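 def getProcesses(self):
     ''' Get information about all non-system processes
     -> list(Process)
     @command: wmic path Win32_Process get CommandLine, CreationDate, ExecutablePath, Name, ProcessId
     @raise Exception: if WMI query failed

     Rows whose ProcessId is '-1' or not all digits are skipped with a debug
     message (system pseudo-processes). A CreationDate that does not parse is
     logged as a warning; the process is still reported.
     '''
     queryBuilder = self._provider.getBuilder('Win32_Process')
     queryBuilder.addWmiObjectProperties('Name', 'ProcessId', 'CommandLine',
                                         'ExecutablePath', 'CreationDate')
     # first token (quoted or bare), whitespace, then the argument line
     argsPattern = re.compile(r'("[^"]+"|[^"]\S+)\s+(.+)$')
     processes = []
     for info in self._provider.getAgent().getWmiData(queryBuilder):
         name = info.Name
         pid = info.ProcessId
         if pid == '-1' or not str(pid).isdigit():
             logger.debug(
                 "Skip process '%s'. It is system process or has non numeric PID"
                 % name)
             continue
         startupTime = info.CreationDate
         try:
             startupTime = modeling.getDateFromUtcString(startupTime)
         except ValueError, ve:
             logger.warn(str(ve))
             startupTime = None
         # NOTE(review): startupTime is parsed but never attached to the
         # Process object below; confirm whether Process has a setter for it
         cmdline = self.__getCommandLineWithProcessName(
             info.CommandLine, name)
         argsMatch = argsPattern.match(cmdline)
         parameters = argsMatch and argsMatch.group(2) or None
         process = Process(name, cmdline)
         process.setPid(pid)
         process.parameters = parameters
         process.path = info.ExecutablePath
         processes.append(process)
     # the contract above is list(Process); without this the caller got None
     return processes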
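 def getProcesses(self):
     ''' Get information about all non-system processes
     -> list(Process)
     @command: wmic path Win32_Process get CommandLine, CreationDate, ExecutablePath, Name, ProcessId
     @raise Exception: if WMI query failed

     Rows whose ProcessId is '-1' or not all digits are skipped with a debug
     message (system pseudo-processes). A CreationDate that does not parse is
     logged as a warning; the process is still reported.
     '''
     queryBuilder = self._provider.getBuilder('Win32_Process')
     queryBuilder.addWmiObjectProperties('Name', 'ProcessId', 'CommandLine', 'ExecutablePath', 'CreationDate')
     # first token (quoted or bare), whitespace, then the argument line
     argsPattern = re.compile(r'("[^"]+"|[^"]\S+)\s+(.+)$')
     processes = []
     for info in self._provider.getAgent().getWmiData(queryBuilder):
         name = info.Name
         pid = info.ProcessId
         if pid == '-1' or not str(pid).isdigit():
             logger.debug("Skip process '%s'. It is system process or has non numeric PID" % name)
             continue
         startupTime = info.CreationDate
         try:
             startupTime = modeling.getDateFromUtcString(startupTime)
         except ValueError, ve:
             logger.warn(str(ve))
             startupTime = None
         # NOTE(review): startupTime is parsed but never attached to the
         # Process object below; confirm whether Process has a setter for it
         cmdline = self.__getCommandLineWithProcessName(info.CommandLine, name)
         argsMatch = argsPattern.match(cmdline)
         parameters = argsMatch and argsMatch.group(2) or None
         process = Process(name, cmdline)
         process.setPid(pid)
         process.parameters = parameters
         process.path = info.ExecutablePath
         processes.append(process)
     # the contract above is list(Process); without this the caller got None
     return processes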
    def findAllProcessesByWmi(self):
        ''' Find all processes running on the system
        @types: -> list(process.Process)
        @command: wmic process get commandLine, creationdate, executablepath, name, processId

        Rows without a name, and rows whose processId is '-1' or not numeric,
        are skipped with a log message. ParentProcessId is attached only when
        it is all digits; creationdate only when it parses (failures are
        logged at debug level and the process is still returned).
        '''
        provider = self._getWmiAgentProvider()
        builder = provider.getBuilder('Win32_Process')
        builder.addWmiObjectProperties('name', 'processId', 'commandLine',
                                       'executablepath', 'creationdate',
                                       'ParentProcessId')
        # first token (quoted or bare), whitespace, then the argument line
        argsPattern = re.compile(r'("[^"]+"|[^"]\S+)\s+(.+)$')

        found = []
        for row in provider.getAgent().getWmiData(builder):
            name = row.name
            if not name:
                logger.warn("Skipped process without name. CommandLine: %s" %
                            row.commandLine)
                continue

            pid = row.processId
            # NOTE(review): isnumeric() exists only on unicode in Python 2,
            # so this relies on WMI rows being unicode strings
            if pid == '-1' or not pid.isnumeric():
                logger.debug(
                    "Skipped process '%s'. It is system process or has non numeric PID"
                    % name)
                continue

            commandLine = self.__fixMissedProcessNameInCommandLine(
                name, row.commandLine)
            proc = process_module.Process(name, pid, commandLine=commandLine)
            proc.executablePath = row.executablepath

            parentPid = row.ParentProcessId
            if parentPid and parentPid.isdigit():
                proc.setParentPid(parentPid)

            creationDate = row.creationdate
            if creationDate:
                # best effort; bare except kept on purpose (presumably Jython,
                # given the java.util.Date types used here, where Java
                # exceptions are not Python Exceptions)
                try:
                    proc.setStartupTime(
                        modeling.getDateFromUtcString(creationDate))
                except:
                    logger.debug("Failed parsing date from UTC string '%s'" %
                                 creationDate)

            argsMatch = argsPattern.match(proc.commandLine)
            if argsMatch:
                proc.argumentLine = argsMatch.group(2)

            found.append(proc)
        return found
    def getOperatingSystemInfo(self):
        '''@types: -> HostDo
        @raise Exception: if wmi query failed

        Only the first Win32_OperatingSystem row is consumed (the return sits
        inside the loop); when the query yields no rows the method returns
        None rather than a HostDo. Empty fields are logged and left unset.'''
        hostDo = HostDo()
        queryBuilder = self._wmiProvider.getBuilder('Win32_OperatingSystem')
        queryBuilder.addWmiObjectProperties('Caption', 'otherTypeDescription',
                                            'Version', 'BuildNumber',
                                            'csdversion', 'lastBootUpTime',
                                            'registeredUser',
                                            'totalVisibleMemorySize',
                                            'organization')
        normalize = self.__normalizeWindowsOSAndType
        rows = self._wmiProvider.getAgent().getWmiData(queryBuilder)
        for osData in rows:
            caption = osData.Caption
            if not caption:
                logger.warn(
                    "Caption field is empty. Host OS name, installation type and vendor will not be parsed out."
                )
            else:
                # an empty description is handed to separateCaption as None
                otherType = osData.otherTypeDescription or None
                vendor, osName, installType = separateCaption(
                    normalize(caption), normalize(otherType))
                hostDo.hostOsName = osName
                hostDo.installType = installType
                hostDo.vendor = vendor
                hostDo.registeredOwner = osData.registeredUser
                hostDo.physicalMemory = osData.totalVisibleMemorySize
                hostDo.organization = osData.organization

            version = osData.Version
            if version:
                hostDo.ntVersion = normalize(version)
            else:
                logger.warn('Version field is empty. Skipping.')

            servicePack = osData.csdversion
            if servicePack:
                # NOTE(review): a bare __name inside a class body is mangled
                # to _<Class>__parseServicePack; verify that name resolves
                hostDo.servicePack = __parseServicePack(normalize(servicePack))
            else:
                logger.warn('Service pack field is empty. Skipping.')

            buildNumber = osData.BuildNumber
            if buildNumber:
                hostDo.buildNumber = buildNumber
            else:
                logger.warn('Build number filed is empty. Skipping')

            # best effort; bare except kept on purpose (presumably Jython,
            # where Java exceptions are not Python Exceptions)
            try:
                hostDo.lastBootDate = modeling.getDateFromUtcString(
                    osData.lastBootUpTime)
            except:
                logger.warn("Failed to parse last boot date from value '%s'" %
                            osData.lastBootUpTime)

            return hostDo
def setLastBootUpTime(hostOSH, lastBootUpTime):
    ''' Set host_last_boot_time on hostOSH from a WMI UTC date string.
    osh, str -> None
    An empty value, or one that fails to parse, is logged at debug level and
    leaves the attribute untouched.
    '''
    if not lastBootUpTime:
        logger.debug("WMI: query returned empty lastBootUpTime field")
        return
    # best effort; bare except kept on purpose (presumably Jython, where
    # Java exceptions raised by the parser are not Python Exceptions)
    try:
        bootDate = modeling.getDateFromUtcString(lastBootUpTime)
    except:
        logger.debug("WMI: query returned lastBootUpTime that failed to be parsed: %s" % lastBootUpTime)
        return
    hostOSH.setDateAttribute('host_last_boot_time', bootDate)
 def setLastModificationTimeInUTC(self, timeInUTC):
     ''' Parse java.util.Date from provided str
     str -> None
     @param timeInUTC: last modification time in utc
     @type timeInUTC: str
     @return: None
     @raise ValueError: if timeInUTC is empty, or if it failed to parse as a utc string
     '''
     if not timeInUTC:
         raise ValueError('Not a UTC: %s' % timeInUTC)
     # a malformed string is expected to surface as ValueError from the parser
     self.__lastModificationTime = modeling.getDateFromUtcString(timeInUTC)
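def __getWindowsWmicFileLastModificationTime(shell, fileName):
    ''' Query LastModified of a file on a Windows host through wmic.
    Shell, str -> java.util.Date or None
    @param shell: shell used to run the wmic command
    @param fileName: full Windows path of the file
    @return: date parsed from the first LastModified= line, or None when the
             command succeeded but no such line was found
    @raise ValueError: if fileName holds characters that cannot be embedded
           in the command, if the command failed (empty output, non-zero
           exit code or wmic error text), or if the date does not parse
    '''
    # fileName is spliced into a WQL literal inside a cmd.exe command line.
    # A double quote would end the cmd.exe string and a line break would
    # start a new command, so both are rejected (neither is legal in a
    # Windows path anyway).
    if '"' in fileName or '\r' in fileName or '\n' in fileName:
        raise ValueError("File name contains characters that cannot be quoted: %s" % fileName)
    # WQL string literals escape backslash and the delimiting single quote
    # with a backslash; without the second replace a quote in the path would
    # terminate the literal early
    escapedFileName = fileName.replace('\\', '\\\\').replace("'", "\\'")
    # stdin is redirected from win.ini so wmic does not wait for input when
    # run through a non-interactive shell
    command = ('wmic datafile where "name = \'%s\'" get LastModified '
               '/format:list < %%SystemRoot%%\\win.ini' % escapedFileName)
    output = shell.execCmd(command)
    failed = (not output
              or shell.getLastCmdReturnCode() != 0
              or output.find(__WMIC_ERROR) != -1)
    if failed:
        raise ValueError("Output is empty or incorrect either error code is not zero. File name: %s" % fileName)
    datePattern = re.compile(r"LastModified=([\d.+-]{%s})" % UTC_DATE_LENGTH)
    for line in output.split('\n'):
        matcher = datePattern.match(line.strip())
        if matcher:
            return getDateFromUtcString(matcher.group(1))
    # successful reply without a LastModified= line
    return None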
    def findAllProcessesByWmi(self):
        ''' Find all processes running on the system
        @types: -> list(process.Process)
        @command: wmic process get commandLine, creationdate, executablepath, name, processId

        Rows without a name, and rows whose processId is '-1' or not numeric,
        are skipped with a log message. ParentProcessId is attached only when
        it is all digits; creationdate only when it parses (failures are
        logged at debug level and the process is still returned).
        '''
        provider = self._getWmiAgentProvider()
        builder = provider.getBuilder('Win32_Process')
        builder.addWmiObjectProperties('name', 'processId', 'commandLine',
                                       'executablepath', 'creationdate',
                                       'ParentProcessId')
        # first token (quoted or bare), whitespace, then the argument line
        argsPattern = re.compile(r'("[^"]+"|[^"]\S+)\s+(.+)$')

        found = []
        for row in provider.getAgent().getWmiData(builder):
            name = row.name
            if not name:
                logger.warn("Skipped process without name. CommandLine: %s" % row.commandLine)
                continue

            pid = row.processId
            # NOTE(review): isnumeric() exists only on unicode in Python 2,
            # so this relies on WMI rows being unicode strings
            if pid == '-1' or not pid.isnumeric():
                logger.debug("Skipped process '%s'. It is system process or has non numeric PID" % name)
                continue

            commandLine = self.__fixMissedProcessNameInCommandLine(name, row.commandLine)
            proc = process_module.Process(name, pid, commandLine=commandLine)
            proc.executablePath = row.executablepath

            parentPid = row.ParentProcessId
            if parentPid and parentPid.isdigit():
                proc.setParentPid(parentPid)

            creationDate = row.creationdate
            if creationDate:
                # best effort; bare except kept on purpose (presumably Jython,
                # given the java.util.Date types used here, where Java
                # exceptions are not Python Exceptions)
                try:
                    proc.setStartupTime(modeling.getDateFromUtcString(creationDate))
                except:
                    logger.debug("Failed parsing date from UTC string '%s'" % creationDate)

            argsMatch = argsPattern.match(proc.commandLine)
            if argsMatch:
                proc.argumentLine = argsMatch.group(2)

            found.append(proc)
        return found
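def getWindowsWmiFileLastModificationTime(client, fileName):
    ''' Query LastModified of a file through a WMI client.
    WmiClient, str -> java.util.Date or None
    @param client: WMI client exposing executeQuery(...).asTable()
    @param fileName: full Windows path of the file
    @return: parsed LastModified value, or None when the query returned no
             row or the value could not be parsed (both logged as warnings)
    @raise ValueError: if fileName is None or empty
    '''
    if not fileName:
        raise ValueError("File name is null or empty")

    # fileName becomes a WQL string literal: escape backslash and the single
    # quote that delimits the literal, so a quote in the path cannot end the
    # literal early and change the query
    escapedFileName = fileName.replace('\\', '\\\\').replace("'", "\\'")
    query = "Select LastModified from CIM_Datafile Where name = '%s'" % escapedFileName
    resultTable = client.executeQuery(query).asTable()

    modificationTime = None
    if resultTable and resultTable[0]:
        # best effort; bare except kept on purpose (presumably Jython, where
        # Java exceptions raised by the parser are not Python Exceptions)
        try:
            modificationTime = getDateFromUtcString(resultTable[0][0])
        except:
            logger.warn('Failed getting last modification time for file: %s' % fileName)
    else:
        logger.warn('Failed getting last modification time for file: %s' % fileName)
    return modificationTime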
def getDateFromCimDate(cimDateTime):
    '''
    CimDateTime -> java.util.Date

    Only javax.cim.CIMDateTimeAbsolute is supported: its string form (for
    example 20121103140952.000000+000) is passed to
    modeling.getDateFromUtcString after any '*' in the time-zone part has
    been replaced with '0'.
    @return: None for a None input
    @raise ValueError: for any other input type
    '''
    if cimDateTime is None:
        return None

    supportedTypes = ("javax.cim.CIMDateTimeAbsolute", )
    if cimDateTime.getClass().getName() not in supportedTypes:
        raise ValueError("Unsupported type")

    dateString = cimDateTime.getDateTimeString()
    # the time-zone value may contain '*'; neutralize it before parsing
    dateString = dateString.replace('*', '0')
    return modeling.getDateFromUtcString(dateString)
    def getOperatingSystemInfo(self):
        '''@types: -> HostDo
        @raise Exception: if wmi query failed

        Only the first Win32_OperatingSystem row is consumed (the return sits
        inside the loop); when the query yields no rows the method returns
        None rather than a HostDo. Empty fields are logged and left unset.'''
        hostDo = HostDo()
        queryBuilder = self._wmiProvider.getBuilder('Win32_OperatingSystem')
        queryBuilder.addWmiObjectProperties('Caption', 'otherTypeDescription',
                                            'Version', 'BuildNumber',
                                            'csdversion', 'lastBootUpTime',
                                            'registeredUser',
                                            'totalVisibleMemorySize',
                                            'organization')
        normalize = self.__normalizeWindowsOSAndType
        rows = self._wmiProvider.getAgent().getWmiData(queryBuilder)
        for osData in rows:
            caption = osData.Caption
            if not caption:
                logger.warn("Caption field is empty. Host OS name, installation type and vendor will not be parsed out.")
            else:
                # an empty description is handed to separateCaption as None
                otherType = osData.otherTypeDescription or None
                vendor, osName, installType = separateCaption(
                    normalize(caption), normalize(otherType))
                hostDo.hostOsName = osName
                hostDo.installType = installType
                hostDo.vendor = vendor
                hostDo.registeredOwner = osData.registeredUser
                hostDo.physicalMemory = osData.totalVisibleMemorySize
                hostDo.organization = osData.organization

            version = osData.Version
            if version:
                hostDo.ntVersion = normalize(version)
            else:
                logger.warn('Version field is empty. Skipping.')

            servicePack = osData.csdversion
            if servicePack:
                # NOTE(review): a bare __name inside a class body is mangled
                # to _<Class>__parseServicePack; verify that name resolves
                hostDo.servicePack = __parseServicePack(normalize(servicePack))
            else:
                logger.warn('Service pack field is empty. Skipping.')

            buildNumber = osData.BuildNumber
            if buildNumber:
                hostDo.buildNumber = buildNumber
            else:
                logger.warn('Build number filed is empty. Skipping')

            # best effort; bare except kept on purpose (presumably Jython,
            # where Java exceptions are not Python Exceptions)
            try:
                hostDo.lastBootDate = modeling.getDateFromUtcString(osData.lastBootUpTime)
            except:
                logger.warn("Failed to parse last boot date from value '%s'"
                            % osData.lastBootUpTime)

            return hostDo
def getDateFromCimDate(cimDateTime):
    '''
    CimDateTime -> java.util.Date

    Only javax.cim.CIMDateTimeAbsolute is supported: its string form (for
    example 20121103140952.000000+000) is passed to
    modeling.getDateFromUtcString after any '*' in the time-zone part has
    been replaced with '0'.
    @return: None for a None input
    @raise ValueError: for any other input type
    '''
    if cimDateTime is None:
        return None

    supportedTypes = ("javax.cim.CIMDateTimeAbsolute", )
    if cimDateTime.getClass().getName() not in supportedTypes:
        raise ValueError("Unsupported type")

    dateString = cimDateTime.getDateTimeString()
    # the time-zone value may contain '*'; neutralize it before parsing
    dateString = dateString.replace('*', '0')
    return modeling.getDateFromUtcString(dateString)
def discoverProcessesByWmic(client, OSHVResult, hostID, Framework, pid2Process=None):
    ''' Discover system processes, report them and save in probe DB.
    Shell, oshVector, str, Framework, map[str, str] -> bool
    @command: wmic process get commandLine, creationdate, executablepath, name, processId

    Returns 0 when the wmic query fails, 1 otherwise. Every row with a name
    and a numeric pid is stored through ProcessDbUtils; process OSHs are
    added to OSHVResult (when given) only for the first row seen per pid.
    When pid2Process is given it receives the map built by ProcessDbUtils.
    '''
    wmiProvider = wmiutils.getWmiProvider(client)
    queryBuilder = wmiProvider.getBuilder('Win32_Process')
    queryBuilder.usePathCommand(1)
    queryBuilder.addWmiObjectProperties('name', 'processId', 'commandLine', 'executablepath', 'creationdate')

    try:
        processItems = wmiProvider.getAgent().getWmiData(queryBuilder)
    except:
        logger.debugException('Failed getting processes information via wmic')
        return 0

    # First command-line token: quoted with ' or ", or bare up to whitespace.
    # NOTE(review): '(:?' is probably a typo for '(?:', but group(1) below
    # depends on the current group numbering, so the pattern is kept as is.
    firstTokenPattern = re.compile('(:?["\'](.*?)["\']|(.*?)\s)')
    # first token followed by whitespace and the argument line
    argsPattern = re.compile(r'("[^"]+"|[^"]\S+)\s+(.+)$')

    def _startupTime(creationDate):
        ''' str -> value of java.util.Date.getTime() or None; an empty or
        unparseable date yields None and is reported as a warning '''
        if not creationDate:
            return None
        # best effort; bare except kept on purpose (presumably Jython, where
        # Java exceptions raised by the parser are not Python Exceptions)
        try:
            return modeling.getDateFromUtcString(creationDate).getTime()
        except:
            errobj = errorobject.createError(errorcodes.PROCESS_STARTUP_TIME_ATTR_NOT_SET, ['NTCMD', creationDate], "%s: Process startup time attribute is not set due to error while parsing date string '%s'" % ('NTCMD', creationDate))
            logger.reportWarningObject(errobj)
            return None

    def _commandLineWithName(processName, commandLine):
        ''' str, str -> str: commandLine, prefixed with processName when its
        first token ends neither with the name nor with the name minus its
        extension; a name without a dot is never prepended '''
        nameLower = processName.lower()
        tokenMatch = firstTokenPattern.match(commandLine)
        if tokenMatch:
            firstToken = tokenMatch.group(1).strip()
        else:
            firstToken = commandLine.strip()
        firstToken = re.sub('[\'"]', '', firstToken).lower()
        if firstToken.endswith(nameLower):
            return commandLine
        extStart = nameLower.rfind('.')
        if extStart == -1 or firstToken.endswith(nameLower[:extStart]):
            return commandLine
        return '%s %s' % (processName, commandLine)

    pdu = None
    try:
        pdu = processdbutils.ProcessDbUtils(Framework)
        reportedPids = []
        hostOSH = None

        for item in processItems:
            processName = item.name
            if not processName:
                continue

            processPid = item.processId
            if processPid == '-1' or not processPid.isnumeric():
                logger.debug("Process '%s' is system process or has non numeric pid" % processName)
                continue

            processExecutablePath = item.executablepath
            processStartupTime = _startupTime(item.creationdate)
            processCommandLine = _commandLineWithName(processName, item.commandLine)

            processArgs = None
            argsMatch = argsPattern.match(processCommandLine)
            if argsMatch:
                processArgs = argsMatch.group(2)

            # every row reaches the DB; the pid check below only affects OSHs
            pdu.addProcess(hostID, processName, processPid, processCommandLine, processExecutablePath, processArgs, None, processStartupTime)

            if processPid in reportedPids:
                logger.debug("Process: '%s' already reported" % processName)
                continue
            reportedPids.append(processPid)

            if OSHVResult is not None:
                if hostOSH is None:
                    hostOSH = modeling.createOshByCmdbIdString('host', hostID)
                processOsh = modeling.createProcessOSH(processName, hostOSH, processCommandLine, processPid, processExecutablePath, None, None, processStartupTime)
                OSHVResult.add(processOsh)

        pdu.flushHostProcesses(hostID)
        if pid2Process is not None:
            pid2Process.putAll(pdu.getProcessCmdMap())
    finally:
        if pdu is not None:
            pdu.close()
    return 1
def discoverProcessesByWmic(client,
                            OSHVResult,
                            hostID,
                            Framework,
                            pid2Process=None):
    ''' Discover system processes, report them and save in probe DB.
    Shell, oshVector, str, Framework, map[str, str] -> bool
    @command: wmic process get commandLine, creationdate, executablepath, name, processId

    Returns 0 when the wmic query fails, 1 otherwise. Every row with a name
    and a numeric pid is stored through ProcessDbUtils; process OSHs are
    added to OSHVResult (when given) only for the first row seen per pid.
    When pid2Process is given it receives the map built by ProcessDbUtils.
    '''
    wmiProvider = wmiutils.getWmiProvider(client)
    queryBuilder = wmiProvider.getBuilder('Win32_Process')
    queryBuilder.usePathCommand(1)
    queryBuilder.addWmiObjectProperties('name', 'processId', 'commandLine',
                                        'executablepath', 'creationdate')

    try:
        processItems = wmiProvider.getAgent().getWmiData(queryBuilder)
    except:
        logger.debugException('Failed getting processes information via wmic')
        return 0

    # First command-line token: quoted with ' or ", or bare up to whitespace.
    # NOTE(review): '(:?' is probably a typo for '(?:', but group(1) below
    # depends on the current group numbering, so the pattern is kept as is.
    firstTokenPattern = re.compile('(:?["\'](.*?)["\']|(.*?)\s)')
    # first token followed by whitespace and the argument line
    argsPattern = re.compile(r'("[^"]+"|[^"]\S+)\s+(.+)$')

    def _startupTime(creationDate):
        ''' str -> value of java.util.Date.getTime() or None; an empty or
        unparseable date yields None and is reported as a warning '''
        if not creationDate:
            return None
        # best effort; bare except kept on purpose (presumably Jython, where
        # Java exceptions raised by the parser are not Python Exceptions)
        try:
            return modeling.getDateFromUtcString(creationDate).getTime()
        except:
            errobj = errorobject.createError(
                errorcodes.PROCESS_STARTUP_TIME_ATTR_NOT_SET,
                ['NTCMD', creationDate],
                "%s: Process startup time attribute is not set due to error while parsing date string '%s'"
                % ('NTCMD', creationDate))
            logger.reportWarningObject(errobj)
            return None

    def _commandLineWithName(processName, commandLine):
        ''' str, str -> str: commandLine, prefixed with processName when its
        first token ends neither with the name nor with the name minus its
        extension; a name without a dot is never prepended '''
        nameLower = processName.lower()
        tokenMatch = firstTokenPattern.match(commandLine)
        if tokenMatch:
            firstToken = tokenMatch.group(1).strip()
        else:
            firstToken = commandLine.strip()
        firstToken = re.sub('[\'"]', '', firstToken).lower()
        if firstToken.endswith(nameLower):
            return commandLine
        extStart = nameLower.rfind('.')
        if extStart == -1 or firstToken.endswith(nameLower[:extStart]):
            return commandLine
        return '%s %s' % (processName, commandLine)

    pdu = None
    try:
        pdu = processdbutils.ProcessDbUtils(Framework)
        reportedPids = []
        hostOSH = None

        for item in processItems:
            processName = item.name
            if not processName:
                continue

            processPid = item.processId
            if processPid == '-1' or not processPid.isnumeric():
                logger.debug(
                    "Process '%s' is system process or has non numeric pid" %
                    processName)
                continue

            processExecutablePath = item.executablepath
            processStartupTime = _startupTime(item.creationdate)
            processCommandLine = _commandLineWithName(processName,
                                                      item.commandLine)

            processArgs = None
            argsMatch = argsPattern.match(processCommandLine)
            if argsMatch:
                processArgs = argsMatch.group(2)

            # every row reaches the DB; the pid check below only affects OSHs
            pdu.addProcess(hostID, processName, processPid, processCommandLine,
                           processExecutablePath, processArgs, None,
                           processStartupTime)

            if processPid in reportedPids:
                logger.debug("Process: '%s' already reported" % processName)
                continue
            reportedPids.append(processPid)

            if OSHVResult is not None:
                if hostOSH is None:
                    hostOSH = modeling.createOshByCmdbIdString('host', hostID)
                processOsh = modeling.createProcessOSH(
                    processName, hostOSH, processCommandLine, processPid,
                    processExecutablePath, None, None, processStartupTime)
                OSHVResult.add(processOsh)

        pdu.flushHostProcesses(hostID)
        if pid2Process is not None:
            pid2Process.putAll(pdu.getProcessCmdMap())
    finally:
        if pdu is not None:
            pdu.close()
    return 1