Revert "feat(sigs): refactor to use nonparsed arguments"

This reverts commit ec478cc.
aquasecurity · Dec 25, 2024 · b46a2b6 · b46a2b6
1 parent 2c6fe9e
commit b46a2b6
Show file tree

Hide file tree

Showing 45 changed files with 129 additions and 175 deletions.
diff --git a/pkg/signatures/benchmark/signature/golang/anti_debugging.go b/pkg/signatures/benchmark/signature/golang/anti_debugging.go
@@ -3,7 +3,6 @@ package golang
 import (
 	"fmt"
 
-	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/signatures/helpers"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/protocol"
@@ -13,7 +12,6 @@ import (
 type antiDebugging struct {
 	cb       detect.SignatureHandler
 	metadata detect.SignatureMetadata
-	logger   detect.Logger
 }
 
 func NewAntiDebuggingSignature() (detect.Signature, error) {
@@ -32,7 +30,6 @@ func NewAntiDebuggingSignature() (detect.Signature, error) {
 
 func (sig *antiDebugging) Init(ctx detect.SignatureContext) error {
 	sig.cb = ctx.Callback
-	sig.logger = ctx.Logger
 	return nil
 }
 
@@ -55,30 +52,22 @@ func (sig *antiDebugging) OnEvent(event protocol.Event) error {
 	if ee.EventName != "ptrace" {
 		return nil
 	}
-	requestArg, err := helpers.GetTraceeIntArgumentByName(ee, "request")
+	request, err := helpers.GetTraceeArgumentByName(ee, "request", helpers.GetArgOps{DefaultArgs: false})
 	if err != nil {
 		return err
 	}
-
-	if uint64(requestArg) != parsers.PTRACE_TRACEME.Value() {
-		return nil
+	requestString, ok := request.Value.(string)
+	if !ok {
+		return fmt.Errorf("failed to cast request's value")
 	}
-
-	var ptraceRequestData string
-	requestString, err := parsers.ParsePtraceRequestArgument(uint64(requestArg))
-
-	if err != nil {
-		ptraceRequestData = fmt.Sprint(requestArg)
-		sig.logger.Debugw("anti_debugging sig: failed to parse ptrace request argument: %v", err)
-	} else {
-		ptraceRequestData = requestString.String()
+	if requestString != "PTRACE_TRACEME" {
+		return nil
 	}
-
 	sig.cb(&detect.Finding{
 		SigMetadata: sig.metadata,
 		Event:       event,
 		Data: map[string]interface{}{
-			"ptrace request": ptraceRequestData,
+			"ptrace request": requestString,
 		},
 	})
 	return nil

diff --git a/pkg/signatures/benchmark/signature/golang/code_injection.go b/pkg/signatures/benchmark/signature/golang/code_injection.go
@@ -65,11 +65,11 @@ func (sig *codeInjection) OnEvent(event protocol.Event) error {
 	}
 	switch ee.EventName {
 	case "open", "openat":
-		flags, err := helpers.GetTraceeIntArgumentByName(ee, "flags")
+		flags, err := helpers.GetTraceeArgumentByName(ee, "flags", helpers.GetArgOps{DefaultArgs: false})
 		if err != nil {
 			return fmt.Errorf("%v %#v", err, ee)
 		}
-		if helpers.IsFileWrite(flags) {
+		if helpers.IsFileWrite(flags.Value.(string)) {
 			pathname, err := helpers.GetTraceeArgumentByName(ee, "pathname", helpers.GetArgOps{DefaultArgs: false})
 			if err != nil {
 				return err

diff --git a/signatures/golang/anti_debugging_ptraceme.go b/signatures/golang/anti_debugging_ptraceme.go
@@ -3,7 +3,6 @@ package main
 import (
 	"fmt"
 
-	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/signatures/helpers"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/protocol"
@@ -12,12 +11,12 @@ import (
 
 type AntiDebuggingPtraceme struct {
 	cb            detect.SignatureHandler
-	ptraceTraceMe int
+	ptraceTraceMe string
 }
 
 func (sig *AntiDebuggingPtraceme) Init(ctx detect.SignatureContext) error {
 	sig.cb = ctx.Callback
-	sig.ptraceTraceMe = int(parsers.PTRACE_TRACEME.Value())
+	sig.ptraceTraceMe = "PTRACE_TRACEME"
 	return nil
 }
 
@@ -53,7 +52,7 @@ func (sig *AntiDebuggingPtraceme) OnEvent(event protocol.Event) error {
 
 	switch eventObj.EventName {
 	case "ptrace":
-		requestArg, err := helpers.GetTraceeIntArgumentByName(eventObj, "request")
+		requestArg, err := helpers.GetTraceeStringArgumentByName(eventObj, "request")
 		if err != nil {
 			return err
 		}

diff --git a/signatures/golang/anti_debugging_ptraceme_test.go b/signatures/golang/anti_debugging_ptraceme_test.go
@@ -6,7 +6,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/signatures/signaturestest"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/trace"
@@ -30,7 +29,7 @@ func TestAntiDebuggingPtraceme(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "request",
 							},
-							Value: interface{}(int64(parsers.PTRACE_TRACEME.Value())),
+							Value: interface{}("PTRACE_TRACEME"),
 						},
 					},
 				},
@@ -45,7 +44,7 @@ func TestAntiDebuggingPtraceme(t *testing.T) {
 								ArgMeta: trace.ArgMeta{
 									Name: "request",
 								},
-								Value: interface{}(int64(parsers.PTRACE_TRACEME.Value())),
+								Value: interface{}("PTRACE_TRACEME"),
 							},
 						},
 					}.ToProtocol(),
@@ -77,7 +76,7 @@ func TestAntiDebuggingPtraceme(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "request",
 							},
-							Value: interface{}(int64(parsers.PTRACE_PEEKTEXT.Value())),
+							Value: interface{}("PTRACE_PEEKTEXT"),
 						},
 					},
 				},

diff --git a/signatures/golang/aslr_inspection.go b/signatures/golang/aslr_inspection.go
@@ -57,7 +57,7 @@ func (sig *AslrInspection) OnEvent(event protocol.Event) error {
 			return err
 		}
 
-		flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags")
+		flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags")
 		if err != nil {
 			return err
 		}

diff --git a/signatures/golang/aslr_inspection_test.go b/signatures/golang/aslr_inspection_test.go
@@ -6,7 +6,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/signatures/signaturestest"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/trace"
@@ -30,7 +29,7 @@ func TestAslrInspection(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_RDONLY)),
+							Value: interface{}("O_RDONLY"),
 						},
 						{
 							ArgMeta: trace.ArgMeta{
@@ -51,7 +50,7 @@ func TestAslrInspection(t *testing.T) {
 								ArgMeta: trace.ArgMeta{
 									Name: "flags",
 								},
-								Value: interface{}(buildFlagArgValue(parsers.O_RDONLY)),
+								Value: interface{}("O_RDONLY"),
 							},
 							{
 								ArgMeta: trace.ArgMeta{
@@ -95,7 +94,7 @@ func TestAslrInspection(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)),
+							Value: interface{}("O_WRONLY"),
 						},
 					},
 				},
@@ -112,7 +111,7 @@ func TestAslrInspection(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_RDONLY)),
+							Value: interface{}("O_RDONLY"),
 						},
 						{
 							ArgMeta: trace.ArgMeta{

diff --git a/signatures/golang/cgroup_notify_on_release_modification.go b/signatures/golang/cgroup_notify_on_release_modification.go
@@ -59,7 +59,7 @@ func (sig *CgroupNotifyOnReleaseModification) OnEvent(event protocol.Event) erro
 		}
 		basename := path.Base(pathname)
 
-		flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags")
+		flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags")
 		if err != nil {
 			return err
 		}

diff --git a/signatures/golang/cgroup_notify_on_release_modification_test.go b/signatures/golang/cgroup_notify_on_release_modification_test.go
@@ -6,7 +6,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/signatures/signaturestest"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/trace"
@@ -36,7 +35,7 @@ func TestCgroupNotifyOnReleaseModification(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)),
+							Value: interface{}("O_WRONLY"),
 						},
 					},
 				},
@@ -57,7 +56,7 @@ func TestCgroupNotifyOnReleaseModification(t *testing.T) {
 								ArgMeta: trace.ArgMeta{
 									Name: "flags",
 								},
-								Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)),
+								Value: interface{}("O_WRONLY"),
 							},
 						},
 					}.ToProtocol(),
@@ -95,7 +94,7 @@ func TestCgroupNotifyOnReleaseModification(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_RDONLY)),
+							Value: interface{}("O_RDONLY"),
 						},
 					},
 				},
@@ -118,7 +117,7 @@ func TestCgroupNotifyOnReleaseModification(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)),
+							Value: interface{}("O_WRONLY"),
 						},
 					},
 				},

diff --git a/signatures/golang/cgroup_release_agent_modification.go b/signatures/golang/cgroup_release_agent_modification.go
@@ -56,7 +56,7 @@ func (sig *CgroupReleaseAgentModification) OnEvent(event protocol.Event) error {
 
 	switch eventObj.EventName {
 	case "security_file_open":
-		flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags")
+		flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags")
 		if err != nil {
 			return err
 		}

diff --git a/signatures/golang/cgroup_release_agent_modification_test.go b/signatures/golang/cgroup_release_agent_modification_test.go
@@ -6,7 +6,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/signatures/signaturestest"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/trace"
@@ -36,7 +35,7 @@ func TestCgroupReleaseAgentModification(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)),
+							Value: interface{}("O_WRONLY"),
 						},
 					},
 				},
@@ -57,7 +56,7 @@ func TestCgroupReleaseAgentModification(t *testing.T) {
 								ArgMeta: trace.ArgMeta{
 									Name: "flags",
 								},
-								Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)),
+								Value: interface{}("O_WRONLY"),
 							},
 						},
 					}.ToProtocol(),
@@ -142,7 +141,7 @@ func TestCgroupReleaseAgentModification(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_RDONLY)),
+							Value: interface{}("O_RDONLY"),
 						},
 					},
 				},
@@ -165,7 +164,7 @@ func TestCgroupReleaseAgentModification(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: interface{}(buildFlagArgValue(parsers.O_WRONLY)),
+							Value: interface{}("O_WRONLY"),
 						},
 					},
 				},

diff --git a/signatures/golang/core_pattern_modification.go b/signatures/golang/core_pattern_modification.go
@@ -58,7 +58,7 @@ func (sig *CorePatternModification) OnEvent(event protocol.Event) error {
 			return err
 		}
 
-		flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags")
+		flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags")
 		if err != nil {
 			return err
 		}

diff --git a/signatures/golang/core_pattern_modification_test.go b/signatures/golang/core_pattern_modification_test.go
@@ -6,7 +6,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/signatures/signaturestest"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/trace"
@@ -36,7 +35,7 @@ func TestCorePatternModification(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: buildFlagArgValue(parsers.O_WRONLY),
+							Value: interface{}("O_WRONLY"),
 						},
 					},
 				},
@@ -57,7 +56,7 @@ func TestCorePatternModification(t *testing.T) {
 								ArgMeta: trace.ArgMeta{
 									Name: "flags",
 								},
-								Value: buildFlagArgValue(parsers.O_WRONLY),
+								Value: interface{}("O_WRONLY"),
 							},
 						},
 					}.ToProtocol(),
@@ -95,7 +94,7 @@ func TestCorePatternModification(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: buildFlagArgValue(parsers.O_RDONLY),
+							Value: interface{}("O_RDONLY"),
 						},
 					},
 				},
@@ -118,7 +117,7 @@ func TestCorePatternModification(t *testing.T) {
 							ArgMeta: trace.ArgMeta{
 								Name: "flags",
 							},
-							Value: buildFlagArgValue(parsers.O_WRONLY),
+							Value: interface{}("O_WRONLY"),
 						},
 					},
 				},

diff --git a/signatures/golang/default_loader_modification.go b/signatures/golang/default_loader_modification.go
@@ -59,7 +59,7 @@ func (sig *DefaultLoaderModification) OnEvent(event protocol.Event) error {
 
 	switch eventObj.EventName {
 	case "security_file_open":
-		flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags")
+		flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags")
 		if err != nil {
 			return err
 		}