Documentation
Overview
Package kevent defines the fundamental data structures that underpin the state of every kernel event pushed from the consumer.
Index
- Variables
- type Batch
- type Formatter
- type Kevent
- func (kevt *Kevent) AddMeta(k, v string)
- func (kevt Kevent) IsNetworkTCP() bool
- func (kevt Kevent) IsNetworkUDP() bool
- func (kevt *Kevent) MarshalJSON() []byte
- func (kevt *Kevent) MarshalRaw() []byte
- func (kevt *Kevent) Release()
- func (kevt *Kevent) String() string
- func (kevt *Kevent) UnmarshalRaw(b []byte, ver kcapver.Version) error
- type Kparam
- type Kparams
- func (kpars Kparams) Append(name string, typ kparams.Type, value kparams.Value) Kparams
- func (kpars Kparams) AppendFromKcap(name string, typ kparams.Type, value kparams.Value) Kparams
- func (kpars Kparams) Contains(name string) bool
- func (kpars Kparams) Find(name string) *Kparam
- func (kpars Kparams) Get(name string) (kparams.Value, error)
- func (kpars Kparams) GetDouble(name string) (float64, error)
- func (kpars Kparams) GetFloat(name string) (float32, error)
- func (kpars Kparams) GetHex(name string) (kparams.Hex, error)
- func (kpars Kparams) GetHexAsUint32(name string) (uint32, error)
- func (kpars Kparams) GetHexAsUint64(name string) (uint64, error)
- func (kpars Kparams) GetHexAsUint8(name string) (uint8, error)
- func (kpars Kparams) GetIP(name string) (net.IP, error)
- func (kpars Kparams) GetIPv4(name string) (net.IP, error)
- func (kpars Kparams) GetIPv6(name string) (net.IP, error)
- func (kpars Kparams) GetInt16(name string) (int16, error)
- func (kpars Kparams) GetInt32(name string) (int32, error)
- func (kpars Kparams) GetInt64(name string) (int64, error)
- func (kpars Kparams) GetInt8(name string) (int8, error)
- func (kpars Kparams) GetPid() (uint32, error)
- func (kpars Kparams) GetPpid() (uint32, error)
- func (kpars Kparams) GetSlice(name string) (kparams.Value, error)
- func (kpars Kparams) GetString(name string) (string, error)
- func (kpars Kparams) GetStringSlice(name string) ([]string, error)
- func (kpars Kparams) GetTid() (uint32, error)
- func (kpars Kparams) GetTime(name string) (time.Time, error)
- func (kpars Kparams) GetUint16(name string) (uint16, error)
- func (kpars Kparams) GetUint32(name string) (uint32, error)
- func (kpars Kparams) GetUint64(name string) (uint64, error)
- func (kpars Kparams) GetUint8(name string) (uint8, error)
- func (kpars Kparams) Len() int
- func (kpars Kparams) Remove(name string)
- func (kpars Kparams) Set(name string, value kparams.Value, typ kparams.Type) error
- func (kpars Kparams) String() string
- type Metadata
- type ParamCaseStyle
- type Sequencer
Constants
This section is empty.
Variables
var (
	// SerializeHandles indicates if handles are serialized as part of the process' state
	SerializeHandles bool
	// SerializeThreads indicates if threads are serialized as part of the process' state
	SerializeThreads bool
	// SerializeImages indicates if images are serialized as part of the process' state
	SerializeImages bool
	// SerializePE indicates if PE metadata are serialized as part of the process' state
	SerializePE bool
	// SerializeEnvs indicates if the environment variables are serialized as part of the process' state
	SerializeEnvs bool
)
var ParamKVDelimiter = "➜ "
ParamKVDelimiter specifies the character that delimits the parameter's key from its value.
var ParamNameCaseStyle = SnakeCase
ParamNameCaseStyle designates the case style for kernel parameter names.
var TimestampFormat string
TimestampFormat is the valid Go layout string for the kernel event timestamp.
Functions
This section is empty.
Types
type Batch
type Batch struct {
Events []*Kevent
}
Batch contains a sequence of kernel events.
func (*Batch) MarshalJSON
MarshalJSON serializes the batch of events to JSON format.
type Formatter
type Formatter struct {
// contains filtered or unexported fields
}
Formatter produces the event's output as dictated by the template.
func NewFormatter
NewFormatter builds a new instance of the event formatter.
type Kevent
type Kevent struct {
	// Seq is the monotonically incremented kernel event sequence.
	Seq uint64 `json:"seq"`
	// PID is the identifier of the process that generated the event.
	PID uint32 `json:"pid"`
	// Tid is the thread identifier of the thread that generated the event.
	Tid uint32 `json:"tid"`
	// Type is the internal representation of the kernel event. This field should be ignored by serializers.
	Type ktypes.Ktype `json:"-"`
	// CPU designates the logical processor core where the event originated.
	CPU uint8 `json:"cpu"`
	// Name is the human friendly name of the kernel event.
	Name string `json:"name"`
	// Category designates the category to which this event pertains.
	Category ktypes.Category `json:"category"`
	// Description is the short explanation that describes the purpose of the event.
	Description string `json:"description"`
	// Host is the machine name that reported the generated event.
	Host string `json:"host"`
	// Timestamp represents the temporal occurrence of the event.
	Timestamp time.Time `json:"timestamp"`
	// Kparams stores the collection of kernel event parameters.
	Kparams Kparams `json:"params"`
	// Metadata represents any tags that are meaningful to this event.
	Metadata Metadata `json:"metadata"`
	// PS represents the process' metadata and its allocated resources such as handles, DLLs, etc.
	PS *pstypes.PS `json:"ps,omitempty"`
}
Kevent encapsulates the kernel event's payload.
func New
func New(seq uint64, pid, tid uint32, cpu uint8, ktype ktypes.Ktype, ts time.Time, kpars Kparams) *Kevent
New constructs a new kernel event instance.
func NewFromKcap
NewFromKcap recovers the kernel event instance from the kcapture byte buffer.
func (Kevent) IsNetworkTCP
IsNetworkTCP determines whether the kevent pertains to network TCP events.
func (Kevent) IsNetworkUDP
IsNetworkUDP determines whether the kevent pertains to network UDP events.
func (*Kevent) MarshalJSON
MarshalJSON produces a JSON payload for this kevent.
func (*Kevent) MarshalRaw
MarshalRaw produces a byte stream of the kernel event suitable for writing to disk.
type Kparam
type Kparam struct {
	// Type is the type of the parameter. For example, the `sport` parameter has the `Port` type although its value
	// is the uint16 numeric type.
	Type kparams.Type `json:"-"`
	// Value is the container for parameter values. To access the underlying value use the appropriate `Get` methods.
	Value kparams.Value `json:"value"`
	// Name represents the name of the parameter (e.g. pid, sport).
	Name string `json:"name"`
}
Kparam defines the layout of the kernel event parameter.
func NewKparam
NewKparam creates a new event parameter. Since the parameter type is already categorized, the value can be coerced to the appropriate representation (e.g. hex, IP address, user security identifier, etc.).
func NewKparamFromKcap
NewKparamFromKcap builds a kparam instance from the restored state.
type Kparams
Kparams is the type that represents the sequence of kernel event parameters.
func (Kparams) AppendFromKcap
AppendFromKcap adds a new parameter with the specified name, type and value from the kcap state.
func (Kparams) Find
Find returns the kparam with the specified name. If it is not found, nil is returned.
func (Kparams) Get
Get returns the raw value for the given parameter name. It is the responsibility of the caller to perform a type assertion on the value to obtain its underlying type; the typed `Get*` methods below do this for you and return an error instead of panicking on a mismatch.
func (Kparams) GetDouble
GetDouble returns the underlying double (float64) value of the parameter.
func (Kparams) GetHex
GetHex returns the generic hexadecimal type for the specified parameter name.
func (Kparams) GetHexAsUint32
GetHexAsUint32 returns the hexadecimal number as a uint32 value.
func (Kparams) GetHexAsUint64
GetHexAsUint64 returns the hexadecimal number as a uint64 value.
func (Kparams) GetHexAsUint8
GetHexAsUint8 returns the hexadecimal number as a uint8 value.
func (Kparams) GetStringSlice
GetStringSlice returns the string slice from the event parameter.
type Metadata
Metadata is a type alias for event metadata. Any tag, i.e. a key/value pair, can be attached to the metadata.
type ParamCaseStyle
type ParamCaseStyle uint8
ParamCaseStyle is the type definition for the parameter name case style.
const (
	// SnakeCase is the default parameter name case style. Multi-word parameters are delimited by the underscore symbol (e.g. process_object)
	SnakeCase ParamCaseStyle = 1
	// DotCase style uses a dot to separate multi-word parameter names (e.g. process.object)
	DotCase ParamCaseStyle = 2
	// PascalCase renders parameter names with the pascal case naming style (e.g. ProcessObject)
	PascalCase ParamCaseStyle = 3
	// CamelCase renders parameter names with the camel case naming style (e.g. processObject)
	CamelCase ParamCaseStyle = 4
)
type Sequencer
type Sequencer struct {
// contains filtered or unexported fields
}
Sequencer is responsible for incrementing, getting and persisting the kevent sequence number in the Windows registry.
func NewSequencer
func NewSequencer() *Sequencer
NewSequencer creates a fresh kevent sequencer. If the `KeventSeq` value is present under the volatile key, the current sequence number is initialized to the last stored sequence. The sequencer schedules a ticker that periodically dumps the current sequence number into the registry value.
func (*Sequencer) Increment
func (s *Sequencer) Increment()
Increment increments the sequence number atomically.
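The sequencer design described above, as an added illustration that is not the package's own code: a sequence number that is restored from its store at start-up, incremented atomically, and flushed by a ticker so that numbers stay monotonic across restarts. The Windows registry value is replaced by an assumed SeqStore interface with a constructed in-memory implementation, so the example runs on any platform.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)
// SeqStore stands in for the volatile registry value (KeventSeq) described above; it is an assumption so this runs anywhere.
type SeqStore interface {
	Load() (uint64, bool)
	Save(uint64)
}
// MemStore is a constructed in-memory SeqStore used only for the demonstration.
type MemStore struct{ mu sync.Mutex; seq uint64; ok bool }
func (m *MemStore) Load() (uint64, bool) { m.mu.Lock(); defer m.mu.Unlock(); return m.seq, m.ok }
func (m *MemStore) Save(seq uint64)      { m.mu.Lock(); defer m.mu.Unlock(); m.seq, m.ok = seq, true }
// Sequencer is restored from the store at start-up, incremented atomically, flushed by a ticker and once more on Close.
type Sequencer struct{ seq uint64; store SeqStore; stop, done chan struct{} }

func NewSequencer(store SeqStore, flush time.Duration) *Sequencer {
	s := &Sequencer{store: store, stop: make(chan struct{}), done: make(chan struct{})}
	if last, ok := store.Load(); ok {
		s.seq = last // resume, so numbers stay monotonic across restarts
	}
	go func() { // periodic persistence, mirroring the ticker described above
		defer close(s.done)
		t := time.NewTicker(flush); defer t.Stop()
		for {
			select {
			case <-t.C:
				store.Save(s.Get())
			case <-s.stop:
				store.Save(s.Get()) // final flush so no increments are lost
				return
			}
		}
	}()
	return s
}

func (s *Sequencer) Increment() { atomic.AddUint64(&s.seq, 1) }
func (s *Sequencer) Get() uint64 { return atomic.LoadUint64(&s.seq) }
func (s *Sequencer) Close()      { close(s.stop); <-s.done }

func main() { // simulated restart: the second sequencer resumes at 1, not 0
	store := &MemStore{}
	s := NewSequencer(store, 10*time.Millisecond); s.Increment(); s.Close()
	fmt.Println(NewSequencer(store, time.Second).Get())
}
```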