Improved ptrack.go coverage

mengualp · Sep 19, 2022 · cbacc2e · cbacc2e
1 parent 3d705bc
commit cbacc2e
Show file tree

Hide file tree

Showing 5 changed files with 110 additions and 69 deletions.
diff --git a/.github/coverage/badge.svg b/.github/coverage/badge.svg
diff --git a/.github/coverage/coverage.txt b/.github/coverage/coverage.txt
@@ -1,21 +1,21 @@
-ok  	github.com/0xrawsec/whids/agent	64.674s	coverage: 67.0% of statements
-ok  	github.com/0xrawsec/whids/agent/config	10.122s	coverage: 77.5% of statements
-ok  	github.com/0xrawsec/whids/agent/sysinfo	0.649s	coverage: 87.5% of statements
-ok  	github.com/0xrawsec/whids/api/server	196.241s	coverage: 65.2% of statements
-ok  	github.com/0xrawsec/whids/event	67.517s	coverage: 74.2% of statements
-ok  	github.com/0xrawsec/whids/ioc	42.486s	coverage: 73.3% of statements
-ok  	github.com/0xrawsec/whids/logger	54.104s	coverage: 76.7% of statements
-ok  	github.com/0xrawsec/whids/sysmon	14.559s	coverage: 83.1% of statements
-ok  	github.com/0xrawsec/whids/utils	19.296s	coverage: 80.1% of statements
-ok  	github.com/0xrawsec/whids/utils/command	0.713s	coverage: 100.0% of statements
+ok  	github.com/0xrawsec/whids/agent	61.056s	coverage: 67.0% of statements
+ok  	github.com/0xrawsec/whids/agent/config	12.817s	coverage: 77.5% of statements
+ok  	github.com/0xrawsec/whids/agent/sysinfo	1.378s	coverage: 83.3% of statements
+ok  	github.com/0xrawsec/whids/api/server	199.651s	coverage: 65.2% of statements
+ok  	github.com/0xrawsec/whids/event	69.497s	coverage: 74.2% of statements
+ok  	github.com/0xrawsec/whids/ioc	45.351s	coverage: 73.3% of statements
+ok  	github.com/0xrawsec/whids/logger	44.606s	coverage: 76.7% of statements
+ok  	github.com/0xrawsec/whids/sysmon	21.194s	coverage: 83.1% of statements
+ok  	github.com/0xrawsec/whids/utils	23.911s	coverage: 80.1% of statements
+ok  	github.com/0xrawsec/whids/utils/command	0.608s	coverage: 100.0% of statements
 github.com/0xrawsec/whids/agent/actions.go:72:				NewActionHandler		100.0%
 github.com/0xrawsec/whids/agent/actions.go:81:				dumpname			100.0%
 github.com/0xrawsec/whids/agent/actions.go:86:				prepare				100.0%
 github.com/0xrawsec/whids/agent/actions.go:94:				shouldDump			100.0%
 github.com/0xrawsec/whids/agent/actions.go:99:				writeReader			100.0%
 github.com/0xrawsec/whids/agent/actions.go:104:				dumpAsJson			66.7%
 github.com/0xrawsec/whids/agent/actions.go:117:				dumpBinFile			100.0%
-github.com/0xrawsec/whids/agent/actions.go:121:				dumpFile			72.2%
+github.com/0xrawsec/whids/agent/actions.go:121:				dumpFile			77.8%
 github.com/0xrawsec/whids/agent/actions.go:156:				listFilesFromCommandLine	81.8%
 github.com/0xrawsec/whids/agent/actions.go:179:				filedumpSet			44.4%
 github.com/0xrawsec/whids/agent/actions.go:232:				filedump			80.0%
@@ -47,12 +47,12 @@ github.com/0xrawsec/whids/agent/agent.go:475:				fetchIoCsFromManager		69.2%
 github.com/0xrawsec/whids/agent/agent.go:528:				loadContainers			66.7%
 github.com/0xrawsec/whids/agent/agent.go:560:				updateSystemInfo		88.9%
 github.com/0xrawsec/whids/agent/agent.go:588:				updateSysmonBin			30.0%
-github.com/0xrawsec/whids/agent/agent.go:634:				updateSysmonConfig		66.7%
-github.com/0xrawsec/whids/agent/agent.go:694:				updateAgentConfig		36.0%
+github.com/0xrawsec/whids/agent/agent.go:634:				updateSysmonConfig		63.0%
+github.com/0xrawsec/whids/agent/agent.go:694:				updateAgentConfig		28.0%
 github.com/0xrawsec/whids/agent/agent.go:744:				cleanup				33.3%
 github.com/0xrawsec/whids/agent/agent.go:760:				IsHIDSEvent			68.8%
 github.com/0xrawsec/whids/agent/agent.go:794:				Report				100.0%
-github.com/0xrawsec/whids/agent/agent.go:820:				eventScanRoutine		62.5%
+github.com/0xrawsec/whids/agent/agent.go:820:				eventScanRoutine		57.5%
 github.com/0xrawsec/whids/agent/agent.go:913:				Run				75.0%
 github.com/0xrawsec/whids/agent/agent.go:951:				LogStats			100.0%
 github.com/0xrawsec/whids/agent/agent.go:960:				Stop				68.8%
@@ -99,14 +99,14 @@ github.com/0xrawsec/whids/agent/cron.go:48:				handleManagerCommand		0.0%
 github.com/0xrawsec/whids/agent/cron.go:307:				taskCommandRunner		55.0%
 github.com/0xrawsec/whids/agent/cron.go:342:				scheduleCleanArchivedTask	42.1%
 github.com/0xrawsec/whids/agent/cron.go:382:				taskUploadDumps			66.7%
-github.com/0xrawsec/whids/agent/cron.go:436:				updateTools			51.6%
+github.com/0xrawsec/whids/agent/cron.go:436:				updateTools			48.4%
 github.com/0xrawsec/whids/agent/cron.go:506:				scheduleTasks			84.0%
 github.com/0xrawsec/whids/agent/defaults.go:12:				BuildDefaultConfig		100.0%
 github.com/0xrawsec/whids/agent/filters.go:73:				NewFilter			100.0%
 github.com/0xrawsec/whids/agent/filters.go:81:				Match				100.0%
 github.com/0xrawsec/whids/agent/hookdefs.go:37:				hookSetImageSize		94.1%
 github.com/0xrawsec/whids/agent/hookdefs.go:69:				hookImageLoad			95.0%
-github.com/0xrawsec/whids/agent/hookdefs.go:106:			trackSysmonProcessCreate	76.1%
+github.com/0xrawsec/whids/agent/hookdefs.go:106:			trackSysmonProcessCreate	74.6%
 github.com/0xrawsec/whids/agent/hookdefs.go:227:			hookTrack			50.0%
 github.com/0xrawsec/whids/agent/hookdefs.go:240:			hookStats			98.2%
 github.com/0xrawsec/whids/agent/hookdefs.go:351:			hookUpdateGeneScore		85.7%
@@ -115,7 +115,7 @@ github.com/0xrawsec/whids/agent/hookdefs.go:396:			hookProcTerm			87.5%
 github.com/0xrawsec/whids/agent/hookdefs.go:412:			hookSelfGUID			43.8%
 github.com/0xrawsec/whids/agent/hookdefs.go:446:			hookFileSystemAudit		55.6%
 github.com/0xrawsec/whids/agent/hookdefs.go:476:			hookProcessIntegrityProcTamp	0.0%
-github.com/0xrawsec/whids/agent/hookdefs.go:552:			hookEnrichServices		80.6%
+github.com/0xrawsec/whids/agent/hookdefs.go:552:			hookEnrichServices		77.8%
 github.com/0xrawsec/whids/agent/hookdefs.go:630:			hookEnrichAnySysmon		100.0%
 github.com/0xrawsec/whids/agent/hookdefs.go:752:			hookClipboardEvents		0.0%
 github.com/0xrawsec/whids/agent/hookdefs.go:779:			hookKernelFiles			0.0%
@@ -149,47 +149,47 @@ github.com/0xrawsec/whids/agent/ptrack.go:258:				Id				100.0%
 github.com/0xrawsec/whids/agent/ptrack.go:262:				UpdateStatistics		100.0%
 github.com/0xrawsec/whids/agent/ptrack.go:279:				DriverInfoFromEvent		0.0%
 github.com/0xrawsec/whids/agent/ptrack.go:301:				KernelFileFromEvent		0.0%
-github.com/0xrawsec/whids/agent/ptrack.go:313:				sourceGUIDFromEvent		88.9%
+github.com/0xrawsec/whids/agent/ptrack.go:313:				sourceGUIDFromEvent		77.8%
 github.com/0xrawsec/whids/agent/ptrack.go:334:				targetGUIDFromEvent		70.0%
 github.com/0xrawsec/whids/agent/ptrack.go:376:				NewActivityTracker		100.0%
 github.com/0xrawsec/whids/agent/ptrack.go:393:				delete				100.0%
-github.com/0xrawsec/whids/agent/ptrack.go:406:				freeRtn				80.0%
+github.com/0xrawsec/whids/agent/ptrack.go:406:				freeRtn				100.0%
 github.com/0xrawsec/whids/agent/ptrack.go:444:				CheckDumpCountOrInc		100.0%
 github.com/0xrawsec/whids/agent/ptrack.go:458:				Add				100.0%
 github.com/0xrawsec/whids/agent/ptrack.go:469:				PS				100.0%
 github.com/0xrawsec/whids/agent/ptrack.go:480:				Blacklist			0.0%
 github.com/0xrawsec/whids/agent/ptrack.go:484:				IsBlacklisted			100.0%
-github.com/0xrawsec/whids/agent/ptrack.go:488:				SourceTrackFromEvent		100.0%
-github.com/0xrawsec/whids/agent/ptrack.go:500:				TargetTrackFromEvent		80.0%
-github.com/0xrawsec/whids/agent/ptrack.go:512:				GetParentByGuid			0.0%
+github.com/0xrawsec/whids/agent/ptrack.go:488:				SourceTrackFromEvent		83.3%
+github.com/0xrawsec/whids/agent/ptrack.go:500:				TargetTrackFromEvent		83.3%
+github.com/0xrawsec/whids/agent/ptrack.go:512:				GetParentByGuid			80.0%
 github.com/0xrawsec/whids/agent/ptrack.go:521:				getByGuid			100.0%
 github.com/0xrawsec/whids/agent/ptrack.go:530:				GetByGuid			100.0%
 github.com/0xrawsec/whids/agent/ptrack.go:539:				GetByPID			71.4%
-github.com/0xrawsec/whids/agent/ptrack.go:554:				ContainsGuid			0.0%
-github.com/0xrawsec/whids/agent/ptrack.go:561:				ContainsPID			0.0%
-github.com/0xrawsec/whids/agent/ptrack.go:568:				Modules				100.0%
-github.com/0xrawsec/whids/agent/ptrack.go:576:				AddKernelFile			0.0%
-github.com/0xrawsec/whids/agent/ptrack.go:582:				GetKernelFile			0.0%
-github.com/0xrawsec/whids/agent/ptrack.go:589:				DelKernelFile			0.0%
-github.com/0xrawsec/whids/agent/ptrack.go:597:				GetModuleOrUpdate		100.0%
-github.com/0xrawsec/whids/agent/ptrack.go:608:				IsTerminated			0.0%
-github.com/0xrawsec/whids/agent/ptrack.go:615:				Terminate			100.0%
+github.com/0xrawsec/whids/agent/ptrack.go:556:				ContainsGuid			100.0%
+github.com/0xrawsec/whids/agent/ptrack.go:563:				ContainsPID			0.0%
+github.com/0xrawsec/whids/agent/ptrack.go:570:				Modules				100.0%
+github.com/0xrawsec/whids/agent/ptrack.go:578:				AddKernelFile			0.0%
+github.com/0xrawsec/whids/agent/ptrack.go:584:				GetKernelFile			0.0%
+github.com/0xrawsec/whids/agent/ptrack.go:591:				DelKernelFile			0.0%
+github.com/0xrawsec/whids/agent/ptrack.go:599:				GetModuleOrUpdate		100.0%
+github.com/0xrawsec/whids/agent/ptrack.go:610:				IsTerminated			80.0%
+github.com/0xrawsec/whids/agent/ptrack.go:619:				Terminate			90.9%
 github.com/0xrawsec/whids/agent/stats.go:29:				NewEventStats			100.0%
 github.com/0xrawsec/whids/agent/stats.go:39:				SinceStart			100.0%
 github.com/0xrawsec/whids/agent/stats.go:43:				Start				100.0%
-github.com/0xrawsec/whids/agent/stats.go:48:				Threshold			100.0%
-github.com/0xrawsec/whids/agent/stats.go:52:				Duration			100.0%
+github.com/0xrawsec/whids/agent/stats.go:48:				Threshold			0.0%
+github.com/0xrawsec/whids/agent/stats.go:52:				Duration			0.0%
 github.com/0xrawsec/whids/agent/stats.go:56:				Update				100.0%
 github.com/0xrawsec/whids/agent/stats.go:64:				Events				100.0%
 github.com/0xrawsec/whids/agent/stats.go:68:				Detections			100.0%
 github.com/0xrawsec/whids/agent/stats.go:72:				EPS				75.0%
-github.com/0xrawsec/whids/agent/stats.go:80:				CriticalEPS			100.0%
+github.com/0xrawsec/whids/agent/stats.go:80:				CriticalEPS			0.0%
 github.com/0xrawsec/whids/agent/stats.go:84:				DynEPS				75.0%
-github.com/0xrawsec/whids/agent/stats.go:92:				HasPerfIssue			69.2%
-github.com/0xrawsec/whids/agent/stats.go:112:				HasCriticalPerfIssue		100.0%
+github.com/0xrawsec/whids/agent/stats.go:92:				HasPerfIssue			61.5%
+github.com/0xrawsec/whids/agent/stats.go:112:				HasCriticalPerfIssue		0.0%
 github.com/0xrawsec/whids/agent/sysinfo/sysinfo.go:19:			RegisterEdrInfo			100.0%
 github.com/0xrawsec/whids/agent/sysinfo/sysinfo.go:68:			Err				0.0%
-github.com/0xrawsec/whids/agent/sysinfo/windows_sysinfo.go:31:		NewSystemInfo			100.0%
+github.com/0xrawsec/whids/agent/sysinfo/windows_sysinfo.go:31:		NewSystemInfo			95.0%
 github.com/0xrawsec/whids/api/server/command.go:18:			ToCommand			77.8%
 github.com/0xrawsec/whids/api/server/log_streamer.go:18:		Queue				75.0%
 github.com/0xrawsec/whids/api/server/log_streamer.go:26:		Stream				100.0%
@@ -400,7 +400,7 @@ github.com/0xrawsec/whids/sysmon/config.go:191:				XML				100.0%
 github.com/0xrawsec/whids/sysmon/config.go:195:				Sha256				80.0%
 github.com/0xrawsec/whids/sysmon/config.go:210:				MarshalXML			100.0%
 github.com/0xrawsec/whids/sysmon/config.go:214:				UnmarshalXML			80.0%
-github.com/0xrawsec/whids/sysmon/default.go:64:				AgnosticConfig			0.0%
+github.com/0xrawsec/whids/sysmon/default.go:60:				AgnosticConfig			0.0%
 github.com/0xrawsec/whids/sysmon/sysmon_windows.go:39:			stdCmdOutput			75.0%
 github.com/0xrawsec/whids/sysmon/sysmon_windows.go:49:			Versions			88.2%
 github.com/0xrawsec/whids/sysmon/sysmon_windows.go:86:			InstallOrUpdate			66.7%
@@ -476,4 +476,4 @@ github.com/0xrawsec/whids/utils/windows.go:61:				ResolveCDrive			75.0%
 github.com/0xrawsec/whids/utils/windows.go:84:				RegValue			71.4%
 github.com/0xrawsec/whids/utils/windows.go:99:				RegJoin				100.0%
 github.com/0xrawsec/whids/utils/windows.go:106:				RegValueToString		66.7%
-total:									(statements)			70.0%
+total:									(statements)			69.9%
diff --git a/agent/agent_test.go b/agent/agent_test.go
@@ -61,11 +61,7 @@ var (
         <SourceImage condition="is">C:\Windows\system32\wbem\wmiprvse.exe</SourceImage>
         <SourceImage condition="is">C:\Windows\System32\VBoxService.exe</SourceImage>
         <SourceImage condition="is">C:\Windows\system32\taskmgr.exe</SourceImage>
-        <GrantedAccess condition="is">0x1000</GrantedAccess>
-        <GrantedAccess condition="is">0x2000</GrantedAccess>
-        <GrantedAccess condition="is">0x3000</GrantedAccess>
         <GrantedAccess condition="is">0x100000</GrantedAccess>
-        <GrantedAccess condition="is">0x101000</GrantedAccess>
       </ProcessAccess>
     </RuleGroup>
     <RuleGroup groupRelation="or">
@@ -115,7 +111,8 @@ var (
 	osqueryBin         []byte
 	osqueryTestBinPath = filepath.Join("data", fmt.Sprintf("%s.%s%s", los.OS, tools.ToolOSQueryi, los.ExecExt))
 
-	wmicPidRe = regexp.MustCompile(`ProcessId\s=\s\d+`)
+	wmicPidRe     = regexp.MustCompile(`ProcessId\s=\s\d+`)
+	powershellCmd = "wget https://www.google.com"
 )
 
 func wmicCreateProcess(cmdLine string) int {
@@ -330,15 +327,15 @@ func installSysmon() {
 	sysmonInstalled = true
 }
 
-func testHook(h *Agent, e *event.EdrEvent) {
-	fmt.Println(utils.PrettyJsonOrPanic(e))
-}
-
 func TestAgent(t *testing.T) {
 	// draining old events from autologger
 	drainOldAutologgerEvents(t)
 
 	tt := toast.FromT(t)
+	// we use tt in separate threads and FailNow breaks
+	// some tests in this case (seems to break thread)
+	tt.FailNow = false
+
 	defer cleanup()
 
 	manager, clConf := prepareManager()
@@ -373,6 +370,7 @@ func TestAgent(t *testing.T) {
 	// creating new agent
 	a, err := NewAgent(c)
 	tt.CheckErr(err)
+	defer a.Stop()
 
 	// loading testing rule
 	r := testingRule()
@@ -386,18 +384,58 @@ func TestAgent(t *testing.T) {
 		}
 	}
 
+	// testing process tracker
+	// this hook is inserted after all others so the process tracker structure
+	// should be in a good state to test it
+	a.preHooks.Hook(func(a *Agent, e *event.EdrEvent) {
+		if e.Channel() == sysmonChannel {
+			//t.Log(utils.JsonStringOrPanic(e))
+			srcGuid := sourceGUIDFromEvent(e)
+			//t.Logf("contains guid:%s : %t", srcGuid, a.tracker.ContainsGuid(srcGuid))
+			if !a.tracker.ContainsGuid(srcGuid) {
+				return
+			}
+
+			tr := a.tracker.GetByGuid(srcGuid)
+			if a.tracker.ContainsGuid(tr.ParentProcessGUID) {
+				tt.Assert(!a.tracker.GetParentByGuid(srcGuid).IsZero())
+			}
+
+			if strings.Contains(tr.CommandLine, powershellCmd) {
+				// don't apply to all events
+				if rand.Int()%2 == 0 {
+					// terminate bogus commands
+					tt.CheckErr(tr.TerminateProcess())
+				}
+			}
+
+			switch e.EventID() {
+			case SysmonProcessCreate:
+				tt.Assert(!a.tracker.IsTerminated(srcGuid))
+			case SysmonProcessTerminate:
+				// at this point process should be always flagged as terminated
+				tt.Assert(a.tracker.IsTerminated(srcGuid))
+			default:
+				// some events come after process termination so it is not a relevant test
+				//tt.Assert(!a.tracker.IsTerminated(srcGuid))
+			}
+		}
+	}, fltAnyEvent)
+
 	// add a final hook to catch all events after enrichment
-	a.preHooks.Hook(func(h *Agent, e *event.EdrEvent) {
+	a.preHooks.Hook(func(a *Agent, e *event.EdrEvent) {
 		if e.Channel() == sysmonChannel {
 			gotSysmonEvent = true
 			switch e.EventID() {
 			case SysmonDNSQuery, SysmonNetworkConnect:
-				t.Log(utils.PrettyJsonOrPanic(e.Event))
+				//t.Log(utils.PrettyJsonOrPanic(e.Event))
 			}
 		}
+
 		if isSysmonProcessTerminate(e) {
 			gotProcessTermination = true
 		}
+		// testing process track structure
 	}, fltAnyEvent)
 
 	a.postHooks.Hook(func(h *Agent, e *event.EdrEvent) {
@@ -411,11 +449,10 @@ func TestAgent(t *testing.T) {
 		func() { tt.CheckErr(a.config.EtwConfig.ConfigureAutologger()) },
 	)
 
-	tt.CheckErr(err)
 	// we start running the agent
 	tt.CheckErr(a.Run())
 	// generate fake network trafic not originating from edr
-	pid := wmicCreateProcess("powershell -Command while(1){powershell -Command wget https://www.google.com;sleep 1}")
+	pid := wmicCreateProcess(format("powershell -Command while(1){powershell -Command %s;sleep 1}", powershellCmd))
 	// terminate wmic process
 	defer terminate(pid)
 

diff --git a/agent/ptrack.go b/agent/ptrack.go
@@ -486,34 +486,34 @@ func (pt *ActivityTracker) IsBlacklisted(cmdLine string) bool {
 }
 
 func (pt *ActivityTracker) SourceTrackFromEvent(e *event.EdrEvent) (t *ProcessTrack) {
+	pt.RLock()
+	defer pt.RUnlock()
 	var guid string
 
-	t = emptyProcessTrack()
-
 	if guid = sourceGUIDFromEvent(e); guid == nullGUID {
-		return
+		return emptyProcessTrack()
 	}
 
-	return pt.GetByGuid(guid)
+	return pt.getByGuid(guid)
 }
 
 func (pt *ActivityTracker) TargetTrackFromEvent(e *event.EdrEvent) (t *ProcessTrack) {
+	pt.RLock()
+	defer pt.RUnlock()
 	var guid string
 
-	t = emptyProcessTrack()
-
 	if guid = targetGUIDFromEvent(e); guid == nullGUID {
-		return
+		return emptyProcessTrack()
 	}
 
-	return pt.GetByGuid(guid)
+	return pt.getByGuid(guid)
 }
 
 func (pt *ActivityTracker) GetParentByGuid(guid string) *ProcessTrack {
 	pt.RLock()
 	defer pt.RUnlock()
 	if c, ok := pt.guids[guid]; ok {
-		return pt.GetByGuid(c.ParentProcessGUID)
+		return pt.getByGuid(c.ParentProcessGUID)
 	}
 	return emptyProcessTrack()
 }
@@ -539,10 +539,12 @@ func (pt *ActivityTracker) GetByGuid(guid string) *ProcessTrack {
 func (pt *ActivityTracker) GetByPID(pid int64) *ProcessTrack {
 	pt.RLock()
 	defer pt.RUnlock()
+
 	// if we find processes in running processes
 	if t := pt.rpids[pid]; t != nil {
 		return t
 	}
+
 	// if we find process in terminated processes
 	if t := pt.tpids[pid]; t != nil {
 		return t
@@ -606,17 +608,23 @@ func (pt *ActivityTracker) GetModuleOrUpdate(i *ModuleInfo) *ModuleInfo {
 }
 
 func (pt *ActivityTracker) IsTerminated(guid string) bool {
-	if t := pt.GetByGuid(guid); !t.IsZero() {
+	pt.Lock()
+	defer pt.Unlock()
+	if t := pt.getByGuid(guid); !t.IsZero() {
 		return t.Terminated
 	}
 	return true
 }
 
-func (pt *ActivityTracker) Terminate(guid string) error {
+func (pt *ActivityTracker) Terminate(guid string) {
 	pt.Lock()
 	defer pt.Unlock()
 
 	if t := pt.getByGuid(guid); !t.IsZero() {
+		// don't terminate process twice
+		if t.Terminated {
+			return
+		}
 		t.Terminated = true
 		t.TimeTerminated = time.Now()
 		// PID entry must be cleared as soon as possible
@@ -626,5 +634,5 @@ func (pt *ActivityTracker) Terminate(guid string) error {
 		pt.tpids[t.PID] = t
 		pt.free.Push(t)
 	}
-	return nil
+	return
 }