Struct owlyshield_ransom::process::ProcessRecord [−][src]
pub struct ProcessRecord {Show 54 fields
pub appname: String,
pub gid: c_ulonglong,
pub pids: HashSet<c_ulong>,
pub ops_read: u64,
pub ops_setinfo: u64,
pub ops_written: u64,
pub ops_open: u64,
pub bytes_read: u64,
pub bytes_written: u64,
pub entropy_read: f64,
pub entropy_written: f64,
pub files_read: HashSet<FileId>,
pub files_renamed: HashSet<FileId>,
pub files_opened: HashSet<FileId>,
pub files_written: HashSet<FileId>,
pub files_deleted: HashSet<FileId>,
pub fpaths_created: HashSet<String>,
pub fpaths_updated: HashSet<String>,
pub dirs_with_files_created: HashSet<String>,
pub dirs_with_files_updated: HashSet<String>,
pub dirs_with_files_opened: HashSet<String>,
pub extensions_read: ExtensionsCount,
pub extensions_written: ExtensionsCount,
pub exepath: PathBuf,
pub exe_exists: bool,
pub process_state: ProcessState,
pub is_malicious: bool,
pub time_started: SystemTime,
pub time_killed: Option<SystemTime>,
pub time_suspended: Option<SystemTime>,
pub clusters: usize,
pub clusters_max_size: usize,
pub driver_msg_count: usize,
tx: Sender<MultiThreadClustering>,
rx: Receiver<MultiThreadClustering>,
is_thread_clustering_running: bool,
last_thread_clustering_time: SystemTime,
last_thread_clustering_duration: Duration,
pub file_size_empty: HashSet<String>,
pub file_size_tiny: HashSet<String>,
pub file_size_small: HashSet<String>,
pub file_size_medium: HashSet<String>,
pub file_size_large: HashSet<String>,
pub file_size_huge: HashSet<String>,
pub bytes_size_empty: Vec<c_ulonglong>,
pub bytes_size_tiny: Vec<c_ulonglong>,
pub bytes_size_small: Vec<c_ulonglong>,
pub bytes_size_medium: Vec<c_ulonglong>,
pub bytes_size_large: Vec<c_ulonglong>,
pub bytes_size_huge: Vec<c_ulonglong>,
pub on_shared_drive_read_count: u32,
pub on_shared_drive_write_count: u32,
pub on_removable_drive_read_count: u32,
pub on_removable_drive_write_count: u32,
}Expand description
GID state in real-time. This is a central structure.
This struct has several functions:
- Store the activity of a gid by aggregating the data received from the driver in real-time
- Calculate multiple metrics that will feed the prediction
Fields
appname: StringMain process name.
gid: c_ulonglongGroup Identifier: a unique number (maintained by the minifilter) identifying this family of precesses.
pids: HashSet<c_ulong>Set of pids in this family of processes.
ops_read: u64Count of Read operations crate::driver_com::IrpMajorOp::IrpRead
ops_setinfo: u64Count of SetInfo operations crate::driver_com::IrpMajorOp::IrpSetInfo
ops_written: u64Count of Write operations crate::driver_com::IrpMajorOp::IrpWrite
ops_open: u64Count of Handle Creation operations crate::driver_com::IrpMajorOp::IrpCreate
bytes_read: u64Total of bytes read
bytes_written: u64Total bytes written
entropy_read: f64Total entropy read
entropy_written: f64Total entropy write
files_read: HashSet<FileId>File descriptors read
files_renamed: HashSet<FileId>File descriptors renamed
files_opened: HashSet<FileId>File descriptors created
files_written: HashSet<FileId>File descriptors written
files_deleted: HashSet<FileId>File descriptors deleted
fpaths_created: HashSet<String>File paths created
fpaths_updated: HashSet<String>File paths updated (by a setinfo operation)
dirs_with_files_created: HashSet<String>Directories having files created
dirs_with_files_updated: HashSet<String>Directories having files updated
dirs_with_files_opened: HashSet<String>Directories having files opened (a file handle has been created)
extensions_read: ExtensionsCountUnique extensions read count
extensions_written: ExtensionsCountUnique extensions written count
exepath: PathBufPath to the exe of the main process (the root)
exe_exists: boolProcess exe file still exists (father)?
process_state: ProcessStateProcess execution state (Running, Suspended, Killed…)
is_malicious: boolHas the process been classified as malicious?
time_started: SystemTimeTime of the main process start
time_killed: Option<SystemTime>Time of the main process kill (if malicious)
time_suspended: Option<SystemTime>Time of process suspended
clusters: usizeNumber of directories (with files updated) clusters created
clusters_max_size: usizeDeepest cluster size
driver_msg_count: usizeNumber of driver messages received for this Gid
tx: Sender<MultiThreadClustering>Used by Self::launch_thread_clustering to communicate with a thread in charge of the heavy computations (clustering).
rx: Receiver<MultiThreadClustering>Used by Self::launch_thread_clustering to communicate with a thread in charge of the heavy computations (clustering).
is_thread_clustering_running: boolUsed by Self::launch_thread_clustering to communicate with a thread in charge of the heavy computations (clustering).
last_thread_clustering_time: SystemTimelast_thread_clustering_duration: Durationfile_size_empty: HashSet<String>Files sorted by size according to steps, with the sort_file_size function.
file_size_tiny: HashSet<String>Files sorted by size according to steps, with the sort_file_size function.
file_size_small: HashSet<String>Files sorted by size according to steps, with the sort_file_size function.
file_size_medium: HashSet<String>Files sorted by size according to steps, with the sort_file_size function.
file_size_large: HashSet<String>Files sorted by size according to steps, with the sort_file_size function.
file_size_huge: HashSet<String>Files sorted by size according to steps, with the sort_file_size function.
bytes_size_empty: Vec<c_ulonglong>Number of bytes transferred sorted according to steps, with the sort_bytes function.
bytes_size_tiny: Vec<c_ulonglong>Number of bytes transferred sorted according to steps, with the sort_bytes function.
bytes_size_small: Vec<c_ulonglong>Number of bytes transferred sorted according to steps, with the sort_bytes function.
bytes_size_medium: Vec<c_ulonglong>Number of bytes transferred sorted according to steps, with the sort_bytes function.
bytes_size_large: Vec<c_ulonglong>Number of bytes transferred sorted according to steps, with the sort_bytes function.
bytes_size_huge: Vec<c_ulonglong>Number of bytes transferred sorted according to steps, with the sort_bytes function.
Count of Read operations crate::driver_com::IrpMajorOp::IrpRead on a shared (remote) drive
Count of Write operations crate::driver_com::IrpMajorOp::IrpWrite on a shared (remote) drive
on_removable_drive_read_count: u32Count of Read operations crate::driver_com::IrpMajorOp::IrpRead on a removable drive
on_removable_drive_write_count: u32Count of Write operations crate::driver_com::IrpMajorOp::IrpWrite on a removable drive
Implementations
Entry point to call on new drivermsg.
Sorts the number of bytes transferred according to the defined levels:
- Empty (0 KB)
- Tiny (0 – 16 KB)
- Small (16 KB – 1 MB)
- Medium (1 – 128 MB)
- Large (128 MB – 1 GB)
- Huge (> 1 GB)
Sorts the files by size according to the defined levels:
- Empty (0 KB)
- Tiny (0 – 16 KB)
- Small (16 KB – 1 MB)
- Medium (1 – 128 MB)
- Large (128 MB – 1 GB)
- Huge (> 1 GB)
Decides if a new clustering is required. Three parameters are considered:
- Is the clustering thread running?
- The last clustering time.
- The last clustering duration.
This function is to reduce the frequency of clustering on some applications whose clustering requires a lot of CPU.