I’m pleased to announce the release of Fibratus 0.4.0. The notable features of this release are per-pid process spying, an Elasticsearch output adapter and configuration-based process exclusions.

What’s new

Per-pid process spying

Let me introduce the --pid command line option, which attaches Fibratus to the given process and spies on its activity. For example, here is the output when attached to the Chrome process:

$ fibratus run --pid 6040

...
1141 11:51:43.751000 2 chrome.exe (6040) - RegQueryKey (hive=REGISTRY_MACHINE_SYSTEM, key=SYSTEM\ControlSet001\Control\Session Manager\, pid=6040, status=0, tid=1624)
1142 11:51:43.751000 2 chrome.exe (6040) - RegQueryKey (hive=REGISTRY_MACHINE_SYSTEM, key=SYSTEM\ControlSet001\Control\Session Manager\, pid=6040, status=0, tid=1624)
1143 11:51:43.751000 2 chrome.exe (6040) - RegOpenKey (hive=REGISTRY_MACHINE_SOFTWARE, key=SOFTWARE\WOW6432Node\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}, pid=6040, status=0, tid=1624)
...
1541 11:51:52.833000 3 chrome.exe (6040) - CloseFile (file=\Device\HarddiskVolume2\Users\Nedo\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RFe927c36.TMP, tid=8984)
1542 11:51:52.833000 3 chrome.exe (6040) - CreateFile (file=\Device\HarddiskVolume2\Users\Nedo\AppData\Local\Google\Chrome\User Data\Default\, file_type=FILE, operation=OPEN, share_mask=rw-, tid=8984)
1543 11:51:52.835000 2 chrome.exe (6040) - CloseFile (file=\Device\HarddiskVolume2\Users\Nedo\AppData\Local\Google\Chrome\User Data\Default\, tid=8984)
1544 11:51:52.835000 2 chrome.exe (6040) - CreateFile (file=\Device\HarddiskVolume2\Users\Nedo\AppData\Local\Google\Chrome\User Data\Default\, file_type=FILE, operation=OPEN, share_mask=rw-, tid=8984)
1545 11:51:52.836000 2 chrome.exe (6040) - CloseFile (file=\Device\HarddiskVolume2\Users\Nedo\AppData\Local\Google\Chrome\User Data\Default\, tid=8984)
1546 11:51:52.836000 2 chrome.exe (6040) - CloseFile (file=\Device\HarddiskVolume2\Users\Nedo\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity, tid=8984)
1547 11:51:52.836000 2 chrome.exe (6040) - CloseFile (file=\Device\HarddiskVolume2\Users\Nedo\AppData\Local\Google\Chrome\User Data\Default\7CFE.tmp, tid=8984)
1548 11:51:52.836000 2 chrome.exe (6040) - CreateFile (file=\Device\HarddiskVolume2\Users\Nedo\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RFe927c36.TMP, file_type=REPARSE_POINT, operation=OPEN, share_mask=rwd, tid=8984)
1549 11:51:52.836000 2 chrome.exe (6040) - DeleteFile (file=\Device\HarddiskVolume2\Users\Nedo\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RFe927c36.TMP, tid=8984)
1551 11:51:53.311000 0 chrome.exe (6040) - Recv (application=https, dport=443, ip_dst=192.30.253.112, ip_src=192.168.1.105, l4_proto=TCP, packet_size=31, pid=6040, sport=55896)
1552 11:51:53.322000 0 chrome.exe (6040) - Recv (application=https, dport=443, ip_dst=192.30.253.112, ip_src=192.168.1.105, l4_proto=TCP, packet_size=31, pid=6040, sport=55897)
1553 11:51:53.648000 0 chrome.exe (6040) - Recv (application=https, dport=443, ip_dst=192.30.253.112, ip_src=192.168.1.105, l4_proto=TCP, packet_size=31, pid=6040, sport=55898)
...

Here we can observe the file system operations, the registry activity and the network requests performed by the Chrome process. To narrow the trace down to specific kernel events, combine process spying with the --filters flag.
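As an added example that is not part of the Fibratus project, here is a small Python parser for the trace line format shown above; it builds a per-process summary (events per class, remote endpoints contacted, files deleted) over a constructed sample modeled on the Chrome trace. The field names and event classes are taken from the output above; the sample lines are constructed, not a real capture.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Layout of one trace line as printed above:
#   <seq> <time> <cpu> <image> (<pid>) - <Event> (<key>=<value>, ...)
LINE_RE = re.compile(r"^(?P<seq>\d+) (?P<time>[\d:.]+) (?P<cpu>\d+) (?P<image>\S+) "
                     r"\((?P<pid>\d+)\) - (?P<name>\w+) \((?P<params>.*)\)$")
# Split the parameter list on ", " only where a key= follows, since registry keys
# and file paths may themselves contain spaces
PARAM_SPLIT_RE = re.compile(r", (?=\w+=)")
# Event name -> coarse class used for the per-process summary (names seen in the trace above)
EVENT_CLASS = {"CreateFile": "file", "CloseFile": "file", "DeleteFile": "file",
               "RegOpenKey": "registry", "RegQueryKey": "registry",
               "Recv": "network"}

def parse_kevent(line: str) -> Optional[Dict[str, object]]:
    """Parse one trace line; return None for non-event lines such as '...'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    params = dict(kv.partition("=")[::2] for kv in PARAM_SPLIT_RE.split(m.group("params")))
    return {"seq": int(m.group("seq")), "image": m.group("image"),
            # pid is read from the line header: the file events above carry no pid= parameter
            "pid": int(m.group("pid")), "name": m.group("name"),
            "class": EVENT_CLASS.get(m.group("name"), "other"), "params": params}

def summarize(lines: List[str]) -> Dict[str, object]:
    """Event counts per class, remote endpoints contacted and files deleted by the spied process."""
    events = [e for e in map(parse_kevent, lines) if e]
    endpoints = {(e["params"]["ip_dst"], e["params"]["dport"]) for e in events if e["class"] == "network"}
    return {"events": len(events),
            "by_class": dict(Counter(e["class"] for e in events)),
            "endpoints": sorted(endpoints),
            "deleted_files": [e["params"]["file"] for e in events if e["name"] == "DeleteFile"]}

# Constructed sample modeled on the trace above (not a real capture)
SAMPLE = [
    "...",
    r"1141 11:51:43.751000 2 chrome.exe (6040) - RegQueryKey (hive=REGISTRY_MACHINE_SYSTEM, key=SYSTEM\ControlSet001\Control\Session Manager\, pid=6040, status=0, tid=1624)",
    r"1548 11:51:52.836000 2 chrome.exe (6040) - CreateFile (file=\Device\HarddiskVolume2\Users\Nedo\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RFe927c36.TMP, file_type=REPARSE_POINT, operation=OPEN, share_mask=rwd, tid=8984)",
    r"1549 11:51:52.836000 2 chrome.exe (6040) - DeleteFile (file=\Device\HarddiskVolume2\Users\Nedo\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RFe927c36.TMP, tid=8984)",
    r"1551 11:51:53.311000 0 chrome.exe (6040) - Recv (application=https, dport=443, ip_dst=192.30.253.112, ip_src=192.168.1.105, l4_proto=TCP, packet_size=31, pid=6040, sport=55896)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```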

Streaming kernel events to Elasticsearch

The kernel event stream can now be emitted to Elasticsearch via the output adapter, which supports both per-document and bulk indexing. The elasticsearch accessor is injected into the filament at runtime. For more information, see the fibratus.yml configuration descriptor.

Process exclusions

To avoid the overhead of unnecessary kernel events, you can exclude the processes that produce them from the trace. Just add the process name (including the extension) to the fibratus.yml configuration file:

excluded_procs:
  - svchost.exe
  - smss.exe
  - services.exe
  - taskmgr.exe
  - dwm.exe
  - vprot.exe
  - lsass.exe
  - sihost.exe
  - system

If you have any feedback or want to contribute, you can reach out via GitHub or drop me an email.