Describe the bug
All event ID 11 (File Create) events are missing values in the TargetFilename field; only a dash (-) is shown.
kernel version
Linux version 4.19.90-2107.6.0.0248.35, with BPF CO-RE disabled
SysinternalsEBPF version
Tested on 1.3.0.0
Sysmon version
Tested on 1.3.2
Sysmon configuration
I used the following configuration to record all event ID 11 logs, like this:
```log
Jun 21 17:36:25 localhost sysmon[769]: 11241100x800000000000000090134Linux-Sysmon/Operationallocalhost.localdomain-2024-06-21 09:36:25.959{011548b0-48fc-6675-9d14-4ab268550000}1074/usr/sbin/rsyslogd-2024-06-21 09:36:25.959-
```
Expected behavior
A path and file name are expected in TargetFilename.
problems in the code
I found that there seems to be a problem in the inline function “fdToPath” causing this; this function is in the sysinternalsEBPF_helpers.c file.

The fd_path offset is described like this: "the path struct is two pointers from the start of the file struct. This will be confirmed in the testing phase", so I think the mechanism address is “task”, which is incorrect; “task” needs to be replaced by “file”.
Thank you.
Regards,
wiggens
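As an added illustration (this is not SysinternalsEBPF's code and not the reporter's), the C model below shows why an offset that is meant to be added to a `struct file` pointer produces a dash when it is added to the task pointer instead: the bytes at that offset inside the task are not a `path`, the "dentry" pointer recovered from them points nowhere valid, the subsequent read fails, and the helper falls back to `-`. The struct layouts, the arena-bounded `probe_read()` standing in for `bpf_probe_read()`, the fd table, the file name and the `-` fallback are all constructed assumptions for the demonstration; the real kernel layouts are read by the project through its offsets table.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structures (assumption: real layouts
 * differ; SysinternalsEBPF resolves the real offsets from a config table). */
struct mock_dentry { char d_name[32]; };
struct mock_path   { void *mnt; struct mock_dentry *dentry; };
struct mock_file {
    void *f_u;                 /* first pointer-sized field  */
    void *f_inode;             /* second pointer-sized field */
    struct mock_path f_path;   /* "two pointers from the start of the file struct" */
};
struct mock_task {
    int   pid;
    char  comm[20];
    uint64_t start_time;       /* what a wrong-base read ends up using as a pointer */
    struct mock_file **fd_table;   /* hypothetical fd -> file table */
};

#define FD_PATH_OFFSET (2 * sizeof(void *))   /* the offset the report describes */

/* One contiguous "kernel" arena so a bounds check can model bpf_probe_read()
 * failing on an address that is not mapped. */
static _Alignas(16) unsigned char arena[4096];
static size_t arena_used;

static void *arena_alloc(size_t n) {
    n = (n + 15) & ~(size_t)15;
    void *p = arena + arena_used;
    arena_used += n;
    return p;
}

/* Models bpf_probe_read(): copy only when the whole source range lies inside
 * the arena; otherwise report failure like a faulting kernel read. */
static int probe_read(void *dst, size_t n, const void *src) {
    uintptr_t s = (uintptr_t)src, lo = (uintptr_t)arena, hi = lo + sizeof arena;
    if (s < lo || s >= hi || n > hi - s) return -1;
    memcpy(dst, (const void *)s, n);
    return 0;
}

/* Read the path that FD_PATH_OFFSET bytes past `base` is assumed to hold and
 * return its dentry name, or "-" when either read fails. */
static const char *path_name_from_base(const void *base, char *out, size_t outlen) {
    struct mock_path p;
    struct mock_dentry d;
    if (probe_read(&p, sizeof p, (const unsigned char *)base + FD_PATH_OFFSET) != 0)
        return "-";
    if (probe_read(&d, sizeof d, p.dentry) != 0)
        return "-";
    strncpy(out, d.d_name, outlen - 1);
    out[outlen - 1] = '\0';
    return out;
}

/* fd -> name, in the style of the helper under discussion. base_is_file
 * selects the correct base (the struct file) or the wrong one (the task). */
const char *resolve_fd(const struct mock_task *task, int fd, int base_is_file,
                       char *out, size_t outlen) {
    struct mock_file *f = NULL;
    if (probe_read(&f, sizeof f, &task->fd_table[fd]) != 0 || f == NULL)
        return "-";
    const void *base = base_is_file ? (const void *)f : (const void *)task;
    return path_name_from_base(base, out, outlen);
}

/* Build one task with a single open file (fd 3) whose dentry name is a
 * constructed value, "rsyslog.conf". */
struct mock_task *build_task(void) {
    memset(arena, 0, sizeof arena);
    arena_used = 0;
    struct mock_dentry *d = arena_alloc(sizeof *d);
    strcpy(d->d_name, "rsyslog.conf");
    struct mock_file *f = arena_alloc(sizeof *f);
    f->f_path.dentry = d;
    struct mock_file **tbl = arena_alloc(8 * sizeof *tbl);
    tbl[3] = f;
    struct mock_task *t = arena_alloc(sizeof *t);
    t->pid = 1074;                 /* constructed, echoing the pid in the log line */
    strcpy(t->comm, "rsyslogd");
    t->start_time = 1234567;       /* a timestamp, not an address */
    t->fd_table = tbl;
    return t;
}

int main(void) {
    char buf[64];
    struct mock_task *t = build_task();
    printf("base = file: TargetFilename=%s\n", resolve_fd(t, 3, 1, buf, sizeof buf));
    printf("base = task: TargetFilename=%s\n", resolve_fd(t, 3, 0, buf, sizeof buf));
    return 0;
}
```

With the file as base the name comes back; with the task as base the 16 bytes at offset 16 are the tail of `comm` plus `start_time`, so the recovered dentry pointer is a timestamp, the read of it fails, and the helper emits `-`, which is the symptom in the report.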