def run(self):
    """Run analysis.

    Walks the process memory dump directory and builds one result entry per
    ``*.dmp`` file: its yara matches, the URLs found in it and the regions
    returned by ``read_dump``. The pid is taken from the file name, which is
    either ``<pid>-<suffix>.dmp`` or ``<pid>.dmp``.
    @return: structured results.
    """
    self.key = "procmemory"
    results = []

    if not os.path.exists(self.pmemory_path):
        return results

    for dmp in os.listdir(self.pmemory_path):
        # Anything that is not a memory dump is ignored.
        if not dmp.endswith(".dmp"):
            continue

        dump_path = os.path.join(self.pmemory_path, dmp)
        dump_file = File(dump_path)
        dump_name = os.path.basename(dump_path)

        # "<pid>-<suffix>.dmp" splits on the dash, "<pid>.dmp" on the dot.
        separator = "-" if "-" in dump_name else "."
        pid = int(dump_name.split(separator)[0])

        proc = {
            "file": dump_path,
            "pid": pid,
            "yara": dump_file.get_yara("memory"),
            "urls": list(dump_file.get_urls()),
            "regions": list(self.read_dump(dump_path)),
        }

        if self.options.get("idapro"):
            self.create_idapy(proc)

        results.append(proc)

    return results
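def run(self):
    """Run analysis.

    Walks ``self.pmemory_path`` and builds one result entry per ``*.dmp``
    file: yara matches, URLs, the regions returned by ``read_dump`` and,
    with the ``extract_img`` option, the PE images dumped from it. The
    ``idapro`` option generates an IDA script per dump and ``dump_delete``
    removes the dump file afterwards (best effort). A dump whose file name
    does not carry exactly two numbers (pid and dump number) is logged and
    skipped instead of aborting the whole module.
    @return: structured results, sorted by (pid, dump number).
    """
    self.key = "procmemory"
    results = []

    if self.options.get("extract_img") and not HAVE_PEFILE:
        log.warning(
            "In order to extract PE files from memory dumps it is "
            "required to have pefile installed (`pip install pefile`).")

    if not os.path.exists(self.pmemory_path):
        return results

    # Compiled once for the loop: every run of digits in the file name.
    number_re = re.compile(r"\d+")

    for dmp in os.listdir(self.pmemory_path):
        if not dmp.endswith(".dmp"):
            continue

        # The file name is expected to carry exactly two numbers, the pid of
        # the dumped process and the dump sequence number. Any other shape
        # used to raise ValueError on unpacking and abort the module.
        numbers = number_re.findall(dmp)
        if len(numbers) != 2:
            log.warning(
                "Skipping memory dump with unexpected file name \"%s\"", dmp)
            continue
        pid, num = map(int, numbers)

        dump_path = os.path.join(self.pmemory_path, dmp)
        # NOTE(review): the dump contents come from the analyzed process and
        # are presumably attacker-controlled; all parsing of them happens in
        # File / read_dump, not here.
        dump_file = File(dump_path)
        proc = dict(
            file=dump_path,
            pid=pid,
            num=num,
            yara=dump_file.get_yara("memory"),
            urls=list(dump_file.get_urls()),
            regions=list(self.read_dump(dump_path)),
        )

        if self.options.get("idapro"):
            self.create_idapy(proc)

        if self.options.get("extract_img") and HAVE_PEFILE:
            proc["extracted"] = list(self.dump_images(proc))

        if self.options.get("dump_delete"):
            # Best effort: a failed delete is logged, the result is kept.
            try:
                os.remove(dump_path)
            except OSError:
                log.error(
                    "Unable to delete memory dump file at path \"%s\"",
                    dump_path)

        results.append(proc)

    results.sort(key=lambda x: (x["pid"], x["num"]))
    return results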
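def run(self):
    """Run analysis.

    Walks ``self.pmemory_path`` and builds one result entry per ``*.dmp``
    file: yara matches, URLs, the regions returned by ``read_dump`` and,
    with the ``extract_img`` option, the PE images dumped from it. The
    ``idapro`` option generates an IDA script per dump and ``dump_delete``
    removes the dump file afterwards (best effort). A dump whose file name
    does not carry exactly two numbers (pid and dump number) is logged and
    skipped instead of aborting the whole module.
    @return: structured results, sorted by (pid, dump number).
    """
    self.key = "procmemory"
    results = []

    if self.options.get("extract_img") and not HAVE_PEFILE:
        log.warning(
            "In order to extract PE files from memory dumps it is "
            "required to have pefile installed (`pip install pefile`)."
        )

    if not os.path.exists(self.pmemory_path):
        return results

    # Compiled once for the loop: every run of digits in the file name.
    number_re = re.compile(r"\d+")

    for dmp in os.listdir(self.pmemory_path):
        if not dmp.endswith(".dmp"):
            continue

        # The file name is expected to carry exactly two numbers, the pid of
        # the dumped process and the dump sequence number. Any other shape
        # used to raise ValueError on unpacking and abort the module.
        numbers = number_re.findall(dmp)
        if len(numbers) != 2:
            log.warning("Skipping memory dump with unexpected file name \"%s\"", dmp)
            continue
        pid, num = map(int, numbers)

        dump_path = os.path.join(self.pmemory_path, dmp)
        # NOTE(review): the dump contents come from the analyzed process and
        # are presumably attacker-controlled; all parsing of them happens in
        # File / read_dump, not here.
        dump_file = File(dump_path)
        proc = dict(
            file=dump_path,
            pid=pid,
            num=num,
            yara=dump_file.get_yara("memory"),
            urls=list(dump_file.get_urls()),
            regions=list(self.read_dump(dump_path)),
        )

        if self.options.get("idapro"):
            self.create_idapy(proc)

        if self.options.get("extract_img") and HAVE_PEFILE:
            proc["extracted"] = list(self.dump_images(proc))

        if self.options.get("dump_delete"):
            # Best effort: a failed delete is logged, the result is kept.
            try:
                os.remove(dump_path)
            except OSError:
                log.error("Unable to delete memory dump file at path \"%s\"", dump_path)

        results.append(proc)

    results.sort(key=lambda x: (x["pid"], x["num"]))
    return results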
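def run(self):
    """Run analysis.

    Walks ``self.pmemory_path`` and builds one result entry per ``*.dmp``
    file: yara matches, URLs and the regions returned by ``read_dump``. The
    pid is the first run of 2 to 5 digits in the file name. The ``idapro``
    option generates an IDA script per dump and ``dump_delete`` removes the
    dump file afterwards (best effort). A dump whose file name carries no
    pid is logged and skipped instead of aborting the whole module.
    @return: structured results.
    """
    self.key = "procmemory"
    results = []

    if not os.path.exists(self.pmemory_path):
        return results

    # Compiled once for the loop: the pid is the first 2-5 digit run.
    pid_re = re.compile(r"\d{2,5}")

    for dmp in os.listdir(self.pmemory_path):
        if not dmp.endswith(".dmp"):
            continue

        # A name without a digit run used to raise IndexError and abort
        # the module; skip it and keep processing the other dumps.
        match = pid_re.search(dmp)
        if match is None:
            log.warning(
                "Skipping memory dump with unexpected file name \"%s\"", dmp)
            continue
        pid = int(match.group())

        dump_path = os.path.join(self.pmemory_path, dmp)
        # NOTE(review): the dump contents come from the analyzed process and
        # are presumably attacker-controlled; all parsing of them happens in
        # File / read_dump, not here.
        dump_file = File(dump_path)
        proc = dict(
            file=dump_path,
            pid=pid,
            yara=dump_file.get_yara("memory"),
            urls=list(dump_file.get_urls()),
            regions=list(self.read_dump(dump_path)),
        )

        if self.options.get("idapro"):
            self.create_idapy(proc)

        if self.options.get("dump_delete"):
            # Best effort: a failed delete is logged, the result is kept.
            try:
                os.remove(dump_path)
            except OSError:
                log.error(
                    "Unable to delete memory dump file at path \"%s\"",
                    dump_path)

        results.append(proc)

    return results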
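def run(self):
    """Run analysis.

    Walks ``self.pmemory_path`` and builds one result entry per ``*.dmp``
    file: yara matches, URLs and the regions returned by ``read_dump``. The
    pid is the first run of 2 to 5 digits in the file name. The ``idapro``
    option generates an IDA script per dump and ``dump_delete`` removes the
    dump file afterwards (best effort). A dump whose file name carries no
    pid is logged and skipped instead of aborting the whole module.
    @return: structured results.
    """
    self.key = "procmemory"
    results = []

    if not os.path.exists(self.pmemory_path):
        return results

    # Raw string: the original "(\d{2,5})" literal relied on an invalid
    # escape sequence. Compiled once for the loop.
    pid_re = re.compile(r"\d{2,5}")

    for dmp in os.listdir(self.pmemory_path):
        if not dmp.endswith(".dmp"):
            continue

        # A name without a digit run used to raise IndexError and abort
        # the module; skip it and keep processing the other dumps.
        match = pid_re.search(dmp)
        if match is None:
            log.warning("Skipping memory dump with unexpected file name \"%s\"", dmp)
            continue
        pid = int(match.group())

        dump_path = os.path.join(self.pmemory_path, dmp)
        # NOTE(review): the dump contents come from the analyzed process and
        # are presumably attacker-controlled; all parsing of them happens in
        # File / read_dump, not here.
        dump_file = File(dump_path)
        proc = dict(
            file=dump_path,
            pid=pid,
            yara=dump_file.get_yara("memory"),
            urls=list(dump_file.get_urls()),
            regions=list(self.read_dump(dump_path)),
        )

        if self.options.get("idapro"):
            self.create_idapy(proc)

        if self.options.get("dump_delete"):
            # Best effort: a failed delete is logged, the result is kept.
            try:
                os.remove(dump_path)
            except OSError:
                log.error("Unable to delete memory dump file at path \"%s\"", dump_path)

        results.append(proc)

    return results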