@ghost-ng
Created September 12, 2016 05:07
Process Forensics
#!/usr/bin/env python3
#Easy as PIE - Process Information Enumeration
import hashlib
import hmac
import sys
from uuid import uuid4

import psutil
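def hash_file(file):
    """Return the hex SHA-256 digest of the contents of *file*.

    The digest is unsalted on purpose: it is meant to be compared against
    known-good or known-bad file hashes (package manifests, threat-intel
    feeds), which only works if the same bytes always yield the same digest.
    The file is read in fixed-size chunks so hashing a large binary does not
    load it into memory all at once.

    Args:
        file: path of the file to hash.

    Returns:
        64-character lowercase hex string.

    Raises:
        OSError (FileNotFoundError, PermissionError, ...): if the path cannot
        be opened. Callers hashing the binary of a live process should expect
        this — a process keeps running after its executable is deleted or
        replaced on disk, and that situation is itself a finding.
    """
    hashed = hashlib.sha256()
    with open(file, 'rb') as ofile:
        # 64 KiB chunks: negligible call overhead, bounded memory use.
        for chunk in iter(lambda: ofile.read(65536), b''):
            hashed.update(chunk)
    return hashed.hexdigest()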
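def check_file(hashed_file, new_file):
    """Verify *new_file* against a stored "hexdigest:salt" record.

    The record must have the shape produced by salted hashing of a string,
    i.e. sha256(salt + value).hexdigest() + ':' + salt. That is NOT what
    hash_file() above produces (an unsalted digest of file *contents*), and
    nothing in this script calls this function — it reads like a leftover
    password verifier. It is kept with its original interface.

    Args:
        hashed_file: stored record, "<sha256 hexdigest>:<salt>".
        new_file: candidate string to verify.

    Returns:
        True if sha256(salt + new_file) equals the stored digest.

    Raises:
        ValueError: if *hashed_file* does not contain exactly one ':'.
    """
    stored, salt = hashed_file.split(':')
    candidate = hashlib.sha256(salt.encode() + new_file.encode()).hexdigest()
    # Constant-time comparison: a plain == short-circuits on the first
    # mismatching character and leaks how much of the digest matched.
    return hmac.compare_digest(stored.encode(), candidate.encode())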
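def _addr_pair(addr):
    """Split a psutil address tuple into (ip, port), or ("N/A", "N/A") if unset.

    psutil reports the remote end of an unconnected socket as an empty
    tuple; the same guard is applied to the local end defensively.
    """
    if not addr:
        return "N/A", "N/A"
    return addr[0], addr[1]


def format_neat_output(proclist):
    """Print one human-readable report per process tuple in *proclist*.

    Each item must be a 12-tuple in the layout produced by baseline_procs():
      0 pid, 1 name, 2 exe path, 3 SHA-256 of the exe, 4 status, 5 cwd,
      6 username, 7 open files (not printed), 8 local (addr, port),
      9 remote (addr, port) or () when unconnected, 10 socket state,
      11 list of (pid, name, exe, SHA-256) tuples for child processes.

    Writes to stdout only and returns None; an empty *proclist* prints
    nothing.
    """
    for proc in proclist:
        laddr, lport = _addr_pair(proc[8])
        raddr, rport = _addr_pair(proc[9])
        print(
            """Process ID -> {pid}
***************************
Name ---------------------> {proc_name}
File Path ================> {file_path}
File Sha256 Hash ---------> {hash}
Working Dir ==============> {cwd}
Status -------------------> {status}
Running Under User =======> {perms}
Socket State -------------> {state}
Listening Address ========> {laddr}
Local Port ---------------> {lport}
Remote Address ===========> {raddr}
Remote Port --------------> {rport}
""".format(pid=proc[0], proc_name=proc[1], file_path=proc[2], hash=proc[3],
           cwd=proc[5], status=proc[4], perms=proc[6], laddr=laddr,
           lport=lport, raddr=raddr, rport=rport, state=proc[10]))
        # Children get a sub-report so a network-facing parent that spawned
        # helpers (a shell, a dropper) is visible right under it.
        for child in proc[11]:
            print(
                """ \tChild ID -> {pid}
***************************
Name ---------------------> {ch_name}
File Path=================> {ch_exe}
File Sha256 Hash ---------> {hash}
""".format(pid=child[0], ch_name=child[1], ch_exe=child[2], hash=child[3]))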
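def _safe_hash(path):
    """Return hash_file(path), or "N/A" when the binary cannot be read.

    A running process whose on-disk executable has been deleted or replaced
    is exactly the kind of thing this tool should surface, so an unreadable
    path must not abort the whole enumeration.
    """
    if not path:
        return "N/A"
    try:
        return hash_file(path)
    except OSError:
        return "N/A"


def _child_details(parent):
    """Return [(pid, name, exe, sha256), ...] for the direct children of *parent*.

    Children that exit or become inaccessible between enumeration and
    inspection are skipped instead of crashing the scan.
    """
    details = []
    for child in parent.children():
        try:
            exe = child.exe()
            details.append((child.pid, child.name(), exe, _safe_hash(exe)))
        except (psutil.NoSuchProcess, psutil.AccessDenied):
            continue
    return details


def baseline_procs():
    """Snapshot every process that owns a socket reported by psutil.net_connections().

    Returns a list with one 12-tuple per connection:
      0 pid, 1 name, 2 exe path, 3 SHA-256 of that file ("N/A" if unreadable),
      4 process status, 5 cwd, 6 username, 7 open files, 8 local (addr, port),
      9 remote (addr, port) or () when unconnected, 10 socket state,
      11 list of (pid, name, exe, SHA-256) tuples for direct children.

    Connections whose owning pid psutil could not determine are skipped. psutil
    reports such pids as None (on Linux this happens for other users' sockets
    when not running as root), and psutil.Process(None) describes the *current*
    interpreter, so feeding it through would silently attribute someone else's
    socket to this script. Processes that exit or deny access while being
    inspected are skipped as well.

    The snapshot is not atomic: the connection list and each process's details
    are read at different instants, so a pid could have been reused in between.
    Hashing the on-disk exe also says nothing about the in-memory image; it is
    only a first-pass indicator.
    """
    net_list = []
    for conn in psutil.net_connections():
        ppid = conn.pid
        if ppid is None:
            continue
        try:
            proc = psutil.Process(ppid)
            exe = proc.exe()
            proc_tup = (
                ppid,
                proc.name(),
                exe,
                _safe_hash(exe),
                proc.status(),
                proc.cwd(),
                proc.username(),
                proc.open_files(),
                conn.laddr,
                conn.raddr,
                conn.status,
                _child_details(proc),
            )
        except (psutil.NoSuchProcess, psutil.AccessDenied):
            continue
        net_list.append(proc_tup)
    return net_list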
if __name__ == '__main__':
    # Entry point: enumerate socket-owning processes, then print the report.
    snapshot = baseline_procs()
    format_neat_output(snapshot)