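def print_process_info(proc: Process,
                       return_string: bool = False,
                       raw_print=False,
                       header=True):
    """Analyst friendly custom process data format.

    Args:
        proc: CbR Process
        return_string: return string if True, else print it to stdout.
        raw_print: if True, emit ``str(proc)`` instead of the formatted
            field list below.
        header: if True, prefix the output with a "------ INFO ------" line
            (applies to both raw and formatted output).
    Returns: string or None
    """

    if not proc._info and raw_print:
        LOGGER.debug("retrieving process info.")
        proc.refresh()

    lines = []
    if header:
        lines.append("------ INFO ------\n")
    if raw_print:
        # Append instead of assigning so a requested header is not silently
        # discarded in raw mode (the previous version overwrote it here).
        lines.append(str(proc))
    else:
        status = "Terminated" if proc.terminated else "Running"
        # NOTE(review): process_name, path and cmdline are endpoint-reported
        # values and are written through unescaped; treat the rendered text
        # as untrusted if it is forwarded anywhere other than an analyst's
        # console.
        lines.extend([
            f"  Process GUID: {proc.id}\n",
            f"  Process Name: {proc.process_name}\n",
            f"  Process PID: {proc.process_pid}\n",
            f"  Process MD5: {proc.process_md5}\n",
            f"  Process Path: {proc.path}\n",
            f"  Process Status: {status}\n",
            f"  Command Line: {proc.cmdline}\n",
            f"  Parent Name: {proc.parent_name}\n",
            f"  Parent GUID: {proc.parent_id}\n",
            f"  Hostname: {proc.hostname}\n",
            f"  Username: {proc.username}\n",
            f"  Start Time: {as_configured_timezone(proc.start)}\n",
        ])
        try:
            lines.append(
                f"  Last Update Time: {as_configured_timezone(proc.last_update)}\n"
            )
        except TypeError:  # should be handled by cbapi
            lines.append("  Last Update Time: None\n")
        lines.extend([
            f"  Sensor ID: {proc.sensor_id}\n",
            f"  Comms IP: {proc.comms_ip}\n",
            f"  Interface IP: {proc.interface_ip}\n",
            f"  GUI Link: {proc.webui_link}\n",
        ])

    txt = "".join(lines)
    if return_string:
        return txt
    # Trailing newline gives a blank separator line after the block on stdout.
    print(txt + "\n")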
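def _captured_stdout_of(render, p) -> str:
    """Run ``render(p)`` and return whatever it printed to stdout.

    ``redirect_stdout`` swaps ``sys.stdout`` process-wide for the duration of
    the call, so this must not run concurrently with other threads that print.
    """
    buf = StringIO()
    with redirect_stdout(buf):
        render(p)
    return buf.getvalue()


def process_to_dict(p: Process, max_segments=None) -> Dict:
    """Export a process, its ancestry/tree text and its segment events as a dict.

    The result is a shallow copy of ``p.original_document`` extended with:
      - ``all_segments``: every segment returned by ``p.get_segments()``
      - ``captured_segments``: segment -> ``segment_events_to_dict(p)`` for at
        most ``max_segments`` segments
      - ``process_ancestry`` / ``process_tree``: the text printed by
        ``print_ancestry`` / ``print_process_tree``

    Args:
        p: CbR Process. ``p.current_segment`` is advanced while iterating and
           is left on the last segment visited (side effect kept from the
           original behaviour).
        max_segments: cap on captured segments; ``None`` means all of them.
           A segment already selected via ``p.current_segment`` is captured
           first and counts toward the cap.
    Returns: dict
    """

    all_segments = p.get_segments()
    if max_segments is None:
        max_segments = len(all_segments)

    p.refresh()
    # Copy the document so the export-only keys added below are not written
    # back into the Process object's own document (the previous version
    # mutated p.original_document in place).
    results = dict(p.original_document)
    captured = {}
    results["captured_segments"] = captured
    results["all_segments"] = all_segments
    results["process_ancestry"] = _captured_stdout_of(print_ancestry, p)
    results["process_tree"] = _captured_stdout_of(print_process_tree, p)

    if p.current_segment:
        # if current_segment is set, something specifically targeted this segment
        # and we will ensure it gets captured here
        captured[p.current_segment] = segment_events_to_dict(p)

    for segment in all_segments:
        p.current_segment = segment
        if segment in captured:
            continue
        # len(captured) tracks exactly how many segments have been captured,
        # including the pre-selected one above.
        if len(captured) >= max_segments:
            LOGGER.info(
                f"hit maximum segment limit exporting process to json for {p.id}"
            )
            break
        captured[segment] = segment_events_to_dict(p)

    return results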