Add process create and exit times

[Austin-Lamb]

Description

This adds process creation and exit times to ntosebpfext. As I did this, I wanted to test that these times made sense, so the previous way of testing by just writing from process_monitor to a file and reding it back in from a PowerShell script was going to be limiting, so I reimplemented the tests and test harness too.

This change also removes the x86 architecture as Windows 11 does not support x86 32-bit anyway. I also removed a number of unused Solution Configurations, so we have fewer to maintain.

Testing

1. Ran all the existing unit tests.
2. Added a new unit test, with the updated usersim that allows shimming the process create and exit time APIs.
3. Reimplemented the E2E tests as 3 .NET projects. process_monitor.Library is a class library that has the logic to listen to the ntosebpfext events from process_monitor.sys and surface them as .NET events. Then process_monitor (the exe) moved from C++ to C# so it is a thin wrapper over that library that just adds console output and Ctrl+C support. Lastly, there's process_monitor.Tests which is MSTest code that exercises the library and can do things like "run a process and confirm the exit code is what we expect" or "run a process that should take at least 3 seconds, and confirm the exit time is >= 3 seconds beyond the start time. This also lays groundwork for further testing that uses richer data than text parsing a log file would benefit from.

Documentation

Yes, updated the docs on how to run the tests and set up a dev environment.

Installation

This changes what a dev needs to install to build and test this project (see updated docs), but does not change the install requirements for the ntosebpfext extension for an end-user.

[poornagmsft]

[like] Poorna Gaddehosur reacted to your message:

---

From: Austin Lamb @.> Sent: Wednesday, May 8, 2024 12:09:03 AM To: microsoft/ntosebpfext @.> Cc: Poorna Gaddehosur @.>; Review requested @.> Subject: [microsoft/ntosebpfext] User/austinl/add process create and exit times (PR #47)

Description

This adds process creation and exit times to ntosebpfext. As I did this, I wanted to test that these times made sense, so the previous way of testing by just writing from process_monitor to a file and reding it back in from a PowerShell script was going to be limiting, so I reimplemented the tests and test harness too.

Testing

1. Ran all the existing unit tests.
2. Added a new unit test, with the updated usersim that allows shimming the process create and exit time APIs.
3. Reimplemented the E2E tests as 3 .NET projects. process_monitor.Library is a class library that has the logic to listen to the ntosebpfext events from process_monitor.sys and surface them as .NET events. Then process_monitor (the exe) moved from C++ to C# so it is a thin wrapper over that library that just adds console output and Ctrl+C support. Lastly, there's process_monitor.Tests which is MSTest code that exercises the library and can do things like "run a process and confirm the exit code is what we expect" or "run a process that should take at least 3 seconds, and confirm the exit time is >= 3 seconds beyond the start time. This also lays groundwork for further testing that uses richer data than text parsing a log file would benefit from.

Documentation

Yes, updated the docs on how to run the tests and set up a dev environment.

Installation

This changes what a dev needs to install to build and test this project (see updated docs), but does not change the install requirements for the ntosebpfext extension for an end-user.

---

You can view, comment on, or merge this pull request online at:

https://github.com/microsoft/ntosebpfext/pull/47

Commit Summary

• 214232fhttps://github.com/microsoft/ntosebpfext/pull/47/commits/214232f0cdb91fd95df23112b97e9c099e98744d Working on adding exit codes, need to bump usersim version
• 4b8e891https://github.com/microsoft/ntosebpfext/pull/47/commits/4b8e891c028fcde807f370e58d58bf9997a238df Update submodules
• 7c054cdhttps://github.com/microsoft/ntosebpfext/pull/47/commits/7c054cd7da05b5ea0ec788886cc974d60b087029 Add tests and docs, try to fix annotation failure seen in CI
• 03b6763https://github.com/microsoft/ntosebpfext/pull/47/commits/03b67635629812759fd69da2cb8e297cbc1b67a9 Merge branch 'main' into user/austinl/addProcessExitCode
• b51b3d4https://github.com/microsoft/ntosebpfext/pull/47/commits/b51b3d4b11a5efd8aefbec0fd6f35c454e71602a Updating usersim to pick up SAL fix
• 64b32cfhttps://github.com/microsoft/ntosebpfext/pull/47/commits/64b32cf4abe12a0306c6ab48ebac93c46070d669 Merge branch 'user/austinl/addProcessExitCode' of https://github.com/Austin-Lamb/ntosebpfext into user/austinl/addProcessExitCode
• d2e1dbchttps://github.com/microsoft/ntosebpfext/pull/47/commits/d2e1dbc7bc135a76a0d683f085e8df689d98f93c Add create and exit times, refactor test harness into .NET
• c76cf6bhttps://github.com/microsoft/ntosebpfext/pull/47/commits/c76cf6bd104a2ed6fa27fb3b8ce59bce360c5d2f Add one more file to sln

File Changes

(34 fileshttps://github.com/microsoft/ntosebpfext/pull/47/files)

• M .github/workflows/cicd.ymlhttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-6727e33ccc9195d67f0786e1384f8f1cdaf4090c3e77547943105bd2b28c99d0 (4)
• M .github/workflows/reusable-build.ymlhttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-951765131741a39f193f7387e405bafacb9b9e836a17986e6c7480d6dc448cc3 (6)
• M CONTRIBUTING.mdhttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-eca12c0a30e25b4b46522ebf89465a03ba72a03f540796c979137931d8f92055 (60)
• M Directory.Build.propshttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-9da24614831c308827a1ae533ffea392c97638c261dd42bd0f5226baa136d16e (11)
• A Directory.Packages.propshttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-5baf5f9e448ad54ab25a091adee0da05d4d228481c9200518fcb1b53a65d4156 (20)
• M README.mdhttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5 (5)
• A RunSettings.runsettingshttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-a705b0a29f2e4fd74fb771f0d9242a48e9a38269346f3a962b7328c0e279eb70 (146)
• M external/Catch2https://github.com/microsoft/ntosebpfext/pull/47/files#diff-8274a6812394762a831653cd1a1b585314bcd180f4d01cd42a309d0b6cf53d4e (2)
• M external/usersimhttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-4ae78540d77e146774e537be8c7888b0e96d803c98c06760e4e8775833905812 (2)
• M include/ebpf_ntos_hooks.hhttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-9a7747cac93a4fbc69bf67be53aa46851eadf48a58f60522c564f07c872bc2bb (17)
• M ntosebpfext.slnhttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-2bc7addd1b14a538a605dec34a389535c0da5868cc857cad43e676fef90d1d51 (170)
• M ntosebpfext/ntos_ebpf_ext_process.chttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-b47f3e1916f02cf4bb573430db75060b5c3865e9b22f38dc9c7ae0da03947b4e (7)
• A scripts/rebuild_ntosebpfext.cmdhttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-90a18ccb0641433abd7a0d347c2273ac5160c6e03d5befa012edecebd5331f1b (6)
• M tests/ntosebpfext_unit/ntos_ebpfext_unit.cpphttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-6bcb3a8423bee5680f40d48a9ffa4df733cbe593e16572621199e918ec776e20 (141)
• A tests/process_monitor.Tests/ProcessMonitorTests.cshttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-6172a9676cd3e7fa7f02e12e550f6958f671f87cb8fb620d21d5223e8be32363 (117)
• A tests/process_monitor.Tests/Setup-ProcessMonitorTests.ps1https://github.com/microsoft/ntosebpfext/pull/47/files#diff-e83e528cb7248f714fc48cc4ffa37ff035c168bbfeef86dc6d0575bf9562cc8a (35)
• A tests/process_monitor.Tests/process_monitor.Tests.csprojhttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-377646df505b7b07ab737f265c2959485e1d7e42c148fd96509c4a7bb0f17071 (36)
• A tools/process_monitor.Library/PInvokes.cshttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-b106b69e2ad93ac90c0019f17041e443e92179a03c0dd014f14d259777871664 (51)
• A tools/process_monitor.Library/ProcessCreatedEventArgs.cshttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-b08b3ee00142ee07b15f9977ba668038da8f03ce45d7a0946030d8fd6732fe74 (26)
• A tools/process_monitor.Library/ProcessDestroyedEventArgs.cshttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-b1cced1432abb0e40c85928bcb0ce53a451a41fd6d77ff36dda208aa9dd42114 (24)
• A tools/process_monitor.Library/ProcessMonitor.cshttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-5ce67008e52ea2d7ceecb93a57ac819897cec303e39f0850f28ea24a76b5381a (75)
• A tools/process_monitor.Library/ProcessMonitorBPFLoader.cshttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-c8f7e53c2a6af969f7dd0696f9385df1c4febe776069369e9f731f6c12166ad4 (240)
• A tools/process_monitor.Library/process_monitor.Library.csprojhttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-3601fb5e48f8edbaa9b8a4ab73a898945c37d021ab1683b86add9e46775d6f51 (25)
• A tools/process_monitor/ExceptionFormatter.cshttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-3b394faabd5c2d6b0b3462683fa36e4cd7eea356349fc6ec40f7887c3827aecd (78)
• A tools/process_monitor/ProcessMonitorLoggingFormatter.cshttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-c7a5df1ecf3f3ee811f3a8ede47f6a94accdf6be99db70051d7400b7d73e2c45 (81)
• A tools/process_monitor/Program.cshttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-2d2c26fc129b97042c65ae931d13116058735b4d85ab14bada6fb8a6ee62944e (57)
• D tools/process_monitor/Test-ProcessMonitor.ps1https://github.com/microsoft/ntosebpfext/pull/47/files#diff-9b2a1323efa4f4fc2d9e08a6db00004594be450b33ab12df52fcd19a93ea37ea (86)
• A tools/process_monitor/TextWriterExtensions.Color.cshttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-6e9ba244d05d9496878538130c9405a25fed00af03d271a04003443f45c8fd59 (110)
• D tools/process_monitor/process_monitor.cpphttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-95330276d9ed760687e3fca3cf7d8bf0dc275ba2d4dbe0ec8ca0df0aca3d44a9 (180)
• A tools/process_monitor/process_monitor.csprojhttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-c03a297439a719bab99c9e4828a98f6342a4d1569fe2a99659a980ff59a9aab8 (19)
• R tools/process_monitor_bpf/packages.confighttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-b6fc3251dd17f7a395641e9d2b1cfcc89496a5c589489093f9c973d38c06c63a (0)
• R tools/process_monitor_bpf/process_monitor.chttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-202e86bdeb81684b6cff4eb49fecabb4b234d640cdef252ae9585b3ea5c94ad2 (41)
• R tools/process_monitor_bpf/process_monitor_bpf.vcxprojhttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-7db0b95bb1328f76e5bcba77a648e015def2be8800ed92df9acf5da3b1c84c65 (11)
• R tools/process_monitor_bpf/process_monitor_bpf.vcxproj.filtershttps://github.com/microsoft/ntosebpfext/pull/47/files#diff-8ef6535594fc5b39d0a71c0352f5116191dca0af083c33a71c24ca052bf1f2eb (11)

Patch Links:

• https://github.com/microsoft/ntosebpfext/pull/47.patch
• https://github.com/microsoft/ntosebpfext/pull/47.diff

— Reply to this email directly, view it on GitHubhttps://github.com/microsoft/ntosebpfext/pull/47, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AO6DOEQ2JM73KZKSFIUW4NDZBFUJ7AVCNFSM6AAAAABHL52WD2VHI2DSMVQWIX3LMV43ASLTON2WKOZSGI4DINBSG4YDANY. You are receiving this because your review was requested.Message ID: @.***>