// +build !windows
/*
Velociraptor - Hunting Evil
Copyright (C) 2019 Velocidex Innovations.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
// This module is built on gopsutil, which is too slow and inefficient for
// our needs. Eventually we will remove it from the codebase.
package vql
import (
	"math"

	"github.com/shirou/gopsutil/process"
	"www.velocidex.com/golang/velociraptor/utils"
	"www.velocidex.com/golang/vfilter"
)
// _BlockedMembers names the process.Process methods that a VQL query must
// never be able to reach through the associative protocol below. Each one
// mutates the target process, which would turn a read-only collection
// plugin into a way to kill or freeze arbitrary processes on the endpoint.
//
// NOTE(review): this is a denylist. Every other exported member of
// process.Process remains reachable from VQL, so any additional mutating
// helper exposed by the vendored gopsutil version (a signal-sending method,
// for example) would need to be added here too — verify against the
// imported gopsutil release.
var _BlockedMembers = []string{
	"Terminate",
	"Kill",
	"Suspend",
	"Resume",
}

// _ProcessFieldImpl is the vfilter associative protocol for process rows.
// It wraps vfilter.DefaultAssociative and hides the members listed in
// _BlockedMembers from both member lookup and member enumeration.
type _ProcessFieldImpl struct{}
// Applicable reports whether this protocol handles the lookup `a.b`: the
// left operand must be a gopsutil Process (by value or by pointer) and the
// member name must be a string. Any other combination falls through to
// whatever other protocol vfilter has registered.
func (self _ProcessFieldImpl) Applicable(a vfilter.Any, b vfilter.Any) bool {
	// Member names are always strings; reject anything else up front so the
	// type switch below only decides on the row type.
	if _, isString := b.(string); !isString {
		return false
	}

	switch a.(type) {
	case process.Process, *process.Process:
		return true
	default:
		return false
	}
}
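// Associative resolves the member `b` on the process row `a`.
//
// Members listed in _BlockedMembers resolve to the value false with
// present=true, so a query that references e.g. `Kill` sees a plain false
// rather than an error and can never invoke the method. Everything else is
// delegated to vfilter.DefaultAssociative, which resolves the name via
// reflection on the Process struct.
//
// Returns the resolved value and whether the member was present.
func (self _ProcessFieldImpl) Associative(
	scope *vfilter.Scope, a vfilter.Any, b vfilter.Any) (vfilter.Any, bool) {
	// Applicable() already requires b to be a string, but a checked assertion
	// keeps a caller that skips Applicable() from panicking the whole query.
	field, ok := b.(string)
	if !ok {
		return nil, false
	}

	// NOTE(review): utils.InString is presumably an exact, case-sensitive
	// match. If DefaultAssociative resolves member names case-insensitively,
	// a differently-cased name could slip past this block — confirm against
	// vfilter before relying on the denylist alone.
	if utils.InString(&_BlockedMembers, field) {
		return false, true
	}

	return vfilter.DefaultAssociative{}.Associative(scope, a, b)
}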
// GetMembers enumerates the members of the process row `a` that a query is
// allowed to see: everything vfilter.DefaultAssociative reports, minus the
// names in _BlockedMembers. Filtering here as well as in Associative() keeps
// introspection (e.g. SELECT *) consistent with what can actually be resolved.
//
// Returns a nil slice when no member survives the filter.
func (self _ProcessFieldImpl) GetMembers(scope *vfilter.Scope, a vfilter.Any) []string {
	all := (vfilter.DefaultAssociative{}).GetMembers(scope, a)

	// Build a fresh slice rather than filtering `all` in place, in case the
	// default protocol hands back storage it still owns.
	var visible []string
	for _, name := range all {
		if utils.InString(&_BlockedMembers, name) {
			continue
		}
		visible = append(visible, name)
	}
	return visible
}
// PslistArgs holds the arguments accepted by the pslist() VQL plugin.
type PslistArgs struct {
	// Pid, when non-zero, restricts the listing to that single process.
	// It is an int64 here but is narrowed to int32 before reaching gopsutil.
	Pid int64 `vfilter:"optional,field=pid,doc=A pid to list. If this is provided we are able to operate much faster by only opening a single process."`
}
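// init registers the process associative protocol and the pslist() plugin.
//
// The protocol registration is what keeps pslist read-only: rows are raw
// *process.Process values, and without _ProcessFieldImpl a query could reach
// the mutating methods listed in _BlockedMembers.
func init() {
	exportedProtocolImpl = append(exportedProtocolImpl, &_ProcessFieldImpl{})

	exportedPlugins = append(exportedPlugins,
		vfilter.GenericListPlugin{
			PluginName: "pslist",
			Function: func(
				scope *vfilter.Scope,
				args *vfilter.Dict) []vfilter.Row {
				var result []vfilter.Row

				arg := &PslistArgs{}
				err := vfilter.ExtractArgs(scope, args, arg)
				if err != nil {
					scope.Log("pslist: %s", err.Error())
					return result
				}

				// Fast path: the caller asked for a single process.
				if arg.Pid != 0 {
					// The argument is an int64 but gopsutil takes an int32.
					// Refuse values outside that range instead of truncating:
					// a wrapped pid would silently open a different process
					// than the one the query asked for.
					if arg.Pid < 0 || arg.Pid > math.MaxInt32 {
						scope.Log("pslist: pid %d is out of range", arg.Pid)
						return result
					}

					process_obj, err := process.NewProcess(int32(arg.Pid))
					if err != nil {
						// Usually the pid does not exist; say so in the query
						// log rather than returning an empty row set silently.
						scope.Log("pslist: pid %d: %s", arg.Pid, err.Error())
						return result
					}
					return append(result, process_obj)
				}

				processes, err := process.Processes()
				if err != nil {
					scope.Log("pslist: %s", err.Error())
					return result
				}
				for _, item := range processes {
					result = append(result, item)
				}
				return result
			},
			RowType: &process.Process{},
			Doc:     "List processes",
		})
}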