def _ScanProcess(self, process, scan_request, scan_response):
rdf_process = rdf_client.Process.FromPsutilProcess(process)
start_time = rdfvalue.RDFDatetime.Now()
try:
matches = self._GetMatches(process, scan_request)
scan_time = rdfvalue.RDFDatetime.Now() - start_time
scan_time_us = scan_time.ToInt(rdfvalue.MICROSECONDS)
except YaraTimeoutError:
scan_response.errors.Append(
rdf_memory.ProcessMemoryError(
process=rdf_process,
error="Scanning timed out (%s)." %
(rdfvalue.RDFDatetime.Now() - start_time)))
return
except Exception as e: # pylint: disable=broad-except
scan_response.errors.Append(
rdf_memory.ProcessMemoryError(process=rdf_process,
error=str(e)))
return
if matches:
scan_response.matches.Append(
rdf_memory.YaraProcessScanMatch(process=rdf_process,
match=matches,
scan_time_us=scan_time_us))
else:
scan_response.misses.Append(
rdf_memory.YaraProcessScanMiss(process=rdf_process,
scan_time_us=scan_time_us))
def _ScanProcess(self, process, scan_request, scan_response):
rdf_process = rdf_client.Process.FromPsutilProcess(process)
# TODO: Replace time.time() arithmetic with RDFDatetime
# subtraction.
start_time = time.time()
try:
matches = self._GetMatches(process, scan_request)
scan_time = time.time() - start_time
scan_time_us = int(scan_time * 1e6)
except yara.TimeoutError:
scan_response.errors.Append(
rdf_memory.ProcessMemoryError(
process=rdf_process,
error="Scanning timed out (%s seconds)." %
(time.time() - start_time)))
return
except Exception as e: # pylint: disable=broad-except
scan_response.errors.Append(
rdf_memory.ProcessMemoryError(process=rdf_process,
error=str(e)))
return
if matches:
scan_response.matches.Append(
rdf_memory.YaraProcessScanMatch(process=rdf_process,
match=matches,
scan_time_us=scan_time_us))
else:
scan_response.misses.Append(
rdf_memory.YaraProcessScanMiss(process=rdf_process,
scan_time_us=scan_time_us))
def GenerateSample(self, match, **kwargs):
process = rdf_client.Process(pid=2,
ppid=1,
cmdline=["cmd.exe"],
exe="c:\\windows\\cmd.exe",
ctime=1333718907167083)
return rdf_memory.YaraProcessScanMatch(process=process,
match=match,
scan_time_us=42,
**kwargs)
def Run(self, args):
result = rdf_memory.YaraProcessScanResponse()
for p in ProcessIterator(args.pids, args.process_regex,
args.ignore_grr_process, result.errors):
self.Progress()
n_results = len(result.errors) + len(result.matches) + len(
result.misses)
if n_results >= self._RESULTS_PER_RESPONSE:
self.SendReply(result)
result = rdf_memory.YaraProcessScanResponse()
rdf_process = rdf_client.Process.FromPsutilProcess(p)
start_time = time.time()
try:
matches = self._ScanProcess(p, args)
scan_time = time.time() - start_time
scan_time_us = int(scan_time * 1e6)
except yara.TimeoutError:
result.errors.Append(
rdf_memory.ProcessMemoryError(
process=rdf_process,
error="Scanning timed out (%s seconds)." %
(time.time() - start_time)))
continue
except Exception as e: # pylint: disable=broad-except
result.errors.Append(
rdf_memory.ProcessMemoryError(process=rdf_process,
error=str(e)))
continue
if matches:
result.matches.Append(
rdf_memory.YaraProcessScanMatch(process=rdf_process,
match=matches,
scan_time_us=scan_time_us))
else:
result.misses.Append(
rdf_memory.YaraProcessScanMiss(process=rdf_process,
scan_time_us=scan_time_us))
self.SendReply(result)
