Python volatility.win32.tasks.pslist() Examples

The following are 30 code examples of volatility.win32.tasks.pslist(). You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may also want to check out all available functions/classes of the module volatility.win32.tasks , or try the search function .
Example #1
Source File: sessions.py    From vortessence with GNU General Public License v2.0 6 votes vote down vote up
def find_session_space(self, kernel_space, session_id):
        """ Get a session address space by its ID. 
    
        @param space: a kernel AS for process enumeration
        @param session_id: the session ID to find.
    
        @returns _MM_SESSION_SPACE instantiated from the 
        session space native_vm. 
        """
        for proc in tasks.pslist(kernel_space):
            if proc.SessionId == session_id:
                ps_ad = proc.get_process_address_space()
                if ps_ad != None:
                    return obj.Object("_MM_SESSION_SPACE",
                        offset = proc.Session.v(), vm = ps_ad)
        return obj.NoneObject("Cannot locate a session") 
Example #2
Source File: cmdhistory.py    From volatility with GNU General Public License v2.0 6 votes vote down vote up
def cmdhistory_process_filter(self, addr_space):
        """Generator for processes that might contain command 
        history information. 

        Takes into account if we're on Windows 7 or an earlier
        operator system. 

        @param addr_space: a kernel address space. 
        """

        # Detect if we're on windows seven 
        use_conhost = (6, 1) <= (addr_space.profile.metadata.get('major', 0),
                                addr_space.profile.metadata.get('minor', 0))

        for task in tasks.pslist(addr_space):
            process_name = str(task.ImageFileName).lower()
            # The process we select is conhost on Win7 or csrss for others
            if ((use_conhost and process_name == "conhost.exe") or
                        (not use_conhost and process_name == "csrss.exe")):
                yield task 
Example #3
Source File: dlldump.py    From DAMM with GNU General Public License v2.0 6 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)

        if self._config.OFFSET != None:
            data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
        else:
            data = self.filter_tasks(tasks.pslist(addr_space))

        if self._config.REGEX:
            try:
                if self._config.IGNORE_CASE:
                    mod_re = re.compile(self._config.REGEX, re.I)
                else:
                    mod_re = re.compile(self._config.REGEX)
            except re.error, e:
                debug.error('Error parsing regular expression: %s' % e) 
Example #4
Source File: sessions.py    From volatility with GNU General Public License v2.0 6 votes vote down vote up
def find_session_space(self, kernel_space, session_id):
        """ Get a session address space by its ID. 
    
        @param space: a kernel AS for process enumeration
        @param session_id: the session ID to find.
    
        @returns _MM_SESSION_SPACE instantiated from the 
        session space native_vm. 
        """
        for proc in tasks.pslist(kernel_space):
            if proc.SessionId == session_id:
                ps_ad = proc.get_process_address_space()
                if ps_ad != None:
                    return obj.Object("_MM_SESSION_SPACE",
                        offset = proc.Session.v(), vm = ps_ad)
        return obj.NoneObject("Cannot locate a session") 
Example #5
Source File: sessions.py    From volatility with GNU General Public License v2.0 6 votes vote down vote up
def session_spaces(self, kernel_space):
        """ Generators unique _MM_SESSION_SPACE objects
        referenced by active processes. 
    
        @param space: a kernel AS for process enumeration
    
        @yields _MM_SESSION_SPACE instantiated from the 
        session space native_vm. 
        """
        seen = []
        for proc in tasks.pslist(kernel_space):
            if proc.SessionId != None and proc.SessionId.v() not in seen:
                ps_ad = proc.get_process_address_space()
                if ps_ad != None:
                    seen.append(proc.SessionId.v())
                    yield obj.Object("_MM_SESSION_SPACE",
                        offset = proc.Session.v(), vm = ps_ad) 
Example #6
Source File: sessions.py    From DAMM with GNU General Public License v2.0 6 votes vote down vote up
def session_spaces(self, kernel_space):
        """ Generators unique _MM_SESSION_SPACE objects
        referenced by active processes. 
    
        @param space: a kernel AS for process enumeration
    
        @yields _MM_SESSION_SPACE instantiated from the 
        session space native_vm. 
        """
        seen = []
        for proc in tasks.pslist(kernel_space):
            if proc.SessionId != None and proc.SessionId.v() not in seen:
                ps_ad = proc.get_process_address_space()
                if ps_ad != None:
                    seen.append(proc.SessionId.v())
                    yield obj.Object("_MM_SESSION_SPACE",
                        offset = proc.Session.v(), vm = ps_ad) 
Example #7
Source File: sessions.py    From DAMM with GNU General Public License v2.0 6 votes vote down vote up
def find_session_space(self, kernel_space, session_id):
        """ Get a session address space by its ID. 
    
        @param space: a kernel AS for process enumeration
        @param session_id: the session ID to find.
    
        @returns _MM_SESSION_SPACE instantiated from the 
        session space native_vm. 
        """
        for proc in tasks.pslist(kernel_space):
            if proc.SessionId == session_id:
                ps_ad = proc.get_process_address_space()
                if ps_ad != None:
                    return obj.Object("_MM_SESSION_SPACE",
                        offset = proc.Session.v(), vm = ps_ad)
        return obj.NoneObject("Cannot locate a session") 
Example #8
Source File: dlldump.py    From volatility with GNU General Public License v2.0 6 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)

        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        if self._config.OFFSET != None:
            data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
        else:
            data = self.filter_tasks(tasks.pslist(addr_space))

        if self._config.REGEX:
            try:
                if self._config.IGNORE_CASE:
                    mod_re = re.compile(self._config.REGEX, re.I)
                else:
                    mod_re = re.compile(self._config.REGEX)
            except re.error, e:
                debug.error('Error parsing regular expression: %s' % e) 
Example #9
Source File: cmdhistory.py    From DAMM with GNU General Public License v2.0 6 votes vote down vote up
def cmdhistory_process_filter(self, addr_space):
        """Generator for processes that might contain command 
        history information. 

        Takes into account if we're on Windows 7 or an earlier
        operator system. 

        @param addr_space: a kernel address space. 
        """

        # Detect if we're on windows seven 
        use_conhost = (6, 1) <= (addr_space.profile.metadata.get('major', 0),
                                addr_space.profile.metadata.get('minor', 0))

        for task in tasks.pslist(addr_space):
            process_name = str(task.ImageFileName).lower()
            # The process we select is conhost on Win7 or csrss for others
            if ((use_conhost and process_name == "conhost.exe") or
                        (not use_conhost and process_name == "csrss.exe")):
                yield task 
Example #10
Source File: cmdhistory.py    From vortessence with GNU General Public License v2.0 6 votes vote down vote up
def cmdhistory_process_filter(self, addr_space):
        """Generator for processes that might contain command 
        history information. 

        Takes into account if we're on Windows 7 or an earlier
        operator system. 

        @param addr_space: a kernel address space. 
        """

        # Detect if we're on windows seven 
        use_conhost = (6, 1) <= (addr_space.profile.metadata.get('major', 0),
                                addr_space.profile.metadata.get('minor', 0))

        for task in tasks.pslist(addr_space):
            process_name = str(task.ImageFileName).lower()
            # The process we select is conhost on Win7 or csrss for others
            if ((use_conhost and process_name == "conhost.exe") or
                        (not use_conhost and process_name == "csrss.exe")):
                yield task 
Example #11
Source File: psempire.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def calculate(self):
        if not has_yara:
            debug.error("Yara must be installed for this plugin")

        addr_space = utils.load_as(self._config)
        
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")
	    # For each process in the list
        for task in self.filter_tasks(tasks.pslist(addr_space)):
            # print task.ImageFileName
            for vad, address_space in task.get_vads(vad_filter = task._injection_filter):
				# Injected code detected if there's values returned
                rules = yara.compile(sources = signatures)
                scanner = malfind.VadYaraScanner(task = task, rules = rules)
                # print 'before'
                for hit, address in scanner.scan():
            	    vad_base_addr = self.get_vad_base(task, address)
            	    
            	    # Get a chuck of memory of size 2048 next to where the string was detected
                    content = address_space.zread(address, 2048)
                    yield task, address, vad_base_addr, content
                    break
                # break  # Show only 1 instance of detected injection per process 
Example #12
Source File: dlldump.py    From vortessence with GNU General Public License v2.0 6 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)

        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        if self._config.OFFSET != None:
            data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
        else:
            data = self.filter_tasks(tasks.pslist(addr_space))

        if self._config.REGEX:
            try:
                if self._config.IGNORE_CASE:
                    mod_re = re.compile(self._config.REGEX, re.I)
                else:
                    mod_re = re.compile(self._config.REGEX)
            except re.error, e:
                debug.error('Error parsing regular expression: %s' % e) 
Example #13
Source File: dlldump.py    From volatility with GNU General Public License v2.0 6 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)

        if self._config.OFFSET != None:
            data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
        else:
            data = self.filter_tasks(tasks.pslist(addr_space))

        if self._config.REGEX:
            try:
                if self._config.IGNORE_CASE:
                    mod_re = re.compile(self._config.REGEX, re.I)
                else:
                    mod_re = re.compile(self._config.REGEX)
            except re.error, e:
                debug.error('Error parsing regular expression: %s' % e) 
Example #14
Source File: sessions.py    From volatility with GNU General Public License v2.0 6 votes vote down vote up
def find_session_space(self, kernel_space, session_id):
        """ Get a session address space by its ID. 
    
        @param space: a kernel AS for process enumeration
        @param session_id: the session ID to find.
    
        @returns _MM_SESSION_SPACE instantiated from the 
        session space native_vm. 
        """
        for proc in tasks.pslist(kernel_space):
            if proc.SessionId == session_id:
                ps_ad = proc.get_process_address_space()
                if ps_ad != None:
                    return obj.Object("_MM_SESSION_SPACE",
                        offset = proc.Session.v(), vm = ps_ad)
        return obj.NoneObject("Cannot locate a session") 
Example #15
Source File: dlldump.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)

        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        if self._config.OFFSET != None:
            data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
        else:
            data = self.filter_tasks(tasks.pslist(addr_space))

        if self._config.REGEX:
            try:
                if self._config.IGNORE_CASE:
                    mod_re = re.compile(self._config.REGEX, re.I)
                else:
                    mod_re = re.compile(self._config.REGEX)
            except re.error, e:
                debug.error('Error parsing regular expression: %s' % e) 
Example #16
Source File: poisonivy.py    From volatility with GNU General Public License v2.0 6 votes vote down vote up
def calculate(self):

        if not has_yara:
            debug.error("Yara must be installed for this plugin")

        addr_space = utils.load_as(self._config)
        
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")
        
        rules = yara.compile(sources = signatures)

        for task in self.filter_tasks(tasks.pslist(addr_space)):
            scanner = malfind.VadYaraScanner(task = task, rules = rules)

            for hit, address in scanner.scan():
                vad_base_addr = self.get_vad_base(task, address)
                if address - vad_base_addr > 0x1000:
                    continue

                yield task, vad_base_addr 
Example #17
Source File: sessions.py    From vortessence with GNU General Public License v2.0 6 votes vote down vote up
def session_spaces(self, kernel_space):
        """ Generators unique _MM_SESSION_SPACE objects
        referenced by active processes. 
    
        @param space: a kernel AS for process enumeration
    
        @yields _MM_SESSION_SPACE instantiated from the 
        session space native_vm. 
        """
        seen = []
        for proc in tasks.pslist(kernel_space):
            if proc.SessionId != None and proc.SessionId.v() not in seen:
                ps_ad = proc.get_process_address_space()
                if ps_ad != None:
                    seen.append(proc.SessionId.v())
                    yield obj.Object("_MM_SESSION_SPACE",
                        offset = proc.Session.v(), vm = ps_ad) 
Example #18
Source File: sessions.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def session_spaces(self, kernel_space):
        """ Generators unique _MM_SESSION_SPACE objects
        referenced by active processes. 
    
        @param space: a kernel AS for process enumeration
    
        @yields _MM_SESSION_SPACE instantiated from the 
        session space native_vm. 
        """
        seen = []
        for proc in tasks.pslist(kernel_space):
            if proc.SessionId != None and proc.SessionId.v() not in seen:
                ps_ad = proc.get_process_address_space()
                if ps_ad != None:
                    seen.append(proc.SessionId.v())
                    yield obj.Object("_MM_SESSION_SPACE",
                        offset = proc.Session.v(), vm = ps_ad) 
Example #19
Source File: sessions.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def find_session_space(self, kernel_space, session_id):
        """ Get a session address space by its ID. 
    
        @param space: a kernel AS for process enumeration
        @param session_id: the session ID to find.
    
        @returns _MM_SESSION_SPACE instantiated from the 
        session space native_vm. 
        """
        for proc in tasks.pslist(kernel_space):
            if proc.SessionId == session_id:
                ps_ad = proc.get_process_address_space()
                if ps_ad != None:
                    return obj.Object("_MM_SESSION_SPACE",
                        offset = proc.Session.v(), vm = ps_ad)
        return obj.NoneObject("Cannot locate a session") 
Example #20
Source File: cmdhistory.py    From volatility with GNU General Public License v2.0 6 votes vote down vote up
def cmdhistory_process_filter(self, addr_space):
        """Generator for processes that might contain command 
        history information. 

        Takes into account if we're on Windows 7 or an earlier
        operator system. 

        @param addr_space: a kernel address space. 
        """

        # Detect if we're on windows seven 
        use_conhost = (6, 1) <= (addr_space.profile.metadata.get('major', 0),
                                addr_space.profile.metadata.get('minor', 0))

        for task in tasks.pslist(addr_space):
            process_name = str(task.ImageFileName).lower()
            # The process we select is conhost on Win7 or csrss for others
            if ((use_conhost and process_name == "conhost.exe") or
                        (not use_conhost and process_name == "csrss.exe")):
                yield task 
Example #21
Source File: cmdhistory.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def cmdhistory_process_filter(self, addr_space):
        """Generator for processes that might contain command 
        history information. 

        Takes into account if we're on Windows 7 or an earlier
        operator system. 

        @param addr_space: a kernel address space. 
        """

        # Detect if we're on windows seven 
        use_conhost = (6, 1) <= (addr_space.profile.metadata.get('major', 0),
                                addr_space.profile.metadata.get('minor', 0))

        for task in tasks.pslist(addr_space):
            process_name = str(task.ImageFileName).lower()
            # The process we select is conhost on Win7 or csrss for others
            if ((use_conhost and process_name == "conhost.exe") or
                        (not use_conhost and process_name == "csrss.exe")):
                yield task 
Example #22
Source File: sessions.py    From volatility with GNU General Public License v2.0 6 votes vote down vote up
def session_spaces(self, kernel_space):
        """ Generators unique _MM_SESSION_SPACE objects
        referenced by active processes. 
    
        @param space: a kernel AS for process enumeration
    
        @yields _MM_SESSION_SPACE instantiated from the 
        session space native_vm. 
        """
        seen = []
        for proc in tasks.pslist(kernel_space):
            if proc.SessionId != None and proc.SessionId.v() not in seen:
                ps_ad = proc.get_process_address_space()
                if ps_ad != None:
                    seen.append(proc.SessionId.v())
                    yield obj.Object("_MM_SESSION_SPACE",
                        offset = proc.Session.v(), vm = ps_ad) 
Example #23
Source File: malfind.py    From vortessence with GNU General Public License v2.0 5 votes vote down vote up
def _scan_kernel_memory(self, addr_space, rules):
        # Find KDBG so we know where kernel memory begins. Do not assume
        # the starting range is 0x80000000 because we may be dealing with
        # an image with the /3GB boot switch. 
        kdbg = tasks.get_kdbg(addr_space)

        start = kdbg.MmSystemRangeStart.dereference_as("Pointer")

        # Modules so we can map addresses to owners
        mods = dict((addr_space.address_mask(mod.DllBase), mod)
                    for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())

        # There are multiple views (GUI sessions) of kernel memory.
        # Since we're scanning virtual memory and not physical, 
        # all sessions must be scanned for full coverage. This 
        # really only has a positive effect if the data you're
        # searching for is in GUI memory. 
        sessions = []

        for proc in tasks.pslist(addr_space):
            sid = proc.SessionId
            # Skip sessions we've already seen 
            if sid == None or sid in sessions:
                continue

            session_space = proc.get_process_address_space()
            if session_space == None:
                continue

            sessions.append(sid)
            scanner = DiscontigYaraScanner(address_space = session_space,
                                           rules = rules)

            for hit, address in scanner.scan(start_offset = start):
                module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
                yield (module, address, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE)) 
Example #24
Source File: malfind.py    From vortessence with GNU General Public License v2.0 5 votes vote down vote up
def _scan_process_memory(self, addr_space, rules):
        for task in self.filter_tasks(tasks.pslist(addr_space)):
            scanner = VadYaraScanner(task = task, rules = rules)
            for hit, address in scanner.scan():
                yield (task, address, hit, scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE)) 
Example #25
Source File: evtlogs.py    From vortessence with GNU General Public License v2.0 5 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)
        
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This plugin only works on XP and 2003")

        ## When verbose is specified, we recalculate the list of SIDs for
        ## services in the registry. Otherwise, we take the list from the 
        ## pre-populated dictionary in getservicesids.py
        if self._config.VERBOSE:
            ssids = getservicesids.GetServiceSids(self._config).calculate()
            for sid, service in ssids:
                self.extrasids[sid] = " (Service: " + service + ")" 
        else:
            for sid, service in getservicesids.servicesids.items():
                self.extrasids[sid] = " (Service: " + service + ")"

        ## Get the user's SIDs from the registry
        self.load_user_sids()

        for proc in tasks.pslist(addr_space):
            if str(proc.ImageFileName).lower() == "services.exe":
                for vad, process_space in proc.get_vads(vad_filter = proc._mapped_file_filter):
                    if vad.FileObject.FileName:
                        name = str(vad.FileObject.FileName).lower()
                        if name.endswith(".evt"):
                            ## Maybe check the length is reasonable, though probably there won't 
                            ## ever be event logs that are multiple GB or TB in size.
                            data = process_space.zread(vad.Start, vad.Length)
                            yield name, data 
Example #26
Source File: psxview.py    From vortessence with GNU General Public License v2.0 5 votes vote down vote up
def calculate(self):
        if self._config.OUTPUT == "xlsx" and not has_openpyxl:
            debug.error("You must install OpenPyxl 2.1.2 for xlsx format:\n\thttps://pypi.python.org/pypi/openpyxl")
        elif self._config.OUTPUT == "xlsx" and not self._config.OUTPUT_FILE:
            debug.error("You must specify an output *.xlsx file!\n\t(Example: --output-file=OUTPUT.xlsx)")

        addr_space = utils.load_as(self._config)

        all_tasks = list(tasks.pslist(addr_space))

        ps_sources = {}
        # The keys are names of process sources. The values
        # are dictionaries whose keys are physical process 
        # offsets and the values are _EPROCESS objects. 
        ps_sources['pslist'] = self.check_pslist(all_tasks)
        ps_sources['psscan'] = self.check_psscan()
        ps_sources['thrdproc'] = self.check_thrdproc(addr_space)
        ps_sources['csrss'] = self.check_csrss_handles(all_tasks)
        ps_sources['pspcid'] = self.check_pspcid(addr_space)
        ps_sources['session'] = self.check_sessions(addr_space)
        ps_sources['deskthrd'] = self.check_desktop_thread(addr_space)

        # Build a list of offsets from all sources
        seen_offsets = []
        for source in ps_sources.values():
            for offset in source.keys():
                if offset not in seen_offsets:
                    seen_offsets.append(offset)
                    yield offset, source[offset], ps_sources 
Example #27
Source File: psxview.py    From vortessence with GNU General Public License v2.0 5 votes vote down vote up
def unified_output(self, data):
        return TreeGrid([("Offset(P)", Address),
                       ("Name", str),
                       ("PID", int),
                       ("pslist", str),
                       ("psscan", str),
                       ("thrdproc", str),
                       ("pspcid", str),
                       ("csrss", str),
                       ("session", str),
                       ("deskthrd", str),
                       ("ExitTime", str)],
                        self.generator(data)) 
Example #28
Source File: enumfunc.py    From vortessence with GNU General Public License v2.0 5 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)

        tasklist = []
        modslist = []

        if self._config.SCAN:
            if not self._config.KERNEL_ONLY:
                for t in filescan.PSScan(self._config).calculate():
                    v = self.virtual_process_from_physical_offset(addr_space, t.obj_offset)
                    if v:
                        tasklist.append(v)
            if not self._config.PROCESS_ONLY:
                modslist = [m for m in modscan.ModScan(self._config).calculate()]
        else:
            if not self._config.KERNEL_ONLY:
                tasklist = [t for t in tasks.pslist(addr_space)]
            if not self._config.PROCESS_ONLY:
                modslist = [m for m in modules.lsmod(addr_space)]

        for task in tasklist:
            for mod in task.get_load_modules():
                yield task, mod

        for mod in modslist:
            yield None, mod 
Example #29
Source File: evtlogs.py    From DAMM with GNU General Public License v2.0 5 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)
        
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This plugin only works on XP and 2003")

        ## When verbose is specified, we recalculate the list of SIDs for
        ## services in the registry. Otherwise, we take the list from the 
        ## pre-populated dictionary in getservicesids.py
        if self._config.VERBOSE:
            ssids = getservicesids.GetServiceSids(self._config).calculate()
            for sid, service in ssids:
                self.extrasids[sid] = " (Service: " + service + ")" 
        else:
            for sid, service in getservicesids.servicesids.items():
                self.extrasids[sid] = " (Service: " + service + ")"

        ## Get the user's SIDs from the registry
        self.load_user_sids()

        for proc in tasks.pslist(addr_space):
            if str(proc.ImageFileName).lower() == "services.exe":
                for vad, process_space in proc.get_vads(vad_filter = proc._mapped_file_filter):
                    if vad.FileObject.FileName:
                        name = str(vad.FileObject.FileName).lower()
                        if name.endswith(".evt"):
                            ## Maybe check the length is reasonable, though probably there won't 
                            ## ever be event logs that are multiple GB or TB in size.
                            data = process_space.zread(vad.Start, vad.Length)
                            yield name, data 
Example #30
Source File: psxview.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def calculate(self):
        if self._config.OUTPUT == "xlsx" and not has_openpyxl:
            debug.error("You must install OpenPyxl for xlsx format:\n\thttps://bitbucket.org/ericgazoni/openpyxl/wiki/Home")
        elif self._config.OUTPUT == "xlsx" and not self._config.OUTPUT_FILE:
            debug.error("You must specify an output *.xlsx file!\n\t(Example: --output-file=OUTPUT.xlsx)")

        addr_space = utils.load_as(self._config)

        all_tasks = list(tasks.pslist(addr_space))

        ps_sources = {}
        # The keys are names of process sources. The values
        # are dictionaries whose keys are physical process 
        # offsets and the values are _EPROCESS objects. 
        ps_sources['pslist'] = self.check_pslist(all_tasks)
        ps_sources['psscan'] = self.check_psscan()
        ps_sources['thrdproc'] = self.check_thrdproc(addr_space)
        ps_sources['csrss'] = self.check_csrss_handles(all_tasks)
        ps_sources['pspcid'] = self.check_pspcid(addr_space)
        ps_sources['session'] = self.check_sessions(addr_space)
        ps_sources['deskthrd'] = self.check_desktop_thread(addr_space)

        # Build a list of offsets from all sources
        seen_offsets = []
        for source in ps_sources.values():
            for offset in source.keys():
                if offset not in seen_offsets:
                    seen_offsets.append(offset)
                    yield offset, source[offset], ps_sources