def _ScanProcess(self, process, scan_request, scan_response):
rdf_process = rdf_client.Process.FromPsutilProcess(process)
start_time = rdfvalue.RDFDatetime.Now()
try:
matches = self._GetMatches(process, scan_request)
scan_time = rdfvalue.RDFDatetime.Now() - start_time
scan_time_us = scan_time.ToInt(rdfvalue.MICROSECONDS)
except YaraTimeoutError:
scan_response.errors.Append(
rdf_memory.ProcessMemoryError(
process=rdf_process,
error="Scanning timed out (%s)." %
(rdfvalue.RDFDatetime.Now() - start_time)))
return
except Exception as e: # pylint: disable=broad-except
scan_response.errors.Append(
rdf_memory.ProcessMemoryError(process=rdf_process,
error=str(e)))
return
if matches:
scan_response.matches.Append(
rdf_memory.YaraProcessScanMatch(process=rdf_process,
match=matches,
scan_time_us=scan_time_us))
else:
scan_response.misses.Append(
rdf_memory.YaraProcessScanMiss(process=rdf_process,
scan_time_us=scan_time_us))
def _ScanProcess(self, process, scan_request, scan_response):
rdf_process = rdf_client.Process.FromPsutilProcess(process)
# TODO: Replace time.time() arithmetic with RDFDatetime
# subtraction.
start_time = time.time()
try:
matches = self._GetMatches(process, scan_request)
scan_time = time.time() - start_time
scan_time_us = int(scan_time * 1e6)
except yara.TimeoutError:
scan_response.errors.Append(
rdf_memory.ProcessMemoryError(
process=rdf_process,
error="Scanning timed out (%s seconds)." %
(time.time() - start_time)))
return
except Exception as e: # pylint: disable=broad-except
scan_response.errors.Append(
rdf_memory.ProcessMemoryError(process=rdf_process,
error=str(e)))
return
if matches:
scan_response.matches.Append(
rdf_memory.YaraProcessScanMatch(process=rdf_process,
match=matches,
scan_time_us=scan_time_us))
else:
scan_response.misses.Append(
rdf_memory.YaraProcessScanMiss(process=rdf_process,
scan_time_us=scan_time_us))
def Run(self, args):
if args.prioritize_offsets and len(args.pids) != 1:
raise ValueError(
"Supplied prioritize_offsets {} for PIDs {} in YaraProcessDump. "
"Required exactly one PID.".format(args.prioritize_offsets,
args.pids))
result = rdf_memory.YaraProcessDumpResponse()
for p in ProcessIterator(args.pids, args.process_regex, None,
args.ignore_grr_process, result.errors):
self.Progress()
start = rdfvalue.RDFDatetime.Now()
try:
response = self.DumpProcess(p, args)
now = rdfvalue.RDFDatetime.Now()
response.dump_time_us = (now - start).ToInt(
rdfvalue.MICROSECONDS)
result.dumped_processes.Append(response)
if response.error:
# Limit exceeded, we bail out early.
break
except Exception as e: # pylint: disable=broad-except
result.errors.Append(
rdf_memory.ProcessMemoryError(
process=rdf_client.Process.FromPsutilProcess(p),
error=str(e)))
continue
self.SendReply(result)
def Run(self, args):
result = rdf_memory.YaraProcessDumpResponse()
self.bytes_written = 0
for p in ProcessIterator(args.pids, args.process_regex,
args.ignore_grr_process, result.errors):
self.Progress()
start_time = time.time()
try:
response = self.DumpProcess(p, args)
response.dump_time_us = int((time.time() - start_time) * 1e6)
result.dumped_processes.Append(response)
if response.error:
# Limit exceeded, we bail out early.
break
except Exception as e: # pylint: disable=broad-except
result.errors.Append(
rdf_memory.ProcessMemoryError(
process=rdf_client.Process.FromPsutilProcess(p),
error=str(e)))
continue
self.SendReply(result)
def _GenerateSample(self, **kwargs):
process = rdf_client.Process(pid=2,
ppid=1,
cmdline=["cmd.exe"],
exe="c:\\windows\\cmd.exe",
ctime=1333718907167083)
return rdf_memory.ProcessMemoryError(process=process, **kwargs)
def ProcessIterator(pids, process_regex_string, cmdline_regex_string,
ignore_grr_process, error_list):
"""Yields all (psutil-) processes that match certain criteria.
Args:
pids: A list of pids. If given, only the processes with those pids are
returned.
process_regex_string: If given, only processes whose name matches the regex
are returned.
cmdline_regex_string: If given, only processes whose cmdline matches the
regex are returned.
ignore_grr_process: If True, the grr process itself will not be returned.
error_list: All errors while handling processes are appended to this list.
Type is repeated ProcessMemoryError.
Yields:
psutils.Process objects matching all criteria.
"""
pids = set(pids)
if ignore_grr_process:
grr_pid = psutil.Process().pid
else:
grr_pid = -1
if process_regex_string:
process_regex = re.compile(process_regex_string)
else:
process_regex = None
if cmdline_regex_string:
cmdline_regex = re.compile(cmdline_regex_string)
else:
cmdline_regex = None
if pids:
process_iterator = []
for pid in pids:
try:
process_iterator.append(psutil.Process(pid=pid))
except Exception as e: # pylint: disable=broad-except
error_list.Append(
rdf_memory.ProcessMemoryError(
process=rdf_client.Process(pid=pid), error=str(e)))
else:
process_iterator = psutil.process_iter()
for p in process_iterator:
if process_regex and not process_regex.search(p.name()):
continue
if cmdline_regex and not cmdline_regex.search(" ".join(p.cmdline())):
continue
if p.pid == grr_pid:
continue
yield p
def Run(self, args):
result = rdf_memory.YaraProcessScanResponse()
for p in ProcessIterator(args.pids, args.process_regex,
args.ignore_grr_process, result.errors):
self.Progress()
n_results = len(result.errors) + len(result.matches) + len(
result.misses)
if n_results >= self._RESULTS_PER_RESPONSE:
self.SendReply(result)
result = rdf_memory.YaraProcessScanResponse()
rdf_process = rdf_client.Process.FromPsutilProcess(p)
start_time = time.time()
try:
matches = self._ScanProcess(p, args)
scan_time = time.time() - start_time
scan_time_us = int(scan_time * 1e6)
except yara.TimeoutError:
result.errors.Append(
rdf_memory.ProcessMemoryError(
process=rdf_process,
error="Scanning timed out (%s seconds)." %
(time.time() - start_time)))
continue
except Exception as e: # pylint: disable=broad-except
result.errors.Append(
rdf_memory.ProcessMemoryError(process=rdf_process,
error=str(e)))
continue
if matches:
result.matches.Append(
rdf_memory.YaraProcessScanMatch(process=rdf_process,
match=matches,
scan_time_us=scan_time_us))
else:
result.misses.Append(
rdf_memory.YaraProcessScanMiss(process=rdf_process,
scan_time_us=scan_time_us))
self.SendReply(result)
