

 1  # Rekall Memory Forensics 
 2  # 
 3  # Copyright 2013 Google Inc. All Rights Reserved. 
 4  # 
 5  # Authors 
 6  # Michael Cohen <scudette@users.sourceforge.net> 
 7  # 
 8  # This program is free software; you can redistribute it and/or modify 
 9  # it under the terms of the GNU General Public License as published by 
10  # the Free Software Foundation; either version 2 of the License, or (at 
11  # your option) any later version. 
12  # 
13  # This program is distributed in the hope that it will be useful, but 
14  # WITHOUT ANY WARRANTY; without even the implied warranty of 
15  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
16  # General Public License for more details. 
17  # 
18  # You should have received a copy of the GNU General Public License 
19  # along with this program; if not, write to the Free Software 
20  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
21  # 
22   
23  """pstree example file""" 
24   
25  from rekall.plugins.windows import common 
26   
27   
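class PSTree(common.WinProcessFilter):
    """Print process list as a tree.

    Every process that survives the inherited process filter is placed
    under its parent (by ``InheritedFromUniqueProcessId``); processes whose
    parent is not in the filtered set start a new tree at depth 0.  Parent
    links in a memory image are not guaranteed to be acyclic, so both the
    root search and the recursive walk are written to terminate on
    corrupted or cyclic parent chains.
    """

    __name = "pstree"

    table_header = [
        dict(name="_EPROCESS", type="TreeNode", max_depth=5, child=dict(
            type="_EPROCESS", style="light")),
        dict(name="ppid", width=6, align="r"),
        dict(name="thd_count", width=6, align="r"),
        dict(name="hnd_count", width=6, align="r"),
        dict(name="create_time", width=24),
        dict(name="cmd", width=40, hidden=True),
        dict(name="path", width=40, hidden=True),
        dict(name="audit", width=40, hidden=True),
    ]

    def _find_root(self, pid_dict, pid):
        """Follow parent links from ``pid`` until they leave ``pid_dict``.

        Args:
          pid_dict: mapping of int pid -> _EPROCESS (see _make_process_dict).
          pid: the pid to start from.

        Returns:
          The first pid on the parent chain that is not a key of
          ``pid_dict`` (the root's parent, typically a dead or unlisted
          process), or, if the chain loops back on itself, the first pid
          seen twice.  Either value is a valid argument for the child walk
          in collect().
        """
        # Parent links come from the image and may form a cycle (e.g. a
        # process whose recorded parent is itself); remember what we have
        # visited so the walk always terminates.
        seen = set()

        while pid in pid_dict and pid not in seen:
            seen.add(pid)
            pid = int(pid_dict[pid].InheritedFromUniqueProcessId)

        return pid

    def _make_process_dict(self):
        """Returns a dict keyed by pids with values _EPROCESS objects.

        Only processes accepted by ``filter_processes()`` are included, so
        the tree reflects the plugin's process filter.
        """
        return {int(eprocess.UniqueProcessId): eprocess
                for eprocess in self.filter_processes()}

    def collect(self):
        """Yield one row per process, depth-first, children after parents.

        Yields:
          dicts matching ``table_header`` plus a ``depth`` key used by the
          TreeNode column.
        """
        process_dict = self._make_process_dict()

        def draw_children(pad, pid):
            """Given a pid output all its children (and theirs) at depth pad."""
            # Sort for a stable, reproducible ordering of siblings.
            for task in sorted(process_dict.values(), key=lambda x: x.pid):
                if task.InheritedFromUniqueProcessId != pid:
                    continue

                # cmd/path are read from the PEB, which is user-mode memory
                # the process itself can rewrite; the audit column comes
                # from the kernel-side _EPROCESS structure, so a mismatch
                # between the two is worth a closer look.
                process_params = task.Peb.ProcessParameters

                yield dict(
                    _EPROCESS=task,
                    ppid=task.InheritedFromUniqueProcessId,
                    thd_count=task.ActiveThreads,
                    hnd_count=task.ObjectTable.m("HandleCount"),
                    create_time=task.CreateTime,
                    cmd=process_params.CommandLine,
                    path=process_params.ImagePathName,
                    audit=task.SeAuditProcessCreationInfo.ImageFileName.Name,
                    depth=pad)

                # Remove the task before recursing so a cyclic parent chain
                # cannot be walked twice and the outer while loop makes
                # progress.  NOTE(review): assumes task.pid equals
                # int(task.UniqueProcessId), the key used above - confirm.
                process_dict.pop(task.pid, None)
                for x in draw_children(pad + 1, task.pid):
                    yield x

        while process_dict:
            # next(iter(...)) replaces process_dict.keys()[0], which only
            # works on Python 2 where keys() returns a list.
            root = self._find_root(process_dict, next(iter(process_dict)))
            for x in draw_children(0, root):
                yield x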