
Some events can't be collected with filaments

cyohg opened this issue 5 months ago

Hi,

Describe the bug

I'm using a filament to collect the events I want, but it doesn't work for events that have "WriteFile", "RegDeleteKey" or "RegDeleteValue" in their name attribute.

How to reproduce it

  • Write a filament like this one:

```python
# myFilament.py
def on_init():
    print("Starting filament")

@dotdictify
def on_next_kevent(kevent):
    print(kevent.name)
    if kevent.name == "WriteFile":
        print(kevent)

def on_stop():
    print("Ending filament")
```

  • Run it with `fibratus run -f myFilament`

Expected behavior

I also ran a capture while installing Blender with the `fibratus capture` command and converted it to a JSON file, which had a lot of "WriteFile" events, so I expected to see a lot of "WriteFile" events in the console while using the filament. But I got 0.

Environment

  • Fibratus version: (given as a screenshot in the original issue)

  • Configuration: `fibratus config` returns `Error: fibratus API server up and running on localhost:8482`
  • OS: Windows 10 Pro - build: 19045.5965

Additional context

  • I also tried to put `kfilter("kevt.name = 'WriteFile'")` at the start of the `on_init()` function, but I got the same result.
  • I have the same problem with "RegDeleteKey" and "RegDeleteValue"; I don't know if other events have that problem.
  • I tried the above propositions with "CreateFile" and it worked perfectly.

cyohg avatar Jun 19 '25 14:06 cyohg

Thanks for the bug report. Could you try to run the filament by including an additional flag?

`fibratus run --forward -f myFilament`

rabbitstack avatar Jun 19 '25 18:06 rabbitstack

Now I've got all of the types of events I wanted, but sometimes it misses a lot of them: I go from 1 million events in my classical capture to 500 000 or even less with that command. It seems quite random too. Maybe it comes from the fact that I dump event info into a JSON file and that this process is "slow", since letting the capture with the filament run after the end of the installation seems to be better, but I didn't have the problem previously. What does --forward do?

cyohg avatar Jun 23 '25 09:06 cyohg

Sadly, I don't have any strong evidence to explain the difference in the volume between the filament and the capture events.

> What does --forward do?

Forward basically instructs Fibratus to send all events to one of the output destinations (console is the default output). In other words, it enables the event forwarding/collection mode. The rule engine is the default mode. Because of the bug, when you run the filament, the rule engine is also enabled. The rule engine is smart enough to dynamically disable all events that are not used by the rules.

I'll fix this in the upcoming version.

rabbitstack avatar Jun 23 '25 18:06 rabbitstack
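A diagnostic filament that tallies events by name and reports which expected names never arrived, so the effect of `--forward` on the missing WriteFile and RegDelete* events can be checked against a capture. This is an added example, not Fibratus project code nor the reporter's filament; it assumes the kevent handed to `on_next_kevent` is a dict-like mapping with a "name" key (the posted filament reads the same field through `@dotdictify`, which this example does not use), and the `tally` helper and `EXPECTED` list are constructed for the example.

```python
# eventcounter.py: count events per name and flag expected names never seen.
# Assumption: each kevent is a dict-like mapping with a "name" key.
from collections import Counter

# Event names the reporter expected to observe (constructed for this example).
EXPECTED = ("WriteFile", "RegDeleteKey", "RegDeleteValue", "CreateFile")

counts = Counter()  # live tally filled by on_next_kevent

def event_name(kevent):
    """Extract the event name from a dict-like or attribute-style kevent."""
    if hasattr(kevent, "get"):
        return kevent.get("name")
    return getattr(kevent, "name", None)

def missing_expected(counter):
    """Return the expected event names with a zero count, sorted."""
    return sorted(n for n in EXPECTED if counter.get(n, 0) == 0)

def tally(events):
    """Count an event stream by name; returns (Counter, names never seen)."""
    c = Counter()
    for ev in events:
        name = event_name(ev)
        if name:
            c[name] += 1
    return c, missing_expected(c)

# Filament hooks, same names as the filament posted in the issue.
def on_init():
    counts.clear()
    print("Starting event counter")

def on_next_kevent(kevent):
    name = event_name(kevent)
    if name:
        counts[name] += 1

def on_stop():
    print("Ending event counter")
    for name, n in counts.most_common():
        print(f"{name:<16} {n}")
    gap = missing_expected(counts)
    if gap:
        print("never seen:", ", ".join(gap))

if __name__ == "__main__":
    # Offline self-check on a constructed stream; no Fibratus needed.
    sample = [{"name": "CreateFile"}] * 3 + [{"name": "WriteFile"}]
    on_init()
    for ev in sample:
        on_next_kevent(ev)
    on_stop()
```

Run it with `fibratus run --forward -f eventcounter` and compare the per-name totals against those in the JSON export of the capture; a name listed under "never seen" has not been delivered to the filament at all.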