def test_next_cswitch_in_registry(self, thread_registry_empty_mock, kevent_mock): context_switch_registry = ContextSwitchRegistry( thread_registry_empty_mock, kevent_mock) kcs1 = ddict({ 'old_thread_wait_ideal_processor': 3, 'previous_c_state': 0, 'old_thread_state': 5, 'old_thread_priority': 8, 'reserved': 4294967294, 'spare_byte': 0, 'old_thread_wait_reason': 8, 'new_thread_wait_time': '0x0', 'old_thread_wait_mode': 1, 'new_thread_priority': 8, 'new_thread_id': '0x1fc8', 'old_thread_id': '0x2348' }) kcs2 = ddict({ 'old_thread_wait_ideal_processor': 3, 'previous_c_state': 0, 'old_thread_state': 3, 'old_thread_priority': 8, 'reserved': 4294967295, 'spare_byte': 0, 'old_thread_wait_reason': 8, 'new_thread_wait_time': '0x0', 'old_thread_wait_mode': 1, 'new_thread_priority': 5, 'new_thread_id': '0x1fc8', 'old_thread_id': '0x2348' }) context_switch_registry.next_cswitch( 1, datetime.strptime("12:05:45.233", '%H:%M:%S.%f'), kcs1) context_switch_registry.next_cswitch( 1, datetime.strptime("12:05:45.234", '%H:%M:%S.%f'), kcs2) k = (1, int(kcs1.new_thread_id, 16)) cs = context_switch_registry.context_switches()[k] assert cs assert cs.count == 2 assert cs.next_thread_prio == 5 assert cs.prev_thread_state is ThreadState.STANDBY assert cs.timestamp == datetime.strptime("12:05:45.234", '%H:%M:%S.%f') assert cs.prev_thread_wait_reason is WaitReason.FREE_PAGE
def test_next_cswitch(self, thread_registry_mock, kevent_mock): context_switch_registry = ContextSwitchRegistry( thread_registry_mock, kevent_mock) ts = datetime.strptime("12:05:45.233", '%H:%M:%S.%f') kcs1 = ddict({ 'old_thread_wait_ideal_processor': 2, 'previous_c_state': 1, 'old_thread_state': 2, 'old_thread_priority': 0, 'reserved': 777748717, 'spare_byte': 0, 'old_thread_wait_reason': 0, 'new_thread_wait_time': '0x0', 'old_thread_wait_mode': 0, 'new_thread_priority': 15, 'new_thread_id': '0x1054', 'old_thread_id': '0x0' }) new_thread_id = int(kcs1.new_thread_id, 16) context_switch_registry.next_cswitch(1, ts, kcs1) thread_registry_mock.get_thread.assert_has_calls( [call(new_thread_id), call(int(kcs1.old_thread_id, 16))]) assert ( 1, new_thread_id, ) in context_switch_registry.context_switches() cs = context_switch_registry.context_switches()[( 1, new_thread_id, )] assert cs assert cs.timestamp is ts assert cs.next_proc_name == "explorer.exe" assert cs.next_thread_wait_time == 0 assert cs.next_thread_prio == 15 assert cs.prev_thread_prio == 0 assert cs.prev_thread_state is ThreadState.RUNNING assert cs.count == 1 assert cs.prev_thread_wait_mode is WaitMode.KERNEL assert cs.prev_thread_wait_reason is WaitReason.EXECUTIVE
def __init__(self, filament, **kwargs): self._start = datetime.now() try: log_path = os.path.join(os.path.expanduser('~'), '.fibratus', 'fibratus.log') FileHandler(log_path, mode='w+').push_application() StreamHandler(sys.stdout, bubble=True).push_application() except PermissionError: panic( "ERROR - Unable to open log file for writing due to permission error" ) self.logger = Logger(Fibratus.__name__) self._config = YamlConfig() self.logger.info('Starting Fibratus...') enable_cswitch = kwargs.pop('cswitch', False) self.kcontroller = KTraceController() self.ktrace_props = KTraceProps() self.ktrace_props.enable_kflags(cswitch=enable_cswitch) self.ktrace_props.logger_name = etw.KERNEL_LOGGER_NAME enum_handles = kwargs.pop('enum_handles', True) self.handle_repository = HandleRepository() self._handles = [] # query for handles on the # start of the kernel trace if enum_handles: self.logger.info('Enumerating system handles...') self._handles = self.handle_repository.query_handles() self.logger.info('%s handles found' % len(self._handles)) self.handle_repository.free_buffers() image_meta_config = self._config.image_meta self.image_meta_registry = ImageMetaRegistry( image_meta_config.enabled, image_meta_config.imports, image_meta_config.file_info) self.thread_registry = ThreadRegistry(self.handle_repository, self._handles, self.image_meta_registry) self.kevt_streamc = KEventStreamCollector( etw.KERNEL_LOGGER_NAME.encode()) skips = self._config.skips image_skips = skips.images if 'images' in skips else [] if len(image_skips) > 0: self.logger.info("Adding skips for images %s" % image_skips) for skip in image_skips: self.kevt_streamc.add_skip(skip) self.kevent = KEvent(self.thread_registry) self._output_classes = dict(console=ConsoleOutput, amqp=AmqpOutput, smtp=SmtpOutput, elasticsearch=ElasticsearchOutput) self._outputs = self._construct_outputs() self.output_aggregator = OutputAggregator(self._outputs) self._binding_classes = dict(yara=YaraBinding) self._bindings = self._construct_bindings() if filament: filament.logger = self.logger filament.do_output_accessors(self._outputs) self._filament = filament self.fsio = FsIO(self.kevent, self._handles) self.hive_parser = HiveParser(self.kevent, self.thread_registry) self.tcpip_parser = TcpIpParser(self.kevent) self.dll_repository = DllRepository(self.kevent) self.context_switch_registry = ContextSwitchRegistry( self.thread_registry, self.kevent) self.output_kevents = {} self.filters_count = 0
def __init__(self, filament, **kwargs): try: log_path = os.path.join(os.path.expanduser('~'), '.fibratus', 'fibratus.log') FileHandler(log_path, mode='w+').push_application() except PermissionError: IO.write_console( "ERROR - Unable to open log file for writing due to permission error" ) sys.exit(0) self.logger = Logger(Fibratus.__name__) self._config = YamlConfig() self.logger.info('Starting fibratus...') enable_cswitch = kwargs.pop('cswitch', False) self.kevt_streamc = KEventStreamCollector( etw.KERNEL_LOGGER_NAME.encode()) self.kcontroller = KTraceController() self.ktrace_props = KTraceProps() self.ktrace_props.enable_kflags(cswitch=enable_cswitch) self.ktrace_props.logger_name = etw.KERNEL_LOGGER_NAME enum_handles = kwargs.pop('enum_handles', True) self.handle_repository = HandleRepository() self._handles = [] # query for handles on the # start of the kernel trace if enum_handles: self.logger.info('Enumerating system handles...') self._handles = self.handle_repository.query_handles() self.logger.info('%s handles found' % len(self._handles)) self.handle_repository.free_buffers() self.thread_registry = ThreadRegistry(self.handle_repository, self._handles) self.kevent = KEvent(self.thread_registry) self.keventq = Queue() self._adapter_classes = dict(smtp=SmtpAdapter, amqp=AmqpAdapter) self._output_adapters = self._construct_adapters() if filament: filament.keventq = self.keventq filament.logger = log_path filament.setup_adapters(self._output_adapters) self._filament = filament self.fsio = FsIO(self.kevent, self._handles) self.hive_parser = HiveParser(self.kevent, self.thread_registry) self.tcpip_parser = TcpIpParser(self.kevent) self.dll_repository = DllRepository(self.kevent) self.context_switch_registry = ContextSwitchRegistry( self.thread_registry, self.kevent) self.output_kevents = {} self.filters_count = 0