def __init__(self, case, fd, inode):
FileSystem.File.__init__(self, case, fd, inode)
parts = inode.split('|')
pid = int(parts[-1][1:])
iosource_name = parts[0][1:]
## Make a volatility object available FIXME allow options in
## here
op = vutils.get_standard_parser("")
## Build a fake command line
self.filename = '%s/%s' % (case, iosource_name)
self.args = ['-f', self.filename ]
opts, args = op.parse_args(self.args)
## This identifies the image
(self.addr_space, self.symtab, self.types) = vutils.load_and_identify_image(op, opts)
self.size = 0xFFFFFFFFFFFFFFFF
if pid > 0:
# get list of windows processes
all_tasks = vmodules.process_list(self.addr_space, self.types, self.symtab)
## Find the task struct
all_tasks = vmodules.process_find_pid(self.addr_space,
self.types, self.symtab,
all_tasks, pid)
if len(all_tasks) == 0:
print "Error process [%d] not found"%opts.pid
return
elif len(all_tasks)>1:
print "Found multiple possible processes"
task = all_tasks[0]
## The process address space
process_address_space = vmodules.process_addr_space(self.addr_space,
self.types, task,
self.filename)
self.addr_space = process_address_space
def load(self, loader):
import vmodules
dbh = DB.DBO(loader.case)
all_tasks = vmodules.process_list(loader.addr_space, loader.types, loader.symtab)
for task in all_tasks:
## Not a valid task skip it
if not loader.addr_space.is_valid_address(task):
continue
row = {}
## The task filename
row['name'] = vmodules.process_imagename(\
loader.addr_space, loader.types, task)
## The pid
row['pid'] = vmodules.process_pid(loader.addr_space,
loader.types, task)
## The ppid
row['ppid'] = vmodules.process_inherited_from(loader.addr_space,
loader.types, task)
## Create time
create_time = vmodules.process_create_time(
loader.addr_space,
loader.types, task)
row['_time'] = "from_unixtime(%s)" % create_time
## The process address space
process_address_space = vmodules.process_addr_space(loader.addr_space,
loader.types, task,
loader.filename)
modules = []
if process_address_space:
## The process environment block
peb = vmodules.process_peb(loader.addr_space, loader.types, task)
if process_address_space.is_valid_address(peb):
row['cmdline'] = vmodules.process_command_line(\
process_address_space,
loader.types, peb) or "Unknown"
modules = vmodules.process_ldrs(process_address_space, loader.types, peb)
## Insert one row for the task
new_inode = "%s/%s/%s" % (loader.mount_point, row['pid'], row['name'])
row['inode_id'] = loader.VFSCreate(
None, "I%s|A%s" % (loader.iosource_name, row['pid']), new_inode,
_ctime = create_time, _mtime = create_time
)
dbh.insert('windows_tasks', _fast = True, **row)
for module in modules:
if not process_address_space.is_valid_address(module):
continue
row2 = {'inode_id': row['inode_id'] }
row2['path'] = vmodules.module_path(process_address_space,
loader.types, module) or "Unknown"
row2['base'] = vmodules.module_base(process_address_space,
loader.types, module) or "Unknown"
row2['size'] = vmodules.module_size(process_address_space,
loader.types, module) or -1
dbh.insert("windows_modules", _fast=True, **row2)
