chore: Sunset Antimalware provider consumer (rabbitstack#177)

* Deprecate Antimalware provider as it was exclusively used as a datasource for driver load/unload events which can be detected by regular LoadImage/UnloadImage events * Remove Antimalware provider leftovers from config
A-new · Jun 28, 2023 · 761bd56 · 761bd56
1 parent 4d0c014
commit 761bd56
Show file tree

Hide file tree

Showing 14 changed files with 28 additions and 72 deletions.
diff --git a/configs/fibratus.yml b/configs/fibratus.yml
@@ -187,10 +187,6 @@ kstream:
   # Determines whether kernel Audit API calls events are collected
   #enable-audit-api: true
 
-  # Determines whether the Microsoft Antimalware Engine events are collected. For the
-  # events to be collected it is necessary to enable Windows Defender realtime protection.
-  #enable-antimalware-engine: true
-
   # Determines which events are dropped either by the event name or the process' image
   # name that triggered the event.
   blacklist:

diff --git a/pkg/config/config_windows.go b/pkg/config/config_windows.go
@@ -344,7 +344,6 @@ func (c *Config) addFlags() {
 		c.flags.Bool(enableHandleKevents, false, "Determines whether object manager kernel events (handle creation/destruction) are collected by Kernel Logger provider")
 		c.flags.Bool(enableMemKevents, true, "Determines whether memory manager kernel events are collected by Kernel Logger provider")
 		c.flags.Bool(enableAuditAPIEvents, true, "Determines whether kernel audit API calls events are published")
-		c.flags.Bool(enableAntimalwareEngineEvents, true, "Determines whether antimalware engine events are published")
 		c.flags.Int(bufferSize, int(maxBufferSize), "Represents the amount of memory allocated for each event tracing session buffer, in kilobytes. The buffer size affects the rate at which buffers fill and must be flushed (small buffer size requires less memory but it increases the rate at which buffers must be flushed)")
 		c.flags.Int(minBuffers, int(defaultMinBuffers), "Determines the minimum number of buffers allocated for the event tracing session's buffer pool")
 		c.flags.Int(maxBuffers, int(defaultMaxBuffers), "Determines the maximum number of buffers allocated for the event tracing session's buffer pool")

diff --git a/pkg/config/kstream.go b/pkg/config/kstream.go
@@ -32,19 +32,18 @@ import (
 )
 
 const (
-	enableThreadKevents           = "kstream.enable-thread"
-	enableRegistryKevents         = "kstream.enable-registry"
-	enableNetKevents              = "kstream.enable-net"
-	enableFileIOKevents           = "kstream.enable-fileio"
-	enableImageKevents            = "kstream.enable-image"
-	enableHandleKevents           = "kstream.enable-handle"
-	enableMemKevents              = "kstream.enable-mem"
-	enableAuditAPIEvents          = "kstream.enable-audit-api"
-	enableAntimalwareEngineEvents = "kstream.enable-antimalware-engine"
-	bufferSize                    = "kstream.buffer-size"
-	minBuffers                    = "kstream.min-buffers"
-	maxBuffers                    = "kstream.max-buffers"
-	flushInterval                 = "kstream.flush-interval"
+	enableThreadKevents   = "kstream.enable-thread"
+	enableRegistryKevents = "kstream.enable-registry"
+	enableNetKevents      = "kstream.enable-net"
+	enableFileIOKevents   = "kstream.enable-fileio"
+	enableImageKevents    = "kstream.enable-image"
+	enableHandleKevents   = "kstream.enable-handle"
+	enableMemKevents      = "kstream.enable-mem"
+	enableAuditAPIEvents  = "kstream.enable-audit-api"
+	bufferSize            = "kstream.buffer-size"
+	minBuffers            = "kstream.min-buffers"
+	maxBuffers            = "kstream.max-buffers"
+	flushInterval         = "kstream.flush-interval"
 
 	excludedEvents = "kstream.blacklist.events"
 	excludedImages = "kstream.blacklist.images"
@@ -76,8 +75,6 @@ type KstreamConfig struct {
 	EnableMemKevents bool `json:"enable-memory" yaml:"enable-memory"`
 	// EnableAuditAPIEvents indicates if kernel audit API calls events are enabled
 	EnableAuditAPIEvents bool `json:"enable-audit-api" yaml:"enable-audit-api"`
-	// EnableAntimalwareEngineEvents indicates if Antimalware Engine events are enabled
-	EnableAntimalwareEngineEvents bool `json:"enable-antimalware-engine" yaml:"enable-antimalware-engine"`
 	// BufferSize represents the amount of memory allocated for each event tracing session buffer, in kilobytes.
 	// The buffer size affects the rate at which buffers fill and must be flushed (small buffer size requires
 	// less memory, but it increases the rate at which buffers must be flushed).
@@ -106,7 +103,6 @@ func (c *KstreamConfig) initFromViper(v *viper.Viper) {
 	c.EnableHandleKevents = v.GetBool(enableHandleKevents)
 	c.EnableMemKevents = v.GetBool(enableMemKevents)
 	c.EnableAuditAPIEvents = v.GetBool(enableAuditAPIEvents)
-	c.EnableAntimalwareEngineEvents = v.GetBool(enableAntimalwareEngineEvents)
 	c.BufferSize = uint32(v.GetInt(bufferSize))
 	c.MinBuffers = uint32(v.GetInt(minBuffers))
 	c.MaxBuffers = uint32(v.GetInt(maxBuffers))

diff --git a/pkg/config/schema_windows.go b/pkg/config/schema_windows.go
@@ -163,7 +163,6 @@ var schema = `
 				"enable-net": 		{"type": "boolean"},
 				"enable-mem": 		{"type": "boolean"},
 				"enable-audit-api": {"type": "boolean"},
-				"enable-antimalware-engine": {"type": "boolean"},
 				"min-buffers": 		{"type": "integer", "minimum": 1, "maximum": {{ .MinBuffers }}},
 				"max-buffers": 		{"type": "integer", "minimum": 2, "maximum": {{ .MaxBuffers }}},
 				"buffer-size":		{"type": "integer", "maximum": {{ .MaxBufferSize }}},

diff --git a/pkg/kevent/kevent_windows.go b/pkg/kevent/kevent_windows.go
@@ -519,9 +519,6 @@ func (e *Kevent) Summary() string {
 		handleName := e.GetParamAsString(kparams.HandleObjectName)
 		return printSummary(e, fmt.Sprintf("closed <code>%s</code> handle of <code>%s</code> type",
 			handleName, handleType))
-	case ktypes.LoadDriver:
-		driver := e.GetParamAsString(kparams.ImageFilename)
-		return printSummary(e, fmt.Sprintf("loaded <code>%s</code> driver", driver))
 	case ktypes.VirtualAlloc:
 		addr := e.GetParamAsString(kparams.MemBaseAddress)
 		return printSummary(e, fmt.Sprintf("allocated memory at <code>%s</code> address", addr))

diff --git a/pkg/kevent/kparam_windows.go b/pkg/kevent/kparam_windows.go
@@ -663,9 +663,6 @@ func (e *Kevent) produceParams(evt *etw.EventRecord) {
 		e.AppendParam(kparams.NetSIP, kparams.IPv6, sip)
 		e.AppendParam(kparams.NetDport, kparams.Port, dport)
 		e.AppendParam(kparams.NetSport, kparams.Port, sport)
-	case ktypes.LoadDriver:
-		filename := evt.ConsumeUTF16String(4)
-		e.AppendParam(kparams.ImageFilename, kparams.FileDosPath, filename)
 	case ktypes.VirtualAlloc, ktypes.VirtualFree:
 		var (
 			baseAddress uint64

diff --git a/pkg/kevent/ktypes/ktypes_windows.go b/pkg/kevent/ktypes/ktypes_windows.go
@@ -155,17 +155,14 @@ var (
 	// VirtualFree represents virtual memory release event
 	VirtualFree = pack(windows.GUID{Data1: 0x3d6fa8d3, Data2: 0xfe05, Data3: 0x11d0, Data4: [8]byte{0x9d, 0xda, 0x00, 0xc0, 0x4f, 0xd7, 0xba, 0x7c}}, 99)
 
-	// LoadDriver represents kernel driver loading event.
-	LoadDriver = pack(windows.GUID{Data1: 0xa002690, Data2: 0x3839, Data3: 0x4e3a, Data4: [8]byte{0xb3, 0xb6, 0x96, 0xd8, 0xdf, 0x86, 0x8d, 0x99}}, 10)
-
 	// UnknownKtype designates unknown kernel event type
 	UnknownKtype = pack(windows.GUID{}, 0)
 )
 
 // NewFromEventRecord creates a new event type from ETW event record.
 func NewFromEventRecord(ev *etw.EventRecord) Ktype {
 	switch ev.Header.ProviderID {
-	case etw.KernelAuditAPICallsGUID, etw.AntimalwareEngineGUID:
+	case etw.KernelAuditAPICallsGUID:
 		return pack(ev.Header.ProviderID, uint8(ev.Header.EventDescriptor.ID))
 	default:
 		return pack(ev.Header.ProviderID, ev.Header.EventDescriptor.Opcode)
@@ -270,8 +267,6 @@ func (k Ktype) String() string {
 		return "VirtualAlloc"
 	case VirtualFree:
 		return "VirtualFree"
-	case LoadDriver:
-		return "LoadDriver"
 	default:
 		return ""
 	}
@@ -304,8 +299,6 @@ func (k Ktype) Category() Category {
 		return Handle
 	case VirtualAlloc, VirtualFree:
 		return Mem
-	case LoadDriver:
-		return Driver
 	default:
 		return Unknown
 	}
@@ -386,8 +379,6 @@ func (k Ktype) Description() string {
 		return "Closes the handle"
 	case DuplicateHandle:
 		return "Duplicates the handle"
-	case LoadDriver:
-		return "Loads the kernel driver"
 	case VirtualAlloc:
 		return "Reserves, commits, or changes the state of a region of memory within the process virtual address space"
 	case VirtualFree:

diff --git a/pkg/kevent/ktypes/metainfo_windows.go b/pkg/kevent/ktypes/metainfo_windows.go
@@ -79,7 +79,6 @@ var kevents = map[Ktype]KeventInfo{
 	CreateHandle:       {"CreateHandle", Handle, "Creates a new handle"},
 	CloseHandle:        {"CloseHandle", Handle, "Closes the handle"},
 	DuplicateHandle:    {"DuplicateHandle", Handle, "Duplicates the handle"},
-	LoadDriver:         {"LoadDriver", Driver, "Loads the kernel driver"},
 	VirtualAlloc:       {"VirtualAlloc", Mem, "Reserves, commits, or changes the state of a region of memory within the process virtual address space"},
 	VirtualFree:        {"VirtualFree", Mem, "Releases or decommits a region of memory within the process virtual address space"},
 	MapViewFile:        {"MapViewFile", File, "Maps a view of a file mapping into the address space of a calling process"},
@@ -131,7 +130,6 @@ var ktypes = map[string]Ktype{
 	"CreateHandle":       CreateHandle,
 	"CloseHandle":        CloseHandle,
 	"DuplicateHandle":    DuplicateHandle,
-	"LoadDriver":         LoadDriver,
 	"VirtualAlloc":       VirtualAlloc,
 	"VirtualFree":        VirtualFree,
 	"MapViewFile":        MapViewFile,

diff --git a/pkg/kstream/controller_windows.go b/pkg/kstream/controller_windows.go
@@ -100,12 +100,6 @@ func NewController(cfg config.KstreamConfig) *Controller {
 			0x0, // no keywords, so we accept all events
 			cfg.EnableAuditAPIEvents,
 		},
-		{
-			etw.AntimalwareEngineSession,
-			etw.AntimalwareEngineGUID,
-			0x0,
-			cfg.EnableAntimalwareEngineEvents,
-		},
 	}
 	controller := &Controller{
 		kstreamConfig: cfg,

diff --git a/pkg/kstream/kstreamc_windows.go b/pkg/kstream/kstreamc_windows.go
@@ -112,9 +112,6 @@ func (k *consumer) Open() error {
 	if k.config.Kstream.EnableAuditAPIEvents {
 		traces = append(traces, etw.KernelAuditAPICallsSession)
 	}
-	if k.config.Kstream.EnableAntimalwareEngineEvents {
-		traces = append(traces, etw.AntimalwareEngineSession)
-	}
 
 	for _, name := range traces {
 		trace, err := k.openTrace(name)

diff --git a/pkg/outputs/eventlog/eventlog.go b/pkg/outputs/eventlog/eventlog.go
@@ -235,8 +235,6 @@ func ktypeToEventID(kevt *kevent.Kevent) uint32 {
 		return 46
 	case ktypes.RegCloseKey:
 		return 47
-	case ktypes.LoadDriver:
-		return 48
 	case ktypes.VirtualAlloc:
 		return 49
 	case ktypes.VirtualFree:

diff --git a/pkg/outputs/eventlog/mc/fibratus.mc b/pkg/outputs/eventlog/mc/fibratus.mc
@@ -211,11 +211,6 @@ SymbolicName=CloseKey
 Language=English
 CloseKey closes the registry key.
 .
-MessageId=48
-SymbolicName=LoadDriver
-Language=English
-LoadDriver loads the kernel driver.
-.
 MessageId=49
 SymbolicName=VirtualAlloc
 Language=English

diff --git a/pkg/sys/etw/types.go b/pkg/sys/etw/types.go
@@ -37,9 +37,6 @@ var KernelTraceControlGUID = windows.GUID{Data1: 0x9e814aad, Data2: 0x3204, Data
 // KernelAuditAPICallsGUID represents the GUID for the kernel audit API provider
 var KernelAuditAPICallsGUID = windows.GUID{Data1: 0xe02a841c, Data2: 0x75a3, Data3: 0x4fa7, Data4: [8]byte{0xaf, 0xc8, 0xae, 0x09, 0xcf, 0x9b, 0x7f, 0x23}}
 
-// AntimalwareEngineGUID represents the GUID for the Microsoft Antimalware Engine provider
-var AntimalwareEngineGUID = windows.GUID{Data1: 0x0a002690, Data2: 0x3839, Data3: 0x4e3a, Data4: [8]byte{0xb3, 0xb6, 0x96, 0xd8, 0xdf, 0x86, 0x8d, 0x99}}
-
 const (
 	// TraceSystemTraceEnableFlagsInfo controls system logger event flags
 	TraceSystemTraceEnableFlagsInfo = uint8(4)
@@ -50,8 +47,6 @@ const (
 	KernelLoggerSession = "NT Kernel Logger"
 	// KernelAuditAPICallsSession represents the session name for the kernel audit API logger
 	KernelAuditAPICallsSession = "Kernel Audit API Calls Logger"
-	// AntimalwareEngineSession is the session name for the Antimalware Engine logger
-	AntimalwareEngineSession = "Antimalware Engine Logger"
 	// WnodeTraceFlagGUID indicates that the structure contains event tracing information
 	WnodeTraceFlagGUID = 0x00020000
 	// ProcessTraceModeRealtime denotes that there will be a real-time consumers for events forwarded from the providers

diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
@@ -31,6 +31,9 @@
 - macro: load_module
   expr: kevt.name = 'LoadImage'
 
+- macro: unload_module
+  expr: kevt.name = 'UnloadImage'
+
 - macro: set_value
   expr: kevt.name = 'RegSetValue'
 
@@ -64,21 +67,22 @@
 - macro: duplicate_handle
   expr: kevt.name = 'DuplicateHandle'
 
+- macro: create_handle
+  expr: kevt.name = 'CreateHandle'
+
 - macro: load_driver
   expr: >
-    kevt.name = 'LoadDriver'
+    (load_module and image.name iendswith '.sys')
       or
-    (
-      kevt.name = 'CreateHandle'
-        and
-      handle.type = 'Driver'
-    )
+    (create_handle and handle.type = 'Driver')
   description: |
-    Detects the loading of the kernel driver. Antimalware Engine ETW provider
-    publishes events related to driver loading, but only if Windows Defender
-    Antivirus realtime protection is enabled. On the contrary, we can also detect
-    loading of kernel driver by observing the object manager events and watching
-    for driver objects being created.
+    Detects the loading of the kernel driver. Image load events are published when
+    executable images, DLLs, or driver PE objects are loaded. On the contrary, we can
+    also detect loading of kernel driver by observing the object manager events and
+    watching for driver objects being created.
+
+- macro: unload_driver
+  expr: unload_image and image.name iendswith '.sys'
 
 - macro: load_unsigned_module
   expr: >