def render(self):
    """Render the kernel event to the standard output stream.

    Uses the default output format to render the kernel event to the
    standard output stream. The default output format is as follows:

        id  timestamp  cpu  process (process id)  -  kevent (parameters)
        --  ---------  ---  -------  -----------  -  ------  ------------

    Example:

        160 13:27:27.554 0 wmiprvse.exe (1012) - CloseFile (file=C:\\WINDOWS\\SYSTEM32\\RSAENH.DLL, tid=2668)

    The process name and pid come from the thread registry when the event's
    thread is known there; otherwise the name is ``NA`` and the pid is
    taken from the event itself, or resolved through a thread handle when
    only a thread id is available (``NA`` if that fails too).
    """
    self._thread = self.thread
    if self._thread:
        process_name, pid = self._thread.name, self._thread.pid
    else:
        # the thread registry has no entry for this event, so fall back to
        # the pid carried by the event, or ask the OS who owns the thread
        process_name = NA
        if self._pid is not None:
            pid = self._pid
        else:
            pid = NA
            if self._tid:
                # only query rights are requested on the thread handle
                thread_handle = open_thread(THREAD_QUERY_INFORMATION, False, self._tid)
                if thread_handle:
                    pid = get_process_id_of_thread(thread_handle)
                    close_handle(thread_handle)
    line = RENDER_FORMAT % (
        self._id,
        self._ts.time(),
        self._cpuid,
        process_name,
        pid,
        self._name,
        self._format_params(),
    )
    IO.write_console(line)
    # running counter: advanced once per rendered event
    self._id += 1
def _get_proc(self, thread_id):
    """Resolve the image file name of the process that owns *thread_id*.

    Opens the thread to learn its owning process id, then opens that
    process and queries its full image path; only the base file name is
    returned. Each handle is closed as soon as it is no longer needed.

    Returns:
        The image base name (e.g. ``wmiprvse.exe``), or ``None`` when the
        thread or process cannot be opened or the image query fails.
    """
    thread_handle = open_thread(THREAD_QUERY_INFORMATION, False, thread_id)
    if not thread_handle:
        return None
    # the thread handle is only needed to map the thread to its owner
    owner_pid = get_process_id_of_thread(thread_handle)
    close_handle(thread_handle)

    # NOTE(review): the image-name query is documented to need only query
    # rights on the process; PROCESS_VM_READ is also requested here, which
    # makes the open fail for processes whose memory this caller may not
    # read - confirm whether that right is needed elsewhere before narrowing.
    process_handle = open_process(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, owner_pid)
    if not process_handle:
        return None
    image_path = ctypes.create_unicode_buffer(MAX_PATH)
    status = query_full_process_image_name(process_handle, 0, image_path, DWORD(MAX_PATH))
    # release the handle regardless of the query outcome
    close_handle(process_handle)
    return os.path.basename(image_path.value) if status else None
def get_thread(self):
    """Return ``(pid, name)`` for the thread that produced this kernel event.

    When the thread is present in the thread registry both values come from
    the registry entry. Otherwise the name is ``NA`` and the pid is taken
    from the event itself, or - if the event only carries a thread id -
    looked up through a thread handle; ``NA`` when neither is possible.
    """
    registered = self._find_thread()
    if registered:
        return registered.pid, registered.name

    # not in the thread registry: best-effort pid recovery, name unknown
    if self._pid is not None:
        return self._pid, NA
    pid = NA
    if self._tid:
        # only query rights are requested on the thread handle
        thread_handle = open_thread(THREAD_QUERY_INFORMATION, False, self._tid)
        if thread_handle:
            pid = get_process_id_of_thread(thread_handle)
            close_handle(thread_handle)
    return pid, NA