
feat(filter): Introduce TEB filter field

Open rabbitstack opened this issue 1 year ago • 0 comments

What is the purpose of this PR / why it is needed?

The thread.teb_address filter field returns the thread environment block base address. TEB is the userspace representation of a thread. By having access to this filter field/parameter, it is possible to read the TEB from process memory and possibly extract other valuable information.

What type of change does this PR introduce?

  • [x] New feature (non-breaking change which adds functionality)

Any specific area of the project related to this PR?

  • [x] Instrumentation/telemetry
  • [x] Filters

Does this PR introduce a user-facing change?

Yes. The thread.teb_address filter field should be reflected in the docs.

rabbitstack, Sep 18 '24 19:09
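An added example, not code from this PR or from fibratus: once the address reported by thread.teb_address has been used to read the TEB bytes out of the process, the leading fields can be decoded and sanity-checked as sketched here. The offsets are the x64 NT_TIB/TEB layout; `ParseTEB`, `TEBInfo`, `OnStack` and the sample buffer are hypothetical names and constructed data, and the memory read itself is assumed to have happened elsewhere.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// x64 TEB offsets; NT_TIB is the first member of the TEB.
const (
	offStackBase  = 0x08 // NT_TIB.StackBase, highest stack address
	offStackLimit = 0x10 // NT_TIB.StackLimit, lowest committed stack address
	offSelf       = 0x30 // NT_TIB.Self, points back at the TEB itself
	offPID        = 0x40 // ClientId.UniqueProcess
	offTID        = 0x48 // ClientId.UniqueThread
	offPEB        = 0x60 // ProcessEnvironmentBlock
)

// TEBInfo (hypothetical type) holds the fields decoded from a TEB read.
type TEBInfo struct{ StackBase, StackLimit, PID, TID, PEB uint64 }

// ParseTEB decodes buf, the bytes read at tebAddr, and rejects inconsistent reads.
func ParseTEB(tebAddr uint64, buf []byte) (TEBInfo, error) {
	if len(buf) < offPEB+8 {
		return TEBInfo{}, errors.New("short TEB read")
	}
	u64 := func(off int) uint64 { return binary.LittleEndian.Uint64(buf[off:]) }
	if u64(offSelf) != tebAddr {
		return TEBInfo{}, errors.New("NT_TIB.Self does not point back at the TEB")
	}
	t := TEBInfo{u64(offStackBase), u64(offStackLimit), u64(offPID), u64(offTID), u64(offPEB)}
	if t.StackLimit >= t.StackBase {
		return TEBInfo{}, errors.New("inverted stack bounds")
	}
	return t, nil
}

// OnStack reports whether sp lies inside the stack range recorded in the TEB.
func (t TEBInfo) OnStack(sp uint64) bool { return sp >= t.StackLimit && sp < t.StackBase }

// sampleTEB builds a constructed TEB image for the demo; all values are made up.
func sampleTEB(addr uint64) []byte {
	b := make([]byte, 0x70)
	for off, v := range map[int]uint64{offStackBase: 0x5000100000, offStackLimit: 0x50000fc000, offSelf: addr, offPID: 4321, offTID: 8765, offPEB: 0x7ff612340000} {
		binary.LittleEndian.PutUint64(b[off:], v)
	}
	return b
}
func main() { fmt.Println(ParseTEB(0x7ff612345000, sampleTEB(0x7ff612345000))) }
```

The Self check catches a stale or wrong address before any other field is trusted, and the decoded PID/TID can be compared against the ids carried by the event that supplied the address.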