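def calculate(self):
    """Walk the process list and return a dict of per-process records.

    Returns:
        dict mapping process id -> dict with the keys 'eprocess',
        'image_file_name', 'process_id', 'active_threads',
        'inherited_from', 'handle_count' and 'create_time'.  When
        ``self.opts.verbose`` is set and the task's PEB is truthy,
        'command_line', 'ImagePathName' and 'Audit ImageFileName' are
        added as well.  Falsy string fields are reported as 'UNKNOWN'
        and unreadable integer fields as -1.

    Side effects:
        ``self.profile`` is replaced by a fresh Profile().
    """
    def pid_or_default(value, default=-1):
        ## A genuine integer is kept even when it is 0: PID 0 is a
        ## legitimate value (the Idle process) and the System process
        ## reports parent PID 0, but ``value or -1`` collapsed both to -1
        ## and then made those records collide on the same result key.
        ## Anything else keeps the original truthiness fallback so an
        ## invalid read (e.g. a falsy NoneObject) still maps to ``default``.
        if isinstance(value, (int, long)):
            return value
        return value or default

    self.profile = Profile()
    ## Load a new address space
    addr_space = utils.load_as(self.opts)

    result = {}
    for task in pslist(addr_space, self.profile):
        pid = pid_or_default(task.UniqueProcessId.v())
        task_info = {
            'eprocess': task,
            'image_file_name': task.ImageFileName or 'UNKNOWN',
            'process_id': pid,
            ## NOTE(review): these two counts are stored as the raw
            ## objects; if a zero count is falsy it is also reported as -1.
            'active_threads': task.ActiveThreads or -1,
            'inherited_from': pid_or_default(
                task.InheritedFromUniqueProcessId.v()),
            'handle_count': task.ObjectTable.HandleCount or -1,
            'create_time': task.CreateTime,
        }

        ## Get the Process Environment Block - Note that _EPROCESS
        ## will automatically switch to process address space by
        ## itself.
        if self.opts.verbose:
            peb = task.Peb
            if peb:
                params = peb.ProcessParameters
                task_info['command_line'] = params.CommandLine
                task_info['ImagePathName'] = params.ImagePathName
                ## NOTE(review): the audit name is read from _EPROCESS,
                ## not the PEB, yet is only recorded when the PEB is
                ## available -- confirm that is intended.
                task_info['Audit ImageFileName'] = (
                    task.SeAuditProcessCreationInfo.ImageFileName.Name
                    or 'UNKNOWN')

        ## Tasks whose PID could not be read all share the key -1, so a
        ## later one overwrites an earlier one; the dict shape is kept
        ## unchanged for existing callers.
        result[pid] = task_info
    return result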
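def calculate(self):
    """Walk the process list and return a dict of per-process records.

    Returns:
        dict mapping process id -> dict with the keys 'eprocess',
        'image_file_name', 'process_id', 'active_threads',
        'inherited_from', 'handle_count' and 'create_time'.  When
        ``self.opts.verbose`` is set and the task's PEB is truthy,
        'command_line', 'ImagePathName' and 'Audit ImageFileName' are
        added as well.  Falsy string fields are reported as 'UNKNOWN'
        and unreadable integer fields as -1.

    Side effects:
        ``self.profile`` is replaced by a fresh Profile().
    """
    def pid_or_default(value, default=-1):
        ## A genuine integer is kept even when it is 0: PID 0 is a
        ## legitimate value (the Idle process) and the System process
        ## reports parent PID 0, but ``value or -1`` collapsed both to -1
        ## and then made those records collide on the same result key.
        ## Anything else keeps the original truthiness fallback so an
        ## invalid read (e.g. a falsy NoneObject) still maps to ``default``.
        if isinstance(value, (int, long)):
            return value
        return value or default

    self.profile = Profile()
    ## Load a new address space
    addr_space = utils.load_as(self.opts)

    result = {}
    for task in pslist(addr_space, self.profile):
        pid = pid_or_default(task.UniqueProcessId.v())
        task_info = {
            'eprocess': task,
            'image_file_name': task.ImageFileName or 'UNKNOWN',
            'process_id': pid,
            ## NOTE(review): these two counts are stored as the raw
            ## objects; if a zero count is falsy it is also reported as -1.
            'active_threads': task.ActiveThreads or -1,
            'inherited_from': pid_or_default(
                task.InheritedFromUniqueProcessId.v()),
            'handle_count': task.ObjectTable.HandleCount or -1,
            'create_time': task.CreateTime,
        }

        ## Get the Process Environment Block - Note that _EPROCESS
        ## will automatically switch to process address space by
        ## itself.
        if self.opts.verbose:
            peb = task.Peb
            if peb:
                params = peb.ProcessParameters
                task_info['command_line'] = params.CommandLine
                task_info['ImagePathName'] = params.ImagePathName
                ## NOTE(review): the audit name is read from _EPROCESS,
                ## not the PEB, yet is only recorded when the PEB is
                ## available -- confirm that is intended.
                task_info['Audit ImageFileName'] = (
                    task.SeAuditProcessCreationInfo.ImageFileName.Name
                    or 'UNKNOWN')

        ## Tasks whose PID could not be read all share the key -1, so a
        ## later one overwrites an earlier one; the dict shape is kept
        ## unchanged for existing callers.
        result[pid] = task_info
    return result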
def calculate(self):
    """Run the per-process file-name walk through ``self.pid_generator``.

    For each process the inner generator yields every non-empty
    ``FileName`` value found among the objects returned by ``handles()``.
    """
    profile = Profile()
    addr_space = utils.load_as(self.opts)

    ## Grab all the handle tables from processes
    def files_in_pid(p):
        for handle in p.handles():
            name = handle.FileName.v()
            if not name:
                ## Skip handles that carry no file name.
                continue
            yield name

    return self.pid_generator(files_in_pid, addr_space, profile)
def calculate(self):
    """Run the per-process loaded-module walk through ``self.pid_generator``.

    For each process whose PEB is truthy and ``is_valid()``, the inner
    generator yields ``(BaseAddress, SizeOfImage, FullDllName)`` for every
    entry of the PEB's InLoadOrderModuleList; processes without a usable
    PEB yield nothing.
    """
    profile = Profile()
    addr_space = utils.load_as(self.opts)

    def list_modules(p):
        peb = p.Peb
        if not (peb and peb.is_valid()):
            return
        ## list all the modules attached to this peb:
        entries = peb.Ldr.InLoadOrderModuleList.list_of_type(
            "_LDR_MODULE", "InLoadOrderModuleList")
        for entry in entries:
            yield entry.BaseAddress, entry.SizeOfImage, entry.FullDllName

    return self.pid_generator(list_modules, addr_space, profile)
def calculate(self):
    """Locate the tcpip module and return a generator of its TCB connections.

    Returns a generator that, for every entry in ``module_versions``,
    yields whatever ``self.get_tcb_connections`` produces for that
    version's 'TCBTableOff' and 'SizeOff' offsets.  If no loaded module
    name contains "tcpip", a message is printed and None is returned
    (callers receive None, not an empty iterable).

    Side effects: sets ``self.profile`` and ``self.addr_space``.
    """
    self.profile = Profile()
    self.addr_space = utils.load_as(self.opts)

    ## Find the tcpip module:
    ## NOTE(review): this is a case-sensitive substring test and the
    ## first matching module in load order wins, so any other module
    ## whose name contains "tcpip" would be accepted -- confirm that is
    ## acceptable for the images this plugin targets.
    tcpip = None
    for mod in lsmod(self.addr_space, self.profile):
        if "tcpip" not in mod.FullDllName.v():
            continue
        tcpip = mod.BaseAddress.v()
        break

    if not tcpip:
        print "Unable to find tcpip module"
        return

    def connection_generator():
        ## Every known version's offsets are tried against the one base
        ## address, in the order module_versions happens to iterate.
        for offsets in module_versions.values():
            table_off = offsets['TCBTableOff'][0]
            size_off = offsets['SizeOff'][0]
            for conn in self.get_tcb_connections(tcpip, table_off, size_off):
                yield conn

    return connection_generator()
def calculate(self):
    """Locate the tcpip module and return a generator of its TCB connections.

    Returns a generator that, for every entry in ``module_versions``,
    yields whatever ``self.get_tcb_connections`` produces for that
    version's 'TCBTableOff' and 'SizeOff' offsets.  If no loaded module
    name contains "tcpip", a message is printed and None is returned
    (callers receive None, not an empty iterable).

    Side effects: sets ``self.profile`` and ``self.addr_space``.
    """
    self.profile = Profile()
    self.addr_space = utils.load_as(self.opts)

    ## Find the tcpip module:
    ## NOTE(review): this is a case-sensitive substring test and the
    ## first matching module in load order wins, so any other module
    ## whose name contains "tcpip" would be accepted -- confirm that is
    ## acceptable for the images this plugin targets.
    tcpip = None
    for mod in lsmod(self.addr_space, self.profile):
        if "tcpip" not in mod.FullDllName.v():
            continue
        tcpip = mod.BaseAddress.v()
        break

    if not tcpip:
        print "Unable to find tcpip module"
        return

    def connection_generator():
        ## Every known version's offsets are tried against the one base
        ## address, in the order module_versions happens to iterate.
        for offsets in module_versions.values():
            table_off = offsets['TCBTableOff'][0]
            size_off = offsets['SizeOff'][0]
            for conn in self.get_tcb_connections(tcpip, table_off, size_off):
                yield conn

    return connection_generator()