From 7eed1acd921a67975d194ec0c495ba135d76b986 Mon Sep 17 00:00:00 2001
From: Konstanty Cieslinski
Date: Sat, 7 Aug 2021 11:07:57 +0200
Subject: [PATCH 1/3] Stop relying on NtTerminateProcess
---
 drakcore/drakcore/postprocess/pstree.py | 16 ----------------
 1 file changed, 16 deletions(-)
diff --git a/drakcore/drakcore/postprocess/pstree.py b/drakcore/drakcore/postprocess/pstree.py
index d84ea038f..9c22b5d77 100644
--- a/drakcore/drakcore/postprocess/pstree.py
+++ b/drakcore/drakcore/postprocess/pstree.py
@@ -189,19 +189,6 @@ def parse_nt_create_process_ex_entry(
     pstree.add_process(p)
 
 
-def parse_nt_terminate_process_entry(
-    pstree: ProcessTree, entry: Dict[str, Any]
-) -> None:
-    pid = entry["ExitPid"] if entry["ExitPid"] != 0 else entry["PID"]
-    p = pstree.get_single_process(
-        pid, float(entry["TimeStamp"]), float(entry["TimeStamp"])
-    )
-    if p is None:
-        # ExitProcess might call TerminateProcess twice, so maybe we had already marked it.
-        return
-    p.ts_to = float(entry["TimeStamp"])
-
-
 def parse_mm_clean_process_address_space_entry(
     pstree: ProcessTree, entry: Dict[str, Any]
 ) -> None:
@@ -236,9 +223,6 @@ def tree_from_log(file: TextIO) -> List[Dict[str, Any]]:
         elif "Method" in entry and entry["Method"] == "NtCreateProcessEx":
             # Process has been created after the analysis started.
             parse_nt_create_process_ex_entry(pstree, entry)
-        elif "Method" in entry and entry["Method"] == "NtTerminateProcess":
-            # Process has been terminated. This can be deleted once MmCleanProcessAddressSpace will be added to procmon.
-            parse_nt_terminate_process_entry(pstree, entry)
         elif "Method" in entry and entry["Method"] == "MmCleanProcessAddressSpace":
             # Process has been terminated.
             parse_mm_clean_process_address_space_entry(pstree, entry)
From 6f0ab63c0f8e10fe6b9547cdf745a46fe210e29f Mon Sep 17 00:00:00 2001
From: Konstanty Cieslinski
Date: Sat, 7 Aug 2021 13:00:25 +0200
Subject: [PATCH 2/3] bump drakvuf
---
 drakvuf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drakvuf b/drakvuf
index 095a35f06..03a21caed 160000
--- a/drakvuf
+++ b/drakvuf
@@ -1 +1 @@
-Subproject commit 095a35f06370a8868f4ab440496981800e2f7582
+Subproject commit 03a21caedf63a086f2f64683f56efecf5cbc1226
From ebd56da3ac593eaa2c224f69b2ba10522b077c7b Mon Sep 17 00:00:00 2001
From: Hubert Jasudowicz
Date: Sat, 7 Aug 2021 13:09:33 +0200
Subject: [PATCH 3/3] bump even more
---
 drakvuf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drakvuf b/drakvuf
index 03a21caed..d74df17b6 160000
--- a/drakvuf
+++ b/drakvuf
@@ -1 +1 @@
-Subproject commit 03a21caedf63a086f2f64683f56efecf5cbc1226
+Subproject commit d74df17b6aae89ad85cb842d4b9aba9530cc1c1e