Process Forensics
#!/usr/bin/env python3
# Easy as PIE - Process Information Enumeration
import hashlib
import hmac
import sys
from uuid import uuid4

import psutil
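def hash_file(file, chunk_size=65536):
    """Return the SHA-256 hex digest of the file at *file*.

    The file is read in ``chunk_size``-byte pieces so a large executable is
    not pulled into memory in one go. No salt is mixed in: a file
    fingerprint has to be reproducible across runs so it can be compared
    against a known-good baseline.

    Args:
        file: Path of the file to hash.
        chunk_size: Bytes read per iteration (default 64 KiB).

    Returns:
        Lower-case hexadecimal SHA-256 digest of the file contents.

    Raises:
        OSError: if the file cannot be opened or read (missing or
            unreadable executable path).
    """
    digest = hashlib.sha256()
    with open(file, 'rb') as ofile:
        # read() returns b'' at EOF, which ends the loop
        for chunk in iter(lambda: ofile.read(chunk_size), b''):
            digest.update(chunk)
    return digest.hexdigest()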
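def check_file(hashed_file, new_file):
    """Verify *new_file* against a stored ``"<sha256 hex>:<salt>"`` record.

    NOTE(review): nothing on this page produces that record format --
    ``hash_file`` returns a bare hex digest and ``baseline_procs`` stores
    it as-is -- so this reads like a leftover salted-password helper. It is
    kept, with the same interface, in case an external caller uses it.

    Args:
        hashed_file: String of the form ``"<hex digest>:<salt>"``.
        new_file: Value to verify; it is hashed as ``sha256(salt + new_file)``.

    Returns:
        True when the recomputed digest equals the stored digest.

    Raises:
        ValueError: if *hashed_file* is not exactly two ``:``-separated parts.
    """
    parts = hashed_file.split(':')
    if len(parts) != 2:
        raise ValueError("expected '<digest>:<salt>', got %r" % (hashed_file,))
    stored_digest, salt = parts
    computed = hashlib.sha256(salt.encode() + new_file.encode()).hexdigest()
    # constant-time comparison: a plain == returns early on the first
    # differing character and leaks how much of the digest matched
    return hmac.compare_digest(stored_digest, computed)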
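def _endpoint_or_na(addr):
    """Return ``(host, port)`` from a psutil address tuple, or ``("N/A", "N/A")`` when it is empty."""
    if not addr:
        return "N/A", "N/A"
    return addr[0], addr[1]


def format_neat_output(proclist):
    """Pretty-print the process/connection tuples produced by ``baseline_procs``.

    Entries are read positionally (the index map lives in ``baseline_procs``):
    0 pid, 1 name, 2 exe path, 3 sha256, 4 status, 5 cwd, 6 username,
    8 local (addr, port), 9 remote (addr, port), 10 connection state,
    11 list of ``(pid, name, exe, sha256)`` children. Index 7 (open files)
    is not printed.

    Args:
        proclist: Iterable of such tuples.

    Returns:
        None; everything is written to stdout.
    """
    for proc in proclist:
        # psutil reports an empty remote endpoint for listening sockets, and
        # the local endpoint can be empty as well, so guard both the same way
        laddr, lport = _endpoint_or_na(proc[8])
        raddr, rport = _endpoint_or_na(proc[9])
        print(
"""Process ID -> {pid}
***************************
Name ---------------------> {proc_name}
File Path ================> {file_path}
File Sha256 Hash ---------> {hash}
Working Dir ==============> {cwd}
Status -------------------> {status}
Running Under User =======> {perms}
Socket State -------------> {state}
Listening Address ========> {laddr}
Local Port ---------------> {lport}
Remote Address ===========> {raddr}
Remote Port --------------> {rport}
""".format(pid=proc[0], proc_name=proc[1], file_path=proc[2], hash=proc[3],
           cwd=proc[5], status=proc[4], perms=proc[6], laddr=laddr,
           lport=lport, raddr=raddr, rport=rport, state=proc[10]))
        for child in proc[11]:
            print(
""" \tChild ID -> {pid}
***************************
Name ---------------------> {ch_name}
File Path=================> {ch_exe}
File Sha256 Hash ---------> {hash}
""".format(pid=child[0], ch_name=child[1], ch_exe=child[2], hash=child[3]))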
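def _child_records(proc):
    """Return ``(pid, name, exe, sha256)`` for each child of *proc*.

    A child that vanishes, denies access, or whose executable cannot be
    read is reported on stderr and left out so one bad child does not
    drop the parent from the snapshot.
    """
    records = []
    for child in proc.children():
        try:
            exe = child.exe()
            records.append((child.pid, child.name(), exe, hash_file(exe)))
        except (psutil.Error, OSError) as err:
            print("skipping child pid %s of %s: %s" % (child.pid, proc.pid, err),
                  file=sys.stderr)
    return records


def baseline_procs():
    """Snapshot every process that owns an inet socket, with its children.

    Walks ``psutil.net_connections()`` and builds one tuple per connection:

      0  - process id
      1  - process name
      2  - path to the process's executable
      3  - sha256 of the file in #2
      4  - process status
      5  - process working dir
      6  - user the process runs as
      7  - files the process has open
      8  - tuple (listening addr, lport)
      9  - tuple (remote addr, rport); empty for listening sockets
      10 - state of the connection
      11 - children as a list of (pid, name, exe path, sha256 of exe)

    A connection whose owning pid psutil cannot report (``None``, the usual
    case without root) is skipped rather than looked up: ``psutil.Process(None)``
    resolves to *this* script, which would misattribute the socket. A process
    that exits or denies access mid-walk, or whose executable cannot be read
    for hashing, is skipped with a note on stderr so the snapshot stays
    best-effort instead of aborting.

    Returns:
        list of the tuples described above, in ``net_connections`` order.
    """
    net_list = []
    for conn in psutil.net_connections():
        pid = conn.pid  # field 6 of the sconn tuple
        if pid is None:
            print("skipping %s -> %s: owning pid not available (need root?)"
                  % (conn.laddr, conn.raddr), file=sys.stderr)
            continue
        try:
            proc = psutil.Process(pid)
            exe = proc.exe()
            proc_tup = (pid, proc.name(), exe, hash_file(exe), proc.status(),
                        proc.cwd(), proc.username(), proc.open_files(),
                        conn.laddr, conn.raddr, conn.status,
                        _child_records(proc))
        except (psutil.Error, OSError) as err:
            # NoSuchProcess / ZombieProcess / AccessDenied, or the exe path
            # could not be opened for hashing
            print("skipping pid %s: %s" % (pid, err), file=sys.stderr)
            continue
        net_list.append(proc_tup)
    return net_list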
if __name__ == '__main__':
    # Take the snapshot first, then render it.
    snapshot = baseline_procs()
    format_neat_output(snapshot)