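    def render(self):
        """Renders the kevent to standard output stream.

        Uses the default output format to render the
        kernel event to standard output stream.

        The default output format is as follows:

        id  timestamp  cpu  process  (process id) - kevent (parameters)
        --  ---------  ---  -------  -----------   ------- ------------

        Example:

        160 13:27:27.554 0 wmiprvse.exe (1012) - CloseFile (file=C:\\WINDOWS\\SYSTEM32\\RSAENH.DLL, tid=2668)

        Side effects: caches the looked-up thread in ``self._thread``,
        writes one line through ``IO.write_console`` and increments
        ``self._id``. When the thread is not in the thread registry the
        process name is rendered as ``NA`` and the pid falls back to
        ``self._pid``, then to the owner of ``self._tid``, then to ``NA``.
        """
        self._thread = self.thread
        if self._thread:
            proc_name = self._thread.name
            pid = self._thread.pid
        else:
            # The thread registry has no entry for this event, so the
            # process name is unknown; try to at least recover the pid
            # from the thread handle when no pid was supplied.
            proc_name = NA
            pid = self._pid
            if pid is None:
                pid = NA
                if self._tid:
                    handle = open_thread(THREAD_QUERY_INFORMATION,
                                         False,
                                         self._tid)
                    if handle:
                        try:
                            pid = get_process_id_of_thread(handle)
                        finally:
                            # release the handle even if the query raises
                            close_handle(handle)
        kevt = RENDER_FORMAT % (self._id,
                                self._ts.time(),
                                self._cpuid,
                                proc_name,
                                pid,
                                self._name,
                                self._format_params())
        IO.write_console(kevt)
        self._id += 1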
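    def render(self):
        """Renders the kevent to standard output stream.

        Uses the default output format to render the
        kernel event to standard output stream.

        The default output format is as follows:

        id  timestamp  cpu  process  (process id) - kevent (parameters)
        --  ---------  ---  -------  -----------   ------- ------------

        Example:

        160 13:27:27.554 0 wmiprvse.exe (1012) - CloseFile (file=C:\\WINDOWS\\SYSTEM32\\RSAENH.DLL, tid=2668)

        Side effects: caches the looked-up thread in ``self._thread``,
        writes one line through ``IO.write_console`` and increments
        ``self._id``. When the thread is not in the thread registry the
        process name is rendered as ``NA`` and the pid falls back to
        ``self._pid``, then to the owner of ``self._tid``, then to ``NA``.
        """
        self._thread = self.thread
        if self._thread:
            proc_name = self._thread.name
            pid = self._thread.pid
        else:
            # The thread registry has no entry for this event, so the
            # process name is unknown; try to at least recover the pid
            # from the thread handle when no pid was supplied.
            proc_name = NA
            pid = self._pid
            if pid is None:
                pid = NA
                if self._tid:
                    handle = open_thread(THREAD_QUERY_INFORMATION,
                                         False,
                                         self._tid)
                    if handle:
                        try:
                            pid = get_process_id_of_thread(handle)
                        finally:
                            # release the handle even if the query raises
                            close_handle(handle)
        kevt = RENDER_FORMAT % (self._id,
                                self._ts.time(),
                                self._cpuid,
                                proc_name,
                                pid,
                                self._name,
                                self._format_params())
        IO.write_console(kevt)
        self._id += 1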
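    def _get_proc(self, thread_id):
        """Resolve the image name of the process that owns ``thread_id``.

        Opens the thread to obtain its owning process id, then opens that
        process and queries its full image path.

        Args:
            thread_id: native thread id to look up.

        Returns:
            The image file name (directory stripped) of the owning process,
            or ``None`` if the thread or the process could not be opened or
            the image-name query reported failure.
        """
        thread_handle = open_thread(THREAD_QUERY_INFORMATION, False, thread_id)
        if not thread_handle:
            return None
        try:
            # the owning process id is all we need from the thread
            pid = get_process_id_of_thread(thread_handle)
        finally:
            # always release the thread handle, even if the query raises
            close_handle(thread_handle)

        # NOTE(review): only the image name is queried below, which does not
        # require PROCESS_VM_READ; a query-limited access right would let the
        # open succeed against protected/elevated processes as well -- confirm
        # which constants the project's win32 module exposes before narrowing.
        proc_handle = open_process(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                   False, pid)
        if not proc_handle:
            return None
        try:
            exe = ctypes.create_unicode_buffer(MAX_PATH)
            status = query_full_process_image_name(proc_handle, 0, exe,
                                                   DWORD(MAX_PATH))
        finally:
            close_handle(proc_handle)
        # status is falsy when the query fails (presumably including an
        # image path that does not fit the MAX_PATH buffer) -- confirm
        if not status:
            return None
        return os.path.basename(exe.value)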
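    def _get_proc(self, thread_id):
        """Resolve the image name of the process that owns ``thread_id``.

        Opens the thread to obtain its owning process id, then opens that
        process and queries its full image path.

        Args:
            thread_id: native thread id to look up.

        Returns:
            The image file name (directory stripped) of the owning process,
            or ``None`` if the thread or the process could not be opened or
            the image-name query reported failure.
        """
        thread_handle = open_thread(THREAD_QUERY_INFORMATION,
                                    False,
                                    thread_id)
        if not thread_handle:
            return None
        try:
            # the owning process id is all we need from the thread
            pid = get_process_id_of_thread(thread_handle)
        finally:
            # always release the thread handle, even if the query raises
            close_handle(thread_handle)

        # NOTE(review): only the image name is queried below, which does not
        # require PROCESS_VM_READ; a query-limited access right would let the
        # open succeed against protected/elevated processes as well -- confirm
        # which constants the project's win32 module exposes before narrowing.
        proc_handle = open_process(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                   False,
                                   pid)
        if not proc_handle:
            return None
        try:
            exe = ctypes.create_unicode_buffer(MAX_PATH)
            status = query_full_process_image_name(proc_handle, 0,
                                                   exe, DWORD(MAX_PATH))
        finally:
            close_handle(proc_handle)
        # status is falsy when the query fails (presumably including an
        # image path that does not fit the MAX_PATH buffer) -- confirm
        if not status:
            return None
        return os.path.basename(exe.value)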
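 def get_thread(self):
     """Gets the thread associated with the kernel event.

     Returns:
         A ``(pid, name)`` tuple. When ``self._find_thread()`` locates the
         thread in the registry both values come from it. Otherwise
         ``name`` is ``NA`` and ``pid`` is ``self._pid`` when known, else
         the owning process id resolved from ``self._tid``, else ``NA``.
     """
     thread = self._find_thread()
     if thread:
         return thread.pid, thread.name

     # Not in the thread registry: the process name is unknown, but the
     # pid can still be recovered from the thread handle when no pid
     # was supplied with the event.
     pid = self._pid
     if pid is None:
         pid = NA
         if self._tid:
             handle = open_thread(THREAD_QUERY_INFORMATION, False,
                                  self._tid)
             if handle:
                 try:
                     pid = get_process_id_of_thread(handle)
                 finally:
                     # release the handle even if the query raises
                     close_handle(handle)
     return pid, NA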
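 def get_thread(self):
     """Gets the thread associated with the kernel event.

     Returns:
         A ``(pid, name)`` tuple. When ``self._find_thread()`` locates the
         thread in the registry both values come from it. Otherwise
         ``name`` is ``NA`` and ``pid`` is ``self._pid`` when known, else
         the owning process id resolved from ``self._tid``, else ``NA``.
     """
     thread = self._find_thread()
     if thread:
         return thread.pid, thread.name

     # Not in the thread registry: the process name is unknown, but the
     # pid can still be recovered from the thread handle when no pid
     # was supplied with the event.
     pid = self._pid
     if pid is None:
         pid = NA
         if self._tid:
             handle = open_thread(THREAD_QUERY_INFORMATION,
                                  False,
                                  self._tid)
             if handle:
                 try:
                     pid = get_process_id_of_thread(handle)
                 finally:
                     # release the handle even if the query raises
                     close_handle(handle)
     return pid, NA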