everydayrc", + 2783: "aises", + 2784: "www-dev", + 2785: "aic-np", + 2786: "aic-oncrpc", + 2787: "piccolo", + 2788: "fryeserv", + 2789: "media-agent", + 2790: "plgproxy", + 2791: "mtport-regist", + 2792: "f5-globalsite", + 2793: "initlsmsad", + 2795: "livestats", + 2796: "ac-tech", + 2797: "esp-encap", + 2798: "tmesis-upshot", + 2799: "icon-discover", + 2800: "acc-raid", + 2801: "igcp", + 2802: "veritas-udp1", + 2803: "btprjctrl", + 2804: "dvr-esm", + 2805: "wta-wsp-s", + 2806: "cspuni", + 2807: "cspmulti", + 2808: "j-lan-p", + 2809: "corbaloc", + 2810: "netsteward", + 2811: "gsiftp", + 2812: "atmtcp", + 2813: "llm-pass", + 2814: "llm-csv", + 2815: "lbc-measure", + 2816: "lbc-watchdog", + 2817: "nmsigport", + 2818: "rmlnk", + 2819: "fc-faultnotify", + 2820: "univision", + 2821: "vrts-at-port", + 2822: "ka0wuc", + 2823: "cqg-netlan", + 2824: "cqg-netlan-1", + 2826: "slc-systemlog", + 2827: "slc-ctrlrloops", + 2828: "itm-lm", + 2829: "silkp1", + 2830: "silkp2", + 2831: "silkp3", + 2832: "silkp4", + 2833: "glishd", + 2834: "evtp", + 2835: "evtp-data", + 2836: "catalyst", + 2837: "repliweb", + 2838: "starbot", + 2839: "nmsigport", + 2840: "l3-exprt", + 2841: "l3-ranger", + 2842: "l3-hawk", + 2843: "pdnet", + 2844: "bpcp-poll", + 2845: "bpcp-trap", + 2846: "aimpp-hello", + 2847: "aimpp-port-req", + 2848: "amt-blc-port", + 2849: "fxp", + 2850: "metaconsole", + 2851: "webemshttp", + 2852: "bears-01", + 2853: "ispipes", + 2854: "infomover", + 2856: "cesdinv", + 2857: "simctlp", + 2858: "ecnp", + 2859: "activememory", + 2860: "dialpad-voice1", + 2861: "dialpad-voice2", + 2862: "ttg-protocol", + 2863: "sonardata", + 2864: "astromed-main", + 2865: "pit-vpn", + 2866: "iwlistener", + 2867: "esps-portal", + 2868: "npep-messaging", + 2869: "icslap", + 2870: "daishi", + 2871: "msi-selectplay", + 2872: "radix", + 2874: "dxmessagebase1", + 2875: "dxmessagebase2", + 2876: "sps-tunnel", + 2877: "bluelance", + 2878: "aap", + 2879: "ucentric-ds", + 2880: "synapse", + 2881: "ndsp", + 2882: "ndtp", + 2883: "ndnp", + 2884: "flashmsg", + 2885: "topflow", + 2886: "responselogic", + 2887: "aironetddp", + 2888: "spcsdlobby", + 2889: "rsom", + 2890: "cspclmulti", + 2891: "cinegrfx-elmd", + 2892: "snifferdata", + 2893: "vseconnector", + 2894: "abacus-remote", + 2895: "natuslink", + 2896: "ecovisiong6-1", + 2897: "citrix-rtmp", + 2898: "appliance-cfg", + 2899: "powergemplus", + 2900: "quicksuite", + 2901: "allstorcns", + 2902: "netaspi", + 2903: "suitcase", + 2904: "m2ua", + 2906: "caller9", + 2907: "webmethods-b2b", + 2908: "mao", + 2909: "funk-dialout", + 2910: "tdaccess", + 2911: "blockade", + 2912: "epicon", + 2913: "boosterware", + 2914: "gamelobby", + 2915: "tksocket", + 2916: "elvin-server", + 2917: "elvin-client", + 2918: "kastenchasepad", + 2919: "roboer", + 2920: "roboeda", + 2921: "cesdcdman", + 2922: "cesdcdtrn", + 2923: "wta-wsp-wtp-s", + 2924: "precise-vip", + 2926: "mobile-file-dl", + 2927: "unimobilectrl", + 2928: "redstone-cpss", + 2929: "amx-webadmin", + 2930: "amx-weblinx", + 2931: "circle-x", + 2932: "incp", + 2933: "4-tieropmgw", + 2934: "4-tieropmcli", + 2935: "qtp", + 2936: "otpatch", + 2937: "pnaconsult-lm", + 2938: "sm-pas-1", + 2939: "sm-pas-2", + 2940: "sm-pas-3", + 2941: "sm-pas-4", + 2942: "sm-pas-5", + 2943: "ttnrepository", + 2944: "megaco-h248", + 2945: "h248-binary", + 2946: "fjsvmpor", + 2947: "gpsd", + 2948: "wap-push", + 2949: "wap-pushsecure", + 2950: "esip", + 2951: "ottp", + 2952: "mpfwsas", + 2953: "ovalarmsrv", + 2954: "ovalarmsrv-cmd", + 2955: "csnotify", + 2956: "ovrimosdbman", + 2957: "jmact5", + 2958: "jmact6", + 2959: "rmopagt", + 2960: "dfoxserver", + 2961: "boldsoft-lm", + 2962: "iph-policy-cli", + 2963: "iph-policy-adm", + 2964: "bullant-srap", + 2965: "bullant-rap", + 2966: "idp-infotrieve", + 2967: "ssc-agent", + 2968: "enpp", + 2969: "essp", + 2970: "index-net", + 2971: "netclip", + 2972: "pmsm-webrctl", + 2973: "svnetworks", + 2974: "signal", + 2975: "fjmpcm", + 2976: "cns-srv-port", + 2977: "ttc-etap-ns", + 2978: "ttc-etap-ds", + 2979: "h263-video", + 2980: "wimd", + 2981: "mylxamport", + 2982: "iwb-whiteboard", + 2983: "netplan", + 2984: "hpidsadmin", + 2985: "hpidsagent", + 2986: "stonefalls", + 2987: "identify", + 2988: "hippad", + 2989: "zarkov", + 2990: "boscap", + 2991: "wkstn-mon", + 2992: "avenyo", + 2993: "veritas-vis1", + 2994: "veritas-vis2", + 2995: "idrs", + 2996: "vsixml", + 2997: "rebol", + 2998: "realsecure", + 2999: "remoteware-un", + 3000: "hbci", + 3002: "exlm-agent", + 3003: "cgms", + 3004: "csoftragent", + 3005: "geniuslm", + 3006: "ii-admin", + 3007: "lotusmtap", + 3008: "midnight-tech", + 3009: "pxc-ntfy", + 3010: "ping-pong", + 3011: "trusted-web", + 3012: "twsdss", + 3013: "gilatskysurfer", + 3014: "broker-service", + 3015: "nati-dstp", + 3016: "notify-srvr", + 3017: "event-listener", + 3018: "srvc-registry", + 3019: "resource-mgr", + 3020: "cifs", + 3021: "agriserver", + 3022: "csregagent", + 3023: "magicnotes", + 3024: "nds-sso", + 3025: "arepa-raft", + 3026: "agri-gateway", + 3027: "LiebDevMgmt-C", + 3028: "LiebDevMgmt-DM", + 3029: "LiebDevMgmt-A", + 3030: "arepa-cas", + 3031: "eppc", + 3032: "redwood-chat", + 3033: "pdb", + 3034: "osmosis-aeea", + 3035: "fjsv-gssagt", + 3036: "hagel-dump", + 3037: "hp-san-mgmt", + 3038: "santak-ups", + 3039: "cogitate", + 3040: "tomato-springs", + 3041: "di-traceware", + 3042: "journee", + 3043: "brp", + 3044: "epp", + 3045: "responsenet", + 3046: "di-ase", + 3047: "hlserver", + 3048: "pctrader", + 3049: "nsws", + 3050: "gds-db", + 3051: "galaxy-server", + 3052: "apc-3052", + 3053: "dsom-server", + 3054: "amt-cnf-prot", + 3055: "policyserver", + 3056: "cdl-server", + 3057: "goahead-fldup", + 3058: "videobeans", + 3059: "qsoft", + 3060: "interserver", + 3061: "cautcpd", + 3062: "ncacn-ip-tcp", + 3063: "ncadg-ip-udp", + 3064: "rprt", + 3065: "slinterbase", + 3066: "netattachsdmp", + 3067: "fjhpjp", + 3068: "ls3bcast", + 3069: "ls3", + 3070: "mgxswitch", + 3072: "csd-monitor", + 3073: "vcrp", + 3074: "xbox", + 3075: "orbix-locator", + 3076: "orbix-config", + 3077: "orbix-loc-ssl", + 3078: "orbix-cfg-ssl", + 3079: "lv-frontpanel", + 3080: "stm-pproc", + 3081: "tl1-lv", + 3082: "tl1-raw", + 3083: "tl1-telnet", + 3084: "itm-mccs", + 3085: "pcihreq", + 3086: "jdl-dbkitchen", + 3087: "asoki-sma", + 3088: "xdtp", + 3089: "ptk-alink", + 3090: "stss", + 3091: "1ci-smcs", + 3093: "rapidmq-center", + 3094: "rapidmq-reg", + 3095: "panasas", + 3096: "ndl-aps", + 3098: "umm-port", + 3099: "chmd", + 3100: "opcon-xps", + 3101: "hp-pxpib", + 3102: "slslavemon", + 3103: "autocuesmi", + 3104: "autocuetime", + 3105: "cardbox", + 3106: "cardbox-http", + 3107: "business", + 3108: "geolocate", + 3109: "personnel", + 3110: "sim-control", + 3111: "wsynch", + 3112: "ksysguard", + 3113: "cs-auth-svr", + 3114: "ccmad", + 3115: "mctet-master", + 3116: "mctet-gateway", + 3117: "mctet-jserv", + 3118: "pkagent", + 3119: "d2000kernel", + 3120: "d2000webserver", + 3122: "vtr-emulator", + 3123: "edix", + 3124: "beacon-port", + 3125: "a13-an", + 3127: "ctx-bridge", + 3128: "ndl-aas", + 3129: "netport-id", + 3130: "icpv2", + 3131: "netbookmark", + 3132: "ms-rule-engine", + 3133: "prism-deploy", + 3134: "ecp", + 3135: "peerbook-port", + 3136: "grubd", + 3137: "rtnt-1", + 3138: "rtnt-2", + 3139: "incognitorv", + 3140: "ariliamulti", + 3141: "vmodem", + 3142: "rdc-wh-eos", + 3143: "seaview", + 3144: "tarantella", + 3145: "csi-lfap", + 3146: "bears-02", + 3147: "rfio", + 3148: "nm-game-admin", + 3149: "nm-game-server", + 3150: "nm-asses-admin", + 3151: "nm-assessor", + 3152: "feitianrockey", + 3153: "s8-client-port", + 3154: "ccmrmi", + 3155: "jpegmpeg", + 3156: "indura", + 3157: "e3consultants", + 3158: "stvp", + 3159: "navegaweb-port", + 3160: "tip-app-server", + 3161: "doc1lm", + 3162: "sflm", + 3163: "res-sap", + 3164: "imprs", + 3165: "newgenpay", + 3166: "sossecollector", + 3167: "nowcontact", + 3168: "poweronnud", + 3169: "serverview-as", + 3170: "serverview-asn", + 3171: "serverview-gf", + 3172: "serverview-rm", + 3173: "serverview-icc", + 3174: "armi-server", + 3175: "t1-e1-over-ip", + 3176: "ars-master", + 3177: "phonex-port", + 3178: "radclientport", + 3179: "h2gf-w-2m", + 3180: "mc-brk-srv", + 3181: "bmcpatrolagent", + 3182: "bmcpatrolrnvu", + 3183: "cops-tls", + 3184: "apogeex-port", + 3185: "smpppd", + 3186: "iiw-port", + 3187: "odi-port", + 3188: "brcm-comm-port", + 3189: "pcle-infex", + 3190: "csvr-proxy", + 3191: "csvr-sslproxy", + 3192: "firemonrcc", + 3193: "spandataport", + 3194: "magbind", + 3195: "ncu-1", + 3196: "ncu-2", + 3197: "embrace-dp-s", + 3198: "embrace-dp-c", + 3199: "dmod-workspace", + 3200: "tick-port", + 3201: "cpq-tasksmart", + 3202: "intraintra", + 3203: "netwatcher-mon", + 3204: "netwatcher-db", + 3205: "isns", + 3206: "ironmail", + 3207: "vx-auth-port", + 3208: "pfu-prcallback", + 3209: "netwkpathengine", + 3210: "flamenco-proxy", + 3211: "avsecuremgmt", + 3212: "surveyinst", + 3213: "neon24x7", + 3214: "jmq-daemon-1", + 3215: "jmq-daemon-2", + 3216: "ferrari-foam", + 3217: "unite", + 3218: "smartpackets", + 3219: "wms-messenger", + 3220: "xnm-ssl", + 3221: "xnm-clear-text", + 3222: "glbp", + 3223: "digivote", + 3224: "aes-discovery", + 3225: "fcip-port", + 3226: "isi-irp", + 3227: "dwnmshttp", + 3228: "dwmsgserver", + 3229: "global-cd-port", + 3230: "sftdst-port", + 3231: "vidigo", + 3232: "mdtp", + 3233: "whisker", + 3234: "alchemy", + 3235: "mdap-port", + 3236: "apparenet-ts", + 3237: "apparenet-tps", + 3238: "apparenet-as", + 3239: "apparenet-ui", + 3240: "triomotion", + 3241: "sysorb", + 3242: "sdp-id-port", + 3243: "timelot", + 3244: "onesaf", + 3245: "vieo-fe", + 3246: "dvt-system", + 3247: "dvt-data", + 3248: "procos-lm", + 3249: "ssp", + 3250: "hicp", + 3251: "sysscanner", + 3252: "dhe", + 3253: "pda-data", + 3254: "pda-sys", + 3255: "semaphore", + 3256: "cpqrpm-agent", + 3257: "cpqrpm-server", + 3258: "ivecon-port", + 3259: "epncdp2", + 3260: "iscsi-target", + 3261: "winshadow", + 3262: "necp", + 3263: "ecolor-imager", + 3264: "ccmail", + 3265: "altav-tunnel", + 3266: "ns-cfg-server", + 3267: "ibm-dial-out", + 3268: "msft-gc", + 3269: "msft-gc-ssl", + 3270: "verismart", + 3271: "csoft-prev", + 3272: "user-manager", + 3273: "sxmp", + 3274: "ordinox-server", + 3275: "samd", + 3276: "maxim-asics", + 3277: "awg-proxy", + 3278: "lkcmserver", + 3279: "admind", + 3280: "vs-server", + 3281: "sysopt", + 3282: "datusorb", + 3283: "Apple Remote Desktop (Net Assistant)", + 3284: "4talk", + 3285: "plato", + 3286: "e-net", + 3287: "directvdata", + 3288: "cops", + 3289: "enpc", + 3290: "caps-lm", + 3291: "sah-lm", + 3292: "cart-o-rama", + 3293: "fg-fps", + 3294: "fg-gip", + 3295: "dyniplookup", + 3296: "rib-slm", + 3297: "cytel-lm", + 3298: "deskview", + 3299: "pdrncs", + 3302: "mcs-fastmail", + 3303: "opsession-clnt", + 3304: "opsession-srvr", + 3305: "odette-ftp", + 3306: "mysql", + 3307: "opsession-prxy", + 3308: "tns-server", + 3309: "tns-adv", + 3310: "dyna-access", + 3311: "mcns-tel-ret", + 3312: "appman-server", + 3313: "uorb", + 3314: "uohost", + 3315: "cdid", + 3316: "aicc-cmi", + 3317: "vsaiport", + 3318: "ssrip", + 3319: "sdt-lmd", + 3320: "officelink2000", + 3321: "vnsstr", + 3326: "sftu", + 3327: "bbars", + 3328: "egptlm", + 3329: "hp-device-disc", + 3330: "mcs-calypsoicf", + 3331: "mcs-messaging", + 3332: "mcs-mailsvr", + 3333: "dec-notes", + 3334: "directv-web", + 3335: "directv-soft", + 3336: "directv-tick", + 3337: "directv-catlg", + 3338: "anet-b", + 3339: "anet-l", + 3340: "anet-m", + 3341: "anet-h", + 3342: "webtie", + 3343: "ms-cluster-net", + 3344: "bnt-manager", + 3345: "influence", + 3346: "trnsprntproxy", + 3347: "phoenix-rpc", + 3348: "pangolin-laser", + 3349: "chevinservices", + 3350: "findviatv", + 3351: "btrieve", + 3352: "ssql", + 3353: "fatpipe", + 3354: "suitjd", + 3355: "ordinox-dbase", + 3356: "upnotifyps", + 3357: "adtech-test", + 3358: "mpsysrmsvr", + 3359: "wg-netforce", + 3360: "kv-server", + 3361: "kv-agent", + 3362: "dj-ilm", + 3363: "nati-vi-server", + 3364: "creativeserver", + 3365: "contentserver", + 3366: "creativepartnr", + 3372: "tip2", + 3373: "lavenir-lm", + 3374: "cluster-disc", + 3375: "vsnm-agent", + 3376: "cdbroker", + 3377: "cogsys-lm", + 3378: "wsicopy", + 3379: "socorfs", + 3380: "sns-channels", + 3381: "geneous", + 3382: "fujitsu-neat", + 3383: "esp-lm", + 3384: "hp-clic", + 3385: "qnxnetman", + 3386: "gprs-sig", + 3387: "backroomnet", + 3388: "cbserver", + 3389: "ms-wbt-server", + 3390: "dsc", + 3391: "savant", + 3392: "efi-lm", + 3393: "d2k-tapestry1", + 3394: "d2k-tapestry2", + 3395: "dyna-lm", + 3396: "printer-agent", + 3397: "cloanto-lm", + 3398: "mercantile", + 3399: "csms", + 3400: "csms2", + 3401: "filecast", + 3402: "fxaengine-net", + 3405: "nokia-ann-ch1", + 3406: "nokia-ann-ch2", + 3407: "ldap-admin", + 3408: "BESApi", + 3409: "networklens", + 3410: "networklenss", + 3411: "biolink-auth", + 3412: "xmlblaster", + 3413: "svnet", + 3414: "wip-port", + 3415: "bcinameservice", + 3416: "commandport", + 3417: "csvr", + 3418: "rnmap", + 3419: "softaudit", + 3420: "ifcp-port", + 3421: "bmap", + 3422: "rusb-sys-port", + 3423: "xtrm", + 3424: "xtrms", + 3425: "agps-port", + 3426: "arkivio", + 3427: "websphere-snmp", + 3428: "twcss", + 3429: "gcsp", + 3430: "ssdispatch", + 3431: "ndl-als", + 3432: "osdcp", + 3433: "opnet-smp", + 3434: "opencm", + 3435: "pacom", + 3436: "gc-config", + 3437: "autocueds", + 3438: "spiral-admin", + 3439: "hri-port", + 3440: "ans-console", + 3441: "connect-client", + 3442: "connect-server", + 3443: "ov-nnm-websrv", + 3444: "denali-server", + 3445: "monp", + 3446: "3comfaxrpc", + 3447: "directnet", + 3448: "dnc-port", + 3449: "hotu-chat", + 3450: "castorproxy", + 3451: "asam", + 3452: "sabp-signal", + 3453: "pscupd", + 3454: "mira", + 3455: "prsvp", + 3456: "vat", + 3457: "vat-control", + 3458: "d3winosfi", + 3459: "integral", + 3460: "edm-manager", + 3461: "edm-stager", + 3462: "edm-std-notify", + 3463: "edm-adm-notify", + 3464: "edm-mgr-sync", + 3465: "edm-mgr-cntrl", + 3466: "workflow", + 3467: "rcst", + 3468: "ttcmremotectrl", + 3469: "pluribus", + 3470: "jt400", + 3471: "jt400-ssl", + 3472: "jaugsremotec-1", + 3473: "jaugsremotec-2", + 3474: "ttntspauto", + 3475: "genisar-port", + 3476: "nppmp", + 3477: "ecomm", + 3478: "stun", + 3479: "twrpc", + 3480: "plethora", + 3481: "cleanerliverc", + 3482: "vulture", + 3483: "slim-devices", + 3484: "gbs-stp", + 3485: "celatalk", + 3486: "ifsf-hb-port", + 3487: "ltcudp", + 3488: "fs-rh-srv", + 3489: "dtp-dia", + 3490: "colubris", + 3491: "swr-port", + 3492: "tvdumtray-port", + 3493: "nut", + 3494: "ibm3494", + 3495: "seclayer-tcp", + 3496: "seclayer-tls", + 3497: "ipether232port", + 3498: "dashpas-port", + 3499: "sccip-media", + 3500: "rtmp-port", + 3501: "isoft-p2p", + 3502: "avinstalldisc", + 3503: "lsp-ping", + 3504: "ironstorm", + 3505: "ccmcomm", + 3506: "apc-3506", + 3507: "nesh-broker", + 3508: "interactionweb", + 3509: "vt-ssl", + 3510: "xss-port", + 3511: "webmail-2", + 3512: "aztec", + 3513: "arcpd", + 3514: "must-p2p", + 3515: "must-backplane", + 3516: "smartcard-port", + 3517: "802-11-iapp", + 3518: "artifact-msg", + 3519: "galileo", + 3520: "galileolog", + 3521: "mc3ss", + 3522: "nssocketport", + 3523: "odeumservlink", + 3524: "ecmport", + 3525: "eisport", + 3526: "starquiz-port", + 3527: "beserver-msg-q", + 3528: "jboss-iiop", + 3529: "jboss-iiop-ssl", + 3530: "gf", + 3531: "joltid", + 3532: "raven-rmp", + 3533: "raven-rdp", + 3534: "urld-port", + 3535: "ms-la", + 3536: "snac", + 3537: "ni-visa-remote", + 3538: "ibm-diradm", + 3539: "ibm-diradm-ssl", + 3540: "pnrp-port", + 3541: "voispeed-port", + 3542: "hacl-monitor", + 3543: "qftest-lookup", + 3544: "teredo", + 3545: "camac", + 3547: "symantec-sim", + 3548: "interworld", + 3549: "tellumat-nms", + 3550: "ssmpp", + 3551: "apcupsd", + 3552: "taserver", + 3553: "rbr-discovery", + 3554: "questnotify", + 3555: "razor", + 3556: "sky-transport", + 3557: "personalos-001", + 3558: "mcp-port", + 3559: "cctv-port", + 3560: "iniserve-port", + 3561: "bmc-onekey", + 3562: "sdbproxy", + 3563: "watcomdebug", + 3564: "esimport", + 3567: "dof-eps", + 3568: "dof-tunnel-sec", + 3569: "mbg-ctrl", + 3570: "mccwebsvr-port", + 3571: "megardsvr-port", + 3572: "megaregsvrport", + 3573: "tag-ups-1", + 3574: "dmaf-caster", + 3575: "ccm-port", + 3576: "cmc-port", + 3577: "config-port", + 3578: "data-port", + 3579: "ttat3lb", + 3580: "nati-svrloc", + 3581: "kfxaclicensing", + 3582: "press", + 3583: "canex-watch", + 3584: "u-dbap", + 3585: "emprise-lls", + 3586: "emprise-lsc", + 3587: "p2pgroup", + 3588: "sentinel", + 3589: "isomair", + 3590: "wv-csp-sms", + 3591: "gtrack-server", + 3592: "gtrack-ne", + 3593: "bpmd", + 3594: "mediaspace", + 3595: "shareapp", + 3596: "iw-mmogame", + 3597: "a14", + 3598: "a15", + 3599: "quasar-server", + 3600: "trap-daemon", + 3601: "visinet-gui", + 3602: "infiniswitchcl", + 3603: "int-rcv-cntrl", + 3604: "bmc-jmx-port", + 3605: "comcam-io", + 3606: "splitlock", + 3607: "precise-i3", + 3608: "trendchip-dcp", + 3609: "cpdi-pidas-cm", + 3610: "echonet", + 3611: "six-degrees", + 3612: "hp-dataprotect", + 3613: "alaris-disc", + 3614: "sigma-port", + 3615: "start-network", + 3616: "cd3o-protocol", + 3617: "sharp-server", + 3618: "aairnet-1", + 3619: "aairnet-2", + 3620: "ep-pcp", + 3621: "ep-nsp", + 3622: "ff-lr-port", + 3623: "haipe-discover", + 3624: "dist-upgrade", + 3625: "volley", + 3626: "bvcdaemon-port", + 3627: "jamserverport", + 3628: "ept-machine", + 3629: "escvpnet", + 3630: "cs-remote-db", + 3631: "cs-services", + 3632: "distcc", + 3633: "wacp", + 3634: "hlibmgr", + 3635: "sdo", + 3636: "servistaitsm", + 3637: "scservp", + 3638: "ehp-backup", + 3639: "xap-ha", + 3640: "netplay-port1", + 3641: "netplay-port2", + 3642: "juxml-port", + 3643: "audiojuggler", + 3644: "ssowatch", + 3645: "cyc", + 3646: "xss-srv-port", + 3647: "splitlock-gw", + 3648: "fjcp", + 3649: "nmmp", + 3650: "prismiq-plugin", + 3651: "xrpc-registry", + 3652: "vxcrnbuport", + 3653: "tsp", + 3654: "vaprtm", + 3655: "abatemgr", + 3656: "abatjss", + 3657: "immedianet-bcn", + 3658: "ps-ams", + 3659: "apple-sasl", + 3660: "can-nds-ssl", + 3661: "can-ferret-ssl", + 3662: "pserver", + 3663: "dtp", + 3664: "ups-engine", + 3665: "ent-engine", + 3666: "eserver-pap", + 3667: "infoexch", + 3668: "dell-rm-port", + 3669: "casanswmgmt", + 3670: "smile", + 3671: "efcp", + 3672: "lispworks-orb", + 3673: "mediavault-gui", + 3674: "wininstall-ipc", + 3675: "calltrax", + 3676: "va-pacbase", + 3677: "roverlog", + 3678: "ipr-dglt", + 3679: "Escale (Newton Dock)", + 3680: "npds-tracker", + 3681: "bts-x73", + 3682: "cas-mapi", + 3683: "bmc-ea", + 3684: "faxstfx-port", + 3685: "dsx-agent", + 3686: "tnmpv2", + 3687: "simple-push", + 3688: "simple-push-s", + 3689: "daap", + 3690: "svn", + 3691: "magaya-network", + 3692: "intelsync", + 3695: "bmc-data-coll", + 3696: "telnetcpcd", + 3697: "nw-license", + 3698: "sagectlpanel", + 3699: "kpn-icw", + 3700: "lrs-paging", + 3701: "netcelera", + 3702: "ws-discovery", + 3703: "adobeserver-3", + 3704: "adobeserver-4", + 3705: "adobeserver-5", + 3706: "rt-event", + 3707: "rt-event-s", + 3708: "sun-as-iiops", + 3709: "ca-idms", + 3710: "portgate-auth", + 3711: "edb-server2", + 3712: "sentinel-ent", + 3713: "tftps", + 3714: "delos-dms", + 3715: "anoto-rendezv", + 3716: "wv-csp-sms-cir", + 3717: "wv-csp-udp-cir", + 3718: "opus-services", + 3719: "itelserverport", + 3720: "ufastro-instr", + 3721: "xsync", + 3722: "xserveraid", + 3723: "sychrond", + 3724: "blizwow", + 3725: "na-er-tip", + 3726: "array-manager", + 3727: "e-mdu", + 3728: "e-woa", + 3729: "fksp-audit", + 3730: "client-ctrl", + 3731: "smap", + 3732: "m-wnn", + 3733: "multip-msg", + 3734: "synel-data", + 3735: "pwdis", + 3736: "rs-rmi", + 3738: "versatalk", + 3739: "launchbird-lm", + 3740: "heartbeat", + 3741: "wysdma", + 3742: "cst-port", + 3743: "ipcs-command", + 3744: "sasg", + 3745: "gw-call-port", + 3746: "linktest", + 3747: "linktest-s", + 3748: "webdata", + 3749: "cimtrak", + 3750: "cbos-ip-port", + 3751: "gprs-cube", + 3752: "vipremoteagent", + 3753: "nattyserver", + 3754: "timestenbroker", + 3755: "sas-remote-hlp", + 3756: "canon-capt", + 3757: "grf-port", + 3758: "apw-registry", + 3759: "exapt-lmgr", + 3760: "adtempusclient", + 3761: "gsakmp", + 3762: "gbs-smp", + 3763: "xo-wave", + 3764: "mni-prot-rout", + 3765: "rtraceroute", + 3767: "listmgr-port", + 3768: "rblcheckd", + 3769: "haipe-otnk", + 3770: "cindycollab", + 3771: "paging-port", + 3772: "ctp", + 3773: "ctdhercules", + 3774: "zicom", + 3775: "ispmmgr", + 3776: "dvcprov-port", + 3777: "jibe-eb", + 3778: "c-h-it-port", + 3779: "cognima", + 3780: "nnp", + 3781: "abcvoice-port", + 3782: "iso-tp0s", + 3783: "bim-pem", + 3784: "bfd-control", + 3785: "bfd-echo", + 3786: "upstriggervsw", + 3787: "fintrx", + 3788: "isrp-port", + 3789: "remotedeploy", + 3790: "quickbooksrds", + 3791: "tvnetworkvideo", + 3792: "sitewatch", + 3793: "dcsoftware", + 3794: "jaus", + 3795: "myblast", + 3796: "spw-dialer", + 3797: "idps", + 3798: "minilock", + 3799: "radius-dynauth", + 3800: "pwgpsi", + 3801: "ibm-mgr", + 3802: "vhd", + 3803: "soniqsync", + 3804: "iqnet-port", + 3805: "tcpdataserver", + 3806: "wsmlb", + 3807: "spugna", + 3808: "sun-as-iiops-ca", + 3809: "apocd", + 3810: "wlanauth", + 3811: "amp", + 3812: "neto-wol-server", + 3813: "rap-ip", + 3814: "neto-dcs", + 3815: "lansurveyorxml", + 3816: "sunlps-http", + 3817: "tapeware", + 3818: "crinis-hb", + 3819: "epl-slp", + 3820: "scp", + 3821: "pmcp", + 3822: "acp-discovery", + 3823: "acp-conduit", + 3824: "acp-policy", + 3825: "ffserver", + 3826: "warmux", + 3827: "netmpi", + 3828: "neteh", + 3829: "neteh-ext", + 3830: "cernsysmgmtagt", + 3831: "dvapps", + 3832: "xxnetserver", + 3833: "aipn-auth", + 3834: "spectardata", + 3835: "spectardb", + 3836: "markem-dcp", + 3837: "mkm-discovery", + 3838: "sos", + 3839: "amx-rms", + 3840: "flirtmitmir", + 3842: "nhci", + 3843: "quest-agent", + 3844: "rnm", + 3845: "v-one-spp", + 3846: "an-pcp", + 3847: "msfw-control", + 3848: "item", + 3849: "spw-dnspreload", + 3850: "qtms-bootstrap", + 3851: "spectraport", + 3852: "sse-app-config", + 3853: "sscan", + 3854: "stryker-com", + 3855: "opentrac", + 3856: "informer", + 3857: "trap-port", + 3858: "trap-port-mom", + 3859: "nav-port", + 3860: "sasp", + 3861: "winshadow-hd", + 3862: "giga-pocket", + 3863: "asap-udp", + 3865: "xpl", + 3866: "dzdaemon", + 3867: "dzoglserver", + 3869: "ovsam-mgmt", + 3870: "ovsam-d-agent", + 3871: "avocent-adsap", + 3872: "oem-agent", + 3873: "fagordnc", + 3874: "sixxsconfig", + 3875: "pnbscada", + 3876: "dl-agent", + 3877: "xmpcr-interface", + 3878: "fotogcad", + 3879: "appss-lm", + 3880: "igrs", + 3881: "idac", + 3882: "msdts1", + 3883: "vrpn", + 3884: "softrack-meter", + 3885: "topflow-ssl", + 3886: "nei-management", + 3887: "ciphire-data", + 3888: "ciphire-serv", + 3889: "dandv-tester", + 3890: "ndsconnect", + 3891: "rtc-pm-port", + 3892: "pcc-image-port", + 3893: "cgi-starapi", + 3894: "syam-agent", + 3895: "syam-smc", + 3896: "sdo-tls", + 3897: "sdo-ssh", + 3898: "senip", + 3899: "itv-control", + 3900: "udt-os", + 3901: "nimsh", + 3902: "nimaux", + 3903: "charsetmgr", + 3904: "omnilink-port", + 3905: "mupdate", + 3906: "topovista-data", + 3907: "imoguia-port", + 3908: "hppronetman", + 3909: "surfcontrolcpa", + 3910: "prnrequest", + 3911: "prnstatus", + 3912: "gbmt-stars", + 3913: "listcrt-port", + 3914: "listcrt-port-2", + 3915: "agcat", + 3916: "wysdmc", + 3917: "aftmux", + 3918: "pktcablemmcops", + 3919: "hyperip", + 3920: "exasoftport1", + 3921: "herodotus-net", + 3922: "sor-update", + 3923: "symb-sb-port", + 3924: "mpl-gprs-port", + 3925: "zmp", + 3926: "winport", + 3927: "natdataservice", + 3928: "netboot-pxe", + 3929: "smauth-port", + 3930: "syam-webserver", + 3931: "msr-plugin-port", + 3932: "dyn-site", + 3933: "plbserve-port", + 3934: "sunfm-port", + 3935: "sdp-portmapper", + 3936: "mailprox", + 3937: "dvbservdsc", + 3938: "dbcontrol-agent", + 3939: "aamp", + 3940: "xecp-node", + 3941: "homeportal-web", + 3942: "srdp", + 3943: "tig", + 3944: "sops", + 3945: "emcads", + 3946: "backupedge", + 3947: "ccp", + 3948: "apdap", + 3949: "drip", + 3950: "namemunge", + 3951: "pwgippfax", + 3952: "i3-sessionmgr", + 3953: "xmlink-connect", + 3954: "adrep", + 3955: "p2pcommunity", + 3956: "gvcp", + 3957: "mqe-broker", + 3958: "mqe-agent", + 3959: "treehopper", + 3960: "bess", + 3961: "proaxess", + 3962: "sbi-agent", + 3963: "thrp", + 3964: "sasggprs", + 3965: "ati-ip-to-ncpe", + 3966: "bflckmgr", + 3967: "ppsms", + 3968: "ianywhere-dbns", + 3969: "landmarks", + 3970: "lanrevagent", + 3971: "lanrevserver", + 3972: "iconp", + 3973: "progistics", + 3974: "citysearch", + 3975: "airshot", + 3976: "opswagent", + 3977: "opswmanager", + 3978: "secure-cfg-svr", + 3979: "smwan", + 3980: "acms", + 3981: "starfish", + 3982: "eis", + 3983: "eisp", + 3984: "mapper-nodemgr", + 3985: "mapper-mapethd", + 3986: "mapper-ws-ethd", + 3987: "centerline", + 3988: "dcs-config", + 3989: "bv-queryengine", + 3990: "bv-is", + 3991: "bv-smcsrv", + 3992: "bv-ds", + 3993: "bv-agent", + 3995: "iss-mgmt-ssl", + 3996: "abcsoftware", + 3997: "agentsease-db", + 3998: "dnx", + 3999: "nvcnet", + 4000: "terabase", + 4001: "newoak", + 4002: "pxc-spvr-ft", + 4003: "pxc-splr-ft", + 4004: "pxc-roid", + 4005: "pxc-pin", + 4006: "pxc-spvr", + 4007: "pxc-splr", + 4008: "netcheque", + 4009: "chimera-hwm", + 4010: "samsung-unidex", + 4011: "altserviceboot", + 4012: "pda-gate", + 4013: "acl-manager", + 4014: "taiclock", + 4015: "talarian-mcast1", + 4016: "talarian-mcast2", + 4017: "talarian-mcast3", + 4018: "talarian-mcast4", + 4019: "talarian-mcast5", + 4020: "trap", + 4021: "nexus-portal", + 4022: "dnox", + 4023: "esnm-zoning", + 4024: "tnp1-port", + 4025: "partimage", + 4026: "as-debug", + 4027: "bxp", + 4028: "dtserver-port", + 4029: "ip-qsig", + 4030: "jdmn-port", + 4031: "suucp", + 4032: "vrts-auth-port", + 4033: "sanavigator", + 4034: "ubxd", + 4035: "wap-push-http", + 4036: "wap-push-https", + 4037: "ravehd", + 4038: "fazzt-ptp", + 4039: "fazzt-admin", + 4040: "yo-main", + 4041: "houston", + 4042: "ldxp", + 4043: "nirp", + 4044: "ltp", + 4045: "npp", + 4046: "acp-proto", + 4047: "ctp-state", + 4049: "wafs", + 4050: "cisco-wafs", + 4051: "cppdp", + 4052: "interact", + 4053: "ccu-comm-1", + 4054: "ccu-comm-2", + 4055: "ccu-comm-3", + 4056: "lms", + 4057: "wfm", + 4058: "kingfisher", + 4059: "dlms-cosem", + 4060: "dsmeter-iatc", + 4061: "ice-location", + 4062: "ice-slocation", + 4063: "ice-router", + 4064: "ice-srouter", + 4065: "avanti-cdp", + 4066: "pmas", + 4067: "idp", + 4068: "ipfltbcst", + 4069: "minger", + 4070: "tripe", + 4071: "aibkup", + 4072: "zieto-sock", + 4073: "iRAPP", + 4074: "cequint-cityid", + 4075: "perimlan", + 4076: "seraph", + 4077: "ascomalarm", + 4079: "santools", + 4080: "lorica-in", + 4081: "lorica-in-sec", + 4082: "lorica-out", + 4083: "lorica-out-sec", + 4084: "fortisphere-vm", + 4086: "ftsync", + 4089: "opencore", + 4090: "omasgport", + 4091: "ewinstaller", + 4092: "ewdgs", + 4093: "pvxpluscs", + 4094: "sysrqd", + 4095: "xtgui", + 4096: "bre", + 4097: "patrolview", + 4098: "drmsfsd", + 4099: "dpcp", + 4100: "igo-incognito", + 4101: "brlp-0", + 4102: "brlp-1", + 4103: "brlp-2", + 4104: "brlp-3", + 4105: "shofar", + 4106: "synchronite", + 4107: "j-ac", + 4108: "accel", + 4109: "izm", + 4110: "g2tag", + 4111: "xgrid", + 4112: "apple-vpns-rp", + 4113: "aipn-reg", + 4114: "jomamqmonitor", + 4115: "cds", + 4116: "smartcard-tls", + 4117: "hillrserv", + 4118: "netscript", + 4119: "assuria-slm", + 4121: "e-builder", + 4122: "fprams", + 4123: "z-wave", + 4124: "tigv2", + 4125: "opsview-envoy", + 4126: "ddrepl", + 4127: "unikeypro", + 4128: "nufw", + 4129: "nuauth", + 4130: "fronet", + 4131: "stars", + 4132: "nuts-dem", + 4133: "nuts-bootp", + 4134: "nifty-hmi", + 4135: "cl-db-attach", + 4136: "cl-db-request", + 4137: "cl-db-remote", + 4138: "nettest", + 4139: "thrtx", + 4140: "cedros-fds", + 4141: "oirtgsvc", + 4142: "oidocsvc", + 4143: "oidsr", + 4145: "vvr-control", + 4146: "tgcconnect", + 4147: "vrxpservman", + 4148: "hhb-handheld", + 4149: "agslb", + 4150: "PowerAlert-nsa", + 4151: "menandmice-noh", + 4152: "idig-mux", + 4153: "mbl-battd", + 4154: "atlinks", + 4155: "bzr", + 4156: "stat-results", + 4157: "stat-scanner", + 4158: "stat-cc", + 4159: "nss", + 4160: "jini-discovery", + 4161: "omscontact", + 4162: "omstopology", + 4163: "silverpeakpeer", + 4164: "silverpeakcomm", + 4165: "altcp", + 4166: "joost", + 4167: "ddgn", + 4168: "pslicser", + 4169: "iadt-disc", + 4172: "pcoip", + 4173: "mma-discovery", + 4174: "sm-disc", + 4177: "wello", + 4178: "storman", + 4179: "MaxumSP", + 4180: "httpx", + 4181: "macbak", + 4182: "pcptcpservice", + 4183: "cyborgnet", + 4184: "universe-suite", + 4185: "wcpp", + 4188: "vatata", + 4191: "dsmipv6", + 4192: "azeti-bd", + 4197: "hctl", + 4199: "eims-admin", + 4300: "corelccam", + 4301: "d-data", + 4302: "d-data-control", + 4303: "srcp", + 4304: "owserver", + 4305: "batman", + 4306: "pinghgl", + 4307: "trueconf", + 4308: "compx-lockview", + 4309: "dserver", + 4310: "mirrtex", + 4320: "fdt-rcatp", + 4321: "rwhois", + 4322: "trim-event", + 4323: "trim-ice", + 4325: "geognosisman", + 4326: "geognosis", + 4327: "jaxer-web", + 4328: "jaxer-manager", + 4333: "ahsp", + 4340: "gaia", + 4341: "lisp-data", + 4342: "lisp-control", + 4343: "unicall", + 4344: "vinainstall", + 4345: "m4-network-as", + 4346: "elanlm", + 4347: "lansurveyor", + 4348: "itose", + 4349: "fsportmap", + 4350: "net-device", + 4351: "plcy-net-svcs", + 4352: "pjlink", + 4353: "f5-iquery", + 4354: "qsnet-trans", + 4355: "qsnet-workst", + 4356: "qsnet-assist", + 4357: "qsnet-cond", + 4358: "qsnet-nucl", + 4359: "omabcastltkm", + 4361: "nacnl", + 4362: "afore-vdp-disc", + 4366: "shadowstream", + 4368: "wxbrief", + 4369: "epmd", + 4370: "elpro-tunnel", + 4371: "l2c-disc", + 4372: "l2c-data", + 4373: "remctl", + 4375: "tolteces", + 4376: "bip", + 4377: "cp-spxsvr", + 4378: "cp-spxdpy", + 4379: "ctdb", + 4389: "xandros-cms", + 4390: "wiegand", + 4394: "apwi-disc", + 4395: "omnivisionesx", + 4400: "ds-srv", + 4401: "ds-srvr", + 4402: "ds-clnt", + 4403: "ds-user", + 4404: "ds-admin", + 4405: "ds-mail", + 4406: "ds-slp", + 4412: "smallchat", + 4413: "avi-nms-disc", + 4416: "pjj-player-disc", + 4418: "axysbridge", + 4420: "nvm-express", + 4425: "netrockey6", + 4426: "beacon-port-2", + 4430: "rsqlserver", + 4432: "l-acoustics", + 4441: "netblox", + 4442: "saris", + 4443: "pharos", + 4444: "krb524", + 4445: "upnotifyp", + 4446: "n1-fwp", + 4447: "n1-rmgmt", + 4448: "asc-slmd", + 4449: "privatewire", + 4450: "camp", + 4451: "ctisystemmsg", + 4452: "ctiprogramload", + 4453: "nssalertmgr", + 4454: "nssagentmgr", + 4455: "prchat-user", + 4456: "prchat-server", + 4457: "prRegister", + 4458: "mcp", + 4484: "hpssmgmt", + 4486: "icms", + 4488: "awacs-ice", + 4500: "ipsec-nat-t", + 4534: "armagetronad", + 4535: "ehs", + 4536: "ehs-ssl", + 4537: "wssauthsvc", + 4538: "swx-gate", + 4545: "worldscores", + 4546: "sf-lm", + 4547: "lanner-lm", + 4548: "synchromesh", + 4549: "aegate", + 4550: "gds-adppiw-db", + 4551: "ieee-mih", + 4552: "menandmice-mon", + 4554: "msfrs", + 4555: "rsip", + 4556: "dtn-bundle", + 4557: "mtcevrunqss", + 4558: "mtcevrunqman", + 4559: "hylafax", + 4566: "kwtc", + 4567: "tram", + 4568: "bmc-reporting", + 4569: "iax", + 4591: "l3t-at-an", + 4592: "hrpd-ith-at-an", + 4593: "ipt-anri-anri", + 4594: "ias-session", + 4595: "ias-paging", + 4596: "ias-neighbor", + 4597: "a21-an-1xbs", + 4598: "a16-an-an", + 4599: "a17-an-an", + 4600: "piranha1", + 4601: "piranha2", + 4621: "ventoso", + 4658: "playsta2-app", + 4659: "playsta2-lob", + 4660: "smaclmgr", + 4661: "kar2ouche", + 4662: "oms", + 4663: "noteit", + 4664: "ems", + 4665: "contclientms", + 4666: "eportcomm", + 4667: "mmacomm", + 4668: "mmaeds", + 4669: "eportcommdata", + 4670: "light", + 4671: "acter", + 4672: "rfa", + 4673: "cxws", + 4674: "appiq-mgmt", + 4675: "dhct-status", + 4676: "dhct-alerts", + 4677: "bcs", + 4678: "traversal", + 4679: "mgesupervision", + 4680: "mgemanagement", + 4681: "parliant", + 4682: "finisar", + 4683: "spike", + 4684: "rfid-rp1", + 4685: "autopac", + 4686: "msp-os", + 4687: "nst", + 4688: "mobile-p2p", + 4689: "altovacentral", + 4690: "prelude", + 4691: "mtn", + 4692: "conspiracy", + 4700: "netxms-agent", + 4701: "netxms-mgmt", + 4702: "netxms-sync", + 4711: "trinity-dist", + 4725: "truckstar", + 4726: "a26-fap-fgw", + 4727: "fcis-disc", + 4728: "capmux", + 4729: "gsmtap", + 4730: "gearman", + 4732: "ohmtrigger", + 4737: "ipdr-sp", + 4738: "solera-lpn", + 4739: "ipfix", + 4740: "ipfixs", + 4741: "lumimgrd", + 4742: "sicct-sdp", + 4743: "openhpid", + 4744: "ifsp", + 4745: "fmp", + 4746: "intelliadm-disc", + 4747: "buschtrommel", + 4749: "profilemac", + 4750: "ssad", + 4751: "spocp", + 4752: "snap", + 4753: "simon-disc", + 4754: "gre-in-udp", + 4755: "gre-udp-dtls", + 4784: "bfd-multi-ctl", + 4785: "cncp", + 4789: "vxlan", + 4790: "vxlan-gpe", + 4791: "roce", + 4800: "iims", + 4801: "iwec", + 4802: "ilss", + 4803: "notateit-disc", + 4804: "aja-ntv4-disc", + 4827: "htcp", + 4837: "varadero-0", + 4838: "varadero-1", + 4839: "varadero-2", + 4840: "opcua-udp", + 4841: "quosa", + 4842: "gw-asv", + 4843: "opcua-tls", + 4844: "gw-log", + 4845: "wcr-remlib", + 4846: "contamac-icm", + 4847: "wfc", + 4848: "appserv-http", + 4849: "appserv-https", + 4850: "sun-as-nodeagt", + 4851: "derby-repli", + 4867: "unify-debug", + 4868: "phrelay", + 4869: "phrelaydbg", + 4870: "cc-tracking", + 4871: "wired", + 4876: "tritium-can", + 4877: "lmcs", + 4878: "inst-discovery", + 4881: "socp-t", + 4882: "socp-c", + 4884: "hivestor", + 4885: "abbs", + 4894: "lyskom", + 4899: "radmin-port", + 4900: "hfcs", + 4914: "bones", + 4936: "an-signaling", + 4937: "atsc-mh-ssc", + 4940: "eq-office-4940", + 4941: "eq-office-4941", + 4942: "eq-office-4942", + 4949: "munin", + 4950: "sybasesrvmon", + 4951: "pwgwims", + 4952: "sagxtsds", + 4969: "ccss-qmm", + 4970: "ccss-qsm", + 4980: "ctxs-vpp", + 4986: "mrip", + 4987: "smar-se-port1", + 4988: "smar-se-port2", + 4989: "parallel", + 4990: "busycal", + 4991: "vrt", + 4999: "hfcs-manager", + 5000: "commplex-main", + 5001: "commplex-link", + 5002: "rfe", + 5003: "fmpro-internal", + 5004: "avt-profile-1", + 5005: "avt-profile-2", + 5006: "wsm-server", + 5007: "wsm-server-ssl", + 5008: "synapsis-edge", + 5009: "winfs", + 5010: "telelpathstart", + 5011: "telelpathattack", + 5012: "nsp", + 5013: "fmpro-v6", + 5014: "onpsocket", + 5020: "zenginkyo-1", + 5021: "zenginkyo-2", + 5022: "mice", + 5023: "htuilsrv", + 5024: "scpi-telnet", + 5025: "scpi-raw", + 5026: "strexec-d", + 5027: "strexec-s", + 5029: "infobright", + 5030: "surfpass", + 5031: "dmp", + 5042: "asnaacceler8db", + 5043: "swxadmin", + 5044: "lxi-evntsvc", + 5046: "vpm-udp", + 5047: "iscape", + 5049: "ivocalize", + 5050: "mmcc", + 5051: "ita-agent", + 5052: "ita-manager", + 5053: "rlm-disc", + 5055: "unot", + 5056: "intecom-ps1", + 5057: "intecom-ps2", + 5058: "locus-disc", + 5059: "sds", + 5060: "sip", + 5061: "sips", + 5062: "na-localise", + 5064: "ca-1", + 5065: "ca-2", + 5066: "stanag-5066", + 5067: "authentx", + 5069: "i-net-2000-npr", + 5070: "vtsas", + 5071: "powerschool", + 5072: "ayiya", + 5073: "tag-pm", + 5074: "alesquery", + 5078: "pixelpusher", + 5079: "cp-spxrpts", + 5080: "onscreen", + 5081: "sdl-ets", + 5082: "qcp", + 5083: "qfp", + 5084: "llrp", + 5085: "encrypted-llrp", + 5092: "magpie", + 5093: "sentinel-lm", + 5094: "hart-ip", + 5099: "sentlm-srv2srv", + 5100: "socalia", + 5101: "talarian-udp", + 5102: "oms-nonsecure", + 5104: "tinymessage", + 5105: "hughes-ap", + 5111: "taep-as-svc", + 5112: "pm-cmdsvr", + 5116: "emb-proj-cmd", + 5120: "barracuda-bbs", + 5133: "nbt-pc", + 5136: "minotaur-sa", + 5137: "ctsd", + 5145: "rmonitor-secure", + 5150: "atmp", + 5151: "esri-sde", + 5152: "sde-discovery", + 5154: "bzflag", + 5155: "asctrl-agent", + 5164: "vpa-disc", + 5165: "ife-icorp", + 5166: "winpcs", + 5167: "scte104", + 5168: "scte30", + 5190: "aol", + 5191: "aol-1", + 5192: "aol-2", + 5193: "aol-3", + 5200: "targus-getdata", + 5201: "targus-getdata1", + 5202: "targus-getdata2", + 5203: "targus-getdata3", + 5223: "hpvirtgrp", + 5224: "hpvirtctrl", + 5225: "hp-server", + 5226: "hp-status", + 5227: "perfd", + 5234: "eenet", + 5235: "galaxy-network", + 5236: "padl2sim", + 5237: "mnet-discovery", + 5245: "downtools-disc", + 5246: "capwap-control", + 5247: "capwap-data", + 5248: "caacws", + 5249: "caaclang2", + 5250: "soagateway", + 5251: "caevms", + 5252: "movaz-ssc", + 5264: "3com-njack-1", + 5265: "3com-njack-2", + 5270: "cartographerxmp", + 5271: "cuelink-disc", + 5272: "pk", + 5282: "transmit-port", + 5298: "presence", + 5299: "nlg-data", + 5300: "hacl-hb", + 5301: "hacl-gs", + 5302: "hacl-cfg", + 5303: "hacl-probe", + 5304: "hacl-local", + 5305: "hacl-test", + 5306: "sun-mc-grp", + 5307: "sco-aip", + 5308: "cfengine", + 5309: "jprinter", + 5310: "outlaws", + 5312: "permabit-cs", + 5313: "rrdp", + 5314: "opalis-rbt-ipc", + 5315: "hacl-poll", + 5343: "kfserver", + 5344: "xkotodrcp", + 5349: "stuns", + 5350: "pcp-multicast", + 5351: "pcp", + 5352: "dns-llq", + 5353: "mdns", + 5354: "mdnsresponder", + 5355: "llmnr", + 5356: "ms-smlbiz", + 5357: "wsdapi", + 5358: "wsdapi-s", + 5359: "ms-alerter", + 5360: "ms-sideshow", + 5361: "ms-s-sideshow", + 5362: "serverwsd2", + 5363: "net-projection", + 5364: "kdnet", + 5397: "stresstester", + 5398: "elektron-admin", + 5399: "securitychase", + 5400: "excerpt", + 5401: "excerpts", + 5402: "mftp", + 5403: "hpoms-ci-lstn", + 5404: "hpoms-dps-lstn", + 5405: "netsupport", + 5406: "systemics-sox", + 5407: "foresyte-clear", + 5408: "foresyte-sec", + 5409: "salient-dtasrv", + 5410: "salient-usrmgr", + 5411: "actnet", + 5412: "continuus", + 5413: "wwiotalk", + 5414: "statusd", + 5415: "ns-server", + 5416: "sns-gateway", + 5417: "sns-agent", + 5418: "mcntp", + 5419: "dj-ice", + 5420: "cylink-c", + 5421: "netsupport2", + 5422: "salient-mux", + 5423: "virtualuser", + 5424: "beyond-remote", + 5425: "br-channel", + 5426: "devbasic", + 5427: "sco-peer-tta", + 5428: "telaconsole", + 5429: "base", + 5430: "radec-corp", + 5431: "park-agent", + 5432: "postgresql", + 5433: "pyrrho", + 5434: "sgi-arrayd", + 5435: "sceanics", + 5436: "pmip6-cntl", + 5437: "pmip6-data", + 5443: "spss", + 5450: "tiepie-disc", + 5453: "surebox", + 5454: "apc-5454", + 5455: "apc-5455", + 5456: "apc-5456", + 5461: "silkmeter", + 5462: "ttl-publisher", + 5463: "ttlpriceproxy", + 5464: "quailnet", + 5465: "netops-broker", + 5474: "apsolab-rpc", + 5500: "fcp-addr-srvr1", + 5501: "fcp-addr-srvr2", + 5502: "fcp-srvr-inst1", + 5503: "fcp-srvr-inst2", + 5504: "fcp-cics-gw1", + 5505: "checkoutdb", + 5506: "amc", + 5553: "sgi-eventmond", + 5554: "sgi-esphttp", + 5555: "personal-agent", + 5556: "freeciv", + 5567: "dof-dps-mc-sec", + 5568: "sdt", + 5569: "rdmnet-device", + 5573: "sdmmp", + 5580: "tmosms0", + 5581: "tmosms1", + 5582: "fac-restore", + 5583: "tmo-icon-sync", + 5584: "bis-web", + 5585: "bis-sync", + 5597: "ininmessaging", + 5598: "mctfeed", + 5599: "esinstall", + 5600: "esmmanager", + 5601: "esmagent", + 5602: "a1-msc", + 5603: "a1-bs", + 5604: "a3-sdunode", + 5605: "a4-sdunode", + 5627: "ninaf", + 5628: "htrust", + 5629: "symantec-sfdb", + 5630: "precise-comm", + 5631: "pcanywheredata", + 5632: "pcanywherestat", + 5633: "beorl", + 5634: "xprtld", + 5670: "zre-disc", + 5671: "amqps", + 5672: "amqp", + 5673: "jms", + 5674: "hyperscsi-port", + 5675: "v5ua", + 5676: "raadmin", + 5677: "questdb2-lnchr", + 5678: "rrac", + 5679: "dccm", + 5680: "auriga-router", + 5681: "ncxcp", + 5682: "brightcore", + 5683: "coap", + 5684: "coaps", + 5687: "gog-multiplayer", + 5688: "ggz", + 5689: "qmvideo", + 5713: "proshareaudio", + 5714: "prosharevideo", + 5715: "prosharedata", + 5716: "prosharerequest", + 5717: "prosharenotify", + 5718: "dpm", + 5719: "dpm-agent", + 5720: "ms-licensing", + 5721: "dtpt", + 5722: "msdfsr", + 5723: "omhs", + 5724: "omsdk", + 5728: "io-dist-group", + 5729: "openmail", + 5730: "unieng", + 5741: "ida-discover1", + 5742: "ida-discover2", + 5743: "watchdoc-pod", + 5744: "watchdoc", + 5745: "fcopy-server", + 5746: "fcopys-server", + 5747: "tunatic", + 5748: "tunalyzer", + 5750: "rscd", + 5755: "openmailg", + 5757: "x500ms", + 5766: "openmailns", + 5767: "s-openmail", + 5768: "openmailpxy", + 5769: "spramsca", + 5770: "spramsd", + 5771: "netagent", + 5777: "dali-port", + 5781: "3par-evts", + 5782: "3par-mgmt", + 5783: "3par-mgmt-ssl", + 5784: "ibar", + 5785: "3par-rcopy", + 5786: "cisco-redu", + 5787: "waascluster", + 5793: "xtreamx", + 5794: "spdp", + 5813: "icmpd", + 5814: "spt-automation", + 5859: "wherehoo", + 5863: "ppsuitemsg", + 5900: "rfb", + 5910: "cm", + 5911: "cpdlc", + 5912: "fis", + 5913: "ads-c", + 5963: "indy", + 5968: "mppolicy-v5", + 5969: "mppolicy-mgr", + 5984: "couchdb", + 5985: "wsman", + 5986: "wsmans", + 5987: "wbem-rmi", + 5988: "wbem-http", + 5989: "wbem-https", + 5990: "wbem-exp-https", + 5991: "nuxsl", + 5992: "consul-insight", + 5999: "cvsup", + 6064: "ndl-ahp-svc", + 6065: "winpharaoh", + 6066: "ewctsp", + 6069: "trip", + 6070: "messageasap", + 6071: "ssdtp", + 6072: "diagnose-proc", + 6073: "directplay8", + 6074: "max", + 6080: "gue", + 6081: "geneve", + 6082: "p25cai", + 6083: "miami-bcast", + 6085: "konspire2b", + 6086: "pdtp", + 6087: "ldss", + 6088: "doglms-notify", + 6100: "synchronet-db", + 6101: "synchronet-rtc", + 6102: "synchronet-upd", + 6103: "rets", + 6104: "dbdb", + 6105: "primaserver", + 6106: "mpsserver", + 6107: "etc-control", + 6108: "sercomm-scadmin", + 6109: "globecast-id", + 6110: "softcm", + 6111: "spc", + 6112: "dtspcd", + 6118: "tipc", + 6122: "bex-webadmin", + 6123: "backup-express", + 6124: "pnbs", + 6133: "nbt-wol", + 6140: "pulsonixnls", + 6141: "meta-corp", + 6142: "aspentec-lm", + 6143: "watershed-lm", + 6144: "statsci1-lm", + 6145: "statsci2-lm", + 6146: "lonewolf-lm", + 6147: "montage-lm", + 6148: "ricardo-lm", + 6149: "tal-pod", + 6160: "ecmp-data", + 6161: "patrol-ism", + 6162: "patrol-coll", + 6163: "pscribe", + 6200: "lm-x", + 6201: "thermo-calc", + 6209: "qmtps", + 6222: "radmind", + 6241: "jeol-nsddp-1", + 6242: "jeol-nsddp-2", + 6243: "jeol-nsddp-3", + 6244: "jeol-nsddp-4", + 6251: "tl1-raw-ssl", + 6252: "tl1-ssh", + 6253: "crip", + 6268: "grid", + 6269: "grid-alt", + 6300: "bmc-grx", + 6301: "bmc-ctd-ldap", + 6306: "ufmp", + 6315: "scup-disc", + 6316: "abb-escp", + 6317: "nav-data", + 6320: "repsvc", + 6321: "emp-server1", + 6322: "emp-server2", + 6324: "hrd-ns-disc", + 6343: "sflow", + 6346: "gnutella-svc", + 6347: "gnutella-rtr", + 6350: "adap", + 6355: "pmcs", + 6360: "metaedit-mu", + 6363: "ndn", + 6370: "metaedit-se", + 6382: "metatude-mds", + 6389: "clariion-evr01", + 6390: "metaedit-ws", + 6417: "faxcomservice", + 6419: "svdrp-disc", + 6420: "nim-vdrshell", + 6421: "nim-wan", + 6443: "sun-sr-https", + 6444: "sge-qmaster", + 6445: "sge-execd", + 6446: "mysql-proxy", + 6455: "skip-cert-recv", + 6456: "skip-cert-send", + 6464: "ieee11073-20701", + 6471: "lvision-lm", + 6480: "sun-sr-http", + 6481: "servicetags", + 6482: "ldoms-mgmt", + 6483: "SunVTS-RMI", + 6484: "sun-sr-jms", + 6485: "sun-sr-iiop", + 6486: "sun-sr-iiops", + 6487: "sun-sr-iiop-aut", + 6488: "sun-sr-jmx", + 6489: "sun-sr-admin", + 6500: "boks", + 6501: "boks-servc", + 6502: "boks-servm", + 6503: "boks-clntd", + 6505: "badm-priv", + 6506: "badm-pub", + 6507: "bdir-priv", + 6508: "bdir-pub", + 6509: "mgcs-mfp-port", + 6510: "mcer-port", + 6511: "dccp-udp", + 6514: "syslog-tls", + 6515: "elipse-rec", + 6543: "lds-distrib", + 6544: "lds-dump", + 6547: "apc-6547", + 6548: "apc-6548", + 6549: "apc-6549", + 6550: "fg-sysupdate", + 6551: "sum", + 6558: "xdsxdm", + 6566: "sane-port", + 6568: "rp-reputation", + 6579: "affiliate", + 6580: "parsec-master", + 6581: "parsec-peer", + 6582: "parsec-game", + 6583: "joaJewelSuite", + 6619: "odette-ftps", + 6620: "kftp-data", + 6621: "kftp", + 6622: "mcftp", + 6623: "ktelnet", + 6626: "wago-service", + 6627: "nexgen", + 6628: "afesc-mc", + 6629: "nexgen-aux", + 6633: "cisco-vpath-tun", + 6634: "mpls-pm", + 6635: "mpls-udp", + 6636: "mpls-udp-dtls", + 6653: "openflow", + 6657: "palcom-disc", + 6670: "vocaltec-gold", + 6671: "p4p-portal", + 6672: "vision-server", + 6673: "vision-elmd", + 6678: "vfbp-disc", + 6679: "osaut", + 6689: "tsa", + 6696: "babel", + 6701: "kti-icad-srvr", + 6702: "e-design-net", + 6703: "e-design-web", + 6714: "ibprotocol", + 6715: "fibotrader-com", + 6767: "bmc-perf-agent", + 6768: "bmc-perf-mgrd", + 6769: "adi-gxp-srvprt", + 6770: "plysrv-http", + 6771: "plysrv-https", + 6784: "bfd-lag", + 6785: "dgpf-exchg", + 6786: "smc-jmx", + 6787: "smc-admin", + 6788: "smc-http", + 6790: "hnmp", + 6791: "hnm", + 6801: "acnet", + 6831: "ambit-lm", + 6841: "netmo-default", + 6842: "netmo-http", + 6850: "iccrushmore", + 6868: "acctopus-st", + 6888: "muse", + 6935: "ethoscan", + 6936: "xsmsvc", + 6946: "bioserver", + 6951: "otlp", + 6961: "jmact3", + 6962: "jmevt2", + 6963: "swismgr1", + 6964: "swismgr2", + 6965: "swistrap", + 6966: "swispol", + 6969: "acmsoda", + 6997: "MobilitySrv", + 6998: "iatp-highpri", + 6999: "iatp-normalpri", + 7000: "afs3-fileserver", + 7001: "afs3-callback", + 7002: "afs3-prserver", + 7003: "afs3-vlserver", + 7004: "afs3-kaserver", + 7005: "afs3-volser", + 7006: "afs3-errors", + 7007: "afs3-bos", + 7008: "afs3-update", + 7009: "afs3-rmtsys", + 7010: "ups-onlinet", + 7011: "talon-disc", + 7012: "talon-engine", + 7013: "microtalon-dis", + 7014: "microtalon-com", + 7015: "talon-webserver", + 7016: "spg", + 7017: "grasp", + 7019: "doceri-view", + 7020: "dpserve", + 7021: "dpserveadmin", + 7022: "ctdp", + 7023: "ct2nmcs", + 7024: "vmsvc", + 7025: "vmsvc-2", + 7030: "op-probe", + 7040: "quest-disc", + 7070: "arcp", + 7071: "iwg1", + 7080: "empowerid", + 7088: "zixi-transport", + 7095: "jdp-disc", + 7099: "lazy-ptop", + 7100: "font-service", + 7101: "elcn", + 7107: "aes-x170", + 7121: "virprot-lm", + 7128: "scenidm", + 7129: "scenccs", + 7161: "cabsm-comm", + 7162: "caistoragemgr", + 7163: "cacsambroker", + 7164: "fsr", + 7165: "doc-server", + 7166: "aruba-server", + 7169: "ccag-pib", + 7170: "nsrp", + 7171: "drm-production", + 7174: "clutild", + 7181: "janus-disc", + 7200: "fodms", + 7201: "dlip", + 7227: "ramp", + 7235: "aspcoordination", + 7244: "frc-hicp-disc", + 7262: "cnap", + 7272: "watchme-7272", + 7273: "oma-rlp", + 7274: "oma-rlp-s", + 7275: "oma-ulp", + 7276: "oma-ilp", + 7277: "oma-ilp-s", + 7278: "oma-dcdocbs", + 7279: "ctxlic", + 7280: "itactionserver1", + 7281: "itactionserver2", + 7282: "mzca-alert", + 7365: "lcm-server", + 7391: "mindfilesys", + 7392: "mrssrendezvous", + 7393: "nfoldman", + 7394: "fse", + 7395: "winqedit", + 7397: "hexarc", + 7400: "rtps-discovery", + 7401: "rtps-dd-ut", + 7402: "rtps-dd-mt", + 7410: "ionixnetmon", + 7411: "daqstream", + 7421: "mtportmon", + 7426: "pmdmgr", + 7427: "oveadmgr", + 7428: "ovladmgr", + 7429: "opi-sock", + 7430: "xmpv7", + 7431: "pmd", + 7437: "faximum", + 7443: "oracleas-https", + 7473: "rise", + 7491: "telops-lmd", + 7500: "silhouette", + 7501: "ovbus", + 7510: "ovhpas", + 7511: "pafec-lm", + 7542: "saratoga", + 7543: "atul", + 7544: "nta-ds", + 7545: "nta-us", + 7546: "cfs", + 7547: "cwmp", + 7548: "tidp", + 7549: "nls-tl", + 7550: "cloudsignaling", + 7560: "sncp", + 7566: "vsi-omega", + 7570: "aries-kfinder", + 7574: "coherence-disc", + 7588: "sun-lm", + 7606: "mipi-debug", + 7624: "indi", + 7627: "soap-http", + 7628: "zen-pawn", + 7629: "xdas", + 7633: "pmdfmgt", + 7648: "cuseeme", + 7674: "imqtunnels", + 7675: "imqtunnel", + 7676: "imqbrokerd", + 7677: "sun-user-https", + 7680: "pando-pub", + 7689: "collaber", + 7697: "klio", + 7707: "sync-em7", + 7708: "scinet", + 7720: "medimageportal", + 7724: "nsdeepfreezectl", + 7725: "nitrogen", + 7726: "freezexservice", + 7727: "trident-data", + 7728: "osvr", + 7734: "smip", + 7738: "aiagent", + 7741: "scriptview", + 7743: "sstp-1", + 7744: "raqmon-pdu", + 7747: "prgp", + 7777: "cbt", + 7778: "interwise", + 7779: "vstat", + 7781: "accu-lmgr", + 7784: "s-bfd", + 7786: "minivend", + 7787: "popup-reminders", + 7789: "office-tools", + 7794: "q3ade", + 7797: "pnet-conn", + 7798: "pnet-enc", + 7799: "altbsdp", + 7800: "asr", + 7801: "ssp-client", + 7802: "vns-tp", + 7810: "rbt-wanopt", + 7845: "apc-7845", + 7846: "apc-7846", + 7872: "mipv6tls", + 7880: "pss", + 7887: "ubroker", + 7900: "mevent", + 7901: "tnos-sp", + 7902: "tnos-dp", + 7903: "tnos-dps", + 7913: "qo-secure", + 7932: "t2-drm", + 7933: "t2-brm", + 7962: "generalsync", + 7967: "supercell", + 7979: "micromuse-ncps", + 7980: "quest-vista", + 7982: "sossd-disc", + 7998: "usicontentpush", + 7999: "irdmi2", + 8000: "irdmi", + 8001: "vcom-tunnel", + 8002: "teradataordbms", + 8003: "mcreport", + 8005: "mxi", + 8006: "wpl-disc", + 8007: "warppipe", + 8008: "http-alt", + 8019: "qbdb", + 8020: "intu-ec-svcdisc", + 8021: "intu-ec-client", + 8022: "oa-system", + 8025: "ca-audit-da", + 8026: "ca-audit-ds", + 8032: "pro-ed", + 8033: "mindprint", + 8034: "vantronix-mgmt", + 8040: "ampify", + 8041: "enguity-xccetp", + 8052: "senomix01", + 8053: "senomix02", + 8054: "senomix03", + 8055: "senomix04", + 8056: "senomix05", + 8057: "senomix06", + 8058: "senomix07", + 8059: "senomix08", + 8060: "aero", + 8074: "gadugadu", + 8080: "http-alt", + 8081: "sunproxyadmin", + 8082: "us-cli", + 8083: "us-srv", + 8086: "d-s-n", + 8087: "simplifymedia", + 8088: "radan-http", + 8097: "sac", + 8100: "xprint-server", + 8115: "mtl8000-matrix", + 8116: "cp-cluster", + 8118: "privoxy", + 8121: "apollo-data", + 8122: "apollo-admin", + 8128: "paycash-online", + 8129: "paycash-wbp", + 8130: "indigo-vrmi", + 8131: "indigo-vbcp", + 8132: "dbabble", + 8148: "isdd", + 8149: "eor-game", + 8160: "patrol", + 8161: "patrol-snmp", + 8182: "vmware-fdm", + 8184: "itach", + 8192: "spytechphone", + 8194: "blp1", + 8195: "blp2", + 8199: "vvr-data", + 8200: "trivnet1", + 8201: "trivnet2", + 8202: "aesop", + 8204: "lm-perfworks", + 8205: "lm-instmgr", + 8206: "lm-dta", + 8207: "lm-sserver", + 8208: "lm-webwatcher", + 8230: "rexecj", + 8231: "hncp-udp-port", + 8232: "hncp-dtls-port", + 8243: "synapse-nhttps", + 8276: "pando-sec", + 8280: "synapse-nhttp", + 8282: "libelle-disc", + 8292: "blp3", + 8294: "blp4", + 8300: "tmi", + 8301: "amberon", + 8320: "tnp-discover", + 8321: "tnp", + 8322: "garmin-marine", + 8351: "server-find", + 8376: "cruise-enum", + 8377: "cruise-swroute", + 8378: "cruise-config", + 8379: "cruise-diags", + 8380: "cruise-update", + 8383: "m2mservices", + 8384: "marathontp", + 8400: "cvd", + 8401: "sabarsd", + 8402: "abarsd", + 8403: "admind", + 8416: "espeech", + 8417: "espeech-rtp", + 8442: "cybro-a-bus", + 8443: "pcsync-https", + 8444: "pcsync-http", + 8445: "copy-disc", + 8450: "npmp", + 8472: "otv", + 8473: "vp2p", + 8474: "noteshare", + 8500: "fmtp", + 8501: "cmtp-av", + 8503: "lsp-self-ping", + 8554: "rtsp-alt", + 8555: "d-fence", + 8567: "dof-tunnel", + 8600: "asterix", + 8609: "canon-cpp-disc", + 8610: "canon-mfnp", + 8611: "canon-bjnp1", + 8612: "canon-bjnp2", + 8613: "canon-bjnp3", + 8614: "canon-bjnp4", + 8675: "msi-cps-rm-disc", + 8686: "sun-as-jmxrmi", + 8732: "dtp-net", + 8733: "ibus", + 8763: "mc-appserver", + 8764: "openqueue", + 8765: "ultraseek-http", + 8766: "amcs", + 8770: "dpap", + 8786: "msgclnt", + 8787: "msgsrvr", + 8793: "acd-pm", + 8800: "sunwebadmin", + 8804: "truecm", + 8805: "pfcp", + 8808: "ssports-bcast", + 8873: "dxspider", + 8880: "cddbp-alt", + 8883: "secure-mqtt", + 8888: "ddi-udp-1", + 8889: "ddi-udp-2", + 8890: "ddi-udp-3", + 8891: "ddi-udp-4", + 8892: "ddi-udp-5", + 8893: "ddi-udp-6", + 8894: "ddi-udp-7", + 8899: "ospf-lite", + 8900: "jmb-cds1", + 8901: "jmb-cds2", + 8910: "manyone-http", + 8911: "manyone-xml", + 8912: "wcbackup", + 8913: "dragonfly", + 8954: "cumulus-admin", + 8980: "nod-provider", + 8981: "nod-client", + 8989: "sunwebadmins", + 8990: "http-wmap", + 8991: "https-wmap", + 8999: "bctp", + 9000: "cslistener", + 9001: "etlservicemgr", + 9002: "dynamid", + 9007: "ogs-client", + 9009: "pichat", + 9020: "tambora", + 9021: "panagolin-ident", + 9022: "paragent", + 9023: "swa-1", + 9024: "swa-2", + 9025: "swa-3", + 9026: "swa-4", + 9060: "CardWeb-RT", + 9080: "glrpc", + 9084: "aurora", + 9085: "ibm-rsyscon", + 9086: "net2display", + 9087: "classic", + 9088: "sqlexec", + 9089: "sqlexec-ssl", + 9090: "websm", + 9091: "xmltec-xmlmail", + 9092: "XmlIpcRegSvc", + 9100: "hp-pdl-datastr", + 9101: "bacula-dir", + 9102: "bacula-fd", + 9103: "bacula-sd", + 9104: "peerwire", + 9105: "xadmin", + 9106: "astergate-disc", + 9119: "mxit", + 9131: "dddp", + 9160: "apani1", + 9161: "apani2", + 9162: "apani3", + 9163: "apani4", + 9164: "apani5", + 9191: "sun-as-jpda", + 9200: "wap-wsp", + 9201: "wap-wsp-wtp", + 9202: "wap-wsp-s", + 9203: "wap-wsp-wtp-s", + 9204: "wap-vcard", + 9205: "wap-vcal", + 9206: "wap-vcard-s", + 9207: "wap-vcal-s", + 9208: "rjcdb-vcards", + 9209: "almobile-system", + 9210: "oma-mlp", + 9211: "oma-mlp-s", + 9212: "serverviewdbms", + 9213: "serverstart", + 9214: "ipdcesgbs", + 9215: "insis", + 9216: "acme", + 9217: "fsc-port", + 9222: "teamcoherence", + 9255: "mon", + 9277: "traingpsdata", + 9278: "pegasus", + 9279: "pegasus-ctl", + 9280: "pgps", + 9281: "swtp-port1", + 9282: "swtp-port2", + 9283: "callwaveiam", + 9284: "visd", + 9285: "n2h2server", + 9286: "n2receive", + 9287: "cumulus", + 9292: "armtechdaemon", + 9293: "storview", + 9294: "armcenterhttp", + 9295: "armcenterhttps", + 9300: "vrace", + 9318: "secure-ts", + 9321: "guibase", + 9343: "mpidcmgr", + 9344: "mphlpdmc", + 9346: "ctechlicensing", + 9374: "fjdmimgr", + 9380: "boxp", + 9396: "fjinvmgr", + 9397: "mpidcagt", + 9400: "sec-t4net-srv", + 9401: "sec-t4net-clt", + 9402: "sec-pc2fax-srv", + 9418: "git", + 9443: "tungsten-https", + 9444: "wso2esb-console", + 9450: "sntlkeyssrvr", + 9500: "ismserver", + 9522: "sma-spw", + 9535: "mngsuite", + 9536: "laes-bf", + 9555: "trispen-sra", + 9592: "ldgateway", + 9593: "cba8", + 9594: "msgsys", + 9595: "pds", + 9596: "mercury-disc", + 9597: "pd-admin", + 9598: "vscp", + 9599: "robix", + 9600: "micromuse-ncpw", + 9612: "streamcomm-ds", + 9618: "condor", + 9628: "odbcpathway", + 9629: "uniport", + 9632: "mc-comm", + 9667: "xmms2", + 9668: "tec5-sdctp", + 9694: "client-wakeup", + 9695: "ccnx", + 9700: "board-roar", + 9747: "l5nas-parchan", + 9750: "board-voip", + 9753: "rasadv", + 9762: "tungsten-http", + 9800: "davsrc", + 9801: "sstp-2", + 9802: "davsrcs", + 9875: "sapv1", + 9878: "kca-service", + 9888: "cyborg-systems", + 9889: "gt-proxy", + 9898: "monkeycom", + 9899: "sctp-tunneling", + 9900: "iua", + 9901: "enrp", + 9903: "multicast-ping", + 9909: "domaintime", + 9911: "sype-transport", + 9950: "apc-9950", + 9951: "apc-9951", + 9952: "apc-9952", + 9953: "acis", + 9955: "alljoyn-mcm", + 9956: "alljoyn", + 9966: "odnsp", + 9987: "dsm-scm-target", + 9990: "osm-appsrvr", + 9991: "osm-oev", + 9992: "palace-1", + 9993: "palace-2", + 9994: "palace-3", + 9995: "palace-4", + 9996: "palace-5", + 9997: "palace-6", + 9998: "distinct32", + 9999: "distinct", + 10000: "ndmp", + 10001: "scp-config", + 10002: "documentum", + 10003: "documentum-s", + 10007: "mvs-capacity", + 10008: "octopus", + 10009: "swdtp-sv", + 10050: "zabbix-agent", + 10051: "zabbix-trapper", + 10080: "amanda", + 10081: "famdc", + 10100: "itap-ddtp", + 10101: "ezmeeting-2", + 10102: "ezproxy-2", + 10103: "ezrelay", + 10104: "swdtp", + 10107: "bctp-server", + 10110: "nmea-0183", + 10111: "nmea-onenet", + 10113: "netiq-endpoint", + 10114: "netiq-qcheck", + 10115: "netiq-endpt", + 10116: "netiq-voipa", + 10117: "iqrm", + 10128: "bmc-perf-sd", + 10160: "qb-db-server", + 10161: "snmpdtls", + 10162: "snmpdtls-trap", + 10200: "trisoap", + 10201: "rscs", + 10252: "apollo-relay", + 10253: "eapol-relay", + 10260: "axis-wimp-port", + 10288: "blocks", + 10439: "bngsync", + 10500: "hip-nat-t", + 10540: "MOS-lower", + 10541: "MOS-upper", + 10542: "MOS-aux", + 10543: "MOS-soap", + 10544: "MOS-soap-opt", + 10800: "gap", + 10805: "lpdg", + 10810: "nmc-disc", + 10860: "helix", + 10880: "bveapi", + 10990: "rmiaux", + 11000: "irisa", + 11001: "metasys", + 10023: "cefd-vmp", + 11095: "weave", + 11106: "sgi-lk", + 11108: "myq-termlink", + 11111: "vce", + 11112: "dicom", + 11161: "suncacao-snmp", + 11162: "suncacao-jmxmp", + 11163: "suncacao-rmi", + 11164: "suncacao-csa", + 11165: "suncacao-websvc", + 11171: "snss", + 11201: "smsqp", + 11208: "wifree", + 11211: "memcache", + 11319: "imip", + 11320: "imip-channels", + 11321: "arena-server", + 11367: "atm-uhas", + 11371: "hkp", + 11430: "lsdp", + 11600: "tempest-port", + 11720: "h323callsigalt", + 11723: "emc-xsw-dcache", + 11751: "intrepid-ssl", + 11796: "lanschool-mpt", + 11876: "xoraya", + 11877: "x2e-disc", + 11967: "sysinfo-sp", + 12000: "entextxid", + 12001: "entextnetwk", + 12002: "entexthigh", + 12003: "entextmed", + 12004: "entextlow", + 12005: "dbisamserver1", + 12006: "dbisamserver2", + 12007: "accuracer", + 12008: "accuracer-dbms", + 12009: "ghvpn", + 12012: "vipera", + 12013: "vipera-ssl", + 12109: "rets-ssl", + 12121: "nupaper-ss", + 12168: "cawas", + 12172: "hivep", + 12300: "linogridengine", + 12321: "warehouse-sss", + 12322: "warehouse", + 12345: "italk", + 12753: "tsaf", + 13160: "i-zipqd", + 13216: "bcslogc", + 13217: "rs-pias", + 13218: "emc-vcas-udp", + 13223: "powwow-client", + 13224: "powwow-server", + 13400: "doip-disc", + 13720: "bprd", + 13721: "bpdbm", + 13722: "bpjava-msvc", + 13724: "vnetd", + 13782: "bpcd", + 13783: "vopied", + 13785: "nbdb", + 13786: "nomdb", + 13818: "dsmcc-config", + 13819: "dsmcc-session", + 13820: "dsmcc-passthru", + 13821: "dsmcc-download", + 13822: "dsmcc-ccp", + 13894: "ucontrol", + 13929: "dta-systems", + 14000: "scotty-ft", + 14001: "sua", + 14002: "scotty-disc", + 14033: "sage-best-com1", + 14034: "sage-best-com2", + 14141: "vcs-app", + 14142: "icpp", + 14145: "gcm-app", + 14149: "vrts-tdd", + 14154: "vad", + 14250: "cps", + 14414: "ca-web-update", + 14936: "hde-lcesrvr-1", + 14937: "hde-lcesrvr-2", + 15000: "hydap", + 15118: "v2g-secc", + 15345: "xpilot", + 15363: "3link", + 15555: "cisco-snat", + 15660: "bex-xr", + 15740: "ptp", + 15998: "2ping", + 16003: "alfin", + 16161: "sun-sea-port", + 16309: "etb4j", + 16310: "pduncs", + 16311: "pdefmns", + 16360: "netserialext1", + 16361: "netserialext2", + 16367: "netserialext3", + 16368: "netserialext4", + 16384: "connected", + 16666: "vtp", + 16900: "newbay-snc-mc", + 16950: "sgcip", + 16991: "intel-rci-mp", + 16992: "amt-soap-http", + 16993: "amt-soap-https", + 16994: "amt-redir-tcp", + 16995: "amt-redir-tls", + 17007: "isode-dua", + 17185: "soundsvirtual", + 17219: "chipper", + 17220: "avtp", + 17221: "avdecc", + 17222: "cpsp", + 17224: "trdp-pd", + 17225: "trdp-md", + 17234: "integrius-stp", + 17235: "ssh-mgmt", + 17500: "db-lsp-disc", + 17729: "ea", + 17754: "zep", + 17755: "zigbee-ip", + 17756: "zigbee-ips", + 18000: "biimenu", + 18181: "opsec-cvp", + 18182: "opsec-ufp", + 18183: "opsec-sam", + 18184: "opsec-lea", + 18185: "opsec-omi", + 18186: "ohsc", + 18187: "opsec-ela", + 18241: "checkpoint-rtm", + 18262: "gv-pf", + 18463: "ac-cluster", + 18634: "rds-ib", + 18635: "rds-ip", + 18668: "vdmmesh-disc", + 18769: "ique", + 18881: "infotos", + 18888: "apc-necmp", + 19000: "igrid", + 19007: "scintilla", + 19191: "opsec-uaa", + 19194: "ua-secureagent", + 19220: "cora-disc", + 19283: "keysrvr", + 19315: "keyshadow", + 19398: "mtrgtrans", + 19410: "hp-sco", + 19411: "hp-sca", + 19412: "hp-sessmon", + 19539: "fxuptp", + 19540: "sxuptp", + 19541: "jcp", + 19788: "mle", + 19999: "dnp-sec", + 20000: "dnp", + 20001: "microsan", + 20002: "commtact-http", + 20003: "commtact-https", + 20005: "openwebnet", + 20012: "ss-idi-disc", + 20014: "opendeploy", + 20034: "nburn-id", + 20046: "tmophl7mts", + 20048: "mountd", + 20049: "nfsrdma", + 20167: "tolfab", + 20202: "ipdtp-port", + 20222: "ipulse-ics", + 20480: "emwavemsg", + 20670: "track", + 20999: "athand-mmp", + 21000: "irtrans", + 21554: "dfserver", + 21590: "vofr-gateway", + 21800: "tvpm", + 21845: "webphone", + 21846: "netspeak-is", + 21847: "netspeak-cs", + 21848: "netspeak-acd", + 21849: "netspeak-cps", + 22000: "snapenetio", + 22001: "optocontrol", + 22002: "optohost002", + 22003: "optohost003", + 22004: "optohost004", + 22005: "optohost004", + 22273: "wnn6", + 22305: "cis", + 22335: "shrewd-stream", + 22343: "cis-secure", + 22347: "wibukey", + 22350: "codemeter", + 22555: "vocaltec-phone", + 22763: "talikaserver", + 22800: "aws-brf", + 22951: "brf-gw", + 23000: "inovaport1", + 23001: "inovaport2", + 23002: "inovaport3", + 23003: "inovaport4", + 23004: "inovaport5", + 23005: "inovaport6", + 23272: "s102", + 23294: "5afe-disc", + 23333: "elxmgmt", + 23400: "novar-dbase", + 23401: "novar-alarm", + 23402: "novar-global", + 24000: "med-ltp", + 24001: "med-fsp-rx", + 24002: "med-fsp-tx", + 24003: "med-supp", + 24004: "med-ovw", + 24005: "med-ci", + 24006: "med-net-svc", + 24242: "filesphere", + 24249: "vista-4gl", + 24321: "ild", + 24322: "hid", + 24386: "intel-rci", + 24465: "tonidods", + 24554: "binkp", + 24577: "bilobit-update", + 24676: "canditv", + 24677: "flashfiler", + 24678: "proactivate", + 24680: "tcc-http", + 24850: "assoc-disc", + 24922: "find", + 25000: "icl-twobase1", + 25001: "icl-twobase2", + 25002: "icl-twobase3", + 25003: "icl-twobase4", + 25004: "icl-twobase5", + 25005: "icl-twobase6", + 25006: "icl-twobase7", + 25007: "icl-twobase8", + 25008: "icl-twobase9", + 25009: "icl-twobase10", + 25793: "vocaltec-hos", + 25900: "tasp-net", + 25901: "niobserver", + 25902: "nilinkanalyst", + 25903: "niprobe", + 25954: "bf-game", + 25955: "bf-master", + 26000: "quake", + 26133: "scscp", + 26208: "wnn6-ds", + 26260: "ezproxy", + 26261: "ezmeeting", + 26262: "k3software-svr", + 26263: "k3software-cli", + 26486: "exoline-udp", + 26487: "exoconfig", + 26489: "exonet", + 27345: "imagepump", + 27442: "jesmsjc", + 27504: "kopek-httphead", + 27782: "ars-vista", + 27999: "tw-auth-key", + 28000: "nxlmd", + 28119: "a27-ran-ran", + 28200: "voxelstorm", + 28240: "siemensgsm", + 29167: "otmp", + 30001: "pago-services1", + 30002: "pago-services2", + 30003: "amicon-fpsu-ra", + 30004: "amicon-fpsu-s", + 30260: "kingdomsonline", + 30832: "samsung-disc", + 30999: "ovobs", + 31016: "ka-kdp", + 31029: "yawn", + 31416: "xqosd", + 31457: "tetrinet", + 31620: "lm-mon", + 31765: "gamesmith-port", + 31948: "iceedcp-tx", + 31949: "iceedcp-rx", + 32034: "iracinghelper", + 32249: "t1distproc60", + 32483: "apm-link", + 32635: "sec-ntb-clnt", + 32636: "DMExpress", + 32767: "filenet-powsrm", + 32768: "filenet-tms", + 32769: "filenet-rpc", + 32770: "filenet-nch", + 32771: "filenet-rmi", + 32772: "filenet-pa", + 32773: "filenet-cm", + 32774: "filenet-re", + 32775: "filenet-pch", + 32776: "filenet-peior", + 32777: "filenet-obrok", + 32801: "mlsn", + 32896: "idmgratm", + 33123: "aurora-balaena", + 33331: "diamondport", + 33334: "speedtrace-disc", + 33434: "traceroute", + 33656: "snip-slave", + 34249: "turbonote-2", + 34378: "p-net-local", + 34379: "p-net-remote", + 34567: "edi_service", + 34962: "profinet-rt", + 34963: "profinet-rtm", + 34964: "profinet-cm", + 34980: "ethercat", + 35001: "rt-viewer", + 35004: "rt-classmanager", + 35100: "axio-disc", + 35355: "altova-lm-disc", + 36001: "allpeers", + 36411: "wlcp", + 36865: "kastenxpipe", + 37475: "neckar", + 37654: "unisys-eportal", + 38002: "crescoctrl-disc", + 38201: "galaxy7-data", + 38202: "fairview", + 38203: "agpolicy", + 39681: "turbonote-1", + 40000: "safetynetp", + 40023: "k-patentssensor", + 40841: "cscp", + 40842: "csccredir", + 40843: "csccfirewall", + 40853: "ortec-disc", + 41111: "fs-qos", + 41230: "z-wave-s", + 41794: "crestron-cip", + 41795: "crestron-ctp", + 42508: "candp", + 42509: "candrp", + 42510: "caerpc", + 43000: "recvr-rc-disc", + 43188: "reachout", + 43189: "ndm-agent-port", + 43190: "ip-provision", + 43210: "shaperai-disc", + 43439: "eq3-config", + 43440: "ew-disc-cmd", + 43441: "ciscocsdb", + 44321: "pmcd", + 44322: "pmcdproxy", + 44544: "domiq", + 44553: "rbr-debug", + 44600: "asihpi", + 44818: "EtherNet-IP-2", + 44900: "m3da-disc", + 45000: "asmp-mon", + 45054: "invision-ag", + 45514: "cloudcheck-ping", + 45678: "eba", + 45825: "qdb2service", + 45966: "ssr-servermgr", + 46999: "mediabox", + 47000: "mbus", + 47100: "jvl-mactalk", + 47557: "dbbrowse", + 47624: "directplaysrvr", + 47806: "ap", + 47808: "bacnet", + 47809: "presonus-ucnet", + 48000: "nimcontroller", + 48001: "nimspooler", + 48002: "nimhub", + 48003: "nimgtw", + 48128: "isnetserv", + 48129: "blp5", + 48556: "com-bardac-dw", + 48619: "iqobject", + 48653: "robotraconteur", + 49001: "nusdp-disc", +} +var sctpPortNames = map[uint16]string{ + 9: "discard", + 20: "ftp-data", + 21: "ftp", + 22: "ssh", + 80: "http", + 179: "bgp", + 443: "https", + 1021: "exp1", + 1022: "exp2", + 1167: "cisco-ipsla", + 1720: "h323hostcall", + 2049: "nfs", + 2225: "rcip-itu", + 2904: "m2ua", + 2905: "m3ua", + 2944: "megaco-h248", + 2945: "h248-binary", + 3097: "itu-bicc-stc", + 3565: "m2pa", + 3863: "asap-sctp", + 3864: "asap-sctp-tls", + 3868: "diameter", + 4333: "ahsp", + 4502: "a25-fap-fgw", + 4711: "trinity-dist", + 4739: "ipfix", + 4740: "ipfixs", + 5060: "sip", + 5061: "sips", + 5090: "car", + 5091: "cxtp", + 5215: "noteza", + 5445: "smbdirect", + 5672: "amqp", + 5675: "v5ua", + 5868: "diameters", + 5910: "cm", + 5911: "cpdlc", + 5912: "fis", + 5913: "ads-c", + 6704: "frc-hp", + 6705: "frc-mp", + 6706: "frc-lp", + 6970: "conductor-mpx", + 7626: "simco", + 7701: "nfapi", + 7728: "osvr", + 8471: "pim-port", + 9082: "lcs-ap", + 9084: "aurora", + 9900: "iua", + 9901: "enrp-sctp", + 9902: "enrp-sctp-tls", + 11997: "wmereceiving", + 11998: "wmedistribution", + 11999: "wmereporting", + 14001: "sua", + 20049: "nfsrdma", + 25471: "rna", + 29118: "sgsap", + 29168: "sbcap", + 29169: "iuhsctpassoc", + 30100: "rwp", + 36412: "s1-control", + 36422: "x2-control", + 36423: "slmap", + 36424: "nq-ap", + 36443: "m2ap", + 36444: "m3ap", + 36462: "xw-control", + 38412: "ng-control", + 38422: "xn-control", + 38472: "f1-control", +} diff --git a/pkg/util/rest/rest.go b/pkg/util/rest/rest.go new file mode 100644 index 000000000..a0fda2e27 --- /dev/null +++ b/pkg/util/rest/rest.go @@ -0,0 +1,125 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package rest + +import ( + "errors" + "github.com/rabbitstack/fibratus/pkg/api" + "io/ioutil" + "net" + "net/http" + "path" + "strings" + "time" +) + +var transport *http.Transport + +type opts struct { + addr string + uri string + contentType string + timeout time.Duration +} + +// Option represents the option for the HTTP client. +type Option func(o *opts) + +// WithTransport sets the preferred transport for the HTTP client. +func WithTransport(addr string) Option { + return func(o *opts) { + o.addr = addr + if strings.HasPrefix(addr, `npipe:///`) { + transport = &http.Transport{ + DialContext: api.DialPipe(addr), + } + } else { + transport = &http.Transport{ + DialContext: (&net.Dialer{}).DialContext, + } + } + } +} + +// WithURI initializes the URI where the request is sent. +func WithURI(uri string) Option { + return func(o *opts) { + o.uri = uri + } +} + +// WithContentType sets the content type header for the HTTP requests. +func WithContentType(contentType string) Option { + return func(o *opts) { + o.contentType = contentType + } +} + +// Get performs the GET request. +func Get(opts ...Option) ([]byte, error) { + return request("GET", opts...) +} + +func request(method string, options ...Option) ([]byte, error) { + var opts opts + for _, opt := range options { + opt(&opts) + } + + if transport == nil { + return nil, errors.New("transport is not initialized") + } + + timeout := opts.timeout + if timeout == 0 { + timeout = time.Second * 10 + } + + contentType := opts.contentType + if contentType == "" { + contentType = "application/json" + } + + client := http.Client{ + Transport: transport, + Timeout: timeout, + } + + scheme := "http://" + addr := opts.addr + if strings.HasPrefix(addr, `npipe:///`) { + addr = strings.TrimPrefix(addr, `npipe:///`) + } + req, err := http.NewRequest(method, scheme+path.Join(addr, opts.uri), nil) + if err != nil { + return nil, err + } + req.Header.Add("Content-Type", contentType) + resp, err := client.Do(req) + if err != nil { + return nil, err + } + defer resp.Body.Close() + + body, err := ioutil.ReadAll(resp.Body) + if err != nil { + return nil, err + } + return body, nil +} diff --git a/pkg/util/rest/rest_test.go b/pkg/util/rest/rest_test.go new file mode 100644 index 000000000..8ce301800 --- /dev/null +++ b/pkg/util/rest/rest_test.go @@ -0,0 +1,79 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package rest + +import ( + "fmt" + "github.com/rabbitstack/fibratus/pkg/api" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "net/http" + "net/http/httptest" + "os/user" + "strings" + "testing" +) + +func TestGet(t *testing.T) { + mux := http.NewServeMux() + mux.HandleFunc("/config", func(w http.ResponseWriter, r *http.Request) { + w.Write([]byte("test")) + }) + + srv := httptest.NewServer(mux) + defer srv.Close() + + resp, err := Get(WithURI("config"), WithTransport(fmt.Sprintf("localhost:%s", port(srv.URL)))) + require.NoError(t, err) + require.NotNil(t, resp) + assert.Equal(t, "test", string(resp)) +} + +func TestGetPipe(t *testing.T) { + usr, err := user.Current() + require.NoError(t, err) + descriptor := "D:P(A;;GA;;;" + usr.Uid + ")" + listener, err := api.MakePipeListener(`npipe:///fibratus`, descriptor) + require.NoError(t, err) + + mux := http.NewServeMux() + + mux.HandleFunc("/config", func(w http.ResponseWriter, r *http.Request) { + w.Write([]byte("test")) + }) + + srv := httptest.NewUnstartedServer(mux) + srv.Listener = listener + + srv.Start() + defer srv.Close() + + resp, err := Get(WithURI("config"), WithTransport(`npipe:///fibratus`)) + require.NoError(t, err) + require.NotNil(t, resp) + assert.Equal(t, "test", string(resp)) +} + +func port(s string) string { + i := strings.LastIndex(s, ":") + if i == 0 { + return "" + } + return s[i+1:] +} diff --git a/pkg/util/spinner/spinner.go b/pkg/util/spinner/spinner.go new file mode 100644 index 000000000..f8761d6f4 --- /dev/null +++ b/pkg/util/spinner/spinner.go @@ -0,0 +1,33 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package spinner + +import ( + "github.com/briandowns/spinner" + "time" +) + +// Show creates a new spinner and starts it. +func Show(prefix string) *spinner.Spinner { + s := spinner.New(spinner.CharSets[14], 100*time.Millisecond) // Build our spinner + s.Prefix = "> " + prefix + " " + s.HideCursor = true + s.Start() + return s +} diff --git a/pkg/util/term/fb.go b/pkg/util/term/fb.go new file mode 100644 index 000000000..4cec27bce --- /dev/null +++ b/pkg/util/term/fb.go @@ -0,0 +1,175 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package term + +import ( + "fmt" + "io" + "syscall" + "unicode/utf16" + "unsafe" +) + +var ( + createConsoleScreenBuffer = kernel32.NewProc("CreateConsoleScreenBuffer") + setConsoleActiveScreenBuffer = kernel32.NewProc("SetConsoleActiveScreenBuffer") +) + +const consoleTextModeBuffer = 0x1 + +// FrameBuffer is a special type of the I/O writer that outputs the character stream to the +// active console screen buffer. +type FrameBuffer struct { + handle syscall.Handle +} + +// NewFrameBuffer builds a fresh frame buffer. +func NewFrameBuffer() (io.Writer, error) { + handle, _, err := createConsoleScreenBuffer.Call( + uintptr(syscall.GENERIC_READ|syscall.GENERIC_WRITE), + uintptr(0), + uintptr(0), + uintptr(consoleTextModeBuffer), + uintptr(0), + uintptr(0), + ) + if handle == 0 { + return nil, fmt.Errorf("unable to create screen buffer: %v", err) + } + fb := &FrameBuffer{ + handle: syscall.Handle(handle), + } + errno, _, err := setConsoleActiveScreenBuffer.Call(uintptr(handle)) + if errno == 0 { + return nil, fmt.Errorf("couldn't activate console screen buffer") + } + showCursor(fb.handle, false) + return fb, nil +} + +// Write draws the character buffer to the screen frame buffer. +func (fb FrameBuffer) Write(p []byte) (int, error) { + bufferInfo, err := getScreenBufferInfo(fb.handle) + if err != nil { + return 0, err + } + if len(p) == 1 { + return 0, nil + } + + rows := int(bufferInfo.size.y) + cols := int(bufferInfo.size.x) + + chars := make([]charInfo, cols*rows) + + var x int + var y int + var newLine bool + + for _, char := range string(p) { + c := char + if c == '\n' || c == '\r' { + newLine = true + } + r, c := utf16.EncodeRune(c) + if r == 0xFFFD { + c = char + } + y++ + // if the last column has been reached and a new line was encountered at + // that position then we'll stop the iteration and reset the column number + if y == cols { + y = 0 + if newLine { + newLine = false + continue + } + } + if newLine { + newLine = false + space := y + // keep filling the rectangle with spaces until we reach the last column. Then + // we'll reset the column and stop the current iteration + for space <= cols { + if space-1 > len(chars)-1 { + continue + } + chars[space-1].char = uint16(' ') + space++ + x++ + } + y = 0 + continue + } + + if x > len(chars)-1 { + continue + } + + chars[x].char = uint16(c) + chars[x].attr = bufferInfo.attributes + x++ + } + + // clear the current frame buffer screen + fb.cls(bufferInfo) + // the following block of code does the heavy lifting of writing the + // character buffer to the screen frame buffer that we previously created + cord := point{} + size := point{x: int16(cols), y: int16(rows)} + rect := rect{left: 0, top: 0, right: int16(cols) - 1, bottom: int16(rows) - 1} + _, _, _ = writeConsoleOutput.Call( + uintptr(fb.handle), + uintptr(unsafe.Pointer(&chars[0])), + size.uintptr(), + cord.uintptr(), + uintptr(unsafe.Pointer(&rect)), + ) + + return 0, nil +} + +// Close closes this frame buffer. +func (fb *FrameBuffer) Close() error { + return syscall.Close(fb.handle) +} + +// cls clears the frame buffer content. +func (fb *FrameBuffer) cls(bufferInfo *consoleScreenBufferInfo) { + var w uint16 + var cursor point + rows := bufferInfo.size.x + cols := bufferInfo.size.y + + _, _, _ = fillConsoleOutputCharacter.Call( + uintptr(fb.handle), + uintptr(' '), + uintptr(rows*cols), + *(*uintptr)(unsafe.Pointer(&cursor)), + uintptr(unsafe.Pointer(&w)), + ) + + _, _, _ = fillConsoleOutputAttribute.Call( + uintptr(fb.handle), + uintptr(bufferInfo.attributes), + uintptr(rows*cols), + *(*uintptr)(unsafe.Pointer(&cursor)), + uintptr(unsafe.Pointer(&w)), + ) +} diff --git a/pkg/util/term/term.go b/pkg/util/term/term.go new file mode 100644 index 000000000..813ac7a09 --- /dev/null +++ b/pkg/util/term/term.go @@ -0,0 +1,95 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package term + +import ( + "os" + "syscall" + "unsafe" +) + +var ( + kernel32 = syscall.NewLazyDLL("kernel32.dll") + + setConsoleCursorInfo = kernel32.NewProc("SetConsoleCursorInfo") + getConsoleScreenBufferInfo = kernel32.NewProc("GetConsoleScreenBufferInfo") + writeConsoleOutput = kernel32.NewProc("WriteConsoleOutputW") + + fillConsoleOutputCharacter = kernel32.NewProc("FillConsoleOutputCharacterW") + fillConsoleOutputAttribute = kernel32.NewProc("FillConsoleOutputAttribute") +) + +type point struct { + x int16 + y int16 +} + +func (p point) uintptr() uintptr { return uintptr(*(*int32)(unsafe.Pointer(&p))) } + +type rect struct { + left, top int16 + right, bottom int16 +} + +func (r *rect) uintptr() uintptr { return uintptr(unsafe.Pointer(r)) } + +type charInfo struct { + char uint16 + attr uint16 +} + +type consoleScreenBufferInfo struct { + size point + cursorPos point + attributes uint16 + window rect + maxWindowSize point +} + +type consoleCursorInfo struct { + size uint32 + visible bool +} + +// getScreenBufferInfo retrieves information about the specified console screen buffer. +func getScreenBufferInfo(cons syscall.Handle) (*consoleScreenBufferInfo, error) { + var bi consoleScreenBufferInfo + errno, _, err := getConsoleScreenBufferInfo.Call(uintptr(cons), uintptr(unsafe.Pointer(&bi))) + if errno == 0 { + return nil, err + } + return &bi, nil +} + +// GetColumns gets the number of character columns. +func GetColumns() int { + bufferInfo, err := getScreenBufferInfo(syscall.Handle(os.Stdout.Fd())) + if err != nil { + return 0 + } + return int(bufferInfo.size.x) +} + +// showCursor shows/hides the cursor. +func showCursor(cons syscall.Handle, visible bool) { + var ci consoleCursorInfo + ci.size = 100 + ci.visible = visible + _, _, _ = setConsoleCursorInfo.Call(uintptr(cons), uintptr(unsafe.Pointer(&ci))) +} diff --git a/pkg/util/tls/tls.go b/pkg/util/tls/tls.go new file mode 100644 index 000000000..fb878a30c --- /dev/null +++ b/pkg/util/tls/tls.go @@ -0,0 +1,63 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package tls + +import ( + "crypto/tls" + "crypto/x509" + "fmt" + "io/ioutil" +) + +// MakeConfig builds a TLS config from the certificate, private/public key and the CA cert files. +func MakeConfig(certFile, keyFile, caFile string, insecureSkipVerify bool) (*tls.Config, error) { + if certFile == "" && keyFile == "" && caFile == "" { + return nil, nil + } + + var cert tls.Certificate + tlsConfig := &tls.Config{ + InsecureSkipVerify: insecureSkipVerify, + } + + // load certificate/key + if certFile != "" && keyFile == "" { + var err error + cert, err = tls.LoadX509KeyPair(certFile, keyFile) + if err != nil { + return nil, err + } + tlsConfig.Certificates = []tls.Certificate{cert} + } + // load certificate issuing authority + if caFile != "" { + cpool := x509.NewCertPool() + caCert, err := ioutil.ReadFile(caFile) + if err != nil { + return nil, err + } + ok := cpool.AppendCertsFromPEM(caCert) + if !ok { + return nil, fmt.Errorf("fail to load certificate authority: %s", caFile) + } + tlsConfig.RootCAs = cpool + } + + return tlsConfig, nil +} diff --git a/pkg/util/typesize/typesize.go b/pkg/util/typesize/typesize.go new file mode 100644 index 000000000..265eb74f5 --- /dev/null +++ b/pkg/util/typesize/typesize.go @@ -0,0 +1,26 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package typesize + +import "unsafe" + +var ptr uintptr + +// Pointer returns the pointer size on this machine. +func Pointer() uintptr { return unsafe.Sizeof(ptr) } diff --git a/pkg/yara/_fixtures/rules/dll.yar b/pkg/yara/_fixtures/rules/dll.yar new file mode 100644 index 000000000..b0ec2eaa3 --- /dev/null +++ b/pkg/yara/_fixtures/rules/dll.yar @@ -0,0 +1,10 @@ +rule DLL : dll +{ + meta: + severity = "Critical" + date = "2020-07" + strings: + $c0 = "Go" fullword ascii + condition: + $c0 +} \ No newline at end of file diff --git a/pkg/yara/_fixtures/rules/notepad.yar b/pkg/yara/_fixtures/rules/notepad.yar new file mode 100644 index 000000000..08606ba24 --- /dev/null +++ b/pkg/yara/_fixtures/rules/notepad.yar @@ -0,0 +1,21 @@ +rule Notepad : notepad +{ + meta: + severity = "Normal" + date = "2016-07" + strings: + $c0 = "Notepad" fullword ascii + condition: + $c0 +} + +rule NotepadCompany +{ + meta: + severity = "Normal" + date = "2016-07" + strings: + $c0 = "Microsoft" fullword ascii + condition: + $c0 +} \ No newline at end of file diff --git a/pkg/yara/_fixtures/yara-test.dll b/pkg/yara/_fixtures/yara-test.dll new file mode 100644 index 000000000..937a81ad0 Binary files /dev/null and b/pkg/yara/_fixtures/yara-test.dll differ diff --git a/pkg/yara/config/config.go b/pkg/yara/config/config.go new file mode 100644 index 000000000..206841c43 --- /dev/null +++ b/pkg/yara/config/config.go @@ -0,0 +1,159 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package config + +import ( + "github.com/mitchellh/mapstructure" + "github.com/spf13/pflag" + "github.com/spf13/viper" + "path/filepath" + "strings" + "time" +) + +const ( + enabled = "yara.enabled" + alertVia = "yara.alert-via" + alertTextTemplate = "yara.alert-template.text" + alertTitleTemplate = "yara.alert-template.title" + fastScanMode = "yara.fastscan" + scanTimeout = "yara.scan-timeout" + skipFiles = "yara.skip-files" + excludedProcesses = "yara.excluded-procs" + excludedFiles = "yara.excluded-files" +) + +// RulePath contains the rule path information. +type RulePath struct { + Path string `json:"path" yaml:"path" mapstructure:"path"` + Namespace string `json:"namespace" yaml:"namespace" mapstructure:"namespace"` +} + +// RuleString contains the in-place strings for the rule definition. +type RuleString struct { + String string `json:"string" yaml:"string" mapstructure:"string"` + Namespace string `json:"namespace" yaml:"namespace" mapstructure:"namespace"` +} + +// Rule contains rule-specific settings. +type Rule struct { + // Paths defines the location of the yara rules + Paths []RulePath `json:"yara.rule.paths" yaml:"yara.rule.paths" mapstructure:"paths"` + // Strings contains the raw rule definitions + Strings []RuleString `json:"yara.rule.strings" yaml:"yara.rule.strings" mapstructure:"strings"` +} + +// Config stores YARA watcher specific configuration. +type Config struct { + // Enabled indicates if YARA watcher is enabled. + Enabled bool `json:"yara.enabled" yaml:"yara.enabled"` + // Rule contains rule-specific settings. + Rule Rule `json:"yara.rule" yaml:"yara.rule" mapstructure:"rule"` + // AlertVia defines which alert sender is used to emit the alert on rule matches. + AlertVia string `json:"yara.alert-via" yaml:"yara.alert-via"` + // AlertTemplate defines the template that is used to render the text of the alert. + AlertTextTemplate string `json:"yara.alert-text-template" yaml:"yara.alert-text-template"` + // AlertTitle represents the template for the alert title + AlertTitleTemplate string `json:"yara.alert-title-template" yaml:"yara.alert-title-template"` + // FastScanMode avoids multiple matches of the same string when not necessary. + FastScanMode bool `json:"yara.fastscan" yaml:"yara.fastscan"` + // ScanTimeout sets the timeout for the scanner. If the timeout is reached, the scan operation is cancelled. + ScanTimeout time.Duration `json:"yara.scan-timeout" yaml:"yara.scan-timeout"` + // SkipFiles indicates whether file scanning is disabled + SkipFiles bool `json:"yara.skip-files" yaml:"yara.skip-files"` + // ExcludedProcesses contains the list of the process' image names that shouldn't be scanned + ExcludedProcesses []string `json:"yara.excluded-procs" yaml:"yara.excluded-procs"` + // ExcludedProcesses contains the list of the file names that shouldn't be scanned + ExcludedFiles []string `json:"yara.excluded-files" yaml:"yara.excluded-files"` +} + +// InitFromViper initializes Yara config from Viper. +func (c *Config) InitFromViper(v *viper.Viper) { + c.Enabled = v.GetBool(enabled) + c.AlertVia = v.GetString(alertVia) + c.AlertTextTemplate = v.GetString(alertTextTemplate) + c.AlertTitleTemplate = v.GetString(alertTitleTemplate) + c.FastScanMode = v.GetBool(fastScanMode) + c.ScanTimeout = v.GetDuration(scanTimeout) + c.SkipFiles = v.GetBool(skipFiles) + c.ExcludedFiles = v.GetStringSlice(excludedFiles) + c.ExcludedProcesses = v.GetStringSlice(excludedProcesses) + + all := v.AllSettings() + if _, ok := all["yara"]; !ok { + return + } + if _, ok := all["yara"].(map[string]interface{}); !ok { + return + } + + var r Rule + _ = decode(all["yara"].(map[string]interface{})["rule"], &r) + c.Rule = r +} + +// AddFlags registers persistent flags. +func AddFlags(flags *pflag.FlagSet) { + flags.Bool(enabled, false, "Specifies if Yara scanner is enabled") + flags.String(alertVia, "mail", "Defines which alert sender is used to emit the alert on rule matches") + flags.String(alertTextTemplate, "", "Defines the template that is used to render the text of the alert") + flags.String(alertTitleTemplate, "", "Defines the template that is used to render the title of the alert") + flags.Bool(fastScanMode, true, "Avoids multiple matches of the same string when not necessary") + flags.Duration(scanTimeout, time.Second*10, "Specifies the timeout for the scanner. If the timeout is reached, the scan operation is cancelled") + flags.Bool(skipFiles, true, "Indicates whether file scanning is disabled") + flags.StringSlice(excludedFiles, []string{}, "Contains the list of the comma-separated file names that shouldn't be scanned") + flags.StringSlice(excludedProcesses, []string{}, "Contains the list of the comma-separated process' image names that shouldn't be scanned") +} + +// ShouldSkipProcess determines whether the specified process name is rejected by the scanner. +func (c Config) ShouldSkipProcess(ps string) bool { + for _, proc := range c.ExcludedProcesses { + if strings.ToLower(proc) == strings.ToLower(ps) { + return true + } + } + return false +} + +// ShouldSkipFile determines whether the specified file name is rejected by the scanner. +func (c Config) ShouldSkipFile(file string) bool { + for _, f := range c.ExcludedFiles { + if strings.ToLower(f) == strings.ToLower(filepath.Base(file)) { + return true + } + } + return false +} + +func decode(input, output interface{}) error { + var decoderConfig = &mapstructure.DecoderConfig{ + Metadata: nil, + Result: output, + WeaklyTypedInput: true, + DecodeHook: mapstructure.ComposeDecodeHookFunc( + mapstructure.StringToTimeDurationHookFunc(), + mapstructure.StringToSliceHookFunc(","), + ), + } + decoder, err := mapstructure.NewDecoder(decoderConfig) + if err != nil { + return err + } + return decoder.Decode(input) +} diff --git a/pkg/yara/scanner.go b/pkg/yara/scanner.go new file mode 100644 index 000000000..01a2105d2 --- /dev/null +++ b/pkg/yara/scanner.go @@ -0,0 +1,385 @@ +// +build yara + +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package yara + +import ( + "bytes" + "expvar" + "fmt" + "github.com/hillu/go-yara" + "github.com/rabbitstack/fibratus/pkg/alertsender" + "github.com/rabbitstack/fibratus/pkg/ps" + pstypes "github.com/rabbitstack/fibratus/pkg/ps/types" + "github.com/rabbitstack/fibratus/pkg/util/multierror" + "github.com/rabbitstack/fibratus/pkg/yara/config" + log "github.com/sirupsen/logrus" + "html/template" + "os" + "path/filepath" + "time" +) + +const alertTitleTmpl = `{{if .PS }}YARA alert on process {{ .PS.Name }}{{ else }}YARA alert on file {{ .Filename }}{{ end }}` + +const alertTextTmpl = ` + {{ if .PS }} + Possible malicious process, {{ .PS.Name }} ({{ .PS.PID }}), detected at {{ .Timestamp }}. + + Rule matches + {{- with .Matches }} + {{ range . }} + Rule: {{ .Rule }} + Namespace: {{ .Namespace }} + Meta: {{ .Meta }} + Tags: {{ .Tags }} + {{ end }} + {{- end }} + + Process information + + Name: {{ .PS.Name }} + PID: {{ .PS.PID }} + PPID: {{ .PS.Ppid }} + Comm: {{ .PS.Comm }} + Cwd: {{ .PS.Cwd }} + SID: {{ .PS.SID }} + Session ID: {{ .PS.SessionID }} + {{ if .PS.Envs }} + Env: + {{- with .PS.Envs }} + {{- range $k, $v := . }} + {{ $k }}: {{ $v }} + {{- end }} + {{- end }} + {{ end }} + Threads: + {{- with .PS.Threads }} + {{- range . }} + {{ . }} + {{- end }} + {{- end }} + Modules: + {{- with .PS.Modules }} + {{- range . }} + {{ . }} + {{- end }} + {{- end }} + {{ if .PS.Handles }} + Handles: + {{- with .PS.Handles }} + {{- range . }} + {{ . }} + {{- end }} + {{- end }} + {{ end }} + + {{ if .PS.PE }} + Entrypoint: {{ .PS.PE.EntryPoint }} + Image base: {{ .PS.PE.ImageBase }} + Build date: {{ .PS.PE.LinkTime }} + + Number of symbols: {{ .PS.PE.NumberOfSymbols }} + Number of sections: {{ .PS.PE.NumberOfSections }} + + Sections: + {{- with .PS.PE.Sections }} + {{- range . }} + {{ . }} + {{- end }} + {{- end }} + {{ if .PS.PE.Symbols }} + Symbols: + {{- with .PS.PE.Symbols }} + {{- range . }} + {{ . }} + {{- end }} + {{- end }} + {{ end }} + {{ if .PS.PE.Imports }} + Imports: + {{- with .PS.PE.Imports }} + {{- range . }} + {{ . }} + {{- end }} + {{- end }} + {{ end }} + {{ if .PS.PE.VersionResources }} + Resources: + {{- with .PS.PE.VersionResources }} + {{- range $k, $v := . }} + {{ $k }}: {{ $v }} + {{- end }} + {{- end }} + {{ end }} + {{ end }} + + {{ else }} + + Possible malicious file, {{ .Filename }}, detected at {{ .Timestamp }}. + + Rule matches + {{ with .Matches }} + {{ range . }} + Rule: {{ .Rule }} + Namespace: {{ .Namespace }} + Meta: {{ .Meta }} + Tags: {{ .Tags }} + {{ end }} + {{ end }} + + {{ end }} +` + +var ( + // ruleMatches computes all the rule matches + ruleMatches = expvar.NewInt("yara.rule.matches") + // rulesInCompiler keeps the counter of the number of rules in the compiler + rulesInCompiler = expvar.NewInt("yara.rules.in.compiler") + // totalScans computes the number of process/file scans + totalScans = expvar.NewInt("yara.total.scans") +) + +type scanner struct { + c *yara.Compiler + s *yara.Scanner + config config.Config + + psnap ps.Snapshotter +} + +// AlertContext contains the process state or file name along with all the rule matches. +type AlertContext struct { + PS *pstypes.PS + Filename string + Matches []yara.MatchRule + Timestamp string +} + +const tsLayout = "02 Jan 2006 15:04:05 MST" + +// NewScanner creates a new YARA scanner. +func NewScanner(psnap ps.Snapshotter, config config.Config) (Scanner, error) { + c, err := yara.NewCompiler() + if err != nil { + return nil, fmt.Errorf("unable to create yara compiler: %v", err) + } + // add yara rules from file system paths by walking the dirs recursively + for _, dir := range config.Rule.Paths { + f, err := os.Stat(dir.Path) + if err != nil { + log.Warnf("cannot access %q rule path: %v", dir.Path, err) + continue + } + if !f.IsDir() { + continue + } + err = filepath.Walk(dir.Path, func(path string, fi os.FileInfo, err error) error { + if filepath.Ext(path) != ".yar" { + return nil + } + f, err := os.Open(path) + if err != nil { + log.Warnf("cannot open the rule %q: %v", path, err) + return nil + } + err = c.AddFile(f, dir.Namespace) + _ = f.Close() + if err != nil { + log.Warnf("couldn't add %s rule: %v", fi.Name(), err) + return nil + } + rulesInCompiler.Add(1) + + return nil + }) + if err != nil { + log.Warnf("couldn't walk %s path: %v", dir.Path, err) + } + } + + // add yara rules from config strings + for _, s := range config.Rule.Strings { + err := c.AddString(s.String, s.Namespace) + if err != nil { + log.Warnf("couldn't add %s rule string: %v", s.String, err) + continue + } + rulesInCompiler.Add(1) + } + + if len(c.Errors) > 0 { + return nil, parseCompilerErrors(c.Errors) + } + + r, err := c.GetRules() + if err != nil { + return nil, fmt.Errorf("couldn't compile yara rules: %v", err) + } + s, err := yara.NewScanner(r) + if err != nil { + return nil, fmt.Errorf("fail to create yara scanner: %v", err) + } + + // set scan flags + var flags yara.ScanFlags + if config.FastScanMode { + flags |= yara.ScanFlagsFastMode + } + s.SetFlags(flags) + s.SetTimeout(config.ScanTimeout) + + return &scanner{ + c: c, + s: s, + config: config, + psnap: psnap, + }, nil +} + +func parseCompilerErrors(errors []yara.CompilerMessage) error { + errs := make([]error, len(errors)) + for i, err := range errors { + errs[i] = fmt.Errorf("%s, filename: %s line: %d", err.Text, err.Filename, err.Line) + } + return multierror.Wrap(errs) +} + +func (s scanner) ScanProc(pid uint32) error { + proc := s.psnap.Find(pid) + if proc == nil { + return fmt.Errorf("cannot scan proc. pid %d does not exist in snapshotter", pid) + } + + if s.config.ShouldSkipProcess(proc.Name) { + return nil + } + + matches, err := s.s.ScanProc(int(pid)) + if err != nil { + return fmt.Errorf("yara scan failed on proc %s (%d): %v", proc.Name, pid, err) + } + totalScans.Add(1) + if len(matches) == 0 { + return nil + } + ruleMatches.Add(int64(len(matches))) + + ctx := AlertContext{ + PS: proc, + Matches: matches, + Timestamp: time.Now().Format(tsLayout), + } + return s.send(ctx) +} + +func (s scanner) ScanFile(filename string) error { + if s.config.SkipFiles || s.config.ShouldSkipFile(filename) { + return nil + } + matches, err := s.s.ScanFile(filename) + if err != nil { + return fmt.Errorf("yara scan failed on %s file: %v", filename, err) + } + totalScans.Add(1) + if len(matches) == 0 { + return nil + } + ruleMatches.Add(int64(len(matches))) + + ctx := AlertContext{ + Filename: filename, + Matches: matches, + Timestamp: time.Now().Format(tsLayout), + } + + return s.send(ctx) +} + +func (s scanner) send(ctx AlertContext) error { + if s.config.AlertTitleTemplate == "" { + s.config.AlertTitleTemplate = alertTitleTmpl + } + if s.config.AlertTextTemplate == "" { + s.config.AlertTextTemplate = alertTextTmpl + } + // build a new yara alert template from the config options + // or use a default template string. We'll feed the alertsender + // with the output of the parsed template. Template content is + // rendered by employing the Go templating engine. For more + // details see https://golang.org/pkg/text/template/ + title, err := executeTmpl(s.config.AlertTitleTemplate, ctx) + if err != nil { + return err + } + text, err := executeTmpl(s.config.AlertTextTemplate, ctx) + if err != nil { + return err + } + + // fetch the alert sender that is specified in the config + sender := alertsender.Find(alertsender.ToType(s.config.AlertVia)) + if sender == nil { + return fmt.Errorf("%q alert sender is not initialized", s.config.AlertVia) + } + + alert := alertsender.NewAlert( + title, + text, + tagsFromMatches(ctx.Matches), + alertsender.Normal, + ) + + log.Infof("emitting yara alert via %q sender: %s", s.config.AlertVia, alert) + + return sender.Send(alert) +} + +func executeTmpl(body string, ctx AlertContext) (string, error) { + var writer bytes.Buffer + + tmpl, err := template.New("yara").Parse(body) + if err != nil { + return "", fmt.Errorf("template syntax error: %v", err) + } + err = tmpl.Execute(&writer, ctx) + if err != nil { + return "", fmt.Errorf("couldn't execute template: %v", err) + } + + return writer.String(), nil +} + +func tagsFromMatches(matches []yara.MatchRule) []string { + tags := make([]string, 0) + for _, match := range matches { + tags = append(tags, match.Tags...) + } + return tags +} + +func (s scanner) Close() { + if s.c != nil { + s.c.Destroy() + } + if s.s != nil { + s.s.Destroy() + } +} diff --git a/pkg/yara/scanner_test.go b/pkg/yara/scanner_test.go new file mode 100644 index 000000000..bc51f899b --- /dev/null +++ b/pkg/yara/scanner_test.go @@ -0,0 +1,185 @@ +// +build yara + +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package yara + +import ( + "github.com/rabbitstack/fibratus/pkg/alertsender" + htypes "github.com/rabbitstack/fibratus/pkg/handle/types" + "github.com/rabbitstack/fibratus/pkg/kevent/kparams" + "github.com/rabbitstack/fibratus/pkg/pe" + "github.com/rabbitstack/fibratus/pkg/ps" + pstypes "github.com/rabbitstack/fibratus/pkg/ps/types" + "github.com/rabbitstack/fibratus/pkg/syscall/handle" + "github.com/rabbitstack/fibratus/pkg/syscall/process" + "github.com/rabbitstack/fibratus/pkg/yara/config" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/mock" + "github.com/stretchr/testify/require" + "os" + "path/filepath" + "syscall" + "testing" + "time" +) + +var yaraAlert *alertsender.Alert + +type mockSender struct{} + +func (s *mockSender) Send(a alertsender.Alert) error { + yaraAlert = &a + return nil +} + +func makeSender(config alertsender.Config) (alertsender.Sender, error) { + return &mockSender{}, nil +} + +func init() { + alertsender.Register(alertsender.Noop, makeSender) +} + +func TestScan(t *testing.T) { + psnap := new(ps.SnapshotterMock) + require.NoError(t, alertsender.LoadAll([]alertsender.Config{{Type: alertsender.Noop}})) + + s, err := NewScanner(psnap, config.Config{ + Enabled: true, + AlertVia: "noop", + Rule: config.Rule{ + Paths: []config.RulePath{ + { + Namespace: "default", + Path: "_fixtures/rules", + }, + }, + }, + }) + require.NoError(t, err) + + var si syscall.StartupInfo + var pi syscall.ProcessInformation + + argv := syscall.StringToUTF16Ptr(filepath.Join(os.Getenv("windir"), "notepad.exe")) + + err = syscall.CreateProcess( + nil, + argv, + nil, + nil, + true, + 0, + nil, + nil, + &si, + &pi) + require.NoError(t, err) + defer syscall.TerminateProcess(pi.Process, uint32(257)) + + proc := &pstypes.PS{ + Name: "notepad.exe", + PID: pi.ProcessId, + Ppid: 2434, + Exe: `C:\Windows\notepad.exe`, + Comm: `C:\Windows\notepad.exe`, + SID: "archrabbit\\SYSTEM", + Cwd: `C:\Windows\`, + SessionID: 1, + Threads: map[uint32]pstypes.Thread{ + 3453: {Tid: 3453, Entrypoint: kparams.Hex("0x7ffe2557ff80"), IOPrio: 2, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + 3455: {Tid: 3455, Entrypoint: kparams.Hex("0x5efe2557ff80"), IOPrio: 3, PagePrio: 5, KstackBase: kparams.Hex("0xffffc307810d6000"), KstackLimit: kparams.Hex("0xffffc307810cf000"), UstackLimit: kparams.Hex("0x5260000"), UstackBase: kparams.Hex("0x525f000")}, + }, + Envs: map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, + Modules: []pstypes.Module{ + {Name: "kernel32.dll", Size: 12354, Checksum: 23123343, BaseAddress: kparams.Hex("fff23fff"), DefaultBaseAddress: kparams.Hex("fff124fd")}, + {Name: "user32.dll", Size: 212354, Checksum: 33123343, BaseAddress: kparams.Hex("fef23fff"), DefaultBaseAddress: kparams.Hex("fff124fd")}, + }, + Handles: []htypes.Handle{ + {Num: handle.Handle(0xffffd105e9baaf70), + Name: `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b677c565-6ca5-45d3-b618-736b4e09b036}`, + Type: "Key", + Object: 777488883434455544, + Pid: uint32(1023), + }, + { + Num: handle.Handle(0xffffd105e9adaf70), + Name: `\RPC Control\OLEA61B27E13E028C4EA6C286932E80`, + Type: "ALPC Port", + Pid: uint32(1023), + MD: &htypes.AlpcPortInfo{ + Seqno: 1, + Context: 0x0, + Flags: 0x0, + }, + Object: 457488883434455544, + }, + { + Num: handle.Handle(0xeaffd105e9adaf30), + Name: `C:\Users\bunny`, + Type: "File", + Pid: uint32(1023), + MD: &htypes.FileInfo{ + IsDirectory: true, + }, + Object: 357488883434455544, + }, + }, + PE: &pe.PE{ + NumberOfSections: 2, + NumberOfSymbols: 10, + EntryPoint: "0x20110", + ImageBase: "0x140000000", + LinkTime: time.Now(), + Sections: []pe.Sec{ + {Name: ".text", Size: 132608, Entropy: 6.368381, Md5: "db23dce3911a42e987041d98abd4f7cd"}, + {Name: ".rdata", Size: 35840, Entropy: 5.996976, Md5: "ffa5c960b421ca9887e54966588e97e8"}, + }, + Symbols: []string{"SelectObject", "GetTextFaceW", "EnumFontsW", "TextOutW", "GetProcessHeap"}, + Imports: []string{"GDI32.dll", "USER32.dll", "msvcrt.dll", "api-ms-win-core-libraryloader-l1-2-0.dl"}, + VersionResources: map[string]string{"CompanyName": "Microsoft Corporation", "FileDescription": "Notepad", "FileVersion": "10.0.18362.693"}, + }, + } + psnap.On("Find", mock.Anything).Return(proc) + + for { + if process.IsAlive(handle.Handle(pi.Process)) { + break + } + time.Sleep(time.Millisecond * 100) + } + + // test attaching on pid + require.NoError(t, s.ScanProc(pi.ProcessId)) + require.NotNil(t, yaraAlert) + + assert.Equal(t, "YARA alert on process notepad.exe", yaraAlert.Title) + assert.NotEmpty(t, yaraAlert.Text) + assert.Contains(t, yaraAlert.Tags, "notepad") + + // test file scanning on DLL that merely contains + // the fmt.Println("Go Yara DLL Test") statement + require.NoError(t, s.ScanFile("_fixtures/yara-test.dll")) + require.NotNil(t, yaraAlert) + + assert.Equal(t, "YARA alert on file _fixtures/yara-test.dll", yaraAlert.Title) + assert.Contains(t, yaraAlert.Tags, "dll") + +} diff --git a/pkg/yara/scanner_unsupported.go b/pkg/yara/scanner_unsupported.go new file mode 100644 index 000000000..14cd8622b --- /dev/null +++ b/pkg/yara/scanner_unsupported.go @@ -0,0 +1,32 @@ +// +build !yara + +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package yara + +import ( + kerrors "github.com/rabbitstack/fibratus/pkg/errors" + "github.com/rabbitstack/fibratus/pkg/ps" + "github.com/rabbitstack/fibratus/pkg/yara/config" +) + +// NewScanner returns unsupported scanner error. +func NewScanner(psnap ps.Snapshotter, config config.Config) (Scanner, error) { + return nil, kerrors.ErrFeatureUnsupported("yara") +} diff --git a/pkg/yara/types.go b/pkg/yara/types.go new file mode 100644 index 000000000..ee425725a --- /dev/null +++ b/pkg/yara/types.go @@ -0,0 +1,31 @@ +/* + * Copyright 2019-2020 by Nedim Sabic Sabic + * https://www.fibratus.io + * All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package yara + +// Scanner watches for certain kernel events such as process creation or image loading and +// triggers the scanning either of the target process or image file. If matches occur, an +// alert is emitted via specified alert sender. +type Scanner interface { + // ScanProc scans process memory. + ScanProc(pid uint32) error + // ScanFile scans the specified file in the file system. + ScanFile(filename string) error + // Close disposes any resources allocated by scanner. + Close() +} diff --git a/requirements.txt b/requirements.txt deleted file mode 100644 index 92cea75ff..000000000 --- a/requirements.txt +++ /dev/null @@ -1,17 +0,0 @@ -cython==0.23.4 -docopt==0.6.2 -ptable==0.9.2 -logbook==0.12.5 -apscheduler==3.0.5 -pefile - -pika==0.10.0 -elasticsearch==5.0.0 - -anyconfig==0.6.0 -pyaml==15.8.2 -pykwalify==1.6.0 - -pytest==2.9.1 -pytest-cov==2.2.1 -codecov diff --git a/schema.yml b/schema.yml deleted file mode 100644 index 54844efb5..000000000 --- a/schema.yml +++ /dev/null @@ -1,132 +0,0 @@ -type: map -mapping: - - image_meta: - type: map - mapping: - enabled: - type: bool - required: True - imports: - type: bool - file_info: - type: bool - - skips: - type: map - required: True - mapping: - images: - type: seq - sequence: - - type: str - - output: - type: seq - required: True - sequence: - - type: map - mapping: - - console: - type: map - mapping: - format: - type: str - enum: ['pretty', 'json'] - - amqp: - type: map - mapping: - host: - type: str - port: - type: int - username: - type: str - password: - type: str - vhost: - type: str - exchange: - type: str - required: True - routingkey: - type: str - required: True - - smtp: - type: map - mapping: - host: - type: str - required: True - port: - type: int - password: - type: str - from: - type: str - pattern: .+@.+ - to: - type: seq - sequence: - - type: str - pattern: .+@.+ - - elasticsearch: - type: map - mapping: - hosts: - type: seq - required: True - sequence: - - type: str - required: True - index: - type: str - required: True - index_type: - type: str - enum: ['fixed', 'daily'] - daily_index_format: - type: str - document: - type: str - required: True - bulk: - type: bool - username: - type: str - password: - type: str - ssl: - type: bool - - fs: - type: map - mapping: - path: - type: str - required: True - mode: - type: str - enum: ['r', 'w', 'x', 'a', 'r+', 'w+'] - format: - type: str - enum: ['json'] - - binding: - type: seq - sequence: - - type: map - mapping: - - yara: - type: map - mapping: - path: - type: str - required: True - - diff --git a/setup.py b/setup.py deleted file mode 100644 index 7a57ed49c..000000000 --- a/setup.py +++ /dev/null @@ -1,84 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -import re -import os -import shutil -from os.path import expanduser -from setuptools import setup, find_packages -from setuptools.extension import Extension -from Cython.Distutils import build_ext -try: - from pip._internal.req import parse_requirements -except ImportError: - from pip.req import parse_requirements - -from fibratus.version import VERSION - - -def copy_artifacts(): - home_dir = expanduser('~') - here = os.path.abspath(os.path.dirname(__file__)) - fibratus_dir = os.path.join(home_dir, '.fibratus') - if not os.path.exists(fibratus_dir): - os.mkdir(fibratus_dir) - shutil.copy(os.path.join(here, 'fibratus.yml'), fibratus_dir) - shutil.copy(os.path.join(here, 'schema.yml'), fibratus_dir) - shutil.copytree(os.path.join(here, 'filaments'), os.path.join(fibratus_dir, 'filaments')) - -kstreamc_ext = Extension('kstreamc', - ['kstream/kstreamc.pyx'], - libraries=["tdh", "advapi32", "ole32", "ws2_32"], - language='c++') - -install_reqs = parse_requirements('requirements.txt', session=False) -reqs = [str(ir.req) for ir in install_reqs if not re.match('pytest|codecov', str(ir.req))] - -copy_artifacts() - -setup( - name="fibratus", - version=VERSION, - author="Nedim Sabic (RabbitStack)", - author_email="bhnedo@hotmail.com", - description="Tool for exploration and tracing of the Windows kernel", - long_description="Fibratus is a tool which is able to capture the most of the Windows kernel activity - " - "process/thread creation and termination, file system I/O, registry, network activity, " - "DLL loading/unloading and much more. Fibratus has a very simple CLI which encapsulates " - "the machinery to start the kernel event stream collector, set kernel event filters or " - "run the lightweight Python modules called filaments. You can use filaments to extend " - "Fibratus with your own arsenal of tools.", - license="Apache", - keywords="windows kernel, tracing, system exploration, syscalls", - platforms=["Windows"], - url="https://github.com/rabbitstack/fibratus", - classifiers=[ - 'Development Status :: 5 - Production/Stable', - 'Topic :: System', - 'License :: OSI Approved :: Apache Software License', - 'Programming Language :: Python :: 3', - 'Programming Language :: Python :: 3.2', - 'Programming Language :: Python :: 3.3', - 'Programming Language :: Python :: 3.4' - ], - ext_modules=[kstreamc_ext], - cmdclass={"build_ext": build_ext}, - packages=find_packages(), - install_requires=reqs, - entry_points={ - 'console_scripts': [ - 'fibratus=fibratus.cli:main', - ], - } -) diff --git a/tests/__init__.py b/tests/__init__.py deleted file mode 100644 index b4b9e2a2a..000000000 --- a/tests/__init__.py +++ /dev/null @@ -1,14 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. \ No newline at end of file diff --git a/tests/fixtures/__init__.py b/tests/fixtures/__init__.py deleted file mode 100644 index c41bcbd9f..000000000 --- a/tests/fixtures/__init__.py +++ /dev/null @@ -1,15 +0,0 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. diff --git a/tests/fixtures/fibratus.yml b/tests/fixtures/fibratus.yml deleted file mode 100644 index 9290cad8f..000000000 --- a/tests/fixtures/fibratus.yml +++ /dev/null @@ -1,54 +0,0 @@ ---- -image_meta: - enabled: false - imports: false - file_info: false - -skips: - images: - - svchost.exe - - smss.exe - - services.exe - - taskmgr.exe - - dwm.exe - - vprot.exe - - lsass.exe - - sihost.exe - - system - -output: - - console: - format: json - - amqp: - host: 127.0.0.1 - port: 5672 - username: guest - password: guest - vhost: / - exchange: amq.direct - routingkey: fibratus - - smtp: - host: smtp.gmail.com - port: 587 - from: info@github.io - password: secret - to: - - fibratus@github.io - - netmutatus@github.io - - elasticsearch: - hosts: - - localhost:9200 - index: kernelstream - document: threads - bulk: True - username: elastic - password: changeme - ssl: True - - fs: - path: D:\\ - mode: a - format: json - -binding: - - yara: - path: D:\\yara-rules \ No newline at end of file diff --git a/tests/fixtures/filaments/__init__.py b/tests/fixtures/filaments/__init__.py deleted file mode 100644 index c41bcbd9f..000000000 --- a/tests/fixtures/filaments/__init__.py +++ /dev/null @@ -1,15 +0,0 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. diff --git a/tests/fixtures/filaments/test_filament_no_on_next_kevent.py b/tests/fixtures/filaments/test_filament_no_on_next_kevent.py deleted file mode 100644 index 0b8057d82..000000000 --- a/tests/fixtures/filaments/test_filament_no_on_next_kevent.py +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Test filament description -""" - - -def on_init(): - pass diff --git a/tests/fixtures/filaments/test_filament_nodoc.py b/tests/fixtures/filaments/test_filament_nodoc.py deleted file mode 100644 index 0d88913b2..000000000 --- a/tests/fixtures/filaments/test_filament_nodoc.py +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - - -def on_init(): - pass - - -def on_next_kevent(kevent): - pass \ No newline at end of file diff --git a/tests/fixtures/filaments/test_filament_wrong_on_next_kevent.py b/tests/fixtures/filaments/test_filament_wrong_on_next_kevent.py deleted file mode 100644 index 1364e458a..000000000 --- a/tests/fixtures/filaments/test_filament_wrong_on_next_kevent.py +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Test filament description -""" - - -def on_init(): - pass - - -def on_next_kevent(kevent, thread): - pass \ No newline at end of file diff --git a/tests/fixtures/schema.yml b/tests/fixtures/schema.yml deleted file mode 100644 index bdc93fdb8..000000000 --- a/tests/fixtures/schema.yml +++ /dev/null @@ -1,127 +0,0 @@ -type: map -mapping: - - image_meta: - type: map - mapping: - enabled: - type: bool - required: True - imports: - type: bool - file_info: - type: bool - - skips: - type: map - required: True - mapping: - images: - type: seq - sequence: - - type: str - - output: - type: seq - required: True - sequence: - - type: map - mapping: - - console: - type: map - mapping: - format: - type: str - enum: ['pretty', 'json'] - - amqp: - type: map - mapping: - host: - type: str - port: - type: int - username: - type: str - password: - type: str - vhost: - type: str - exchange: - type: str - required: True - routingkey: - type: str - required: True - - smtp: - type: map - mapping: - host: - type: str - required: True - port: - type: int - password: - type: str - from: - type: str - pattern: .+@.+ - to: - type: seq - sequence: - - type: str - pattern: .+@.+ - - elasticsearch: - type: map - mapping: - hosts: - type: seq - required: True - sequence: - - type: str - required: True - index: - type: str - required: True - document: - type: str - required: True - bulk: - type: bool - username: - type: str - password: - type: str - ssl: - type: bool - - fs: - type: map - mapping: - path: - type: str - required: True - mode: - type: str - enum: ['r', 'w', 'x', 'a', 'r+', 'w+'] - format: - type: str - enum: ['json'] - - binding: - type: seq - sequence: - - type: map - mapping: - - yara: - type: map - mapping: - path: - type: str - required: True - - diff --git a/tests/pytest.ini b/tests/pytest.ini deleted file mode 100644 index 59147a1ee..000000000 --- a/tests/pytest.ini +++ /dev/null @@ -1,3 +0,0 @@ -[pytest] -python_files = *.py -addopts = -sv --cov-report html --cov-report xml --cov=fibratus \ No newline at end of file diff --git a/tests/unit/__init__.py b/tests/unit/__init__.py deleted file mode 100644 index 23b74303e..000000000 --- a/tests/unit/__init__.py +++ /dev/null @@ -1,14 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. \ No newline at end of file diff --git a/tests/unit/apidefs/__init__.py b/tests/unit/apidefs/__init__.py deleted file mode 100644 index c41bcbd9f..000000000 --- a/tests/unit/apidefs/__init__.py +++ /dev/null @@ -1,15 +0,0 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. diff --git a/tests/unit/apidefs/declarer.py b/tests/unit/apidefs/declarer.py deleted file mode 100644 index 28d23ce51..000000000 --- a/tests/unit/apidefs/declarer.py +++ /dev/null @@ -1,33 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from ctypes import c_uint -import os - -import fibratus.apidefs.declarer as declarer - - -class TestDeclarer(): - - def test_declare_function(self): - get_current_process_id = declarer.declare(declarer.KERNEL, 'GetCurrentProcessId', [], c_uint) - - assert callable(get_current_process_id) - assert get_current_process_id.restype == c_uint - assert get_current_process_id.argtypes is None - - # check the function result - pid = os.getpid() - assert get_current_process_id() == pid \ No newline at end of file diff --git a/tests/unit/binding/__init__.py b/tests/unit/binding/__init__.py deleted file mode 100644 index d7ce39087..000000000 --- a/tests/unit/binding/__init__.py +++ /dev/null @@ -1,14 +0,0 @@ -# Copyright 2017 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. \ No newline at end of file diff --git a/tests/unit/binding/yar.py b/tests/unit/binding/yar.py deleted file mode 100644 index 65698239d..000000000 --- a/tests/unit/binding/yar.py +++ /dev/null @@ -1,81 +0,0 @@ -# Copyright 2017 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from unittest.mock import Mock, patch, MagicMock - -from fibratus.kevent import KEvent -from logbook import Logger -import pytest -import os - -from fibratus.errors import BindingError -from fibratus.output.amqp import AmqpOutput -from fibratus.thread import ThreadInfo - - -@pytest.fixture(scope='module') -def outputs(): - return dict(amqp=Mock(spec_set=AmqpOutput)) - - -class TestYaraBinding(object): - - def test_init(self, outputs): - with patch.dict('sys.modules', **{ - 'yara': MagicMock(), - }): - from fibratus.binding.yar import YaraBinding - with patch('os.path.exists', return_value=True), \ - patch('os.path.isdir', return_value=True), \ - patch('glob.glob', return_value=['silent_banker.yar']), \ - patch('yara.compile') as yara_compile_mock: - YaraBinding(outputs, - Mock(spec_set=Logger), output='amqp', path='C:\\yara-rules') - yara_compile_mock.assert_called_with(os.path.join('C:\\yara-rules', 'silent_banker.yar')) - - def test_init_invalid_path(self, outputs): - with patch.dict('sys.modules', **{ - 'yara': None, - }): - from fibratus.binding.yar import YaraBinding - with patch('os.path.exists', return_value=False), \ - patch('os.path.isdir', return_value=False): - with pytest.raises(BindingError) as e: - YaraBinding(outputs, - Mock(spec_set=Logger), output='amqp', path='C:\\yara-rules-invalid') - assert 'C:\\yara-rules-invalid rules path does not exist' in str(e.value) - - def test_init_yara_python_not_installed(self, outputs): - with patch.dict('sys.modules', **{ - 'yara': None, - }): - from fibratus.binding.yar import YaraBinding - with pytest.raises(BindingError) as e: - YaraBinding(outputs, - Mock(spec_set=Logger), output='amqp', path='C:\\yara-rules') - assert 'yara-python package is not installed' in str(e.value) - - def test_run(self, outputs): - with patch.dict('sys.modules', **{ - 'yara': MagicMock(), - }): - from fibratus.binding.yar import YaraBinding - with patch('os.path.exists', return_value=True), \ - patch('os.path.isdir', return_value=True), \ - patch('glob.glob', return_value=['silent_banker.yar']), \ - patch('yara.compile'): - yara_binding = YaraBinding(outputs, - Mock(spec_set=Logger), output='amqp', path='C:\\yara-rules') - yara_binding.run(thread_info=Mock(spec_set=ThreadInfo), kevent=Mock(spec_set=KEvent)) - assert yara_binding._rules.match.called diff --git a/tests/unit/cli.py b/tests/unit/cli.py deleted file mode 100644 index c41bcbd9f..000000000 --- a/tests/unit/cli.py +++ /dev/null @@ -1,15 +0,0 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. diff --git a/tests/unit/config.py b/tests/unit/config.py deleted file mode 100644 index dff1c938d..000000000 --- a/tests/unit/config.py +++ /dev/null @@ -1,76 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from unittest.mock import patch -from fibratus.config import YamlConfig - -import os - -__CONFIG_PATH__ = os.path.join(os.path.dirname(__file__), '..', 'fixtures', 'fibratus.yml') -__SCHEMA_FILE__ = os.path.join(os.path.dirname(__file__), '..', 'fixtures', 'schema.yml') - - -class TestYamlConfig(): - - def test_load_yaml(self): - config = YamlConfig(__CONFIG_PATH__) - config.load(False) - assert config.yaml - - def test_load_validate(self): - config = YamlConfig(__CONFIG_PATH__) - config.default_schema_path = __SCHEMA_FILE__ - config.load() - - def test_load_yaml_not_found(self): - with patch('sys.exit') as sys_exit: - YamlConfig('C:\\fibratus.yml').load(False) - sys_exit.assert_called_once() - - def test_outputs(self): - config = YamlConfig(__CONFIG_PATH__) - config.load(False) - outputs = config.outputs - assert outputs - assert isinstance(outputs, list) - assert len(outputs) > 0 - - def test_enum_outputs(self): - config = YamlConfig(__CONFIG_PATH__) - config.load(False) - output_names = ['amqp', 'smtp', 'console', 'elasticsearch', 'fs'] - outputs = config.outputs - if outputs: - for output in outputs: - output_name = next(iter(list(output.keys())), None) - assert output_name in output_names - - def test_image_skips(self): - config = YamlConfig(__CONFIG_PATH__) - config.load(False) - image_skips = config.skips.images - assert image_skips - assert isinstance(image_skips, list) - assert 'smss.exe' in image_skips - - def test_bindings(self): - config = YamlConfig(__CONFIG_PATH__) - config.load(False) - bindings = config.bindings - binding_names = ['yara'] - assert bindings - for binding in bindings: - assert isinstance(binding, dict) - binding_name = next(iter(list(binding.keys())), None) - assert binding_name in binding_names \ No newline at end of file diff --git a/tests/unit/context_switch.py b/tests/unit/context_switch.py deleted file mode 100644 index b4e0fa14e..000000000 --- a/tests/unit/context_switch.py +++ /dev/null @@ -1,97 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from unittest.mock import Mock, call - -from datetime import datetime -import pytest - -from fibratus.context_switch import ContextSwitchRegistry, ThreadState, WaitMode, WaitReason -from fibratus.kevent import KEvent -from fibratus.thread import ThreadRegistry, ThreadInfo -from fibratus.common import DotD as ddict - - -@pytest.fixture(scope='module') -def thread_registry_mock(): - thread_registry = Mock(spec_set=ThreadRegistry) - thread_info1 = ThreadInfo(456, int('0x1054', 16), 22, 'explorer.exe', 'C:\\Windows\\EXPLORER.exe') - thread_info2 = ThreadInfo(1, int('0x0', 16), 2, 'system.exe', 'C:\\Windows\\system.exe') - thread_registry.get_thread.side_effect = [thread_info1, thread_info2] - return thread_registry - - -@pytest.fixture(scope='module') -def thread_registry_empty_mock(): - return Mock(spec_set=ThreadRegistry) - - -@pytest.fixture(scope='module') -def kevent_mock(): - return Mock(spec_set=KEvent) - - -class TestContextSwitchRegistry(object): - - def test_next_cswitch(self, thread_registry_mock, kevent_mock): - - context_switch_registry = ContextSwitchRegistry(thread_registry_mock, kevent_mock) - ts = datetime.strptime("12:05:45.233", '%H:%M:%S.%f') - kcs1 = ddict({'old_thread_wait_ideal_processor': 2, 'previous_c_state': 1, 'old_thread_state': 2, - 'old_thread_priority': 0, 'reserved': 777748717, 'spare_byte': 0, - 'old_thread_wait_reason': 0, 'new_thread_wait_time': '0x0', 'old_thread_wait_mode': 0, - 'new_thread_priority': 15, 'new_thread_id': '0x1054', 'old_thread_id': '0x0'}) - new_thread_id = int(kcs1.new_thread_id, 16) - context_switch_registry.next_cswitch(1, ts, kcs1) - - thread_registry_mock.get_thread.assert_has_calls([call(new_thread_id), - call(int(kcs1.old_thread_id, 16))]) - - assert (1, new_thread_id,) in context_switch_registry.context_switches() - cs = context_switch_registry.context_switches()[(1, new_thread_id,)] - assert cs - - assert cs.timestamp is ts - assert cs.next_proc_name == "explorer.exe" - assert cs.next_thread_wait_time == 0 - assert cs.next_thread_prio == 15 - assert cs.prev_thread_prio == 0 - assert cs.prev_thread_state is ThreadState.RUNNING - assert cs.count == 1 - assert cs.prev_thread_wait_mode is WaitMode.KERNEL - assert cs.prev_thread_wait_reason is WaitReason.EXECUTIVE - - def test_next_cswitch_in_registry(self, thread_registry_empty_mock, kevent_mock): - context_switch_registry = ContextSwitchRegistry(thread_registry_empty_mock, kevent_mock) - - kcs1 = ddict({'old_thread_wait_ideal_processor': 3, 'previous_c_state': 0, 'old_thread_state': 5, - 'old_thread_priority': 8, 'reserved': 4294967294, 'spare_byte': 0, - 'old_thread_wait_reason': 8, 'new_thread_wait_time': '0x0', 'old_thread_wait_mode': 1, - 'new_thread_priority': 8, 'new_thread_id': '0x1fc8', 'old_thread_id': '0x2348'}) - kcs2 = ddict({'old_thread_wait_ideal_processor': 3, 'previous_c_state': 0, 'old_thread_state': 3, - 'old_thread_priority': 8, 'reserved': 4294967295, 'spare_byte': 0, - 'old_thread_wait_reason': 8, 'new_thread_wait_time': '0x0', 'old_thread_wait_mode': 1, - 'new_thread_priority': 5, 'new_thread_id': '0x1fc8', 'old_thread_id': '0x2348'}) - - context_switch_registry.next_cswitch(1, datetime.strptime("12:05:45.233", '%H:%M:%S.%f'), kcs1) - context_switch_registry.next_cswitch(1, datetime.strptime("12:05:45.234", '%H:%M:%S.%f'), kcs2) - - k = (1, int(kcs1.new_thread_id, 16)) - cs = context_switch_registry.context_switches()[k] - assert cs - assert cs.count == 2 - assert cs.next_thread_prio == 5 - assert cs.prev_thread_state is ThreadState.STANDBY - assert cs.timestamp == datetime.strptime("12:05:45.234", '%H:%M:%S.%f') - assert cs.prev_thread_wait_reason is WaitReason.FREE_PAGE diff --git a/tests/unit/controller.py b/tests/unit/controller.py deleted file mode 100644 index 4489ea4ab..000000000 --- a/tests/unit/controller.py +++ /dev/null @@ -1,24 +0,0 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from fibratus.controller import KTraceController - - -def ktrace_controller(): - return KTraceController() - - -class TestKTraceController: - pass \ No newline at end of file diff --git a/tests/unit/dll.py b/tests/unit/dll.py deleted file mode 100644 index ae12b5977..000000000 --- a/tests/unit/dll.py +++ /dev/null @@ -1,26 +0,0 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from unittest.mock import Mock -from fibratus.dll import DllRepository -from fibratus.kevent import KEvent - - -def dll_repo(): - return DllRepository(Mock(spec_set=KEvent)) - - -class TestDllRepository(): - pass \ No newline at end of file diff --git a/tests/unit/filament.py b/tests/unit/filament.py deleted file mode 100644 index 73f8d647a..000000000 --- a/tests/unit/filament.py +++ /dev/null @@ -1,174 +0,0 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -import os -from unittest.mock import Mock, patch - -import pytest -from apscheduler.schedulers.background import BackgroundScheduler - -import fibratus.filament as fil -from fibratus.errors import FilamentError -from fibratus.filament import Filament -from fibratus.output.amqp import AmqpOutput -from fibratus.term import AnsiTerm -from tests.fixtures.filaments import test_filament - - -@pytest.fixture(scope='module') -def ansi_term_mock(): - return Mock(spec_set=AnsiTerm) - - -@pytest.fixture() -def filament(ansi_term_mock): - fil.FILAMENTS_DIR = os.path.join(os.path.dirname(__file__), '..', 'fixtures\\filaments') - f = Filament() - f._ansi_term = ansi_term_mock - f.scheduler = Mock(spec_set=BackgroundScheduler) - return f - - -class TestFilament(object): - - def test_load_filament(self, filament): - with patch('os.listdir', return_value=['top_connections.py', 'test_filament.py']): - filament.load_filament('test_filament') - assert filament._filament_module - assert isinstance(filament._filament_module, type(test_filament)) - assert filament._filament_module.__doc__ - assert 'test_filament' in filament.name - - f = filament.filament_module - assert hasattr(f, 'set_filter') - assert hasattr(f, 'set_interval') - assert hasattr(f, 'columns') - assert hasattr(f, 'title') - assert hasattr(f, 'sort_by') - assert hasattr(f, 'limit') - assert hasattr(f, 'add_row') - assert hasattr(f, 'render_tabular') - - f.set_filter('CreateProcess', 'CreateThread') - assert 'CreateProcess' in filament._filters - assert 'CreateThread' in filament._filters - - f.set_interval(1) - assert filament._interval == 1 - - f.columns(['IP', 'Port', 'Process']) - assert filament._cols == ['IP', 'Port', 'Process'] - - f.limit(20) - assert filament._limit == 20 - - f.add_row(['192.168.1.3', '80', 'chrome.exe']) - - f.sort_by('Port') - assert 'Port' in filament._sort_by - assert filament._sort_desc - - f.title('Top outbound connections') - - def test_load_filament_not_found(self, filament): - with patch('os.listdir', return_value=['top_connections.py', 'test_filament.py']): - with pytest.raises(FilamentError): - filament.load_filament('filament_notfound') - - def test_load_filament_nodoc(self, filament): - with patch('os.listdir', return_value=['top_connections.py', 'test_filament_nodoc.py']): - with pytest.raises(FilamentError) as e: - filament.load_filament('test_filament_nodoc') - assert "Please provide a short description for the filament" in str(e.value) - - def test_load_filament_no_on_next_kevent_method(self, filament): - with patch('os.listdir', return_value=['top_connections.py', 'test_filament_no_on_next_kevent.py']): - with pytest.raises(FilamentError) as e: - filament.load_filament('test_filament_no_on_next_kevent') - assert 'Missing required on_next_kevent method on filament' in str(e.value) - - def test_load_filament_wrong_on_next_kevent(self, filament): - with patch('os.listdir', return_value=['test_filament_wrong_on_next_kevent.py']): - with pytest.raises(FilamentError) as e: - filament.load_filament('test_filament_wrong_on_next_kevent') - assert 'one argument' in str(e.value) - - def test_close(self, filament): - filament.close() - - def test_set_invalid_interval(self, filament): - with patch('os.listdir', return_value=['top_connections.py', 'test_filament_invalid_interval.py']): - with pytest.raises(FilamentError): - filament.load_filament('test_filament_invalid_interval') - - def test_add_row_invalid_type(self, filament): - with patch('os.listdir', return_value=['test_filament.py']): - filament.load_filament('test_filament') - f = filament.filament_module - with pytest.raises(FilamentError): - f.add_row({'ip': '192.168.4.31'}) - - def test_sort_by_no_columns(self, filament): - with patch('os.listdir', return_value=['test_filament.py']): - filament.load_filament('test_filament') - f = filament.filament_module - with pytest.raises(FilamentError) as e: - f.sort_by('Port') - assert 'Expected at least 1 column but 0 found' in str(e.value) - - def test_sort_by_column_not_found(self, filament): - with patch('os.listdir', return_value=['test_filament.py']): - filament.load_filament('test_filament') - f = filament.filament_module - f.columns(['IP', 'Port', 'Process']) - with pytest.raises(FilamentError) as e: - f.sort_by('File') - assert 'File column does not exist' in str(e.value) - - def test_limit_no_columns(self, filament): - with patch('os.listdir', return_value=['test_filament.py']): - filament.load_filament('test_filament') - f = filament.filament_module - with pytest.raises(FilamentError): - f.limit(20) - - def test_limit_non_integer(self, filament): - with patch('os.listdir', return_value=['test_filament.py']): - filament.load_filament('test_filament') - f = filament.filament_module - f.columns(['IP', 'Port', 'Process']) - with pytest.raises(FilamentError): - f.limit('20') - - def test_do_output_accessors(self, filament): - with patch('os.listdir', return_value=['test_filament.py']): - filament.load_filament('test_filament') - outputs = {'amqp': Mock(spec_set=AmqpOutput)} - filament.do_output_accessors(outputs) - assert getattr(filament.filament_module, 'amqp') - - def test_set_columns_not_list(self, filament): - with patch('os.listdir', return_value=['test_filament.py']): - filament.load_filament('test_filament') - with pytest.raises(FilamentError): - filament.filament_module.columns(('IP', 'Port')) - - def test_render_tabular(self, filament, ansi_term_mock): - with patch('os.listdir', return_value=['test_filament.py']): - filament.load_filament('test_filament') - filament.filament_module.columns(['IP', 'Port']) - filament.render_tabular() - ansi_term_mock.setup_console.assert_called_once() - ansi_term_mock.write_output.assert_called_once() diff --git a/tests/unit/fs.py b/tests/unit/fs.py deleted file mode 100644 index 1c461f5be..000000000 --- a/tests/unit/fs.py +++ /dev/null @@ -1,153 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from unittest.mock import Mock - -import pytest - - -from fibratus.common import DotD as dd, NA -from fibratus.fs import FsIO, FileOps -from fibratus.handle import HandleInfo, HandleType -from fibratus.kevent import KEvent -from fibratus.kevent_types import CREATE_FILE, DELETE_FILE, WRITE_FILE, RENAME_FILE, SET_FILE_INFORMATION -from fibratus.thread import ThreadRegistry - - -@pytest.fixture(scope='module') -def kevent(): - return KEvent(Mock(spec_set=ThreadRegistry)) - - -@pytest.fixture(scope='module') -def fsio(kevent): - handles = [HandleInfo(3080, 18446738026482168384, HandleType.DIRECTORY, - "\\Device\\HarddiskVolume2\\Users\\Nedo\\AppData\\Local\\VirtualStore", 640), - HandleInfo(2010, 18446738023471035392, HandleType.FILE, - "\\Device\\HarddiskVolume2\\Windows\\system32\\rpcss.dll", 640)] - fsio = FsIO(kevent, handles) - fsio.file_pool[18446738026474426144] = '\\Device\\HarddiskVolume2\\fibratus.log' - return fsio - - -class TestFsIO(): - - def test_init_fsio(self, fsio): - assert len(fsio.file_handles) == 2 - - @pytest.mark.parametrize('expected_op, kfsio', - [(FileOps.SUPERSEDE, dd({"file_object": 18446738026482168384, "ttid": 1484, - "process_id": 859, - "create_options": 1223456, - "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", - "irp_ptr": 18446738026471032392, "share_access": 1, "file_attributes": 0})), - (FileOps.OPEN, dd({"file_object": 18446738026482168384, "ttid": 1484, "process_id": 859, - "create_options": 18874368, - "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", - "irp_ptr": 18446738026471032392, "share_access": 2, "file_attributes": 0})), - (FileOps.CREATE, dd({"file_object": 18446738026482168384, "ttid": 1484, "process_id": 859, - "create_options": 33554532, - "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", - "irp_ptr": 18446738026471032392, "share_access": 4, "file_attributes": 0})), - (FileOps.OPEN_IF, dd({"file_object": 18446738026482168384, "ttid": 1484, - "process_id": 859, - "create_options": 58651617, - "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", - "irp_ptr": 18446738026471032392, "share_access": 3, "file_attributes": 0})), - (FileOps.OVERWRITE, dd({"file_object": 18446738026482168384, "ttid": 1484, - "process_id": 859, - "create_options": 78874400, - "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", - "irp_ptr": 18446738026471032392, "share_access": 5, "file_attributes": 0})), - (FileOps.OVERWRITE_IF, dd({"file_object": 18446738026482168384, "ttid": 1484, - "process_id": 859, - "create_options": 83886112, - "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", - "irp_ptr": 18446738026471032392, "share_access": 6, "file_attributes": 0}))]) - def test_create_file_operation(self, expected_op, kfsio, fsio, kevent): - - fsio.parse_fsio(CREATE_FILE, kfsio) - - kparams = kevent.params - assert kparams.file == kfsio.open_path - assert kparams.tid == kfsio.ttid - assert kparams.pid == kfsio.process_id - assert kparams.operation == expected_op.name - - @pytest.mark.parametrize('expected_share_mask, kfsio', - [('r--', dd({"file_object": 18446738026482168384, "ttid": 1484, "create_options": 18874368, - "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", - "process_id": 859, - "irp_ptr": 18446738026471032392, "share_access": 1, "file_attributes": 0})), - ('-w-', dd({"file_object": 18446738026482168384, "ttid": 1484, "create_options": 18874368, - "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", - "process_id": 859, - "irp_ptr": 18446738026471032392, "share_access": 2, "file_attributes": 0})), - ('--d', dd({"file_object": 18446738026482168384, "ttid": 1484, "create_options": 18874368, - "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", - "process_id": 859, - "irp_ptr": 18446738026471032392, "share_access": 4, "file_attributes": 0})), - ('rw-', dd({"file_object": 18446738026482168384, "ttid": 1484, "create_options": 18874368, - "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", - "process_id": 859, - "irp_ptr": 18446738026471032392, "share_access": 3, "file_attributes": 0})), - ('r-d', dd({"file_object": 18446738026482168384, "ttid": 1484, "create_options": 18874368, - "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", - "process_id": 859, - "irp_ptr": 18446738026471032392, "share_access": 5, "file_attributes": 0})), - ('-wd', dd({"file_object": 18446738026482168384, "ttid": 1484, "create_options": 18874368, - "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", - "process_id": 859, - "irp_ptr": 18446738026471032392, "share_access": 6, "file_attributes": 0})), - ('rwd', dd({"file_object": 18446738026482168384, "ttid": 1484, "create_options": 18874368, - "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", - "process_id": 859, - "irp_ptr": 18446738026471032392, "share_access": 7, "file_attributes": 0})), - ('---', dd({"file_object": 18446738026482168384, "ttid": 1484, "create_options": 18874368, - "open_path": "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll", - "process_id": 859, - "irp_ptr": 18446738026471032392, "share_access": -1, "file_attributes": 0}))]) - def test_create_file_share_mask(self, expected_share_mask, kfsio, fsio, kevent): - fsio.parse_fsio(CREATE_FILE, kfsio) - assert kevent.params.share_mask == expected_share_mask - - def test_delete_file(self, fsio, kevent): - kfsio = dd({"file_object": 18446738026474426144, "ttid": 1956, "process_id": 859, "irp_ptr": 18446738026471032392}) - fsio.parse_fsio(DELETE_FILE, kfsio) - assert kevent.params.tid == kfsio.ttid - assert kevent.params.file == '\\Device\\HarddiskVolume2\\fibratus.log' - - def test_write_file(self, fsio, kevent): - kfsio = dd({"file_object": 18446738026474426144, "process_id": 859, "io_flags": 0, "io_size": 8296, - "offset": 75279, "ttid": 1956}) - fsio.parse_fsio(WRITE_FILE, kfsio) - assert kevent.params.tid == kfsio.ttid - assert kevent.params.file == NA - assert kevent.params.io_size == kfsio.io_size / 1024 - - def test_rename_file(self, fsio, kevent): - kfsio = dd({"file_object": 18446738023471035392, "ttid": 1956, "process_id": 859, "irp_ptr": 18446738026471032392}) - fsio.parse_fsio(RENAME_FILE, kfsio) - assert kevent.params.tid == kfsio.ttid - assert kevent.params.file == '\\Device\\HarddiskVolume2\\Windows\\system32\\rpcss.dll' - - def test_set_file_information(self, fsio, kevent): - kfsio = dd( - {"file_object": 18446738023471035392, "ttid": 1956, "info_class": 20, "process_id": 859, - "irp_ptr": 18446738026471032392}) - fsio.parse_fsio(SET_FILE_INFORMATION, kfsio) - assert kevent.params.tid == kfsio.ttid - assert kevent.params.info_class == 20 - assert kevent.params.file == '\\Device\\HarddiskVolume2\\Windows\\system32\\rpcss.dll' diff --git a/tests/unit/handle.py b/tests/unit/handle.py deleted file mode 100644 index 2d56bf198..000000000 --- a/tests/unit/handle.py +++ /dev/null @@ -1,80 +0,0 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import os -from unittest.mock import patch, call - -import pytest - -from fibratus.apidefs.process import PROCESS_DUP_HANDLE -from fibratus.handle import HandleRepository, HandleType -from fibratus.common import DotD as dd - - -def raw_handles(): - handles = {} - handles[18446738026470543136] = dd(obj=18446738026470543136, handle=12, pid=3472, access_mask=1048608, obj_type_index=28) - handles[18446738026474344592] = dd(obj=18446738026474344592, handle=16, pid=3472, access_mask=2031617, obj_type_index=36) - handles[18446738026474569824] = dd(obj=18446738026474569824, handle=204, pid=920, access_mask=1048578, obj_type_index=17) - handles[18446738026469227424] = dd(obj=18446738026469227424, handle=116, pid=920, access_mask=2031619, obj_type_index=12) - handles[18446735964891181152] = dd(obj=18446735964891181152, handle=108, pid=1616, access_mask=983551, obj_type_index=5) - return handles - - -def query_handle_side_effects(): - return [dd(contents=dd(type_name=dd(buffer="FILE"))), dd(contents=dd(buffer="\Device\HarddiskVolume2"))] \ - * len(raw_handles()) - - -@pytest.fixture(scope='module') -def handle_repo(): - return HandleRepository() - - -class TestHandleRepository(): - - def test_init_handle_repository(self, handle_repo): - handle_types = handle_repo._handle_types - assert isinstance(handle_types, list) - assert HandleType.FILE.name in handle_types - - @patch('fibratus.handle.HandleRepository._enum_handles', return_value=raw_handles()) - @patch('fibratus.handle.open_process', side_effect=[None, 200, 301, 120, 343]) - @patch('fibratus.handle.duplicate_handle', side_effect=[1, 1, 1, 0]) - @patch('fibratus.handle.HandleRepository._query_handle', side_effect=query_handle_side_effects()) - @patch('fibratus.handle.close_handle') - @patch('fibratus.handle.get_current_process', return_value=os.getpid()) - @patch('fibratus.handle.cast', return_value=dd(value='FILE')) - @patch('fibratus.handle.byref', return_value=0x100) - def test_query_handles(self, byref_mock, cast_mock, get_current_process_mock, close_handle_mock, - query_handle_mock, duplicate_handle_mock, open_process_mock, - enum_handles_mock, handle_repo): - handles = handle_repo.query_handles() - assert enum_handles_mock.called - assert get_current_process_mock.called - - open_process_expected_calls = [call(PROCESS_DUP_HANDLE, False, 3472), call(PROCESS_DUP_HANDLE, False, 3472), - call(PROCESS_DUP_HANDLE, False, 920), - call(PROCESS_DUP_HANDLE, False, 920), - call(PROCESS_DUP_HANDLE, False, 1616)] - open_process_mock.assert_has_calls(open_process_expected_calls, any_order=True) - - assert duplicate_handle_mock.call_count == 4 - assert query_handle_mock.call_count == 6 - assert close_handle_mock.call_count == 7 - - assert len(handles) == 3 - assert len([h for h in handles if h.handle_type == HandleType.FILE]) > 0 \ No newline at end of file diff --git a/tests/unit/image_meta.py b/tests/unit/image_meta.py deleted file mode 100644 index c01dc3a51..000000000 --- a/tests/unit/image_meta.py +++ /dev/null @@ -1,57 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from unittest import mock -import os -import pytest - -from fibratus.image_meta import ImageMetaRegistry - - -@pytest.fixture(scope='module') -def image_meta_registry(): - image_meta_registry = ImageMetaRegistry(imports=True, file_info=True) - return image_meta_registry - - -@pytest.fixture(scope='module') -def image_path(): - return '%s\\notepad.exe' % os.environ['WINDIR'] - - -class TestImageMetaRegistry(object): - - @pytest.mark.skip(reason="failing on appveyor") - def test_add_image_meta(self, image_meta_registry, image_path): - image_meta_registry.add_image_meta(image_path) - image_meta = image_meta_registry.get_image_meta(image_path) - assert image_meta - - assert image_meta.arch - assert image_meta.timestamp - assert image_meta.num_sections > 0 - - assert len(image_meta.sections) > 0 - section_names = [se['name'] for se in image_meta.sections] - - assert '.text' in section_names - - assert len(image_meta.imports) > 0 - assert 'KERNEL32.dll' in image_meta.imports - - assert 'Microsoft Corporation' in image_meta.org - assert image_meta.description - assert image_meta.version - assert 'Notepad' in image_meta.internal_name - assert image_meta.copyright diff --git a/tests/unit/kevent.py b/tests/unit/kevent.py deleted file mode 100644 index e835acd31..000000000 --- a/tests/unit/kevent.py +++ /dev/null @@ -1,113 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from unittest.mock import Mock, patch - -import pytest -from fibratus.apidefs.process import THREAD_QUERY_INFORMATION -from fibratus.common import DotD - -from fibratus.kevent import KEvent, KEvents, Category -from fibratus.thread import ThreadRegistry, ThreadInfo - - -@pytest.fixture(scope='module') -def thread_registry_mock(): - thread_registry = Mock(spec_set=ThreadRegistry) - thread_registry.get_thread.side_effect = [ThreadInfo(436, 1024, 23, 'svchost.exe', - 'C:\\Windows\\system32\\svchost.exe -k RPCSS'), - None, - None, - ThreadInfo(836, 564, 23, 'svchost.exe', - 'C:\\Windows\\system32\\svchost.exe -k RPCSS'), - None, - ThreadInfo(836, 564, 23, 'svchost.exe', - 'C:\\Windows\\system32\\svchost.exe -k RPCSS'), - None, None] - return thread_registry - - -@pytest.fixture() -def kevent(thread_registry_mock): - return KEvent(thread_registry_mock) - - -class TestKEvent(object): - - def test_get_thread_pid_not_none(self, kevent, thread_registry_mock): - kevent.pid = 436 - assert kevent.thread - thread_registry_mock.get_thread.assert_called_with(kevent.pid) - - def test_get_thread_pid_not_none_and_not_found_in_registry(self, kevent, thread_registry_mock): - kevent.pid = 436 - assert kevent.thread is None - thread_registry_mock.get_thread.assert_called_with(kevent.pid) - - def test_get_thread_pid_not_none_find_by_thread(self, kevent, thread_registry_mock): - kevent.pid = 436 - kevent.tid = 564 - assert kevent.thread - thread_registry_mock.get_thread.assert_called_with(kevent.tid) - - def test_get_thread_pid_none(self, kevent, thread_registry_mock): - kevent.tid = 564 - assert kevent.thread - thread_registry_mock.get_thread.assert_called_with(kevent.tid) - - @patch('fibratus.kevent.open_thread', return_value=25) - @patch('fibratus.kevent.get_process_id_of_thread') - @patch('fibratus.kevent.close_handle') - def test_get_thread_pid_none(self, close_handle_mock, get_process_id_of_thread_mock, open_thread_mock, - kevent): - kevent.tid = 245 - kevent.get_thread() - open_thread_mock.assert_called_with(THREAD_QUERY_INFORMATION, - False, kevent.tid) - get_process_id_of_thread_mock.assert_called_with(25) - close_handle_mock.assert_called_with(25) - - def test_kevents_all(self): - kevents = KEvents.all() - assert isinstance(kevents, list) - assert len(kevents) > 0 - - def test_kevents_meta_info(self): - kevents_meta_info = KEvents.meta_info() - assert isinstance(kevents_meta_info, dict) - cat, description = kevents_meta_info[KEvents.CREATE_PROCESS] - assert cat == Category.PROCESS - assert description - - def test_set_kevent_name(self, kevent): - kevent.name = KEvents.CREATE_PROCESS - assert kevent.name == KEvents.CREATE_PROCESS - assert kevent.category == Category.PROCESS.name - - def test_set_kevent_ts(self, kevent): - kevent.ts = '2016-11-29 12:31:48.210000' - assert kevent.ts.second == 48 - assert kevent.ts.minute == 31 - assert kevent.ts.hour == 12 - - def test_set_kevent_cpu_id(self, kevent): - kevent.cpuid = 2 - assert kevent.cpuid == 2 - - def test_set_kevent_params(self, kevent): - kevent.params = {'exe': 'svchost.exe', 'comm': 'C:\\Windows\\system32\\svchost.exe -k RPCSS'} - assert isinstance(kevent.params, DotD) - assert kevent.params.exe == 'svchost.exe' - diff --git a/tests/unit/kevent_types.py b/tests/unit/kevent_types.py deleted file mode 100644 index 28d11b1e8..000000000 --- a/tests/unit/kevent_types.py +++ /dev/null @@ -1,44 +0,0 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import pytest -from fibratus.kevent_types import * - - -@pytest.mark.parametrize('name, expected_kevent', - [(KEvents.CREATE_PROCESS, CREATE_PROCESS), - (KEvents.TERMINATE_PROCESS, TERMINATE_PROCESS), - (KEvents.CREATE_THREAD, CREATE_THREAD), - (KEvents.TERMINATE_THREAD, TERMINATE_THREAD), - (KEvents.REG_SET_VALUE, REG_SET_VALUE), - (KEvents.REG_QUERY_KEY, REG_QUERY_KEY), - (KEvents.REG_OPEN_KEY, REG_OPEN_KEY), - (KEvents.REG_QUERY_VALUE, REG_QUERY_VALUE), - (KEvents.REG_DELETE_KEY, REG_DELETE_KEY), - (KEvents.REG_DELETE_VALUE, REG_DELETE_VALUE), - (KEvents.REG_CREATE_KEY, REG_CREATE_KEY), - (KEvents.SEND, [SEND_SOCKET_UDPV4, SEND_SOCKET_TCPV4])]) -def test_kname_to_tuple(name, expected_kevent): - assert kname_to_tuple(name) == expected_kevent - - -def test_kname_to_tuple_unknown_kevent(): - with pytest.raises(UnknownKeventTypeError): - kname_to_tuple('Exec') - - -def test_ktuple_to_name(): - pass \ No newline at end of file diff --git a/tests/unit/output/__init__.py b/tests/unit/output/__init__.py deleted file mode 100644 index b4b9e2a2a..000000000 --- a/tests/unit/output/__init__.py +++ /dev/null @@ -1,14 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. \ No newline at end of file diff --git a/tests/unit/output/aggregator.py b/tests/unit/output/aggregator.py deleted file mode 100644 index d50763fc9..000000000 --- a/tests/unit/output/aggregator.py +++ /dev/null @@ -1,48 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from unittest.mock import Mock - -import pytest - -from fibratus.kevent import KEvent -from fibratus.output.aggregator import OutputAggregator -from fibratus.output.amqp import AmqpOutput -from fibratus.output.console import ConsoleOutput - - -@pytest.fixture(scope='module') -def outputs(): - return dict(amqp=Mock(spec_set=AmqpOutput), console=Mock(spec_set=ConsoleOutput)) - - -@pytest.fixture(scope='module') -def output_aggregator(outputs): - return OutputAggregator(outputs) - - -@pytest.fixture(scope='module') -def kevent(): - kevent_mock = Mock(spec_set=KEvent) - kevent_mock.get_thread.return_value = (343, 'svchost.exe') - return kevent_mock - - -class TestOutputAggregator(object): - - def test_aggregate(self, output_aggregator, kevent, outputs): - output_aggregator.aggregate(kevent) - for _, output in outputs.items(): - assert output.emit.call_count == 1 - diff --git a/tests/unit/output/amqp.py b/tests/unit/output/amqp.py deleted file mode 100644 index 8868dab1a..000000000 --- a/tests/unit/output/amqp.py +++ /dev/null @@ -1,84 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -import json -from unittest.mock import patch - -import pika -import pytest - -from fibratus.errors import InvalidPayloadError -from fibratus.output.amqp import AmqpOutput - - -@pytest.fixture(scope='module') -def amqp_adapter(): - config = { - 'username': 'fibratus', - 'host': '127.0.0.1', - 'port': 5672, - 'vhost': '/', - 'exchange': 'test', - 'routingkey': 'fibratus' - } - return AmqpOutput(**config) - - -class TestAmqpOutput(object): - - def test_init(self, amqp_adapter): - assert 'fibratus' in amqp_adapter.username - assert 'guest' in amqp_adapter._password - assert '127.0.0.1' in amqp_adapter.host - assert amqp_adapter.port == 5672 - assert '/' in amqp_adapter.vhost - assert 'test' in amqp_adapter.exchange - assert 'fibratus' in amqp_adapter.routingkey - assert amqp_adapter.delivery_mode == 1 - - @patch('pika.BlockingConnection', spec_set=pika.BlockingConnection) - def test_emit(self, connection_mock, amqp_adapter): - body = {'kevent_type': 'CreateProcess'} - amqp_adapter.emit(body) - connection_mock.channel.assert_called_once() - amqp_adapter._channel.basic_publish.assert_called_with('test', 'fibratus', - json.dumps(body), - amqp_adapter._basic_props) - - @patch('pika.BlockingConnection', spec_set=pika.BlockingConnection) - def test_emit_invalid_payload(self, connection_mock, amqp_adapter): - body = ['CrateProcess', 'TerminateProcess'] - with pytest.raises(InvalidPayloadError) as e: - connection_mock.channel.assert_called_once() - amqp_adapter.emit(body) - assert "invalid payload for AMQP message. dict expected but found" == str(e.value) - amqp_adapter._channel.basic_publish.assert_not_called() - - @patch('pika.BlockingConnection', spec_set=pika.BlockingConnection) - def test_emit_override_exchange_and_rk(self, connection_mock, amqp_adapter): - body = {'kevent_type': 'CreateProcess'} - amqp_adapter.emit(body, exchange='test.override', routingkey='fibratus.override') - amqp_adapter._channel.basic_publish.assert_called_with('test.override', 'fibratus.override', - json.dumps(body), - amqp_adapter._basic_props) - - @pytest.mark.parametrize('body', [{'kevent_type': 'CreateProcess'}, {'kevent_type': 'TerminateProcess'}, - {'kevent_type': 'WriteFile'}, {'kevent_type': 'Recv'}]) - @patch('pika.BlockingConnection', spec_set=pika.BlockingConnection) - def test_emit_multiple(self, connection_mock, body, amqp_adapter): - amqp_adapter.emit(body, exchange='test.override', routingkey='fibratus.override') - connection_mock.channel.assert_called_once() - amqp_adapter._channel.basic_publish.assert_called_with('test.override', 'fibratus.override', - json.dumps(body), - amqp_adapter._basic_props) diff --git a/tests/unit/output/elasticsearch.py b/tests/unit/output/elasticsearch.py deleted file mode 100644 index a774cb542..000000000 --- a/tests/unit/output/elasticsearch.py +++ /dev/null @@ -1,137 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from unittest.mock import patch -from datetime import datetime - -import time -import elasticsearch -import pytest -from unittest.mock import Mock - -from fibratus.errors import InvalidPayloadError -from fibratus.output.elasticsearch import ElasticsearchOutput - - -@pytest.fixture(scope='module') -def elasticsearch_adapter(): - config = { - 'hosts': [ - 'localhost:9200', - 'rabbitstack:9200' - ], - 'index': 'kernelstream', - 'document': 'threads', - } - return ElasticsearchOutput(**config) - - -@pytest.fixture(scope='module') -def elasticsearch_bulk_adapter(): - config = { - 'hosts': [ - 'localhost:9200', - 'rabbitstack:9200' - ], - 'index': 'kernelstream', - 'document': 'threads', - 'bulk': True, - 'username': 'elastic', - 'password': 'changeme' - } - return ElasticsearchOutput(**config) - - -@pytest.fixture(scope='module') -def elasticsearch_adapter_daily_index(): - config = { - 'hosts': [ - 'localhost:9200', - 'rabbitstack:9200' - ], - 'index': 'kernelstream', - 'document': 'threads', - 'index_type': 'daily' - } - return ElasticsearchOutput(**config) - - -mock_time = Mock() -mock_time.return_value = time.mktime(datetime(2017, 12, 16).timetuple()) - - -class TestElasticsearchOutput(object): - - def test_init(self, elasticsearch_adapter): - assert isinstance(elasticsearch_adapter.hosts, list) - assert len(elasticsearch_adapter.hosts) > 0 - assert {'host': 'localhost', 'port': 9200} in elasticsearch_adapter.hosts - assert elasticsearch_adapter.index_name == 'kernelstream' - assert elasticsearch_adapter.document_type == 'threads' - assert not elasticsearch_adapter.bulk - - def test_emit(self, elasticsearch_adapter): - body = {'kevent_type': 'CreateProcess', 'params': {'name': 'smss.exe'}} - assert elasticsearch_adapter._elasticsearch is None - with patch('elasticsearch.Elasticsearch', spec_set=elasticsearch.Elasticsearch) as es_client_mock: - elasticsearch_adapter.emit(body) - es_client_mock.assert_called_with([{'host': 'localhost', 'port': 9200}, - {'host': 'rabbitstack', 'port': 9200}], use_ssl=False) - elasticsearch_adapter._elasticsearch.index.assert_called_with('kernelstream', 'threads', body=body) - - @patch('time.time', mock_time) - def test_emit_daily_index(self, elasticsearch_adapter_daily_index): - body = {'kevent_type': 'CreateProcess', 'params': {'name': 'smss.exe'}} - assert elasticsearch_adapter_daily_index._elasticsearch is None - assert elasticsearch_adapter_daily_index.index_type == 'daily' - with patch('elasticsearch.Elasticsearch', spec_set=elasticsearch.Elasticsearch) as es_client_mock: - elasticsearch_adapter_daily_index.emit(body) - es_client_mock.assert_called_with([{'host': 'localhost', 'port': 9200}, - {'host': 'rabbitstack', 'port': 9200}], use_ssl=False) - #elasticsearch_adapter_daily_index._elasticsearch.index.assert_called_with('kernelstream-2017.12.16', 'threads', body=body) - - @patch('elasticsearch.Elasticsearch', spec_set=elasticsearch.Elasticsearch) - def test_emit_invalid_payload(self, es_client_mock, elasticsearch_adapter): - body = ['CreateProcess', 'TerminateProcess'] - with pytest.raises(InvalidPayloadError) as e: - elasticsearch_adapter.emit(body) - assert "invalid payload for document. dict expected but found" == str(e.value) - assert es_client_mock.index.assert_not_called() - - @patch('elasticsearch.Elasticsearch', spec_set=elasticsearch.Elasticsearch) - @patch('elasticsearch.helpers.bulk') - def test_emit_bulk(self, es_bulk_mock, es_client_mock, elasticsearch_bulk_adapter): - body = [{'kevent_type': 'CreateProcess', 'params': {'name': 'smss.exe'}}, - {'kevent_type': 'TerminateProcess', 'params': {'name': 'smss.exe'}}] - elasticsearch_bulk_adapter.emit(body) - es_client_mock.assert_called_with([{'host': 'localhost', 'port': 9200}, - {'host': 'rabbitstack', 'port': 9200}], use_ssl=False, - http_auth=('elastic', 'changeme',)) - expected_body = [{'_index': 'kernelstream', '_type': 'threads', '_source': - {'kevent_type': 'CreateProcess', 'params': {'name': 'smss.exe'}}}, - {'_index': 'kernelstream', '_type': 'threads', '_source': - {'kevent_type': 'TerminateProcess', 'params': {'name': 'smss.exe'}}}] - es_bulk_mock.assert_called_once_with(elasticsearch_bulk_adapter._elasticsearch, expected_body) - - @patch('elasticsearch.Elasticsearch', spec_set=elasticsearch.Elasticsearch) - @patch('elasticsearch.helpers.bulk') - def test_emit_bulk_invalid_payload(self, es_bulk_mock, es_client_mock, elasticsearch_bulk_adapter): - body = ({'kevent_type': 'CreateProcess', 'params': {'name': 'smss.exe'}}, - {'kevent_type': 'TerminateProcess', 'params': {'name': 'smss.exe'}},) - with pytest.raises(InvalidPayloadError) as e: - elasticsearch_bulk_adapter.emit(body) - assert "invalid payload for bulk indexing. list expected but found" == str(e.value) - assert es_bulk_mock.assert_not_called() - - diff --git a/tests/unit/output/fs.py b/tests/unit/output/fs.py deleted file mode 100644 index dfb59462f..000000000 --- a/tests/unit/output/fs.py +++ /dev/null @@ -1,40 +0,0 @@ -# Copyright 2017 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from io import TextIOBase - -from fibratus.output.fs import FsOutput -from unittest.mock import patch, Mock -import time -import os -import json - - -class TestFsOutput(object): - - def test_init(self): - with patch('io.open', return_value=Mock(spec_set=TextIOBase)) as stream_mock: - fs_output = FsOutput(path='C:\\', mode='a', format='json') - filename = os.path.join(fs_output.path, '%s.fibra' % time.strftime('%x').replace('/', '-')) - stream_mock.assert_called_with(filename, 'a') - assert 'C:\\' in fs_output.path - assert 'a' in fs_output.mode - assert 'json' in fs_output.format - - def test_emit(self): - with patch('io.open', return_value=Mock(spec_set=TextIOBase)): - fs_output = FsOutput(path='C:\\', mode='a', format='json') - body = {'kevent_type': 'CreateProcess'} - fs_output.emit(body) - fs_output.stream.write.assert_called_with(json.dumps(body) + '\n') \ No newline at end of file diff --git a/tests/unit/output/smtp.py b/tests/unit/output/smtp.py deleted file mode 100644 index 6b3342788..000000000 --- a/tests/unit/output/smtp.py +++ /dev/null @@ -1,68 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -import smtplib -from unittest.mock import patch, Mock - -import pytest -from logbook import Logger - -from fibratus.output.smtp import SmtpOutput - - -@pytest.fixture(scope='module') -def smtp_adapter(): - config = { - 'host': 'smtp.gmail.com', - 'from': 'fibratus@fibratus.io', - 'password': 'secret', - 'to': ['fibratus@fibratus.io', 'netmutatus@netmutatus.io'] - } - return SmtpOutput(**config) - - -class TestSmtpOutput(object): - - def test_init(self, smtp_adapter): - assert 'smtp.gmail.com' in smtp_adapter.host - assert 'fibratus@fibratus.io' in smtp_adapter.sender - assert set(['fibratus@fibratus.io', 'netmutatus@netmutatus.io']) == set(smtp_adapter.to) - assert smtp_adapter.port == 587 - - def test_emit(self, smtp_adapter): - body = 'Anomalous network activity detected from notepad.exe process' - with patch('smtplib.SMTP'): - smtp_adapter.emit(body, subject='Anomalous network activity detected') - assert smtp_adapter._smtp.ehlo.call_count == 2 - smtp_adapter._smtp.starttls.assert_called_once() - smtp_adapter._smtp.login.assert_called_with('fibratus@fibratus.io', 'secret') - message = 'From: fibratus@fibratus.io' \ - 'To: fibratus@fibratus.io, netmutatus@netmutatus.io' \ - 'Subject: Anomalous network activity detected' \ - 'Anomalous network activity detected from notepad.exe process' - - smtp_adapter._smtp.login.sendmail('fibratus@fibratus.io', ['fibratus@fibratus.io', - 'netmutatus@netmutatus.io'], - message) - smtp_adapter._smtp.quit.assert_called_once() - - def test_emit_invalid_credentials(self, smtp_adapter): - body = 'Anomalous network activity detected from notpead.exe process' - smtp_adapter.logger = Mock(spec_set=Logger) - with patch('smtplib.SMTP'): - smtp_adapter._smtp.login.side_effect = smtplib.SMTPAuthenticationError(534, 'Invalid smtp credentials') - smtp_adapter.emit(body, subject='Anomalous network activity detected') - smtp_adapter.logger.error.assert_called_with('Invalid SMTP credentials for ' - 'fibratus@fibratus.io account') - smtp_adapter._smtp.quit.assert_called_once() diff --git a/tests/unit/registry.py b/tests/unit/registry.py deleted file mode 100644 index 823efa8e0..000000000 --- a/tests/unit/registry.py +++ /dev/null @@ -1,199 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from unittest.mock import Mock, patch - -import pytest - -from fibratus.apidefs.registry import HKEY_LOCAL_MACHINE, HKEY_USERS -from fibratus.common import DotD as dd, NA -from fibratus.handle import HandleInfo, HandleType -from fibratus.kevent import KEvent -from fibratus.kevent_types import * -from fibratus.registry import HiveParser, Kcb -from fibratus.thread import ThreadRegistry, ThreadInfo - - -@pytest.fixture(scope='module') -def kevent_mock(): - return Mock(spec_set=KEvent) - - -@pytest.fixture(scope='module') -def thread_registry_mock(): - thread_registry = Mock(spec_set=ThreadRegistry) - thread_info = ThreadInfo(896, 2916, 22, 'explorer.exe', 'C:\\Windows\\EXPLORER.exe') - thread_info.handles.append(HandleInfo(836, 18446735964859105184, HandleType.KEY, - "\\REGISTRY\\USER\\S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES\\Local Settings" - "\\Software\Microsoft\\Windows\\Shell\\Bags\\59\\Shell\\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}", - 896)) - thread_registry.get_thread.return_value = thread_info - return thread_registry - - -@pytest.fixture(scope='module') -def hive_parser(kevent_mock, thread_registry_mock): - kcb1 = dd({"index": 0, "process_id": 1224, "status": 0, "key_handle": 18446735964840821928, - "key_name": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\" - "{4a33e644-94a8-11e5-a0c5-806e6f6e6963}\\", - "thread_id": 1484, "initial_time": 24218562806}) - kcb2 = dd({'initial_time': 0, 'index': 0, 'thread_id': 620, 'status': 0, 'key_handle': 18446735964896987168, - 'key_name': '\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\HDAudBus', 'process_id': 3820}) - kcb3 = dd({"index": 0, "process_id": 896, "status": 0, "key_handle": 18446735964812642928, - "key_name": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}" - "\\InprocServer32", "thread_id": 2916, "initial_time": 0}) - hive_parser = HiveParser(kevent_mock, thread_registry_mock) - hive_parser.add_kcb(kcb1) - hive_parser.add_kcb(kcb2) - hive_parser.add_kcb(kcb3) - return hive_parser - - -class TestHiveParser(): - - def test_add_kcb(self, hive_parser): - kcb = dd({'initial_time': 0, 'index': 0, 'thread_id': 620, - 'status': 0, 'key_handle': 18446735964879434920, - 'key_name': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM', 'process_id': 3820}) - hive_parser.add_kcb(kcb) - assert kcb.key_handle in hive_parser.kcblocks - - kcblock = hive_parser.kcblocks[kcb.key_handle] - assert isinstance(kcblock, Kcb) - assert kcblock.key == kcb.key_name - - def test_remove_kcb(self, hive_parser): - kcb = dd({'initial_time': 0, 'index': 0, 'thread_id': 620, - 'status': 0, 'key_handle': 18446735964879434920, - 'key_name': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM', 'process_id': 3820}) - hive_parser.remove_kcb(kcb.key_handle) - assert kcb.key_handle not in hive_parser.kcblocks - - @pytest.mark.parametrize('kevent_type', [REG_OPEN_KEY, REG_CREATE_KEY, REG_QUERY_KEY, REG_DELETE_KEY]) - def test_parse_hive_key_kevent_full_node_name(self, kevent_type, hive_parser, kevent_mock): - regkevt = dd({"index": 0, "process_id": 1224, "status": 3221225524, "key_handle": 0, - "key_name": "\\Registry\\Machine\\Software\\Classes\\Applications\\Explorer.exe" - "\\Drives\\C\\DefaultIcon", "thread_id": 2164, "initial_time": 24218563385}) - hive_parser.parse_hive(kevent_type, regkevt) - kparams = kevent_mock.params - - assert kparams['hive'] == 'REGISTRY_MACHINE_SOFTWARE' - assert kparams['key'] == 'SOFTWARE\\Classes\\Applications\\Explorer.exe\\Drives\\C\\DefaultIcon' - assert kparams['status'] == regkevt.status - assert kparams['pid'] == regkevt.process_id - assert kparams['tid'] == regkevt.thread_id - - @pytest.mark.parametrize('kevent_type', [REG_OPEN_KEY, REG_CREATE_KEY, REG_QUERY_KEY, REG_DELETE_KEY]) - def test_parse_hive_key_kevent_kcb_lookup_match(self, kevent_type, hive_parser, kevent_mock): - regkevt = dd({"index": 2, "process_id": 896, "status": 0, "key_handle": 18446735964812642928, - "key_name": "ThreadingModel", "thread_id": 2916, "initial_time": 24219715376}) - hive_parser.parse_hive(kevent_type, regkevt) - kparams = kevent_mock.params - - assert kparams['hive'] == 'REGISTRY_MACHINE_SOFTWARE' - assert kparams['key'] == 'SOFTWARE\\Classes\\CLSID\\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}' \ - '\\InprocServer32\\ThreadingModel' - assert kparams['status'] == regkevt.status - assert kparams['pid'] == regkevt.process_id - assert kparams['tid'] == regkevt.thread_id - - def test_parse_hive_key_handles_lookup(self, hive_parser, kevent_mock, thread_registry_mock): - regkevt = dd({"index": 0, "process_id": 896, "status": 3221225524, - "key_handle": 18446735964819421216, - "key_name": "Bags\\59\\Shell\\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}", - "thread_id": 2916, "initial_time": 24219715717}) - hive_parser.parse_hive(REG_OPEN_KEY, regkevt) - - thread_registry_mock.get_thread.assert_called_with(regkevt.process_id) - - kcb = hive_parser.kcblocks[regkevt.key_handle] - assert kcb and isinstance(kcb, Kcb) - - assert kcb.key == "\\REGISTRY\\USER\\S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES\\Local Settings" \ - "\\Software\Microsoft\\Windows\\Shell\\Bags\\59" \ - "\\Shell\\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}" - assert kevent_mock.params['hive'] == 'REGISTRY_USER_S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES' - assert kevent_mock.params['key'] == "S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES\\Local Settings" \ - "\\Software\Microsoft\\Windows\\Shell\\Bags\\59" \ - "\\Shell\\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}" - - def test_parse_hive_set_value_kevent_full_node_name(self, hive_parser, kevent_mock): - regkevt = dd({"index": 0, "process_id": 1224, "status": 3221225524, "key_handle": 0, - "key_name": "\\Registry\\Machine\\Software\\Classes\\Applications\\Explorer.exe" - "\\Drives\\C\\DefaultIcon", "thread_id": 2164, "initial_time": 24218563385}) - with patch('fibratus.registry.HiveParser._query_value', return_value=('open', 'REG_SZ')) \ - as query_value_mock: - hive_parser.parse_hive(REG_SET_VALUE, regkevt) - kparams = kevent_mock.params - query_value_mock.assert_called_with(HKEY_LOCAL_MACHINE, - 'SOFTWARE\\Classes\\Applications\\Explorer.exe\\Drives\\C', - 'DefaultIcon') - - assert kparams['hive'] == 'REGISTRY_MACHINE_SOFTWARE' - assert kparams['key'] == 'SOFTWARE\\Classes\\Applications\\Explorer.exe\\Drives\\C\\DefaultIcon' - assert kparams['status'] == regkevt.status - assert kparams['pid'] == regkevt.process_id - assert kparams['tid'] == regkevt.thread_id - assert kparams['value_type'] == 'REG_SZ' - assert kparams['value'] == 'open' - - def test_parse_hive_set_value_kevent_full_node_name(self, hive_parser, kevent_mock): - regkevt = dd({"index": 0, "process_id": 1224, "status": 3221225524, "key_handle": 0, - "key_name": "\\REGISTRY\\USER\\S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES" - "\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams", - "thread_id": 2164, "initial_time": 24218563385}) - with patch('fibratus.registry.HiveParser._query_value', return_value=('0x12', 'REG_DWORD')) \ - as query_value_mock: - hive_parser.parse_hive(REG_QUERY_VALUE, regkevt) - kparams = kevent_mock.params - query_value_mock.assert_called_with(HKEY_USERS, - "S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES" - "\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion" - "\\TrayNotify", - 'IconStreams') - assert kparams['hive'] == 'REGISTRY_USER_S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES' - assert kparams['key'] == "S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES\\Local Settings" \ - "\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams" - assert kparams['status'] == regkevt.status - assert kparams['pid'] == regkevt.process_id - assert kparams['tid'] == regkevt.thread_id - assert kparams['value_type'] == 'REG_DWORD' - assert kparams['value'] == '0x12' - - def test_parse_hive_delete_value(self, hive_parser, kevent_mock): - regkevt = dd({"index": 0, "process_id": 1224, "status": 3221225524, "key_handle": 0, - "key_name": "\\Registry\\Machine\\Software\\Classes\\Applications\\Explorer.exe" - "\\Drives\\C\\DefaultIcon", "thread_id": 2164, "initial_time": 24218563385}) - - hive_parser.parse_hive(REG_DELETE_VALUE, regkevt) - - kparams = kevent_mock.params - - assert kparams['hive'] == 'REGISTRY_MACHINE_SOFTWARE' - assert kparams['key'] == 'SOFTWARE\\Classes\\Applications\\Explorer.exe\\Drives\\C\\DefaultIcon' - assert kparams['status'] == regkevt.status - assert kparams['pid'] == regkevt.process_id - assert kparams['tid'] == regkevt.thread_id - - def test_parse_hive_na(self, hive_parser, kevent_mock): - regkevt = dd({"index": 2, "process_id": 896, "status": 0, "key_handle": 19446735964812642920, - "key_name": "ThreadingModel", "thread_id": 2916, "initial_time": 24219715376}) - hive_parser.parse_hive(REG_OPEN_KEY, regkevt) - kparams = kevent_mock.params - - assert kparams['hive'] == NA - assert kparams['key'] == '..\\ThreadingModel' - - diff --git a/tests/unit/tcpip/__init__.py b/tests/unit/tcpip/__init__.py deleted file mode 100644 index c41bcbd9f..000000000 --- a/tests/unit/tcpip/__init__.py +++ /dev/null @@ -1,15 +0,0 @@ -# Copyright 2015/2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. diff --git a/tests/unit/tcpip/tcpip.py b/tests/unit/tcpip/tcpip.py deleted file mode 100644 index 89a6474af..000000000 --- a/tests/unit/tcpip/tcpip.py +++ /dev/null @@ -1,151 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# http://rabbitstack.github.io - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from unittest.mock import Mock - -import pytest - -from fibratus.common import DotD as dd -from fibratus.kevent import KEvent -from fibratus.kevent_types import SEND_SOCKET_TCPV4, SEND_SOCKET_UDPV4, RECV_SOCKET_TCPV4, RECV_SOCKET_UDPV4, \ - ACCEPT_SOCKET_TCPV4, CONNECT_SOCKET_TCPV4, DISCONNECT_SOCKET_TCPV4, RECONNECT_SOCKET_TCPV4 -from fibratus.tcpip.tcpip import TcpIpParser - - -@pytest.fixture(scope='module') -def kevent_mock(): - return Mock(spec_set=KEvent) - - -@pytest.fixture(scope='module') -def tcpip_parser(kevent_mock): - return TcpIpParser(kevent_mock) - - -class TestTcpIpParser(): - - @pytest.mark.parametrize('ktcpip, l4_proto, l5_proto, kevent_type', [ - (dd({"saddr": "10.0.2.15", "sport": 49279, "daddr": "216.58.211.238", - "dport": 443, "pid": 1848, "connid": 0, "size": 63, "seqnum": 0}), 'TCP', 'https', SEND_SOCKET_TCPV4), - (dd({"saddr": "10.0.2.15", "sport": 49279, "daddr": "216.58.211.238", - "dport": 53, "pid": 1848, "connid": 0, "size": 63, "seqnum": 0}), 'UDP', 'domain', SEND_SOCKET_UDPV4)]) - def test_parse_send(self, ktcpip, l4_proto, l5_proto, - kevent_type, tcpip_parser, - kevent_mock): - - tcpip_parser.parse_tcpip(kevent_type, ktcpip) - kparams = kevent_mock.params - - assert kparams['pid'] == ktcpip.pid - assert kparams['ip_src'] == ktcpip.saddr - assert kparams['ip_dst'] == ktcpip.daddr - assert kparams['sport'] == ktcpip.sport - assert kparams['dport'] == ktcpip.dport - assert kparams['packet_size'] == ktcpip.size - assert kparams['l4_proto'] == l4_proto - assert kparams['protocol'] == l5_proto - - @pytest.mark.parametrize('ktcpip, l4_proto, l5_proto, kevent_type', [ - (dd({'seqnum': 0, 'connid': 0, 'sport': 49720, 'daddr': '91.226.88.5', - 'saddr': '10.0.2.15', 'size': 266, 'pid': 1380, 'dport': 443}), 'TCP', 'https', RECV_SOCKET_TCPV4), - (dd({"saddr": "10.0.2.15", "sport": 49279, "daddr": "216.58.211.238", - "dport": 53, "pid": 1848, "connid": 0, "size": 63, "seqnum": 0}), 'UDP', 'domain', RECV_SOCKET_UDPV4)]) - def test_parse_recv(self, ktcpip, l4_proto, l5_proto, - kevent_type, tcpip_parser, - kevent_mock): - - tcpip_parser.parse_tcpip(kevent_type, ktcpip) - kparams = kevent_mock.params - - assert kparams['pid'] == ktcpip.pid - assert kparams['ip_src'] == ktcpip.saddr - assert kparams['ip_dst'] == ktcpip.daddr - assert kparams['sport'] == ktcpip.sport - assert kparams['dport'] == ktcpip.dport - assert kparams['packet_size'] == ktcpip.size - assert kparams['l4_proto'] == l4_proto - assert kparams['protocol'] == l5_proto - - def test_parse_recv_dport_na(self, tcpip_parser, kevent_mock): - ktcpip = dd({'seqnum': 0, 'connid': 0, 'sport': 25, 'daddr': '91.226.88.5', - 'saddr': '10.0.2.15', 'size': 266, 'pid': 1380, 'dport': 51234}) - tcpip_parser.parse_tcpip(RECV_SOCKET_TCPV4, ktcpip) - kparams = kevent_mock.params - assert kparams['protocol'] == 'smtp' - - def test_parse_accept(self, tcpip_parser, kevent_mock): - ktcpip = dd({'connid': 0, 'sndwinscale': 0, 'rcvwinscale': 0, 'saddr': '10.0.2.15', - 'sport': 22, 'rcvwin': 64240, 'tsopt': 0, 'pid': 1380, 'seqnum': 0, - 'daddr': '216.58.211.206', 'size': 0, 'mss': 1460, 'dport': 49804, 'wsopt': 0, 'sackopt': 0}) - - tcpip_parser.parse_tcpip(ACCEPT_SOCKET_TCPV4, ktcpip) - kparams = kevent_mock.params - - assert kparams['pid'] == ktcpip.pid - assert kparams['ip_src'] == ktcpip.saddr - assert kparams['ip_dst'] == ktcpip.daddr - assert kparams['sport'] == ktcpip.sport - assert kparams['dport'] == ktcpip.dport - assert kparams['rwin'] == ktcpip.rcvwin - assert kparams['protocol'] == 'ssh' - - def test_parse_connect(self, tcpip_parser, kevent_mock): - ktcpip = dd({'connid': 0, 'sndwinscale': 0, 'rcvwinscale': 0, 'saddr': '10.0.2.15', - 'sport': 49804, 'rcvwin': 64240, 'tsopt': 0, 'pid': 1380, 'seqnum': 0, - 'daddr': '216.58.211.206', 'size': 0, 'mss': 1460, 'dport': 443, 'wsopt': 0, 'sackopt': 0}) - - tcpip_parser.parse_tcpip(CONNECT_SOCKET_TCPV4, ktcpip) - kparams = kevent_mock.params - - assert kparams['pid'] == ktcpip.pid - assert kparams['ip_src'] == ktcpip.saddr - assert kparams['ip_dst'] == ktcpip.daddr - assert kparams['sport'] == ktcpip.sport - assert kparams['dport'] == ktcpip.dport - assert kparams['rwin'] == ktcpip.rcvwin - assert kparams['protocol'] == 'https' - - def test_parse_disconnect(self, tcpip_parser, kevent_mock): - ktcpip = dd({'connid': 0, 'saddr': '10.0.2.15', - 'sport': 49804, 'pid': 1380, - 'daddr': '216.58.211.206', 'dport': 443,}) - - tcpip_parser.parse_tcpip(DISCONNECT_SOCKET_TCPV4, ktcpip) - kparams = kevent_mock.params - - assert kparams['pid'] == ktcpip.pid - assert kparams['ip_src'] == ktcpip.saddr - assert kparams['ip_dst'] == ktcpip.daddr - assert kparams['sport'] == ktcpip.sport - assert kparams['dport'] == ktcpip.dport - - def test_parse_reconnect(self, tcpip_parser, kevent_mock): - ktcpip = dd({'connid': 0, 'saddr': '10.0.2.15', - 'sport': 49804, 'pid': 1380, - 'daddr': '216.58.211.206', 'dport': 443,}) - - tcpip_parser.parse_tcpip(RECONNECT_SOCKET_TCPV4, ktcpip) - kparams = kevent_mock.params - - assert kparams['pid'] == ktcpip.pid - assert kparams['ip_src'] == ktcpip.saddr - assert kparams['ip_dst'] == ktcpip.daddr - assert kparams['sport'] == ktcpip.sport - assert kparams['dport'] == ktcpip.dport - - - - - diff --git a/tests/unit/term.py b/tests/unit/term.py deleted file mode 100644 index ad9d981d2..000000000 --- a/tests/unit/term.py +++ /dev/null @@ -1,129 +0,0 @@ -# Copyright 2016 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from unittest.mock import patch - -import pytest - -from fibratus.apidefs.sys import STD_OUTPUT_HANDLE, GENERIC_READ, GENERIC_WRITE, \ - FILE_SHARE_READ, CONSOLE_TEXTMODE_BUFFER, FILE_SHARE_WRITE, INVALID_HANDLE_VALUE, COORD, SMALL_RECT, CHAR_INFO, \ - CONSOLE_SCREEN_BUFFER_INFO -from fibratus.errors import TermInitializationError -from fibratus.term import AnsiTerm - - -class TestAnsiTerm(object): - - @patch('fibratus.term.get_std_handle', return_value=1) - @patch('fibratus.term.get_console_screen_buffer_info') - @patch('fibratus.term.get_console_cursor_info') - @patch('fibratus.term.create_console_screen_buffer', return_value=2) - @patch('fibratus.term.set_console_cursor_info') - @patch('fibratus.term.set_console_active_screen_buffer') - def test_setup_console(self, set_console_active_screen_buffer_mock, - set_console_cursor_info_mock, - create_console_screen_buffer_mock, - get_console_cursor_info_mock, - get_console_screen_buffer_info_mock, - get_std_handle_mock): - - with patch('fibratus.term.byref', side_effect=[1, 2, 3]): - ansi_term = AnsiTerm() - ansi_term.setup_console() - - get_std_handle_mock.assert_called_with(STD_OUTPUT_HANDLE) - get_console_screen_buffer_info_mock.assert_called_with(1, 1) - get_console_cursor_info_mock.assert_called_with(1, 2) - - create_console_screen_buffer_mock.assert_called_with(GENERIC_READ | GENERIC_WRITE, - FILE_SHARE_READ | FILE_SHARE_WRITE, - None, - CONSOLE_TEXTMODE_BUFFER, - None) - - set_console_cursor_info_mock.assert_called_with(2, 3) - set_console_active_screen_buffer_mock.assert_called_with(2) - - @patch('fibratus.term.get_std_handle', return_value=INVALID_HANDLE_VALUE) - def test_setup_console_invalid_std_console(self, get_std_handle_mock): - - ansi_term = AnsiTerm() - with pytest.raises(TermInitializationError): - ansi_term.setup_console() - get_std_handle_mock.assert_called_with(STD_OUTPUT_HANDLE) - - @patch('fibratus.term.get_std_handle', return_value=1) - @patch('fibratus.term.get_console_screen_buffer_info') - @patch('fibratus.term.get_console_cursor_info') - @patch('fibratus.term.create_console_screen_buffer', return_value=INVALID_HANDLE_VALUE) - def test_setup_console_invalid_frame_buffer(self, create_console_screen_buffer_mock, - get_console_cursor_info_mock, - get_console_screen_buffer_info_mock, - get_std_handle_mock): - - ansi_term = AnsiTerm() - with pytest.raises(TermInitializationError): - ansi_term.setup_console() - create_console_screen_buffer_mock.assert_called_with(GENERIC_READ | GENERIC_WRITE, - FILE_SHARE_READ | FILE_SHARE_WRITE, - None, - CONSOLE_TEXTMODE_BUFFER, - None) - - @patch('fibratus.term.get_std_handle', return_value=1) - @patch('fibratus.term.get_console_screen_buffer_info') - @patch('fibratus.term.get_console_cursor_info') - @patch('fibratus.term.create_console_screen_buffer', return_value=2) - @patch('fibratus.term.set_console_cursor_info') - @patch('fibratus.term.set_console_active_screen_buffer') - def test_restore_console(self, set_console_active_screen_buffer_mock, - set_console_cursor_info_mock, - create_console_screen_buffer_mock, - get_console_cursor_info_mock, - get_console_screen_buffer_info_mock, - get_std_handle_mock): - - ansi_term = AnsiTerm() - ansi_term.setup_console() - with patch('fibratus.term.byref', return_value=2): - ansi_term.restore_console() - set_console_active_screen_buffer_mock.assert_called_with(1) - set_console_cursor_info_mock.assert_called_with(1, 2) - - @patch('fibratus.term.get_std_handle', return_value=1) - @patch('fibratus.term.get_console_screen_buffer_info') - @patch('fibratus.term.get_console_cursor_info') - @patch('fibratus.term.create_console_screen_buffer', return_value=2) - @patch('fibratus.term.set_console_cursor_info') - @patch('fibratus.term.set_console_active_screen_buffer') - @patch('fibratus.term.write_console_output') - def test_write_output(self, write_console_output_mock, - set_console_active_screen_buffer_mock, - set_console_cursor_info_mock, - create_console_screen_buffer_mock, - get_console_cursor_info_mock, - get_console_screen_buffer_info_mock, - get_std_handle_mock): - ansi_term = AnsiTerm() - - buffer_info = CONSOLE_SCREEN_BUFFER_INFO() - buffer_info.size.x = 200 - buffer_info.size.y = 300 - - with patch.object(CONSOLE_SCREEN_BUFFER_INFO, '__new__', return_value=buffer_info): - ansi_term.setup_console() - ansi_term.write_output('Top inbound packets\n') - write_console_output_mock.assert_called_once() - - diff --git a/tests/unit/thread.py b/tests/unit/thread.py deleted file mode 100644 index ccbc2d47a..000000000 --- a/tests/unit/thread.py +++ /dev/null @@ -1,250 +0,0 @@ -# Copyright 2015 by Nedim Sabic (RabbitStack) -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -from unittest.mock import patch, Mock - -import pytest -import os - -from fibratus.apidefs.cdefs import ERROR_ACCESS_DENIED -from fibratus.apidefs.process import PROCESS_QUERY_INFORMATION, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_VM_READ -from fibratus.handle import HandleRepository, HandleInfo -from fibratus.image_meta import ImageMetaRegistry -from fibratus.kevent_types import CREATE_PROCESS, CREATE_THREAD, ENUM_PROCESS, ENUM_THREAD, TERMINATE_THREAD, \ - TERMINATE_PROCESS -from fibratus.common import DotD as dd -from fibratus.thread import ThreadRegistry, ThreadInfo - - -@pytest.fixture(scope='module') -def handle_repo_mock(): - handle_repo = Mock(spec_set=HandleRepository) - handle_repo.query_handles.return_value = [HandleInfo(20, 18446738026501927904, 'FILE', - 'C:\\Windows\\System32\\kernel32.dll', - 0x2d8)] - return handle_repo - - -@pytest.fixture(scope='module') -def image_meta_registry_mock(): - imeta_meta_registry_mock = Mock(spec_set=ImageMetaRegistry) - imeta_meta_registry_mock.get_image_meta.return_value = None - return imeta_meta_registry_mock - - -@pytest.fixture(scope='module') -def thread_registry(handle_repo_mock, image_meta_registry_mock): - p1 = {"session_id": 0, "command_line": "C:\\Windows\\system32\\services.exe", "process_id": "0x1e4", - "unique_process_key": 18446738026492816176, "exit_status": 259, - "parent_id": "0x17c", - "image_file_name": "services.exe", - "directory_table_base": 4299976704, - "user_sid": None} - t1 = {"user_stack_base": 14483456, "io_priority": 2, "teb_base": 8796092874752, "process_id": "0x1e4", - "stack_limit": 18446735827441688576, "t_thread_id": "0x238", "base_priority": 9, - "win32_start_addr": 2009573488, "page_priority": 5, - "stack_base": 18446735827441713152, "user_stack_limit": 14450688, - "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0"} - t2 = {"user_stack_base": 16580608, "io_priority": 2, "teb_base": 8796092669952, "process_id": "0x1e4", - "stack_limit": 18446735827442425856, "t_thread_id": "0x254", "base_priority": 9, - "win32_start_addr": 8791752742020, "page_priority": 5, - "stack_base": 18446735827442450432, "user_stack_limit": 16547840, - "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0"} - - thread_registry = ThreadRegistry(handle_repo_mock, [], image_meta_registry_mock) - thread_registry.add_thread(ENUM_PROCESS, dd(p1)) - thread_registry.add_thread(ENUM_THREAD, dd(t1)) - thread_registry.add_thread(ENUM_THREAD, dd(t2)) - - return thread_registry - - -class TestThreadRegistry: - - def test_init_thread_registry(self, thread_registry): - - assert len(thread_registry.threads) == 3 - proc = thread_registry.threads[int('0x1e4', 16)] - assert proc - assert isinstance(proc, ThreadInfo) - assert proc.child_count == 2 - - def test_enum_process(self, thread_registry, handle_repo_mock): - - kti = dd({"session_id": 0, "command_line": "C:\\Windows\\system32\\svchost.exe -k RPCSS", - "process_id": "0x2d8", - "unique_process_key": 18446738026496154416, - "exit_status": 259, "user_sid": None, "parent_id": "0x1e4", - "image_file_name": "svchost.exe", "directory_table_base": 3716534272}) - thread_registry.add_thread(ENUM_PROCESS, kti) - process_id = int(kti.process_id, 16) - - handle_repo_mock.query_handles.assert_not_called() - - t = thread_registry.get_thread(process_id) - assert t - - assert t.pid == process_id - assert t.ppid == int(kti.parent_id, 16) - assert t.name == kti.image_file_name - assert t.exe == 'C:\\Windows\\system32\\svchost.exe' - assert t.comm == kti.command_line - assert len(t.args) > 0 - assert ['-k', 'RPCSS'] == t.args - assert '-k' in t.args - assert 'RPCSS' in t.args - - def test_create_process(self, thread_registry, handle_repo_mock): - - kti = dd({"session_id": 4294967295, "command_line": "\\SystemRoot\\System32\\smss.exe", - "process_id": "0xfc", "unique_process_key": 18446738026484345648, "exit_status": 259, - "user_sid": None, "parent_id": "0x4", "image_file_name": "smss.exe", - "directory_table_base": 4508921856}) - thread_registry.add_thread(CREATE_PROCESS, kti) - process_id = int(kti.process_id, 16) - - t = thread_registry.get_thread(process_id) - sys_root = os.path.expandvars("%SystemRoot%") - assert t - assert t.pid == process_id - assert t.ppid == int(kti.parent_id, 16) - assert t.name == kti.image_file_name - assert t.exe == '%s\\System32\\smss.exe' % sys_root - assert t.comm == kti.command_line - assert len(t.args) == 0 - - def test_create_thread(self, thread_registry): - - kti = dd({"user_stack_base": 18874368, "io_priority": 2, "teb_base": 8796092882944, - "process_id": "0x1e4", "stack_limit": 18446735827462836224, - "t_thread_id": "0x57c", "base_priority": 9, "win32_start_addr": 2009592544, - "page_priority": 5, "stack_base": 18446735827462860800, - "user_stack_limit": 18841600, "thread_flags": 0, - "affinity": 15, "sub_process_tag": "0x0"}) - thread_registry.add_thread(CREATE_THREAD, kti) - thread_id = int(kti.t_thread_id, 16) - t = thread_registry.get_thread(thread_id) - assert t - assert t.tid == thread_id - assert t.pid == t.ppid == int(kti.process_id, 16) - assert t.kstack_base == hex(kti.stack_base) - assert t.ustack_base == hex(kti.user_stack_base) - assert t.base_priority == kti.base_priority - assert t.io_priority == kti.io_priority - assert t.child_count == 0 - - @patch('fibratus.thread.open_process', return_value=13) - @patch('fibratus.thread.close_handle', return_value=None) - def test_create_thread_registry_proc_lookup_failed(self, close_handle_mock, open_process_mock, - thread_registry, handle_repo_mock): - - kti = dd({"user_stack_base": 10289152, "io_priority": 2, "teb_base": 8796092874752, - "process_id": "0x330", "stack_limit": 18446735827443150848, "t_thread_id": "0x338", - "base_priority": 8, "win32_start_addr": 2009573488, - "page_priority": 5, "stack_base": 18446735827443175424, "user_stack_limit": 10256384, - "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0"}) - thread_id = int(kti.t_thread_id, 16) - process_id = int(kti.process_id, 16) - - with patch('fibratus.thread.ThreadRegistry._query_process_info', return_value=dd(name='Dwm.exe', - comm='C:\\Windows\\system32\\Dwm.exe', - parent_pid=0x748)) as query_process_info_mock: - thread_registry.add_thread(CREATE_THREAD, kti) - open_process_mock.assert_called_with(PROCESS_QUERY_INFORMATION | - PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, - False, process_id) - query_process_info_mock.assert_called_with(13) - close_handle_mock.assert_called_with(13) - - handle_repo_mock.query_handles.assert_called_with(process_id) - - proc = thread_registry.get_thread(process_id) - assert proc - assert proc.name == 'dwm.exe' - t = thread_registry.get_thread(thread_id) - assert t - assert t.name == 'dwm.exe' - - - @patch('fibratus.thread.open_process', side_effect=[None, 29]) - @patch('fibratus.thread.close_handle', return_value=None) - @patch('fibratus.thread.get_last_error', return_value=ERROR_ACCESS_DENIED) - def test_create_thread_registry_proc_lookup_failed_invalid_handle(self, get_last_error, close_handle_mock, - open_process_mock, - thread_registry, handle_repo_mock): - - kti = dd({"user_stack_base": 1835008, "io_priority": 2, "teb_base": 8796092878848, - "process_id": "0x4c8", "stack_limit": 18446735827446923264, "t_thread_id": "0x4dc", - "base_priority": 8, "win32_start_addr": 4286166856, "page_priority": 5, - "stack_base": 18446735827446964224, - "user_stack_limit": 1744896, "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0"}) - thread_id = int(kti.t_thread_id, 16) - process_id = int(kti.process_id, 16) - - with patch('fibratus.thread.ThreadRegistry._query_process_info', return_value=dd(name='explorer.exe', - comm='C:\\Windows\\Explorer.EXE', - parent_pid=0x4c8)) as query_process_info_mock: - thread_registry.add_thread(CREATE_THREAD, kti) - assert get_last_error.call_count == 1 - open_process_mock.assert_called_with(PROCESS_QUERY_LIMITED_INFORMATION, - False, process_id) - - query_process_info_mock.assert_called_with(29, False) - close_handle_mock.assert_called_with(29) - - handle_repo_mock.query_handles.assert_called_with(process_id) - - proc = thread_registry.get_thread(process_id) - assert proc - assert proc.name == 'explorer.exe' - t = thread_registry.get_thread(thread_id) - assert t - assert t.name == 'explorer.exe' - assert t.comm == 'C:\\Windows\\Explorer.EXE' - - def test_terminate_thread(self, thread_registry): - - kti = dd({"user_stack_base": 18874368, "io_priority": 2, "teb_base": 8796092882944, - "process_id": "0x1e4", "stack_limit": 18446735827462836224, - "t_thread_id": "0x57c", "base_priority": 9, "win32_start_addr": 2009592544, - "page_priority": 5, "stack_base": 18446735827462860800, - "user_stack_limit": 18841600, "thread_flags": 0, - "affinity": 15, "sub_process_tag": "0x0"}) - - thread_id = int(kti.t_thread_id, 16) - process_id = int(kti.process_id, 16) - proc = thread_registry.get_thread(process_id) - - child_count = proc.child_count - t = thread_registry.get_thread(thread_id) - assert t - thread_registry.remove_thread(TERMINATE_THREAD, kti) - - t = thread_registry.get_thread(thread_id) - assert t is None - assert proc.child_count == child_count - 1 - - def test_terminate_process(self, thread_registry): - kti = dd({"session_id": 0, "command_line": "C:\\Windows\\system32\\services.exe", "process_id": "0x1e4", - "unique_process_key": 18446738026492816176, "exit_status": 259, - "parent_id": "0x17c", - "image_file_name": "services.exe", - "directory_table_base": 4299976704, - "user_sid": None}) - process_id = int(kti.process_id, 16) - proc = thread_registry.get_thread(process_id) - assert proc - thread_registry.remove_thread(TERMINATE_PROCESS, kti) - proc = thread_registry.get_thread(process_id) - assert proc is None \ No newline at end of file