def __init__(self, case, fd, inode): FileSystem.File.__init__(self, case, fd, inode) parts = inode.split('|') pid = int(parts[-1][1:]) iosource_name = parts[0][1:] ## Make a volatility object available FIXME allow options in ## here op = vutils.get_standard_parser("") ## Build a fake command line self.filename = '%s/%s' % (case, iosource_name) self.args = ['-f', self.filename ] opts, args = op.parse_args(self.args) ## This identifies the image (self.addr_space, self.symtab, self.types) = vutils.load_and_identify_image(op, opts) self.size = 0xFFFFFFFFFFFFFFFF if pid > 0: # get list of windows processes all_tasks = vmodules.process_list(self.addr_space, self.types, self.symtab) ## Find the task struct all_tasks = vmodules.process_find_pid(self.addr_space, self.types, self.symtab, all_tasks, pid) if len(all_tasks) == 0: print "Error process [%d] not found"%opts.pid return elif len(all_tasks)>1: print "Found multiple possible processes" task = all_tasks[0] ## The process address space process_address_space = vmodules.process_addr_space(self.addr_space, self.types, task, self.filename) self.addr_space = process_address_space
def load(self, loader): import vmodules dbh = DB.DBO(loader.case) all_tasks = vmodules.process_list(loader.addr_space, loader.types, loader.symtab) for task in all_tasks: ## Not a valid task skip it if not loader.addr_space.is_valid_address(task): continue row = {} ## The task filename row['name'] = vmodules.process_imagename(\ loader.addr_space, loader.types, task) ## The pid row['pid'] = vmodules.process_pid(loader.addr_space, loader.types, task) ## The ppid row['ppid'] = vmodules.process_inherited_from(loader.addr_space, loader.types, task) ## Create time create_time = vmodules.process_create_time( loader.addr_space, loader.types, task) row['_time'] = "from_unixtime(%s)" % create_time ## The process address space process_address_space = vmodules.process_addr_space(loader.addr_space, loader.types, task, loader.filename) modules = [] if process_address_space: ## The process environment block peb = vmodules.process_peb(loader.addr_space, loader.types, task) if process_address_space.is_valid_address(peb): row['cmdline'] = vmodules.process_command_line(\ process_address_space, loader.types, peb) or "Unknown" modules = vmodules.process_ldrs(process_address_space, loader.types, peb) ## Insert one row for the task new_inode = "%s/%s/%s" % (loader.mount_point, row['pid'], row['name']) row['inode_id'] = loader.VFSCreate( None, "I%s|A%s" % (loader.iosource_name, row['pid']), new_inode, _ctime = create_time, _mtime = create_time ) dbh.insert('windows_tasks', _fast = True, **row) for module in modules: if not process_address_space.is_valid_address(module): continue row2 = {'inode_id': row['inode_id'] } row2['path'] = vmodules.module_path(process_address_space, loader.types, module) or "Unknown" row2['base'] = vmodules.module_base(process_address_space, loader.types, module) or "Unknown" row2['size'] = vmodules.module_size(process_address_space, loader.types, module) or -1 dbh.insert("windows_modules", _fast=True, **row2)