Nedim Šabić²

Results: 14 comments by Nedim Šabić²

This is much needed. How should one cope with ELF objects where `SEC` is utilized to designate the syscall name where the kprobe is attached?

@tailhook, thank you for pointing out your work (vagga looks awesome. I'll definitely give it a try). > Do you consider making the netlink/bridge creation part a separate crate/library?...

Something like this:

```
panic: runtime error: index out of range
goroutine 1 [running]:
github.com/sematext/foo/beef.(*upbuilder).InitUprobes(0xc4202d3680)
	/home/johndoe/Sematext/dev-st/foo/src/github.com/sematext/foo/beef/uprobe_builder.go:94 +0x18
main.main.func1(0xc42045e000, 0x19b6180, 0x0, 0x0)
	/home/johndoe/Sematext/dev-st/foo/src/github.com/sematext/foo/cmd/foo/main.go:196 +0xc77
github.com/sematext/foo/vendor/github.com/spf13/cobra.(*Command).execute(0xc42045e000, 0xc4200a8170, 0x0, 0x0, 0xc42045e000, 0xc4200a8170)
	/home/johndoe/Sematext/dev-st/foo/src/github.com/sematext/foo/vendor/github.com/spf13/cobra/command.go:766...
```

Hi @yusufozturk, thanks for the elaborate analysis. Did you happen to see this pattern repeat for every file read? Does it happen only on the first read or for all...

Hi @yusufozturk, if I'm reading this correctly, all events seem to match their respective Windows Event Log events. [Here](https://www.fibratus.io/#/kevents/file?id=createfile) you can find a detailed explanation of the CreateFile event parameters. The...

This is a fabulous analysis, @yusufozturk. Thanks! For performance reasons, I think it wouldn't be viable to augment those CreateFile events from user space with detailed information about file...

Hi @yusufozturk, thanks for offering help. I'll try to investigate over the weekend and let you know my findings. Re: extracting ETW logic into a separate repo. That makes a lot...

I've spent some time scanning through Microsoft API docs. There is a [function](https://docs.microsoft.com/es-es/windows/win32/api/aclapi/nf-aclapi-getsecurityinfo) that can obtain ACL metadata for a given file handle. Nevertheless, I think this wouldn't work for...

@yusufozturk Have you got a chance to look into this? If there isn't anything actionable I believe we could close the issue, as this isn't really a problem with duplicate...

My plate is pretty full this month and I have no experience with Splunk's API. Can you take a look at the documentation to help me figure out which...