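def getProcesses(self):
    ''' Get information about all non-system processes
    -> list(Process)
    @command: wmic path Win32_Process get CommandLine, CreationDate, ExecutablePath, Name, ProcessId
    @raise Exception: if WMI query failed

    Rows whose ProcessId is '-1' or not purely numeric are skipped with a
    debug message (system pseudo-processes).
    '''
    queryBuilder = self._provider.getBuilder('Win32_Process')
    queryBuilder.addWmiObjectProperties('Name', 'ProcessId', 'CommandLine',
                                        'ExecutablePath', 'CreationDate')
    # Raw string so '\S' / '\s' reach the regex engine instead of being
    # treated as (invalid) string escapes.
    argsPattern = re.compile(r'("[^"]+"|[^"]\S+)\s+(.+)$')
    processes = []
    for info in self._provider.getAgent().getWmiData(queryBuilder):
        name = info.Name
        pid = info.ProcessId
        if pid == '-1' or not str(pid).isdigit():
            logger.debug("Skip process '%s'. It is system process or has non numeric PID" % name)
            continue
        startupTime = info.CreationDate
        try:
            startupTime = modeling.getDateFromUtcString(startupTime)
        except ValueError as ve:
            logger.warn(str(ve))
            startupTime = None
        # NOTE(review): startupTime is parsed but never attached to the
        # Process object below; confirm whether Process has a setter for it.
        cmdline = self.__getCommandLineWithProcessName(info.CommandLine, name)
        # argument list = everything after the first (possibly quoted) token
        argsMatch = argsPattern.match(cmdline)
        parameters = argsMatch and argsMatch.group(2) or None
        process = Process(name, cmdline)
        process.setPid(pid)
        process.parameters = parameters
        process.path = info.ExecutablePath
        processes.append(process)
    # Return the collected list so the documented '-> list(Process)' holds.
    return processes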
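def getProcesses(self):
    ''' Get information about all non-system processes
    -> list(Process)
    @command: wmic path Win32_Process get CommandLine, CreationDate, ExecutablePath, Name, ProcessId
    @raise Exception: if WMI query failed

    A row is skipped (debug log) when its ProcessId is '-1' or contains
    anything but digits; such rows are system pseudo-processes.
    '''
    builder = self._provider.getBuilder('Win32_Process')
    builder.addWmiObjectProperties('Name', 'ProcessId', 'CommandLine',
                                   'ExecutablePath', 'CreationDate')
    # first token (quoted or bare), whitespace, then the argument list
    argumentsPattern = re.compile(r'("[^"]+"|[^"]\S+)\s+(.+)$')
    result = []
    for row in self._provider.getAgent().getWmiData(builder):
        name = row.Name
        pid = row.ProcessId
        if pid == '-1' or not str(pid).isdigit():
            logger.debug("Skip process '%s'. It is system process or has non numeric PID" % name)
            continue
        startupTime = row.CreationDate
        try:
            startupTime = modeling.getDateFromUtcString(startupTime)
        except ValueError as ve:
            logger.warn(str(ve))
            startupTime = None
        # NOTE(review): startupTime is computed but not stored on the
        # Process; verify whether that was intended.
        cmdline = self.__getCommandLineWithProcessName(row.CommandLine, name)
        match = argumentsPattern.match(cmdline)
        process = Process(name, cmdline)
        process.setPid(pid)
        process.parameters = match and match.group(2) or None
        process.path = row.ExecutablePath
        result.append(process)
    # documented contract is a list of Process objects
    return result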
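def findAllProcessesByWmi(self):
    ''' Find all processes running on the system
    @types: -> list(process.Process)
    @command: wmic process get commandLine, creationdate, executablepath, name, processId

    Rows without a name, and rows whose PID is '-1' or non-numeric (system
    pseudo-processes), are logged and skipped rather than reported.
    '''
    provider = self._getWmiAgentProvider()
    queryBuilder = provider.getBuilder('Win32_Process')
    queryBuilder.addWmiObjectProperties('name', 'processId', 'commandLine',
                                        'executablepath', 'creationdate',
                                        'ParentProcessId')
    # raw string: '\S' and '\s' must reach the regex engine
    argsPattern = re.compile(r'("[^"]+"|[^"]\S+)\s+(.+)$')
    processes = []
    agent = provider.getAgent()
    results = agent.getWmiData(queryBuilder)
    for item in results:
        name = item.name
        if not name:
            logger.warn("Skipped process without name. CommandLine: %s" % item.commandLine)
            continue
        pid = item.processId
        # str(...).isdigit() works for str and unicode alike (isnumeric()
        # exists only on unicode) and matches the ParentProcessId check below.
        if pid == '-1' or not str(pid).isdigit():
            logger.debug("Skipped process '%s'. It is system process or has non numeric PID" % name)
            continue
        commandLine = self.__fixMissedProcessNameInCommandLine(name, item.commandLine)
        process = process_module.Process(name, pid, commandLine=commandLine)
        process.executablePath = item.executablepath
        parentPid = item.ParentProcessId
        if parentPid and str(parentPid).isdigit():
            process.setParentPid(parentPid)
        processStartupTimeString = item.creationdate
        if processStartupTimeString:
            try:
                startupDate = modeling.getDateFromUtcString(processStartupTimeString)
                process.setStartupTime(startupDate)
            except:  # NOTE(review): kept broad - best-effort field; the parser may raise Java exceptions under Jython
                logger.debug("Failed parsing date from UTC string '%s'" % processStartupTimeString)
        # argument line = everything after the first (possibly quoted) token.
        # Guarded: commandLine can be empty for some rows (presumably
        # protected processes) and re.match(None) raises TypeError.
        if process.commandLine:
            argsMatch = argsPattern.match(process.commandLine)
            if argsMatch:
                process.argumentLine = argsMatch.group(2)
        processes.append(process)
    return processes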
def getOperatingSystemInfo(self):
    '''@types: -> HostDo
    @raise Exception: if wmi query failed

    Fills a HostDo from the Win32_OperatingSystem WMI class. Every field is
    optional: an empty value is logged and the attribute is left unset.
    '''
    normalize = self.__normalizeWindowsOSAndType
    hostDo = HostDo()
    builder = self._wmiProvider.getBuilder('Win32_OperatingSystem')
    builder.addWmiObjectProperties('Caption', 'otherTypeDescription', 'Version',
                                   'BuildNumber', 'csdversion', 'lastBootUpTime',
                                   'registeredUser', 'totalVisibleMemorySize',
                                   'organization')
    for osData in self._wmiProvider.getAgent().getWmiData(builder):
        caption = osData.Caption
        if not caption:
            logger.warn("Caption field is empty. Host OS name, installation type and vendor will not be parsed out.")
        else:
            # a blank description is passed to separateCaption as None, not ''
            otherType = osData.otherTypeDescription or None
            vendor, osName, installType = separateCaption(normalize(caption),
                                                          normalize(otherType))
            hostDo.hostOsName = osName
            hostDo.installType = installType
            hostDo.vendor = vendor
            hostDo.registeredOwner = osData.registeredUser
            hostDo.physicalMemory = osData.totalVisibleMemorySize
            hostDo.organization = osData.organization
        version = osData.Version
        if version:
            hostDo.ntVersion = normalize(version)
        else:
            logger.warn('Version field is empty. Skipping.')
        csdVersion = osData.csdversion
        if csdVersion:
            # NOTE(review): a bare '__'-prefixed name used inside a class body
            # is subject to private-name mangling; confirm it resolves at runtime.
            hostDo.servicePack = __parseServicePack(normalize(csdVersion))
        else:
            logger.warn('Service pack field is empty. Skipping.')
        buildNumber = osData.BuildNumber
        if buildNumber:
            hostDo.buildNumber = buildNumber
        else:
            logger.warn('Build number filed is empty. Skipping')
        lastBoot = osData.lastBootUpTime
        try:
            hostDo.lastBootDate = modeling.getDateFromUtcString(lastBoot)
        except:  # parse failure is non-fatal; the parser may raise Java exceptions under Jython
            logger.warn("Failed to parse last boot date from value '%s'" % lastBoot)
    return hostDo
def setLastBootUpTime(hostOSH, lastBootUpTime):
    '''Set 'host_last_boot_time' on hostOSH from a WMI UTC date string.

    An empty value, or one modeling.getDateFromUtcString cannot parse, is
    only logged at debug level and the attribute is left untouched.
    @param hostOSH: OSH receiving the date attribute
    @param lastBootUpTime: raw lastBootUpTime value from the WMI query
    '''
    if not lastBootUpTime:
        logger.debug("WMI: query returned empty lastBootUpTime field")
        return
    try:
        bootDate = modeling.getDateFromUtcString(lastBootUpTime)
    except:  # broad on purpose: parse failure is non-fatal (may be a Java exception under Jython)
        logger.debug("WMI: query returned lastBootUpTime that failed to be parsed: %s" % lastBootUpTime)
        return
    hostOSH.setDateAttribute('host_last_boot_time', bootDate)
def setLastModificationTimeInUTC(self, timeInUTC):
    ''' Parse java.util.Date from provided str
    str -> None
    @param timeInUTC: last modification time in utc
    @type timeInUTC: str
    @return: None
    @raise ValueError: if the value is empty or could not be parsed
    '''
    if not timeInUTC:
        # an empty/None value is rejected with the same error type a
        # malformed string produces
        raise ValueError('Not a UTC: %s' % timeInUTC)
    self.__lastModificationTime = modeling.getDateFromUtcString(timeInUTC)
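def __getWindowsWmicFileLastModificationTime(shell, fileName):
    '''Query the LastModified timestamp of a file through "wmic datafile".

    @param shell: shell client exposing execCmd() and getLastCmdReturnCode()
    @param fileName: full Windows path of the file (backslash separators)
    @return: date built by getDateFromUtcString from the first
             LastModified=<UTC> line of the output, or None if no such line
    @raise ValueError: if fileName is empty or contains characters that
             cannot be placed inside the quoted WQL/cmd string, or if wmic
             produced no output, a non-zero return code or an error marker
    '''
    if not fileName:
        raise ValueError("File name is null or empty")
    # fileName is interpolated into a cmd.exe line *and* a single-quoted WQL
    # literal. A quote character or line break would end either quoting
    # context and let the rest of the name be parsed as command/query text,
    # so such names are rejected instead of passed through.
    for forbidden in ('"', "'", '\r', '\n'):
        if forbidden in fileName:
            raise ValueError("File name contains unsupported character %r: %s" % (forbidden, fileName))
    # WQL uses backslash as its escape character
    escapedFileName = fileName.replace('\\', '\\\\')
    # stdin is redirected from win.ini - presumably so wmic does not wait on input
    command = 'wmic datafile where "name = \'%s\'" get LastModified /format:list < %%SystemRoot%%\\win.ini' % escapedFileName
    output = shell.execCmd(command)
    if not (output and shell.getLastCmdReturnCode() == 0 and output.find(__WMIC_ERROR) == -1):
        raise ValueError("Output is empty or incorrect either error code is not zero. File name: %s" % fileName)
    pattern = re.compile(r"LastModified=([\d.+-]{%s})" % UTC_DATE_LENGTH)
    for line in output.split('\n'):
        matcher = pattern.match(line.strip())
        if matcher:
            return getDateFromUtcString(matcher.group(1))
    # no LastModified line in a successful output: caller sees None (as before)
    return None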
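def findAllProcessesByWmi(self):
    ''' Find all processes running on the system
    @types: -> list(process.Process)
    @command: wmic process get commandLine, creationdate, executablepath, name, processId

    Nameless rows and rows whose PID is '-1' or non-numeric (system
    pseudo-processes) are logged and skipped.
    '''
    provider = self._getWmiAgentProvider()
    builder = provider.getBuilder('Win32_Process')
    builder.addWmiObjectProperties('name', 'processId', 'commandLine',
                                   'executablepath', 'creationdate',
                                   'ParentProcessId')
    # raw string: '\S' and '\s' are regex escapes, not string escapes
    argumentsPattern = re.compile(r'("[^"]+"|[^"]\S+)\s+(.+)$')
    found = []
    for item in provider.getAgent().getWmiData(builder):
        name = item.name
        if not name:
            logger.warn("Skipped process without name. CommandLine: %s" % item.commandLine)
            continue
        pid = item.processId
        # str(...).isdigit() is available on str and unicode (isnumeric() is
        # unicode-only) and is the same test used for ParentProcessId.
        if pid == '-1' or not str(pid).isdigit():
            logger.debug("Skipped process '%s'. It is system process or has non numeric PID" % name)
            continue
        commandLine = self.__fixMissedProcessNameInCommandLine(name, item.commandLine)
        process = process_module.Process(name, pid, commandLine=commandLine)
        process.executablePath = item.executablepath
        parentPid = item.ParentProcessId
        if parentPid and str(parentPid).isdigit():
            process.setParentPid(parentPid)
        startupString = item.creationdate
        if startupString:
            try:
                process.setStartupTime(modeling.getDateFromUtcString(startupString))
            except:  # NOTE(review): kept broad - best-effort field; parser may raise Java exceptions under Jython
                logger.debug("Failed parsing date from UTC string '%s'" % startupString)
        # argument line = text after the first (possibly quoted) token; an
        # empty command line (presumably protected processes) is skipped
        # because re.match(None) raises TypeError
        if process.commandLine:
            match = argumentsPattern.match(process.commandLine)
            if match:
                process.argumentLine = match.group(2)
        found.append(process)
    return found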
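def getWindowsWmiFileLastModificationTime(client, fileName):
    '''Return the LastModified date of a file via a WMI CIM_Datafile query.

    @param client: WMI client exposing executeQuery(wql).asTable()
    @param fileName: full Windows path of the file
    @return: date from getDateFromUtcString, or None if the query returned
             no row or the value could not be parsed (both logged as warnings)
    @raise ValueError: if fileName is empty
    '''
    if not fileName:
        raise ValueError("File name is null or empty")
    # fileName becomes a single-quoted WQL literal. WQL escapes with a
    # backslash, so the backslash itself *and* the quote character must be
    # escaped; otherwise a quote in the name ends the literal and the rest of
    # the name is interpreted as query text.
    escapedFileName = fileName.replace('\\', '\\\\').replace("'", "\\'")
    query = "Select LastModified from CIM_Datafile Where name = '%s'" % escapedFileName
    resultTable = client.executeQuery(query).asTable()
    modificationTime = None
    if resultTable and resultTable[0]:
        try:
            modificationTime = getDateFromUtcString(resultTable[0][0])
        except:  # broad on purpose: parse failure is reported, not raised (may be a Java exception under Jython)
            logger.warn('Failed getting last modification time for file: %s' % fileName)
    else:
        logger.warn('Failed getting last modification time for file: %s' % fileName)
    return modificationTime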
def getDateFromCimDate(cimDateTime):
    ''' CimDateTime -> java.util.Date

    Only javax.cim.CIMDateTimeAbsolute is supported: its string form (e.g.
    20121103140952.000000+000) is handed to modeling.getDateFromUtcString
    after every '*' has been replaced with '0'.
    @return: None when cimDateTime is None
    @raise ValueError: for any other CIM date-time class
    '''
    if cimDateTime is None:
        return None
    supportedClasses = ("javax.cim.CIMDateTimeAbsolute", )
    className = cimDateTime.getClass().getName()
    if className not in supportedClasses:
        raise ValueError("Unsupported type")
    rawDate = cimDateTime.getDateTimeString()
    # '*' marks an unspecified field (seen in the time-zone part); every
    # occurrence in the string is replaced, not only the zone suffix
    return modeling.getDateFromUtcString(re.sub(r"\*", "0", rawDate))
def getOperatingSystemInfo(self):
    '''@types: -> HostDo
    @raise Exception: if wmi query failed

    Populates a HostDo from Win32_OperatingSystem. Each field is optional;
    an empty value is logged as a warning and the attribute stays unset.
    '''
    normalize = self.__normalizeWindowsOSAndType
    warn = logger.warn
    hostDo = HostDo()
    queryBuilder = self._wmiProvider.getBuilder('Win32_OperatingSystem')
    queryBuilder.addWmiObjectProperties('Caption', 'otherTypeDescription', 'Version',
                                        'BuildNumber', 'csdversion', 'lastBootUpTime',
                                        'registeredUser', 'totalVisibleMemorySize',
                                        'organization')
    rows = self._wmiProvider.getAgent().getWmiData(queryBuilder)
    for row in rows:
        if row.Caption:
            # blank description -> None for separateCaption
            description = row.otherTypeDescription or None
            vendor, osName, installType = separateCaption(normalize(row.Caption),
                                                          normalize(description))
            hostDo.hostOsName = osName
            hostDo.installType = installType
            hostDo.vendor = vendor
            hostDo.registeredOwner = row.registeredUser
            hostDo.physicalMemory = row.totalVisibleMemorySize
            hostDo.organization = row.organization
        else:
            warn("Caption field is empty. Host OS name, installation type and vendor will not be parsed out.")
        if row.Version:
            hostDo.ntVersion = normalize(row.Version)
        else:
            warn('Version field is empty. Skipping.')
        if row.csdversion:
            # NOTE(review): bare '__'-prefixed names inside a class body are
            # name-mangled; confirm this reference resolves at runtime.
            hostDo.servicePack = __parseServicePack(normalize(row.csdversion))
        else:
            warn('Service pack field is empty. Skipping.')
        if row.BuildNumber:
            hostDo.buildNumber = row.BuildNumber
        else:
            warn('Build number filed is empty. Skipping')
        try:
            hostDo.lastBootDate = modeling.getDateFromUtcString(row.lastBootUpTime)
        except:  # non-fatal; parser may raise Java exceptions under Jython
            warn("Failed to parse last boot date from value '%s'" % row.lastBootUpTime)
    return hostDo
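# First token of a command line: a quoted string or the text up to the first
# whitespace. NOTE(review): the leading '(:?' (rather than '(?:') makes group 1
# the whole alternation, which is what group(1) below relies on; keep as is.
_FIRST_CMD_TOKEN_PATTERN = re.compile(r'(:?["\'](.*?)["\']|(.*?)\s)')
# first token (quoted or bare), whitespace, then the argument line
_CMD_ARGS_PATTERN = re.compile(r'("[^"]+"|[^"]\S+)\s+(.+)$')


def _ensureProcessNameInCommandLine(processName, commandLine):
    '''Prefix commandLine with processName when its first token does not end with it.

    The first token is stripped of quotes and compared case-insensitively,
    both against the full name and the name without extension. A name
    without a '.' is never prefixed (original behaviour preserved).
    @return: the command line, prefixed with the name when needed
    '''
    # NOTE(review): an empty/None commandLine raises TypeError here, as before
    matchObj = _FIRST_CMD_TOKEN_PATTERN.match(commandLine)
    if matchObj and matchObj.groups():
        firstToken = matchObj.group(1).strip()
    else:
        firstToken = commandLine.strip()
    firstToken = re.sub('[\'"]', '', firstToken).lower()
    nameLower = processName.lower()
    if firstToken.endswith(nameLower):
        return commandLine
    extStartPos = nameLower.rfind('.')
    if extStartPos == -1 or firstToken.endswith(nameLower[:extStartPos]):
        return commandLine
    return '%s %s' % (processName, commandLine)


def _parseWmicStartupTime(startupTimeString):
    '''Convert a WMI creationdate string to getTime() millis; None if empty or unparsable.

    A parse failure is reported as a warning object (error code
    PROCESS_STARTUP_TIME_ATTR_NOT_SET) instead of being raised.
    '''
    if not startupTimeString:
        return None
    try:
        return modeling.getDateFromUtcString(startupTimeString).getTime()
    except:  # broad on purpose: best-effort attribute; parser may raise Java exceptions under Jython
        errobj = errorobject.createError(
            errorcodes.PROCESS_STARTUP_TIME_ATTR_NOT_SET,
            ['NTCMD', startupTimeString],
            "%s: Process startup time attribute is not set due to error while parsing date string '%s'" % ('NTCMD', startupTimeString))
        logger.reportWarningObject(errobj)
        return None


def discoverProcessesByWmic(client, OSHVResult, hostID, Framework, pid2Process=None):
    ''' Discover system processes, report them and save in probe DB.
    Shell, oshVector, str, Framework, map[str, str] -> bool
    @command: wmic process get commandLine, creationdate, executablepath, name, processId

    @param client: client handed to wmiutils.getWmiProvider
    @param OSHVResult: vector receiving one process OSH per distinct PID; None skips reporting
    @param hostID: CMDB id of the host owning the processes
    @param Framework: probe framework handed to ProcessDbUtils
    @param pid2Process: optional map that receives (putAll) the DB utils' process/cmd map
    @return: 1 on success, 0 if the wmic query failed (logged, not raised)
    '''
    wmiProvider = wmiutils.getWmiProvider(client)
    queryBuilder = wmiProvider.getBuilder('Win32_Process')
    queryBuilder.usePathCommand(1)
    queryBuilder.addWmiObjectProperties('name', 'processId', 'commandLine',
                                        'executablepath', 'creationdate')
    wmicAgent = wmiProvider.getAgent()
    try:
        processItems = wmicAgent.getWmiData(queryBuilder)
    except:  # query failure is reported through the return value
        logger.debugException('Failed getting processes information via wmic')
        return 0
    pdu = None
    try:
        pdu = processdbutils.ProcessDbUtils(Framework)
        reportedPids = set()
        hostOSH = None
        for processItem in processItems:
            processName = processItem.name
            if not processName:
                continue
            processPid = processItem.processId
            # str(...).isdigit() works on str and unicode (isnumeric is unicode-only)
            if processPid == '-1' or not str(processPid).isdigit():
                logger.debug("Process '%s' is system process or has non numeric pid" % processName)
                continue
            processExecutablePath = processItem.executablepath
            processStartupTime = _parseWmicStartupTime(processItem.creationdate)
            processCommandLine = _ensureProcessNameInCommandLine(processName, processItem.commandLine)
            processArgs = None
            argsMatch = _CMD_ARGS_PATTERN.match(processCommandLine)
            if argsMatch:
                processArgs = argsMatch.group(2)
            # every row goes to the DB; only the first row per PID is reported
            pdu.addProcess(hostID, processName, processPid, processCommandLine,
                           processExecutablePath, processArgs, None, processStartupTime)
            if processPid in reportedPids:
                logger.debug("Process: '%s' already reported" % processName)
                continue
            reportedPids.add(processPid)
            if OSHVResult is not None:
                if hostOSH is None:
                    hostOSH = modeling.createOshByCmdbIdString('host', hostID)
                processOsh = modeling.createProcessOSH(processName, hostOSH, processCommandLine,
                                                       processPid, processExecutablePath,
                                                       None, None, processStartupTime)
                OSHVResult.add(processOsh)
        pdu.flushHostProcesses(hostID)
        if pid2Process is not None:
            pid2Process.putAll(pdu.getProcessCmdMap())
    finally:
        if pdu is not None:
            pdu.close()
    return 1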
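# Leading token of a command line: a quoted string, or text up to the first
# whitespace. NOTE(review): '(:?' (not '(?:') makes group 1 the entire
# alternation; group(1) below depends on that, so the spelling is kept.
_FIRST_CMD_TOKEN_PATTERN = re.compile(r'(:?["\'](.*?)["\']|(.*?)\s)')
# leading token (quoted or bare), whitespace, then the argument line
_CMD_ARGS_PATTERN = re.compile(r'("[^"]+"|[^"]\S+)\s+(.+)$')


def _ensureProcessNameInCommandLine(processName, commandLine):
    '''Return commandLine prefixed with processName unless its first token already ends with it.

    The first token is unquoted and lower-cased, then compared against the
    full name and the name without extension. A name with no '.' is never
    prefixed (original behaviour preserved).
    '''
    # NOTE(review): None/empty commandLine raises TypeError here, as before
    tokenMatch = _FIRST_CMD_TOKEN_PATTERN.match(commandLine)
    if tokenMatch and tokenMatch.groups():
        firstToken = tokenMatch.group(1).strip()
    else:
        firstToken = commandLine.strip()
    firstToken = re.sub('[\'"]', '', firstToken).lower()
    nameLower = processName.lower()
    if firstToken.endswith(nameLower):
        return commandLine
    extStartPos = nameLower.rfind('.')
    if extStartPos == -1 or firstToken.endswith(nameLower[:extStartPos]):
        return commandLine
    return '%s %s' % (processName, commandLine)


def _parseWmicStartupTime(startupTimeString):
    '''WMI creationdate string -> getTime() millis, or None if empty/unparsable.

    Parse failures are reported as a warning object with error code
    PROCESS_STARTUP_TIME_ATTR_NOT_SET rather than raised.
    '''
    if not startupTimeString:
        return None
    try:
        return modeling.getDateFromUtcString(startupTimeString).getTime()
    except:  # broad on purpose: best-effort attribute; parser may raise Java exceptions under Jython
        errobj = errorobject.createError(
            errorcodes.PROCESS_STARTUP_TIME_ATTR_NOT_SET,
            ['NTCMD', startupTimeString],
            "%s: Process startup time attribute is not set due to error while parsing date string '%s'" % ('NTCMD', startupTimeString))
        logger.reportWarningObject(errobj)
        return None


def discoverProcessesByWmic(client, OSHVResult, hostID, Framework, pid2Process=None):
    ''' Discover system processes, report them and save in probe DB.
    Shell, oshVector, str, Framework, map[str, str] -> bool
    @command: wmic process get commandLine, creationdate, executablepath, name, processId

    @param client: client handed to wmiutils.getWmiProvider
    @param OSHVResult: vector receiving one process OSH per distinct PID; None skips reporting
    @param hostID: CMDB id of the host owning the processes
    @param Framework: probe framework handed to ProcessDbUtils
    @param pid2Process: optional map that receives (putAll) the DB utils' process/cmd map
    @return: 1 on success, 0 if the wmic query failed (logged, not raised)
    '''
    wmiProvider = wmiutils.getWmiProvider(client)
    queryBuilder = wmiProvider.getBuilder('Win32_Process')
    queryBuilder.usePathCommand(1)
    queryBuilder.addWmiObjectProperties('name', 'processId', 'commandLine',
                                        'executablepath', 'creationdate')
    wmicAgent = wmiProvider.getAgent()
    try:
        processItems = wmicAgent.getWmiData(queryBuilder)
    except:  # failure is signalled through the return value
        logger.debugException('Failed getting processes information via wmic')
        return 0
    pdu = None
    try:
        pdu = processdbutils.ProcessDbUtils(Framework)
        reportedPids = set()
        hostOSH = None
        for processItem in processItems:
            processName = processItem.name
            if not processName:
                continue
            processPid = processItem.processId
            # str(...).isdigit() is defined for str and unicode (isnumeric is unicode-only)
            if processPid == '-1' or not str(processPid).isdigit():
                logger.debug("Process '%s' is system process or has non numeric pid" % processName)
                continue
            processExecutablePath = processItem.executablepath
            processStartupTime = _parseWmicStartupTime(processItem.creationdate)
            processCommandLine = _ensureProcessNameInCommandLine(processName, processItem.commandLine)
            processArgs = None
            argsMatch = _CMD_ARGS_PATTERN.match(processCommandLine)
            if argsMatch:
                processArgs = argsMatch.group(2)
            # all rows are stored; only the first row per PID is reported as an OSH
            pdu.addProcess(hostID, processName, processPid, processCommandLine,
                           processExecutablePath, processArgs, None, processStartupTime)
            if processPid in reportedPids:
                logger.debug("Process: '%s' already reported" % processName)
                continue
            reportedPids.add(processPid)
            if OSHVResult is not None:
                if hostOSH is None:
                    hostOSH = modeling.createOshByCmdbIdString('host', hostID)
                processOsh = modeling.createProcessOSH(processName, hostOSH, processCommandLine,
                                                       processPid, processExecutablePath,
                                                       None, None, processStartupTime)
                OSHVResult.add(processOsh)
        pdu.flushHostProcesses(hostID)
        if pid2Process is not None:
            pid2Process.putAll(pdu.getProcessCmdMap())
    finally:
        if pdu is not None:
            pdu.close()
    return 1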