microsoft / ntosebpfext

eBPF-For-Windows extension to provide access to Windows kernel functionality
MIT License
11 stars, 9 forks

Add exit codes to process destroy information #36

Closed (Austin-Lamb closed this 4 months ago)

Austin-Lamb commented 5 months ago

Description

When a process is destroyed, we now plumb through the exit code as well. This is often handy for a user-mode thing listening for processes, so it can know if a process exited successfully or failed, to correlate with other telemetry.

To do this, I had to update the usersim submodule to pick up this: https://github.com/microsoft/usersim/pull/191

Testing

Manually tested. Added automated tests - both unit and E2E with process_monitor

Documentation

Added docs on how to build, test and debug.

Installation

No changes to installation.
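
The consumer side of this change, as an added example that is not ntosebpfext or usersim code: a user-mode listener classifying the exit status a process-destroy event now carries, so it can tell a clean exit from an application-reported error and from an abnormal termination. The event layout (`process_exit_event`), helper names and sample values are assumptions; `NT_SUCCESS` and the `STATUS_*` constants follow their ntdef.h/ntstatus.h definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Added example, not ntosebpfext code: what a user-mode listener can do once a
 * process-destroy event carries the exit status. process_exit_event is a
 * hypothetical stand-in for the extension's real event layout. */
typedef int32_t NTSTATUS;
/* NT_SUCCESS as in ntdef.h: true when the high (error/warning severity) bit is clear. */
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
/* Well-known NTSTATUS values the kernel sets on abnormal termination. */
#define STATUS_ACCESS_VIOLATION ((NTSTATUS)0xC0000005L)
#define STATUS_CONTROL_C_EXIT   ((NTSTATUS)0xC000013AL)

typedef struct {
    uint32_t pid;
    const char *image;
    NTSTATUS exit_status;   /* the value PsGetProcessExitStatus reports */
} process_exit_event;

typedef enum { EXIT_CLEAN, EXIT_APP_ERROR, EXIT_ABNORMAL } exit_class;

/* The status is whatever the process passed to ExitProcess, or an NTSTATUS
 * the kernel assigned on an unhandled exception or forced termination. An
 * application that returns 1 is still NT_SUCCESS (1 >= 0), so NT_SUCCESS
 * alone does not answer "did it fail"; split into three classes instead. */
exit_class classify_exit(NTSTATUS status) {
    if (status == 0)        return EXIT_CLEAN;
    if (NT_SUCCESS(status)) return EXIT_APP_ERROR;  /* e.g. exit(1) */
    return EXIT_ABNORMAL;   /* error severity: crash, kill, Ctrl+C, ... */
}

/* Count abnormal exits in a batch: the signal worth correlating with other
 * telemetry (crash dumps, ETW, EDR events) keyed on the same pid. */
int count_abnormal(const process_exit_event *ev, size_t n) {
    int abnormal = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_exit(ev[i].exit_status) == EXIT_ABNORMAL) abnormal++;
    return abnormal;
}

/* Constructed sample events, not captured data. */
static const process_exit_event sample[] = {
    { 4120, "notepad.exe", 0 },                        /* clean */
    { 4388, "build.exe",   1 },                        /* app-reported error */
    { 5012, "svc.exe",     STATUS_ACCESS_VIOLATION },  /* crash */
    { 5100, "tool.exe",    STATUS_CONTROL_C_EXIT },    /* killed by Ctrl+C */
};
int sample_abnormal_count(void) { return count_abnormal(sample, 4); }

int main(void) { printf("abnormal exits: %d\n", sample_abnormal_count()); return 0; }
```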

Alan-Jowett commented 5 months ago

@austin-lamb can you please fix the code analysis failures?

       "D:\a\ntosebpfext\ntosebpfext\ntosebpfext.sln" (default target) (1) ->
       "D:\a\ntosebpfext\ntosebpfext\ntosebpfext\user\ntosebpfext_user.vcxproj" (default target) (7) ->
       (RunNativeCodeAnalysis target) -> 
         D:\a\ntosebpfext\ntosebpfext\ntosebpfext\ntos_ebpf_ext_process.c(17): error C28251: Inconsistent annotation for 'PsGetProcessExitStatus': this instance has no annotations. See d:\a\ntosebpfext\ntosebpfext\external\usersim\inc\usersim\ps.h(21).  [D:\a\ntosebpfext\ntosebpfext\ntosebpfext\user\ntosebpfext_user.vcxproj]

       "D:\a\ntosebpfext\ntosebpfext\ntosebpfext.sln" (default target) (1) ->
       "D:\a\ntosebpfext\ntosebpfext\ntosebpfext\sys\ntosebpfext.vcxproj.metaproj" (default target) (2) ->
       "D:\a\ntosebpfext\ntosebpfext\ntosebpfext\sys\ntosebpfext.vcxproj" (default target) (14) ->
         D:\a\ntosebpfext\ntosebpfext\ntosebpfext\ntos_ebpf_ext_process.c(17): error C28251: Inconsistent annotation for 'PsGetProcessExitStatus': this instance has no annotations. See c:\program files (x86)\windows kits\10\include\10.0.22621.0\km\ntddk.h(11293).  [D:\a\ntosebpfext\ntosebpfext\ntosebpfext\sys\ntosebpfext.vcxproj]

Austin-Lamb commented 5 months ago

Should be fixed now, with the updated usersim to fix SAL.