def Run(self, args): result = rdf_yara.YaraProcessScanResponse() for p in ProcessIterator(args.pids, args.process_regex, args.ignore_grr_process, result.errors): self.Progress() rdf_process = rdf_client.Process.FromPsutilProcess(p) start_time = time.time() try: matches = self._ScanProcess(p, args) scan_time = time.time() - start_time scan_time_us = int(scan_time * 1e6) except yara.TimeoutError: result.errors.Append( rdf_yara.YaraProcessError( process=rdf_process, error="Scanning timed out (%s seconds)." % (time.time() - start_time))) continue except Exception as e: # pylint: disable=broad-except result.errors.Append( rdf_yara.YaraProcessError(process=rdf_process, error=str(e))) continue if matches: result.matches.Append( rdf_yara.YaraProcessScanMatch( process=rdf_process, match=matches, scan_time_us=scan_time_us)) else: result.misses.Append( rdf_yara.YaraProcessScanMiss( process=rdf_process, scan_time_us=scan_time_us)) self.SendReply(result)
def Run(self, args): result = rdf_yara.YaraProcessDumpResponse() self.bytes_written = 0 for p in ProcessIterator(args.pids, args.process_regex, args.ignore_grr_process, result.errors): self.Progress() start_time = time.time() try: response = self.DumpProcess(p, args) response.dump_time_us = int((time.time() - start_time) * 1e6) result.dumped_processes.Append(response) if response.error: # Limit exceeded, we bail out early. break except Exception as e: # pylint: disable=broad-except result.errors.Append( rdf_yara.YaraProcessError( process=rdf_client.Process.FromPsutilProcess(p), error=str(e))) continue self.SendReply(result)
def ProcessIterator(pids, process_regex_string, ignore_grr_process, error_list): """Yields all (psutil-) processes that match certain criteria. Args: pids: A list of pids. If given, only the processes with those pids are returned. process_regex_string: If given, only processes whose name matches the regex are returned. ignore_grr_process: If True, the grr process itself will not be returned. error_list: All errors while handling processes are appended to this list. Type is repeated YaraProcessError. Yields: psutils.Process objects matching all criteria. """ pids = set(pids) if ignore_grr_process: grr_pid = psutil.Process().pid else: grr_pid = -1 if process_regex_string: process_regex = re.compile(process_regex_string) else: process_regex = None if pids: process_iterator = [] for pid in pids: try: process_iterator.append(psutil.Process(pid=pid)) except Exception as e: # pylint: disable=broad-except error_list.Append( rdf_yara.YaraProcessError( process=rdf_client.Process(pid=pid), error=str(e))) else: process_iterator = psutil.process_iter() for p in process_iterator: if process_regex and not process_regex.search(p.name()): continue if p.pid == grr_pid: continue yield p