def calculate(self):
result = {}
self.profile = Profile()
## Load a new address space
addr_space = utils.load_as(self.opts)
for task in pslist(addr_space, self.profile):
task_info = {}
task_info['eprocess'] = task
task_info['image_file_name'] = task.ImageFileName or 'UNKNOWN'
task_info['process_id'] = task.UniqueProcessId.v() or -1
task_info['active_threads'] = task.ActiveThreads or -1
task_info['inherited_from'] = task.InheritedFromUniqueProcessId.v(
) or -1
task_info['handle_count'] = task.ObjectTable.HandleCount or -1
task_info['create_time'] = task.CreateTime
## Get the Process Environment Block - Note that _EPROCESS
## will automatically switch to process address space by
## itself.
if self.opts.verbose:
peb = task.Peb
if peb:
task_info[
'command_line'] = peb.ProcessParameters.CommandLine
task_info[
'ImagePathName'] = peb.ProcessParameters.ImagePathName
task_info[
'Audit ImageFileName'] = task.SeAuditProcessCreationInfo.ImageFileName.Name or 'UNKNOWN'
result[task_info['process_id']] = task_info
return result
def calculate(self):
result = {}
self.profile = Profile()
## Load a new address space
addr_space = utils.load_as(self.opts)
for task in pslist(addr_space, self.profile):
task_info = {}
task_info['eprocess'] = task
task_info['image_file_name'] = task.ImageFileName or 'UNKNOWN'
task_info['process_id'] = task.UniqueProcessId.v() or -1
task_info['active_threads'] = task.ActiveThreads or -1
task_info['inherited_from'] = task.InheritedFromUniqueProcessId.v() or -1
task_info['handle_count'] = task.ObjectTable.HandleCount or -1
task_info['create_time'] = task.CreateTime
## Get the Process Environment Block - Note that _EPROCESS
## will automatically switch to process address space by
## itself.
if self.opts.verbose:
peb = task.Peb
if peb:
task_info['command_line'] = peb.ProcessParameters.CommandLine
task_info['ImagePathName'] = peb.ProcessParameters.ImagePathName
task_info['Audit ImageFileName'] = task.SeAuditProcessCreationInfo.ImageFileName.Name or 'UNKNOWN'
result[task_info['process_id']] = task_info
return result
def calculate(self):
profile = Profile()
addr_space = utils.load_as(self.opts)
## Grab all the handle tables from processes
def files_in_pid(p):
for f in p.handles():
filename = f.FileName.v()
if filename:
yield filename
return self.pid_generator(files_in_pid, addr_space, profile)
def calculate(self):
profile = Profile()
addr_space = utils.load_as(self.opts)
## Grab all the handle tables from processes
def files_in_pid(p):
for f in p.handles():
filename = f.FileName.v()
if filename:
yield filename
return self.pid_generator(files_in_pid, addr_space, profile)
def calculate(self):
profile = Profile()
addr_space = utils.load_as(self.opts)
def list_modules(p):
peb = p.Peb
if peb and peb.is_valid():
## list all the modules attached to this peb:
for module in peb.Ldr.InLoadOrderModuleList.list_of_type(
"_LDR_MODULE", "InLoadOrderModuleList"):
yield module.BaseAddress, module.SizeOfImage, module.FullDllName
return self.pid_generator(list_modules, addr_space, profile)
def calculate(self):
profile = Profile()
addr_space = utils.load_as(self.opts)
def list_modules(p):
peb = p.Peb
if peb and peb.is_valid():
## list all the modules attached to this peb:
for module in peb.Ldr.InLoadOrderModuleList.list_of_type(
"_LDR_MODULE", "InLoadOrderModuleList"):
yield module.BaseAddress, module.SizeOfImage, module.FullDllName
return self.pid_generator(list_modules, addr_space, profile)
def calculate(self):
self.profile = Profile()
self.addr_space = utils.load_as(self.opts)
## Find the tcpip module:
tcpip = None
for module in lsmod(self.addr_space, self.profile):
if "tcpip" in module.FullDllName.v():
tcpip = module.BaseAddress.v()
break
if not tcpip:
print "Unable to find tcpip module"
return
def connection_generator():
for offsets in module_versions.values():
for results in self.get_tcb_connections(tcpip, offsets['TCBTableOff'][0],
offsets['SizeOff'][0]):
yield results
return connection_generator()
def calculate(self):
self.profile = Profile()
self.addr_space = utils.load_as(self.opts)
## Find the tcpip module:
tcpip = None
for module in lsmod(self.addr_space, self.profile):
if "tcpip" in module.FullDllName.v():
tcpip = module.BaseAddress.v()
break
if not tcpip:
print "Unable to find tcpip module"
return
def connection_generator():
for offsets in module_versions.values():
for results in self.get_tcb_connections(
tcpip, offsets['TCBTableOff'][0],
offsets['SizeOff'][0]):
yield results
return connection_generator()
