
Source Code for Module rekall.plugins.linux.pstree

 1  # This file is part of Rekall Memory Forensics. 
 2  # Copyright (C) 2007-2013 Volatility Foundation 
 3  # Copyright 2013 Google Inc. All Rights Reserved. 
 4  # 
 5  # Rekall Memory Forensics is free software; you can redistribute it and/or modify 
 6  # it under the terms of the GNU General Public License Version 2 as 
 7  # published by the Free Software Foundation.  You may not use, modify or 
 8  # distribute this program under any other version of the GNU General 
 9  # Public License. 
10  # 
11  # Rekall Memory Forensics is distributed in the hope that it will be useful, 
12  # but WITHOUT ANY WARRANTY; without even the implied warranty of 
13  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
14  # GNU General Public License for more details. 
15  # 
16  # You should have received a copy of the GNU General Public License 
17  # along with Rekall Memory Forensics.  If not, see <http://www.gnu.org/licenses/>. 
18  # 
19   
20  """ 
21  @author:       Andrew Case 
22  @license:      GNU General Public License 2.0 
23  @contact:      atcuno@gmail.com 
24  @organization: 
25  """ 
26   
27  from rekall.plugins.linux import common 
28   
29   
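class LinPSTree(common.LinuxPlugin):
    """Shows the parent/child relationship between processes.

    This plugin prints a parent/child relationship tree by walking the
    task_struct.children and task_struct.sibling members.

    The tree is built only from the lists reachable from init_task, so a
    task that has been unlinked from its parent's children list does not
    appear in the output. Compare the result against other process
    enumeration methods before concluding that a process is absent.
    """
    __name = "pstree"

    def render(self, renderer):
        """Write one table row per task, indented by depth in the tree.

        Args:
            renderer: Output object providing table_header() and table_row().
        """
        # Each tuple looks like (column title, column name, format spec);
        # NOTE(review): confirm against the renderer's table_header contract.
        renderer.table_header([("Pid", "pid", ">6"),
                               ("Ppid", "ppid", ">6"),
                               ("Uid", "uid", ">6"),
                               ("", "depth", "0"),
                               ("Name", "name", "<30"),
                               ])

        # The walk starts at the kernel's init_task symbol, which is also the
        # first task yielded (at level 0).
        root_task = self.profile.get_constant_object(
            "init_task", target="task_struct")

        for task, level in self.recurse_task(root_task, 0):
            # Depth is shown as one dot per level below the root.
            renderer.table_row(
                task.pid, task.parent.pid, task.uid,
                "." * level, task.commandline)

    def recurse_task(self, task, level):
        """Yields this task and all of its descendants, depth first.

        The list pointers are read from the memory image, which may be
        smeared or deliberately altered. Two guards keep the walk finite:
        every task is yielded at most once (keyed on its obj_offset), so a
        children list that links back to an already visited task cannot loop
        forever, and the traversal uses an explicit stack so a very deep
        chain cannot exhaust the interpreter's recursion limit.

        Args:
            task: The task_struct object to start from.
            level: The depth to report for that starting task.

        Yields:
            (task, level) tuples in pre-order; children are reported at
            their parent's level + 1.
        """
        seen = set([task.obj_offset])
        yield task, level

        # Each stack entry is (iterator over one task's children, their depth).
        stack = [(iter(task.children.list_of_type("task_struct", "sibling")),
                  level + 1)]

        while stack:
            children, depth = stack[-1]
            for child in children:
                offset = child.obj_offset
                if offset in seen:
                    # Already reported: the list is cyclic or corrupted here.
                    continue

                seen.add(offset)
                yield child, depth

                # Descend into this child before continuing with its siblings.
                stack.append(
                    (iter(child.children.list_of_type(
                        "task_struct", "sibling")),
                     depth + 1))
                break
            else:
                # This task's children are exhausted; go back to its parent.
                stack.pop()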