Ejemplo n.º 1
0
    def collect(self, hint, processes):
        by_pid = {}
        to_decorate = []
        for process in processes:
            pid = process["Process/pid"]
            collision = by_pid.get(pid)
            if collision:
                # Collision on PIDs. Keep the later process, since the earlier
                # one is definitely dead.
                start_time = process["Timestamps/created_at"]
                if start_time < collision["Timestamps/created_at"]:
                    # Keep the collision.
                    continue

            by_pid[pid] = process
            to_decorate.append(process)

        for process in to_decorate:
            ppid = process["MemoryObject/base_object"].p_ppid
            parent = by_pid.get(ppid, None)
            if parent is None:
                continue

            parent_start = parent["Timestamps/created_at"]
            process_start = process["Timestamps/created_at"]

            if parent_start > process_start:
                continue

            yield [
                process.identity,
                definitions.Process(parent=parent.identity)
            ]
Ejemplo n.º 2
0
    def collect(self, hint, procs):
        manager = self.manager
        for entity in procs:
            proc = entity["MemoryObject/base_object"]
            user_identity = manager.identify({"User/uid": proc.p_uid})
            process_identity = manager.identify({
                ("Process/pid", "Timestamps/created_at"):
                (proc.pid, proc.p_start.as_datetime())
            })

            # kern_proc.c:2706
            session = proc.p_pgrp.pg_session
            if session:
                session_identity = manager.identify(
                    {"MemoryObject/base_object": session})

                yield definitions.MemoryObject(base_object=session,
                                               type="session")
            else:
                session_identity = None

            cr3 = proc.task.map.pmap.pm_cr3
            if cr3:
                cr3_ptr = proc.obj_profile.Pointer(
                    vm=self.session.physical_address_space,
                    target="void",
                    value=proc.task.map.pmap.pm_cr3)
            else:
                cr3_ptr = None

            yield [
                # Reuse the base object identity but also use the PID.
                process_identity | entity.identity,
                definitions.Timestamps(created_at=proc.p_start.as_datetime()),
                definitions.Process(pid=proc.pid,
                                    command=utils.SmartUnicode(proc.p_comm),
                                    user=user_identity,
                                    cr3=cr3_ptr,
                                    is_64bit=proc.task.map.pmap.pm_task_map ==
                                    "TASK_MAP_64BIT",
                                    session=session_identity),
                definitions.Named(name="%s (pid=%d)" % (proc.p_comm, proc.pid),
                                  kind="Process")
            ]

            # We don't know much about the user at this stage, but this
            # is still kind of useful in getting at least a list of UIDs.
            # Once we have more robustness in listing users this can go away.
            yield [user_identity, definitions.User(uid=proc.p_uid)]
Ejemplo n.º 3
0
 def collect(self, hint, procs):
     for entity in procs:
         eproc = entity["MemoryObject/base_object"]
         yield [
             entity.identity
             | self.manager.identify({"Process/pid": eproc.pid}),
             definitions.Process(pid=eproc.pid,
                                 parent=self.manager.identify({
                                     "Process/pid":
                                     eproc.InheritedFromUniqueProcessId
                                 }),
                                 command=eproc.name,
                                 is_64bit=eproc.IsWow64),
             definitions.Timestamps(created_at=eproc.CreateTime,
                                    destroyed_at=eproc.ExitTime),
             definitions.Named(name=eproc.name, kind="Process")
         ]