def test_next_cswitch_in_registry(self, thread_registry_empty_mock,
kevent_mock):
context_switch_registry = ContextSwitchRegistry(
thread_registry_empty_mock, kevent_mock)
kcs1 = ddict({
'old_thread_wait_ideal_processor': 3,
'previous_c_state': 0,
'old_thread_state': 5,
'old_thread_priority': 8,
'reserved': 4294967294,
'spare_byte': 0,
'old_thread_wait_reason': 8,
'new_thread_wait_time': '0x0',
'old_thread_wait_mode': 1,
'new_thread_priority': 8,
'new_thread_id': '0x1fc8',
'old_thread_id': '0x2348'
})
kcs2 = ddict({
'old_thread_wait_ideal_processor': 3,
'previous_c_state': 0,
'old_thread_state': 3,
'old_thread_priority': 8,
'reserved': 4294967295,
'spare_byte': 0,
'old_thread_wait_reason': 8,
'new_thread_wait_time': '0x0',
'old_thread_wait_mode': 1,
'new_thread_priority': 5,
'new_thread_id': '0x1fc8',
'old_thread_id': '0x2348'
})
context_switch_registry.next_cswitch(
1, datetime.strptime("12:05:45.233", '%H:%M:%S.%f'), kcs1)
context_switch_registry.next_cswitch(
1, datetime.strptime("12:05:45.234", '%H:%M:%S.%f'), kcs2)
k = (1, int(kcs1.new_thread_id, 16))
cs = context_switch_registry.context_switches()[k]
assert cs
assert cs.count == 2
assert cs.next_thread_prio == 5
assert cs.prev_thread_state is ThreadState.STANDBY
assert cs.timestamp == datetime.strptime("12:05:45.234", '%H:%M:%S.%f')
assert cs.prev_thread_wait_reason is WaitReason.FREE_PAGE
def test_next_cswitch(self, thread_registry_mock, kevent_mock):
context_switch_registry = ContextSwitchRegistry(
thread_registry_mock, kevent_mock)
ts = datetime.strptime("12:05:45.233", '%H:%M:%S.%f')
kcs1 = ddict({
'old_thread_wait_ideal_processor': 2,
'previous_c_state': 1,
'old_thread_state': 2,
'old_thread_priority': 0,
'reserved': 777748717,
'spare_byte': 0,
'old_thread_wait_reason': 0,
'new_thread_wait_time': '0x0',
'old_thread_wait_mode': 0,
'new_thread_priority': 15,
'new_thread_id': '0x1054',
'old_thread_id': '0x0'
})
new_thread_id = int(kcs1.new_thread_id, 16)
context_switch_registry.next_cswitch(1, ts, kcs1)
thread_registry_mock.get_thread.assert_has_calls(
[call(new_thread_id),
call(int(kcs1.old_thread_id, 16))])
assert (
1,
new_thread_id,
) in context_switch_registry.context_switches()
cs = context_switch_registry.context_switches()[(
1,
new_thread_id,
)]
assert cs
assert cs.timestamp is ts
assert cs.next_proc_name == "explorer.exe"
assert cs.next_thread_wait_time == 0
assert cs.next_thread_prio == 15
assert cs.prev_thread_prio == 0
assert cs.prev_thread_state is ThreadState.RUNNING
assert cs.count == 1
assert cs.prev_thread_wait_mode is WaitMode.KERNEL
assert cs.prev_thread_wait_reason is WaitReason.EXECUTIVE
def __init__(self, filament, **kwargs):
self._start = datetime.now()
try:
log_path = os.path.join(os.path.expanduser('~'), '.fibratus',
'fibratus.log')
FileHandler(log_path, mode='w+').push_application()
StreamHandler(sys.stdout, bubble=True).push_application()
except PermissionError:
panic(
"ERROR - Unable to open log file for writing due to permission error"
)
self.logger = Logger(Fibratus.__name__)
self._config = YamlConfig()
self.logger.info('Starting Fibratus...')
enable_cswitch = kwargs.pop('cswitch', False)
self.kcontroller = KTraceController()
self.ktrace_props = KTraceProps()
self.ktrace_props.enable_kflags(cswitch=enable_cswitch)
self.ktrace_props.logger_name = etw.KERNEL_LOGGER_NAME
enum_handles = kwargs.pop('enum_handles', True)
self.handle_repository = HandleRepository()
self._handles = []
# query for handles on the
# start of the kernel trace
if enum_handles:
self.logger.info('Enumerating system handles...')
self._handles = self.handle_repository.query_handles()
self.logger.info('%s handles found' % len(self._handles))
self.handle_repository.free_buffers()
image_meta_config = self._config.image_meta
self.image_meta_registry = ImageMetaRegistry(
image_meta_config.enabled, image_meta_config.imports,
image_meta_config.file_info)
self.thread_registry = ThreadRegistry(self.handle_repository,
self._handles,
self.image_meta_registry)
self.kevt_streamc = KEventStreamCollector(
etw.KERNEL_LOGGER_NAME.encode())
skips = self._config.skips
image_skips = skips.images if 'images' in skips else []
if len(image_skips) > 0:
self.logger.info("Adding skips for images %s" % image_skips)
for skip in image_skips:
self.kevt_streamc.add_skip(skip)
self.kevent = KEvent(self.thread_registry)
self._output_classes = dict(console=ConsoleOutput,
amqp=AmqpOutput,
smtp=SmtpOutput,
elasticsearch=ElasticsearchOutput)
self._outputs = self._construct_outputs()
self.output_aggregator = OutputAggregator(self._outputs)
self._binding_classes = dict(yara=YaraBinding)
self._bindings = self._construct_bindings()
if filament:
filament.logger = self.logger
filament.do_output_accessors(self._outputs)
self._filament = filament
self.fsio = FsIO(self.kevent, self._handles)
self.hive_parser = HiveParser(self.kevent, self.thread_registry)
self.tcpip_parser = TcpIpParser(self.kevent)
self.dll_repository = DllRepository(self.kevent)
self.context_switch_registry = ContextSwitchRegistry(
self.thread_registry, self.kevent)
self.output_kevents = {}
self.filters_count = 0
def __init__(self, filament, **kwargs):
try:
log_path = os.path.join(os.path.expanduser('~'), '.fibratus',
'fibratus.log')
FileHandler(log_path, mode='w+').push_application()
except PermissionError:
IO.write_console(
"ERROR - Unable to open log file for writing due to permission error"
)
sys.exit(0)
self.logger = Logger(Fibratus.__name__)
self._config = YamlConfig()
self.logger.info('Starting fibratus...')
enable_cswitch = kwargs.pop('cswitch', False)
self.kevt_streamc = KEventStreamCollector(
etw.KERNEL_LOGGER_NAME.encode())
self.kcontroller = KTraceController()
self.ktrace_props = KTraceProps()
self.ktrace_props.enable_kflags(cswitch=enable_cswitch)
self.ktrace_props.logger_name = etw.KERNEL_LOGGER_NAME
enum_handles = kwargs.pop('enum_handles', True)
self.handle_repository = HandleRepository()
self._handles = []
# query for handles on the
# start of the kernel trace
if enum_handles:
self.logger.info('Enumerating system handles...')
self._handles = self.handle_repository.query_handles()
self.logger.info('%s handles found' % len(self._handles))
self.handle_repository.free_buffers()
self.thread_registry = ThreadRegistry(self.handle_repository,
self._handles)
self.kevent = KEvent(self.thread_registry)
self.keventq = Queue()
self._adapter_classes = dict(smtp=SmtpAdapter, amqp=AmqpAdapter)
self._output_adapters = self._construct_adapters()
if filament:
filament.keventq = self.keventq
filament.logger = log_path
filament.setup_adapters(self._output_adapters)
self._filament = filament
self.fsio = FsIO(self.kevent, self._handles)
self.hive_parser = HiveParser(self.kevent, self.thread_registry)
self.tcpip_parser = TcpIpParser(self.kevent)
self.dll_repository = DllRepository(self.kevent)
self.context_switch_registry = ContextSwitchRegistry(
self.thread_registry, self.kevent)
self.output_kevents = {}
self.filters_count = 0