Skip to content

v2.0.0
Compare
Choose a tag to compare
@github-actions github-actions released this 01 Sep 17:59
· 237 commits to master since this release
v2.0.0
2268bda
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Release Notes

New features

  • New VirtualAlloc and VirtualFree events. Read more
  • New MapViewFile and UnmapViewFile events and mapped-files state. Read more
  • New DuplicateHandle event Read more
  • DNS telemetry via QueryDns and ReplyDns events Read more
  • New RegCloseKey event
  • Image signature information exposed via parameters and image.signature.type/image.signature.level filter fields Read more
  • Image format parameters and filter fields
  • Decorate non-open disposition CreateFile events with image format parameters
  • Macros for detecting loading of unsigned/untrusted modules
  • ps.sid filter field contains the raw SID value, e.g. S-1-5-18
  • Parse and append create_options parameter to CreateFile events
  • Certificate info and filter fields for LoadImage/UnloadImage events
  • Expand pe filter field set and allow lazily value extraction Read more
  • Support for expressions with bare boolean filter fields

Enhancements

  • Significant core refactoring to aim for a more sustainable codebase growth
  • Refactored many tests to embrace table-driven testing
  • Introduce a new set of parameter types such as flags, system status code, file path, address, etc.
  • Switch to golang.org/sys/windows package for the vast majority of API calls and structures
  • Use the syscall generator to produce stubs for the API calls not available through golang.org/sys/windows
  • Bump golangci-lint linters to version 1.52.2
  • Event consumer tests to verify the correctness of captured events
  • Trace controller tests to verify real-world tracing session management
  • Harden driver handle objects decoration of the file path parameters
  • Expand the size of the Ktype type to accommodate 2-bytes event hook identifiers
  • Switch to the upstream saferwall/pe package for version resource parsing
  • Only allow a single instance of the Fibratus process to be run simultaneously

Configuration changes

  • Disable initial handle snapshot to reduce overall memory utilization
  • Added RegCloseKey to the list of ignored events
  • Removed the System process image from the list of ignored processes

Deprecation

  • Remove kstream.raw-event-parsing config flag as binary event parsing is the default option now
  • Nuke TDH event parsing functionality
  • Sunset Antimalware provider as we can tap into driver loading events via LoadImage events

Bug fixes

  • Resolution of success system codes should compare the range of information values
  • Use only the rule name in the filter field deprecation log message
  • Solved yara tests hanging issues

Breaking changes

  • Convert flags event parameters to uppercase strings
  • The sid parameter and the ps.sid filter fields contain the raw SID value instead of the username/domain tuple
  • Command line parameters and filter fields contain the original, unexpanded command line
  • The major kcap file format version is increased in this version. The side-effect is the inability to replay old capture files
  • operation parameter name in the CreateFile event is renamed to create_disposition
  • share_mask parameter contains the full permission name, e.g. READ|WRITE|DELETE
  • comm parameter name in process events is renamed to cmdline
Assets 4
Loading