
Prototype generic process functions #1000

Open. Wants to merge 4 commits into base: develop

Conversation


@eve-mem eve-mem commented Sep 4, 2023

Hello,

This draft PR is to add some experimental features to provide a generic way of getting basic information from processes regardless of operating system. The idea was discussed in the comments of this issue: #981

The idea being to provide a set of functions that can be used in plugins to make them easier to make (or volshell), and be consistent across the different operating systems so it's easier to switch between them.

It is very basic, just adding the following functions. Mostly just shifting code out of various pslist plugins to the extensions so they can be used from anywhere.

Function Windows Linux Mac
get_pid 🟢 🟢 🟢
get_parent_pid 🟢 🟢 🟢
get_name 🟢 🟢 🟢
get_create_time 🔴 🟢
get_exit_time 🔴 🔴

(This is what I mean with the colours if it's not clear - 🟢: Added in this PR, ⚫: Function already existed, 🔴: Not added in this PR)

It was interesting to work on this. I noticed after that the linux module class also inherits from GenericIntelProcess and already has a get_name function.

Also that the windows EPROCESS already had the get_create_time and get_exit_time functions so I used those names in the generic part.

I've then modified the pslist plugins for windows/linux/mac to show how this could be used. If this is useful I'm happy to modify the existing plugins to use this, it shouldn't affect how they work - but might make them easier to read.

I'm not sure if this is the best (or even a good) way of doing this - so I'd be very interested in your thoughts.

Thanks!
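The generic-accessor idea described above, as an added illustration that is not the PR's own code and not Volatility's API: a base class exposing the five accessors, two hypothetical OS layers wrapping constructed dicts in place of the real EPROCESS/task_struct objects, and a pstree-style listing written only against the generic interface, so the same plugin code runs on either OS and degrades to None where a layer lacks an accessor (the red cells in the table).

```python
from datetime import datetime, timezone

class GenericProcess:
    """Generic accessors; an OS layer that lacks one leaves it raising (a red cell)."""
    def __init__(self, raw):
        self._raw = raw  # constructed dict standing in for the parsed OS structure
    def get_pid(self): raise NotImplementedError
    def get_parent_pid(self): raise NotImplementedError
    def get_name(self): raise NotImplementedError
    def get_create_time(self): raise NotImplementedError
    def get_exit_time(self): raise NotImplementedError
class LinuxProcess(GenericProcess):
    # hypothetical task_struct-like field names; create time mapped, exit time not
    def get_pid(self): return self._raw["pid"]
    def get_parent_pid(self): return self._raw["ppid"]
    def get_name(self): return self._raw["comm"]
    def get_create_time(self):
        return datetime.fromtimestamp(self._raw["start_time"], tz=timezone.utc)
class WindowsProcess(GenericProcess):
    # hypothetical EPROCESS-like field names; only the three shared accessors mapped
    def get_pid(self): return self._raw["UniqueProcessId"]
    def get_parent_pid(self): return self._raw["InheritedFromUniqueProcessId"]
    def get_name(self): return self._raw["ImageFileName"]

def _maybe(fn):  # None where this OS layer does not provide the accessor
    try: return fn()
    except NotImplementedError: return None

def _depth(p, by_pid):
    """Walk parent links; stop at a missing parent, a self-parent (pid 0) or a cycle."""
    d, cur, seen = 0, p.get_pid(), set()
    ppid = p.get_parent_pid()
    while ppid in by_pid and ppid != cur and ppid not in seen:
        seen.add(cur); d += 1
        cur, ppid = ppid, by_pid[ppid].get_parent_pid()
    return d

def pstree(procs):
    """OS-agnostic rows (depth, pid, ppid, name, create_time), shallowest first."""
    by_pid = {p.get_pid(): p for p in procs}
    rows = [(_depth(p, by_pid), p.get_pid(), p.get_parent_pid(), p.get_name(),
             _maybe(p.get_create_time)) for p in by_pid.values()]
    return sorted(rows, key=lambda r: (r[0], r[1]))

LINUX_SAMPLE = [LinuxProcess(r) for r in (  # constructed sample data
    {"pid": 0, "ppid": 0, "comm": "swapper", "start_time": 0},
    {"pid": 1, "ppid": 0, "comm": "systemd", "start_time": 1700000000},
    {"pid": 1234, "ppid": 1, "comm": "sshd", "start_time": 1700000100})]
WINDOWS_SAMPLE = [WindowsProcess(r) for r in (  # constructed sample data
    {"UniqueProcessId": 4, "InheritedFromUniqueProcessId": 0, "ImageFileName": "System"},
    {"UniqueProcessId": 400, "InheritedFromUniqueProcessId": 4, "ImageFileName": "smss.exe"})]
```

Because pstree only touches the generic accessors, a real implementation would need no per-OS branch; the cycle and self-parent guards matter because parent links in a memory image are untrusted data.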

@eve-mem eve-mem closed this Apr 30, 2024
@eve-mem eve-mem reopened this Apr 30, 2024
@eve-mem eve-mem marked this pull request as ready for review April 30, 2024 05:34

eve-mem commented Apr 30, 2024

@ikelos - I'd love your thoughts on this. The idea is to have a simple-to-use way to get key information about a process for plugins. That way there can be a central way to do these lookups within plugins so that they're consistent, and if an update needs to be done it only needs to happen in one place. It could be bulked out to include extra bits for a process like getting memory regions etc.

It should hopefully mean that we'd be able to make non-OS specific plugins - assuming it's done in the right way. Given it's above intel process that might be a good place for it given the arm work at the moment?

Thanks again.
