Beispiel #1
0
  def Run(self, args):
    result = rdf_yara.YaraProcessScanResponse()
    for p in ProcessIterator(args.pids, args.process_regex,
                             args.ignore_grr_process, result.errors):
      self.Progress()
      rdf_process = rdf_client.Process.FromPsutilProcess(p)

      start_time = time.time()
      try:
        matches = self._ScanProcess(p, args)
        scan_time = time.time() - start_time
        scan_time_us = int(scan_time * 1e6)
      except yara.TimeoutError:
        result.errors.Append(
            rdf_yara.YaraProcessError(
                process=rdf_process,
                error="Scanning timed out (%s seconds)." %
                (time.time() - start_time)))
        continue
      except Exception as e:  # pylint: disable=broad-except
        result.errors.Append(
            rdf_yara.YaraProcessError(process=rdf_process, error=str(e)))
        continue

      if matches:
        result.matches.Append(
            rdf_yara.YaraProcessScanMatch(
                process=rdf_process, match=matches, scan_time_us=scan_time_us))
      else:
        result.misses.Append(
            rdf_yara.YaraProcessScanMiss(
                process=rdf_process, scan_time_us=scan_time_us))

    self.SendReply(result)
Beispiel #2
0
    def Run(self, args):
        result = rdf_yara.YaraProcessDumpResponse()

        self.bytes_written = 0

        for p in ProcessIterator(args.pids, args.process_regex,
                                 args.ignore_grr_process, result.errors):
            self.Progress()
            start_time = time.time()

            try:
                response = self.DumpProcess(p, args)
                response.dump_time_us = int((time.time() - start_time) * 1e6)
                result.dumped_processes.Append(response)
                if response.error:
                    # Limit exceeded, we bail out early.
                    break
            except Exception as e:  # pylint: disable=broad-except
                result.errors.Append(
                    rdf_yara.YaraProcessError(
                        process=rdf_client.Process.FromPsutilProcess(p),
                        error=str(e)))
                continue

        self.SendReply(result)
Beispiel #3
0
def ProcessIterator(pids, process_regex_string, ignore_grr_process,
                    error_list):
    """Yields all (psutil-) processes that match certain criteria.

  Args:
    pids: A list of pids. If given, only the processes with those pids are
          returned.
    process_regex_string: If given, only processes whose name matches the regex
          are returned.
    ignore_grr_process: If True, the grr process itself will not be returned.
    error_list: All errors while handling processes are appended to this
                list. Type is repeated YaraProcessError.

  Yields:
    psutils.Process objects matching all criteria.
  """
    pids = set(pids)
    if ignore_grr_process:
        grr_pid = psutil.Process().pid
    else:
        grr_pid = -1

    if process_regex_string:
        process_regex = re.compile(process_regex_string)
    else:
        process_regex = None

    if pids:
        process_iterator = []
        for pid in pids:
            try:
                process_iterator.append(psutil.Process(pid=pid))
            except Exception as e:  # pylint: disable=broad-except
                error_list.Append(
                    rdf_yara.YaraProcessError(
                        process=rdf_client.Process(pid=pid), error=str(e)))
    else:
        process_iterator = psutil.process_iter()

    for p in process_iterator:
        if process_regex and not process_regex.search(p.name()):
            continue

        if p.pid == grr_pid:
            continue

        yield p