    def test_process_tree_regular(self):
        """Check the tree shape produced by an ordinary, non-colliding PID stream.

        Each tuple is ``(pid, ppid, track)``; ``first_seen`` is the tuple's
        position, so the event order fed to the tree is deterministic. The
        expected result is two roots: the first has no children at all, the
        second has two children, its first child has four children, and the
        first of those has exactly one child of its own.
        """
        tree = ProcessTree(None)

        events = (
            (484, 380, False),
            (1444, 1872, True),
            (2068, 1444, True),
            (2104, 1444, True),
            (2292, 2068, True),
            (2348, 2292, True),
            (2428, 2068, True),
            (2488, 2428, True),
            (2564, 2068, True),
            (2620, 2068, True),
        )

        for seen_at, (pid, ppid, track) in enumerate(events):
            tree.handle_event(
                {
                    "pid": pid,
                    "ppid": ppid,
                    "process_name": "procname",
                    "command_line": "cmdline",
                    "first_seen": seen_at,
                    "children": [],
                    "track": track,
                }
            )

        roots = tree.run()
        assert len(roots) == 2
        assert not roots[0]["children"]

        # Walk down the second root level by level so each assertion names
        # the depth it checks.
        depth_one = roots[1]["children"]
        assert len(depth_one) == 2
        depth_two = depth_one[0]["children"]
        assert len(depth_two) == 4
        assert len(depth_two[0]["children"]) == 1
    def test_process_tree_pid_reuse(self):
        """Regression test: a reused PID must not hide tracked processes.

        PID 2104 first appears only as the *parent* of the initial tracked
        process (2624) and is later created again as a child of 2148. The
        original comment records that this collision confused earlier code and
        left the malicious processes out of the web interface, so the tree
        must disambiguate the two 2104 incarnations rather than key solely
        on PID. ``first_seen`` is the tuple's position, giving a fixed order.
        """
        tree = ProcessTree(None)

        # NOTE: the parent PID of the initial malicious process (2104) is
        # recreated later in the stream; see the docstring for why this
        # matters.
        events = (
            (468, 364, False),
            (2624, 2104, True),
            (2148, 2624, True),
            (1836, 1788, True),
            (2056, 2148, True),
            (2104, 2148, True),
            (2480, 2104, True),
            (2420, 2104, True),
            (2308, 2056, True),
        )

        for seen_at, (pid, ppid, track) in enumerate(events):
            tree.handle_event(
                {
                    "pid": pid,
                    "ppid": ppid,
                    "process_name": "procname",
                    "command_line": "cmdline",
                    "first_seen": seen_at,
                    "children": [],
                    "track": track,
                }
            )

        roots = tree.run()
        assert len(roots) == 3

        # Second root: a single child, which in turn has two children with
        # one and two children respectively.
        depth_one = roots[1]["children"]
        assert len(depth_one) == 1
        depth_two = depth_one[0]["children"]
        assert len(depth_two) == 2
        assert len(depth_two[0]["children"]) == 1
        assert len(depth_two[1]["children"]) == 2

        # Third root must be a leaf.
        assert not roots[2]["children"]