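/**
 * @brief Generate the process_envs table: one row per (pid, variable).
 *
 * @param context Query context; a constraint on "pid" skips every other
 *        process, so a constrained query does not read all environments.
 * @return One Row per environment entry with pid, name, path, key, value.
 *
 * Environment blocks routinely carry credentials (API tokens, passwords,
 * cloud keys), so consumers should treat the output of this table as
 * sensitive data.
 */
QueryData genProcessEnvs(QueryContext &context) {
  QueryData results;
  auto pidlist = getProcList();
  const int argmax = genMaxArgs();

  for (auto &pid : pidlist) {
    if (!context.constraints["pid"].matches<int>(pid)) {
      // Optimize by not searching when a pid is a constraint.
      continue;
    }

    auto env = getProcEnv(pid, argmax);
    if (env.empty()) {
      // No rows for this pid. NOTE(review): presumably an environment this
      // process is not permitted to read also comes back empty, so "empty"
      // does not mean "no variables" — confirm against getProcEnv.
      continue;
    }

    // Name and path do not depend on the entry; resolve them once per
    // process instead of once per environment variable.
    const auto name = getProcName(pid);
    const auto path = getProcPath(pid);

    for (const auto &entry : env) {
      Row r;
      r["pid"] = INTEGER(pid);
      r["name"] = name;
      r["path"] = path;
      r["key"] = entry.first;
      r["value"] = entry.second;
      results.push_back(r);
    }
  }
  return results;
}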
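/**
 * @brief Generate the processes table (path/name/cmdline, credentials,
 *        parent, on_disk and rusage columns) for every listed pid.
 *
 * @param context Query context; a "pid" constraint restricts the walk.
 * @return One Row per process. Columns that could not be gathered are
 *         filled with the string "-1" rather than the row being dropped.
 */
QueryData genProcesses(QueryContext &context) {
  QueryData results;
  auto pidlist = getProcList(context);
  auto parent_pid = getParentMap(pidlist);
  const int argmax = genMaxArgs();

  for (auto &pid : pidlist) {
    if (!context.constraints["pid"].matches<int>(pid)) {
      // Optimize by not searching when a pid is a constraint.
      continue;
    }

    Row r;
    r["pid"] = INTEGER(pid);
    r["path"] = getProcPath(pid);
    // OS X proc_name only returns 16 bytes, use the basename of the path.
    // (An empty path yields an empty name.)
    r["name"] = boost::filesystem::path(r["path"]).filename().string();

    // The command line invocation including arguments. Arguments are joined
    // with single spaces, so an argument that itself contains a space is
    // indistinguishable from two arguments; do not parse this back into argv.
    std::string cmdline = boost::algorithm::join(getProcArgs(pid, argmax), " ");
    boost::algorithm::trim(cmdline);
    r["cmdline"] = cmdline;

    // The process relative root and current working directory.
    genProcRootAndCWD(pid, r);

    proc_cred cred;
    if (getProcCred(pid, cred)) {
      r["uid"] = BIGINT(cred.real.uid);
      r["gid"] = BIGINT(cred.real.gid);
      r["euid"] = BIGINT(cred.effective.uid);
      r["egid"] = BIGINT(cred.effective.gid);
    } else {
      // Credentials unavailable (presumably the process exited mid-walk or
      // the caller may not inspect it). Keep the row with sentinel ids so
      // the process still shows up in the table.
      r["uid"] = "-1";
      r["gid"] = "-1";
      r["euid"] = "-1";
      r["egid"] = "-1";
    }

    // Find the parent process; -1 when the pid is not in the parent map.
    const auto parent_it = parent_pid.find(pid);
    if (parent_it != parent_pid.end()) {
      r["parent"] = INTEGER(parent_it->second);
    } else {
      r["parent"] = "-1";
    }

    // on_disk is a tri-state: -1 when no executable path is available, 1 when
    // the path exists on disk, 0 when a path is known but the file does NOT
    // exist (a deleted-on-disk binary is a classic indicator worth surfacing).
    // The tri-state is encoded explicitly here instead of copying the Status
    // message returned by pathExists(), so the column never carries an error
    // string and its meaning does not depend on how pathExists() phrases it.
    if (r["path"].empty()) {
      r["on_disk"] = "-1";
    } else if (osquery::pathExists(r["path"]).ok()) {
      r["on_disk"] = "1";
    } else {
      r["on_disk"] = "0";
    }

    // System usage and time information.
    struct rusage_info_v2 rusage_info_data;
    const int rusage_status = proc_pid_rusage(
        pid, RUSAGE_INFO_V2, static_cast<rusage_info_t>(&rusage_info_data));
    // proc_pid_rusage returns -1 if it was unable to gather information.
    if (rusage_status == 0) {
      // size/memory information
      r["wired_size"] = TEXT(rusage_info_data.ri_wired_size);
      r["resident_size"] = TEXT(rusage_info_data.ri_resident_size);
      r["phys_footprint"] = TEXT(rusage_info_data.ri_phys_footprint);
      // time information
      // NOTE(review): the divisor converts ri_user_time/ri_system_time to a
      // coarser unit; the intended unit is not documented here — confirm.
      r["user_time"] = TEXT(rusage_info_data.ri_user_time / 1000000);
      r["system_time"] = TEXT(rusage_info_data.ri_system_time / 1000000);
      // Raw absolute-time value, not converted to seconds here.
      r["start_time"] = TEXT(rusage_info_data.ri_proc_start_abstime);
    } else {
      r["wired_size"] = "-1";
      r["resident_size"] = "-1";
      r["phys_footprint"] = "-1";
      r["user_time"] = "-1";
      r["system_time"] = "-1";
      r["start_time"] = "-1";
    }

    results.push_back(r);
  }
  return results;
}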
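/**
 * @brief Generate the processes table, including state, nice, saved ids,
 *        zombie-aware naming, on_disk, rusage and thread count.
 *
 * @param context Query context, passed to getProcList() for pid selection.
 * @return One Row per process whose credentials could be read. A process
 *         whose credentials cannot be read is omitted entirely (see below);
 *         other columns that fail to populate are set to the string "-1".
 */
QueryData genProcesses(QueryContext& context) {
  // proc_cred::status values: 1..5 index kProcessStateMapping, and 5 is a
  // zombie (SZOMB in <sys/proc.h>).
  constexpr int kMinProcState = 1;
  constexpr int kMaxProcState = 5;
  constexpr int kZombieState = 5;
  // Maximum number of bytes proc_name() will write.
  constexpr int kProcNameMax = 16;

  QueryData results;

  // Initialize time conversions (mach absolute time -> nanoseconds). The
  // function-local static is zero-initialized; denom == 0 means "not yet
  // populated".
  static mach_timebase_info_data_t time_base;
  if (time_base.denom == 0) {
    mach_timebase_info(&time_base);
  }

  auto pidlist = getProcList(context);
  const int argmax = genMaxArgs();

  for (auto& pid : pidlist) {
    Row r;
    r["pid"] = INTEGER(pid);

    {
      // The command line invocation including arguments. Arguments are
      // joined with single spaces, so an argument containing a space is
      // indistinguishable from two arguments; do not parse this back into
      // argv.
      auto args = getProcRawArgs(pid, argmax);
      r["cmdline"] = boost::algorithm::join(args.args, " ");
    }

    // The process relative root and current working directory.
    genProcRootAndCWD(pid, r);

    proc_cred cred;
    if (!getProcCred(pid, cred)) {
      // No credentials (presumably the process exited mid-walk, or the
      // caller is not permitted to inspect it): the process is dropped from
      // the table rather than emitted with sentinel ids. Consumers diffing
      // this table against the pid list should expect such gaps.
      continue;
    }
    r["parent"] = BIGINT(cred.parent);
    r["pgroup"] = BIGINT(cred.group);
    // Map the status to a state character only when it is in the expected
    // range; anything else becomes '?'.
    if (kMinProcState <= cred.status && cred.status <= kMaxProcState) {
      r["state"] = TEXT(kProcessStateMapping[cred.status]);
    } else {
      r["state"] = TEXT('?');
    }
    r["nice"] = INTEGER(cred.nice);
    r["uid"] = BIGINT(cred.real.uid);
    r["gid"] = BIGINT(cred.real.gid);
    r["euid"] = BIGINT(cred.effective.uid);
    r["egid"] = BIGINT(cred.effective.gid);
    r["suid"] = BIGINT(cred.saved.uid);
    r["sgid"] = BIGINT(cred.saved.gid);

    // If the process is not a Zombie, try to find the path and name.
    if (cred.status != kZombieState) {
      r["path"] = getProcPath(pid);
      // OS X proc_name only returns 16 bytes, use the basename of the path.
      r["name"] = fs::path(r["path"]).filename().string();
    } else {
      // A zombie has no path to resolve; fall back to the kernel's short name.
      r["path"] = "";
      // The buffer is one byte larger than proc_name() may write and is
      // zero-initialized, so it is always NUL-terminated.
      std::vector<char> name(kProcNameMax + 1);
      proc_name(pid, name.data(), kProcNameMax);
      r["name"] = std::string(name.data());
    }

    // on_disk is a tri-state: -1 when no executable path is available, 1 when
    // the path exists on disk, and 0 if, and only if, a path is known but the
    // file does NOT exist (a deleted-on-disk binary is worth surfacing).
    if (r["path"].empty()) {
      r["on_disk"] = INTEGER(-1);
    } else if (pathExists(r["path"])) {
      r["on_disk"] = INTEGER(1);
    } else {
      r["on_disk"] = INTEGER(0);
    }

    // System usage and time information.
    struct rusage_info_v2 rusage_info_data;
    int status = proc_pid_rusage(
        pid, RUSAGE_INFO_V2, static_cast<rusage_info_t>(&rusage_info_data));
    // proc_pid_rusage returns -1 if it was unable to gather information.
    if (status == 0) {
      // size/memory information
      r["wired_size"] = TEXT(rusage_info_data.ri_wired_size);
      r["resident_size"] = TEXT(rusage_info_data.ri_resident_size);
      r["total_size"] = TEXT(rusage_info_data.ri_phys_footprint);
      // time information
      r["user_time"] = TEXT(rusage_info_data.ri_user_time / CPU_TIME_RATIO);
      r["system_time"] =
          TEXT(rusage_info_data.ri_system_time / CPU_TIME_RATIO);
      // Convert the time in CPU ticks since boot to seconds.
      // This is relative to time not-sleeping since boot.
      r["start_time"] =
          TEXT((rusage_info_data.ri_proc_start_abstime / START_TIME_RATIO) *
               time_base.numer / time_base.denom);
    } else {
      r["wired_size"] = "-1";
      r["resident_size"] = "-1";
      r["total_size"] = "-1";
      r["user_time"] = "-1";
      r["system_time"] = "-1";
      r["start_time"] = "-1";
    }

    // proc_pidinfo returns the number of bytes filled; anything other than a
    // full struct means the thread count is unavailable.
    struct proc_taskinfo task_info;
    status = proc_pidinfo(
        pid, PROC_PIDTASKINFO, 0, &task_info, sizeof(task_info));
    if (status == static_cast<int>(sizeof(task_info))) {
      r["threads"] = INTEGER(task_info.pti_threadnum);
    } else {
      r["threads"] = "-1";
    }

    results.push_back(r);
  }
  return results;
}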