Documentation ¶
Index ¶
- Constants
- func Canonicalize(name string) string
- func ConsumeUTF16String(buf uintptr, offset, length uint16) string
- func ReadAnsiString(buf uintptr, offset, length uint16) (string, uint16)
- func ReadByte(buf uintptr, offset uint16) byte
- func ReadBytes(buf uintptr, offset uint16, nbytes uint16) []byte
- func ReadSID(buf uintptr, offset uint16) ([]byte, uint16)
- func ReadUTF16String(buf uintptr, offset, length uint16) (string, uint16)
- func ReadUint16(buf uintptr, offset uint16) uint16
- func ReadUint32(buf uintptr, offset uint16) uint32
- func ReadUint64(buf uintptr, offset uint16) uint64
- func SizeOf(kpar string) uint32
- type Hex
- type Type
- type Value
Constants ¶
// Canonical kernel event parameter names.
//
// Each constant is the string key under which an event parameter is stored and
// looked up (Canonicalize maps original property names onto these values).
// Several keys are reused across categories (FileName and ImageFilename are
// both "file_name"; FileType and RegValueType are both "type"), so a key is
// presumably only unique within the event category that produces it — confirm
// before using a bare key to distinguish event kinds.
const (
	// NTStatus is the parameter that identifies the NTSTATUS value.
	NTStatus = "status"
	// ProcessID represents the process identifier.
	ProcessID = "pid"
	// ProcessObject field represents the address of the process object in the kernel.
	ProcessObject = "kproc"
	// ThreadID field represents the thread identifier.
	ThreadID = "tid"
	// ProcessParentID field represents the parent process identifier.
	ProcessParentID = "ppid"
	// SessionID field represents the session identifier.
	SessionID = "session_id"
	// UserSID field is the security identifier associated with the process token under which it runs.
	UserSID = "sid"
	// ProcessName field denotes the process image name.
	ProcessName = "name"
	// Exe field denotes the full path of the executable.
	Exe = "exe"
	// Comm field represents the process command line.
	Comm = "comm"
	// DTB field denotes the address of the process directory table.
	DTB = "directory_table_base"
	// ExitStatus is the field that represents the process exit status.
	ExitStatus = "exit_status"
	// StartTime field denotes the process start time.
	StartTime = "start_time"
	// DesiredAccess field denotes the access rights for different kernel objects such as processes or threads.
	DesiredAccess = "desired_access"
	// DesiredAccessNames field denotes the list of human-readable access rights.
	DesiredAccessNames = "desired_access_names"
	// BasePrio field is the thread base priority assigned by the scheduler.
	BasePrio = "base_prio"
	// IOPrio represents the field that indicates the thread I/O priority.
	IOPrio = "io_prio"
	// PagePrio field denotes page priority.
	PagePrio = "page_prio"
	// KstackBase field is the start address of the kernel space stack.
	KstackBase = "kstack"
	// KstackLimit field is the end address of the kernel space stack.
	KstackLimit = "kstack_limit"
	// UstackBase field is the start address of the user space stack.
	UstackBase = "ustack"
	// UstackLimit field is the end address of the user space stack.
	UstackLimit = "ustack_limit"
	// ThreadEntrypoint field is the address of the thread main function.
	ThreadEntrypoint = "entrypoint"
	// FileObject determines the field name for the file object pointer.
	FileObject = "file_object"
	// FileName represents the field that designates the absolute path of the file.
	FileName = "file_name"
	// FileCreateOptions is the field that represents the values passed in the CreateDispositions parameter to the NtCreateFile function.
	// NOTE(review): the comments on FileCreateOptions and FileOperation look swapped relative to the
	// constant names ("options" ↔ CreateOptions, "operation" ↔ CreateDisposition) — confirm against the
	// event parsing code before relying on either description.
	FileCreateOptions = "options"
	// FileOperation is the field that represents the values passed in the CreateOptions parameter to the NtCreateFile function.
	FileOperation = "operation"
	// FileCreated represents the name for the file creation field.
	FileCreated = "created"
	// FileAccessed represents the name for the file access field.
	FileAccessed = "accessed"
	// FileModified represents the name for the file modification field.
	FileModified = "modified"
	// FileShareMask is the field name for the file share mask — presumably the share access
	// mode requested on the file; the exact bit layout is not established here.
	FileShareMask = "share_mask"
	// FileType represents the field name that indicates the file type.
	FileType = "type"
	// FileAttributes is the field that represents file attribute values.
	FileAttributes = "attributes"
	// FileIoSize is the field that represents the number of bytes in file read/write operations.
	FileIoSize = "io_size"
	// FileOffset represents the field for the file offset in read/write operations.
	FileOffset = "offset"
	// FileInfoClass represents the file information class.
	FileInfoClass = "class"
	// FileKey represents the directory key identifier in EnumDirectory events.
	FileKey = "file_key"
	// FileDirectory represents the field for the directory name in EnumDirectory events.
	FileDirectory = "dir"
	// FileIrpPtr represents the I/O request packet id.
	FileIrpPtr = "irp"
	// FileExtraInfo is the parameter that represents extra information returned by the file system
	// for the operation. For example, for a read request, the actual number of bytes that were read.
	FileExtraInfo = "extra_info"
	// RegKeyHandle identifies the parameter name for the registry key handle.
	RegKeyHandle = "key_handle"
	// RegKeyName represents the parameter name for the fully qualified key name.
	RegKeyName = "key_name"
	// RegValue identifies the parameter name that contains the value.
	RegValue = "value"
	// RegValueType identifies the parameter that represents the registry value type, e.g. DWORD, BINARY.
	RegValueType = "type"
	// ImageBase identifies the parameter name for the base address of the process in which the image is loaded.
	ImageBase = "base_address"
	// ImageSize represents the parameter name for the size of the image in bytes.
	ImageSize = "image_size"
	// ImageCheckSum is the parameter name for the image checksum.
	ImageCheckSum = "checksum"
	// ImageDefaultBase is the parameter name that represents the image's base address.
	ImageDefaultBase = "default_address"
	// ImageFilename is the parameter name that denotes the file name and extension of the DLL/executable image.
	ImageFilename = "file_name"
	// NetSize identifies the parameter name that represents the packet size.
	NetSize = "size"
	// NetDIP is the parameter name that denotes the destination IP address.
	NetDIP = "dip"
	// NetSIP is the parameter name that denotes the source IP address.
	NetSIP = "sip"
	// NetDport identifies the parameter name that represents the destination port number.
	NetDport = "dport"
	// NetSport identifies the parameter name that represents the source port number.
	NetSport = "sport"
	// NetMSS is the parameter name that represents the maximum TCP segment size.
	NetMSS = "mss"
	// NetRcvWin is the parameter name that represents the TCP segment's receive window size.
	NetRcvWin = "rcvwin"
	// NetSAckopt is the parameter name that represents the Selective Acknowledgment option in the TCP header.
	NetSAckopt = "sack_opt"
	// NetTsopt is the parameter name that represents the time stamp option in the TCP header.
	NetTsopt = "timestamp_opt"
	// NetWsopt is the parameter name that represents the window scale option in the TCP header.
	NetWsopt = "window_scale_opt"
	// NetRcvWinScale is the parameter name that represents the TCP receive window scaling factor.
	NetRcvWinScale = "recv_winscale"
	// NetSendWinScale is the parameter name that represents the TCP send window scaling factor.
	NetSendWinScale = "send_winscale"
	// NetSeqNum is the parameter name that represents the TCP sequence number.
	NetSeqNum = "seqnum"
	// NetConnID is the parameter name that represents a unique connection identifier.
	NetConnID = "connid"
	// NetL4Proto is the parameter name that identifies the Layer 4 protocol name.
	NetL4Proto = "l4_proto"
	// NetDportName is the field that denotes the destination port name.
	NetDportName = "dport_name"
	// NetSportName is the field that denotes the source port name.
	NetSportName = "sport_name"
	// NetSIPNames is the field that denotes the source IP address names.
	NetSIPNames = "sip_names"
	// NetDIPNames is the field that denotes the destination IP address names.
	NetDIPNames = "dip_names"
	// HandleID identifies the parameter that specifies the handle identifier.
	HandleID = "handle_id"
	// HandleObject identifies the parameter that represents the kernel object to which the handle is associated.
	HandleObject = "handle_object"
	// HandleObjectName identifies the parameter that represents the kernel object name.
	HandleObjectName = "handle_name"
	// HandleObjectTypeID identifies the parameter that represents the kernel object type identifier.
	HandleObjectTypeID = "type_id"
	// HandleObjectTypeName identifies the parameter that represents the kernel object type name.
	HandleObjectTypeName = "handle_type"
)
const (
	// NA is the value used for a parameter that is absent from the event.
	// Callers comparing parameter values should treat this sentinel as
	// "not present" rather than as a literal string value.
	NA = "na"
)
Variables ¶
This section is empty.
Functions ¶
func Canonicalize ¶
Canonicalize takes an original kernel event property name and normalizes it to the canonical parameter name.
func ConsumeUTF16String ¶ added in v1.6.0
ConsumeUTF16String reads the UTF-16-encoded string from the byte slice when the string is located at the end of the buffer.
func ReadAnsiString ¶ added in v1.6.0
ReadAnsiString reads the ANSI string from the buffer at the specified offset and buffer length.
func ReadUTF16String ¶ added in v1.6.0
ReadUTF16String reads the UTF-16 string from the buffer at the specified offset and buffer length.
func ReadUint16 ¶ added in v1.6.0
ReadUint16 reads the uint16 value from the buffer at the specified offset.
func ReadUint32 ¶ added in v1.6.0
ReadUint32 reads the uint32 value from the buffer at the specified offset.
func ReadUint64 ¶ added in v1.6.0
ReadUint64 reads the uint64 value from the buffer at the specified offset.
Types ¶
type Hex ¶
// Hex is a named string type for hexadecimal values.
//
// It is a defined type rather than a `= string` alias, so a Hex does not
// convert implicitly to string; a value switch over a parameter's dynamic
// type can therefore distinguish hexadecimal from plain string parameters.
type Hex string
Hex is a named string type for hexadecimal values.
type Type ¶
// Type defines the kernel event parameter type.
//
// The concrete values are assigned by the iota-based constant block
// (Null, UnicodeString, ... Unknown) that follows this declaration.
type Type uint16
Type defines kernel event parameter type
// Kernel event parameter types.
//
// Values are assigned with iota, so the declaration order is the numeric
// value: insert new types before Unknown rather than reordering existing
// ones if any persisted or serialized Type values must stay stable.
const (
	// Null is a null parameter type.
	Null Type = iota
	// UnicodeString is a string of 16-bit characters. By default, assumed to have been encoded using UTF-16LE.
	UnicodeString
	// AnsiString is a string of 8-bit characters.
	AnsiString
	// Int8 is a signed 8-bit integer.
	Int8
	// Uint8 is an unsigned 8-bit integer.
	Uint8
	// Int16 is a signed 16-bit integer.
	Int16
	// Uint16 is an unsigned 16-bit integer.
	Uint16
	// Int32 is a signed 32-bit integer.
	Int32
	// Uint32 is an unsigned 32-bit integer.
	Uint32
	// Int64 is a signed 64-bit integer.
	Int64
	// Uint64 is an unsigned 64-bit integer.
	Uint64
	// Float is an IEEE 4-byte floating-point number.
	Float
	// Double is an IEEE 8-byte floating-point number.
	Double
	// Bool is a 32-bit value where 0 is false and 1 is true.
	Bool
	// Binary is binary data of variable size. The size must be specified in the data definition as a
	// constant or a reference to another (integer) data item. For an IPv6 address, the data should be
	// an IN6_ADDR structure. For a socket address, the data should be a SOCKADDR_STORAGE structure.
	// The AF_INET, AF_INET6, and AF_LINK address families are supported.
	Binary
	// GUID is a GUID structure. On output, the GUID is rendered in the registry string form,
	// {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.
	GUID
	// Pointer is an unsigned 32-bit or 64-bit pointer value. The size depends on the architecture of
	// the computer logging the event.
	Pointer
	// SID is a security identifier (SID) structure that uniquely identifies a user or group.
	SID
	// PID is the process identifier.
	PID
	// TID is the thread identifier.
	TID
	// WbemSID is the Web-Based Enterprise Management security identifier.
	WbemSID
	// HexInt8 is the hexadecimal representation of an 8-bit integer.
	HexInt8
	// HexInt16 is the hexadecimal representation of a 16-bit integer.
	HexInt16
	// HexInt32 is the hexadecimal representation of a 32-bit integer.
	HexInt32
	// HexInt64 is the hexadecimal representation of a 64-bit integer.
	HexInt64
	// Port represents the endpoint port number.
	Port
	// IP is the IP address.
	IP
	// IPv4 is the IPv4 address.
	IPv4
	// IPv6 is the IPv6 address.
	IPv6
	// Time represents the timestamp.
	Time
	// Slice represents a collection of items.
	Slice
	// Enum represents an enumeration.
	Enum
	// Map represents a map.
	Map
	// Object is the generic object.
	Object
	// Unknown represents an unknown parameter type. Keep it last so it stays the highest value.
	Unknown
)