def collect(self, hint, processes):
by_pid = {}
to_decorate = []
for process in processes:
pid = process["Process/pid"]
collision = by_pid.get(pid)
if collision:
# Collision on PIDs. Keep the later process, since the earlier
# one is definitely dead.
start_time = process["Timestamps/created_at"]
if start_time < collision["Timestamps/created_at"]:
# Keep the collision.
continue
by_pid[pid] = process
to_decorate.append(process)
for process in to_decorate:
ppid = process["MemoryObject/base_object"].p_ppid
parent = by_pid.get(ppid, None)
if parent is None:
continue
parent_start = parent["Timestamps/created_at"]
process_start = process["Timestamps/created_at"]
if parent_start > process_start:
continue
yield [
process.identity,
definitions.Process(parent=parent.identity)
]
def collect(self, hint, procs):
manager = self.manager
for entity in procs:
proc = entity["MemoryObject/base_object"]
user_identity = manager.identify({"User/uid": proc.p_uid})
process_identity = manager.identify({
("Process/pid", "Timestamps/created_at"):
(proc.pid, proc.p_start.as_datetime())
})
# kern_proc.c:2706
session = proc.p_pgrp.pg_session
if session:
session_identity = manager.identify(
{"MemoryObject/base_object": session})
yield definitions.MemoryObject(base_object=session,
type="session")
else:
session_identity = None
cr3 = proc.task.map.pmap.pm_cr3
if cr3:
cr3_ptr = proc.obj_profile.Pointer(
vm=self.session.physical_address_space,
target="void",
value=proc.task.map.pmap.pm_cr3)
else:
cr3_ptr = None
yield [
# Reuse the base object identity but also use the PID.
process_identity | entity.identity,
definitions.Timestamps(created_at=proc.p_start.as_datetime()),
definitions.Process(pid=proc.pid,
command=utils.SmartUnicode(proc.p_comm),
user=user_identity,
cr3=cr3_ptr,
is_64bit=proc.task.map.pmap.pm_task_map ==
"TASK_MAP_64BIT",
session=session_identity),
definitions.Named(name="%s (pid=%d)" % (proc.p_comm, proc.pid),
kind="Process")
]
# We don't know much about the user at this stage, but this
# is still kind of useful in getting at least a list of UIDs.
# Once we have more robustness in listing users this can go away.
yield [user_identity, definitions.User(uid=proc.p_uid)]
def collect(self, hint, procs):
for entity in procs:
eproc = entity["MemoryObject/base_object"]
yield [
entity.identity
| self.manager.identify({"Process/pid": eproc.pid}),
definitions.Process(pid=eproc.pid,
parent=self.manager.identify({
"Process/pid":
eproc.InheritedFromUniqueProcessId
}),
command=eproc.name,
is_64bit=eproc.IsWow64),
definitions.Timestamps(created_at=eproc.CreateTime,
destroyed_at=eproc.ExitTime),
definitions.Named(name=eproc.name, kind="Process")
]