Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stop relying on NtTerminateProcess in pstree #607

Merged
merged 3 commits into from
Aug 7, 2021
Merged

Stop relying on NtTerminateProcess in pstree #607

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7eed1ac
Stop relying on NtTerminateProcess
Aug 7, 2021
6f0ab63
bump drakvuf
Aug 7, 2021
ebd56da
bump even more
chivay Aug 7, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 0 additions & 16 deletions drakcore/drakcore/postprocess/pstree.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -189,19 +189,6 @@ def parse_nt_create_process_ex_entry(
pstree.add_process(p)


def parse_nt_terminate_process_entry(
pstree: ProcessTree, entry: Dict[str, Any]
) -> None:
pid = entry["ExitPid"] if entry["ExitPid"] != 0 else entry["PID"]
p = pstree.get_single_process(
pid, float(entry["TimeStamp"]), float(entry["TimeStamp"])
)
if p is None:
# ExitProcess might call TerminateProcess twice, so maybe we had already marked it.
return
p.ts_to = float(entry["TimeStamp"])


def parse_mm_clean_process_address_space_entry(
pstree: ProcessTree, entry: Dict[str, Any]
) -> None:
Expand Down Expand Up @@ -236,9 +223,6 @@ def tree_from_log(file: TextIO) -> List[Dict[str, Any]]:
elif "Method" in entry and entry["Method"] == "NtCreateProcessEx":
# Process has been created after the analysis started.
parse_nt_create_process_ex_entry(pstree, entry)
elif "Method" in entry and entry["Method"] == "NtTerminateProcess":
# Process has been terminated. This can be deleted once MmCleanProcessAddressSpace will be added to procmon.
parse_nt_terminate_process_entry(pstree, entry)
elif "Method" in entry and entry["Method"] == "MmCleanProcessAddressSpace":
# Process has been terminated.
parse_mm_clean_process_address_space_entry(pstree, entry)
Expand Down
2 changes: 1 addition & 1 deletion drakvuf
Open in desktop
Submodule drakvuf updated 14 files
+42 −7 src/drakvuf.cpp
+9 −3 src/drakvuf.h
+1 −0 src/libhook/Makefile.am
+153 −0 src/libhook/hooks/cr3.cpp
+202 −0 src/libhook/hooks/cr3.hpp
+1 −0 src/libhook/libhook.hpp
+43 −27 src/libinjector/win_injector.c
+12 −11 src/main.cpp
+2 −2 src/plugins/libhooktest/libhooktest.cpp
+1 −10 src/plugins/libhooktest/libhooktest.h
+15 −11 src/plugins/memdump/userhook.cpp
+55 −0 src/plugins/plugins_ex.h
+18 −0 src/plugins/procmon/procmon.cpp
+3 −1 src/plugins/syscalls/win.cpp