chore(kcap): Persist process flags in capture

The process state marshaller stores the new
IsWow64, IsPackaged, and IsProtected fields
into the binary blob.

Author: rabbitstack

pkg/kcap/version/version_windows.go

@@ -35,6 +35,8 @@ const (
 	ProcessSecV2
 	// ProcessSecV3 is the v3 of the process section
 	ProcessSecV3
+	// ProcessSecV4 is the v4 of the process section
+	ProcessSecV4
 )
 
 const (

pkg/kevent/marshaller_windows.go

@@ -175,11 +175,11 @@ func (e *Kevent) MarshalRaw() []byte {
 	// write process state
 	if e.PS != nil && (e.IsCreateProcess() || e.IsProcessRundown()) {
 		buf := e.PS.Marshal()
-		sec := section.New(section.Process, kcapver.ProcessSecV3, 0, uint32(len(buf)))
+		sec := section.New(section.Process, kcapver.ProcessSecV4, 0, uint32(len(buf)))
 		b = append(b, sec[:]...)
 		b = append(b, buf...)
 	} else {
-		sec := section.New(section.Process, kcapver.ProcessSecV3, 0, 0)
+		sec := section.New(section.Process, kcapver.ProcessSecV4, 0, 0)
 		b = append(b, sec[:]...)
 	}
 

pkg/ps/types/marshaller_windows.go

@@ -25,6 +25,7 @@ import (
 	kcapver "github.com/rabbitstack/fibratus/pkg/kcap/version"
 	"github.com/rabbitstack/fibratus/pkg/pe"
 	"github.com/rabbitstack/fibratus/pkg/util/bytes"
+	"github.com/rabbitstack/fibratus/pkg/util/convert"
 	"time"
 	"unsafe"
 )
@@ -109,6 +110,11 @@ func (ps *PS) Marshal() []byte {
 	b = append(b, bytes.WriteUint16(uint16(len(ps.Domain)))...)
 	b = append(b, ps.Domain...)
 
+	// write process flags
+	b = append(b, convert.Btoi(ps.IsWOW64))
+	b = append(b, convert.Btoi(ps.IsPackaged))
+	b = append(b, convert.Btoi(ps.IsProtected))
+
 	return b
 }
 
@@ -249,8 +255,19 @@ readpe:
 			// read domain
 			l = bytes.ReadUint16(b[idx+offset:])
 			buf = b[:]
+			idx += 2
+			offset += uint32(l)
 			ps.Domain = string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l])
 		}
+		if psec.Version() >= kcapver.ProcessSecV4 {
+			// process flags
+			ps.IsWOW64 = convert.Itob(b[idx+offset])
+			idx++
+			ps.IsPackaged = convert.Itob(b[idx+offset])
+			idx++
+			ps.IsProtected = convert.Itob(b[idx+offset])
+		}
+
 		return nil
 	}
 
@@ -285,8 +302,18 @@ readpe:
 		// read domain
 		l = bytes.ReadUint16(b[idx+offset:])
 		buf = b[:]
+		idx += 2
+		offset += uint32(l)
 		ps.Domain = string((*[1<<30 - 1]byte)(unsafe.Pointer(&buf[0]))[:l:l])
 	}
+	if psec.Version() >= kcapver.ProcessSecV4 {
+		// process flags
+		ps.IsWOW64 = convert.Itob(b[idx+offset])
+		idx++
+		ps.IsPackaged = convert.Itob(b[idx+offset])
+		idx++
+		ps.IsProtected = convert.Itob(b[idx+offset])
+	}
 
 	return nil
 }

pkg/ps/types/marshaller_windows_test.go

@@ -77,10 +77,13 @@ func TestPSMarshaler(t *testing.T) {
 				Object: 357488883434455544,
 			},
 		},
+		IsProtected: true,
+		IsWOW64:     true,
+		IsPackaged:  false,
 	}
 
 	b := ps.Marshal()
-	sec := section.New(section.Process, kcapver.ProcessSecV3, 0, 0)
+	sec := section.New(section.Process, kcapver.ProcessSecV4, 0, 0)
 	clone, err := NewFromKcap(b, sec)
 	require.NoError(t, err)
 
@@ -96,6 +99,9 @@ func TestPSMarshaler(t *testing.T) {
 	assert.Equal(t, []string{"-contentproc", `--channel="6304.3.1055809391\1014207667`, "-childID", "1", "-isForBrowser", "-prefsHandle", "2584", "-prefMapHandle", "2580", "-prefsLen", "70", "-prefMapSize", "216993", "-parentBuildID"}, clone.Args)
 	assert.Equal(t, uint32(4), clone.SessionID)
 	assert.Equal(t, map[string]string{"ProgramData": "C:\\ProgramData", "COMPUTRENAME": "archrabbit"}, clone.Envs)
+	assert.True(t, clone.IsProtected)
+	assert.True(t, clone.IsWOW64)
+	assert.False(t, clone.IsPackaged)
 
 	require.Len(t, clone.Handles, 3)